A session by Manu Zacharia at BarcampKerala6, Ragiri College, cochin http://www.matriux.com

1. # ethical hacking -
hacking in its real sense
by Manu Zacharia
MVP (Enterprise Security), C|EH, C|HFI,
Certified ISO 27001:2005 LA, MCP, CCNA, AFCEH

2. CONTENTS
INTRODUCTION
WHO IS A HACKER?
STATISTICS & CASE STUDY
ETHICAL HACKING & PEN TEST
CONCLUSION & Q ‘n’ A
www.matriux.com

3. WHO AM I
Manu Zacharia
Security Evangelist

4. WHO AM I

5. # hacking
• What’s the image that comes to your mind
when you hear about “hacker” or “hacking”?

6. BEFORE WE START….

7. # hacking
• Commonly defined in the media as:
“Illegal intrusion into a computer system
without the permission of the computer
owner/user”

8. # misconceptions
• Most people associate hacking with
breaking the law.
• Assume that everyone who engages in
hacking activities is a criminal

9. # hacking
But what is hacking in its real sense?

10. # hacker defined
HACKER (Originally, someone who makes
furniture with an Ax.

11. # hacker
• Someone involved in computer
security/insecurity
• An enthusiastic home computer hobbyist
• A programmer(ing) culture
that originated in US
academia in the 1960’s -
nowadays closely related
with open source / free
software.

12. # history of hacking
• Started off – MIT – Late 1950’s
• Tech Model Rail Road club of MIT
• Donated old telephone equipment
•They re-worked & re-created a complex
system that allowed multiple operators to
control different parts of the track by dialing into
the appropriate sections.

13. # hacking & open source

14. # they called it hacking
They called this new and inventive use of
telephone equipment hacking

15. # hacker evolution
• The conventional boundaries were broken
also at MIT Rail Road Club.

16. # do you know him?
• Often known as “Programmer's programmer”
• Creator of Ghostscript, a highly-portable, high-
quality, Open Source implementation of the
PostScript language.
• Founder of Aladdin Enterprises
• Authored or co-authored various RFCs - RFC 190,
RFC 446, RFC 550, RFC 567, RFC 606, RFC 1950,
RFC 1951 and RFC 1952

17. # do you know him?
• Dr. L. Peter Deutsch
• Started programming at the age of 11.
• He was accepted to the MIT Rail Road
club at the age of 12 when he demonstrated
his knowledge of the TX-0 and his desire to
learn.

18. # TX-0
• Fully transistorized computer
• Transistorized Experimental computer zero
• TX-0 - affectionately referred to as tixo
(pronounced "tix oh")

19. # short-pant hacker
• Age
• Race,
• Gender,
• Appearance,
• Academic degrees, and
• Social status were defied in search for free information

20. # hacking
Know the difference between a cracker and
a hacker.

21. # the money factor

22. # why study & select security?
• The 3 upcoming technology areas (Triple-
S – 3S).
• Synchronize (Collaboration)
• Store (Storage),
• Secure – (Security)
• Its challenging
• You need to have the “stuff”

23. # scope for a security pro
• Almost all the major / critical networks like:
• Defense,
• Communication,
• Financial,
• Infra networks, (Power Grids,)
• Comn networks, etc

24. # financials “skilled” sec pro
• Average hourly rate – $40 – $60
• Skilled Pen Testers – $100 – $120 - $150
• 100 X 8 hrs = 800
• 800 X 5 days = 4000
• 4000 X 20 working days = 80,000
• $ 80,000 to INR (Rs 50) = 40,00,000

25. # it‘s a long journey

26. # bytes ‘n’ bullets
“bytes are replacing bullets in the crime
world”

27. THE BIG PICTURE
• World wide internet usage (2008) -
694 Million
• World wide internet usage (2009) -
1.4 Billion
Source: comScore Networks
• Internet usage – growth rate (India)
= 142 %

28. THE BIG PICTURE
160 152
140
120
100
80 74
60 52
40 31 30 24 23 18 16 16
20
0
Top 10 Online Populations by Country
Excludes traffic from public computers such as Internet cafe and, access from
mobile phones or PDAs.

29. BEFORE WE START….
INTERNET USERS - INDIA
50.6 USERS
40 42
39.2
22.5
16.5
5.5 7
2000 2001 2002 2003 2004 2005 2006 2007
Report of the Internet and Mobile Association of India (IAMAI) and IMRB
International

30. # the bigger picture
• 1.4 Billion users can communicate with
your system
or
• Your system can communicate with 1.4
Billion users.

