Grey hat hacking series introduction to ethical disclosure by art4haxk
Grey hat hacking series part1 Introduction to ethical disclosure

Grey Hat Hacking Series Part 1 Introduction to Ethical Disclosure By art4haxk

Chap 1. Ethics of Ethical Hacking.

This is our first chap of grey hat hacking series a-z. And in this chapter will tell you about ethical of ethical hacking. It's just a simple chapter and start only not very depth but as beginner it's important for you. Don't miss any article regarding this series if you want to be professional in it.
Team art4haxk
Let's start:
  • • Role of ethical hacking in today’s world 
  • • How hacking tools are used by security professionals 
  • • General steps of hackers and security professionals 
  • • Ethical issues among white hat, black hat, and gray hat hackers
This series has not been compiled and written to be used as a tool by individuals who wish to carry out malicious and destructive activities. It is a tool for people who are interested in extending or perfecting their skills to defend against such attacks and damaging acts. Let’s go ahead and get the commonly asked questions out of the way and move on from there. Was this series written to teach today’s hackers how to cause damage in more effective ways? Answer: No. Next question. Then why in the world would you try to teach people how to cause destruction and mayhem? Answer: You cannot properly protect yourself from threats you do not understand.
Grey hat hacking series by

The goal is to identify and prevent destruction and mayhem, not cause it. I don’t believe you. I think these series are only written for profits and royalties. Answer: This series actually was written to teach security professionals what the bad guys already know and are doing. More royalties would be nice, so please buy two copies of this series. 
Still not convinced? Why do militaries all over the world study their enemies’ tactics, tools, strategies, technologies, and so forth? Because the more you know what your enemy is up to, the better idea you have as to what protection mechanisms you need to put into place to defend yourself. Most countries’ militaries carry out scenario-based fighting exercises in many different formats. For example, pilot units will split their team up into the “good guys” and the “bad guys.” The bad guys use the tactics, techniques, and fighting methods of a specific type of enemy—Libya, Russia, United States, Germany, North Korea, and so on.
The goal of these exercises is to allow the pilots to understand enemy attack patterns, and to identify and be prepared for certain offensive actions so they can properly react in the correct defensive manner. This may seem like a large leap for you, from pilots practicing for wartime to corporations trying to practice proper information security, but it is all about what the team is trying to protect and the risks involved. 
Militaries are trying to protect their nation and its assets. Several governments around the world have come to understand that the same assets they have spent millions and billions of dollars to protect physically are now under different types of threats. The tanks, planes, and weaponry still have to be protected from being blown up, but they are all now run by and are dependent upon software. This software can be hacked into, compromised, or corrupted. 
Coordinates of where bombs are to be dropped can be changed. Individual military bases still need to be protected by surveillance and military police, which is physical security. Surveillance uses satellites and airplanes to watch for suspicious activities taking place from afar, and security police monitor the entry points in and out of the base. These types of controls are limited in monitoring all of the physical entry points into a military base. 
Because the base is so dependent upon technology and software—as every organization is today—and there are now so many communication channels present (Internet, extranets, wireless, leased lines, shared WAN lines, and so on), there has to be a different type of “security police” that covers and monitors these technical entry points in and out of the bases. 
So your corporation does not hold top security information about the tactical military troop movement through Afghanistan, you don’t have the speculative coordinates of the location of bin Laden, and you are not protecting the launch codes of nuclear bombs—does that mean you do not need to have the same concerns and countermeasures? Nope. The military needs to protect its assets and you need to protect yours. The example of protecting military bases may seem extreme, but let’s look at many of the extreme things that companies and individuals have had to experience because of poorly practiced information security. 
