SlideShare ist ein Scribd-Unternehmen logo

Introduction to hackers

Als PPT, PDF herunterladen
Harsh Sharma
Harsh Sharma

Intro To Hackers By Harsh Sharma 3rd Year Student @ Mehr Chand Polytechnic College, Jalandhar. aka Hacker

BildungTechnologie
1 von 22
Hackers, Crackers, and Network Intruders Sponser www.harshpchacks.blogspot.com By Harsh Sharma
Agenda • Hackers and their vocabulary • Threats and risks • Types of hackers • Gaining access • Intrusion detection and prevention • Legal and ethical issues
Hacker Terms • Hacking - showing computer expertise • Cracking - breaching security on software or systems • Phreaking - cracking telecom networks • Spoofing - faking the originating IP address in a datagram • Denial of Service (DoS) - flooding a host with sufficient network traffic so that it can’t respond anymore • Port Scanning - searching for vulnerabilities
Hacking through the ages • 1969 - Unix ‘hacked’ together • 1971 - Cap ‘n Crunch phone exploit discovered • 1988 - Morris Internet worm crashes 6,000 servers • 1994 - $10 million transferred from CitiBank accounts • 1995 - Kevin Mitnick sentenced to 5 years in jail • 2000 - Major websites succumb to DDoS • 2000 - 15,700 credit and debit card numbers stolen from Western Union (hacked while web database was undergoing maintenance) • 2001 Code Red – exploited bug in MS IIS to penetrate & spread – probes random IPs for systems running IIS – had trigger time for denial-of-service attack – 2nd wave infected 360000 servers in 14 hours • Code Red 2 - had backdoor installed to allow remote control • Nimda -used multiple infection mechanisms email, shares, web client, IIS • 2002 – Slammer Worm brings web to its knees by attacking MS SQL Server
The threats • Denial of Service (Yahoo, eBay, CNN, MS) • Defacing, Graffiti, Slander, Reputation • Loss of data (destruction, theft) • Divulging private information (AirMiles, corporate espionage, personal financial) • Loss of financial assets (CitiBank)
Types of hackers • Professional hackers – Black Hats – the Bad Guys – White Hats – Professional Security Experts • Script kiddies – Mostly kids/students • User tools created by black hats, – To get free stuff – Impress their peers – Not get caught • Underemployed Adult Hackers – Former Script Kiddies • Can’t get employment in the field • Want recognition in hacker community • Big in eastern european countries • Ideological Hackers – hack as a mechanism to promote some political or ideological purpose – Usually coincide with political events
Types of Hackers • Criminal Hackers – Real criminals, are in it for whatever they can get no matter who it hurts • Corporate Spies – Are relatively rare • Disgruntled Employees – Most dangerous to an enterprise as they are “insiders” – Since many companies subcontract their network services a disgruntled vendor could be very dangerous to the host enterprise
Top intrusion justifications • I’m doing you a favor pointing out your vulnerabilities • I’m making a political statement • Because I can • Because I’m paid to do it
Gaining access • Front door – Password guessing – Password/key stealing • Back doors – Often left by original developers as debug and/or diagnostic tools – Forgot to remove before release • Trojan Horses – Usually hidden inside of software that we download and install from the net (remember nothing is free) – Many install backdoors • Software vulnerability exploitation – Often advertised on the OEMs web site along with security patches – Fertile ground for script kiddies looking for something to do
Back doors & Trojans • e.g. Whack-a-mole / NetBus • Cable modems / DSL very vulnerable • Protect with Virus Scanners, Port Scanners, Personal Firewalls
Software vulnerability exploitation • Buffer overruns • HTML / CGI scripts • Poor design of web applications – Javascript hacks – PHP/ASP/ColdFusion URL hacks • Other holes / bugs in software and services • Tools and scripts used to scan ports for vulnerabilities
