Hacking

-Ajay Babu .D
y5cs022.
Contents
 Who is a hacker?
 History of hacking
 Types of hacking
 Do You Know?
 What do hackers do?
- Some examples of web application hacking.
 How can we protect the system?
 What should we do after being hacked?
Who is a hacker?
 Hack
 Examine something very minutely
 Hacker
 The person who hacks
 Cracker
 System intruder/destroyer
History of hacking
 Telephone hacking
 Make telephone calls for free
 It's called phreaking
 Computer virus
 Destroy many computers
 Network hacking
 Hack an important server remotely and destroy/modify/disclose the information
Types of hacking
 Normal data transfer
 Interruption
 Interception
 Modification
 Fabrication
Do you know?

75% of attacks today happen at the application layer (Gartner). Desktop
security was augmented by network security and then by web application security.

Many "easy hacking recipes" are published on the web.

3 out of 4 vendor apps that were tested had serious SQL injection bugs!

"The cost of correcting code in production increases up to 100
times as compared to in development..."
What do Hackers do?
 A few examples of web application hacks
 SQL Injection
 Cross-site Scripting (# 1 threat today!)
SQL Injection Attacks
"SQL injection is a security vulnerability that
occurs in the database layer of an application. Its
source is the incorrect escaping of dynamically generated string literals embedded in SQL
statements." (Wikipedia)
[Diagram: Hacker uses SQL script injection against the Web App to access data]
SQL Injection Attacks
 Example of attack:
 SQL query in web application code:

"SELECT * FROM users WHERE login = '" + username + "' and password= '" + password + "';"

 Hacker logs in as: ' or '' = ''; --
SELECT * FROM users WHERE login = '' or '' = ''; --' and password='';
 Hacker deletes the users table with: ' or '' = ''; DROP TABLE users; --
SELECT * FROM users WHERE login = '' or '' = ''; DROP TABLE users; --' and password='';
 SQL Injection examples are outlined in:
 http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf
 http://www.unixwiz.net/techtips/sql-injection.html
SQL Injection Attacks Demo
Cross-Site Scripting (XSS) Attacks
XSS: Script Injection Demo
Preventing SQL injection and XSS
 SCRUB error handling
 Error messages divulge information that can be used by a hacker…
 VALIDATE all user-entered parameters
 CHECK data types and lengths
 DISALLOW unwanted data (e.g. HTML tags, JavaScript)
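The login query from the SQL injection slide and the VALIDATE/CHECK advice above, worked through in Python against an in-memory SQLite table. This is an added example, not code from the presentation; the users table, the credentials in it and the validation pattern are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample data: two accounts in a throwaway in-memory database.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# Constructed validation rule: a login name is 1-32 letters, digits or underscores.
LOGIN_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_unsafe_query(username, password):
    # The vulnerable pattern from the slide: user input concatenated into SQL text.
    return ("SELECT * FROM users WHERE login = '" + username
            + "' and password= '" + password + "';")


def unsafe_login(conn, username, password):
    # Runs the concatenated query and returns every row the database matched.
    return conn.execute(build_unsafe_query(username, password)).fetchall()


def safe_login(conn, username, password):
    # Parameterized query: the driver passes the input as data, never as SQL.
    return conn.execute(
        "SELECT * FROM users WHERE login = ? AND password = ?",
        (username, password),
    ).fetchall()


def validate_login(username):
    # CHECK type/length and DISALLOW unwanted characters before touching the DB.
    return isinstance(username, str) and LOGIN_RE.fullmatch(username) is not None


if __name__ == "__main__":
    conn = make_db()
    payload = "' or '' = ''; --"          # the login string shown on the slide
    print(build_unsafe_query(payload, ""))  # the query the hacker actually runs
    print(unsafe_login(conn, payload, ""))  # both rows: login check bypassed
    print(safe_login(conn, payload, ""))    # []: payload treated as a literal name
    print(validate_login(payload))          # False: rejected before any query
```

The DROP TABLE variant from the slide is refused by Python's sqlite3 driver, which only executes one statement per call; other database drivers do not give that protection, so the parameterized query and input validation remain the real fix.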
How can we protect the system?
 Encrypt important data
 Ex) .pgp, .ssh
 Do not run unused services
 Remove unused programs
 Set up a firewall
 Ex) ipchains
 Check for unintentional changes
 Back up the system often
What should we do after being hacked?
 Shut down the system
 Or turn off the system
 Separate the system from the network
 Restore the system from the backup
 Or reinstall all programs
 It can be good to report it to the police
Thank you
-Ajay Babu .D
Y5cs022.