Wednesday, December 10, 2014

WHITE BOX VS BLACK BOX TESTING

 


  • Testing is a process of validating and verifying that an application, software, website or product is working as expected. Both of the testing forms mentioned above are equally important, and their use depends on the domains in which they're applied. The primary purpose is to detect software failures so that the defects may be discovered and corrected. Let us discuss them in detail:

    White Box Testing

    It is a method of testing in which the internal structure is checked and code is verified, keeping in mind the design specification. Here are some points:
    • The application is tested at the source code level.
    • Testing for loops, if-else statements, etc. is part of white-box testing.
    • Done by testers and developers.
     

    Black Box Testing

    Black Box Testing is performed without having much knowledge of the internal workings of the software. Here are some points:
    • It tests how the software behaves as a whole and analyzes client requirement specifications.
    • Usually done by those who have no knowledge of the actual code.
    • Done by end-users, testers and developers.

     

    Comparison

    ·Role:

    White Box Testing: Its role is to find common defects in code.
    Black Box Testing: It verifies that the requirements are met and examines the functionality of an application.

    ·Granularity

    Granularity in testing is a way to determine the expected result for a test case.
    White Box Testing: High granularity.
    Black Box Testing: Low granularity when compared with white box testing.

    ·Other names:

    White Box Testing: It is also known as glass box, transparent box, structural testing and non-functional testing.
    Black Box Testing: It is also known as closed box, functional testing.

    ·Performed by:

    White Box Testing: This type of testing is done by testers and developers.
    Black Box Testing: This is done by end-users, testers and developers.

    ·Domain

    White Box Testing: It is suited for all domains.
    Black Box Testing: It is suited only for business domain testing.

    ·Algorithm Testing

    White Box Testing: Algorithm testing is suitable for white box testing.
    Black Box Testing: Algorithm testing is not considered suitable for black box testing.

    ·Basis for Test Cases

    White Box Testing: The test case is based on detail design.
    Black Box Testing: The test case is built around requirements and specifications.

    ·Programming Knowledge

    White Box Testing: For performing white box testing, programming skills are necessary to test the internal structure. Sometimes, a programmer with high-level knowledge is required.
    Black Box Testing: For performing black box testing, programming skills are not required. It is done by those who usually have no knowledge of the actual code.

    ·Maintenance

    White Box Testing: Maintenance is difficult as it uses debuggers, compilers and other tools.
    Black Box Testing: Maintenance is easier.

    ·Test Case

    White Box Testing: Test Cases are easier to design.
    Black Box Testing: It’s difficult to design test cases in black box testing.

    ·Time

    White Box Testing: It is time-consuming as internal structure is tested.
    Black Box Testing: Takes less time when compared with White Box.

    ·Testing Stage

    White Box Testing: It is performed early in the testing process.
    Black Box Testing: It is applied during the later stages of testing.

    ·Errors

    White Box Testing: It attempts to find errors in internal logic of program.
    Black Box Testing: It attempts to find the following errors:
    • initialization errors
    • incorrect functions error
    • database access errors

    ·Levels

    White Box Testing: Applicable to lower levels of testing:
    • Unit testing, and
    • Integration Testing.
    Black Box Testing: Applicable to higher levels of testing:
    • Acceptance Testing, and
    • System Testing

    ·Implementation Knowledge

    White Box Testing: Implementation Knowledge is required.
    Black Box Testing: Implementation Knowledge is not necessary for black box testing.

    ·Selection of Test Cases

    White Box Testing: Large number of test cases are to be written for white box.
    Black Box Testing: It is based on the selection of sample test cases.

    ·Internal Structure

    White Box Testing: The internal structure is known.
    Black Box Testing: Tests how the software behaves as a whole, so internal structure is not known.

    ·Techniques

    White Box Testing techniques:
    • Control flow testing
    • Data flow testing
    • Branch testing
    • Path testing
    • Statement coverage
    • Decision coverage

    Black Box Testing techniques:
    • Decision table testing
    • All-pairs testing
    • Equivalence partitioning
    • Boundary value analysis
    • Cause–effect graph
    • Error guessing
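
The two approaches applied to one function, as an added example that is not part of the original article: black-box cases come from boundary value analysis of the specification, and white-box statement coverage then shows a line those cases never execute. The function `lockout_seconds`, its specification and every test value are constructed for illustration.

```python
import dis
import sys


def lockout_seconds(failed_attempts):
    # Constructed function under test. Spec: 0-2 failures -> 0 s, 3-5 -> 30 s, 6+ -> 300 s.
    if failed_attempts > 1000:
        return 0  # not in the spec: a very high counter clears the lockout
    if failed_attempts >= 6:
        return 300
    if failed_attempts >= 3:
        return 30
    return 0


# Black box: derived from the spec only. One value on each side of every
# partition boundary (boundary value analysis) plus one interior value.
SPEC_CASES = [(0, 0), (2, 0), (3, 30), (5, 30), (6, 300), (7, 300)]

# White box: chosen after reading the code, to drive the branch the spec never
# mentions. The expected value still comes from the spec (6+ failures -> 300 s).
WHITE_BOX_CASE = (1001, 300)


def failures(cases):
    """Return (input, expected, actual) for every case the function gets wrong."""
    return [(x, want, lockout_seconds(x)) for x, want in cases
            if lockout_seconds(x) != want]


def uncovered_offsets(cases, func=lockout_seconds):
    """Statement coverage: offsets (from the def line) of lines the cases never ran."""
    code = func.__code__
    executable = {ln for _, ln in dis.findlinestarts(code) if ln is not None}
    executable.discard(code.co_firstlineno)  # the def line itself is not a statement
    hit = set()

    def tracer(frame, event, arg):
        # Only follow frames that execute the function under test.
        if frame.f_code is not code:
            return None
        if event == "line":
            hit.add(frame.f_lineno)
        return tracer

    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        for x, _ in cases:
            func(x)
    finally:
        sys.settrace(previous)
    return sorted(ln - code.co_firstlineno for ln in executable - hit)


if __name__ == "__main__":
    print("black-box failures:", failures(SPEC_CASES))
    print("lines never executed:", uncovered_offsets(SPEC_CASES))
    print("after white-box case:", failures(SPEC_CASES + [WHITE_BOX_CASE]))
```

Every specification-derived case passes, yet one line stays unexecuted; the case written from the code is the one that exposes the lockout being cleared.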

Saturday, December 6, 2014

What is the Value of a Penetration Test?


A few of the reasons organizations invest in penetration testing:
  • Determining the feasibility of a particular set of attack vectors
  • Identifying higher-risk vulnerabilities that result from a combination of lower-risk vulnerabilities exploited in a particular sequence
  • Identifying vulnerabilities that may be difficult or impossible to detect with automated network or application vulnerability scanning software
  • Assessing the magnitude of potential business and operational impacts of successful attacks
  • Testing the ability of network defenders to successfully detect and respond to the attacks
  • Providing evidence to support increased investments in security personnel and technology to C-level management, investors, and customers
  • Meeting compliance requirements (for example, the Payment Card Industry Data Security Standard (PCI DSS) requires both annual and ongoing penetration testing, after any system changes)
  • Post security incident, an organization needs to determine the vectors that were used to gain access to a compromised system (or entire network). Combined with forensic analysis, a penetration test is often used to re-create the attack chain, or else to validate that new security controls put in place will thwart a similar attack in the future.

Wednesday, December 3, 2014

Shoulder surfing

Shoulder surfing (computer security) 

In computer security, shoulder surfing refers to using direct observation techniques, such as looking over someone's shoulder, to get information. It is commonly used to obtain passwords, PINs, security codes, and similar data.

Occurrence
Shoulder surfing is particularly effective in crowded places because it is relatively easy to observe someone as they:
  • fill out a form
  • enter their PIN at an automated teller machine or a POS terminal
  • use a telephone card at a public payphone
  • enter a password at a cybercafe, public and university libraries, or airport kiosks
  • enter a code for a rented locker in a public place such as a swimming pool or airport
  • enter a PIN or password on their smartphone
Public transport is a particular area of concern.

Prevention
Some automated teller machines have a sophisticated display which discourages shoulder surfers from obtaining displayed information. It grows darker beyond a certain viewing angle, and the only way to tell what is displayed on the screen is to stand directly in front of it. Although this prevents an observer obtaining some information, e.g. account balance, it is generally not required to protect the PIN, because the PIN is typically not displayed during entry.
Certain models of credit card readers have the keypad recessed, and employ a rubber shield that surrounds a significant part of the opening towards the keypad. This makes shoulder-surfing significantly harder, as seeing the keypad is limited to a much more direct angle than previous models.

Wednesday, November 26, 2014

Footprinting...

Digital footprint

From Wikipedia, the free encyclopedia

A digital footprint is the data that is left behind by users on digital services.[1] There are two main classifications for digital footprints: passive and active. A passive digital footprint is created when data is collected without the owner knowing, whereas active digital footprints are created when personal data is released deliberately by a user for the purpose of sharing information about oneself by means of websites or social media.[1]
Passive digital footprints can be stored in many ways depending on the situation. In an online environment a footprint may be stored in an online database as a "hit". This footprint may track the user's IP address, when it was created, and where they came from, with the footprint later being analyzed. In an offline environment, a footprint may be stored in files, which can be accessed by administrators to view the actions performed on the machine, without being able to see who performed them.
Active digital footprints can also be stored in many ways depending on the situation. In an online environment, a footprint can be stored by a user being logged into a site when making a post or edit, with the registered name being connected to the edit. In an offline environment a footprint may be stored in files when the owner of the computer uses a keylogger, so logs can show the actions performed on the machine, and who performed them. One of the features of a keylogger is to monitor the clipboard for changes, since users sometimes copy and paste passwords, and to take screenshots.
Tony Fish expounded upon the possible dangers of digital footprints in a 2007 self-published book.[2] The closed loop takes data from the open loop and provides this as a new data input. This new data determines what the user has reacted to, or how they have been influenced. The feedback then builds a digital footprint based on social data, and the controller of the social digital footprint data can determine how and why people purchase and behave.

Web browsing

The digital footprint applicable specifically to the World Wide Web is the internet footprint;[3] also known as cyber shadow or digital shadow, information is left behind as a result of a user's web-browsing and stored as cookies. The term usually applies to an individual person, but can also refer to a business, organization and corporation.[4]
Information may be intentionally or unintentionally left behind by the user; with it being either passively or actively collected by other interested parties. Depending on the amount of information left behind, it may be simple for other parties to gather large amounts of information on that individual using simple search engines. Internet footprints are used by interested parties for several reasons; including cyber-vetting,[5] where interviewers could research applicants based on their online activities. Internet footprints are also used by law enforcement agencies, to provide information that would be unavailable otherwise due to a lack of probable cause.[citation needed]
Social networking systems may record activities of individuals, with data becoming a life stream. Such usage of social media and roaming services allow digital tracing data to include individual interests, social groups, behaviours, and location. Such data can be gathered from sensors within devices, and collected and analyzed without user awareness.[citation needed]

Privacy issues

Digital footprints are not a digital identity or passport, but the content and metadata collected impact internet privacy, trust, security, digital reputation, and recommendation. As the digital world expands and integrates with more aspects of life, ownership and rights of data become important. Digital footprints are controversial in that privacy and openness are in competition.[6] Scott McNealy, CEO of Sun Microsystems, said in 1999 "Get Over It" when referring to privacy on the Internet.[7] This later became a commonly used quote in relation to private data and what companies do with it.[citation needed]
While a digital footprint can be used to infer personal information, such as demographic traits, sexual orientation, race, religious and political views, personality, or intelligence[8] without individuals' knowledge, it also exposes individuals' private psychological sphere to the social sphere.[9] Lifelogging is an example of indiscriminate collection of information concerning an individual's life and behaviour.[10] There are ways to make your digital footprint difficult to track.[11] Illustrative examples of the usage or interpretation of data trails include Facebook-influenced creditworthiness ratings,[12] the judicial investigations around German social scientist Andrej Holm,[13] advertisement junk mail by the American company OfficeMax[14] and the border incident of Canadian citizen Ellen Richardson.[15]

Wednesday, November 19, 2014

This article is from Simplilearn's blog and it's worth reading

HOW TO BECOME A PAID ETHICAL HACKER?

 
  • For as long as the internet has been around, network security has always been an issue. In the last few decades, there has been an explosion of interest in ethical hacking. Whereas traditional hackers exploit networks for malicious reasons, ethical hackers work on the side of the 'good guys' to protect computer systems from dangerous intrusions.

    Basically, ethical hacking is the process of penetrating or intruding in a computer system for the purpose of security testing. Ethical hackers are mostly hired by companies to conduct penetration testing. Such hackers are experts in computer security, as they play a very important part in ensuring a company’s IT system security. If you want to become a paid ethical hacker, you need to be knowledgeable in social engineering techniques. You also need to have the necessary skills to identify the weaknesses and vulnerabilities of IT systems so that necessary measures may be taken to properly secure them.

    Ethical hackers must explore different hacking methods to check if a company’s IT system can be penetrated using different methods. Basically, their job is to mimic the actions of a hacker and exhaust all possible hacking options to prevent illegal hacking. A career in ethical hacking can be very rewarding and profitable, as hackers are usually paid a lot of money. However, before you can become an ethical hacker, you must have the necessary experience, knowledge and skills in networking and programming. You also need to have a good grasp of all available operating systems so that you can properly anticipate different hacking methods. Before you decide to become an ethical hacker you need to know the different types of hackers. This way, you will be able to make an informed decision on what type of ethical hacker you want to be.

    Types of Ethical hackers

    1. Hacktivists

    Hacktivism is the process of hacking into a computer system illegally for political or social reasons. The hackers can leave a large message on the main page of the website or even disrupt the traffic to that website. Some people use this as a form of protest.

    2. Cyberwarrior

    This is another gray area of ethical hacking. Cyberwarriors are computer experts and hackers who participate in cyber-warfare. Basically, these are actions undertaken by a nation or state to infiltrate another country’s networks or computers to cause disruption. Whether or not this type of hacking is ethical is all in the eye of the beholder.

    3. Black Box Penetration testers

    This is a hacker who is hired by a company or an individual to infiltrate a computer network or system. This hacker acts as a malicious hacker, trying to find vulnerabilities in a network that would allow him to attack it. Such a hacker has no prior knowledge of the network he/she is trying to infiltrate. By spotting vulnerabilities, he can advise the individual or company about what is needed to strengthen the website from future hacking.

    4. White box penetration testers

    This type of hacker is hired by an individual or a company to break into a network or system. This hacker is just like the black box hacker since they are both legally breaking into a system in an effort to help the company that hired them. The only difference between the two is that the white box hackers are given complete knowledge of the network they are infiltrating. Basically, the hacker simulates an attack from an insider of the organization.

    5. Licensed penetration tester

    This hacker performs the duties of black and white box penetration testers. Such hackers look for vulnerabilities and weaknesses in networks and systems.

    All the aforementioned ethical hackers must be re-certified every 3 years.

    How to Become a Paid Ethical Hacker?

    1. Evaluate your skills

    Start by evaluating your skills. The best internet security specialists have a natural passion for technology and computers. Such people also have good quantitative skills and are good at problem solving. A prospective student with these interests and aptitudes is a good candidate for an ethical hacking course.

    2. Find a good school

    If you want to become a paid ethical hacker, then a course that is related to cyber security and IT is a prerequisite. You also need to have knowledge of all the software and hardware involved in illegal hacking. All this can be learnt in a good college. Internet security programs are now available worldwide; just look for a good school where you can learn all the necessary skills in ethical hacking.

    3. Learn hacking skills

    Since ethical hacking takes a lot of skills, necessary training and experience are extremely important before you can become a licensed ethical hacker. Ethical hacker courses cover different topics such as hacking laws, hacking wireless networks, viruses and worms and phishing. Students also learn about the techniques hackers use to circumvent firewalls and password protection. The students will need to be exposed to real-life scenarios and threats. This provides them with an opportunity to utilize tools that are used by hackers, in order to understand how to thwart the illegal use of those tools.

    4. Get certification

    Once you gain the right skills and experience, get a license to become a certified ethical hacker.

    Ethical Hacking Certification

    Certified Ethical Hacker
    Students who complete an ethical hacking course are qualified to take a Certified Ethical Hacker exam offered by the EC Council. The EC Council is the provider of certified ethical hacker training. If a person doesn’t want to take a course in ethical hacking but still wants to become a certified ethical worker, he/she must provide proof of eligibility. This may include at least 2 years of verified information security work experience. The candidate must score at least 70% to pass. This test covers topics such as hacking techniques and technology.

    Careers for Certified Ethical Hackers

    Certified ethical hackers can provide their services as consultants. The rates can range between $15,000 and $45,000 per assignment.

    It takes a certain degree of trust before you can be hired as an ethical hacker. This is because, as a hacker, you will be able to enter confidential systems that contain hundreds or thousands of pieces of vital information. Therefore, apart from getting all the necessary skills and certification, make sure you earn this trust.

Read this nice article from Wikipedia about Ethical Hacking

White hat (computer security)



From Wikipedia, the free encyclopedia

The term "white hat" in Internet slang refers to an ethical computer hacker, or a computer security expert, who specializes in penetration testing and in other testing methodologies to ensure the security of an organization's information systems.[1] Ethical hacking is a term coined by IBM meant to imply a broader category than just penetration testing.[2] White-hat hackers may also work in teams called "sneakers",[3] red teams, or tiger teams.[4]


History


One of the first instances of an ethical hack being used was a "security evaluation" conducted by the United States Air Force of the Multics operating systems for "potential use as a two-level (secret/top secret) system." Their evaluation found that while Multics was "significantly better than other conventional systems,"[citation needed] it also had "... vulnerabilities in hardware security, software security and procedural security"[citation needed] that could be uncovered with "a relatively low level of effort."[citation needed] The authors performed their tests under a guideline of realism, so that their results would accurately represent the kinds of access that an intruder could potentially achieve. They performed tests that were simple information-gathering exercises, as well as other tests that were outright attacks upon the system that might damage its integrity. Clearly, their audience wanted to know both results. There are several other now unclassified reports that describe ethical hacking activities within the U.S. military.[4] The idea to bring this tactic of ethical hacking to assess security of systems was formulated by Dan Farmer and Wietse Venema. With the goal of raising the overall level of security on the Internet and intranets, they proceeded to describe how they were able to gather enough information about their targets to have been able to compromise security if they had chosen to do so. They provided several specific examples of how this information could be gathered and exploited to gain control of the target, and how such an attack could be prevented. They gathered up all the tools that they had used during their work, packaged them in a single, easy-to-use application, and gave it away to anyone who chose to download it. Their program, called Security Administrator Tool for Analyzing Networks, or SATAN, was met with a great amount of media attention around the world in 1992.[4]

Tactics


While penetration testing concentrates on attacking software and computer systems from the start – scanning ports, examining known defects and patch installations, for example – ethical hacking, which will likely include such things, is under no limitations when asked for by stakeholders in the company. A full-blown ethical hack might include emailing staff to ask for password details, rummaging through executives' dustbins and usually breaking and entering – all, of course, with NO knowledge and consent of the targets. ONLY the owners, CEOs and board members (stakeholders) who asked for a security review of this magnitude are aware. A complete understanding, and sometimes, if allowed by those stakeholders, a complete non-understanding of the hack attempt is allowed to test penetration points. To try to replicate some of the destructive techniques a real attack might employ, ethical hackers may arrange for cloned test systems, or organize a hack late at night while systems are less critical.[2] In most recent cases these hacks perpetuate for the long-term con (days, if not weeks, of long-term human infiltration into an organization). Some examples include leaving USB/flash key drives with hidden auto-start software in a public area, as if someone lost the small drive and an unsuspecting employee found it and took it.

Some other methods of carrying out these include:


Such methods identify and exploit known vulnerabilities, and attempt to evade security to gain entry into secured areas. They are able to do this by hiding software and system 'back-doors' that could be used as a link to the information or access the non-ethical hacker, also known as 'black-hat' or 'grey-hat', may want to reach.

Welcome Message

Dear G12.3 ATHS students,

This blog will be used to post and comment on information related to our study in Computer Security.

Feel free to post, comment and even ask questions!

Mr. Mohammad Hameed