Password guessing • Default or null passwords • Password same as user name (use finger) • Password files, trusted servers • Brute force – make sure login attempts audited!
Password/key theft • Dumpster diving – Its amazing what people throw in the trash • Personal information • Passwords • Good doughnuts – Many enterprises now shred all white paper trash • Inside jobs – Disgruntled employees – Terminated employees (about 50% of intrusions resulting in significant loss)
Once inside, the hacker can... • Modify logs – To cover their tracks – To mess with you • Steal files – Sometimes destroy after stealing – A pro would steal and cover their tracks so to be undetected • Modify files – To let you know they were there – To cause mischief • Install back doors – So they can get in again • Attack other systems
Intrusion detection systems (IDS) • A lot of research going on at universities – Doug Somerville- EE Dept, Viktor Skorman – EE Dept • Big money available due to 9/11 and Dept of Homeland Security • Vulnerability scanners – pro-actively identifies risks – User use pattern matching • When pattern deviates from norm should be investigated • Network-based IDS – examine packets for suspicious activity – can integrate with firewall – require one dedicated IDS server per segment
Intrusion detection systems (IDS) • Host-based IDS – monitors logs, events, files, and packets sent to the host – installed on each host on network • Honeypot – decoy server – collects evidence and alerts admin
Intrusion prevention • Patches and upgrades (hardening) • Disabling unnecessary software • Firewalls and Intrusion Detection Systems • ‘Honeypots’ • Recognizing and reacting to port scanning
Risk management Probability Impact Ignore (e.g. delude yourself) Prevent (e.g. firewalls, IDS, patches) Backup Plan (e.g. redundancies) Contain & Control (e.g. port scan)
Legal and ethical questions • ‘Ethical’ hacking? • How to react to mischief or nuisances? • Is scanning for vulnerabilities legal? – Some hackers are trying to use this as a business model • Here are your vulnerabilities, let us help you • Can private property laws be applied on the Internet?
Port scanner example
Computer Crimes • Financial Fraud • Credit Card Theft • Identity Theft • Computer specific crimes – Denial-of-service – Denial of access to information – Viruses Melissa virus cost New Jersey man 20 months in jail • Melissa caused in excess of $80 Million • Intellectual Property Offenses – Information theft – Trafficking in pirated information – Storing pirated information – Compromising information – Destroying information • Content related Offenses – Hate crimes – Harrassment – Cyber-stalking • Child privacy
Federal Statutes • Computer Fraud and Abuse Act of 1984 – Makes it a crime to knowingly access a federal computer • Electronic Communications Privacy Act of 1986 – Updated the Federal Wiretap Act act to include electronically stored data • U.S. Communications Assistance for Law Enforcement Act of 1996 – Ammended the Electronic Communications Act to require all communications carriers to make wiretaps possible • Economic and Protection of Proprietary Information Act of 1996 – Extends definition of privacy to include proprietary economic information , theft would constitute corporate or industrial espionage • Health Insurance Portability and Accountability Act of 1996 – Standards for the electronic transmission of healthcare information • National Information Infrastructure Protection Act of 1996 – Amends Computer Fraud and Abuse Act to provide more protection to computerized information and systems used in foreign and interstate commerce or communications • The Graham-Lynch-Bliley Act of 1999 – Limits instances of when financial institution can disclose nonpublic information of a customer to a third party

