logging in or signing up Thinking like a hacker kakarot3 Download Post to : URL : Related Presentations : Share Add to Flag Embed Email Send to Blogs and Networks Add to Channel Uploaded from authorPOINT lite Insert YouTube videos in PowerPont slides with aS Desktop Copy embed code: (To copy code, click on the text box) Embed: URL: Thumbnail: WordPress Embed Customize Embed The presentation is successfully added In Your Favorites. Views: 231 Category: Entertainment License: All Rights Reserved Like it (1) Dislike it (0) Added: January 07, 2010 This Presentation is Public Favorites: 0 Presentation Description No description available. Comments Posting comment... Premium member Presentation Transcript Thinking like a hacker : Thinking like a hacker Abhilasha Sharma The Three Laws of Secure Computing : The Three Laws of Secure Computing Don't buy a computer. If you do buy a computer, don't plug it in. If you do plug it in, sell it and return to step 1 History of “ Hacker ” type : History of “ Hacker ” type First, there were phreaks –Hacked the phone – Dial 10 - 10 - BLUE - BOX for all your free long distance Then Al Gore invented Internet , and hackers were born Skilled & curious Mostly non - malicious “ Hacker” eventually on a bad connotation (crackers) in the press. Would this presentation help you ?? : Would this presentation help you ?? If you think FreeBSD refers to efforts for releasing a guy named BSD from prison If you think AOL and internet are same things If you get confused with web addresses starting with http://wwww If you just believed that Al gore invented internet !!!!! Slide 5: 5 Legal Disclaimer WARNING: The Surgeon General has deemed online hacking tools to be hazardous to your freedom. The ethically challenged, morally flexible, and honor deficient should beware. ALWAYS GET PERMISSION IN WRITING BY SOMEONE IN AUTHORITY. Performing “scans” against networked systems without permission is illegal. Password cracking too. You are responsible for your own actions! If you go to jail because of this material it’s not my fault, although I would appreciate it if you dropped me a postcard. This presentation references tools and URLs - use them at your own risk! Hacking : Hacking Mens Rea Hacking A hacker is a person intensely interested in the arcane and recondite workings of any computer operating system. Cracking A cracker is a person who breaks into or otherwise violates the system integrity of remote machines, with malicious intent. To hack or crack, you must first be a genius or a UNIX guru. Slide 7: R U 3l1t3? How do you tell an elite Hacker from an average Hacker ? By the number of mouse buttons One Button – Lamer Two Button – Average Three Button – Elite Multi Button - UberGeek Every one knows some kewl… : Every one knows some kewl… The Microsoft programming team easter egg: 1. Right-click the Desktop and choose New Folder. 2. Name that folder and now the moment you've all been waiting for. 3. Right-click that folder and choose Rename. 4. Rename the folder we proudly present for your viewing pleasure. 5. Right-click the folder and choose Rename. 5. Rename the folder The Microsoft Windows 95 Product Team!. 6. Open that folder by double-clicking it. Hacking : Hacking Security Security weaknesses can be found in the computer systems used by: businesses, government (classified and unclassified), and personal computers. Causes of security weakness: characteristics of the Internet and Web, human nature, inherent complexity of computer systems. Types of flaws : Types of flaws Pure Flaws - The Netscape secure sockets layer flaw Secondary Flaws Seriousness of the flaw Word V/S NCSA HTTPD Increasing Use of… : Increasing Use of… Peer-to-peer file sharing Instant messaging Streaming media Spyware & malicious mobile code (MMC) Hacking tools 77% of companies have at least one P2P app in their environment. 44% of employees actively use streaming media. Hacking sites grew 46% last year. 19% of corporate employees use a public IM tool to chat. Experts believe that 90% of computers have spyware on them. What deos a hacker at ? : What deos a hacker at ? The hacker's systematic method generally covers these seven steps: 1. Perform a footprint analysis 2. Enumerate information 3. Obtain access through user manipulation 4. Escalate privileges 5. Gather additional passwords and secrets 6. Install backdoors 7. Leverage the compromised system Slide 13: Maven Security Consulting, Inc. Copyright 2002 - All rights reserved Direct Attack vs. Online Tool Online Tool Target Where’s Waldo (hacking from?) Target ? ? ? Old School – traffic direct from attacker; easily traced back Click Kiddie – traffic from attack portal; not easily traced back to attacker What are online tools ??? : What are online tools ??? Online tools are: Web front-ends for