
Thursday, 27 February 2014

WHITE & BLACK


WHITE HATS Vs BLACK HATS

The white hat is also one of Edward de Bono's Six Thinking Hats.

A white hat hacker, also rendered as ethical hacker, is, in the realm of information technology, a person who is ethically opposed to the abuse of computer systems. The term is derived from American western movies, where the good cowboy typically wore a white cowboy hat and the bad cowboy wore a black one. Realizing that the Internet now represents human voices from all around the world makes the defense of its integrity an important pastime for many. A white hat generally focuses on securing IT systems, whereas a black hat (the opposite) would like to break into them, but this is a simplification. A black hat will wish to secure his own machine, and a white hat might need to break into a black hat's machine in the course of an investigation. What exactly differentiates white hats and black hats is open to interpretation, but white hats tend to cite altruistic motivations.

The term white hat hacker is also often used to describe those who attempt to break into systems or networks in order to help the owners of the system by making them aware of security flaws, or to perform some other altruistic activity. Many such people are employed by computer security companies; these professionals are sometimes called sneakers. Groups of these people are often called tiger teams.

The primary difference between white and black hat hackers is that a white hat hacker claims to observe the hacker ethic. Like black hats, white hats are often intimately familiar with the internal details of security systems, and can delve into obscure machine code when needed to find a solution to a tricky problem.

 An example of a hack: Microsoft Windows ships with the ability to use cryptographic libraries built into the operating system. When shipped overseas this feature becomes nearly useless as the operating system will refuse to load cryptographic libraries that haven't been signed by Microsoft, and Microsoft will not sign a library unless the U.S. government authorizes it for export. This allows the U.S. government to maintain some perceived level of control over the use of strong cryptography beyond its borders.

 

While hunting through the symbol table of a beta release of Windows, a couple of overseas hackers managed to find a second signing key in the Microsoft binaries. That is, without disabling the libraries that are included with Windows (even overseas), these individuals learned of a way to trick the operating system into loading a library that hadn't been signed by Microsoft, thus enabling the functionality which had been lost to non-U.S. users.

 
Whether this is good or bad may depend on whether you respect the letter of the law, but it is considered by some in the computing community to be a white hat type of activity. Some use the term grey hat or (very rarely) brown hat to describe someone on the borderline between black and white.

 In recent years the terms Whitehat and Blackhat have been applied to the Search Engine Optimization (SEO) industry. Black hat SEO tactics, also called spamdexing, attempt to redirect search results to particular target pages, whereas white hat methods are generally approved by the search engines.

SECURITY TESTING


Once answers to these three questions have been determined, a security evaluation plan is drawn up that identifies the systems to be tested, how they should be tested, and any limitations on that testing. Commonly referred to as a "get out of jail free card," this is the contractual agreement between the client and the ethical hackers, who typically write it together. This agreement also protects the ethical hackers against prosecution, since much of what they do during the course of an evaluation would be illegal in most countries. The agreement provides a precise description, usually in the form of network addresses or modem telephone numbers, of the systems to be evaluated. Precision on this point is of the utmost importance, since a minor mistake could lead to the evaluation of the wrong system at the client's installation or, in the worst case, the evaluation of some other organization's system.

Once the target systems are identified, the agreement must describe how they should be tested. The best evaluation is done under a "no-holds-barred" approach. This means that the ethical hacker can try anything he or she can think of to attempt to gain access to or disrupt the target system. While this is the most realistic and useful, some clients balk at this level of testing. Clients have several reasons for this, the most common of which is that the target systems are "in production" and interference with their operation could be damaging to the organization's interests. However, it should be pointed out to such clients that these very reasons are precisely why a "no-holds-barred" approach should be employed. An intruder will not be playing by the client's rules. If the systems are that important to the organization's well-being, they should be tested as thoroughly as possible. In either case, the client should be made fully aware of the risks inherent to ethical hacker evaluations. These risks include alarmed staff and unintentional system crashes, degraded network or system performance, denial of service, and log-file size explosions.

Some clients insist that as soon as the ethical hackers gain access to their network or to one of their systems, the evaluation should halt and the client be notified. This sort of ruling should be discouraged, because it prevents the client from learning all that the ethical hackers might discover about their systems. It can also lead to the client's having a false sense of security by thinking that the first security hole found is the only one present. The evaluation should be allowed to proceed, since where there is one exposure there are probably others. The timing of the evaluations may also be important to the client. The client may wish to avoid affecting systems and networks during regular working hours. While this restriction is not recommended, it reduces the accuracy of the evaluation only somewhat, since most intruders do their work outside of the local regular working hours. However, attacks done during regular working hours may be more easily hidden. Alerts from intrusion detection systems may even be disabled or less carefully monitored during the day. Whatever timing is agreed to, the client should provide contacts within the organization who can respond to calls from the ethical hackers if a system or network appears to have been adversely affected by the evaluation or if an extremely dangerous vulnerability is found that should be immediately corrected.
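The agreement's address list and agreed timing can be enforced mechanically before any test traffic is sent. The following is an added example, not part of the original text: the agreement structure, the function names and the sample addresses (taken from documentation ranges) are all assumptions made for illustration.

```python
import ipaddress
from datetime import datetime, time

# Constructed sample agreement. Addresses come from the RFC 5737
# documentation ranges; a real engagement would load the signed scope.
AGREEMENT = {
    "in_scope": ["192.0.2.0/25", "198.51.100.17/32"],
    "excluded": ["192.0.2.10/32"],        # host the client withheld from testing
    "window": (time(22, 0), time(5, 0)),  # agreed local hours, wraps past midnight
}


def parse_networks(entries):
    """Parse scope entries strictly.

    strict=True rejects a CIDR with host bits set (for example
    192.0.2.1/24), so a typo in the agreement raises ValueError
    instead of silently shifting or widening the range.
    """
    return [ipaddress.ip_network(entry, strict=True) for entry in entries]


def in_window(now, window):
    """True if 'now' falls inside the agreed window, including windows
    that cross midnight (start later than end)."""
    start, end = window
    current = now.time()
    if start <= end:
        return start <= current < end
    return current >= start or current < end


def check_target(target, now, agreement=AGREEMENT):
    """Return (allowed, reason) for one candidate target."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        # Hostnames can resolve to systems owned by someone else.
        return False, "not a literal IP address; confirm with the client"
    if any(addr in net for net in parse_networks(agreement["excluded"])):
        return False, "explicitly excluded by the agreement"
    if not any(addr in net for net in parse_networks(agreement["in_scope"])):
        return False, "outside the agreed address ranges"
    if not in_window(now, agreement["window"]):
        return False, "outside the agreed testing window"
    return True, "in scope"


if __name__ == "__main__":
    night = datetime(2014, 2, 27, 23, 30)
    for candidate in ["192.0.2.5", "192.0.2.10", "192.0.2.200", "www.example.com"]:
        print(candidate, check_target(candidate, night))
```

Exclusions are checked before inclusions so that a withheld host inside an authorized range is always refused.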

It is common for potential clients to delay the evaluation of their systems until only a few weeks or days before the systems need to go on-line. Such last-minute evaluations are of little use, since implementations of corrections for discovered security problems might take more time than is available and may introduce new system problems.

In order for the client to receive a valid evaluation, the client must be cautioned to limit prior knowledge of the test as much as possible. Otherwise, the ethical hackers might encounter the electronic equivalent of the client's employees running ahead of them, locking doors and windows. By limiting the number of people at the target organization who know of the impending evaluation, the likelihood that the evaluation will reflect the organization's actual security posture is increased. A related issue that the client must be prepared to address is the relationship of the ethical hackers to the target organization's employees. Employees may view this "surprise inspection" as a threat to their jobs, so the organization's management team must be prepared to take steps to reassure them.

PENETRATION TESTING


Penetration testing by ethical hackers is among the most thorough methods for finding vulnerabilities and increasing protection for a dynamic network of computers. Correctly performed, a penetration test is a covert test in which a paid consultant or ethical hacker plays the role of a hostile attacker who tries to compromise system security. Since the ultimate goal is penetration, the ethical hacking is ideally performed without warning systems administrators, but upper management must approve the testing.

Incorrectly performed, penetration testing also has a potential for creating damage. While other types of testing are usually performed cooperatively with an organization's staff, damage caused by penetration testing may go unnoticed for some time.

 

Crackers routinely scan networks of computers for security flaws that can be exploited (exploits) and then post this sensitive information on the Internet for others to take advantage of. This is one reason why ethical hackers regularly browse known cracker websites and mailing lists to monitor cracker activity. Finding security flaws before crackers do lowers the risk exposure of an organization:
  
·      Even a single incident could cost significantly, in both financial and reputation damage.

·      It reduces vulnerabilities and points of intrusion.

·      A tight system reduces the probability of attack: the attackers will go to easier and more attractive targets.

·      An on-going program lowers insurance rates.

Penetration testing using ethical hacking provides both assurance and insurance: assurance that the given environment will resist attack and insurance that the organization is acting in a prudent manner. Because penetration testing invariably ends up discovering security holes on client networks/computers, most clients do not want to talk on record about the results of such tests. However, numerous generic examples exist where penetration testing has saved businesses embarrassment and loss of reputation:

·      Online services organization always tested prior to new releases.

·      Financial institutions saved embarrassment prior to release of a new online brokerage offering.

·      Another financial institution has a policy of testing before any internet application goes live.

Ethical Hacking services work on the principle of Challenge/Response. The ethical hacking service uses every possible, probable and plausible attack on the security system to expose often hidden vulnerabilities. These can then be comprehensively addressed with GTL Security Solutions. The steps that are included in the Penetration service include: auditing web applications, code and design reviews, vulnerability exploitation (simulation of known attacks), host based, and network based. Our four-step implementation methodology includes:

 

 

·      Information Gathering

·      Detect services running on the system

·      Estimate network topology

·      Determine entry points into the system

·      Developing the attack process

 

Penetration testing is an accepted technique. The National Institute for Standards and Technology (NIST) has recently released a document describing a methodology for using network-based tools for testing. Although ethical hacking is an effective measurement tool and a crucial component of any security program, it should only be part of a larger security program. A comprehensive security program incorporating ethical hacking can be used to discover and correct frequent errors early in the design, implementation, and test process which shortens development time and cost. Ethical hackers provide feedback to system designers and discover problems that may otherwise go undetected. The problem is that crackers can do their own penetration testing and do it more frequently. The best a penetration test can do is to provide a snapshot in time. Periodic testing is necessary to ensure compliance against a baseline. Tools are evolving to do continuous monitoring of security configurations.

Penetration testing is recommended as a recurring activity so that the system is constantly monitored and field-tested against threats. This is especially useful for companies that add new applications to their system. Because all applications are expected to work seamlessly, a vulnerability in one application can expose the system to malicious attacks.

 

The various benefits to clients are:

 

·      Increased preparedness

·      Robust security infrastructure that is regularly field-tested.

·      Enhanced security against new threat perceptions.

·      Continual uptime of your IT system without any unwanted outages.

·      Enhanced ROI as the serviceability of the IT infrastructure is lengthened.

The principles of the Hacker Ethic were:


Access to computers and anything which might teach you something about the way the world works should be unlimited and total. Always yield to the Hands-on Imperative!

All information should be free.

Hackers should be judged by their hacking, not bogus criteria such as degrees, age, race, or position.

You can create art and beauty on a computer.

Computers can change your life for the better.

One rule that IBM's ethical hacking effort had from the very beginning was that we would not hire ex-hackers. While some will argue that only a "real hacker" would have the skill to actually do the work, we feel that the requirement for absolute trust eliminated such candidates. We likened the decision to that of hiring a fire marshal for a school district: while a gifted ex-arsonist might indeed know everything about setting and putting out fires, would the parents of the students really feel comfortable with such a choice? This decision was further justified when the service was initially offered: the customers themselves asked that such a restriction be observed. Since IBM's ethical hacking group was formed, there have been numerous ex-hackers who have become security consultants and spokespersons for the news media. While they may very well have turned away from the "dark side," there will always be a doubt.

 

The goal of the ethical hacker is to help the organization take preemptive measures against malicious attacks by attacking the system himself; all the while staying within legal limits. This philosophy stems from the proven practice of trying to catch a thief, by thinking like a thief. The Ethical Hacker is an individual who is usually employed with the organization and who can be trusted to undertake an attempt to penetrate networks and/or computer systems using the same methods as a Hacker. The most important point is that an Ethical Hacker has authorization to probe the target. The CEH Program certifies individuals in the specific network security discipline of Ethical Hacking from a vendor-neutral perspective. The Certified Ethical Hacker certification will fortify the application knowledge of security officers, auditors, security professionals, site administrators, and anyone who is concerned about the integrity of the network infrastructure. A Certified Ethical Hacker is a skilled professional who understands and knows how to look for the weaknesses and vulnerabilities in target systems and uses the same knowledge and tools as a malicious hacker.

Who is a Hacker

Hacker: Intruder and criminal
The most common usage of "hacker" in the popular press is to describe those who subvert computer security without authorization or indeed, anyone who has been accused of using technology (usually a computer or the Internet) for terrorism, vandalism, credit card fraud, identity theft, intellectual property theft, and many other forms of crime. This can mean taking control of a remote computer through a network, or software cracking. This is the pejorative sense of hacker, also called cracker or black-hat hacker or simply "criminal" in order to preserve unambiguity.

Hacker: Brilliant programmer

The positive usage of hacker (the "proper" usage). One who knows a (sometimes specified) set of programming interfaces well enough to write software rapidly and expertly. This type of hacker is well-respected, although the term still carries some of the meaning of hack, developing programs without adequate planning. At their best, hackers can be very productive. The downside of hacker productivity is often in maintainability, documentation, and completion. Very talented hackers may become bored with a project once they have figured out all of the hard parts, and be unwilling to finish off the "details". This attitude can cause friction in environments where other programmers are expected to pick up the half-finished work, decipher the structures and ideas, and bullet-proof the code. In other cases, where a hacker is willing to maintain their own code, a company may be unable to find anyone else who is capable or willing to dig through code to maintain the program if the original programmer moves on to a new job.

Hacker: Security expert

There is a third meaning which is a kind of fusion of the positive and pejorative senses of hacker. The term white hat hacker is often used to describe those who attempt to break into systems or networks in order to help the owners of the system by making them aware of security flaws, or to perform some other altruistic activity. Many such people are employed by computer security companies.

Hacker: Computer Modifier

Another type of hacker is one who hacks, or often changes, the hardware in his/her computer. These changes often include adding memory, storage or LEDs and cathode ray tubes for light effects. These people often show off their talents in contests, and many enjoy LAN parties.

Initially these computer intrusions were fairly benign, with the most damage being the theft of computer time. Other times, these recreations would take the form of practical jokes. However, these intrusions did not stay benign for long. Occasionally the less talented, or less careful, intruders would accidentally bring down a system or damage its files, and the system administrators would have to restart it or make repairs. Other times, when these intruders were again denied access once their activities were discovered, they would react with purposefully destructive actions. When the number of these destructive computer intrusions became noticeable, due to the visibility of the system or the extent of the damage inflicted, it became "news" and the news media picked up on the story. Instead of using the more accurate term of "computer criminal," the media began using the term "hacker" to describe individuals who break into computers for fun, revenge, or profit. Since calling someone a "hacker" was originally meant as a compliment, computer security professionals prefer to use the term "cracker" or "intruder" for those hackers who turn to the dark side of hacking. For clarity, we will use the explicit terms "ethical hacker" and "criminal hacker" for the rest of this paper.
 
 

FUNCTIONS OF ETHICAL HACKERS

An ethical hacker's evaluation of a system's security seeks answers to three basic questions:

·      What can an intruder see on the target systems?

·      What can an intruder do with that information?

·      Does anyone at the target notice the intruder's attempts or successes?

 

While the first and second of these are clearly important, the third is even more important: If the owners or operators of the target systems do not notice when someone is trying to break in, the intruders can, and will, spend weeks or months trying and will usually eventually succeed.

When the client requests an evaluation, there is quite a bit of discussion and paperwork that must be done up front. The discussion begins with the client's answers to questions similar to those posed by Garfinkel and Spafford:

·      What are you trying to protect?

·      What are you trying to protect against?

·      How much time, effort, and money are you willing to expend to obtain adequate protection?

 

A surprising number of clients have difficulty precisely answering the first question: a medical center might say "our patient information," an engineering firm might answer "our new product designs," and a Web retailer might answer "our customer database."

All of these answers fall short, since they only describe targets in a general way. The client usually has to be guided to succinctly describe all of the critical information assets for which loss could adversely affect the organization or its clients. These assets should also include secondary information sources, such as employee names and addresses (which are privacy and safety risks), computer and network information (which could provide assistance to an intruder), and other organizations with which this organization collaborates (which provide alternate paths into the target systems through a possibly less secure partner's system).

A complete answer to (2) specifies more than just the loss of the things listed in answer to (1). There are also the issues of system availability, wherein a denial-of-service attack could cost the client actual revenue and customer loss because systems were unavailable. The world became quite familiar with denial-of-service attacks in February of 2000 when attacks were launched against eBay, Yahoo, ETRADE, CNN and other popular Web sites. During the attacks, customers were unable to reach these Web sites, resulting in loss of revenue and "mind share." The answers to (1) should contain more than just a list of information assets on the organization's computer. The level of damage to an organization's good image resulting from a successful criminal hack can range from merely embarrassing to a serious threat to revenue. As an example of a hack affecting an organization's image, on January 17, 2000, a U.S. Library of Congress Web site was attacked. The original initial screen is shown in Figure 1, whereas the hacked screen is shown in Figure 2. As is often done, the criminal hacker left his or her nickname, or handle, near the top of the page in order to guarantee credit for the break-in.

 

Some clients are under the mistaken impression that their Web site would not be a target. They cite numerous reasons, such as "it has nothing interesting on it" or "hackers have never heard of my company." What these clients do not realize is that every Web site is a target. The goal of many criminal hackers is simple: Do something spectacular and then make sure that all of your pals know that you did it. Another rebuttal is that many hackers simply do not care who your company or organization is; they hack your Web site because they can.

Answers to the third question are complicated by the fact that computer and network security costs come in three forms. First, there are the real monetary costs incurred when obtaining security consulting, hiring personnel, and deploying hardware and software to support security needs. Second, there is the cost of usability: the more secure a system is, the more difficult it can be to make it easy to use. The difficulty can take the form of obscure password selection rules, strict system configuration rules, and limited remote access. Third, there is the cost of computer and network performance. The more time a computer or network spends on security needs, such as strong cryptography and detailed system activity logging, the less time it has to work on user problems. Because of Moore's Law, this may be less of an issue for mainframe, desktop, and laptop machines. Yet, it still remains a concern for mobile computing.

 

Definition for Ethical Hacking


Ethical Hacking
 

 
"The definition of an Ethical Hacker is very similar to a Penetration Tester. The Ethical Hacker is an individual who is usually employed with the organisation and who can be trusted to undertake an attempt to penetrate networks and/or computer systems using the same methods and techniques as a Hacker."  

C E H (Certified Ethical Hacker)

The Certified Ethical Hacker is a professional certification, provided by the International Council of E-Commerce Consultants (EC-Council).

An ethical hacker is usually employed by an organization who trusts him or her to attempt to penetrate networks and/or computer systems, using the same methods as a hacker, for the purpose of finding and fixing computer security vulnerabilities. Unauthorized hacking (i.e., gaining access to computer systems without prior authorization from the owner) is a crime in most countries, but penetration testing done by request of the owner of the victim system(s) or network(s) is not.

A Certified Ethical Hacker has obtained a certification in how to look for the weaknesses and vulnerabilities in target systems and uses the same knowledge and tools as a hacker.

The code for the CEH exam is 312-50. The certification is in Version 8 as of late 2013.

The EC-Council offers another certification, known as Certified Network Defense Architect (C|NDA). This certification is designed for United States Government Agencies, and is available only to members of selected agencies. Other than the name, the content of the course is exactly the same. The exam code for C|NDA is 312-99.

"We don't just have great instructors, our instructors have years of industry experience and are recognized as experts. EC-Council Master instructors have real life Network Security and Ethical Hacking experience. The bottom line with this program is that we hope the work starts when the class is over. So I think it is important to teach students how to use the material more so than expecting them to memorize all of it in a short time."

Steve De Fino
EC-Council Master Instructor

Wednesday, 26 February 2014

CATEGORIES OF HACKERS


There are a number of categories of hackers, such as Black Hats, who are highly skilled but have malevolent and detrimental intent. White Hats, in contrast, are hackers who use their talent to protect and defend networks. Gray Hats hack for different reasons, either ethically or unethically, depending on the situation and circumstances at hand.

 
There are four basic kinds of hacks:

·         IP Hack: You hire someone to hack a specific IP address, giving them little or no information beforehand (Be careful if the IP address is an overseas server. You don't want hackers hacking the wrong IP address, like a foreign government's computers, causing an international incident);

·         Application Hack: A much more sophisticated hack that can delve deep into databases and down production servers. Only experienced hackers, with strict guidelines governing their actions, should be allowed to perform such tests. Never hire a "reformed" black-hat hacker for this type of test;

·         Physical Infrastructure Hack: This is where people try to get into your facilities to access your systems or go dumpster diving looking for confidential information such as passwords discarded on sticky notes;

·         Wireless Hack: War-driving is the new term to describe this type of attack where wireless access points are exploited from the back of a van. Ethical hackers do the same thing, but report their findings back to you instead of stealing your passwords. Have them check out your teleworkers as well to see if home offices are a source of entry to your network.

The hacker community (the set of people who would describe themselves as hackers, or who would be described by others as hackers) falls into at least three partially overlapping categories.