Empfohlen

Hackers
HackersHackers
Hackers
Mohamed Boudchiche
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
silambarasansam
 
Recommending information security measures
Recommending information security measuresRecommending information security measures
Recommending information security measures
Manish Singh
 
Hacking and its terms
Hacking and its termsHacking and its terms
Hacking and its terms
kunalverma12345
 
Top 10 most famous hackers of all time
Top 10 most famous hackers of all timeTop 10 most famous hackers of all time
Top 10 most famous hackers of all time
PRESENTATIONSFORESL
 
Introduction To Computer Security
Introduction To Computer SecurityIntroduction To Computer Security
Introduction To Computer Security
Vibrant Event
 
General Aware Ness On Cyber Security & Ethical
General Aware Ness On Cyber Security & EthicalGeneral Aware Ness On Cyber Security & Ethical
General Aware Ness On Cyber Security & Ethical
diwakar sharma
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
DEEPIKA WALIA
 

Empfohlen

Hackers
HackersHackers
Hackers
Mohamed Boudchiche
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
silambarasansam
 
Recommending information security measures
Recommending information security measuresRecommending information security measures
Recommending information security measures
Manish Singh
 
Hacking and its terms
Hacking and its termsHacking and its terms
Hacking and its terms
kunalverma12345
 
Top 10 most famous hackers of all time
Top 10 most famous hackers of all timeTop 10 most famous hackers of all time
Top 10 most famous hackers of all time
PRESENTATIONSFORESL
 
Introduction To Computer Security
Introduction To Computer SecurityIntroduction To Computer Security
Introduction To Computer Security
Vibrant Event
 
General Aware Ness On Cyber Security & Ethical
General Aware Ness On Cyber Security & EthicalGeneral Aware Ness On Cyber Security & Ethical
General Aware Ness On Cyber Security & Ethical
diwakar sharma
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
DEEPIKA WALIA
 
Digital property rights
Digital property rightsDigital property rights
Digital property rights
Himanshu Pathak
 
Introduction to E commerce
Introduction to E commerceIntroduction to E commerce
Introduction to E commerce
Himanshu Pathak
 
TYPES OF HACKING
TYPES OF HACKINGTYPES OF HACKING
TYPES OF HACKING
SHERALI445
 
Hacking
Hacking Hacking
Hacking
Farkhanda Kiran
 
Cybercrime (Computer Hacking)
Cybercrime (Computer Hacking)Cybercrime (Computer Hacking)
Cybercrime (Computer Hacking)
Esteban
 
hacking
hackinghacking
hacking
mayank1293
 
Computer crime hacking
Computer crime hackingComputer crime hacking
Computer crime hacking
tangytangling
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
Lalit Kumar
 
The art of deceiving humans a.k.a social engineering
The art of deceiving humans a.k.a social engineeringThe art of deceiving humans a.k.a social engineering
The art of deceiving humans a.k.a social engineering
Suraj Khetani
 
ethical hacking
ethical hackingethical hacking
ethical hacking
Neelima Bawa
 
Basic of Ethical Hacking and Penetration Testing - 1st Module
Basic of Ethical Hacking and Penetration Testing - 1st ModuleBasic of Ethical Hacking and Penetration Testing - 1st Module
Basic of Ethical Hacking and Penetration Testing - 1st Module
ankit sarode
 
Social Engineering 2.0
Social Engineering 2.0Social Engineering 2.0
Social Engineering 2.0
Murray Security Services
 
Module 8 security and ethical challenges
Module 8 security and ethical challengesModule 8 security and ethical challenges
Module 8 security and ethical challenges
CRM
 
Hacking and Hackers
Hacking and HackersHacking and Hackers
Hacking and Hackers
Farwa Ansari
 
What is Ethical hacking
What is Ethical hackingWhat is Ethical hacking
What is Ethical hacking
Sibghatullah Khattak
 
Ethical hacking by chandra prakash upadhyay
Ethical hacking by chandra prakash upadhyayEthical hacking by chandra prakash upadhyay
Ethical hacking by chandra prakash upadhyay
Chandra Prakash
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
vishakha bhagwat
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
RamchandraRegmi
 
Intellectual Property in Cyberspace
Intellectual Property in CyberspaceIntellectual Property in Cyberspace
Intellectual Property in Cyberspace
Mindaugas Kiskis
 
Hackers Cracker Network Intruder
Hackers Cracker Network IntruderHackers Cracker Network Intruder
Hackers Cracker Network Intruder
Erdo Deshiant Garnaby
 
How to become Hackers .
How to become Hackers .How to become Hackers .
How to become Hackers .
Greater Noida Institute Of Technology
 
9. Computer Ethics.ppt
9. Computer Ethics.ppt9. Computer Ethics.ppt
9. Computer Ethics.ppt
asm071149
 

Weitere ähnliche Inhalte

Was ist angesagt?

