Wednesday, November 26, 2014

Footprinting...

Digital footprint

From Wikipedia, the free encyclopedia

A digital footprint is the data that is left behind by users on digital services.[1] There are two main classifications for digital footprints: passive and active. A passive digital footprint is created when data is collected without the owner knowing, whereas active digital footprints are created when personal data is released deliberately by a user for the purpose of sharing information about oneself by means of websites or social media.[1]
Passive digital footprints can be stored in many ways depending on the situation. In an online environment, a footprint may be stored in an online database as a "hit". This footprint may track the user's IP address, when it was created, and where they came from, with the footprint later being analyzed. In an offline environment, a footprint may be stored in files, which can be accessed by administrators to view the actions performed on the machine, without being able to see who performed them.
Active digital footprints can also be stored in many ways depending on the situation. In an online environment, a footprint can be stored by a user being logged into a site when making a post or edit, with the registered name being connected to the edit. In an offline environment, a footprint may be stored in files when the owner of the computer uses a keylogger, so logs can show the actions performed on the machine and who performed them. One of the features of a keylogger is to monitor the clipboard for any changes, as the user will sometimes have a habit of copying and pasting passwords, and to take screenshots.
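What such a "hit" records, as an added example that is not part of the quoted article: it assumes the web server writes the Combined Log Format used by Apache and nginx, and the log lines, addresses and user name are constructed. A hit with no logged-in user is the passive case; one carrying the registered name is the active case.

```python
import re
from collections import defaultdict

# Combined Log Format: host ident authuser [time] "request" status bytes "referer" "user-agent"
LINE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample hits (documentation IP ranges, made-up names and paths).
SAMPLE_LOG = """\
203.0.113.7 - - [26/Nov/2014:10:01:12 +0000] "GET /wiki/Footprint HTTP/1.1" 200 5120 "http://search.example/?q=footprint" "Mozilla/5.0"
203.0.113.7 - - [26/Nov/2014:10:03:40 +0000] "GET /wiki/Privacy HTTP/1.1" 200 4096 "http://site.example/wiki/Footprint" "Mozilla/5.0"
198.51.100.9 - alice [26/Nov/2014:10:05:02 +0000] "POST /wiki/Privacy?action=edit HTTP/1.1" 302 0 "http://site.example/wiki/Privacy" "Mozilla/5.0"
this line is malformed and must be skipped
"""

def parse_hit(line):
    """Return the fields one hit records, or None if the line is not a valid hit."""
    m = LINE.match(line)
    if not m:
        return None
    hit = m.groupdict()
    # "-" in the authuser field means no login: the hit is a passive footprint.
    hit["kind"] = "passive" if hit["user"] == "-" else "active"
    return hit

def footprints(log_text):
    """Group hits by client IP to show what accumulates about each visitor."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        hit = parse_hit(line)
        if hit:
            by_ip[hit["ip"]].append(hit)
    return dict(by_ip)

if __name__ == "__main__":
    for ip, hits in footprints(SAMPLE_LOG).items():
        for h in hits:
            who = h["user"] if h["kind"] == "active" else "(unknown user)"
            print(ip, h["time"], h["kind"], who, h["path"], "from", h["referer"] or "-")
```

Reviewing your own server's log this way shows how much is retained per visitor, which is the starting point for deciding what to truncate, anonymize or stop logging.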
Tony Fish expounded upon the possible dangers of digital footprints in a 2007 self-published book.[2] The closed loop takes data from the open loop and provides this as a new data input. This new data determines what the user has reacted to, or how they have been influenced. The feedback then builds a digital footprint based on social data, and the controller of the social digital footprint data can determine how and why people purchase and behave.

Web browsing

The digital footprint applicable specifically to the World Wide Web is the internet footprint;[3] also known as cyber shadow or digital shadow, information is left behind as a result of a user's web-browsing and stored as cookies. The term usually applies to an individual person, but can also refer to a business, organization and corporation.[4]
Information may be intentionally or unintentionally left behind by the user; with it being either passively or actively collected by other interested parties. Depending on the amount of information left behind, it may be simple for other parties to gather large amounts of information on that individual using simple search engines. Internet footprints are used by interested parties for several reasons; including cyber-vetting,[5] where interviewers could research applicants based on their online activities. Internet footprints are also used by law enforcement agencies, to provide information that would be unavailable otherwise due to a lack of probable cause.[citation needed]
Social networking systems may record activities of individuals, with data becoming a life stream. Such usage of social media and roaming services allows digital tracing data to include individual interests, social groups, behaviours, and location. Such data can be gathered from sensors within devices, and collected and analyzed without user awareness.[citation needed]

Privacy issues

Digital footprints are not a digital identity or passport, but the content and metadata collected impact internet privacy, trust, security, digital reputation, and recommendation. As the digital world expands and integrates with more aspects of life, ownership and rights of data become important. Digital footprints are controversial in that privacy and openness are in competition.[6] Scott McNealy, CEO of Sun Microsystems, said in 1999 "Get Over It" when referring to privacy on the Internet.[7] This later became a commonly used quote in relation to private data and what companies do with it.[citation needed]
While a digital footprint can be used to infer personal information, such as demographic traits, sexual orientation, race, religious and political views, personality, or intelligence[8] without individuals' knowledge, it also exposes individuals' private psychological sphere to the social sphere.[9] Lifelogging is an example of indiscriminate collection of information concerning an individual's life and behaviour.[10] There are ways to make your digital footprint difficult to track.[11] Illustrative examples of the usage or interpretation of data trails include Facebook-influenced creditworthiness ratings,[12] the judicial investigations around German social scientist Andrej Holm,[13] advertisement junk mail by the American company OfficeMax[14] and the border incident of Canadian citizen Ellen Richardson.[15]

Wednesday, November 19, 2014

This article is from Simplilearn's blog and it's worth reading

HOW TO BECOME A PAID ETHICAL HACKER?

 
    For as long as the internet has been around, network security has always been an issue. In the last few decades, there has been an explosion of interest in ethical hacking. Whereas traditional hackers exploit networks for malicious reasons, ethical hackers work on the side of the 'good guys' to protect computer systems from dangerous intrusions.

    Basically, ethical hacking is the process of penetrating or intruding in a computer system for the purpose of security testing. Ethical hackers are mostly hired by companies to conduct penetration testing. Such hackers are experts in computer security, as they play a very important part in ensuring a company’s IT system security. If you want to become a paid ethical hacker, you need to be knowledgeable in social engineering techniques. You also need to have the necessary skills to identify the weaknesses and vulnerabilities of IT systems so that necessary measures may be taken to properly secure them.

    Ethical hackers must explore different hacking methods to check if a company’s IT system can be penetrated using different methods. Basically, their job is to mimic the actions of a hacker and exhaust all possible hacking options to prevent illegal hacking. A career in ethical hacking can be very rewarding and profitable, as hackers are usually paid a lot of money. However, before you can become an ethical hacker, you must have the necessary experience, knowledge and skills in networking and programming. You also need to have a good grasp of all available operating systems so that you can properly anticipate different hacking methods. Before you decide to become an ethical hacker you need to know the different types of hackers. This way, you will be able to make an informed decision on what type of ethical hacker you want to be.

    Types of Ethical hackers

    1. Hacktivists

    Hacktivism is the process of hacking into a computer system illegally for political or social reasons. The hackers can leave a large message on the main page of the website or even disrupt the traffic to that website. Some people use this as a form of protest.

    2. Cyberwarrior

    This is another gray area of ethical hacking. Cyberwarriors are computer experts and hackers who participate in cyber-warfare. Basically, these are actions undertaken by a nation or state to infiltrate another country’s networks or computers to cause disruption. Whether or not this type of hacking is ethical is all in the eye of the beholder.

    3. Black Box Penetration testers

    This is a hacker who is hired by a company or an individual to infiltrate a computer network or system. This hacker acts as a malicious hacker, trying to find vulnerabilities in a network that would allow him to attack it. Such a hacker has no prior knowledge of the network he/she is trying to infiltrate. By spotting vulnerabilities, he can advise the individual or company about what is needed to strengthen the website from future hacking.

    4. White box penetration testers

    This type of hacker is hired by an individual or a company to break into a network or system. This hacker is just like the black box hacker since they are both legally breaking into a system in an effort to help the company that hired them. The only difference between the two is that the white box hackers are given complete knowledge of the network they are infiltrating. Basically, the hacker simulates an attack from an insider of the organization.

    5. Licensed penetration tester

    This hacker performs the duties of black and white box penetration testers. Such hackers look for vulnerabilities and weaknesses in networks and systems.

    All the aforementioned ethical hackers must be re-certified every 3 years.

    How to Become a Paid Ethical Hacker?

    1. Evaluate your skills

    Start by evaluating your skills. The best internet security specialists have a natural passion for technology and computers. Such people also have good quantitative skills and are good at problem solving. A prospective student with these interests and aptitudes is a good candidate for an ethical hacking course.

    2. Find a good school

    If you want to become a paid ethical hacker, then a course that is related to cyber security and IT is a prerequisite. You also need to have knowledge of all the software and hardware involved in illegal hacking. All this can be learnt in a good college. Internet security programs are now worldwide; just look for a good school where you can learn all the necessary skills in ethical hacking.

    3. Learn hacking skills

    Since ethical hacking takes a lot of skills, necessary training and experience are extremely important before you can become a licensed ethical hacker. Ethical hacker courses cover different topics such as hacking laws, hacking wireless networks, viruses and worms and phishing. Students also learn about the techniques hackers use to circumvent firewalls and password protection. The students will need to be exposed to real-life scenarios and threats. This provides them with an opportunity to utilize tools that are used by hackers, in order to understand how to thwart the illegal use of those tools.

    4. Get certification

    Once you gain the right skills and experience, get a license to become a certified ethical hacker.

    Ethical Hacking Certification

    Certified Ethical Hacker
    Students who complete an ethical hacking course are qualified to take a Certified Ethical Hacker exam offered by the EC Council. The EC Council is the provider of certified ethical hacker training. If a person doesn’t want to take a course in ethical hacking but still wants to become a certified ethical worker, he/she must provide proof of eligibility. This may include at least 2 years of verified information security work experience. The candidate must score at least 70% to pass. This test covers topics such as hacking techniques and technology.

    Careers for Certified Ethical Hackers

    Certified ethical hackers can provide their services as consultants. The rates can range between $15,000 and $45,000 per assignment.

    It takes a certain degree of trust before you can be hired as an ethical hacker. This is because as a hacker, you will be able to enter confidential systems that contain hundreds or thousands of pieces of vital information. Therefore, apart from getting all the necessary skills and certification, make sure you earn this trust.

Read this nice article from Wikipedia about Ethical Hacking

White hat (computer security)



From Wikipedia, the free encyclopedia

The term "white hat" in Internet slang refers to an ethical computer hacker, or a computer security expert, who specializes in penetration testing and in other testing methodologies to ensure the security of an organization's information systems.[1] Ethical hacking is a term coined by IBM meant to imply a broader category than just penetration testing.[2] White-hat hackers may also work in teams called "sneakers",[3] red teams, or tiger teams.[4]


History


One of the first instances of an ethical hack being used was a "security evaluation" conducted by the United States Air Force of the Multics operating systems for "potential use as a two-level (secret/top secret) system." Their evaluation found that while Multics was "significantly better than other conventional systems,"[citation needed] it also had "... vulnerabilities in hardware security, software security and procedural security"[citation needed] that could be uncovered with "a relatively low level of effort."[citation needed] The authors performed their tests under a guideline of realism, so that their results would accurately represent the kinds of access that an intruder could potentially achieve. They performed tests that were simple information-gathering exercises, as well as other tests that were outright attacks upon the system that might damage its integrity. Clearly, their audience wanted to know both results. There are several other now unclassified reports that describe ethical hacking activities within the U.S. military.[4] The idea to bring this tactic of ethical hacking to assess security of systems was formulated by Dan Farmer and Wietse Venema. With the goal of raising the overall level of security on the Internet and intranets, they proceeded to describe how they were able to gather enough information about their targets to have been able to compromise security if they had chosen to do so. They provided several specific examples of how this information could be gathered and exploited to gain control of the target, and how such an attack could be prevented. They gathered up all the tools that they had used during their work, packaged them in a single, easy-to-use application, and gave it away to anyone who chose to download it. Their program, called Security Administrator Tool for Analyzing Networks, or SATAN, was met with a great amount of media attention around the world in 1992.[4]

Tactics


While penetration testing concentrates on attacking software and computer systems from the start – scanning ports, examining known defects and patch installations, for example – ethical hacking, which will likely include such things, is under no limitations when asked for by stakeholders in the company. A full-blown ethical hack might include emailing staff to ask for password details, rummaging through executives' dustbins and usually breaking and entering – all, of course, with NO knowledge and consent of the targets. ONLY the owners, CEOs and board members (stakeholders) who asked for a security review of this magnitude are aware. A complete understanding, and sometimes if allowed by those stakeholders, a complete non-understanding of the hack attempt is allowed to test penetration points. To try to replicate some of the destructive techniques a real attack might employ, ethical hackers may arrange for cloned test systems, or organize a hack late at night while systems are less critical.[2] In most recent cases these hacks perpetuate for the long-term con (days, if not weeks, of long-term human infiltration into an organization). Some examples include leaving USB/flash key drives with hidden auto-start software in a public area, as if someone lost the small drive and an unsuspecting employee found it and took it.

Some other methods of carrying out these include:


Such methods identify and exploit known vulnerabilities, and attempt to evade security to gain entry into secured areas. They are able to do this by hiding software and system 'back-doors' that could be used as a link to the information or access the non-ethical hacker, also known as 'black-hat' or 'grey-hat', may want to reach.

Welcome Message

Dear G12.3 ATHS students,

This blog will be used to post and comment on information related to our study in Computer Security.

Feel free to post, comment and even ask questions!

Mr. Mohammad Hameed