
Ethical hacking

Date post: 18-May-2015
Upload: a-raheem-ansari
Page 1: Ethical hacking

Ethical Hacking

Page 2: Ethical hacking

HACKING

Page 3: Ethical hacking

PREHISTORY

► 1960s: The Dawn of Hacking
Original meaning of the word "hack" started at MIT; meant elegant, witty or inspired way of doing almost anything; hacks were programming shortcuts

ELDER DAYS (1970-1979)

► 1970s: Phone Phreaks and Cap'n Crunch: One phreak, John Draper (aka "Cap'n Crunch"), discovers a toy whistle inside Cap'n Crunch cereal gives 2600-hertz signal, and can access AT&T's long-distance switching system.

► Draper builds a "blue box" used with whistle allows phreaks to make free calls.

► Steve Wozniak and Steve Jobs, future founders of Apple Computer, make and sell blue boxes.

THE GOLDEN AGE (1980-1991)

► 1980: Hacker Message Boards and Groups
Hacking groups form; such as Legion of Doom (US), Chaos Computer Club (Germany).

► 1983: Kids' Games
Movie "War Games" introduces public to hacking.

Page 4: Ethical hacking

THE GREAT HACKER WAR

► Legion of Doom vs Masters of Deception; online warfare; jamming phone lines.

► 1984: Hacker 'Zines
Hacker magazine 2600 publication; online 'zine Phrack.

CRACKDOWN (1986-1994)

► 1986: Congress passes Computer Fraud and Abuse Act; crime to break into computer systems.

► 1988: The Morris Worm
Robert T. Morris, Jr., launches self-replicating worm on ARPAnet.

► 1989: The Germans, the KGB and Kevin Mitnick.

► German Hackers arrested for breaking into U.S. computers; sold information to Soviet KGB.

► Hacker "The Mentor" arrested; publishes Hacker's Manifesto.

► Kevin Mitnick convicted; first person convicted under law against gaining access to interstate network for criminal purposes.

Page 5: Ethical hacking
Page 6: Ethical hacking
Page 7: Ethical hacking
Page 8: Ethical hacking

Ethical Hacking

► Independent computer security professionals breaking into the computer systems.

► Neither damage the target systems nor steal information.

► Evaluate target systems security and report back to owners about the vulnerabilities found.

Page 9: Ethical hacking

Ethical Hackers but not Criminal Hackers

► Completely trustworthy.

► Strong programming and computer networking skills.

► Learn about the system and trying to find its weaknesses.

► Techniques of Criminal hackers-Detection-Prevention.

► Published research papers or released security software.

► No Ex-hackers.

Page 10: Ethical hacking

Being Prepared

► What can an intruder see on the target systems?
► What can an intruder do with that information?
► Does anyone at the target notice the intruder's attempts or successes?

1. What are you trying to protect?
2. Who are you trying to protect against?
3. How much time, effort, and money are you willing to expend to obtain adequate protection?

Page 11: Ethical hacking

Ethical Hacker’s Perspective

► Ethical Hacker’s demand a lot of time and persistence.

► Security evaluation plan
1. Identify system to be tested
2. How to test?
3. Limitations on that testing

► Evaluation done under a “no-holds-barred” approach.

► Clients should be aware of risks.

► Limit prior knowledge of test.

Page 12: Ethical hacking

Required Skills of an Ethical Hacker

► Routers: knowledge of routers, routing protocols, and access control lists

► Microsoft: skills in operation, configuration and management.

► Linux: knowledge of Linux/Unix; security setting, configuration, and services.

► Firewalls: configurations, and operation of intrusion detection systems.

► Mainframes

► Network Protocols: TCP/IP; how they function and can be manipulated.

► Project Management: knowledge of leading, planning, organizing, and controlling a penetration testing team.

Page 13: Ethical hacking

Kinds of Testing

► Remote Network
► Remote dial-up network
► Local network
► Stolen laptop computer
► Social engineering
► Physical entry

1. Total outsider
2. Semi-outsider
3. Valid user

Page 14: Ethical hacking

REVIEW

Therefore, ethical hackers and network security experts are highly required as well as demanded by many organizations for the security of their own data; if it fell into the wrong hands, a competitor might use it for corporate espionage, a hacker might use it to break into the client’s computers, or a prankster might just post the report’s contents on the Web as a joke.

Page 15: Ethical hacking
