You are on page 1of 44

Computer Security - From Basic to Pro Hacker (6th Semester BCA DAITM

)

23rd June 2008

Computer Security
From Basics to Pro Hacker

By Jit Ray Chowdhury
Dinabandhu Andrews Institute of Technology and Management

Roll 04 BCA 6th SEMESTER

Email ID:-jit.ray.c@gmail.com Contact No:- 9831546599
1

Jit Ray Chowdhury

http://jit.ray.c@googlepages.com

Computer Security - From Basic to Pro Hacker (6th Semester BCA DAITM)

23rd June 2008

Your computer could be watching your every move!
Image Source - http://www.clubpmi.it/upload/servizi_marketing/images/spyware.jpg

Jit Ray Chowdhury

2

http://jit.ray.c@googlepages.com

Computer Security - From Basic to Pro Hacker (6th Semester BCA DAITM)

23rd June 2008

Introduction
Basic protection for Dummies

Jit Ray Chowdhury

3

http://jit.ray.c@googlepages.com

Computer Security - From Basic to Pro Hacker (6th Semester BCA DAITM)

23rd June 2008

Virus!!
They don’t just attack you computer but actually first they attack you as mostly they need some user interaction to get your PC infected and for that they play with your mind and fool you to do so.
Jit Ray Chowdhury

4

http://jit.ray.c@googlepages.com

Computer Security - From Basic to Pro Hacker (6th Semester BCA DAITM)

23rd June 2008

Protecting against Virus.
For protecting your PC from virus you not only need to have a updated antivirus and firewall installed but also be aware of the ways virus fools you.
Example:- like you commonly run external scripts send by virus on your scrapbook.
Jit Ray Chowdhury

5

http://jit.ray.c@googlepages.com

Computer Security - From Basic to Pro Hacker (6th Semester BCA DAITM)

23rd June 2008

Must Know About
A program that monitors your actions. While they are sometimes like a remote control program used by a hacker, software companies to gather data about customers. The practice is generally frowned upon.

YW SP

RE A

Definition from: BlackICE Internet Security Systems http://blackice.iss.net/glossary.php

An apparently useful and innocent program containing additional hidden code which allows the unauthorized collection, exploitation, falsification, or destruction of data.

Definition from: Texas State Library and Archives Commission - http://www.tsl.state.tx.us/ld/pubs/compsecurity/glossary.html

N JA O E TR RS O H

Jit Ray Chowdhury

6

http://jit.ray.c@googlepages.com

Computer Security - From Basic to Pro Hacker (6th Semester BCA DAITM)

23rd June 2008

Symptoms
• Targeted Pop-ups • Slow Connection • Targeted E-Mail (Spam) • Unauthorized Access • Spam Relaying • System Crash • Program Customisation
Jit Ray Chowdhury

SPYWARE SPYWARE / TROJAN SPYWARE TROJAN HORSE TROJAN HORSE SPYWARE / TROJAN SPYWARE
http://jit.ray.c@googlepages.com

7

Computer Security - From Basic to Pro Hacker (6th Semester BCA DAITM)

23rd June 2008

Spyware-Network Overview
• Push •Advertising •Pull •Tracking •Personal data

Image Source – Image derived and produced by; Andrew Brown, Tim Cocks and Kumutha Swampillai, February 2004.

Jit Ray Chowdhury

8

http://jit.ray.c@googlepages.com

Computer Security - From Basic to Pro Hacker (6th Semester BCA DAITM)

23rd June 2008

Virus, Worm, Trojan Horse, Spyware
• Virus cannot replicate themselves but worm and Trojan can do that. • A virus cannot be spread without a human action such as running an infected file or program but worm and Trojan have the capabilities to spread themselves automatically from computer to computer through network connection.
Jit Ray Chowdhury

9

http://jit.ray.c@googlepages.com

Computer Security - From Basic to Pro Hacker (6th Semester BCA DAITM)

23rd June 2008

• A virus do not consume system memory but worm consumes too much system memory and network bandwidth. • Trojans are used by malicious users to access your computer information but viruses and worms can’t do so, they simply infect your computer. • Spyware collect data from your computer without consent for Precision Marketing by various companies
Jit Ray Chowdhury

10

http://jit.ray.c@googlepages.com

Computer Security - From Basic to Pro Hacker (6th Semester BCA DAITM)

23rd June 2008

Hackers
The Attitude to the Infinity

Jit Ray Chowdhury

11

http://jit.ray.c@googlepages.com

Computer Security - From Basic to Pro Hacker (6th Semester BCA DAITM)

