
Ethical Hacking: BY Name: B Kameswara Rao PHNO:9640319768

An Ethical Hacker possesses the skills, mindset, and tools of a hacker but is also trustworthy. This paper gives a brief introduction to ethical hacking: ethical hackers' skills, their expertise, their attitudes, and how to protect ourselves. The intent of Ethical Hacking is to discover vulnerabilities from a hacker's viewpoint so systems can be better secured.

Uploaded by

Chandrabhan Ojha
Copyright
© Attribution Non-Commercial (BY-NC)

ETHICAL HACKING

BY

NAME: B KAMESWARA RAO


E-id:bagadi.kameswararao@gmail.com
PHNO:9640319768
ABSTRACT:
You need protection from hacker shenanigans. An Ethical Hacker possesses the skills, mindset, and tools of a hacker but is also trustworthy. Ethical Hackers perform the hacks as security tests for their systems. Ethical Hacking, also known as penetration testing or white-hat hacking, involves the same tools, tricks, and techniques that hackers use, but with one major difference: Ethical Hacking is legal. Ethical Hacking is performed with the target's permission. The intent of Ethical Hacking is to discover vulnerabilities from a hacker's viewpoint so systems can be better secured. It's part of an overall information risk management program that allows for ongoing security improvements. Ethical Hacking can also ensure that vendors' claims about the security of their products are legitimate.

This paper gives a brief introduction to ethical hacking: ethical hackers' skills, their expertise, their attitudes, and how to protect ourselves.

Introduction:

The term “hacker” has a dual usage in the computer industry today. Originally, the term was defined as:

HACKER:
1. A person who enjoys learning the details of computer systems and how to stretch their capabilities—as opposed to most users of computers, who prefer to learn only the minimum amount necessary.
2. One who programs enthusiastically or who enjoys programming rather than just theorizing about programming.

There are those, however, who challenge the idea that information should be secure (in most instances), or who argue that networks that are insecure ought to be attacked, in some sense, in the interest of some greater good. Although the term 'ethical hackers' means different things to different people, one might apply it to this group. We have many different hackers like True hackers, Hardware hackers, game hackers and so on.

Initially these computer intrusions were fairly benign, with the most damage being the theft of computer time. Other times, these recreations would take the form of practical jokes. However, these intrusions did not stay benign for long. Occasionally the less talented, or less careful, intruders would accidentally bring down a system or damage its files, and the system administrators would have to restart it or make repairs. Instead of using the more accurate term of “computer criminal,” the media began using the term “hacker”. Since calling someone a “hacker” was originally meant as a compliment, computer security professionals prefer to use the term “cracker” or “intruder” for those hackers who turn to the dark side of hacking. For clarity, we will use the explicit terms “ethical hacker” and “criminal hacker” for the rest of this paper.

Levy's Principles: First and foremost to “Levy's principles is the concept of the hacker ethic and the popularization of them to popular culture”. In the words of Levy himself, the principles dictate;

1. Access to computers—and anything which might teach you something about the way the world works—should be unlimited and total.
2. Always yield to the Hands-on Imperative!
3. All information should be free.
4. Mistrust authority—promote decentralization.
5. Hackers should be judged by their hacking, not bogus criteria such as degrees, age, race or position.
6. You can create art and beauty on a computer.
7. Computers can change your life for the better.

In summary, the hacker ethic deals with the idea that individuals are performing a duty for the
common good, an analogy to a modern day 'Robin Hood'. The hacker community as a result are prided on the fact that they are the rebellion against authority figures that restrict this level of computer freedom. Hackers are only judged by their ability as opposed to the various systems in places that currently dictate authority, such as schools and universities. Mostly the hacker ethic idealizes the notion of hacking being an art-form, something revered as opposed to disputed and frowned upon. Popularized by 'phreakers' in the 1970s and 80s, this is something that is not only evident, but also widespread among the growing community. As Manuel Castells, another lecturer involved in the field of computing, it is something that reflects not only on this community, but also of the wider social, political and financial world. In a sense, “hacking is something that should affect everyone”, but it is whether or not the interpretation that is given to hackers by Steven Levy compared with negative stereotypes of the media that dictate this perception.