Computer crime hacking
Computer crime hackingComputer crime hacking
Computer crime hacking
tangytangling
 
Module 8 security and ethical challenges
Module 8 security and ethical challengesModule 8 security and ethical challenges
Module 8 security and ethical challenges
CRM
 
Ethical hacking by chandra prakash upadhyay
Ethical hacking by chandra prakash upadhyayEthical hacking by chandra prakash upadhyay
Ethical hacking by chandra prakash upadhyay
Chandra Prakash
 

Was ist angesagt? (19)

Digital property rights
Digital property rightsDigital property rights
Digital property rights
 
Introduction to E commerce
Introduction to E commerceIntroduction to E commerce
Introduction to E commerce
 
TYPES OF HACKING
TYPES OF HACKINGTYPES OF HACKING
TYPES OF HACKING
 
Hacking
Hacking Hacking
Hacking
 
Cybercrime (Computer Hacking)
Cybercrime (Computer Hacking)Cybercrime (Computer Hacking)
Cybercrime (Computer Hacking)
 
hacking
hackinghacking
hacking
 
Computer crime hacking
Computer crime hackingComputer crime hacking
Computer crime hacking
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
The art of deceiving humans a.k.a social engineering
The art of deceiving humans a.k.a social engineeringThe art of deceiving humans a.k.a social engineering
The art of deceiving humans a.k.a social engineering
 
ethical hacking
ethical hackingethical hacking
ethical hacking
 
Basic of Ethical Hacking and Penetration Testing - 1st Module
Basic of Ethical Hacking and Penetration Testing - 1st ModuleBasic of Ethical Hacking and Penetration Testing - 1st Module
Basic of Ethical Hacking and Penetration Testing - 1st Module
 
Social Engineering 2.0
Social Engineering 2.0Social Engineering 2.0
Social Engineering 2.0
 
Module 8 security and ethical challenges
Module 8 security and ethical challengesModule 8 security and ethical challenges
Module 8 security and ethical challenges
 
Hacking and Hackers
Hacking and HackersHacking and Hackers
Hacking and Hackers
 
What is Ethical hacking
What is Ethical hackingWhat is Ethical hacking
What is Ethical hacking
 
Ethical hacking by chandra prakash upadhyay
Ethical hacking by chandra prakash upadhyayEthical hacking by chandra prakash upadhyay
Ethical hacking by chandra prakash upadhyay
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
Intellectual Property in Cyberspace
Intellectual Property in CyberspaceIntellectual Property in Cyberspace
Intellectual Property in Cyberspace
 

Ähnlich wie Introduction to hackers

Computer Hacking - An Introduction
Computer Hacking - An IntroductionComputer Hacking - An Introduction
Computer Hacking - An Introduction
Jayaseelan Vejayon
 

Ähnlich wie Introduction to hackers (20)

Hackers Cracker Network Intruder
Hackers Cracker Network IntruderHackers Cracker Network Intruder
Hackers Cracker Network Intruder
 
How to become Hackers .
How to become Hackers .How to become Hackers .
How to become Hackers .
 
9. Computer Ethics.ppt
9. Computer Ethics.ppt9. Computer Ethics.ppt
9. Computer Ethics.ppt
 
Hacker risks presentation to ACFE PR Chapter
Hacker risks presentation to ACFE PR ChapterHacker risks presentation to ACFE PR Chapter
Hacker risks presentation to ACFE PR Chapter
 
Computer Security
Computer SecurityComputer Security
Computer Security
 
All about Hacking
All about HackingAll about Hacking
All about Hacking
 
Refugees on Rails Berlin - #2 Tech Talk on Security
Refugees on Rails Berlin - #2 Tech Talk on SecurityRefugees on Rails Berlin - #2 Tech Talk on Security
Refugees on Rails Berlin - #2 Tech Talk on Security
 
Trends in electronic crimes and its impact on businesses like yours
Trends in electronic crimes and its impact on businesses like yoursTrends in electronic crimes and its impact on businesses like yours
Trends in electronic crimes and its impact on businesses like yours
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
Computer Hacking - An Introduction
Computer Hacking - An IntroductionComputer Hacking - An Introduction
Computer Hacking - An Introduction
 
Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security
 
Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer SecurityEthical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security
 
History and future cybercrime
History and future cybercrimeHistory and future cybercrime
History and future cybercrime
 
Cyber_Crime_Security.pptx
Cyber_Crime_Security.pptxCyber_Crime_Security.pptx
Cyber_Crime_Security.pptx
 
Hacking
HackingHacking
Hacking
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
Ethical hacking (legal)
Ethical hacking (legal)Ethical hacking (legal)
Ethical hacking (legal)
 