Figure 1-1, from Computer Economics, 2006, shows the estimated cost to corporations and organizations around the world to survive and “clean up” during the aftermath of some of the worst malware incidents to date. From 2005 and forward, overall losses due to malware attacks declined. This reduction is a continuous pattern year after year. Several factors are believed to have caused this decline, depending upon whom you talk to. These factors include a combination of increased hardening of the network infrastructure and an improvement in antivirus and anti-malware technology. Another theory regarding this reduction is that attacks have become less generalized in nature, more specifically targeted. 
The attackers seem to be pursuing a more financially rewarding strategy, such as stealing financial and credit card information. The less-generalized attacks are still taking place, but at a decreasing rate. While the less-generalized attacks can still cause damage, they are mainly just irritating, time-consuming, and require a lot of work-hours from the operational staff to carry out recovery and cleanup activities. The more targeted attacks will not necessarily continue to keep the operational staff carrying out such busy work, but the damage of these attacks is commonly much more devastating to the company overall.
Grey Hat Hacking Series Part 1 Introduction to Ethical Disclosure  by art4haxk
Fig 1-1
The “Symantec Internet Security Threat Report” (published in September 2006) confirmed the increase of the targeted and profit-driven attacks by saying that attacks on financial targets had increased by approximately 350 percent in the first half of 2006 over the preceding six-month period. Attacks on the home user declined by approximately 7 percent in that same period. The hacker community is changing.
Grey hat hacking series by
Over the last two to three years, hackers’ motivation has changed from just the thrill of figuring out how to exploit vulnerabilities to figuring out how to make revenue from their actions and getting paid for their skills. Hackers who were out to “have fun” without any real targeted victims in mind have been largely replaced by people who are serious about reaping financial benefits from their activities. The attacks are not only getting more specific, but also increasing in sophistication. 
This is why many people believe that the spread of malware has declined over time—malware that sends a “shotgun blast” of software to as many systems as it can brings no financial benefit to the bad guys compared with malware that zeros-in on a victim for a more strategic attack. 
The year 2006 has been called the “Year of the Rootkit” because of the growing use of rootkits, which allow hackers to attack specific targets without much risk of being identified. Much antivirus and anti-malware cannot detect rootkits (specific tools are used to detect rootkits), so while the vendors say that they have malware more under control, it is rather that the hackers are changing their ways of doing business.
Although malware use has decreased, it is still the main culprit that costs companies the most money. An interesting thing about malware is that many people seem to put it in a category different from hacking and intrusions. The fact is, malware has evolved to become one of the most sophisticated and automated forms of hacking.
Table 1-1
The attacker only has to put in some upfront effort developing the software, and then it is free to do damage over and over again with no more effort from the attacker. The commands and logic within the malware are the same components that many attackers carry out manually. The company Alinean has put together some cost estimates, per minute, for different organizations if their operations are interrupted. 
Even if an attack or compromise is not totally successful for the attacker (he does not obtain the asset he is going for), this in no way means that the company is unharmed. Many times attacks and intrusions cause a nuisance, and they can negatively affect production and the operations of departments, which always correlates with costing the company money in direct or indirect ways. These costs are shown in Table 1-1. 
