Bar Camp 11 Oct09 Hacking
1. # ethical hacking -
hacking in its real sense
by Manu Zacharia
MVP (Enterprise Security), C|EH, C|HFI,
Certified ISO 27001:2005 LA, MCP, CCNA, AFCEH
2. CONTENTS
INTRODUCTION
WHO IS A HACKER?
STATISTICS & CASE STUDY
ETHICAL HACKING & PEN TEST
CONCLUSION & Q ‘n’ A
www.matriux.com
11. # hacker
• Someone involved in computer
security/insecurity
• An enthusiastic home computer hobbyist
• A programmer(ing) culture
that originated in US
academia in the 1960’s -
nowadays closely related
with open source / free
software.
12. # history of hacking
• Started off – MIT – Late 1950’s
• Tech Model Rail Road club of MIT
• Donated old telephone equipment
• They re-worked & re-created a complex
system that allowed multiple operators to
control different parts of the track by dialing into
the appropriate sections.
14. # they called it hacking
They called this new and inventive use of
telephone equipment hacking
15. # hacker evolution
• The conventional boundaries were also broken
at the MIT Rail Road Club.
16. # do you know him?
• Often known as “Programmer's programmer”
• Creator of Ghostscript, a highly-portable, high-
quality, Open Source implementation of the
PostScript language.
• Founder of Aladdin Enterprises
• Authored or co-authored various RFCs - RFC 190,
RFC 446, RFC 550, RFC 567, RFC 606, RFC 1950,
RFC 1951 and RFC 1952
17. # do you know him?
• Dr. L. Peter Deutsch
• Started programming at the age of 11.
• He was accepted to the MIT Rail Road
club at the age of 12 when he demonstrated
his knowledge of the TX-0 and his desire to
learn.
18. # TX-0
• Fully transistorized computer
• Transistorized Experimental computer zero
• TX-0 - affectionately referred to as tixo
(pronounced "tix oh")
19. # short-pant hacker
• Age
• Race,
• Gender,
• Appearance,
• Academic degrees, and
• Social status were defied in search for free information
22. # why study & select security?
• The 3 upcoming technology areas (Triple-
S – 3S).
• Synchronize (Collaboration)
• Store (Storage),
• Secure – (Security)
• It's challenging
• You need to have the “stuff”
23. # scope for a security pro
• Almost all the major / critical networks like:
• Defense,
• Communication,
• Financial,
• Infra networks, (Power Grids,)
• Comn networks, etc
24. # financials “skilled” sec pro
• Average hourly rate – $40 – $60
• Skilled Pen Testers – $100 – $120 - $150
• 100 X 8 hrs = 800
• 800 X 5 days = 4000
• 4000 X 20 working days = 80,000
• $ 80,000 to INR (Rs 50) = 40,00,000
26. # bytes ‘n’ bullets
“bytes are replacing bullets in the crime
world”
27. THE BIG PICTURE
• World wide internet usage (2008) -
694 Million
• World wide internet usage (2009) -
1.4 Billion
Source: comScore Networks
• Internet usage – growth rate (India)
= 142 %
28. THE BIG PICTURE
[Bar chart: Top 10 Online Populations by Country]
Excludes traffic from public computers such as Internet cafes, and access from
mobile phones or PDAs.
29. BEFORE WE START….
[Chart: Internet users in India, 2000–2007]
Report of the Internet and Mobile Association of India (IAMAI) and IMRB
International
30. # the bigger picture
• 1.4 Billion users can communicate with
your system
or
• Your system can communicate with 1.4
Billion users.
31. # the bigger picture
• Out of the 1.4 Billion, some can rattle your
door to your computer to see if it is locked
or not
• locked – It's fine
• not locked – not fine
32. # can you handle it
• Out of the 1.4 Billion, if 1% connects to
your system, what will happen?
• 1% = ?
34. # case study
• The most powerful and costliest
(physics) experiment ever built
• 5000 high power magnets arranged in a
27 km giant tunnel.
• will re-create the conditions present in
the Universe just after the Big Bang
• Large Hadron Collider (LHC)
• CERN - European Organization for
Nuclear Research
• Hacked on 10 Sep 08
40. # credit & debit cards?
• How many of you use credit cards?
• What is the trust factor here?
41. # case study
• Hackers have broken into Web servers
owned by domain registrar and hosting
provider Network Solutions, planting rogue
code that resulted in the compromise of
more than 573,000 debit and credit card
accounts over a period of three months
47. # traditional security concept
Protecting the resources by locking them under
lock and key
48. # current security concept
• Security is a state of well being
• Security is all about being prepared for
the unexpected.
49. # information security
The
• policies,
• procedures and
• practices
required to maintain and provide assurance of the
• confidentiality,
• integrity, and
• availability
of information
51. # penetration testing
Penetration testing is a time-constrained
and authorized attempt to breach the
architecture of a system using attacker
techniques.
Also known as ethical hacking (EH)
52. # why penetration testing
To test if internal users can break security
To test if external threats can break your
corporate security
Compliance with standards
Ensure and assure state of security to all
stake holders
55. # types of pen testing
• Black Box Testing
  • No prior knowledge
• White Box Testing
  • Detailed knowledge of targeted network and
  systems
  • Emulates attackers with insider knowledge
• Grey Box Testing / Hybrid Testing
  • Combination of black and white testing.
56. # elements of pen testing
The three elements of a penetration test are:
• People
• Process
• Technology
Elements should be properly balanced to get
the maximum quality output.
57. # technology
Two Types of technology associated with Pen Test:
• Pen Testing Tools and Technology
Example – Info Gathering Tools
Network Scanning Tools
• Technology implemented at the clients / testing site.
Example – OS Implemented
Database used
58. # pen testing team
Generally consists of three teams
• Red Team – Attackers / pen testers
• Blue Team – Defenders
• White Team – Intermediate Team
59. # rules of engagement
• Definition: “ROE are detailed guidelines established
before the start of an information security test that give
the test team authority to conduct the technical and
nontechnical activities defined in the ROE without
additional permission.”
• It is the basis on which the PT is performed.
• It will serve as a contract between the customer and the
testing agent.
61. # security & women
• Shon Harris – Author
of CISSP Study Guide
and Info Sec Expert
• Laura Chappell –
Security Expert –
Packet Analysis
62. Most frequently asked questions
Read, Read and Read – Make it a habit
Thorough understanding
OS Concepts
Networking Concepts (TCP/IP)
Programming / Coding (2 to 3
languages – Assembly, C, C++, Python,
Perl, PHP, MySQL / SQL)
68. # matriux
Free and Open source project – OS
You can be part of it – how?
Write your scripts or programs and
send it to us
Test the OS and ensure its stability
Documentation or Graphics
69. # forum
http://chat.theadmins.info
or
irc://irc.chat4all.org/#theadmis
70. HACKING
“If you are a hacker everyone knows you, if
you are a good hacker nobody knows
you.."