The Black Hat Community – Vulnerability Issues and Organizations
The black hat community practices a policy of nondisclosure. When a black hat discovers vulnerabilities, they retain the information or judiciously distribute it only within a black hat group. These black hats then use the vulnerability to penetrate unprotected systems for whatever covert purpose they desire. Eventually the vulnerability information leaks out into a public forum; until that time, however, systems and their administrators have no defense against exploitation.
Do organizations like black hats have the right to conceal vulnerability
issues for malicious purposes?
www.syngress.com
290_Ethics_IT_03.qxd 5/10/04 11:40 AM Page 82
82 Chapter 3 • Vulnerability Disclosure
Conservative The black hat community is unethical by its very nature. Failing to disclose system weaknesses when they discover them merely adds another intolerable behavior.
Liberal Everyone has the right to information. Putting aside malicious attacks derived from nondisclosure of information, the black hat community may or may not disclose the weaknesses they discover. It is perfectly ethical to gather information and remain silent about the data. The ethics lie in the utilization of the information collected.
SUMMARY
Ethics and the black hat community make an interesting subject. Regarding nondisclosure, some may argue that black hats have the right to collect and withhold information, while others argue that, because of what these individuals do with the information they collect, their intent indicates that they do not have the ethical right to collect information or to fail to disclose system weaknesses.
Full Disclosure
Full disclosure means many different things depending on the person you speak with and the vulnerabilities at play. What does full disclosure mean to you? In textbook terms, full disclosure is the process of broadly disseminating as much information as possible regarding product or system vulnerabilities so that potential victims possess the same information as the potential attackers. Disclosure of this type ensures that product developers and clients with foreknowledge of product weaknesses possess the necessary time to implement defensive action against system vulnerabilities.
There are four primary ways potential victims ensure their systems withstand the vulnerability after a full disclosure. The first is to activate system protection by developing and implementing Intrusion Detection System (IDS) signatures; IDS signatures provide detection of the exploit in question. A second means of protection is implementing a temporary fix or workaround, such as shutting down a vulnerable service or blocking traffic at the firewall. The third means is detection by systems administrators, who use the exploit code to scan the network for vulnerable systems or to test systems not yet patched for the possible vulnerability. Finally, on the vendor side, programmers of the product in question can review the structure of the flaw and attempt to avoid similar situations in future development.
Those who support full disclosure argue that this process has several advantages. This section addresses full disclosure from the ethical points of view of the conservative and the liberal.