Web Security Types of Hackers
Transcript from the "Types of Hackers" Lesson
>> Mike North: And before we begin with the attacks I just want to talk about different types of hackers, right? We've got black hat, grey hat, and white hat. Black hat hackers, these are the ones that just cause trouble for personal gain, or just to hurt things for fun. These are the ones that go to jail.
[00:00:22] These are the ones that are causing trouble and trying to get rich off of it, or the Equihax hackers who are now trying to sell the entire database for 400 bitcoins on the dark web. Like, that's black hat hackers. Grey hat hackers, they're still trying to compromise systems; they still don't have permission.
[00:00:47] They're mostly driven by curiosity, and occasionally these people will report bugs that they find. So when you talk about, you know, people who are just sort of curious and try to crack into a system the same way people like to pick locks, this is the category we're talking about here.
[00:01:07] Now, the act they may perform, like the intrusion, that may be a criminal act, but typically they're not gonna be causing damage once they get in. They're almost like using it as target practice and not trying to stir up too much trouble. White hat hackers, like if you go to some of these security conferences or you see videos on YouTube of people hacking into a Jeep and getting it to shut down its engine or automatically drive, these white hat hackers are what you're looking at in that situation.
[00:01:43] They're paid and given permission to crack into systems. Penetration testers fall into this category, and you're basically trying to find someone knowledgeable to do their best to get into something, so that when a black hat or a grey hat hacker comes along, you will have already found the vulnerabilities and already fixed them.
[00:02:06] So keep in mind, you need permission to explore in this area. So if you go into an airport and just start creating a malicious Wi-Fi network, that's illegal, that's risky. Don't do that. We're here to learn about how to defend against this stuff. We're here to talk about our own applications.
[00:02:27] So do not use these powers for evil. Something we're about to talk about is the short answer here. White hat hackers, they go through a process called responsible disclosure. And that means that if you find a bug, if I find a bug in Frontend Masters, for example, I would communicate it to them.
[00:02:48] We'd agree upon a reasonable timeline. Say, I will publish knowledge of this bug within 90 days from now or when you tell me that it is okay with you. And that gives Mark a chance to roll a fix out. Say it was with the iOS app or something, so he basically needs to patch the app, roll it out to all new, publish the version, to witness that people are downloading it.
[00:03:14] To maybe send an email out saying, please update to the latest version. Maybe in their API, they can say, if you get a call from this older version, just shut it down. The app is broken. That'll encourage people to update more quickly. And by the time I publish a blog article or something about it to spread awareness amongst the developer community that I found this quirky little thing and here's how we fixed it.
[00:03:40] By the time we get that information out, this fix is already out and it's in place. The black hat hackers, they typically like to disclose without giving people advance notice. And if you hear the term zero-day bug, that is what this is. That's basically a bug no one knows about that can be used to either get a foothold within a system or to get complete control over a system, but these essentially are like weapons.
[00:04:06] And so if you just disclose this without giving whoever owns this project a chance to fix it, now it's a race between patching and hardening this problem and patching the vulnerability versus people trying to exploit it. And almost always, it's like some damage will be done, because these people that are trying to crack into your systems are pretty smart.