
Black, White or Grey:

The Unique Necessity of Hackers

Eric Entenberg
ENC1102: Freshman Composition
April 22, 2016

The practice of gaining unauthorized access to data in a system is called hacking. As in old western movies, where the villains wore black hats and the heroes wore white, computer security separates black hat from white hat hackers; there is also a third school of thought, the grey hat. The association the average user makes falls on the black hat end of the spectrum: the malicious, prying eyes upon sensitive personal information. The black hat deals in exploiting systems to gain access to information; unlike the black hat, the white hat has a much nobler exigence, exploring computer systems with the intention of improving their security. Grey hats fall between the other two: they often do not follow all the laws, but they generally lack the malicious intentions of the black hats. The invention of the internet has truly revolutionized how people approach a variety of situations. It is now easier than ever to transmit information electronically, and there is a huge demand for sharing it, whether through social media or banking. While the integration of this information juggernaut has improved many aspects of everyday life, it has also created a void for a new type of threat to fill. Although hacking may seem purely malicious in nature, the opposite is actually true. When one analyzes the hacking discourse, some of the metaphorical party lines can seem blurred, but there are clear fundamental differences. Hacking is a necessary evil in the modern age, and the most important role of hackers lies in their interactions with other hackers. The back and forth between them allows the cyber security industry to grow rapidly, both monetarily and technically.
There exists an equilibrium between these three schools of hacking. Black hats are finding new ways to infiltrate personal systems and avoid detection; simultaneously, white hats are innovating to build stronger defenses that deter the black hats. While the black hats and white hats duke it out, the grey hat sits watching and learning from both sides. In 2007, Hal Berghel wrote about methods to hide covert data within light data1. One main focus is hiding data inside packets of the Internet Control Message Protocol2, or ICMP, the protocol that carries ping requests and network error reports. Such packets often go unexamined by firewalls and intrusion-detection software because those tools assume that all ICMP traffic follows the specification and is the routine filler it usually is, so they never look at what the data field of an echo request actually carries. Considering that file systems are now measured in terabytes (10^12 bytes), inspecting every byte by hand for hidden data is not a viable option; any search has to be automated and targeted. In 2011, a randomized data hiding algorithm was proposed using a modified Vernam Cipher3 method (Ray et al. 2011). This method allows a user to hide secret messages by changing the least significant bit4 of bytes within the cover file5, a change small enough that the cover file still looks and behaves normally (1211). In 2013, HIDEINSIDE, a randomized information hiding tool, was proposed by Avinash Srinivasan, Srinath Thirthahalli, and Angelos Stavrou. HIDEINSIDE combines two fields of computer security: anti-forensics, the practice of concealing the manipulation of data, and steganography, the practice of hiding a secret message (or, in a modern context, more likely a file, image, or other media) within another message or file.

The smallest unit of disk storage is the sector, and the file system hands out space in clusters, each a fixed number of sectors (four in the layout described here; the count is set when the volume is formatted and varies by system). Sectors are of a fixed size, and if a file requires more space than its current cluster provides, another whole cluster must be allocated. The unused bytes between the end of a file and the end of its last cluster are known as slack space. To combine anti-forensics and steganography, Srinivasan, Thirthahalli, and Stavrou hide their information in that slack (627). To further obfuscate the secret, it is encrypted, and an MD5 hash6 of it is kept so that the integrity of the recovered data can be validated; MD5 is a one-way digest rather than a cipher, so it provides the integrity check, not the concealment. All the while, the location of each hidden fragment is stored in a map on an external system for easy reassembly later. Because HIDEINSIDE does not alter the visible contents of the cover file, and because the slack space is already part of the file's allocated disk space, directory listings, file sizes, and checksums of the cover file reveal nothing; only a tool that reads the allocated clusters past the logical end of the file, as forensic suites routinely do, will see the payload. This type of tool can fall anywhere on the black, grey, white spectrum depending on the purpose of the person using it. The progression of slack space hiding is visible in that initial implementations could only hide text messages, whereas some newer methods can also hide information within an image. Hackers can use various tools to exploit storage that is reserved but not in use. A black hat could use this to hide malicious code in a location that is inconvenient to access, a tactical move to evade detection by computer forensics tools. Inversely, a white hat can use HIDEINSIDE to store a client's sensitive information in a location that is not as easily reached by other hackers, and a grey hat could use HIDEINSIDE for a similar purpose.

1 Light data is data that is meant to be seen. Inversely, dark data is meant not to be seen; it is generally concealed, missing, misplaced, hidden, or undiscovered.
2 For more information on the specifics of the protocol: https://support.microsoft.com/enus/kb/170292
3 For more information on the Vernam cipher: http://www.cs.miami.edu/home/burt/learning/Csc609.051/notes/02.html
4 Least significant bit. Memory is stored in bytes of 8 bits; the least significant bit is the rightmost of the eight, so flipping it changes the byte's value by only one.
5 Cover file: a decoy file that is used to store messages.
6 The MD5 hash function returns a 128-bit value, usually written as 32 hexadecimal digits. The function works in only one direction and cannot be reversed other than by guessing inputs until one produces the same output. Since 2004 it has also been possible to construct two different inputs with the same MD5 hash, so it is no longer trusted where an attacker can choose the data; it still serves as a simple check against accidental corruption. For more information visit: https://en.wikipedia.org/wiki/MD5
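To make the ICMP channel described above concrete, here is an added example written for this page; it is not taken from Berghel's article, from the essay, or from any of the tools it discusses. It shows a sender that spreads a secret across echo requests of the normal 56-byte payload size, and the cheap check an inspecting device could apply but usually does not: whether the data field is really the filler a ping client sends. The secret, the identifier 0x1234, and the filler models are constructed for the example; the iputils layout (an 8-byte timestamp followed by bytes 0x08 onward) is a simplification of what real clients emit.

```python
"""Added example, not from the essay or from Berghel's article: a toy ICMP echo
covert channel and the payload check that an inspecting firewall could apply.
Everything here is constructed: the secret, the identifier 0x1234, and the
filler models (a simplification of what real ping clients emit)."""
import struct

ICMP_ECHO_REQUEST = 8
WINDOWS_PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"  # Windows ping filler
LINUX_PAYLOAD_LEN = 56                                    # iputils default size


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words (odd length is padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP echo request: type 8, code 0, checksum, identifier, sequence, data."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def parse_echo(pkt: bytes):
    """Return (ident, seq, payload). A packet with a valid checksum re-sums to 0."""
    if len(pkt) < 8 or icmp_checksum(pkt) != 0:
        raise ValueError("malformed ICMP packet")
    typ, code, _, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    if (typ, code) != (ICMP_ECHO_REQUEST, 0):
        raise ValueError("not an echo request")
    return ident, seq, pkt[8:]


def linux_ping_payload(stamp: int = 0) -> bytes:
    """Model of the iputils filler: an 8-byte timestamp, then bytes 0x08..0x37."""
    return struct.pack("!Q", stamp) + bytes(range(8, LINUX_PAYLOAD_LEN))


def covert_packets(secret: bytes, ident: int = 0x1234, chunk: int = 48) -> list:
    """Sender: spread the secret over echo requests, each padded to the normal
    56-byte payload so that packet size alone gives nothing away. The sequence
    number doubles as the chunk index and is stored where a timestamp would sit."""
    pkts = []
    for seq, off in enumerate(range(0, len(secret), chunk), start=1):
        piece = secret[off:off + chunk].ljust(chunk, b"\x00")
        pkts.append(build_echo(ident, seq, struct.pack("!Q", seq) + piece))
    return pkts


def reassemble(pkts: list) -> bytes:
    """Receiver: order chunks by sequence number and drop the zero padding
    (a real channel would carry an explicit length; trailing NULs are lost here)."""
    parsed = sorted(parse_echo(p)[1:] for p in pkts)
    return b"".join(payload[8:] for _, payload in parsed).rstrip(b"\x00")


def looks_like_standard_ping(payload: bytes) -> bool:
    """The cheap structural check: is the data field really ping filler?"""
    if payload == WINDOWS_PING_DATA:
        return True
    return len(payload) >= 16 and payload[8:] == bytes(range(8, len(payload)))


def flag_suspicious(pkts: list) -> list:
    """Return (ident, seq) for each echo request whose payload is not ping filler."""
    flagged = []
    for p in pkts:
        ident, seq, payload = parse_echo(p)
        if not looks_like_standard_ping(payload):
            flagged.append((ident, seq))
    return flagged
```

The point of the detector is the one Berghel makes from the other side: a filter that only validates the ICMP header passes the covert packets, because they are well-formed by every field the header check consults. The structural comparison of the data field is cheap enough to run inline; a production detector would also watch echo rate, size variance per host, and replies that arrive without a matching request.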
In a similar fashion to the authors of HIDEINSIDE, Jing Peng, Can Wang, and Hu Wu developed an anti-forensic file concealing technique in 2013. Peng, Wang, and Wu's technique differs from HIDEINSIDE in that it adds an additional encryption step, using a symmetric encryption algorithm together with a second control key and the XOR7 function. It also differs from HIDEINSIDE in that it falls exclusively under white hat hacking; it lacks the ambiguity of usage that came with HIDEINSIDE. The XOR step in Peng, Wang, and Wu's program generates the offsets at which the data is encoded, using two files chosen by the user. The strength of the method lies in the two processes applied along the way. If one were to obtain one of the keys used to encode the data, one would still need the other key along with the two files used to derive the offsets. Even if one happened upon one set of hidden files and the symmetric key, the offsets produced by the XOR function vary with the files passed into it, so other files hidden in this manner remain secure (1207). This technique corresponds strongly to the white hat school of hacking. The benefits of this data hiding method accrue to the user; while hiding a malicious block of code is useful to a black hat, this technique is aimed at hiding sensitive information. Peng, Wang, and Wu's program and HIDEINSIDE are both effective methods of hiding information in plain sight. However, the two go about the hiding in different manners: HIDEINSIDE uses the space already allocated to a file but unused at its end, while Peng, Wang, and Wu create a doubly encrypted file whose offsets are derived from two other files, using a symmetric encryption algorithm of the user's choosing with its own key. The benefit of two stages is that even if a black hat cracked the encryption key, it would still be impractical to recover all of the files, because the offsets depend on the two files the attacker does not have.

7 Known as logical exclusive disjunction, or exclusive or. In propositional logic the function returns true (1) if exactly one of its two arguments is true and false (0) otherwise; applied bit by bit to bytes it is its own inverse, which is why it appears in ciphers. See for more information: https://en.wikipedia.org/wiki/Exclusive_or
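As an added illustration of the slack-space hiding that HIDEINSIDE relies on and that the comparison above contrasts with Peng, Wang, and Wu's approach (this is a simulation written for this page, not the HIDEINSIDE tool or the Peng, Wang, and Wu program), the following builds a toy volume with 512-byte sectors and 4 KiB clusters, hides a payload in a cover file's slack, keeps the off-volume map entry that HIDEINSIDE's design calls for, verifies integrity on recovery, and then runs the forensic check that defeats the technique: reading the allocated clusters past the logical end of file. The volume geometry, the SLK1 marker, and the sample files are assumptions of the example; SHA-256 stands in for the MD5 check because MD5 is collision-broken.

```python
"""Added example, not the HIDEINSIDE tool: a simulated volume showing how file
slack arises, how a payload hides in it, and how a forensic pass finds it.
The geometry, the SLK1 marker and the sample files are assumptions."""
import hashlib

SECTOR = 512
CLUSTER = 8 * SECTOR   # assumed 4 KiB clusters; the size is fixed when a volume is formatted
MAGIC = b"SLK1"        # assumed marker at the start of a hidden record


def clusters_for(size: int) -> int:
    """Whole clusters a file of this size occupies (ceiling division)."""
    return -(-size // CLUSTER)


class Volume:
    """A flat cluster-addressed disk image with a minimal allocation table."""

    def __init__(self, clusters: int):
        self.data = bytearray(clusters * CLUSTER)
        self.files = {}          # name -> (first cluster, logical size)
        self.next_free = 0

    def write_file(self, name: str, content: bytes) -> None:
        start = self.next_free
        self.next_free += clusters_for(len(content))
        off = start * CLUSTER
        self.data[off:off + len(content)] = content
        self.files[name] = (start, len(content))

    def read_file(self, name: str) -> bytes:
        """What every ordinary program sees: only the logical size is returned."""
        start, size = self.files[name]
        return bytes(self.data[start * CLUSTER:start * CLUSTER + size])

    def slack_range(self, name: str):
        """Byte range from the logical end of file to the end of its last cluster."""
        start, size = self.files[name]
        return start * CLUSTER + size, (start + clusters_for(size)) * CLUSTER


def hide(vol: Volume, name: str, payload: bytes) -> dict:
    """Write payload into the cover file's slack and return the map entry that
    HIDEINSIDE's design keeps off the volume for later reassembly."""
    begin, end = vol.slack_range(name)
    record = MAGIC + len(payload).to_bytes(4, "big") + payload
    if len(record) > end - begin:
        raise ValueError("payload larger than the available slack")
    vol.data[begin:begin + len(record)] = record
    # SHA-256 stands in for the paper's MD5 check; MD5 is collision-broken.
    return {"cover": name, "offset": begin, "length": len(record),
            "sha256": hashlib.sha256(payload).hexdigest()}


def recover(vol: Volume, entry: dict) -> bytes:
    """Read the record back via the map and verify it before trusting it."""
    raw = bytes(vol.data[entry["offset"]:entry["offset"] + entry["length"]])
    if raw[:4] != MAGIC:
        raise ValueError("no hidden record at the mapped offset")
    n = int.from_bytes(raw[4:8], "big")
    payload = raw[8:8 + n]
    if hashlib.sha256(payload).hexdigest() != entry["sha256"]:
        raise ValueError("integrity check failed")
    return payload


def scan_slack(vol: Volume) -> list:
    """Forensic check: every file whose slack holds anything but zeros, as
    (name, slack bytes, non-zero bytes). On this fresh volume slack starts out
    zeroed, so any non-zero byte past the logical EOF is worth a look."""
    findings = []
    for name in vol.files:
        begin, end = vol.slack_range(name)
        nonzero = sum(1 for b in vol.data[begin:end] if b)
        if nonzero:
            findings.append((name, end - begin, nonzero))
    return findings
```

Two things the simulation makes visible: the cover file reads back byte-for-byte unchanged after the payload is hidden, which is why size and checksum comparisons miss it, and the hidden record is nonetheless in plain view to any examiner who walks the allocation table rather than the directory. On a real volume slack often holds remnants of earlier, deleted files, so an examiner looks for structure in it (a recognisable marker, or blocks with ciphertext-like entropy) rather than merely for non-zero bytes.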
Not all hacking concerns stem from home computers; the rapid improvement of cellular devices means the average smartphone now contains more powerful hardware than many older computers. With 4G LTE, the most current form of mobile network at the time of writing, there was a paradigm shift from the old circuit-switched design, which required a dedicated connection for the duration of an exchange, to packet switching, which sends data in small blocks routed according to their destination. According to Tu et al.'s "New Threats to SMS-Assisted Mobile Internet Services from 4G LTE Networks", this shift ultimately leaves 4G LTE networks vulnerable to attack; the authors describe an attack based on the short message service (SMS) in which a user's personal information, in the form of a Facebook account, can be taken over through a fraudulent SMS message (9). The main point to take home from this research is threefold: device security cannot keep up with the unpredictable changes of modern networking technologies; phone companies must provide a network standard that does not facilitate insecure correspondence; and services should authenticate the user's response at each instance instead of relying on a one-time authentication performed when the user registers for the service (14). It seems that the security of the user relies very heavily upon the work of the developers.

Popular in the modern technological market is the implementation of cloud-based computing systems. Cloud systems work by connecting a series of discrete nodes into a network. A major attack that can be imposed upon cloud systems is the Distributed Denial of Service8 (DDoS) attack. Because of the demand placed on these systems and the quantity of data they carry, such attacks are quite devastating, so computer scientists have designed a Collaborative Network Security Management System, CNSMS (Chen et al. 2013, 41). This system sifts through the data distributed over the cloud system and checks for suspicious activity on the network; it does so by recording the raw internet traffic from users and then using a security center to analyze the traffic between nodes. The analysis and design of such a system falls under the category of white hat. In a system as interconnected as cloud computing it is important for the white hats to keep the black hats in check; a minor error could leak countless amounts of personal information. The manner in which we use traditional wireless networks should also be considered. As "An Investigation of Security Trends in Personal Wireless Networks" shows, even a relatively inexperienced user can infiltrate personal networks with tools such as Aircrack, MDK3, or Kismet (Liu et al. 2014, 1672-74). While the change from WEP to WPA was a step up in security, and the subsequent upgrade from WPA to WPA2 also brought positive change, it is still necessary to change the way we protect our personal networks, because the methodology remains flawed.

Another rampant issue within the field of personal information security is the effectiveness of various anti-virus tools. When users install anti-virus tools such as McAfee or Norton, they often gain a false sense of security. In "A Forensic Study of the Effectiveness of Selected Anti-Virus Products Against SSDT Hooking Rootkits", the effectiveness of an anti-virus tool is shown to be severely crippled if the system was infected before the tool was installed, and sometimes even if the infection came afterwards (Al-Shaheri et al. 2013, 142-145). The main function targeted by the rootkits studied is NtDeleteValueKey, the kernel routine that removes a value from a registry key; by hooking it, a rootkit can intercept an anti-virus tool's attempts to delete the rootkit's own registry entries before the real function runs (139). Some anti-virus programs were more effective than others at guarding the entries of the System Service Descriptor Table9, or SSDT for short, since the anti-virus products themselves hook SSDT functions to watch for tampering. The rootkits hook certain entries in the SSDT in an attempt to stop anti-virus tools from terminating and removing the infection. Some rootkits even go as far as shutting the entire system down every time an attempt is made to install anti-virus tools on an infected machine. The authors tested the anti-virus products AVG, Kaspersky, McAfee, Avast, and Trend Micro against the rootkits BlackEnergy, Haxdoor, and Papras (141-142). Al-Shaheri et al. concluded that the functions hooked by Avast, Kaspersky, and Trend Micro were most effective in protecting the SSDT, while AVG had less success and McAfee did not hook any of the functions of the SSDT (145). When users purchase a security suite, they expect a foolproof system; however, rootkit threats are still very real. Nor does security end with the installation of anti-virus software. More recently, the hiding of data within New Technology File System (NTFS) structures has been observed as a black hat attack against users (Hsu et al. 2016, 129). In the late 1990s, IPv610 was announced as the replacement for Internet Protocol version 4, IPv4. By providing a substantially larger set of possible addresses, IPv6 makes it harder for black hat hackers to identify targets, since blindly scanning the whole address space is no longer feasible. While this adds some protection, the fact remains that some users will still be tricked into falling for Trojans, worms, and other malware (Jegatheesan and El-Kadri 2). The task of protecting oneself lies in the hands of the computer's user; browsing the web responsibly is the most effective way of protecting personal privacy.

8 A Distributed Denial of Service attack is one in which the traffic originates from many unique IP addresses at once, overwhelming the target and effectively blocking use of the service.
9 The System Service Descriptor Table is the Windows kernel's table of pointers to its system service routines, the kernel functions that system calls (registry operations among them) are dispatched to; replacing a pointer redirects every call to that service through the replacement. For more information visit: https://en.wikipedia.org/wiki/System_Service_Descriptor_Table
Ultimately, at the end of this seemingly ever-branching tree of information vulnerability, a resolution appears at the end of the tunnel. Each of these precisely executed attacks forces computer scientists to constantly improve their security measures to stop the black hat hackers. Without the black hats, however, the white hats would have no purpose. This exchange of metaphorical blows allows the community to grow further. Constant evolution not only allows but forces change within our current technological security infrastructure. The grey hat has seemed passive this entire time, yet grey hats benefit from the advancements of both sides. Without the moral convictions of the white hat but also lacking the malicious intent of the black hat, the grey hat seemingly gets the best of both worlds: they take whatever personal gain comes from their interactions, lawful or not, and do not directly harm others with their actions. While the black hat and the white hat both seek personal gain, by different means, they converge upon the idea of profit. The noble seek to protect the innocent, for their benefit, while the thieves build their own empires through deception. The three sides are in reality much more similar to one another than an uninitiated bystander may realize; the main differences lie in the intentions rather than the techniques. Black hats essentially act as test cases for the white hats' security systems. Grey hats can serve a similar function, but their actions are often unknown to other hackers. Without the black hats there would be no need for white hats; the blurring of lines between righteous and malevolent demonstrates that for a good to exist, there must also be an evil. With such a divided ideology there will also exist a middle ground, hence the role of the grey hat.

10 IPv stands for Internet Protocol version. IPv6 uses 128-bit addresses in place of IPv4's 32 bits, so its address space is 2^96, about 7.9 × 10^28, times larger, and the protocol was specified with support for IPsec built in. For more information visit: https://www.google.com/intl/en/ipv6/

Works Cited
Al-Shaheri, Sami, Dale Lindskog, Pavol Zavarsky, and Ron Ruhl. 2013. "A Forensic Study of the Effectiveness of Selected Anti-Virus Products Against SSDT Hooking Rootkits." 139-162.
Berghel, Hal. 2007. "Hiding Data, Forensics, and Anti-Forensics." 15-20.
Chen, Z., F. Y. Han, J. W. Cao, X. Jiang, and S. Chen. 2013. "Cloud Computing-Based Forensic Analysis for Collaborative Network Security Management System." 40-50.
Hsu, Fu-Hau, Min-Hao Wu, Syun-Cheng Ou, and Shiuh-Jeng Wang. 2016. "Data Concealments with High Privacy in New Technology File System." 120-140.
Jegatheesan, Sowmyan, and Nour El-Kadri. 2013. "Privacy and Security in IPv6." 1-3.
Liu, Lu, Thomas Stimpson, Nick Antonopoulos, Zhijun Ding, and Yongzhao Ding. 2014. "An Investigation of Security Trends in Personal Wireless Networks." 1669-1687.
Peng, Jing, Can Wang, and Hu Wu. 2013. "A Novel File-Concealing Method for Computer Anti-Forensics." 1203-1209.
Ray, Rishav, Jeeyan Sanyal, Tripti Das, Kaushik Goswami, Sankar Das, and Asoke Nath. 2011. "A New Randomized Data Hiding Algorithm with Encrypted Secret Message Using Modified Generalized Vernam Cipher Method: RAN-SEC Algorithm." 1211-1216.
Srinivasan, A., S. T. Nazaraj, and A. Stavrou. 2013. "HIDEINSIDE: A Novel Randomized Encrypted Antiforensic Information Hiding." 626-631.
Tu, Guan-Hua, Yuanjie Li, Chunyi Peng, Chi-Yu Li, Muhammad Taqi Raza, Hsiao-Yun Tseng, and Songwu Lu. 2015. "New Threats to SMS-Assisted Mobile Internet Services from 4G LTE Networks." 1-16.
