Hacking and Ethics

Hacker is a term used in computing that can describe several types of person:

  • Hacker (hobbyist), who makes innovative customizations or combinations of retail electronic and computer equipment
  • Hacker (programmer subculture), who combines excellence, playfulness, cleverness and exploration in performed activities
  • Hacker (computer security), someone who seeks and exploits weaknesses in a computer system or computer network. Hackers fall along an ethical scale:
    • Black hat: Exploits vulnerabilities without permission or consent, for undue personal, financial, political, or ideological gain. In other words, doesn’t follow the rules and doesn’t have the target’s interests in mind.
    • White hat: Exploits vulnerabilities with permission and consent, inside clearly defined rules of engagement and within the law, with the intent of helping the target improve their security posture. In other words, follows the rules and has the target’s interests in mind.
    • Grey hat: Exploits vulnerabilities, sometimes without clear permission or consent, for non-malicious purposes, e.g., to help the target improve their security posture. In other words, may not follow the rules but may have the target’s interests in mind.

Characteristics of Black Hat hackers

  • Target selection: driven by motivation (malicious, criminal), with no ground rules or agreed scope
  • Intermediaries: hides identity by attacking from compromised intermediary systems (creates collateral damage for the owners of those systems)
  • Maintaining long-term access: rootkits, backdoors
  • Covers tracks: wipes audit logs, hides malicious files
  • Hardens system: fixes the vulnerabilities it exploited so that other hackers cannot gain access the same way
  • Most important: does not have consent of account/resource owner.

Examples

  • Criminal organizations: Monetary theft
  • Script kiddie: amateur hacker who breaks into systems using automated tools written by others. Motivation: thrills, mayhem, revenge
  • Hacktivist: website defacement, doxxing, denial of service. Motivation: ideological/political. Discussion: where does Edward Snowden fit on this scale?
  • Nation state: (e.g., NSA). Motivation: threat intelligence, IP theft, counter-terrorism

Anti-Hacking Laws

Unauthorized Access

  • Hacking (Criminal Code Section 342.1). Everyone is guilty of an offence who, fraudulently and without colour of right:
    • (a) obtains, directly or indirectly, any computer service;
    • (b) by means of an electro-magnetic, acoustic, mechanical or other device, intercepts or causes to be intercepted, directly or indirectly, any function of a computer system;
    • (c) uses or causes to be used, directly or indirectly, a computer system with intent to commit an offence under paragraph (a) or (b) or under section 430 in relation to computer data or a computer system; or
    • (d) uses, possesses, traffics in or permits another person to have access to a computer password that would enable a person to commit an offence under paragraph (a), (b) or (c).
    Note that paragraph (d) covers the credential itself, not only its use: possessing or passing on a password that would enable such an offence is already caught, before any login happens.
  • Eavesdropping/Spying/Stalking (Criminal Code Section 184). Every person who, by means of any electro-magnetic, acoustic, mechanical or other device, knowingly intercepts a private communication is guilty of an offence.

Fraud

  • Fraud and Phishing (Criminal Code Section 380(1)). Every one who, by deceit, falsehood or other fraudulent means, whether or not it is a false pretence within the meaning of this Act, defrauds the public or any person, whether ascertained or not, of any property, money or valuable security or any service is guilty of an offence.

Mischief

  • Denial of Service Attacks (Criminal Code Section 430(1)). Every one commits mischief who wilfully:
    • (a) destroys or damages property;
    • (b) renders property dangerous, useless, inoperative or ineffective;
    • (c) obstructs, interrupts or interferes with the lawful use, enjoyment or operation of property; or
    • (d) obstructs, interrupts or interferes with any person in the lawful use, enjoyment or operation of property.
  • Ransomware/Malware/Virus (Criminal Code Section 430(1.1)). Every one commits mischief who wilfully:
    • (a) destroys or alters computer data;
    • (b) renders computer data meaningless, useless or ineffective;
    • (c) obstructs, interrupts or interferes with the lawful use of computer data; or
    • (d) obstructs, interrupts or interferes with a person in the lawful use of computer data or denies access to computer data to a person who is entitled to access to it.

Tools of Cybercrime

  • Selling or possessing tools for cybercrime (Criminal Code Section 342.2(1)). Every person who, without lawful excuse, makes, possesses, sells, offers for sale, imports, obtains for use, distributes or makes available a device that is designed or adapted primarily to commit an offence under section 342.1 or 430, knowing that the device has been used or is intended to be used to commit such an offence, is guilty of an offence. The “without lawful excuse” qualifier is what separates a penetration tester’s or researcher’s toolkit from a criminal’s: the same scanner or exploit framework is lawful to possess for authorized testing.

Identity Theft

In this part of the Criminal Code, identity information means personal information such as a fingerprint, voice print, retina image, iris image, DNA profile, name, address, date of birth, written signature, electronic signature, digital signature, user name, credit card number, debit card number, financial institution account number, passport number, Social Insurance Number, health insurance number, driver’s licence number or password.

  • Identity theft (Criminal Code Section 402.2(1)). Every person commits an offence who obtains or possesses another person’s identity information with intent to use it to commit an indictable offence that includes fraud, deceit or falsehood as an element of the offence.
  • Identity fraud (Criminal Code Section 403(1)). Everyone commits an offence who fraudulently personates another person, living or dead:
    • (a) with intent to gain advantage for themselves or another person;
    • (b) with intent to obtain any property or an interest in any property;
    • (c) with intent to cause disadvantage to the person being personated or another person; or
    • (d) with intent to avoid arrest or prosecution or to obstruct, pervert or defeat the course of justice.

Vulnerability Disclosure

You’re a hacker and you have discovered a vulnerability in a piece of software or a system. What do you do?

Disclosure Types

  • Full disclosure: Hacker publishes details of the vulnerability without coordinating with the vendor. Often done when the hacker doesn’t trust the vendor to deal with the issue appropriately: it denies the vendor the ‘chance’ to quietly ignore the vulnerability, but it also hands attackers the details before any fix exists.
  • Non-disclosure: Hacker doesn’t tell the vendor or anyone else about the vulnerability. Often so they can later exploit the vulnerability themselves.
  • Responsible disclosure: Also called ‘coordinated disclosure.’ Hacker discloses the vulnerability to the vendor and gives them the opportunity to develop a fix and roll out a patch before publishing, commonly with an agreed deadline after which the reporter publishes regardless.

Responsible Disclosure Process

How does a responsible hacker report a vulnerability? Their first stop should be to notify the vendor.

  1. Reporter discovers the vulnerability and attempts to verify and document it (reproduce it reliably, record the affected versions and the impact)
  2. Reporter sends a notification to the vendor giving the details
  3. Vendor verifies the vulnerability and develops and tests a solution (e.g., a patch), possibly in cooperation with the reporter
  4. Vendor releases the fix together with a public disclosure statement (advisory)
  5. User community provides feedback on the vulnerability and the solution