A conservative estimate from Gartner (a leading research and advisory company) pegs the average hourly cost of downtime for computer networks at $42,000. A company that suffers from worse than average downtime of 175 hours a year can lose more than $7 million per year. Even when attacks are not newsworthy enough to be reported on TV or talked about in security industry circles, they still negatively affect companies’ bottom lines all the time. Companies can lose annual revenue and experience increased costs and expenses due to network downtime, which translates into millions of dollars lost in productivity and revenue.
Here are a few more examples and trends of the security compromises that are taking place today:
  • • Both Ameritrade and E-Trade Financial, two of the top five online brokerage services, confirmed that millions of dollars had been lost to (or stolen by) hacker attacks on their systems in the third quarter of 2006. Investigations by the SEC, FBI, and Secret Service have been initiated as a result. 
  • • Apple computers, which had been relatively untargeted by hackers due to their smaller market share, are becoming the focus of more attacks. Identified vulnerabilities in the MAC OS X increased by almost 400 percent from 2004 to 2006, but still make up only a small percentage of the total of known vulnerabilities. In another product line, Apple reported that some of their iPods shipped in late 2006 were infected with the RavMonE.exe virus. The virus was thought to have been introduced into the production line through another company that builds the iPods for Apple.
  • • In December 2006, a 26-year-old Romanian man was indicted by U.S. courts on nine counts of computer intrusion and one count of conspiracy regarding breaking into more than 150 U.S. government computer systems at the Jet Propulsion Labs, the Goddard Space Flight Center, Sandia National Laboratories, and the U.S. Naval Observatory. The intrusion cost the U.S. government nearly $150 million in damages. The accused faces up to 54 years in prison if convicted on all counts.
  • • In Symantec’s “Internet Security Threat Report, Volume X,” released September 2006, they reported the detection of over 150,000 new, unique phishing messages over a six-month period from January 2006 through June 2006, up 81 percent over the same reporting period from the previous year. Symantec detected an average of 6,110 denial-of-service (DoS) attacks per day, the United States being the most prevalent target of attacks (54 percent), and the most prolific source of attacks (37 percent) worldwide. Networks in China, and specifically Beijing, are identified as being the most bot-infected and compromised on the planet.
  • • On September 25, 2007, hackers posted names, credit card numbers, as well as Card Verification Value (CVV) Codes and addresses of eBay customers on a forum that was specifically created for fraud prevention by the auction site. The information was available for more than an hour to anyone that visited the forum before it was taken down. 
  • • A security breach at Pfizer on September 4, 2007, may have publicly exposed the names, social security numbers, addresses, dates of birth, phone numbers, credit card information, signatures, bank account numbers, and other personal information of 34,000 employees. The breach occurred in 2006 but was not noticed by the company until July 10, 2007. 
  • • On August 23, 2007, the names, addresses, and phone numbers of around 1.6 million job seekers were stolen from 
  • • On February 8, 2007, reported that identity theft had topped the Federal Trade Commission’s (FTC’s) complaint list for the seventh year in a row. Identity theft complaints accounted for 36 percent of the 674,354 complaints that were received by the FTC in the period between January 1, 2006, and December 31, 2006. 
  • • has reported that the total number of records containing sensitive information that have been involved in security breaches from January 10, 2005, to September 28, 2007 numbers 166,844,653.
  • • Clay High School in Oregon, Ohio, reported on January 25, 2007, that staff and student information had been obtained through a security breach by a former student. The data had been copied to an iPod and included names, social security numbers, birth dates, phone numbers, and addresses.
  • • The theft of a portable hard drive from an employee of the U. S. Department of Veteran’s Affairs, VA Medical Center in Birmingham, Alabama, resulted in the potential exposure of nearly a million VA patients’ data, as well as more than $20 million being spent in response to the data breach. 
  • • In April 2007, a woman in Nebraska was able to use TurboTax online to access not only her previous tax returns, but the returns for other TurboTax customers in different parts of the country. This information contained things like social security numbers, personal information, bank account numbers, and routing digits that would have been provided when e-filing. 
