WATCH ABOVE: Police are asking ethical hackers to help them with their investigation into the Ashley Madison data leaks. Tech reporter Nicole Bogart explains the difference between so-called white hat and black hat hackers.
TORONTO – It’s not every day that the police appeal to the hacking community to help investigate a wide-scale hacking incident.
On Monday, Toronto Police called on the so-called “white hat” hacker community to assist them in their investigation into the data breach of affair facilitating website Ashley Madison.
The website, operated by Toronto-based company Avid Life Media, was initially hacked last month by a group called The Impact Team. The hacker group’s data breach exposed some 32 million memberships. Police are now describing it as one of the largest data breaches in history.
“To the hacking community who engage in discussions on the dark web and no doubt have information that could assist this investigation,” said Acting Staff Superintendent Bryce Evans during the press conference. “We are…appealing to you to do the right thing, to acknowledge that this is a unique situation that has caused enormous social and economic fallout.”
Evans thanked the open source tech community for their help in the investigation thus far, adding that Avid Life Media is offering a $500,000 reward for information leading to the identification and arrest of those behind the data leak.
WATCH: Police call on hackers to help with Ashley Madison investigation
Who are ‘white hat’ hackers?
The term “hacker” is often associated with cyber criminals – the bad guys, who are behind serious data breaches like the Ashley Madison leak.
But hackers can also be found sitting in the offices of some of the most trusted security companies, conducting experiments for the same companies who may be targets.
The latter, however, are the good guys.
They call themselves ethical or “white hat” hackers, and work to find vulnerabilities either online or in business systems and responsibly disclose them to those in charge.
Ethical hackers are playing an increasingly important role in helping to find these vulnerabilities before the bad guys get to them.
White hat hackers can be employed by security firms like Trustwave, work for businesses, government bodies, or law enforcement agencies to assist in cyber crime investigations. They can also act independently, working in areas like the dark web to take down the “black hat” hackers.
‘Hacker’ doesn’t have to be a scary word
Ethical hackers have been responsible for discovering some major bugs, such as the massive OpenSSL vulnerability – dubbed the Heartbleed Bug. It was discovered by a team of researchers at Finnish security firm Codenomicon, with the help of a Google researcher.
In 2008, hacker Dan Kaminsky made a name for himself after discovering a flaw in the Domain Name System (DNS) protocol. His findings led to an industry-wide patching effort that included software giants like Microsoft and Cisco.
“I identify as a hacker – an ethical hacker – it shouldn’t be a bad term. There are a lot of people out there called tinkerers or hackers that are doing good,” Kaminsky said. “It’s just the only ones you hear about are the ones who are doing bad.”
But, asking white hat hackers for help could have implications
Because much of the Ashley Madison data leak unfolded on the dark web, it makes sense that authorities are appealing to “good” hackers who may have engaged with those behind the leak to come forward. However, according to cyber security expert Chris Parsons, it could have major implications.
“Such hackers possess a technical skill set and may use it to analyze leaked data or to try and track down or identify those suspected for leaking the Ashley Madison data,” said Parsons.
“The danger…is that in hunting for suspected leakers some parties may act beyond, or outside, the law in an attempt to help authorities. In the course of behaving this way they might actually endanger the investigation’s legitimacy or even compromise legitimate evidence.”
Parsons added that without a clearer set of ‘terms of engagement,’ police could bring on further investigations into those “recruited” to help them – putting a strain on resources and risking the integrity into the investigation into the Ashley Madison data breach.