“Black Hats”, “White Hats” and “Ethical Hacker” | What’s the difference?

If you type “Black Hat” or “White Hat” into a search engine, you aren’t just presented with results about the latest offers on hats. These terms are also linked to information security and the hacking of computer systems. But what do hats have to do with hacking? And what constitutes an “ethical hacker”? These are the questions we will answer in this blog article.

First of all, what exactly is hacking? You’ve probably read articles about the “10 best camping hacks”, which explain how to make popcorn over a campfire, or you’ve heard about “life hacks”, which can make everyday life easier in a creative way. “Hackers”, then, are by definition people who use their knowledge and creativity, often related to technology, to understand, improve and change existing systems. Since the 1980s, however, the term has undergone a negative transformation and narrowing to the field of IT security [1]. Nowadays, in everyday speech, someone who penetrates other people’s computer systems is called a hacker.

Hackers are almost exclusively pictured as dodgy people in hoodies, pounding away at keyboards in a darkened room in front of various screens. This is also evident in the media, in news and feature films alike. There it becomes clear: the word “hacker” usually has negative connotations. Maybe that’s why other descriptions are needed to distinguish between hackers: there is more and more talk of black hat hackers and white hat hackers. But how do they differ?

The terms have their origins in old Western films. There, the good characters with white hats distinguished themselves from their evil counterparts who wore black hats. And it is precisely in this sense that we find the “black hats” and “white hats” again in the world of hacking. To distinguish between good and evil in hackers, we need to look at two factors in particular: their motivation and the legitimacy of their work.

Black hats are motivated by their own financial gain, but also by cyber espionage, protest, or the sheer thrill of it. They attempt to steal, encrypt, or destroy personal data, financial information or login details and thus cause harm to those they attack. They act without the knowledge of the targeted persons or companies and therefore make themselves liable to prosecution.

“White hats”, on the other hand, use their skills for a good cause. Their approach is similar to that of black hat hackers, with the difference that they do not act illegally. They work for companies or organisations as IT specialists and help to uncover and close security gaps through hacking. Their motivation is to improve and secure technical systems. More and more companies are making use of such services to prevent malicious cyberattacks.

The distinction between black and white, good and evil, is, as everywhere else, too short-sighted in the IT world. And so there is a third group: the “grey hats”. These stand between the two previously mentioned. They detect security vulnerabilities without the consent or knowledge of the system owners but then report the problems to those affected. They then ask for a financial reward for their work and/or give the companies a time frame for fixing the problems, after which they go public with the vulnerabilities. They do not pursue their goals with malicious intent. Their motivation is to raise awareness of the issue and to enjoy the hacking itself. This type of hacking is on the borderline of illegality, as they work without the permission of the system owners and often gain insight into sensitive data. The fact that the boundaries between white and black hat hackers are becoming increasingly blurred was already proven in a 2018 study by Osterman Research [2].

White and grey hat hackers are also called “ethical hackers”. This term describes a responsible approach to one’s own hacking skills and results. There are even courses, conferences and certificates for ethical hackers who want to offer their work officially. In addition to the appropriate ethical attitude, ethical hackers must also fulfil other requirements: great technical skill, the ability to put themselves in the shoes of attackers and an understanding of the value of the data and systems they are supposed to secure [3].

In this context, you may remember a case highlighted in the media in May 2021. The hacker Lilith Wittmann uncovered security vulnerabilities in the CDU’s election campaign app. She then informed the party, the Federal Office for Information Security and the Berlin data protection commissioners [4], offering them the opportunity to fix the problem. Only when the app was offline did she publish her work. This approach is also called “responsible disclosure” and is an example of ethical hacking. However, the case also shows how difficult it can be to evaluate such work under the law. In this case, the CDU filed a criminal complaint against Wittmann, which not only increased the public embarrassment for the party but also resulted in the official statement of the Chaos Computer Club (CCC) that they would no longer point out security vulnerabilities to the party in the future. The case was dropped because the data was publicly accessible, and the legal situation only criminalises the spying or interception of access-protected data [5].

This example shows once again that the work of ethical hackers is important: without them, there would be more open security gaps, which in turn could be exploited by black hat hackers.

By the way, the colour palette of hackers is expanding. For example, you can also read about Red Hats, Blue Hats, Purple and Green Hats. However, the definitions of these are sometimes very far apart, so we will leave it at this for the moment.

You can also find a scary overview of some of the approaches used by cybercriminals in our YouTube video: “Scary Stories of the Cybermonsters”.

[1] On Hacking – Richard Stallman. (n.d.). Stallman. Retrieved 19 November 2021, from http://stallman.org/articles/on-hacking.html
[2] White Hat, Black Hat and the Emergence of the Gray Hat: The True Costs of Cybercrime. (2018). Osterman Research, Inc. https://www.malwarebytes.com/resources/files/2018/08/global-white-hat-black-hat-and-the-emergence-of-the-gray-hat-the-true-costs-of-cybercrime-1.pdf
[3] Cybersecurity Guide. (2021, 20 October). How to Become an Ethical Hacker | Guide for 2021. Retrieved 19 November 2021, from https://cybersecurityguide.org/resources/ethical-hacker/
[4] CCC | CCC meldet keine Sicherheitslücken mehr an CDU. (2021, 4 April). CCC. Retrieved 19 November 2021, from www.ccc.de/de/updates/2021/ccc-meldet-keine-sicherheitslucken-mehr-an-cdu
[5] Reuter, M. (2021, 16 September). CDU Connect: Ermittlungsverfahren gegen Sicherheitsforscherin Lilith Wittmann eingestellt. netzpolitik.org. Retrieved 19 November 2021, from netzpolitik.org/2021/cdu-connect-ermittlungsverfahren-gegen-sicherheitsforscherin-lilith-wittmann-eingestellt/
