This document discusses hacking and ethical hacking. It provides an overview of different types of hackers (white hat, black hat, grey hat) and defines ethical hacking as hacking performed to help identify security vulnerabilities. It then presents a case study about a data breach at AAPT where a hacker group accessed customer data. An investigation found that AAPT failed to take reasonable security measures to protect the data, such as using an outdated version of software with known vulnerabilities. As a result, the commissioner recommended steps for AAPT to improve its security practices and audit processes.

2. Hacking
Group Members

3. Contents Hacking
Types of Hackers
Ethical Hacking
Case Study
Background
Own motivation
Investigation
Palenties
Conclusion
Cracking

4. Hacking
Hacking is the gaining of
access(wanted or unwanted) to a
computer and viewing, copying, or
creating data without the intention of
destroying data or harming the
computer.
Hacker
Hacker is programmer who
breaks into computer systems in
order to steal or change
information

5. Cracking
Process in which a person who gains
unauthorized access to a computer
with the intention of causing damage.
Cracker
Cracker is a programmer who
cracks (gains unauthorized
access to) computers, typically
to do malicious things .
"crackers are often mistakenly
called hackers"

6. Types of Hackers
White Hat Hackers
Black Hat Hackers
Grey Hat Hackers

7. ETHICAL HACKING
A LICENCE TO HACK
 Ethical hacking is the term that describes
hacking performed to help a company or individual
and identify potential threats on the computer or
network.

8. Ethical Hacker
 Ethical hacker Refers to a person who apply
hacking skills for defensive purposes
“If you know the enemy and know yourself,
you need not fear the result of a hundred
battles.” The Art of War

9. Ethical Hacking is Legal, so ethical hacker should
have to follow rules
Rules for Ethical Hacker
Hacker should have permission to probe the
network and attempt to identify potential security
risks.
Hacker should respect the individual's or company's
privacy and only go looking for security issues.
Hacker should let the company know of any security
vulnerabilities you locate in their software or
hardware if not already known by the company.

10. Need of Ethical Hacking
Ethical hacking is necessary to protect against
an attack, understanding where the systems
are vulnerable is necessary.
Ethical hacking helps companies first
understand their risk and then, manage them.
Ethical hacking can be one of the most
effective ways to fix security Problems

11. Case Study
AAPT -- HACKING
AAPT- Australian Associated Press
Telecommunications

12. Background
This case involved AAPT's company data
(including customers' personal information)
being accessed and stolen by Anonymous, an
international network of "hackers“ between 17
and 19 July 2012.
Anonymous subsequently published the data
on the internet.
The data was held on a server managed by
WebCentral Pty Ltd, a web-hosting business
unit of Melbourne IT.

13. Under the contract between AAPT and
WebCentral, WebCentral was required to fully
manage and maintain the server, except for
the custom application content and data,
which was the responsibility of AAPT.
Anonymous accessed the data though the
application (Cold Fusion) installed on the
server, which was a "customer-managed
application" and was AAPT's responsibility
under the contract.
AAPT was using an old version of Cold
Fusion, which was known to have
vulnerabilities.

14. When Melbourne IT (Australian domain
name registration Service ) became aware
of the attack , it notified AAPT, which
immediately disconnected from the
network and took steps to ensure the data
could not be further compromised.

15. Own motion investigation
Agencies didn’t get any Complaint about
this act, so they started Own Motion
Investigation

16. Results of Inverstigation
The Commissioner found AAPT failed to take
reasonable steps to secure the personal
information.
 the Commissioner examined the Cold Fusion
application to determine whether it was
suitable in the circumstances.
The Commissioner noted that AAPT used a
seven year-old version of Cold Fusion, which
was known to have vulnerabilities.

17. Cont...... Results of Inverstigation
While the security "patches" on the version
used by AAPT were upto-date, the failure to use
newer versions of the application that did not
have the vulnerabilities of the older version,
meant that AAPT had not taken reasonable
steps to protect the information.
The Commissioner noted that it was unclear
whether AAPT was aware of what personal
information was on the server, what Cold Fusion
applications were installed and the parts of the
server they related to or who was responsible
for the maintenance and management of the
application.

18. Cont...... Results of Inverstigation
The Commissioner identified several
deficiencies in the security of data provisions in
the contract between AAPT and WebCentral
including:
data was not assessed to determine whether
it included personal information and its
sensitivity
existing or emerging security risks were not
required to be identified and addressed.
vulnerability scanning and the effectiveness
of the Cold Fusion application was not required
to be undertaken.

19. Cont...... Results of Inverstigation
The Commissioner identified several
deficiencies in the security of data provisions in
the contract between AAPT and WebCentral
including:
data was not assessed to determine whether
it included personal information and its
sensitivity
existing or emerging security risks were not
required to be identified and addressed.
vulnerability scanning and the effectiveness
of the Cold Fusion application was not required
to be undertaken.

20. Ethical Issues
The Computer Fraud and Abuse Act of 1986
made it illegal to access a computer without
authorization and steal private information or
financial information.
It is responsibility of an orgranization to
protect the private information of it’s user.
AAPT failed to protect the users personal
information.

21. Penalties
The Commissioner recommended AAPT:
Take steps to ensure all IT applications held
internally or externally, which hold or use
personal information, are subject to vulnerability
assessment and testing and regular vulnerability
scanning.
conduct regular audits of AAPT's IT security
framework to ensure security measures are
working effectively, and that policies and
procedures relating to data security are
being complied with.

22. Cont... Penalties
 Undertake steps to ensure appropriate
classification of data it holds either internally or
externally, including whether it includes personal
information and the sensitivity of that
information.
 Review the terms of the contracts it has with IT
suppliers that hold or manage AAPT data to
ensure clarity around which party has
responsibility for identifying and addressing data
security issues (such as vulnerabilities associated
with old versions of IT applications).
As the case involved breaches of NPPs, the
Commissioner was unable to impose a penalty on
AAPT.

23. NPP2.1
An organisation may only use or disclose
personal information for the primary purpose of
collection under NPP2.1. As the publication of
the data was not for the primary purpose of the
collection, the Commissioner examined whether
the publication amounted to disclosure by AAPT.
As the data was made public through the
malicious actions of Anonymous, the
Commissioner found that the publication was not
a disclosure by AAPT.

24. Conclusion
If a hacker wants to get inside your
system, he/she will, and there is nothing
you can do about it. The only thing you can
do is make it harder for him to get in.
Always upgrade your system or
softwares regularly.