The term “hacking” often conjures up negative images — data breaches, compromised networks, defaced websites, and distributed denial-of-service (DDoS) attacks. Recently, the Philippines has been plagued by such incidents, further embedding the notion of hacking as a threat.
A recent event has muddied the waters between malicious hacking and ethical hacking. An alleged directive by a newspaper editor to hack both government and private entities has sparked confusion. This incident blurs the line between illegal hacking and hacking with consent — often referred to as ethical hacking.
The National Bureau of Investigation (NBI) arrested three individuals for allegedly hacking into government websites, Facebook accounts, and banks. These activities were supposedly ordered by Art Samaniego Jr., the editor of the Manila Bulletin’s Tech Section and the paper’s technology officer. One suspect claimed Samaniego instructed them to hack websites to uncover content for his stories.
One suspect insisted they never sold or leaked the compromised data. However, does this lessen the severity of their actions?
In 2005, Samaniego was implicated in unauthorized access to the INQ7 news website. Samaniego asserted that the action was a “vulnerability test” conducted alongside Tridel Technologies Inc. However, their activities were deemed to violate Republic Act No. 8792, the Philippine Electronic Commerce Act, which penalizes unauthorized access to networks and computer systems. The parties involved reached an out-of-court settlement and issued a public apology for their actions.
To clarify the complexities of hacking, Back End News consulted CrowdStrike, a cybersecurity solutions company. According to Mark Goudie, services director for Asia Pacific and Japan at CrowdStrike, ethical hacking is the legitimate practice of testing systems’ security using techniques similar to those used by malicious hackers.
Understanding hacking: ethical vs. malicious
Malicious hacking, often highlighted in media, involves unauthorized access to networks to commit crimes such as data theft. This form of hacking is illegal and carries severe legal, financial, and reputational consequences. Under the Philippines’ Cybercrime Prevention Act of 2012 (Republic Act No. 10175), “illegal access” is a punishable offense.
In contrast, ethical hacking, or white-hat hacking, involves security testing done with permission. Ethical hackers operate within legal boundaries and are often employed by organizations to identify and fix vulnerabilities.
Goudie explains that ethical hackers object to the term “ethical,” as it suggests hacking is inherently unethical. Instead, they prefer to be recognized as professionals who help secure systems against threats.
The role of white-hat hackers
Many companies hire ethical hackers, also known as penetration testers or red teamers, to test their systems’ defenses. This practice is similar to quality control in other industries. Penetration testers use techniques similar to those of attackers to find and fix weaknesses before malicious hackers can exploit them.
Penetration testing involves chaining vulnerabilities into attack paths to achieve specific outcomes, whereas vulnerability scanning focuses on identifying individual weaknesses using automated tools.
“With the rise of advanced threats like APTs and ransomware, penetration testers have had to specialize in areas such as web application testing, cloud platforms, exploit development, or reverse engineering,” Goudie explained. “These specialists provide actionable recommendations to strengthen security based on their findings.”
Ethical hackers don’t necessarily come from malicious backgrounds. “Anyone with the necessary skills and a commitment to ethical standards can become an ethical hacker,” Goudie emphasized.
Tools and techniques of ethical hackers
According to Goudie, white-hat hackers often use tools like Burp Suite and Nmap.
“Burp Suite allows them to analyze and modify web requests to uncover vulnerabilities in applications,” he said. “Nmap helps identify services running on IP addresses, which is crucial for finding potential entry points. They may also use Command and Control (C2) frameworks such as Cobalt Strike, Sliver, or Mythic for red team exercises. These tools can generate and remotely control malware implants, providing a foothold for further attacks in simulated environments.”
Legal boundaries and ethical considerations
Consent is the foundation of ethical hacking. Goudie stressed that penetration testing and red teaming must be done with explicit permission from system owners. Ethical hackers must follow all agreed-upon guidelines and legal boundaries.
The primary aim of ethical hacking is to demonstrate security flaws in a controlled manner to prevent unnecessary damage. Transparency is crucial; ethical hackers must provide clear reports to system owners, ensuring identified vulnerabilities are understood and addressed.
The importance of responsible disclosure
Responsible disclosure involves notifying vendors of vulnerabilities and giving them time to fix issues before publicizing the details. This process minimizes the risk of exploitation by malicious actors.
Goudie outlined the steps for responsible disclosure:
- Discovery: Ethical hackers find a vulnerability.
- Reporting: They securely report it to the affected organization or a mediator like a bug bounty platform.
- Verification: The organization confirms the vulnerability.
- Remediation: A fix is developed and implemented.
- Disclosure: The vulnerability is publicly disclosed with credit to the discoverer.
It is important to note that ethical hackers play a vital role in securing systems, especially those handling sensitive data. Their expertise is critical in testing for vulnerabilities that could be exploited by malicious actors. Hacking without consent is just malicious hacking.
CrowdStrike, a global cybersecurity provider, has redefined modern security with the world’s most advanced cloud-native platform for protecting critical areas of enterprise risk — endpoints and cloud workloads, identity, and data.