Web security
Web securityWeb security
Web security
 
Computer ethics
Computer ethicsComputer ethics
Computer ethics
 

Kürzlich hochgeladen

An Overview of Mutual Funds Bcom Project.pdf
An Overview of Mutual Funds Bcom Project.pdfAn Overview of Mutual Funds Bcom Project.pdf
An Overview of Mutual Funds Bcom Project.pdf
SanaAli374401
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
ciinovamais
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
heathfieldcps1
 
Making and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdfMaking and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdf
Chris Hunter
 

Kürzlich hochgeladen (20)

Class 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfClass 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdf
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
Advance Mobile Application Development class 07
Advance Mobile Application Development class 07Advance Mobile Application Development class 07
Advance Mobile Application Development class 07
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
An Overview of Mutual Funds Bcom Project.pdf
An Overview of Mutual Funds Bcom Project.pdfAn Overview of Mutual Funds Bcom Project.pdf
An Overview of Mutual Funds Bcom Project.pdf
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across Sectors
 
fourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writingfourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writing
 
SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...
SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...
SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdf
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
PROCESS RECORDING FORMAT.docx
PROCESS RECORDING FORMAT.docxPROCESS RECORDING FORMAT.docx
PROCESS RECORDING FORMAT.docx
 
Making and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdfMaking and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdf
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 