various network/security/hacking tools e.g. port scanner, traceroute, ping Only need a web browser Wireless Palm/PocketPC, or WAP phone! Nothing to download Virus free (sort of…see next slide) Nothing to unzip or compile Examples of online tools : Examples of online tools Ping – tells you user is online or not Can inventory the entire network with single ping www.tracert.com/cgi-bin/ping.pl Trace route - Map network perimeter Locate ingress router(s) Identify ISP and location http://www.tracert.com/cgi-bin/trace.pl RIP - Port Scan Anyone! http://www.blackcode.com/portscanner/ OS Fingerprint : OS Fingerprint What OS is the target? http://packetderm.cotse.com/cgi-bin/lookuptools http://wizard.ae.krakow.pl/~mike/traceping.cgi Uses Queso (others use nmap) Guesses the target’s OS via stack fingerprint SNMP : SNMP Simple Network Management Protocol Security Not My Problem Simple SNMP Browser Purpose Identify target OS and other nearby targets Find internal IP addresses Locate open TCP and UDP ports (we don’t need no stinkin port scan) NetBios : NetBios Purpose Collect Netbios info Workgroup Share names http://tatumweb.com/iptools.htm Types of hacking : Types of hacking Social engineering Default logins Aggressive attacks Slide 20: Attack – Multipurpose Site http://portal.cyberarmy.com Performed the following against ANY IP address: ** Port scan (TCP 1-149) ** Exploit scan (CGI scan) ** Subnet scan Search entire C class size network space for web servers ** Trojan scan Scanning for specific ports (** NO LONGER AVAILABLE!) Slide 21: One Click Hacking Shows other sites that are vulnerable…just click the link to exploit! Slide 22: 22 Anonymous Web Hacking/Surfing The key for an attacker will be anonymity Today this is trivial with web portals COTSE – Church of the Swimming Elephant http://www.cotse.com/anonimizer.htm Anonymizer.com http://www.anonymizer.com/ List of several http://www.proxys4all.com/web-based.shtml Via browser’s proxy settings (web proxies) Find available proxies at http://www.cyberarmy.com/lists/proxy/ http://www.multiproxy.org/anon_list.htm Config your browser proxy settings Test your settings by visiting http://www.cyberarmy.com/cgi/whoami.pl http://proxys4all.cgi.net/setup.shtml for instructions on how to set proxy settings for several browsers Slide 23: Multi-Tier Anonymity Web Proxy Web Portal Online Tool Target Real threats : Real threats Online hacking tools will… Increase the number of casual hackers. More 1st timers getting in trouble Increase the noise seen on your perimeter Harder to detect the real attacker Diverts corporate resources Consumes bandwidth What are the legal issues for sites that offer these services? TBD Hacking : Hacking The Law Computer Fraud and Abuse Act (CFAA, 1986) It is a crime to access, alter, damage, or destroy information on a computer without authorization. Computers protected under this law include: government computers, financial systems, medical systems, interstate commerce, and any computer on the Internet. Hacking : Hacking The Law (cont’d) USA Patriot Act (USAPA, 2001) Amends the CFAA. Allows for recovery of losses due to responding to a hacker attack, assessing damages, and restoring systems. Higher penalties can be levied against anyone hacking into computers belonging to criminal justice system or the military. The government can monitor online activity without a court order. Hacking : Hacking Catching Hackers … requires law enforcement to recognize and respond to myriad hacking attacks. Computer forensics tools may include: Undercover agents, Honey pots (sting operations in cyberspace), Archives of online message boards, Tools for recovering deleted or coded information. Computer forensics agencies and services include: Computer Emergency Response Team (CERT), National Infrastructure Protection Center (NIPC), Private companies specializing in recovering deleted files and e-mail, tracking hackers via Web site and telephone logs, etc.. Hacking : Hacking Questions About Penalties Intent Should hackers who did not intend to do damage or harm be punished differently than those with criminal intentions? Age Should underage hackers receive a different penalty than adult hackers? Damage Done Should the penalty correspond to the actual damage done or the potential for damage? Hacking : Hacking Security can be improved by: Ongoing education and training to recognize the risks. Better system design. Use of security tools and systems. Challenging “others” to find flaws in systems. Writing and enforcing laws that don’t stymie research and advancement. Any questions ?? : Any questions ?? References : References http://www.attackportal.net/online_HFTM_files/frame.htm Various books and message boards discussions Thanks a lot : Thanks a lot You do not have the permission to view this presentation. In order to view it, please contact the author of the presentation.
