4. PREHISTORY
1960s: The Dawn of Hacking
Original meaning of the word "hack" started at MIT; meant elegant, witty or inspired way of doing almost anything; hacks were programming shortcuts.
ELDER DAYS (1970-1979)
1970s: Phone Phreaks and Cap'n Crunch: One phreak, John Draper (aka "Cap'n Crunch"), discovers a toy whistle inside Cap'n Crunch cereal gives 2600-hertz signal, and can access AT&T's long-distance switching system.
Draper builds a "blue box" used with whistle allows phreaks to make free calls.
Steve Wozniak and Steve Jobs, future founders of Apple Computer, make and sell blue boxes.
THE GOLDEN AGE (1980-1991)
1980: Hacker Message Boards and Groups
Hacking groups form; such as Legion of Doom (US), Chaos Computer Club (Germany).
1983: Kids' Games
Movie "War Games" introduces public to hacking.
5. THE GREAT HACKER WAR
Legion of Doom vs Masters of Deception; online warfare; jamming phone lines.
1984: Hacker 'Zines
Hacker magazine 2600 publication; online 'zine Phrack.
CRACKDOWN (1986-1994)
1986: Congress passes Computer Fraud and Abuse Act; crime to break into computer systems.
1988: The Morris Worm
Robert T. Morris, Jr., launches self-replicating worm on ARPAnet.
1989: The Germans, the KGB and Kevin Mitnick.
German Hackers arrested for breaking into U.S. computers; sold information to Soviet KGB.
Hacker "The Mentor" arrested; publishes Hacker's Manifesto.
Kevin Mitnick convicted; first person convicted under law against gaining access to interstate network for criminal purposes.
6. 1993: Why Buy a Car When You Can Hack One?
Radio station call-in contest; hacker-fugitive Kevin Poulsen and friends crack phone; they allegedly get two Porsches, $20,000 cash, vacation trips; Poulsen now a freelance journalist covering computer crime.
First Def Con hacking conference in Las Vegas
ZERO TOLERANCE (1994-1998)
1995: The Mitnick Takedown: Arrested again; charged with stealing 20,000 credit card numbers.
1995: Russian Hackers Siphon $10 million from Citibank; Vladimir Levin, leader.
Oct 1998 teenager hacks into Bell Atlantic phone system; disabled communication at airport disables runway lights.
1999 hackers attack Pentagon, MIT, FBI web sites.
1999: E-commerce company attacked; blackmail threats followed by 8 million credit card numbers stolen.
(www.blackhat.info; www.h2k2.net; www.slais.ubc.ca/; www.sptimes.com; www.tlc.discovery.com)
8. EC-Council has certified IT
professionals from the following
organizations as CEH:
Novell, Canon, Hewlett Packard, US Air Force
Reserve, US Embassy, Verizon, PFIZER, HDFC
Bank, University of Memphis, Microsoft
Corporation, Worldcom, Trusecure, US
Department of Defense, Fedex, Dunlop, British
Telecom, Cisco, Supreme Court of the Philippines,
United Nations, Ministry of Defense, UK, Nortel
Networks, MCI, Check Point Software, KPMG, Fleet
International, Cingular Wireless, Columbia Daily
Tribune, Johnson & Johnson, Marriott Hotel,
Tucson Electric Power Company, Singapore Police
Force
9. (Cont.)
PriceWaterhouseCoopers, SAP, Coca-Cola
Corporation, Quantum Research, US Military, IBM
Global Services, UPS, American Express, FBI,
Citibank Corporation, Boehringer Ingelheim, Wipro,
New York City Dept Of IT & Telecom – DoITT, United
States Marine Corps, Reserve Bank of India, US Air
Force, EDS, Bell Canada, SONY, Kodak, Ontario
Provincial Police, Harris Corporation, Xerox, Philips
Electronics, U.S. Army, Schering, Accenture, Bank
One, SAIC, Fujitsu, Deutsche Bank
10. Hackers are here. Where are
you?
The explosive growth of the Internet has
brought many good things…As with most
technological advances, there is also a dark
side: criminal hackers.
The term “hacker” has a dual usage in the
computer industry today. Originally, the term
was defined as:
HACKER noun. 1. A person who enjoys
learning the details of computer systems and
how to stretch their capabilities…. 2. One who
programs enthusiastically or who enjoys
programming rather than just theorizing about
programming.
11. What is a Hacker?
Old School Hackers: 1960s style Stanford or MIT
hackers. Do not have malicious intent, but do have
a lack of concern for privacy and proprietary
information. They believe the Internet was
designed to be an open system.
Script Kiddies or Cyber-Punks: Between 12-30;
predominantly white and male; bored in school; get
caught due to bragging online; intent is to
vandalize or disrupt systems.
Professional Criminals or Crackers: Make a
living by breaking into systems and selling the
information.