Introduction to hackers

  • 1. Hackers, Crackers, and Network Intruders Sponser www.harshpchacks.blogspot.com By Harsh Sharma
  • 2. Agenda • Hackers and their vocabulary • Threats and risks • Types of hackers • Gaining access • Intrusion detection and prevention • Legal and ethical issues
  • 3. Hacker Terms • Hacking - showing computer expertise • Cracking - breaching security on software or systems • Phreaking - cracking telecom networks • Spoofing - faking the originating IP address in a datagram • Denial of Service (DoS) - flooding a host with sufficient network traffic so that it can’t respond anymore • Port Scanning - searching for vulnerabilities
  • 4. Hacking through the ages • 1969 - Unix ‘hacked’ together • 1971 - Cap ‘n Crunch phone exploit discovered • 1988 - Morris Internet worm crashes 6,000 servers • 1994 - $10 million transferred from CitiBank accounts • 1995 - Kevin Mitnick sentenced to 5 years in jail • 2000 - Major websites succumb to DDoS • 2000 - 15,700 credit and debit card numbers stolen from Western Union (hacked while web database was undergoing maintenance) • 2001 Code Red – exploited bug in MS IIS to penetrate & spread – probes random IPs for systems running IIS – had trigger time for denial-of-service attack – 2nd wave infected 360000 servers in 14 hours • Code Red 2 - had backdoor installed to allow remote control • Nimda -used multiple infection mechanisms email, shares, web client, IIS • 2002 – Slammer Worm brings web to its knees by attacking MS SQL Server
  • 5. The threats • Denial of Service (Yahoo, eBay, CNN, MS) • Defacing, Graffiti, Slander, Reputation • Loss of data (destruction, theft) • Divulging private information (AirMiles, corporate espionage, personal financial) • Loss of financial assets (CitiBank)
  • 6. Types of hackers • Professional hackers – Black Hats – the Bad Guys – White Hats – Professional Security Experts • Script kiddies – Mostly kids/students • User tools created by black hats, – To get free stuff – Impress their peers – Not get caught • Underemployed Adult Hackers – Former Script Kiddies • Can’t get employment in the field • Want recognition in hacker community • Big in eastern european countries • Ideological Hackers – hack as a mechanism to promote some political or ideological purpose – Usually coincide with political events
  • 7. Types of Hackers • Criminal Hackers – Real criminals, are in it for whatever they can get no matter who it hurts • Corporate Spies – Are relatively rare • Disgruntled Employees – Most dangerous to an enterprise as they are “insiders” – Since many companies subcontract their network services a disgruntled vendor could be very dangerous to the host enterprise
  • 8. Top intrusion justifications • I’m doing you a favor pointing out your vulnerabilities • I’m making a political statement • Because I can • Because I’m paid to do it
  • 9. Gaining access • Front door – Password guessing – Password/key stealing • Back doors – Often left by original developers as debug and/or diagnostic tools – Forgot to remove before release • Trojan Horses – Usually hidden inside of software that we download and install from the net (remember nothing is free) – Many install backdoors • Software vulnerability exploitation – Often advertised on the OEMs web site along with security patches – Fertile ground for script kiddies looking for something to do
  • 10. Back doors & Trojans • e.g. Whack-a-mole / NetBus • Cable modems / DSL very vulnerable • Protect with Virus Scanners, Port Scanners, Personal Firewalls
  • 11. Software vulnerability exploitation • Buffer overruns • HTML / CGI scripts • Poor design of web applications – Javascript hacks – PHP/ASP/ColdFusion URL hacks • Other holes / bugs in software and services • Tools and scripts used to scan ports for vulnerabilities
  • 12. Password guessing • Default or null passwords • Password same as user name (use finger) • Password files, trusted servers • Brute force – make sure login attempts audited!
  • 13. Password/key theft • Dumpster diving – Its amazing what people throw in the trash • Personal information • Passwords • Good doughnuts – Many enterprises now shred all white paper trash • Inside jobs – Disgruntled employees – Terminated employees (about 50% of intrusions resulting in significant loss)
  • 14. Once inside, the hacker can... • Modify logs – To cover their tracks – To mess with you • Steal files – Sometimes destroy after stealing – A pro would steal and cover their tracks so to be undetected • Modify files – To let you know they were there – To cause mischief • Install back doors – So they can get in again • Attack other systems
  • 15. Intrusion detection systems (IDS) • A lot of research going on at universities – Doug Somerville- EE Dept, Viktor Skorman – EE Dept • Big money available due to 9/11 and Dept of Homeland Security • Vulnerability scanners – pro-actively identifies risks – User use pattern matching • When pattern deviates from norm should be investigated • Network-based IDS – examine packets for suspicious activity – can integrate with firewall – require one dedicated IDS server per segment
  • 16. Intrusion detection systems (IDS) • Host-based IDS – monitors logs, events, files, and packets sent to the host – installed on each host on network • Honeypot – decoy server – collects evidence and alerts admin
  • 17. Intrusion prevention • Patches and upgrades (hardening) • Disabling unnecessary software • Firewalls and Intrusion Detection Systems • ‘Honeypots’ • Recognizing and reacting to port scanning
  • 18. Risk management Probability Impact Ignore (e.g. delude yourself) Prevent (e.g. firewalls, IDS, patches) Backup Plan (e.g. redundancies) Contain & Control (e.g. port scan)
  • 19. Legal and ethical questions • ‘Ethical’ hacking? • How to react to mischief or nuisances? • Is scanning for vulnerabilities legal? – Some hackers are trying to use this as a business model • Here are your vulnerabilities, let us help you • Can private property laws be applied on the Internet?
  • 21. Computer Crimes • Financial Fraud • Credit Card Theft • Identity Theft • Computer specific crimes – Denial-of-service – Denial of access to information – Viruses Melissa virus cost New Jersey man 20 months in jail • Melissa caused in excess of $80 Million • Intellectual Property Offenses – Information theft – Trafficking in pirated information – Storing pirated information – Compromising information – Destroying information • Content related Offenses – Hate crimes – Harrassment – Cyber-stalking • Child privacy
  • 22. Federal Statutes • Computer Fraud and Abuse Act of 1984 – Makes it a crime to knowingly access a federal computer • Electronic Communications Privacy Act of 1986 – Updated the Federal Wiretap Act act to include electronically stored data • U.S. Communications Assistance for Law Enforcement Act of 1996 – Ammended the Electronic Communications Act to require all communications carriers to make wiretaps possible • Economic and Protection of Proprietary Information Act of 1996 – Extends definition of privacy to include proprietary economic information , theft would constitute corporate or industrial espionage • Health Insurance Portability and Accountability Act of 1996 – Standards for the electronic transmission of healthcare information • National Information Infrastructure Protection Act of 1996 – Amends Computer Fraud and Abuse Act to provide more protection to computerized information and systems used in foreign and interstate commerce or communications • The Graham-Lynch-Bliley Act of 1999 – Limits instances of when financial institution can disclose nonpublic information of a customer to a third party