After a long weekend I wonder whether there is a good enough understanding of how (and why) hackers do what they do. What makes a hacker want to take control of an airplane just to see if it can be done?
There is a widely discussed Wired article, http://www.wired.com/2015/05/feds-say-banned-researcher-commandeered-plane/, about hacking an airplane and potentially changing its direction from a seat in coach. I am not interested in the details of the hack; Wired covers them. The only passenger in coach who would actually want to change a plane's direction is someone intent on inflicting harm (a terrorist). So hacking a plane is not a good example of what hackers typically do or why.
The airplane is only a first example; here is a second:
http://daeken.com/2012-12-06_Responsible_Disclosure_Can_Be_Anything_But.html
This article reviews the hacking of a hotel lock, the card-key lock made by Onity. This hacker, Cody Brocious (daeken), was especially considerate, maybe even an "ethical" hacker.
Cody found a loophole in the way the key card and the lock worked together, in a lock installed in at least four million locations.
Cody figured out a fairly easy method to open any of these locks. He did it because he looked at the lock one day and saw a way to hack it that, to him, was easy. This is the crux of the problem: to a hacker, taking a function or a device apart is as natural as walking or talking. The many hours of work are real, but they do not feel like a great effort. Hacking comes naturally to them.
Here is the paper he wrote with the details of the hack: http://demoseen.com/bhpaper.html
I hope the reader understands that. Once the hack was found and he realized what it meant, now what? He wanted to disclose responsibly, and this was not an easy decision. Here is the actual passage about disclosure from the paper:
"Given the obviousness of these vulnerabilities (outside of the obscure protocols used), their impact, and the difficulty of mitigating them, the decision to make this information public has not been an easy one. While it's unlikely we'll ever know for sure, we must suspect that concerns were raised inside of Onity about these issues, given the ten-plus years that these locks have been in development and on the market.
However, after much consideration it was decided that the potential short-term effects of this disclosure are outweighed by the long-term damage that could be done to hotels and the general public if the information was held by a select few."
He also put every detail of how the hack works in the paper, so anyone with modest hardware and software skills can now perform it.
The problem is how to disclose properly while also giving the company an incentive to fix the security flaw.
Many companies (software companies included) will not make difficult, costly decisions with no appreciable upside unless they have to.
But if you think about it, the lock should simply work correctly: admit the key card holder and keep everyone else out. That is not what happens once a hacker knows how to turn the lock's own mechanism against the manufacturer. It is also not obvious how many other hackers figured this out but never wrote a paper, never contacted the company and never told the public.
Is it better to perform ethical hacks and disclose them, or not to hack at all and let the criminal hackers hack at will?
Criminal hackers are running rampant right now.
Why? Because more people know how software and processes can be hacked than know how to defend them and keep the hackers out.
What should happen in the future?
I believe companies need to run a minimal set of vulnerability analyses, which I explain here:
http://oversitesentry.com/tonyz/pubhtml/fixvirus/svapec/
The idea is to cover at least your basic vulnerabilities with a regular scan. A defender has to be perfect against far too many attacks heading our way not to test those defenses with outside help.
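What a "regular scan" buys you is a baseline you can compare against, so the question each week becomes "what changed?" rather than "what is out there?". The following is an added example, not code from the original post or from the SVAPE&C page linked above: it parses the XML that nmap writes with -oX, keeps only open ports, and diffs them against an approved baseline of exposed services. The two addresses' worth of scan output and the baseline are constructed by hand (RFC 5737 test addresses); they are not results from a real network.

```python
"""Diff a fresh nmap XML scan against an approved baseline of exposed services.

Illustrative example only: SCAN_XML and BASELINE below are constructed by hand
in nmap's -oX output format; they are not a real scan or a real network.
"""
import xml.etree.ElementTree as ET

# Constructed baseline: what the perimeter is *supposed* to expose.
# {ip: {(protocol, port, service name)}}
BASELINE = {
    "203.0.113.10": {("tcp", 443, "https")},
    "203.0.113.11": {("tcp", 22, "ssh"), ("tcp", 443, "https")},
}

# Constructed nmap output for this week's scan (same shape as `nmap -sV -oX`).
SCAN_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 203.0.113.0/28">
  <host><status state="up"/>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="203.0.113.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="203.0.113.12" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_open_services(xml_text):
    """Return {ip: {(proto, port, service)}} for every *open* port in an nmap XML run.

    Closed and filtered ports are ignored; a host with no open ports still
    appears with an empty set so that a missing service can be detected.
    """
    result = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        services = set()
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name") if svc is not None else "unknown"
            services.add((port.get("protocol"), int(port.get("portid")), name))
        result[addr.get("addr")] = services
    return result


def diff_against_baseline(scan, baseline):
    """Return (new_exposures, missing): services open but not approved, and
    approved services that did not answer (a down host is also worth a look)."""
    new_exposures, missing = {}, {}
    for ip in set(scan) | set(baseline):
        seen = scan.get(ip, set())
        allowed = baseline.get(ip, set())
        if seen - allowed:
            new_exposures[ip] = seen - allowed
        if allowed - seen:
            missing[ip] = allowed - seen
    return new_exposures, missing


def report(scan_xml=SCAN_XML, baseline=BASELINE):
    """Print a human-readable delta and return it for further processing."""
    new, missing = diff_against_baseline(parse_open_services(scan_xml), baseline)
    for ip, svcs in sorted(new.items()):
        for proto, port, name in sorted(svcs):
            print(f"NEW EXPOSURE  {ip} {proto}/{port} ({name}) is not in the baseline")
    for ip, svcs in sorted(missing.items()):
        for proto, port, name in sorted(svcs):
            print(f"MISSING       {ip} {proto}/{port} ({name}) approved but not seen")
    if not new and not missing:
        print("No change from baseline")
    return new, missing


if __name__ == "__main__":
    report()
```

Run against the constructed scan, it flags RDP (3389) on 203.0.113.10 and telnet on a host that is not in the baseline at all; the closed port 80 on 203.0.113.11 is correctly ignored. In practice the baseline should live in version control and every addition to it should be a reviewed change, so that the scan tells you about drift instead of silently teaching you to accept it.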
I have also written about the 2015 risk management problems:
http://oversitesentry.com/why-risk-management-model-failed-us/
Contact us for any help.