About ethical hacking:

With the growth of the Internet, computer security has become a major concern for businesses and governments. They want to be able to take advantage of the Internet for electronic commerce, advertising, information distribution and access, and other pursuits, but they are worried about the possibility of being “hacked.” At the same time, the potential customers of these services are worried about maintaining control of personal information that varies from credit card numbers to social security numbers and home addresses.

In their search for a way to approach the problem, organizations came to realize that one of the best ways to evaluate the intruder threat to their interests would be to have independent computer security professionals attempt to break into their computer systems. In the case of computer security, these “tiger teams” or “ethical hackers” would employ the same tools and techniques as the intruders, but they would neither damage the target systems nor steal information. Instead, they would evaluate the target systems' security and report back to the owners with the vulnerabilities they found and instructions for how to remedy them.

This method of evaluating the security of a system has been in use from the early days of computers. In one early ethical hack, the United States Air Force conducted a “security evaluation” of the Multics operating systems for “potential use as a two-level (secret/top secret) system.” Their evaluation found that while Multics was “significantly better than other conventional systems,” it also had “… vulnerabilities in hardware security, software security, and procedural security” that could be uncovered with “a relatively low level of effort.” They performed tests that were simple information-gathering exercises, as well as other tests that were outright attacks upon the system that might damage its integrity. Clearly, their audience wanted to know both results. The tool did not tell the user how the
vulnerability might be exploited, because there would be no useful point in doing so.

Who are ethical hackers?

Successful ethical hackers possess a variety of skills. First and foremost, they must be completely trustworthy. While testing the security of a client's systems, the ethical hacker may discover information about the client that should remain secret. In many cases, this information, if publicized, could lead to real intruders breaking into the systems, possibly leading to financial losses. During an evaluation, the ethical hacker often holds the “keys to the company,” and therefore must be trusted to exercise tight control over any information about a target that could be misused. limited-access labs with physical security protection and full ceiling-to-floor walls, multiple secure Internet connections, a safe to hold paper documentation from clients, strong cryptography to protect electronic results, and isolated networks for testing.

Ethical hackers typically have very strong programming and computer networking skills and have been in the computer and networking business for several years. They are also adept at installing and maintaining systems that use the more popular operating systems (e.g., UNIX or Windows NT) used on target systems. These base skills are augmented with detailed knowledge of the hardware and software provided by the more popular computer and networking hardware vendors. These systems management skills are necessary for the actual vulnerability testing, but are equally important when preparing the report for the client after the test.

What do ethical hackers do?

An ethical hacker's evaluation of a system's security seeks answers to three basic questions:

What can an intruder see on the target systems?
What can an intruder do with that information?
Does anyone at the target notice the intruder's attempts or

If the owners or operators of the target systems do not notice when someone is trying to break in, the intruders can, and will, spend weeks or months trying and will usually eventually succeed. When the client requests an evaluation, there is quite a bit of discussion and paperwork that must be done up front. The discussion begins with the client's answers to questions similar to those posed by Garfinkel and Spafford:

1. What are you trying to protect?
2. What are you trying to protect against?
3. How much time, effort, and money are you willing to expend to obtain adequate protection?

These assets should also include secondary information sources, such as employee
names and addresses (which are privacy and safety risks), computer and network information (which could provide assistance to an intruder), and other organizations with which this organization collaborates (which provide alternate paths into the target systems through a possibly less secure partner's system).

A complete answer to (2) specifies more than just the loss of the things listed in answer to (1). There are also the issues of system availability, wherein a denial-of-service attack could cost the client actual revenue and customer loss because systems were unavailable. The world became quite familiar with denial-of-service attacks in February of 2000 when attacks were launched against eBay, Yahoo!, E*TRADE, CNN, and other popular Web sites. During the attacks, customers were unable to reach these Web sites, resulting in loss of revenue and “mind share.” The answers to (1) should contain more than just a list of information assets on the organization's computer. The level of damage to an organization's good image resulting from a successful criminal hack can range from merely embarrassing to a serious threat to revenue. As an example of a hack affecting an organization's image, on January 17, 2000, a U.S. Library of Congress Web site was attacked. The original initial screen is shown in Figure 1, whereas the hacked screen is shown in Figure 2. As is often done, the criminal hacker left his or her nickname, or handle, near the top of the page in order to guarantee credit for the break-in.

