INTRODUCTION
The explosive growth of the Internet has brought many good things:
electronic commerce, easy access to vast stores of reference material, collaborative
computing, e-mail, and new avenues for advertising and information
distribution, to name a few. As with most technological advances, there is also a
dark side: criminal hackers. Governments, companies, and private citizens
around the world are anxious to be a part of this revolution, but they are
afraid that some hacker will break into their Web server and replace their logo with
pornography, read their e-mail, steal their credit card number from an on-line
shopping site, or implant software that will secretly transmit their
organization's secrets to the open Internet. With these concerns and others, the
ethical hacker can help.
Ethical hacking, also known as penetration testing or white-hat hacking,
involves the same tools, tricks, and techniques that hackers use, but with one
major difference: ethical hacking is legal. Ethical hacking is performed with
the target's permission. The intent of ethical hacking is to discover vulnerabilities
from a hacker's viewpoint so systems can be better secured. It is part of an overall
information risk management program that allows for ongoing security
improvements. Ethical hacking can also ensure that vendors' claims about the
security of their products are legitimate.
1.1 Security
Security is the condition of being protected against danger or loss. In the general
sense, security is a concept similar to safety. In the case of networks, security
is also called information security. Information security means
protecting information and information systems from unauthorized access, use,
disclosure, disruption, modification, or destruction. Security is usually
described in terms of the CIA triad. The CIA triad names the basic principles of
security, in which "C" denotes Confidentiality, "I" represents Integrity and "A"
represents Availability.
Confidentiality
Confidentiality is the property of preventing disclosure of information to
unauthorized individuals or systems. This implies that particular data should
be seen only by authorized personnel. A person who is merely a passive observer
should not see the data. For example, in the case of a credit card transaction, only
the authorized person should see the credit card number.
Nobody else should see that number, because they may use it for some
other activities. Thus confidentiality is very important. Confidentiality is
necessary for maintaining the privacy of the people whose personal information a
system holds.
Integrity
Integrity means that data cannot be modified without authorization. This means
that the data seen by the authorized persons should be correct or the data should
maintain the property of integrity. Without that integrity the data is of no use.
Integrity is violated when a computer virus infects a computer, when an
employee is able to modify his own salary in a payroll database, when an
unauthorized user vandalizes a web site, when someone is able to cast a
very large number of votes in an online poll, and so on. In such cases the data is
modified and then we can say that there is a breach in the security.
Availability
For any information system to serve its purpose, the information must be available
when it is needed. Consider the case in which the data should have integrity and
confidentiality. To achieve both these goals easily, we could take the data
offline. But then the data is not available to the user. Hence
the data is of no use even if it has all the other characteristics. This means that the
computing systems used to store and process the information, the security controls
used to protect it, and the communication channels used to access it must be
functioning correctly. All these factors are considered important, since data
lacking any of the above characteristics is useless. Therefore security is described
as the CIA triad. Lacking any one of the three means there is a security breach.
1.2 NEED FOR INFORMATION SECURITY
Computer security is required because most organizations can be damaged by
hostile software or intruders. Moreover, security is directly related to business.
If a company loses a series of its customers' credit card numbers,
many customers would be hesitant to go back to the same company, and that
company will lose many customers and hence business. The intruders may
produce several forms of damage, which are obviously interrelated.
These include:
• Loss of confidential data
• Damage or destruction of data
• Damage or destruction of computer systems
• Loss of reputation of a company
There may be many more in the list due to security breaches. This means
that security is absolutely necessary.
1.3 HACKERS
A hacker is a person who is interested in a particular subject and has an
immense knowledge of that subject. In the world of computers, a hacker is a person
intensely interested in the arcane and recondite workings of any computer
operating system. Most often, hackers are programmers with advanced knowledge
of operating systems and programming languages. Eric Raymond, compiler of
"The New Hacker's Dictionary", defines a hacker as a clever programmer.
A "good hack" is a clever solution to a programming problem and "hacking" is the
act of doing it. Raymond lists five possible characteristics that qualify one as a
hacker, which we paraphrase here:
• A person who enjoys learning details of a programming language or system
• A person who enjoys actually doing the programming rather than just
theorizing about it
• A person capable of appreciating someone else's hacking
• A person who picks up programming quickly
• A person who is an expert at a particular programming language or system.
As computers became increasingly available at universities, user communities
began to extend beyond researchers in engineering or computer science to
other individuals who viewed the computer as a curiously flexible tool. Whether
they programmed the computers to play games, draw pictures, or to help them
with the more mundane aspects of their daily work, once computers were
available for use, there was never a lack of individuals wanting to use them.