Thinking like a hacker kakarot3 Download Post to : URL : Related Presentations : Share Add to Flag Embed Email Send to Blogs and Networks Add to Channel Uploaded from authorPOINT lite Insert YouTube videos in PowerPont slides with aS Desktop Copy embed code: (To copy code, click on the text box) Embed: URL: Thumbnail: WordPress Embed Customize Embed The presentation is successfully added In Your Favorites. Views: 231 Category: Entertainment License: All Rights Reserved Like it (1) Dislike it (0) Added: January 07, 2010 This Presentation is Public Favorites: 0 Presentation Description No description available. Comments Posting comment... Premium member Presentation Transcript Thinking like a hacker : Thinking like a hacker Abhilasha Sharma The Three Laws of Secure Computing : The Three Laws of Secure Computing Don't buy a computer. If you do buy a computer, don't plug it in. If you do plug it in, sell it and return to step 1 History of “ Hacker ” type : History of “ Hacker ” type First, there were phreaks –Hacked the phone – Dial 10 - 10 - BLUE - BOX for all your free long distance Then Al Gore invented Internet , and hackers were born Skilled & curious Mostly non - malicious “ Hacker” eventually on a bad connotation (crackers) in the press. Would this presentation help you ?? : Would this presentation help you ?? If you think FreeBSD refers to efforts for releasing a guy named BSD from prison If you think AOL and internet are same things If you get confused with web addresses starting with http://wwww If you just believed that Al gore invented internet !!!!! Slide 5: 5 Legal Disclaimer WARNING: The Surgeon General has deemed online hacking tools to be hazardous to your freedom. The ethically challenged, morally flexible, and honor deficient should beware. ALWAYS GET PERMISSION IN WRITING BY SOMEONE IN AUTHORITY. Performing “scans” against networked systems without permission is illegal. Password cracking too. You are responsible for your own actions! If you go to jail because of this material it’s not my fault, although I would appreciate it if you dropped me a postcard. This presentation references tools and URLs - use them at your own risk! Hacking : Hacking Mens Rea Hacking A hacker is a person intensely interested in the arcane and recondite workings of any computer operating system. Cracking A cracker is a person who breaks into or otherwise violates the system integrity of remote machines, with malicious intent. To hack or crack, you must first be a genius or a UNIX guru. Slide 7: R U 3l1t3? How do you tell an elite Hacker from an average Hacker ? By the number of mouse buttons One Button – Lamer Two Button – Average Three Button – Elite Multi Button - UberGeek Every one knows some kewl… : Every one knows some kewl… The Microsoft programming team easter egg: 1. Right-click the Desktop and choose New Folder. 2. Name that folder and now the moment you've all been waiting for. 3. Right-click that folder and choose Rename. 4. Rename the folder we proudly present for your viewing pleasure. 5. Right-click the folder and choose Rename. 5. Rename the folder The Microsoft Windows 95 Product Team!. 6. Open that folder by double-clicking it. Hacking : Hacking Security Security weaknesses can be found in the computer systems used by: businesses, government (classified and unclassified), and personal computers. Causes of security weakness: characteristics of the Internet and Web, human nature, inherent complexity of computer systems. Types of flaws : Types of flaws Pure Flaws - The Netscape secure sockets layer flaw Secondary Flaws Seriousness of the flaw Word V/S NCSA HTTPD Increasing Use of… : Increasing Use of… Peer-to-peer file sharing Instant messaging Streaming media Spyware & malicious mobile code (MMC) Hacking tools 77% of companies have at least one P2P app in their environment. 44% of employees actively use streaming media. Hacking sites grew 46% last year. 19% of corporate employees use a public IM tool to chat. Experts believe that 90% of computers have spyware on them. What deos a hacker at ? : What deos a hacker at ? The hacker's systematic method generally covers these seven steps: 1. Perform a footprint analysis 2. Enumerate information 3. Obtain access through user manipulation 4. Escalate privileges 5. Gather additional passwords and secrets 6. Install backdoors 7. Leverage the compromised system Slide 13: Maven Security Consulting, Inc. Copyright 2002 - All rights reserved Direct Attack vs. Online Tool Online Tool Target Where’s Waldo (hacking from?) Target ? ? ? Old School – traffic direct from attacker; easily traced back Click Kiddie – traffic from attack portal; not easily traced back to attacker What are online tools ??? : What are online