ethical hacking, its relevance and its prospects

Uploaded by rwik-kumar-dutta; posted 21-Mar-2017.

Ethical Hacking

Presented by group InFERNO: Rwik Kumar Dutta, Sarthak Singh, Sushmita Sil, Shweta Mishra, Soumya Mallick, Sristi

Evolution of Hacking

The first hackers appeared in the 1960s at the Massachusetts Institute of Technology (MIT).

During the 1970s, a different breed of hacker appeared: phone phreakers, or phone hackers.

In the 1980s, phreaks started to migrate to computers, and the first Bulletin Board System (BBS) appeared.

During the 1990s, when the Internet came along, hackers multiplied.

Hacking

The process of attempting to gain, or successfully gaining, unauthorized access to computer resources is called hacking.

Hacking and its types

White hats: the good guys. They don't use their skills for illegal purposes; they are computer security experts and help to protect against black hats.

Grey hats: a combination of white and black hat. Their goal is to provide national security.

Black hats: the bad guys. They use their skills meticulously for personal gain: hacking banks, stealing credit cards and defacing websites.

Ethical Hacking

Ethical hacking and ethical hacker are terms used to describe hacking performed by a company or individual to help identify potential threats on a computer or network.

An ethical hacker attempts to bypass system security and search for any weak points.

This information is then used by the organization to improve the system security to minimize or eliminate any potential attacks.

And yeah, ‘ethical hacking’ is not an oxymoron. It truly is ethical.

What constitutes ethical hacking?

For hacking to be deemed ethical, the hacker must obey the following rules:

- Expressed (often written) permission to probe the network and attempt to identify potential security risks.
- You respect the individual's or company's privacy.
- You close out your work, not leaving anything open for you or someone else to exploit at a later time.
- You let the software developer or hardware manufacturer know of any security vulnerabilities you locate in their software or hardware, if not already known by the company.

Hack without being on the wrong side of the law

- Hack ethically: work professionally, have high morals and principles.
- Respect privacy: treat the information gathered with utmost respect and take care to keep it private.
- Work within the guidelines and limitations specified by your client.

Unless and until you violate any of the above, you will not find yourself on the wrong side of the law. Being a 'white hat' hacker may give you less of an adrenaline rush than a 'black hat' hacker, but you will at least lead a good and honest life, with no fear of serving prison time for hacking.

As an ethical hacker, you have to evaluate the system security to answer the following:

- What can an intruder see on the target systems?
- What can an intruder do with that information?
- Does anyone at the target notice the intruder's attempts or successes?
- What are you trying to protect?
- What are you trying to protect against?
- How much time, money and effort are you willing to spend to obtain adequate protection?

Why should you consider selecting ethical hacking as a profession?

- To make security in systems stronger.
- Just for fun.
- To show off.
- You might be one of those people who love to break into others' systems but are scared of the legal implications of doing it on the sly.

Ethical hacking: a core part of the IT security industry today

- The IT security industry is growing at the rate of 21% per annum.
- In 2012, ethical hacking was estimated to be a US$ 3.8 billion industry in the US alone.
- According to Nasscom, India will require at least 77,000 ethical hackers every year, whereas we are currently producing only 15,000 a year.

As an intern, you can get around 2.5 lakhs per annum. With one year of experience, it can go up to 4.5 lakhs per annum. With work experience of 5 years or more, it can go up to and beyond 10-12 lakhs.

Hacking Process

1. Reconnaissance (footprinting): Whois lookup, NS lookup, IP lookup
2. Scanning and enumeration: port scanning, network scanning, fingerprinting, firewalking
3. Attack and gaining access: password attacks, social engineering, viruses
4. Maintaining access: OS backdoors, Trojans
5. Clearing tracks: removing all traces

Guidelines for making your career in ethical hacking

- You should have specific domain specializations in various areas, including networking and related areas, RDBMS, programming languages and OSs, especially Windows and Linux.
- Develop strong soft skills, including good communication skills, good problem-solving ability, a good strong ethic, good adaptability and the mindset to stay dedicated.
- Try to be street smart: the methodologies that you might need to adopt to solve a problem can be very unorthodox or out of the box.
- Try to follow hacking conventions like DEF CON and try to connect with one of the DEF CON affiliated local groups.
- Stay updated with the latest in the IT security industry.

Resources and Certifications

- Boost your career by getting certified. EC-Council offers the C|EH (Certified Ethical Hacker) certification, which is internationally accepted.
- Earn other security certificates like Security+ offered by CompTIA, the CISSP certification, the TICSA certification and many more.
- Check the resources section of the EC-Council site.
- You can buy books like Hacking: The Art of Exploitation and other great learning and reference books.

Latest trends in ethical hacking

- Network penetration testing is dead. Web and mobile application security testing jobs are on the rise.
- Beware: web and mobile testing is getting automated and commoditized.
- Gaining skills in deeper business logic testing, code review and architecture review is important.
- Running scripts/tools is not enough. Understanding the design, code and logic is critical for career growth.
- Knowing how to break is not good enough. Learn prevention.

Case study: the Heartbleed bug (CVE-2014-0160)

Heartbleed bug: caused by (unfortunate) memory leaks in systems protected by vulnerable versions of OpenSSL.

OpenSSL is a general purpose cryptography library that provides an open source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.

SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The most notable software using OpenSSL are the open source web servers like Apache and nginx. The combined market share of just those two out of the active sites on the Internet was over 66% according to Netcraft's April 2014 Web Server Survey.

Named ‘heartbleed’ because the bug is in the implementation of a feature called ‘heartbeat’.

Understanding 'heartbleed'

The actual bug in 'heartbleed' is surprisingly simple. We can easily understand it by drawing an analogy with a simple piece of C++ code.

int arr[] = {5, 6, 7};
cout << arr[10]; // Will this be an error?

No, it won't. It will try to read contents from the memory beyond what is allocated for the array, and hence may return anything; it might even crash your computer.

If it so happened that your server had one of your passwords or encryption keys in the memory at that moment, the info might have got leaked and somebody could then very easily snoop in your personal and private data.
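The same over-read, shown on a simulated heartbeat record rather than an array, as an added example that is not part of the original presentation or of OpenSSL itself: the vulnerable handler trusts the length field a peer claims, the fixed handler applies the bounds check of the shape OpenSSL 1.0.1g introduced. The memory layout, the secret string and the record format are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample: simulated process memory holding one heartbeat record
 * followed by a secret that happens to sit next to it. Not real OpenSSL data. */
#define MEM_SIZE 64
#define PADDING  16                 /* TLS heartbeat records carry 16 bytes of padding */
static uint8_t mem[MEM_SIZE];
static const char SECRET[] = "SECRET_KEY";

/* Lay out a request at mem[0]: type(1) | length(2, big-endian) | payload | padding.
 * claimed_len is what the peer asserts; actual_len is how many payload bytes it really
 * sent. Keep claimed_len <= MEM_SIZE - 3 so the simulation itself stays inside mem.
 * Returns the record length the transport actually delivered. */
size_t build_request(uint16_t claimed_len, const char *payload, size_t actual_len) {
    size_t record_len = 3 + actual_len + PADDING;
    memset(mem, 0, sizeof mem);
    mem[0] = 1;                                  /* heartbeat request */
    mem[1] = (uint8_t)(claimed_len >> 8);
    mem[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(mem + 3, payload, actual_len);
    memcpy(mem + record_len, SECRET, sizeof SECRET);  /* "adjacent" memory */
    return record_len;
}

/* Vulnerable handler: echoes claimed_len bytes without comparing it to the record
 * length, so a claimed length larger than the payload walks into whatever lies beyond. */
size_t heartbeat_vulnerable(size_t record_len, uint8_t *out) {
    uint16_t payload_len = (uint16_t)((mem[1] << 8) | mem[2]);
    (void)record_len;                            /* the bug: never consulted */
    memcpy(out, mem + 3, payload_len);
    return payload_len;
}

/* Fixed handler, following the shape of the OpenSSL 1.0.1g bounds check:
 * discard the record if 1 + 2 + payload + padding exceeds the bytes received. */
size_t heartbeat_fixed(size_t record_len, uint8_t *out) {
    uint16_t payload_len = (uint16_t)((mem[1] << 8) | mem[2]);
    if (1 + 2 + (size_t)payload_len + PADDING > record_len)
        return 0;                                /* reject silently, as the fix does */
    memcpy(out, mem + 3, payload_len);
    return payload_len;
}
```

With a two-byte payload and a claimed length of 40, the vulnerable handler returns 40 bytes that include the secret, while the fixed handler returns 0 and leaks nothing.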

Neel Mehta of Google's security team first reported Heartbleed on April 1, 2014.

Got fixed pretty soon…but a lot of damage had already been done by then.

The NSA managed to use the Heartbleed bug to snoop on people for two years.

Hope now you have a clearer view on what type of role ethical hacking plays in this world.

Still in need of some inspiration? Look up to these people: Ian Murphy, Kevin Mitnick, Robert Morris.

Acknowledgement

We would like to thank all our teachers, friends, family members for supporting us throughout the making and preparation of this presentation.

We would also like to thank the staff and faculty of B P Poddar Institute of Management and Technology for offering us the platform to deliver our presentation.

Bibliography

- en.wikipedia.org
- http://www.pcworld.com/article/250045/how_to_become_an_ethical_hacker.html
- http://www.computerhope.com/jargon/e/ethihack.htm
- http://www.ivizsecurity.com/blog/web-application-security/trends-for-ethical-hacking/
- slideshare.net
- edx.org (Introduction to Computer Science by HarvardX) for the Heartbleed case study