Because of this increasing popularity of computers and their continued high cost,
access to them was usually restricted. When refused access to the computers, some
users would challenge the access controls that had been put in place. They would
steal passwords or account numbers by looking over someone's shoulder, explore
the system for bugs that might get them past the rules, or even take control of the
whole system. They would do these things in order to be able to run the programs
of their choice, or just to change the limitations under which their programs were
running. Initially these computer intrusions were fairly benign, with the most
damage being the theft of computer time. Other times, these recreations would take
the form of practical jokes.
However, these intrusions did not stay benign for long. Occasionally the less
talented, or less careful, intruders would accidentally bring down a system or
damage its files, and the system administrators would have to restart it or make
repairs. Other times, when these intruders were again denied access once their
activities were discovered, they would react with purposefully destructive
actions. When the number of these destructive computer intrusions became
noticeable, due to the visibility of the system or the extent of the damage
inflicted, it became "news" and the news media picked up on the story. Instead of
using the more accurate term of "computer criminal," the media began using the
term "hacker" to describe individuals who break into computers for fun, revenge,
or profit. Since calling someone a "hacker" was originally meant as a
compliment, computer security professionals prefer to use the term "cracker"
or "intruder" for those hackers who turn to the dark side of hacking.
1.4 Types of Hackers:
Hackers can be broadly classified on the basis of why they hack systems or
why they engage in hacking. There are mainly three types of hacker on this
basis:
Black-Hat Hacker
Black hat hackers, or crackers, are individuals with extraordinary computing
skills who resort to malicious or destructive activities. That is, black hat hackers use
their knowledge and skill for their own personal gain, probably by hurting others.
White-Hat Hacker
White hat hackers are those individuals professing hacker skills and using them for
defensive purposes. This means that white hat hackers use their knowledge and
skill for the good of others and for the common good.
Grey-Hat Hackers
These are individuals who work both offensively and defensively at various
times. We cannot predict their behavior. Sometimes they use their skills for the
common good, while at other times they use them for their personal gain.
Fig 1. Different kinds of System Attacks.
1.5 Can Hacking Be Done Ethically?
For various reasons, hacking is always understood in the bad sense, and hacking
is taken to mean black hat hacking. But the question is: can hacking be done ethically? The
answer is yes, because to catch a thief, you must think like a thief. That is the basis for ethical
hacking. Suppose a person or hacker tries to hack into a system and finds a
vulnerability. Also suppose that he reports the vulnerability to the
company. Then the company could make patches for that vulnerability
and hence protect itself from future attacks by a
black hat hacker who tries to use the same vulnerability. Unless somebody
tries to find a vulnerability, it remains hidden, and someday somebody might
find that vulnerability and exploit it for their own personal interests. Finding it
first can be done using ethical hacking.
CHAPTER TWO
2.1 ETHICAL HACKING
Ethical hacking is defined as "a methodology adopted by ethical hackers to
discover the vulnerabilities existing in information systems' operating
environments."
Ethical hacking is also known as penetration testing or intrusion testing. With the
growth of the Internet, computer security has become a major concern for
businesses and governments. They want to be able to take advantage of the
Internet for electronic commerce, advertising, information distribution and
access, and other pursuits, but they are worried about the possibility of being
"hacked." At the same time, the potential customers of these services are
worried about maintaining control of personal information that varies from
credit card numbers to social security numbers and home addresses. In their search
for a way to approach the problem, organizations came to realize that one of
the best ways to evaluate the intruder threat to their interests would be to
have independent computer security professionals attempt to break into their
computer systems. This scheme is called Ethical Hacking. This is similar to having
independent auditors come into an organization to verify its bookkeeping records.
This method of evaluating the security of a system has been in use from the early
days of computers.
In one early ethical hack, the United States Air Force conducted a "security
evaluation" of the Multics operating systems for "potential use as a two-level
(secret/top secret) system". The evaluation found that the software
was better than the conventional systems, but it also brought out some of its
vulnerabilities.
Successful ethical hackers possess a variety of skills. First and
foremost, they must be completely trustworthy. While testing the security of
a client's systems, the ethical hacker may discover information about the client
that should remain secret. In many cases, this information, if publicized, could lead
to real intruders breaking into the systems, possibly leading to financial losses.
