Your SlideShare is downloading. ×
  • Like
  • Save
Bar Camp 11 Oct09 Hacking
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Now you can save presentations on your phone or tablet

Available for both IPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Bar Camp 11 Oct09 Hacking

  • 1,745 views
Published

A session by Manu Zacharia at BarcampKerala6, Ragiri College, cochin …

A session by Manu Zacharia at BarcampKerala6, Ragiri College, cochin

http://www.matriux.com

Published in Technology , News & Politics
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
  • free free download this latest version 100% working.
    download link- http://gg.gg/hqcf
    Are you sure you want to
    Your message goes here
No Downloads

Views

Total Views
1,745
On SlideShare
0
From Embeds
0
Number of Embeds
8

Actions

Shares
Downloads
0
Comments
1
Likes
6

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. # ethical hacking - hacking in its real sense by Manu Zacharia MVP (Enterprise Security), C|EH, C|HFI, Certified ISO 27001:2005 LA, MCP, CCNA, AFCEH
  • 2. CONTENTS INTRODUCTION WHO IS A HACKER? STATISTICS & CASE STUDY ETHICAL HACKING & PEN TEST CONCLUSION & Q ‘n’ A www.matriux.com
  • 3. WHO AM I Manu Zacharia Security Evangelist
  • 4. WHO AM I
  • 5. # hacking • What’s the image that comes to your mind when you hear about “hacker” or “hacking”?
  • 6. BEFORE WE START….
  • 7. # hacking • Commonly defined in the media as: “Illegal intrusion into a computer system without the permission of the computer owner/user”
  • 8. # misconceptions • Most people associate hacking with breaking the law. • Assume that everyone who engages in hacking activities is a criminal
  • 9. # hacking But what is hacking in its real sense?
  • 10. # hacker defined HACKER (Originally, someone who makes furniture with an Ax.
  • 11. # hacker • Someone involved in computer security/insecurity • An enthusiastic home computer hobbyist • A programmer(ing) culture that originated in US academia in the 1960’s - nowadays closely related with open source / free software.
  • 12. # history of hacking • Started off – MIT – Late 1950’s • Tech Model Rail Road club of MIT • Donated old telephone equipment •They re-worked & re-created a complex system that allowed multiple operators to control different parts of the track by dialing into the appropriate sections.
  • 13. # hacking & open source
  • 14. # they called it hacking They called this new and inventive use of telephone equipment hacking
  • 15. # hacker evolution • The conventional boundaries were broken also at MIT Rail Road Club.
  • 16. # do you know him? • Often known as “Programmer's programmer” • Creator of Ghostscript, a highly-portable, high- quality, Open Source implementation of the PostScript language. • Founder of Aladdin Enterprises • Authored or co-authored various RFCs - RFC 190, RFC 446, RFC 550, RFC 567, RFC 606, RFC 1950, RFC 1951 and RFC 1952
  • 17. # do you know him? • Dr. L. Peter Deutsch • Started programming at the age of 11. • He was accepted to the MIT Rail Road club at the age of 12 when he demonstrated his knowledge of the TX-0 and his desire to learn.
  • 18. # TX-0 • Fully transistorized computer • Transistorized Experimental computer zero • TX-0 - affectionately referred to as tixo (pronounced "tix oh")
  • 19. # short-pant hacker • Age • Race, • Gender, • Appearance, • Academic degrees, and • Social status were defied in search for free information
  • 20. # hacking Know the difference between a cracker and a hacker.
  • 21. # the money factor
  • 22. # why study & select security? • The 3 upcoming technology areas (Triple- S – 3S). • Synchronize (Collaboration) • Store (Storage), • Secure – (Security) • Its challenging • You need to have the “stuff”
  • 23. # scope for a security pro • Almost all the major / critical networks like: • Defense, • Communication, • Financial, • Infra networks, (Power Grids,) • Comn networks, etc
  • 24. # financials “skilled” sec pro • Average hourly rate – $40 – $60 • Skilled Pen Testers – $100 – $120 - $150 • 100 X 8 hrs = 800 • 800 X 5 days = 4000 • 4000 X 20 working days = 80,000 • $ 80,000 to INR (Rs 50) = 40,00,000
  • 25. # it‘s a long journey
  • 26. # bytes ‘n’ bullets “bytes are replacing bullets in the crime world”
  • 27. THE BIG PICTURE • World wide internet usage (2008) - 694 Million • World wide internet usage (2009) - 1.4 Billion Source: comScore Networks • Internet usage – growth rate (India) = 142 %
  • 28. THE BIG PICTURE 160 152 140 120 100 80 74 60 52 40 31 30 24 23 18 16 16 20 0 Top 10 Online Populations by Country Excludes traffic from public computers such as Internet cafe and, access from mobile phones or PDAs.
  • 29. BEFORE WE START…. INTERNET USERS - INDIA 50.6 USERS 40 42 39.2 22.5 16.5 5.5 7 2000 2001 2002 2003 2004 2005 2006 2007 Report of the Internet and Mobile Association of India (IAMAI) and IMRB International
  • 30. # the bigger picture • 1.4 Billion users can communicate with your system or • Your system can communicate with 1.4 Billion users.
