Security experts have hit out at the notion that there are benefits to be had from engaging with cyber criminals in order to better understand emerging threats.

However, many are calling on the industry and media to recognise the work of so-called 'ethical hackers' and to acknowledge that not all hackers are criminals.

Bruce Schneier, CTO at BT Counterpane, told silicon.com: "Hackers are not criminals. Hackers are individuals who know how to subvert systems. I don't think we open a dialogue with the criminals, like we don't open a dialogue with the mafia but the techniques that hackers understand are very important for us to understand."

However, the line between ethical hacking and the more common notion that hacking is related to criminal activity is blurred for many people and creates considerable grey areas. But for one lawyer it is pretty clear-cut. Ethical hackers - to be considered as such - must have been authorised by the rightful owner or administrator to test a system or application.

Check out the silicon.com InfoSec podcast

Featuring lively discussion on phishing, spam and the criminal fraternity. Listen now.

John Fell, partner at law firm Pinsent and Masons, said the issue of authorisation is critical. "Lawyers love definitions," said Fell. "'Black hat', 'white hat', 'ethical hacker'. But when you talk about ethical hacking there has to be some authorisation."

Those working on their own initiative fall outside the legal definition, said Fell.

'White hat' hackers

Graham Cluley, senior technology consultant at Sophos, said the actions of some 'white hat' hackers who find and disclose vulnerabilities can be as damaging as criminal activity if disclosure is handled irresponsibly.

Peter Wood from First Base Technologies is a well-established ethical hacker - or penetration tester - and says he must tread very carefully in his line of work. Wood normally only begins his attempts to breach the defences at companies hiring his services once HR and IT departments have given him sign-off.

However, beyond that, he said: "We try to take the same approach as people who attempt to break in with malicious intent."

The question of whether criminally motivated hackers can deliver value to businesses and help understand emerging threats also divided experts speaking to silicon.com (see the video above).

But First Base's Wood said many attackers now need no specialist knowledge due to the vast amounts of tools made available on the internet. As such, the notion that hackers possess a gift for complex code is far from the truth.

Sounding a warning to businesses, Wood added: "Attacks are getting easier and easier for people who may not be that technical."

Watch Video: InfoSec 2007: Hackers: What are they good for?

• Print this
• Add a comment
• Email this
• Bookmark
• Updates
• Related links