23rd June 2008

What is Hacker?
• It’s about technical adeptness , being delight in solving problems and overcoming limits. • There is a community of expert programmers and networking wizards that traces its history back through decades to the first time-sharing minicomputers and the earliest ARPAnet experiments. The members of this culture originated the term ‘hacker’. Hackers built the Internet. Hackers made the Unix operating system what it is today. Hackers make the World Wide Web work. If you are part of this culture, if you have contributed to it and other people in it know who you are and call you a hacker, you're a hacker.
Jit Ray Chowdhury

12

http://jit.ray.c@googlepages.com

Computer Security - From Basic to Pro Hacker (6th Semester BCA DAITM)

23rd June 2008

• The hacker mind-set is not confined to this software-hacker culture. There are people who apply the hacker attitude to other things, like electronics or music — actually, you can find it at the highest levels of any science or art. Software hackers recognize these kindred spirits elsewhere and may call them ‘hackers’ too — and some claim that the hacker nature is really independent of the particular medium the hacker works in. But in the rest of this document we will focus on the skills and attitudes of software hackers, and the traditions of the shared culture that originated the term ‘hacker’.

Jit Ray Chowdhury

13

http://jit.ray.c@googlepages.coom http://jit.ray.c@googlepages.com

Computer Security - From Basic to Pro Hacker (6th Semester BCA DAITM)

23rd June 2008

• There is another group of people who loudly call themselves hackers, but aren't. These are people (mainly adolescent males) who get a kick out of breaking into computers and freaking the phone system. Real hackers call these people ‘crackers’ and have nothing to do with them. Real hackers mostly think crackers are lazy, irresponsible, and not very bright, and object that being able to break security doesn't make you a hacker any more than being able to hotwire cars makes you an automotive engineer. Unfortunately, many journalists and writers have been fooled into using the word ‘hacker’ to describe crackers; this irritates real hackers no end. • The basic difference is this: hackers build things, crackers break them.

Jit Ray Chowdhury

14

http://jit.ray.c@googlepages.com

Computer Security - From Basic to Pro Hacker (6th Semester BCA DAITM)

23rd June 2008

The Hacker Attitude
• Don’t learn to Hack, Hack to Learn. • The world is full of fascinating problems waiting to be solved. • No problem should ever have to be solved twice. • Boredom and drudgery are evil. • Attitude is no substitute for competence.
Jit Ray Chowdhury

15

http://jit.ray.c@googlepages.com

Computer Security - From Basic to Pro Hacker (6th Semester BCA DAITM)

23rd June 2008

Don’t learn to Hack, Hack to Learn
Hackers solve problems and build things, and they believe in freedom and voluntary mutual help.. You also have to develop a kind of faith in your own learning capacity — a belief that even though you may not know all of what you need to solve a problem, if you tackle just a piece of it and learn from that, you'll learn enough to solve the next piece — and so on, until you're done.

Jit Ray Chowdhury

16

http://jit.ray.c@googlepages.com

Computer Security - From Basic to Pro Hacker (6th Semester BCA DAITM)

23rd June 2008

The world is full of fascinating problems waiting to be solved
Being a hacker is lots of fun, but it's a kind of fun that takes lots of effort. The effort takes motivation. Successful athletes get their motivation from a kind of physical delight in making their bodies perform, in pushing their own physical limits. Similarly, to be a hacker you have to get a basic thrill from solving problems, sharpening your skills, and exercising your intelligence. If you aren't the kind of person that feels this way naturally, you'll need to become one in order to make it as a hacker. Otherwise you'll find your hacking energy is drained by distractions like money, and social approval.
Jit Ray Chowdhury

17

http://jit.ray.c@googlepages.com

Computer Security - From Basic to Pro Hacker (6th Semester BCA DAITM)

23rd June 2008

No problem should ever have to be solved twice.
• Creative brains are a valuable, limited resource. They shouldn't be wasted on reinventing the wheel when there are so many fascinating new problems waiting out there • To behave like a hacker, you have to believe that the thinking time of other hackers is precious — so much so that it's almost a moral duty for you to share information, solve problems and then give the solutions away just so other hackers can solve new problems instead of having to perpetually re-address old ones
Jit Ray Chowdhury

18

http://jit.ray.c@googlepages.com

Computer Security - From Basic to Pro Hacker (6th Semester BCA DAITM)

