
Thank you. Good afternoon, everyone, and thank you all for attending. As you can see, my slides are not quite as fancy as the last ones, quite black and white, but today I'm just going to be giving a short discussion about ethical hacking, as well as the ethical and moral aspects associated with the topic. My name is Anish, as introduced earlier, and I'm currently a university student in the final year of my bachelor's degree in cyber security. I look forward to briefly exploring this topic with my own interpretations of this area.

A quick overview of what I will cover today: starting off by briefly defining ethical hacking and outlining its essential elements, followed by delving into why it is an important factor, especially in modern society. After that I will explore the ethical and moral considerations surrounding this field, then shortly go over a couple of examples of real-world case studies to better understand how ethical hacking works in practice, followed by the public view and a point of observation from my own personal experience within this area. Finally, I'll wrap up with some concluding remarks and open the floor to any questions.

To begin with, ethical hacking involves the authorized probing of computer systems and networks to uncover and identify key security vulnerabilities. Its purpose is to strengthen security measures and help highlight significant points of concern, not to maliciously exploit those outlined weaknesses. Ethical hackers also operate within a legal framework, with the permission of system owners, to ensure no real harm is done to the affected networks.

With the quick introduction out of the way, I'd like to quickly analyze the importance of ethical hacking, as it plays a critical role in our digital world. With the increasing reliance on technology, both domestically and commercially, the protection of data is also a primary risk factor for all organizations. The prevention of cyber attacks is also largely assisted by ethical hacking, as patching and resolving any highlighted security vulnerabilities earlier rather than later further strengthens the overall cyber defense of a network. As well as this, many vulnerabilities would remain undiscovered without ethical hacking, hence allowing organizations to stay one step ahead of malicious threat actors and adversaries.

Moving on to addressing the ethical and moral aspects within this vector, and the key controversial issues faced with modern hacking, the most largely discussed topic. To begin with, ethical hackers are obligated as part of their work to obtain informed consent before conducting any testing, as they are expected to follow responsible disclosure practices and policies, ensuring vulnerabilities are reported and fixed rather than exploited. Balancing the necessity for security with an individual's right to privacy is also a constant challenge, for several reasons: diverse stakeholders, where multiple individuals are involved; legal and regulatory frameworks that vary between countries regarding privacy; ethical dilemmas that may arise when cyber security measures such as information collection encroach on personal privacy; as well as maintaining general transparency about cyber security practices and building trust within the community.

To illustrate how the ethics of ethical hacking works in practice, I'll quickly break down a relevant case study, in particular a certain update to the popular website creation software WordPress in 2018, where an update that allowed for social media adaptation and integration instead leaked users' social media credentials and in turn led to Twitter account takeovers. The ethical and moral obligation of Baptiste Robert during his discovery led him to disclose this incident directly to Twitter, using the appropriate communication channels, rather than exploit this vulnerability or use this knowledge for misuse.

Moving on to an example of an unethical case study, we have an infamous incident in 2015 wherein a Lithuanian threat actor fabricated fake companies using the reputed official brand names of computer manufacturers in Taiwan. He and his co-conspirators were able to coerce employees who regularly conduct multi-million dollar transactions into paying out over $100 million between the years of 2013 and 2015. Visibly contradictory to the previous case study, the primary involvement taking place in this example shows how an unethical approach, although lucrative, can cause impactful harm both financially and economically to an industry. After receiving a court verdict of prison time and forfeiture of the stolen money, a notable point could be made that despite going unnoticed for two years, the crime was eventually uncovered and exposed in its entirety, regardless of scale.

Slightly touching on from the last segment, I would also like to shortly discuss the disadvantages of ethical hacking from my own point of view. The most prominent drawback of these is the legal obligations and lawful responsibilities that need to be exercised throughout any kind of engagement, given the sensitivity of accessible information and the boundaries set by acts and policies, as well as a pre-specified scope. Similarly linked, if completed unethically a perpetrator could potentially be motivated by a monetary benefit to criminal engagement, whereas a more ethical approach to the same situation may not be rewarded at all, as seen in a lot of cases. Finally, information disclosure and risk management actions taken by an organization are also undesirable: even after a well documented vulnerability report and assessment, a company may choose to reduce the spotlight on the problem, despite public opinion.