tools ??? Online tools are: Web front-ends for various network/security/hacking tools e.g. port scanner, traceroute, ping Only need a web browser Wireless Palm/PocketPC, or WAP phone! Nothing to download Virus free (sort of…see next slide) Nothing to unzip or compile Examples of online tools : Examples of online tools Ping – tells you user is online or not Can inventory the entire network with single ping www.tracert.com/cgi-bin/ping.pl Trace route - Map network perimeter Locate ingress router(s) Identify ISP and location http://www.tracert.com/cgi-bin/trace.pl RIP - Port Scan Anyone! http://www.blackcode.com/portscanner/ OS Fingerprint : OS Fingerprint What OS is the target? http://packetderm.cotse.com/cgi-bin/lookuptools http://wizard.ae.krakow.pl/~mike/traceping.cgi Uses Queso (others use nmap) Guesses the target’s OS via stack fingerprint SNMP : SNMP Simple Network Management Protocol Security Not My Problem Simple SNMP Browser Purpose Identify target OS and other nearby targets Find internal IP addresses Locate open TCP and UDP ports (we don’t need no stinkin port scan) NetBios : NetBios Purpose Collect Netbios info Workgroup Share names http://tatumweb.com/iptools.htm Types of hacking : Types of hacking Social engineering Default logins Aggressive attacks Slide 20: Attack – Multipurpose Site http://portal.cyberarmy.com Performed the following against ANY IP address: ** Port scan (TCP 1-149) ** Exploit scan (CGI scan) ** Subnet scan Search entire C class size network space for web servers ** Trojan scan Scanning for specific ports (** NO LONGER AVAILABLE!) Slide 21: One Click Hacking Shows other sites that are vulnerable…just click the link to exploit! Slide 22: 22 Anonymous Web Hacking/Surfing The key for an attacker will be anonymity Today this is trivial with web portals COTSE – Church of the Swimming Elephant http://www.cotse.com/anonimizer.htm Anonymizer.com http://www.anonymizer.com/ List of several http://www.proxys4all.com/web-based.shtml Via browser’s proxy settings (web proxies) Find available proxies at http://www.cyberarmy.com/lists/proxy/ http://www.multiproxy.org/anon_list.htm Config your browser proxy settings Test your settings by visiting http://www.cyberarmy.com/cgi/whoami.pl http://proxys4all.cgi.net/setup.shtml for instructions on how to set proxy settings for several browsers Slide 23: Multi-Tier Anonymity Web Proxy Web Portal Online Tool Target Real threats : Real threats Online hacking tools will… Increase the number of casual hackers. More 1st timers getting in trouble Increase the noise seen on your perimeter Harder to detect the real attacker Diverts corporate resources Consumes bandwidth What are the legal issues for sites that offer these services? TBD Hacking : Hacking The Law Computer Fraud and Abuse Act (CFAA, 1986) It is a crime to access, alter, damage, or destroy information on a computer without authorization. Computers protected under this law include: government computers, financial systems, medical systems, interstate commerce, and any computer on the Internet. Hacking : Hacking The Law (cont’d) USA Patriot Act (USAPA, 2001) Amends the CFAA. Allows for recovery of losses due to responding to a hacker attack, assessing damages, and restoring systems. Higher penalties can be levied against anyone hacking into computers belonging to criminal justice system or the military. The government can monitor online activity without a court order. Hacking : Hacking Catching Hackers … requires law enforcement to recognize and respond to myriad hacking attacks. Computer forensics tools may include: Undercover agents, Honey pots (sting operations in cyberspace), Archives of online message boards, Tools for recovering deleted or coded information. Computer forensics agencies and services include: Computer Emergency Response Team (CERT), National Infrastructure Protection Center (NIPC), Private companies specializing in recovering deleted files and e-mail, tracking hackers via Web site and telephone logs, etc.. Hacking : Hacking Questions About Penalties Intent Should hackers who did not intend to do damage or harm be punished differently than those with criminal intentions? Age Should underage hackers receive a different penalty than adult hackers? Damage Done Should the penalty correspond to the actual damage done or the potential for damage? Hacking : Hacking Security can be improved by: Ongoing education and training to recognize the risks. Better system design. Use of security tools and systems. Challenging “others” to find flaws in systems. Writing and enforcing laws that don’t stymie research and advancement. Any questions ?? : Any questions ?? References : References http://www.attackportal.net/online_HFTM_files/frame.htm Various books and message boards discussions Thanks a lot : Thanks a lot