When White Hat Hackers Go Bad

Even the most ethical hacker can be lured in by the seven deadly sins of pen-testing. This article is part of CoinDesk's Sin Week series.

AccessTimeIconAug 31, 2022 at 5:03 p.m. UTC
Updated Sep 19, 2023 at 4:02 p.m. UTC

In most cases, cybersecurity can be achieved through ethical hacking – an established practice used to identify weaknesses and offer guidance on vulnerabilities. But, as with most things having to do with blockchain, the issue becomes a gray area.

To stay ahead of the attackers, those considered “ethical hackers” in crypto rely on some questionable tactics. These include using deep security inspection as well as the most recent offensive security techniques, such as advanced penetration testing (or pen-testing), in order to surface important vulnerabilities before they are exploited.

Luis Lubeck is the technical education specialist of Halborn. This article is part of CoinDesk’s Sin Week series.

To emulate the most recent actions and methods taken by threat actors, pen-testing needs to be carried out on everything from web applications, mobile applications and APIs to wallets and layer 1 blockchains.

A decentralized application, network or system that makes use of blockchain technology is subjected to a security audit known as a "penetration test." The goal is to find and report security flaws before a malicious user does.

Penetration testing is intended to uncover vulnerabilities in the code, so they can be fixed, by deliberately exploiting the target's weaknesses while adopting the mindset of a potential adversary. Sometimes you need to think like a criminal in order to beat one.


Obviously, this raises concerns that even “ethical hackers” can gain insight into a system, and later exploit it. This has seemingly occurred in the past. White-hat hackers must go deep into a system while, at the same time, avoiding the temptations of the seven deadly sins:

PRIDE, the foremost sin, can lead any hacker to become a target. If an ethical hacker has the arrogance to believe their talents supersede all else – including the law – the ethical hacker can become a target for other hackers, or worse.

Under no circumstances should a penetration tester try to break a system without proper authorization from the company or the person in charge. This is considered an illegal action. And for the justice system, no amount of good deeds in the past can possibly overcome the consequences of crossing the line.

The ethical hacker carries with them a balance between internal and external motivations. On one shoulder sits the specter of reward and fame, and on the other sits sharing knowledge in the act of ensuring societal security (or at least that of the company for which they work). When this balance is tipped and personal fame or monetary gain is valued over sharing of knowledge and security, the hacker falls to the sin of GREED.

To combat this, they never use a virtual private network (VPN) to mask the internet protocol (IP) address from which their test is conducted. They always leave traces for outside observers that make it easy to recognize an attack vector. Obfuscation of knowledge will quickly lead to their exclusion from the communities of ethical hackers, those who grow through shared knowledge.

Great hackers have the impetus to want more, know more, learn more, break more. In order not to fall into the sin of GLUTTONY, it is imperative to set limits. An ethical hacker must be certain to refine the scope of the penetration test to be performed, setting limits on what can be done and just how far one can go in trying to break the system.

Of course, hacking knowledge should never be used to gain unauthorized access to sensitive material, otherwise known as the temptation of LUST. As enticing as it may be to take a peek or go where no one has gone before, an ethical hacker must set boundaries. This means never sharing internal documentation or non-public knowledge with even their trusted counterparts.

To be an ethical hacker is to be on a path of constant learning, thus LAZINESS is one of the worst sins imaginable. Technology advances at hyperspeed. An ethical hacker always assumes that there is more to learn.

During a penetration test they must make sure to follow all procedures, go by the book and never perform experiments on the same machines or systems used in live production or daily tasks, as this can put the tester's own equipment at risk from malicious code. This can be the difference between “life and death,” since a real attacker could gain access to the client before the failure can even be detected.

ENVY must also be avoided at all costs. Using sensitive information about a company that was found during the penetration test for personal benefit is not only off-limits but downright illegal. Meanwhile, failure to acknowledge a teammate's expertise must also be avoided. Teamwork and an understanding of each member's strengths and growth areas are essential for comprehensive, high-quality testing.

Not every penetration test ends in success; perhaps no flaw is found, or it is not found in time. Under no circumstance shall the ethical hacker travel down the path of ANGER. Losing control can lead to even more dangerous mistakes, such as not being able to respond in time to an incident, compounding the damage while responding to that incident, or failing to learn from the event.