The final area of ethical hacking I would love to share is my own personal experience within this topic and my own findings revolving around my own moral navigation of the landscape. Through various hackathons and CTFs I have learned through first-hand experience how engaging and beneficial the community of cyber security in general currently is, at least through the events I attended. Given the nature of ethical hacking and its dangerous potential, I was surprised to find the friendly and cooperative accommodation for others in the same area, regardless of background or level of skill, making it a very mentally positive space despite the technical challenges found in most hackathons. As well as this, modern companies and organizations have increasingly begun to implement bug bounty programs in attempts to preemptively thwart malicious cyber attacks by incentivizing bug bounty hunters to attempt to pinpoint and uncover potential flaws in products and websites, with potential rewards of credit and, in most cases, reputation. The final point I would also like to bring awareness to is the capability of becoming an ethical hacker with almost no formal or paid education. Given the vast variety of resources and courses available online, introductions into cyber security have become an extremely easy gateway into becoming an ethical hacker, given the determination of the participant, which is something I found myself through websites such as TryHackMe and Hack The Box, with both websites being extremely helpful in understanding complicated topics and mentoring through common challenges in an interactive and easy to understand way.

In conclusion, ethical hacking is a vital tool in our digital security toolkit. It ensures that our systems and data remain safe in an increasingly connected world. Although I am myself still a novice, I encourage you all to consider the ethical and moral aspects of this field as you all move forward in your own careers. I would like to also take this chance to advertise my search for open roles within cyber security post-graduation, as I'm actively looking for positions within which I can grow and learn, as well as projects of any scale within which I can gain more technical practice and experience. Thank you all for listening and for your time. I will now open the floor to any questions.

So you mentioned, quite rightly, that many more organizations now do have formal bug bounty programs in place. I've certainly seen amongst corporations that sometimes there's a degree of nervousness when it comes to how they handle interacting with a security researcher. Is there any particular advice that you would give to any security researchers, in things they should just think of as they're reaching out or interacting with a company to try and disclose a potential issue?

Thanks for the question. So I have actually spoken to people working at companies that host bug bounty programs, such as HackerOne, which is a big one for example, and through multiple surveys and interviews in general they've said that they do prefer more informal approaches, because they can find, for example, a security researcher just going to a company and saying "here's this vulnerability, will you give me money" quite an unethical approach and not as desirable for, like, a managing director of a company to deal with. So a recommendation I would give is to always go through the right communication channels, which are made quite accessible and quite easy through HackerOne and other examples like Bugcrowd, where they automatically connect you with the right correspondence at each company.

Did you engage with HackerOne or Bugcrowd?

Yeah, in the beginning. So yes, as part of my university studies I've also taken ethical hacking courses myself, and one example I was given by my lecturer was to try and engage in bug bounty programs myself, just simple ones like cross-site scripting, and I found myself on HackerOne. I'm not too sure how much I can disclose given the sensitivity of the information, but HackerOne, for example, is very easy to use and very easy to get in contact with. So given my working with the company before, I was able to contact them about this talk and see if I could get information from them, see how they would respond to bug bounty programs and how they view it as an ethical dilemma.

I'll ask one. So on responsible disclosure, that can be argued as a two-way street; it's about the responsibility to actually make that disclosure if someone's in denial or for whatever reason. I'm not going to ask you for the definitive answer, but what's your take on that balancing act that you have to play if you're doing vulnerability research and you find a vulnerability? I'll give an example: the Bluetooth locks that we heard of earlier in the other tracks, when they got stonewalled by the manufacturer but they've gone and published anyway. Do you see any kind of rules that could be put into that, or is that an ethical decision for researchers?

So thanks for the question. I think it is, like you said, a two-way street, where both the researcher and the afflicted organization are equally responsible for disclosing the vulnerability and making it publicly known as well. So, for example, similar to the example you gave yourself, users of the product may be affected personally, and they have every right to know whether their information has been attacked or made vulnerable. So I don't think it'll be put in writing, like on GDPR, although it could be, but it is quite an ethical decision, and the right decision in my opinion at least. Thank you. Anyone else?

... mentioned. So the primary scope that's given by the organizations is the consent that's given. So for example, with Apple, quite an infamous one is their bug bounty program for hacking; being able to hack iPhone Face ID is like a million dollar bounty. So I'm assuming with that one they've more or less given consent within a scope, but another example could be a smaller-scale company where they can't afford to have a product breakdown just for research purposes, so consent is quite a key factor.

One more, a bit of an off-topic one, more personal for yourself. I noticed you mentioned Hack The Box and TryHackMe. Do you have any recommendations for rooms or CTFs on either of those platforms?

So personally I started with TryHackMe and I'm still up to date on it today; I haven't stopped using it. It's been very beneficial towards me, especially covering things that university doesn't teach. It's very helpful and very interactive, and not so much just throwing information at you; it's quite a step-by-step guide. So TryHackMe rooms I would recommend: Rick and Morty is like the most famous one, it's quite a popular room on there. I'd also recommend the pathways they have, so instead of going for one specific area such as Linux escalation, you can pick a general pathway and it will cover quite a lot of topics in that area. Thank you very much. Again, thank you.