23rd June 2008

Boredom and drudgery are evil.
• Hackers (and creative people in general) should never be bored or have to drudge at stupid repetitive work, because when this happens it means they aren't doing what only they can do — solve new problems. This wastefulness hurts everybody. Therefore boredom and drudgery are not just unpleasant but actually evil . • To behave like a hacker, you have to believe this enough to want to automate away the boring bits as much as possible, not just for yourself but for everybody else (especially other hackers).
Jit Ray Chowdhury

19

http://jit.ray.c@googlepages.com

Computer Security - From Basic to Pro Hacker (6th Semester BCA DAITM)

23rd June 2008

Attitude is no substitute for competence.
• To be a hacker, you have to develop some of these attitudes. But copying an attitude alone won't make you a hacker. Becoming a hacker will take intelligence, practice, dedication, and hard work. • Therefore, you have to learn to distrust attitude and respect competence of every kind. Hackers won't let posers waste their time, but they worship competence. • The hacker attitude is vital, but skills are even more vital. Attitude is no substitute for competence, and there's a certain basic toolkit of skills which you have to have before any hacker will dream of calling you one. This toolkit changes slowly over time as technology creates new skills and makes old ones obsolete.
Jit Ray Chowdhury

20

http://jit.ray.c@googlepages.com

Computer Security - From Basic to Pro Hacker (6th Semester BCA DAITM)

23rd June 2008

Basic Hacking Skills
• Learn how to program. • Get one of the open-source Unixes and learn to use and run it. • Learn how to use the World Wide Web and write HTML. • If you don't have functional English, learn it.

Jit Ray Chowdhury

21

http://jit.ray.c@googlepages.com

Computer Security - From Basic to Pro Hacker (6th Semester BCA DAITM)

23rd June 2008

Class of Hackers
• Black hats Individuals with extraordinary computing skills, resorting to malicious or destructive activities. Also known as ‘Crackers.’ • Gray Hats Individuals who work both offensively and defensively at various times. • White Hats Individuals professing hacker skills and using them for defensive purposes. Also known as ‘Security Analysts’.

Jit Ray Chowdhury

22

http://jit.ray.c@googlepages.com

Computer Security - From Basic to Pro Hacker (6th Semester BCA DAITM)

23rd June 2008

• Script Kiddies Person, normally … not technologically sophisticated, who randomly seeks out a specific weakness over the internet to gain root access to a system without really understanding what he is exploiting because the weakness was discovered by someone else. • Phreak Person who breaks into … telecommunications systems. • Ethical Hacker May be Independent or maybe group of consultants Claims to be knowledgeable about black hat activities.

Jit Ray Chowdhury

23

http://jit.ray.c@googlepages.com

Computer Security - From Basic to Pro Hacker (6th Semester BCA DAITM)

23rd June 2008

Responsibility of Hackers
• Write open-source software • Help test and debug open-source software • Publish useful information • Serve the hacker culture itself

Jit Ray Chowdhury

24

http://jit.ray.c@googlepages.com

Computer Security - From Basic to Pro Hacker (6th Semester BCA DAITM)

23rd June 2008

Disciplined Life of Hackers
Again, to be a hacker, you have to enter the hacker mindset. There are some things you can do when you're not at a computer that seem to help. They're not substitutes for hacking (nothing is) but many hackers do them, and feel that they connect in some basic way with the essence of hacking. • Read science fiction. Go to science fiction conventions (a good way to meet hackers and proto-hackers). • Develop your appreciation of puns and wordplay

Jit Ray Chowdhury

25

http://jit.ray.c@googlepages.com

Computer Security - From Basic to Pro Hacker (6th Semester BCA DAITM)

23rd June 2008

• Train in a martial-arts form. The kind of mental discipline required for martial arts seems to be similar in important ways to what hackers do. The most popular forms among hackers are definitely Asian empty-hand arts such as Tae Kwon Do, various forms of Karate, Kung Fu, Aikido, or Ju Jitsu. The most hackerly martial arts are those which emphasize mental discipline, relaxed awareness, and control, rather than raw strength, athleticism, or physical toughness. • Study an actual meditation discipline. The perennial favorite among hackers is Zen. Other styles may work as well, but be careful to choose one that doesn't require you to believe crazy things. • Develop an analytical ear for music. Learn to appreciate peculiar kinds of music. Learn to play some musical instrument well, or how to sing.