Coders and Virus Writers: See themselves as an
elite; programming background and write code but
won’t use it themselves; have their own networks
called “zoos”; leave it to others to release their
code into “The Wild” or Internet. (www.tlc.discovery.com)
12. What is Ethical Hacking?
Ethical hacking – defined as the “methodology
adopted by ethical hackers to discover the
vulnerabilities existing in information
systems’ operating environments.”
With the growth of the Internet, computer
security has become a major concern for
businesses and governments.
In their search for a way to approach the
problem, organizations came to realize
that one of the best ways to evaluate the
intruder threat to their interests would be
to have independent computer security
professionals attempt to break into their
computer systems.
13. Who are Ethical Hackers?
“One of the best ways to evaluate the intruder
threat is to have independent computer
security professionals attempt to break their
computer systems”
Successful ethical hackers possess a variety of
skills. First and foremost, they must be completely
trustworthy.
Ethical hackers typically have very strong
programming and computer networking skills.
They are also adept at installing and maintaining
systems that use the more popular operating
systems (e.g., Linux or Windows 2000) used on
target systems.
These base skills are augmented with detailed
knowledge of the hardware and software provided
by the more popular computer and networking
hardware vendors.
14. What do Ethical Hackers do?
An ethical hacker’s evaluation of a system’s
security seeks answers to these basic questions:
• What can an intruder see on the target
systems?
• What can an intruder do with that information?
• Does anyone at the target notice the intruder’s
attempts or successes?
• What are you trying to protect?
• What are you trying to protect against?
• How much time, effort, and money are you
willing to expend to obtain adequate
protection?
15. How much do Ethical Hackers
get Paid?
Globally, the hiring of ethical hackers is on
the rise with most of them working with
top consulting firms.
In the United States, an ethical hacker can
make upwards of $120,000 per annum.
Freelance ethical hackers can expect to
make $10,000 per assignment.
Some fees range from $15,000 to
$45,000 for a standalone ethical
hack.
16. Certified Ethical Hacker (C|EH)
Training
InfoSec Academy
http://www.infosecacademy.com
• Five-day Certified Ethical Hacker (C|EH)
Training Camp Certification Training Program
• (C|EH) examination
• C|EH Certified Ethical
Hacker Training Camp
(5-Day Package) $3,595
($2,580 training only)
(Source: www.eccouncil.org)
18. Required Skills of an Ethical
Hacker
Routers: knowledge of routers, routing
protocols, and access control lists
Microsoft: skills in operation, configuration and
management.
Linux: knowledge of Linux/Unix; security
setting, configuration, and services.
Firewalls: configurations, and operation of
intrusion detection systems.
Mainframes
Network Protocols: TCP/IP; how they function
and can be manipulated.
Project Management: knowledge of leading,
planning, organizing, and controlling a
penetration testing team.
(Source: http://www.examcram.com)
20. Anatomy of an attack:
• Reconnaissance – attacker gathers
information; can include social
engineering.
• Scanning – searches for open ports (port
scan) probes target for vulnerabilities.
• Gaining access – attacker exploits
vulnerabilities to get inside system; used
for spoofing IP.
• Maintaining access – creates backdoor
through use of Trojans; once attacker
gains access makes sure he/she can get
back in.
• Covering tracks – deletes files, hides
files, and erases log files so that the attacker
cannot be detected or penalized.
(Source: www.eccouncil.org)
21. Hacker classes
• Black hats – highly skilled,
malicious, destructive “crackers”
• White hats – skills used
defensively; security analysts
• Gray hats – work offensively and
defensively; will hack for different
reasons, depending on the situation.
Hacktivism – hacking for a social or
political cause.
Ethical hackers – determine what
attackers can gain access to, what they
will do with the information, and can they
be detected.
(Source: www.eccouncil.org)
27. Certified Ethical Hacker Exam
Prep
The Business Aspects of Penetration
Testing
The Technical Foundations of Hacking
Footprinting and Scanning
Enumeration and System Hacking
Linux and automated Security Assessment
Tools
Trojans and Backdoors
Sniffers, Session Hijacking, and Denial of
Service
28. Certified Ethical Hacker Exam
Prep (Cont.)
Web Server Hacking, Web Applications,
and Database Attacks
Wireless Technologies, Security, and
Attacks
IDS, Firewalls, and Honeypots
Buffer Overflows, Viruses, and Worms
Cryptographic Attacks and Defenses
Physical Security and Social Engineering
29. Hands-On Information Security
Lab Manual, Second Edition
1. Footprinting
2. Scanning and Enumeration
3. Operating System Vulnerabilities
and Resolutions
4. Network Security Tools and
Technologies
5. Security Maintenance
6. Information Security
Management
7. File System Security and
Cryptography
8. Computer Forensics
http://www.course.com/
ISBN 0-619-21631-X
78. SQL Injection
Allows a remote attacker to execute arbitrary database commands
Relies on poorly formed database queries and insufficient input validation
Often facilitated by, but does not rely on, unhandled exceptions and ODBC error messages
Impact: MASSIVE. This is one of the most dangerous vulnerabilities on the web.