White hat hacker

What is a white hat hacker?

A white hat hacker is one who gains unauthorized access to a computer system for the purpose of finding security vulnerabilities. White hat hackers typically report these security vulnerabilities in an effort to help organizations fix them quickly, before malicious hackers (or “black hats”) find and exploit them.

White hat hackers vs. black hat hackers

White hat hackers are often compared with their black hat counterparts. While white hat hackers use their skills to try and make the web a safer place, black hats use their skills for personal or criminal gain. It is important to note the ethical differences between white hat and black hat hacking.

Here are some key distinctions that illustrate how different the two types of hackers actually are:

White hats

• Work with organizations to fix security vulnerabilities before they can be exploited by black hats.
• Do not steal information from other computers and/or users in order to gain unauthorized access. If they do, it is in order to verify that vulnerabilities exist.
• Make sure their findings are communicated to the public so that others can avoid security breaches.

Black hats

• Work mostly for personal gain or notoriety. They want recognition as well as monetary compensation for finding and developing exploits (software codes) that enable unauthorized access to systems.
• Steal information such as passwords, bank account numbers and personal information from computer systems in order to commit fraud or identity theft.
• Do not report their findings to organizations or the public.

Black hats and white hats are not mutually exclusive

While there is obviously a clear distinction between the two, many people tend to focus on this one question: is a hacker good or bad? Yet all hackers are not either good or bad. In fact, they might even be motivated by both things simultaneously.

Some black hat hackers may start out as white hats before turning over to the “dark side.” They might get frustrated with an organization’s slow response time when it comes to fixing security vulnerabilities and give up on working with them at all. Or they may want money for finding bugs so badly that they decide selling exploits will be easier than going through the legal route. Some black hat hackers might just use their skills for malicious purposes even if they start out as white hats.

Black hat hackers also might not be motivated by personal gain at all. They could be working with a foreign government who wants to create security vulnerabilities in another nation’s computer system, or they could be employed by a criminal organization that hopes to make money off of the sale of stolen information like credit card numbers and social security numbers.

Black hat hackers might also come to the table with both good and bad intentions at once. They might want personal gain, but they also might genuinely want to help a foreign government or criminal organization accomplish its goals. This is especially relevant when looking at groups like Anonymous, who often claim their own status as white hats even though they have been engaged in some rather “black hat” activity, like hacking into corporate websites, DDoS (Distributed Denial of Service) attacks, attacking MPAA-member website The Pirate Bay and stealing credit card information from MasterCard’s site.

The bottom line is that you can’t determine whether a hacker is good or bad simply by assessing their actions alone. Unless you know exactly what motivates them you will never be able to truly classify them by their intentions.

How to become a white hat hacker

If you are motivated by the desire to make the internet a safer place, and to help individuals and organizations avoid costly breaches of their computer system’s security, then you might consider becoming a white hat hacker.

• Along with good intentions, there are some other requirements that go along with being a white hat. Here is a list of what it takes:
• A desire to help others keep their systems safe from attackers.
• The ability to find vulnerabilities in websites, applications and mobile devices.
• Good programming skills.
• The ability to cultivate your own reputation online (for those who work independently or in underground communities like Anonymous).
• Patience.
• A willingness to learn new things regularly.
• The ability to communicate with people but also to be calm while under pressure (when you report a security vulnerability to an organization, there is a good chance they will try to contradict your findings or even dismiss them entirely).
• A passion for computers and the internet as well as software development.
• Ability to work independently or in groups of hackers.
• Great personal morals.

Frequently asked questions about white hat hackers

Do you have to get permission from a company before testing their security system?

For the most part, no. In fact, there are certain laws that protect white hats who report vulnerabilities from the legal consequences of any damage they might cause while doing so. The best thing is to contact an organization’s personnel department and let them know what you want to do before actually testing their systems for security holes. Keep in mind that companies usually don’t just hire anyone off the street to help them with their computer problems, but if you live nearby or happen to be acquainted with someone who works at the company, this might make it easier for them to take your findings seriously.

If you try contacting the company without telling them in advance that you are planning on trying to hack into their website, they might have a hard time trusting that you are actually sincere about finding security flaws in the first place. You want to try coming across as someone who wants to help (and avoid sounding like someone who just wants to brag).

What exactly are the vulnerabilities that white hat hackers are searching for?

A vulnerability is basically a weakness in software or hardware that can be exploited by hackers for nefarious purposes. Vulnerabilities could lead to major damage if left unchecked, and companies and individuals usually contract with white hat hackers to help them determine where the vulnerabilities lie. Each company will likely have different kinds of testing they would like done upon their web server or computer system, from penetration tests and vulnerability all the way to network security testing.

When you start working as a white hat, you will be given certain terms and conditions that your employer expects you to obey. When it comes time for the actual testing of the vulnerability, they might want you to keep top-secret about what exactly is going on. This is why it’s good to ask questions before getting started and also having them sign a non-disclosure agreement (NDA).

What else are people likely going to expect from me if I become an ethical hacker?

Aside from reporting any vulnerabilities or bugs in their system, companies will probably have other things they want done around their website. They may have more suggestions than just finding holes in their computer systems—for instance, if they also have a website that is important to the public image of their company, they will want you to point out any errors in spelling or grammar.

A business may hire a white hat hacker to do some penetration testing and vulnerability assessments as well as network security testing. This means probing the firewall for potential holes but it could also mean trying to access confidential documents that are stored on large databases. They might also ask you to try your hand at malware analysis or even social engineering.

Why would I need social engineering skills as an ethical hacker?

Social engineering is basically a way of gathering information from people using different types of technical methods and/or pre-existing relationships with them. It could be used by an attacker who wants answers or access to a computer system, or by someone who is trying to find security flaws in another person’s system.

Social engineering skills can be very useful for white hat hackers because it’s hard to get your foot in the door of certain systems without already having some kind of connection there. If you have been able to gain access through social engineering before, then it will be easier for you to do so in the future. You might need these kinds of skills if:

A company has hired you as their sole external penetration tester but they don’t want this information leaking out to the general public. A company has just let you know that they are getting ready to hire other people with the same qualifications (and experience) and that competing companies may also try to get a hold of this same information.

A business may hire a white hat hacker to do some penetration testing and vulnerability assessments as well as network security testing. This means probing the firewall for potential holes but it could also mean trying to access confidential documents that are stored on large databases. They might also ask you to try your hand at malware analysis or even social engineering.