Monday, 8 May 2017

Ethical Hacking

The past few months have seen quite a bit of activity working on an old investigation for the Click programme at the BBC. Although a lot of work (so much more than we were able to show even in a half hour special) it was a really important message: ethical hacking matters.

I've had so many people ask how hacking can be stopped. My answer is that yiu need to focus on what you mean by "hacking". It has become a derogatory term to some but origuinally it meant those of us who liked taking things apart to find out how they worked. I really enjoy doing just that. However, you need to draw a distinction between ethical hacking (sometimes called white hat hacking) and cybercrime (black hat hacking).

Nobody, other than the criminals, wants black hat hackers operating on their systems. But, it doesn't take very long in the security world to realise that ethical hackers are the only people who are flagging up problems that the black hat hackers might exploit for nefarious purposes. Just like the Wild West, you need the white hats to stop the black hats.

There is an added dimension to cyber security which highlights the need for ethical hackers. There is no one else holding to account those who would make overstated claims about the security of their products. Remember the Wild West had snakeoil salesmen who were happy to relieve you of your money in return for something that was, well, not what they claimed. In the cyber security world who else probes products to see if these products are what they claim to be.  It would be nice if there was some standard and independent testing organisation of security products, but we are some way off that, not least because how you produce a standard to cover all scenarios is unclear. Without even the gold standard it's difficult to see how you can test if something measures up.

And so we need ethical hackers. These researchers act within the law, interact with companies responsibly and disclose their findings in ways that will protect the public. Ethical hackers are an essential part of the security ecosystem. Although it is always a case of caveat emptor when buying any security product, at least with ethical hackers those who would oversell their products might think twice.

Ethical hackers do not create the problem, they detect the problem and alert the companies, who should fix the problem. If the product developers don't respond positively to an ethical hacker's warning then there comes a point where the public has to be informed.

If you want to see the programme it is on iplayer here and the findings presented in the programme about the particular product we examined were written up by Scott Helme on his blog here