31. # the bigger picture
• Out of the 1.4 Billion, some can rattle your
door to your computer to see if it is locked
or not
• locked – Its fine
• not locked – not fine

32. # can you handle it
• Out of the 1.4 Billion, if 1% connects to
your system, what will happen?
•1%=?

33. # case study

34. # case study
• The most powerful and costliest
(physics) experiment ever built
• 5000 high power magnets arranged in a
27 km giant tunnel.
• will re-create the conditions present in
the Universe just after the Big Bang
• Large Hadron Collider (LHC)
• CERN - European Organization for
Nuclear Research
• Hacked on 10 Sep 08

35. # case study

36. CASE STUDY

37. CASE STUDY

38. VICTIMS

39. VICTIMS

40. # credit & debit cards?
• How many of you use credit cards?
• What is the trust factor here?

41. # case study
• Hackers have broken into Web servers
owned by domain registrar and hosting
provider Network Solutions, planting rogue
code that resulted in the compromise of
more than 573,000 debit and credit card
accounts over a period of three months

42. CASE STUDY

44. # no boundaries
• What does this mean?
• Internet = No boundaries
• You(r network) could be the next target

46. # security

47. # traditional security concept
Protecting the resources by locking it under
and lock and key

48. # current security concept
• Security is a state of well being
• Security is all about being prepared for
the unexpected.

49. # information security
The
• policies,
• procedures and
• practices
required to maintain and provide assurance of the
• confidentiality,
• integrity, and
• availability
of information

50. # security jargon
# Confidentiality # Integrity
# Availability # CIA Triad
# Vulnerability # Threat
# Risk # Exposure
# Countermeasure

51. # penetration testing
Penetration testing is a time-constrained
and authorized attempt to breach the
architecture of a system using attacker
techniques.
Also known as EH

52. # why penetration testing
To test if internal users can break security
To test external threats can break your
corporate security
Compliance with standards
Ensure and assure state of security to all
stake holders

53. # steps in hacking
Phase 1 – Reconnaissance
Phase 2 – Scanning
Phase 3 – Gaining Access
Phase 4 – Maintaining Access
Phase 5 – Covering Tracks

54. # demo
Pre-attack phase
Attack Phase
Post Attack Phase

55. # types of pen testing
• Black Box Testing
•No prior knowledge
• White Box Testing
•Detailed knowledge of targeted network and
systems
•Emulates attackers with insider knowledge
• Grey Box Testing / Hybrid Testing
•Combination of black and white testing.

56. # elements of pen testing
Three Elements for a Penetration Testing are:
• People
• Process
• Technology
Elements should be properly balanced to get
the maximum quality output.

57. # technology
Two Types of technology associated with Pen Test:
• Pen Testing Tools and Technology
Example – Info Gathering Tools
Network Scanning Tools
• Technology implemented at the clients / testing site.
Example – OS Implemented
Database used

58. # pen testing team
Consists of generally three teams
• Red Team – Attackers / pen testers
• Blue Team – Defenders
• White Team – Intermediate Team

59. # rules of engagement
• Definition: “ROE are detailed guidelines established
before the start of an information security test that give
the test team authority to conduct the technical and
nontechnical activities defined in the ROE without
additional permission.”
• It is the basis on which the PT is performed.
• It will serve as a contract between the customer and the
testing agent.

60. # hacking domain
•Foot printing, •Social Engineering
•Scanning •Session Hijacking
•Enumeration •Web Server Hacking
•System Hacking •Web App Vulnerabilities
•Trojans and Backdoors •Web password cracking
•Sniffers •Wireless Hacking
•DoS, DDoS, DRDoS •Buffer Overflow
•Cryptography

61. # security & women
•Shon Harris – Author
of CISSP Study Guide
and Info Sec Expert
• Laura Chappell–
Security Expert –
Packet Analysis

62. Most frequently asked questions
Read, Read and Read – Make it a habit
Thorough understanding
OS Concepts
Networking Concepts (TCP/IP)
Programming / Coding (2 to 3
languages – Assembly, C, C++, Python,
Perl, PHP, MySQL / SQL)
62

63. 63

64. 64

65. 65

66. http://www.owasp.org/index.php/Kerala
Contact - deepu.joseph1@gmail.com

67. 67

68. # matriux
Free and Open source project – OS
You can be part of it – how?
Write your scripts or programs and
send it to us
Test the OS and ensure its stability
Documentation or Graphics
68

69. # forum
http://chat.theadmins.info
or
irc://irc.chat4all.org/#theadmis
69

70. HACKING
“If you are a hacker everyone knows you, if
you are a good hacker nobody knows
you.."

71. # contact me
Manu Zacharia
m@matriux.com
98470-96355
or
71

72. www.matriux.com