  • • A security contractor for Los Alamos National Laboratory sent critical and sensitive information on nuclear materials over open, unsecured e-mail networks in January 2007—a security failing ranked among the top of serious threats against national security interests or critical Department of Energy assets. Several Los Alamos National Security officials apparently used open and insecure e-mail networks to share classified information pertaining to nuclear material in nuclear weapons on January 19, 2007.
Carnegie Mellon University’s Computer Emergency Response Team (CERT) shows in its cyberterrorism study that the bad guys are getting smarter, more resourceful, and seemingly unstoppable, as shown in Figure 1-2. So what will companies need to do to properly protect themselves from these types of incidents and business risks?
  • • In 2006, an increasing number of companies felt that security was the number one concern of senior management. Protection from attack was their highest priority, followed by proprietary data protection, then customer and client privacy, and finally regulatory compliance issues. 
  • • Telecommuting, mobile devices, public terminals, and thumb drives are viewed as principal sources of unauthorized data access and data theft, but are not yet covered in most corporate security policies and programs. 
  • • The FBI has named computer crimes as their third priority. The 203-page document that justifies its 2008 fiscal year budget request to Congress included a request for $258.5 million to fund 659 field agents. This is a 1.5 percent increase over the 2007 fiscal year. 
  • • IT budgets, staffing, and salaries were expected to increase during the year 2007 according to a survey of CIOs and IT executives conducted by the Society for Information Management. 
  • • In February 2007, reported in a teleconference that the firms they had surveyed were planning on spending between 7.5 percent and 9.0 percent of their IT budgets on security. These figures were fairly consistent among different organizations, regardless of their industry, size, and geographic location. In May 2007 they reported that more than half of the IT directors they had surveyed were planning on increasing their security budgets.
Fig 1-2
As stated earlier, an interesting shift has taken place in the hacker community—from joyriding to hacking as an occupation. Today close to a million computers are infected with bots that are controlled by specific hackers. If a hacker has infected 4,000 systems, she can use her botnetwork to carry out DoS attacks or lease these systems to others. Botnets are used to spread more spam, phishing attacks, and pornography. 
Hackers who own and run botnets are referred to as bot herders, and they lease out systems to others who do not want their activities linked to their true identities or systems. Since more network administrators have properly configured their mail relays, and blacklists are used to block mail relays that are open, spammers have had to move to different methods (using botnets), which the hacking community has been more than willing to provide— for a price. 
On January 23, 2006, “BotHerder” Jeanson James Ancheta, 21, of Downey, California, a member of the “botmaster underground,” pleaded guilty to fraudulently installing adware and then selling zombies to hackers and spammers. “BotHerder” was sentenced on May 8, 2006, with a record prison sentence of 57 months (nearly five years) in federal prison. At the time of sentencing it was the first prosecution of its kind in the United States, and was the longest known sentence for a defendant who had spread computer viruses.
NOTE: A drastic increase in spam was experienced in the later months of 2006 and early part of 2007 because spammers embedded images with their messages instead of using the traditional text.This outwitted almost all of the spam filters, and many people around the world experienced a large surge in spam.
So what does this all have to do with ethics? As many know, the term “hacker” had a positive connotation in the 1980s and early 1990s. It was a name for someone who really understood systems and software, but it did not mean that they were carrying out malicious activities. As malware and attacks emerged, the press and the industry equated the term “hacker” with someone who carries out malicious technical attacks. 
Grey hat hacking series by
Just as in the rest of life, where good and evil are constantly trying to outwit each other, there are good hackers (ethical) and bad hackers (unethical). This series has been created by and for ethical hackers. 