During an evaluation, the ethical hacker often holds the "keys to the
company," and therefore must be trusted to exercise tight control over any
information about a target that could be misused. The sensitivity of the information
gathered during an evaluation requires that strong measures be taken to ensure the
security of the systems being employed by the ethical hackers themselves:
limited-access labs with physical security protection and full ceiling-to-floor walls,
multiple secure Internet connections, a safe to hold paper documentation from
clients, strong cryptography to protect electronic results, and isolated networks for
testing. Ethical hackers also should possess very strong programming and
computer networking skills and have been in the computer and networking
business for several years. Another quality needed for an ethical hacker is to have
more drive and patience than most people, since a typical evaluation may require
several days of tedious work that is difficult to automate. Some portions of the
evaluations must be done outside of normal working hours to avoid interfering
with production at "live" targets or to simulate the timing of a real attack.
When they encounter a system with which they are unfamiliar, ethical
hackers will spend the time to learn about the system and try to find its
weaknesses. Finally, keeping up with the ever-changing world of computer and
network security requires continuous education and review.
2.2 HISTORY / HACKING TRENDS:
In one early ethical hack, the United States Air Force conducted a "security
evaluation" of the Multics operating systems for "potential use as a two-level
(secret/top secret) system." With the growth of computer networking, and of the
Internet in particular, computer and network vulnerability studies began to appear
outside of the military establishment. Most notable of these was the work by
Farmer and Venema, which was originally posted to Usenet in December of
1993.
2.3 Required Skills of an Ethical Hacker:
The following are the skills most required of an Ethical Hacker:
• Microsoft: skills in operation, configuration and management.
• Linux: knowledge of Linux/Unix; security settings, configuration, and
services.
• Firewalls: configurations, and operation of intrusion detection systems.
• Routers: knowledge of routers, routing protocols, and access control lists.
• Mainframes
• Network Protocols: TCP/IP; how they function and can be manipulated.
• Project Management: leading, planning, organizing, and controlling a
penetration testing team.
2.4 FUNCTIONS OF ETHICAL HACKERS
An ethical hacker's evaluation of a system's security seeks answers to three basic
questions:
• What can an intruder see on the target systems?
• What can an intruder do with that information?
• Does anyone at the target notice the intruder's attempts or successes?
While the first and second of these are clearly important, the third is even more
important: If the owners or operators of the target systems do not notice when
someone is trying to break in, the intruders can, and will, spend weeks or months
trying and will usually eventually succeed.
When the client requests an evaluation, there is quite a bit of discussion and
paperwork that must be done up front. The discussion begins with the client's
answers to questions similar to those posed by Garfinkel and Spafford:
• What are you trying to protect?
• What are you trying to protect against?
• How much time, effort, and money are you willing to expend to obtain
adequate protection?
A surprising number of clients have difficulty precisely answering the first
question: a medical center might say "our patient information," an engineering firm
might answer "our new product designs," and a Web retailer might answer "our
customer database." All of these answers fall short, since they only describe targets
in a general way.
2.5 ETHICAL HACKING COMMANDMENTS
Every ethical hacker must abide by a few basic commandments. If not, bad things
can happen. The commandments are as follows:
Working ethically:
The word ethical in this context can be defined as working with high professional
morals and principles. Everything you do as an ethical hacker must be aboveboard
and must support the company's goals. No hidden agendas are allowed!
Trustworthiness is the ultimate discipline of an ethical hacker. The misuse of
information is absolutely forbidden.
Respecting privacy:
Treat the information gathered with the utmost respect. All information you obtain
during your testing, from Web-application log files to clear-text passwords, must
be kept private. If you sense that someone should know there's a problem, consider
sharing that information with the appropriate manager.
Not crashing your systems:
One of the biggest mistakes people make when they try to hack their own systems is
inadvertently crashing those systems. The main reason for this is poor planning. These testers
have not read the documentation or misunderstand the usage and power of the
security tools and techniques.
2.6 ADVANTAGES AND DISADVANTAGES
Ethical hacking nowadays is the backbone of network security. Each day its
relevance is increasing. The major pros and cons of ethical hacking are given below:
Advantages
• "To catch a thief you have to think like a thief"
• Helps in closing the open holes in the system network
• Provides security to banking and financial establishments
• Prevents website defacements
• An evolving technique
Disadvantages
• All depends upon the trustworthiness of the ethical hacker
• Hiring professionals is expensive.
Disadvantage
As it is an evolving branch, the scope for enhancement in technology is
immense. No ethical hacker can ensure system security by using the same
technique repeatedly. He would have to improve, develop and explore new
avenues repeatedly. More enhanced software should be used for optimum
protection. The tools used need to be updated regularly, and more efficient ones
need to be developed.