  • 31. # the bigger picture • Out of the 1.4 Billion, some can rattle your door to your computer to see if it is locked or not • locked – Its fine • not locked – not fine
  • 32. # can you handle it • Out of the 1.4 Billion, if 1% connects to your system, what will happen? •1%=?
  • 33. # case study
  • 34. # case study • The most powerful and costliest (physics) experiment ever built • 5000 high power magnets arranged in a 27 km giant tunnel. • will re-create the conditions present in the Universe just after the Big Bang • Large Hadron Collider (LHC) • CERN - European Organization for Nuclear Research • Hacked on 10 Sep 08
  • 35. # case study
  • 36. CASE STUDY
  • 37. CASE STUDY
  • 38. VICTIMS
  • 39. VICTIMS
  • 40. # credit & debit cards? • How many of you use credit cards? • What is the trust factor here?
  • 41. # case study • Hackers have broken into Web servers owned by domain registrar and hosting provider Network Solutions, planting rogue code that resulted in the compromise of more than 573,000 debit and credit card accounts over a period of three months
  • 42. CASE STUDY
  • 43. # no boundaries • What does this mean? • Internet = No boundaries • You(r network) could be the next target
  • 44. # security
  • 45. # traditional security concept Protecting the resources by locking it under and lock and key
  • 46. # current security concept • Security is a state of well being • Security is all about being prepared for the unexpected.
  • 47. # information security The • policies, • procedures and • practices required to maintain and provide assurance of the • confidentiality, • integrity, and • availability of information
  • 48. # security jargon # Confidentiality # Integrity # Availability # CIA Triad # Vulnerability # Threat # Risk # Exposure # Countermeasure
  • 49. # penetration testing Penetration testing is a time-constrained and authorized attempt to breach the architecture of a system using attacker techniques. Also known as EH
  • 50. # why penetration testing To test if internal users can break security To test external threats can break your corporate security Compliance with standards Ensure and assure state of security to all stake holders
  • 51. # steps in hacking Phase 1 – Reconnaissance Phase 2 – Scanning Phase 3 – Gaining Access Phase 4 – Maintaining Access Phase 5 – Covering Tracks
  • 52. # demo Pre-attack phase Attack Phase Post Attack Phase
  • 53. # types of pen testing • Black Box Testing •No prior knowledge • White Box Testing •Detailed knowledge of targeted network and systems •Emulates attackers with insider knowledge • Grey Box Testing / Hybrid Testing •Combination of black and white testing.
  • 54. # elements of pen testing Three Elements for a Penetration Testing are: • People • Process • Technology Elements should be properly balanced to get the maximum quality output.
  • 55. # technology Two Types of technology associated with Pen Test: • Pen Testing Tools and Technology Example – Info Gathering Tools Network Scanning Tools • Technology implemented at the clients / testing site. Example – OS Implemented Database used
  • 56. # pen testing team Consists of generally three teams • Red Team – Attackers / pen testers • Blue Team – Defenders • White Team – Intermediate Team
  • 57. # rules of engagement • Definition: “ROE are detailed guidelines established before the start of an information security test that give the test team authority to conduct the technical and nontechnical activities defined in the ROE without additional permission.” • It is the basis on which the PT is performed. • It will serve as a contract between the customer and the testing agent.
  • 58. # hacking domain •Foot printing, •Social Engineering •Scanning •Session Hijacking •Enumeration •Web Server Hacking •System Hacking •Web App Vulnerabilities •Trojans and Backdoors •Web password cracking •Sniffers •Wireless Hacking •DoS, DDoS, DRDoS •Buffer Overflow •Cryptography
  • 59. # security & women •Shon Harris – Author of CISSP Study Guide and Info Sec Expert • Laura Chappell– Security Expert – Packet Analysis
  • 60. Most frequently asked questions Read, Read and Read – Make it a habit Thorough understanding OS Concepts Networking Concepts (TCP/IP) Programming / Coding (2 to 3 languages – Assembly, C, C++, Python, Perl, PHP, MySQL / SQL) 62
  • 61. 63
  • 62. 64
  • 63. 65
  • 64. http://www.owasp.org/index.php/Kerala Contact - deepu.joseph1@gmail.com
  • 65. 67
  • 66. # matriux Free and Open source project – OS You can be part of it – how? Write your scripts or programs and send it to us Test the OS and ensure its stability Documentation or Graphics 68
  • 67. # forum http://chat.theadmins.info or irc://irc.chat4all.org/#theadmis 69
  • 68. HACKING “If you are a hacker everyone knows you, if you are a good hacker nobody knows you.."
  • 69. # contact me Manu Zacharia m@matriux.com 98470-96355 or 71
  • 70. www.matriux.com