How Does This Stuff Relate to an Ethical Hacking Series?

Corporations and individuals need to understand how these attacks and losses are taking place so they can understand how to stop them. The vast amount of functionality that is provided by organizations’ networking, database, e-mail, instant messaging, remote access, and desktop software is also the thing that attackers use against them. There is an all too familiar battle of functionality versus security within every organization. This is why in most environments the security officer is not the most well-liked individual in the company. 
Security officers are in charge of ensuring the overall security of the environment, which usually means reducing or shutting off many functionalities that users love.
Telling people that they cannot use music-sharing software, open attachments, use applets or JavaScript via e-mail, or disable the antivirus software that slows down software procedures, and making them attend security awareness training does not usually get you invited to the Friday night get-togethers at the bar. Instead these people are often called “Security Nazi” or “Mr. No” behind their backs. They are responsible for the balance between functionality and security within the company, and it is a hard job. 
Grey hat hacking series by

The ethical hackers’ job is to find many of these things that are running on systems and networks, and they need to have the skill set to know how an enemy would use them against the organization. This needs to be brought to management and presented in business terms and scenarios, so that the ultimate decision makers can truly understand these threats without having to know the definitions and uses of fuzzing tools, bots, and buffer overflows.

The Controversy of Hacking Books, Series and Classes

When books or series on hacking first came out, a big controversy arose pertaining to whether they were the right thing to do. One side said that such books only increased the attackers’ skills and techniques and created new attackers. The other side stated that the attackers already had these skills, and these books were written to bring the security professionals and networking individuals up to speed. Who was right? They both were. 
The word “hacking” is sexy, exciting, seemingly seedy, and usually brings about thoughts of complex technical activities, sophisticated crimes, and a look into the face of electronic danger itself. Although some computer crimes may take on some of these aspects, in reality it is not this grand or romantic. A computer is just a new tool to carry out old crimes.
Caution: Attackers are only one component of information security. Unfortunately, when most people think of security, their minds go right to packets, firewalls, and hackers. Security is a much larger and more complex beast than these technical items. Real security includes policies and procedures, liabilities and laws, human behavior patterns, corporate security programs and implementation, and yes, the technical aspects—firewalls, intrusion detection systems (IDSs), proxies, encryption, antivirus software, hacks, cracks, and attacks.
So where do we stand on hacking books and hacking classes? Directly on top of a slippery banana peel. There are currently three prongs to the problem of today’s hacking classes and books. First, marketing people love to use the word “hacking” instead of more meaningful and responsible labels such as “penetration methodology.” 
This means that too many things fall under the umbrella of hacking. All of these procedures now take on the negative connotation that the word “hacking” has come to be associated with. Second, understanding the difference between hacking and ethical hacking, and understanding the necessity of ethical hacking (penetration testing) in the security industry are needed. Third, many hacking books and classes are irresponsible. If these items are really being developed to help out the good guys, they should be developed and structured that way. This means more than just showing how to exploit a vulnerability.
These educational components should show the necessary countermeasures required to fight against these types of attacks, and how to implement preventive measures to help ensure that these vulnerabilities are not exploited. Many books and courses tout the message of being a resource for the white hat and security professional. If you are writing a book or curriculum for black hats, then just admit it. You will make just as much (or more) money, and you will help eliminate the confusion between the concepts of hacking and ethical hacking.

The Dual Nature of Tools

In most instances, the toolset used by malicious attackers is the same toolset used by security professionals. A lot of people do not seem to understand this. In fact, the books, classes, series, articles, websites, and seminars on hacking could be legitimately renamed “security professional toolset education.” The problem is that marketing people like to use the word “hacking” because it draws more attention and paying customers. 
Grey hat hacking series by

As covered earlier, ethical hackers go through the same processes and procedures as unethical hackers, so it only makes sense that they use the same basic toolset. It would not be useful to prove that attackers could get through the security barriers with Tool A if attackers do not use Tool A. The ethical hacker has to know what the bad guys are using, know the new exploits that are out in the underground, and continually keep her skills and knowledgebase up to date. 
This is because the odds are against the company and against the security professional. The reason is that the security professional has to identify and address all of the vulnerabilities in an environment. The attacker only has to be really good at one or two exploits, or really lucky. A comparison can be made to the U.S. Homeland Security responsibilities. The CIA and FBI are responsible for protecting the nation from the 10 million things terrorists could possibly think up and carry out. The terrorist only has to be successful at one of these 10 million things.
NOTE: Many ethical hackers engage in the hacker community so they can learn about the new tools and attacks that are about to be used on victims.

How Are These Tools Used for Good Instead of Evil?

How would a company’s networking staff ensure that all of the employees are creating complex passwords that meet the company’s password policy? They can set operating system configurations to make sure the passwords are of a certain length, contain upper- and lowercase letters, contain numeric values, and keep a password history. But these configurations cannot check for dictionary words or calculate how much protection is being provided from brute-force attacks. 
So the team can use a hacking tool to carry out dictionary and brute-force attacks on individual passwords to actually test their strength. The other choice is to go to all employees and ask what their password is, write down the password, and eyeball it to determine if it is good enough. Not a good alternative.
NOTE: A company’s security policy should state that this type of password testing activity is allowed by the security team. Breaking employees’ passwords could be seen as intrusive and wrong if management does not acknowledge and allow for such activities to take place. Make sure you get permission before you undertake this type of activity.
The same security staff need to make sure that their firewall and router configurations will actually provide the protection level that the company requires. They could read the manuals, make the configuration changes, implement ACLs (access control lists), and then go and get some coffee. Or they could implement the configurations and then run tests against these settings to see if they are allowing malicious traffic into what they thought had controlled access. 
These tests often require the use of hacking tools. The tools carry out different types of attacks, which allow the team to see how the perimeter devices will react in certain circumstances. Nothing should be trusted until it is tested. In an amazing number of cases, a company seemingly does everything correctly when it comes to their infrastructure security. They implement policies and procedures, roll out firewalls, IDSs, and antivirus software, have all of their employees attend security awareness training, and continually patch their systems. 
It is unfortunate that these companies put forth all the right effort and funds only to end up on CNN as the latest victim who had all of their customers’ credit card numbers stolen and posted on the Internet. 
Grey hat hacking series by

