Forum Thread: Know Your Enemy

We are training here to become Grey Hats, and just in case someone does not know what that is, see here.

A grey hat may refer to an individual who acts in a variety of IT-related areas. In the hacking community, this metaphorical title refers to a skilled hacker whose activities fall somewhere between white and black hat hackers in a variety of practices. The ambiguity connoted by the title suggests that such people sometimes act illegally, though in good will, to identify vulnerabilities in computing processes. They usually do not hack for personal gain or have malicious intentions, but may be prepared to break some laws during the course of their technological exploits in order to achieve better security. Whereas white hat hackers generally advise companies of security exploits quietly, grey hat hackers generally "advise the hacker community as well as the vendors and then watch the fallout" (credit Wikipedia)

That being said, you should be aware of what you are up against. I found this article which goes into the different areas of corporate security professionals. You can even see what kind of training they have or what skills you would have to learn to become one. So before you go after Bank of America, see below.

9 Responses

Lmao, it finally dawned on me what grey hatting is and how you can actually do it. As per OTW's article on "The Legal Consequences of hacking", prosecution is usually based on damages.

Now I understand why Grey hatters can expose vulnerabilities from hacking a system without permission and telling the target that they have a confirmed hack. While they are skirting the fine line of the law, they did not do any damage.

Keep in mind those big pen testing companies have attorneys etc. to protect them. As a small time grey hatter it would be best to cover your tracks when testing your "theories" on getting into a system.

Jon Noob:

Unauthorised access to a system is still breaking the law; pen testing is unauthorised access. No matter your intentions; if you break the law, you break the law.

ghost_

Ghost:

Your statement is correct; I am referring to pentesting companies confirming a vulnerability. The only way to confirm it as far as I know is to test it with a hack.

This article gives a good example:

http://www.darknet.org.uk/2014/04/oracle-java-cloud-service-vulnerabilities-publicly-disclosed/

I feel fairly confident that they did not get permission to confirm a vulnerability. If I am wrong or my reasoning is wrong I would really like to know.

In my description above of a grey hat, it does state that they may break the law and are known to break the law, which is why I advised caution and covering your tracks. If there is no damage, more often than not district attorneys are not gonna waste their time on a case they may not win. Not to mention spending (I researched this, it takes approximately 100 man-hours to track down a hacker). Law enforcement are not going to dedicate that much time for a crime with no victim and no damages.

Jon:

Everything you say is true, but you are playing a VERY risky game. Losing could cost you a few years of your life and a decade of restitution.

OTW

One of the things I did not mention is that if you piss off the wrong people, it won't matter how many hours it takes to investigate or how much damage you do, they will go after you. I know what I'm talking about here. Trust me.

OTW:

I am not advocating committing crimes, I was just trying to state that I understood the grey hat mentality and how they operate. This thread is about knowing your enemy that would include white hats, black hats and grey hats. Each would depend on what discipline you wish to pursue.

Personally I think my personality and past experiences favor grey hat. But to be a grey would be the hardest job as you would have to know the black hat and the white hat. Very tough road to follow.

Jon Noob:

He's not even talking about just breaking the law. He's saying if you piss off the wrong people they will go after you. Think more in terms of cyber-mafias.

If you want to go into pentesting, that's great. But do it through a company who are specifically hired to do it. Companies such as FireEye and the like.

Don't be stupid and flirt with the law. Play it smart here, mate.

ghost_

Ghost:

Great point on the cyber mafias. A simple non (Bank of America) site may be a front for them. And thanks for the advice, but I have to say I am not at the point of feeling confident to hack "anything". In Grey, Black, White hat in any way. At least not without detection.