Jit Ray Chowdhury

26

http://jit.ray.c@googlepages.com

Computer Security - From Basic to Pro Hacker (6th Semester BCA DAITM)

23rd June 2008

• The more of these things you already do, the more likely it is that you are natural hacker material. Why these things in particular is not completely clear, but they're connected with a mix of left- and right-brain skills that seems to be important; hackers need to be able to both reason logically and step outside the apparent logic of a problem at a moment's notice. • Work as intensely as you play and play as intensely as you work. For true hackers, the boundaries between "play", "work", "science" and "art" all tend to disappear, or to merge into a high-level creative playfulness. Also, don't be content with a narrow range of skills. Though most hackers self-describe as programmers, they are very likely to be more than competent in several related skills — system administration, web design, and PC hardware troubleshooting are common ones. A hacker who's a system administrator, on the other hand, is likely to be quite skilled at script programming and web design. Hackers don't do things by halves; if they invest in a skill at all, they tend to get very good at it.

Jit Ray Chowdhury

27

http://jit.ray.c@googlepages.com

Computer Security - From Basic to Pro Hacker (6th Semester BCA DAITM)

23rd June 2008

Hacking
The Professionalism

Jit Ray Chowdhury

28

http://jit.ray.c@googlepages.com

Computer Security - From Basic to Pro Hacker (6th Semester BCA DAITM)

23rd June 2008

Why this knowledge is necessary?
• • Internet has grown very fast and security has lagged behind. In 1988 a "worm program" written by a college student shut down about 10 percent of computers connected to the Internet. This was the beginning of the era of cyber attacks. • In India there is a demand for about 80,000 security professionals where as only 22,000 are available and security specialists markets are expanding unlike other technology professions.

Jit Ray Chowdhury

29

http://jit.ray.c@googlepages.com

Computer Security - From Basic to Pro Hacker (6th Semester BCA DAITM)

23rd June 2008

95% of Web Apps Have Vulnerabilities
• Cross-site scripting (80 percent) • SQL injection (62 percent) • Parameter tampering (60 percent) • Cookie poisoning (37 percent) • Database server (33 percent) • Web server (23 percent) • Buffer overflow (19 percent)
Jit Ray Chowdhury

30

http://jit.ray.c@googlepages.com

Computer Security - From Basic to Pro Hacker (6th Semester BCA DAITM)

23rd June 2008

Cross-site scripting

Jit Ray Chowdhury

31

http://jit.ray.c@googlepages.com

Computer Security - From Basic to Pro Hacker (6th Semester BCA DAITM)

23rd June 2008

SQL injection
• Unvalidated input: “SQL Injection” example
username= admin password= anything’ OR ‘x’=‘x

• Original Query
SELECT count(*) FROM userinfo WHERE name=‘@username’ and pass=‘@password’

• Database will execute
SELECT count(*) FROM userinfo WHERE name=‘admin’ and pass=‘anything’ OR ‘x’=‘x’ Got logged in successfully!
Jit Ray Chowdhury

32

http://jit.ray.c@googlepages.com

Computer Security - From Basic to Pro Hacker (6th Semester BCA DAITM)

23rd June 2008

Phases Involved in Ethical Hacking
• Footprinting • Scanning • Enumeration • Gaining Access • Escalating privilege • Pilfering • Covering tracks • Creating back doors • Denial of service

Jit Ray Chowdhury

33

http://jit.ray.c@googlepages.com

Computer Security - From Basic to Pro Hacker (6th Semester BCA DAITM)

23rd June 2008

Footprinting
• Objective information gathering essential for attack.  Gathering Target Address range, namespace, acquisition and other

•    

Techniques Domain name lookup Whois Nslookup Sam Spade

 ARIN (American Registry of Internet Numbers)

Jit Ray Chowdhury

34

http://jit.ray.c@googlepages.com

Computer Security - From Basic to Pro Hacker (6th Semester BCA DAITM)

23rd June 2008

Scanning
•  •    Objective Bulk target assessment and identification of listing services focuses the attacker’s attention on the most promising avenues of entry Techniques Ping sweep TCP/UDP port scan OS Detection

Jit Ray Chowdhury

35

http://jit.ray.c@googlepages.com

Computer Security - From Basic to Pro Hacker (6th Semester BCA DAITM)

23rd June 2008

Enumeration
•  •    Objective More intrusive probing now begins as attackers begin identifying valid user accounts or poorly protected resource shares Techniques List user accounts List file shares Identify applications

Jit Ray Chowdhury

36

http://jit.ray.c@googlepages.com

Computer Security - From Basic to Pro Hacker (6th Semester BCA DAITM)

23rd June 2008

Gaining Access
•  •     Objective Enough data has been gathered at this point to make an informed attempt to access the target Techniques Password eavesdropping File share brute forcing Password file grab Buffer overflows