This can happen because they did not carry out the necessary vulnerability and penetration tests. Every company should decide whether their internal employees will learn and maintain their skills in vulnerability and penetration testing, or if an outside consulting service will be used, and then ensure that testing is carried out in a continual scheduled manner.

Recognizing Trouble When It Happens

Network administrators, engineers, and security professionals need to be able to recognize when an attack is under way, or when one is about to take place. It may seem as though recognizing an attack as it is happening should be easily accomplished. This is only true for the very “noisy” attacks or overwhelming attacks, as in denial-of-service (DoS) attacks. Many attackers fly under the radar and go unnoticed by security devices and staff members. It is important to know how different types of attacks take place so they can be properly recognized and stopped.
Security issues and compromises are not going to go away anytime soon. People who work in corporate positions that touch security in any way should not try to ignore it or treat security as though it is an island unto itself. 
The bad guys know that to hurt an enemy is to take out what that victim depends upon most. Today the world is only becoming more dependent upon technology, not less. Though application development and network and system configuration and maintenance are complex, security is only going to become more entwined with them. When network staff have a certain level of understanding of security issues and how different compromises take place, they can act more effectively and efficiently when the “all hands on deck” alarm is sounded. In ten years, there will not be such a dividing line between security professionals and network engineers. 
Network engineers will be required to carry out tasks of a security professional, and security professionals will not make such large paychecks. It is also important to know when an attack may be around the corner. If the security staff are educated on attacker techniques and they see a ping sweep followed a day later by a port scan, they will know that most likely in three days their systems will be attacked. There are many activities that lead up to different attacks, so understanding these items will help the company protect itself. 
The argument can be made that we have automated security products that identify these types of activities so that we don’t have to. But it is very dangerous to just depend upon software that does not have the ability to put the activities in the necessary context and make a decision. Computers can outperform any human on calculations and performing repetitive tasks, but we still have the ability to make some necessary judgment calls because we understand the grays in life and do not just see things in 1s and 0s. So it is important to see how hacking tools are really just software tools that carry out some specific type of procedure to achieve a desired result. The tools can be used for good (defensive) purposes or for bad (offensive) purposes. 
The good and the bad guys use the same toolset; it is just the intent that is practiced when operating these utilities that differs. It is imperative for the security professional to understand how to use these tools, and how attacks are carried out, if he is going to be of any use to his customer and to the industry.
Grey hat hacking series by

Emulating the Attack

Once network administrators, engineers, and security professionals understand how attackers work, they can emulate the attackers’ activities if they plan on carrying out a useful penetration test (“pen test”). But why would anyone want to emulate an attack? Because this is the only way to truly test an environment’s security level—how it will react when a real attack is being carried out on it. This book walks you through these different steps so that you can understand how many types of attacks take place. 
It can help you develop methodologies of how to emulate similar activities to test your company’s security level. Many elementary ethical hacking books are already available in every bookstore. The demand for these books and hacking courses over the years has shown the interest and the need in the market. 
It is also obvious that although some people are just entering this sector, many individuals are ready to move on to the more advanced topics of ethical hacking. 
The goal of this book is to quickly go through some of the basic ethical hacking concepts and spend more time with the concepts that are not readily available to you—but are unbelievably important. Just in case you choose to use the information in this book for unintended purposes (malicious activity), in the next chapters we will also walk through several federal laws that have been put into place to scare you away from this. 
A wide range of computer crimes are taken seriously by today’s court system, and attackers are receiving hefty fines and jail sentences for their activities. Don’t let it be you. There is just as much fun and intellectual stimulation to be had working as a good guy, with no threat of jail time!

