The Grey area of Hacking
In life, there are debates, debates that seem to go on forever with never a definitive conclusion in sight. Theses debates like many other spans on over centuries and give what is known as "age-old questions" one such question in Ethical Hacking is "When does white, become grey?" Some say when your intentions change from ethical to unethical, some say when you do something you have not had permission for, no matter what your intentions are. Regardless of what our individual opinions are there are laws and that is what defines our grey area, the most well known relevant act is the Computer Misuse Act 1990, which brings in three offences:
- Unauthorized access to computer material.
- Unauthorized access with intent to commit or facilitate the commission of further offences.
- Unauthorized acts with intent to impair, or with recklessness as to impairing, operation of a computer, etc.
This act has since been amended twice, by the Police and Justice Act 2006 and by the Serious Crime Act 2015 – this introduced:
3ZA.Unauthorised acts causing or creating a risk of, serious damage.3A. Making, supplying or obtaining articles for use in the offence under section 1, 3 or 3ZA.
All these offences carry a different prison sentence with offence 1) and 3A) having a possible sentence of 2 years imprisonment, offence 2) is five years imprisonment, 3) is 10 years, and lastly offence 3ZA) is the most serious crime covered by this act and has a maximum sentence of life.
Before we move on please see /disclaimer/
So here I am sitting at my desk with this bug that I have just confirmed, knowing this could potentially be exploited by a Blackhat hacker to the extent of where the company's security is at risk, or even worse, end up being held for ransom since this is very common in 2020.
By looking at the above laws, my case would fall into category 1) since I did not have permission for testing, therefore I was unable to disclose this vulnerability that affected them.
So what do I do? Should I just ignore it and go on with the rest of my day?
I think this is many researcher's dilemma if you remember the case where two Pentesters had written authorization to test the physical security and were later arrested on felony third-degree burglary charges. (Currently, the charges have been dropped.)
Take another example only a few weeks previously I remember reading a post on LinkedIn where a company that specializes in mobile app Pentesting had looked into an application and found a critical vulnerability where users data was at risk of being breached. Said Pentester contacted the owner of the application but their report was ignored, the Pentester then went public with their findings which caused the company to deny any allegations which started a dispute between the two parties.
Here are a couple more grey hat hackers examples here.
I believe all the companies and the current legislation should enable researchers to safely undertake some analysis and therefore support businesses, especially those who cannot afford testing and are at huge risk from being hacked.
In the end, I decided to do what was best according to the values that I hold and disclose the information. I knew there was potential for the company in question to be rather annoyed, and they had every right to be according to the law. However I knew my intentions were honourable and hoped that would stand me in good stead and they wouldn't be too annoyed to the extent that they would report me, but you never know who is at the other side of the computer and therefore you will never know how they will react.
In regards to the vulnerability, I found I am talking about a British multinational engineering and defence business, with a net worth of over 16 billion pounds.
This particular company did not have a vulnerability disclosure policy in place at the time of my findings. The person whom I approached to report my findings was very polite and professional, they are the Cyber Incident Lead at the company in question.
They helped me by sharing the details of their SOC where I could send my report, this e-mail in question is not openly shared on the web.
I could only imagine how busy a person with such responsibility could be, so I left them to it not thinking "what did I just start."
A couple months went by, and of course, I received some updates along the way stating that the cyber department is still working on the matter. It soon came to light that my action prompted the company to perform analysis on all their domains which could be in the hundreds of thousands, at the same time they rolled out their vulnerability disclosure policy.
This was later confirmed when I received the following.
"We were already rolling out the vulnerability disclosure policy, but your engagement was nicely timed to validate the need for external parties having a viable and approved entry into the business."
- The company has fixed the flaw I reported and has since checked all their assets for such vulnerabilities.
- I have met some wonderful people and made connections within the IT industry.
- The company has put in place their vulnerability disclosure policy which is awesome, now researchers are legally allowed to report bugs they find within the scope of the program.
- I became more careful when engaging in tests especially regarding what policies and programs are in place.
- This opportunity enabled me to look at the wider issue of the current legislation preventing the white hat/pentest community from undertaking some analysis.
- The Head of the Department at my University has been informed about my encounter with the company and they are aware of the value I added.
- I received an amazing book and cannot wait to read it.
Have you got any suggestions for me ? Get in touch!
Thank you for reading my article, Until next time!
Your friendly neighbourhood Hacker.