Jit Ray Chowdhury

37

http://jit.ray.c@googlepages.com

Computer Security - From Basic to Pro Hacker (6th Semester BCA DAITM)

23rd June 2008

Pilfering
•  •   Objective The information gathering process begins again to identify mechanisms to gain access to trusted systems Techniques Elevate trusts Search for clearnet passwords

Jit Ray Chowdhury

38

http://jit.ray.c@googlepages.com

Computer Security - From Basic to Pro Hacker (6th Semester BCA DAITM)

23rd June 2008

Covering Tracks
•  Objective Once total ownership of the target is secured, hiding this fact from system administrators becomes paramount, lest they quickly end the romp •   Techniques Clear logs Hide tools

Jit Ray Chowdhury

39

http://jit.ray.c@googlepages.com

Computer Security - From Basic to Pro Hacker (6th Semester BCA DAITM)

23rd June 2008

Creating Back Doors
• Objective privileged access is easily regained at the whim of the intruder •       Techniques Create rogue user accounts Schedule batch jobs Infect startup files Plant remote control services Install monitoring mechanisms Replace apps with Trojans  Trap doors will be laid in various parts of the system to ensure that

Jit Ray Chowdhury

40

http://jit.ray.c@googlepages.com

Computer Security - From Basic to Pro Hacker (6th Semester BCA DAITM)

23rd June 2008

Denial of Service
•  •       Objective If an attacker is unsuccessful in gaining access, they may use readily available exploit code to disable a target as a last resort Techniques SYN flood ICMP techniques Identical SYN requests Overlapping fragment/offset bugs Out of bounds TCP options (OOB) DDoS

Jit Ray Chowdhury

41

http://jit.ray.c@googlepages.com

Computer Security - From Basic to Pro Hacker (6th Semester BCA DAITM)

23rd June 2008

Finally
There is always more to learn like Evading IDS, Firewalls, Honey pots,Buffer Overflows, Cryptography, Sniffers and protective measures to be taken to defend against all these. But it’s time for me to leave you on your own and take up the responsibility and learn it up yourself if your are passionate enough to pursue all this.

Jit Ray Chowdhury

42

http://jit.ray.c@googlepages.com

Computer Security - From Basic to Pro Hacker (6th Semester BCA DAITM)

23rd June 2008

Thank You
Questions??

Jit Ray Chowdhury

43

http://jit.ray.c@googlepages.com

Computer Security - From Basic to Pro Hacker (6th Semester BCA DAITM)

23rd June 2008

Bibliography / Links
• • • • • • • • • • • • • • • • • [0]“A Brief History of Hackerdom” - http://catb.org/~esr/writings/hacker-history/hacker-history.html [1] "Spyware" Definition - BlackICE Internet Security Systems - http://blackice.iss.net/glossary.php [2] "Trojan Horse" Definition – Texas State Library and Archives Commission - http://www.tsl.state.tx.us/ld/pubs/compsecurity/glossary.html [3] Zeinalipour-Yazti, D. “Exploiting the Security Weaknesses of the Gnutella Protocol”, University of California. [4] Joshi, R. “Network Security Applications”, Merchantile Communications, CANIT Conference 2003. [5] CERT Advisory CA-1999-02 http://www.cert.org/advisories/CA-1999-02.html [6] Spyware Guide – http://www.spyware-guide.com [7] Trojan Horses - http://www.mpsmits.com/highlights/trojan_horses.shtml [8] Trojan Horse - Back Orifice - http://www.nwinternet.com/~pchelp/bo/bo.html [9] NetBus - http://www.nwinternet.com/~pchelp/nb/netbus.htm [10] BBC News - http://news.bbc.co.uk/1/hi/technology/3153229.stm [11] Wired News – “Judge takes bite out of Gator” www.wired.com/news/politics/0,1283,53875,00.html [12] Tracking Cookies – Demonstration at http://www.irt.org/instant/chapter10/tracker/index4.htm [13] BonziBuddy - http://www.bonzi.com/bonzibuddy/bonzibuddyfreehom.asp [14] Unwanted Links (Spyware) – http://www.unwantedlinks.com [15] Andersen, R. "Security Engineering", First Edition, J. Wiley and Sons, 2001. [16] Scacchi, W. “Privacy and Other Social Issues”, Addison-Wesley, 2003. – http://www.ics.uci.edu/~wscacchi/Tech-EC/Security+Privacy/Privacy.ppt

Jit Ray Chowdhury

44

http://jit.ray.c@googlepages.com