Security Does Not Like Complexity

Software in general is very complicated, and the more functionality that we try to shove into applications and operating systems, the more complex software will become. The more complex software gets, the harder it is to properly predict how it will react in all possible scenarios, and it becomes much harder to secure. 
Today’s operating systems and applications are increasing in lines of code (LOC). Windows Vista has 50 million lines of code, and Windows XP has approximately 40 million LOC; Netscape, 17 million LOC; and Windows 2000, around 29 million LOC. Unix and Linux operating systems have many fewer, usually around 2 million LOC. A common estimate used in the industry is that 5–50 bugs exist per 1,000 lines of code. So a middle of the road estimate would be that Windows XP has approximately 1,200,000 bugs. 
(Not a statement of fact. Just a guesstimation.) It is difficult enough to try to logically understand and secure 17–40 million LOC, but the complexity does not stop there. The programming industry has evolved from traditional programming languages to object-oriented languages, which allow for a modular approach to developing software. There are a lot of benefits to this approach: reusable components, faster to-market times, decrease in programming time, and easier ways to troubleshoot and update individual modules within the software. 
But applications and operating systems use each other’s components, users download different types of mobile code to extend functionality, DLLs (dynamic linked libraries) are installed and shared, and instead of application-to-operating system communication, today many applications communicate directly with each other. This does not allow for the operating system to control this type of information flow and provide protection against possible compromises. 
If we peek under the covers even further, we see that thousands of protocols are integrated into the different operating system protocol stacks, which allow for distributed computing. The operating systems and applications must rely on these protocols for transmission to another system or application, even if the protocols contain their own inherent security flaws. 
Device drivers are developed by different vendors and installed into the operating system. Many times these drivers are not well developed and can negatively affect the stability of an operating system. Device drivers work in the context of privilege mode, so if they “act up” or contain exploitable vulnerabilities, this only allows the attackers more privilege on the systems once the vulnerabilities are exploited. 
And to get even closer to the hardware level, injection of malicious code into firmware has always been an attack vector. So is it all doom and gloom? Yep, for now. Until we understand that a majority of the successful attacks are carried out because software vendors do not integrate security into the design and specification phases of development, that most programmers have not been properly taught how to code securely, that vendors are not being held liable for faulty code, and that consumers are not willing to pay more for properly developed and tested code, our staggering hacking and company compromise statistics will only increase. 
Will it get worse before it gets better? Probably. Every industry in the world is becoming more reliant on software and technology. Software vendors have to carry out continual one-upmanship to ensure their survivability in the market. Although security is becoming more of an issue, functionality of software has always been the main driving component of products and it always will be. 
Attacks will also continue and increase in sophistication because they are now revenue streams for individuals, companies, and organized crime groups. Will vendors integrate better security, ensure their programmers are properly trained in secure coding practices, and put each product through more and more testing cycles? Not until they have to. Once the market truly demands that this level of protection and security is provided by software products, and customers are willing to pay more for security, then the vendors will step up to the plate. 
Currently most vendors are only integrating protection mechanisms because of the backlash and demand from their customer bases. Unfortunately, just as September 11th awakened the United States to its vulnerabilities, something catastrophic may have to take place in the compromise of software before the industry decides to properly address this issue. 
So we are back to the original question: what does this have to do with ethical hacking? A novice ethical hacker will use tools developed by others who have uncovered specific vulnerabilities and methods to exploit them. A more advanced ethical hacker will not just depend upon other people’s tools, but will have the skill set and understanding to be able to look at the code itself. The more advanced ethical hacker will be able to identify possible vulnerabilities and programming code errors, and develop ways to rid the software of these types of flaws.