Figure 1

Figure 2

Some clients are under the mistaken impression that their Web site would not be a target. They cite numerous reasons, such as “it has nothing interesting on it” or “hackers have never heard of my company.” What these clients do not realize is that every Web site is a target. The goal of many criminal hackers is simple: Do something spectacular and then make sure
that all of your pals know that you did it. Another rebuttal is that many hackers simply do not care who your company or organization is; they hack your Web site because they can. For example, Web administrators at UNICEF (United Nations Children's Fund) might very well have thought that no hacker would attack them. However, in January of 1998, their page was defaced as shown in Figures 3 and 4.

Figure 3

Figure 4

Answers to the third question are complicated by the fact that computer and network security costs come in three forms. First there are the real monetary costs incurred when obtaining security consulting, hiring personnel, and deploying hardware and software to support security needs. Second, there is the cost of usability: the more secure a system is, the more difficult it can be to make it easy to use. The difficulty can take the form of obscure password selection rules, strict system configuration rules, and limited remote access. Third, there is the cost of computer and network performance. The more time a computer or network spends on security needs, such as strong cryptography and detailed system activity logging, the less time it has to work on user problems. Because of Moore's Law, this may be less of an issue for mainframe, desktop, and laptop machines. Yet, it still remains a concern for mobile computing.

Each of these kinds of testing can be performed from three perspectives: as a total outsider, a “semi-outsider,” or a valid user. A total outsider has very limited knowledge about the target systems. The only information used is available through public sources on the Internet. This test represents the most commonly perceived threat. A well-defended system should not allow this kind of intruder to do anything. A semi-outsider has limited access to one or more of the organization's computers or networks. This tests scenarios such as a bank allowing its depositors to use special software and a modem to access information about their accounts. A well-defended system should only allow this kind of intruder to access his or her own account information. A valid user has valid access to at least some of the organization's computers and networks.

The Certified Ethical Hacker (CEH):

Certification is a professional certification provided by the International Council of E-Commerce Consultants. The definition of an Ethical Hacker is very similar to a Penetration Tester. The Ethical Hacker is an individual who is usually employed with the organization and who can be trusted to undertake an attempt to penetrate networks and/or computer systems using the same methods as a Hacker. Illegal hacking (i.e., cracking computer systems) is a felony in the United States and most other countries. But when this type of hacking is done by request and under a contract between an Ethical Hacker and an organization, it is legal. The most important point is that an Ethical Hacker has authorization to probe the target. A Certified Ethical Hacker is a skilled professional who understands and knows how to look for the weaknesses and vulnerabilities in target systems and uses the same knowledge and tools as a malicious hacker.

Protection: Basically, firewalls protect your computer from unauthorised access attempts. There are two kinds of firewall. Networked computers tend to be connected to the Internet through just one or two computers (hence only one Internet connection is required). These computers behave as firewalls by blocking any unauthorised packets. Any other packets are passed on to the computer they are intended for. This kind of firewall is called a corporate firewall. The kind of firewall you may be more familiar with is a personal firewall: this is a program that runs on your computer, and blocks any unauthorised incoming packets. Personally, I use ZoneAlarm. The great thing about ZoneAlarm is that it is easy to configure. Also, it only allows chosen programs to access the Internet, allowing you to block hackers that use standard protocols such as FTP. In case of emergency, it also has an emergency stop button, which allows you to block all access to the Internet immediately. ZoneAlarm can be downloaded and used for free by private individuals and charities. Businesses, governments, and educational institutions can download ZoneAlarm on the basis of a 60-day free trial. See ZoneLab's website for more information.

Remember that although a firewall stops hackers from getting in, it will not remove any existing 'backdoor' software from your machine. For this, you need a good anti-virus product like Norton or Sophos. Also make sure that you use your anti-virus software regularly, and that you keep it up-to-date.

Conclusion:

Even for those who do not count themselves among the ranks of the ethical hackers, it is important to be aware that security often does come at the expense of openness, convenience and efficiency. University systems are acutely aware of this (as are hackers), and in keeping with general commitments to openness and the free exchange of ideas, have much less secure systems. Information technology security is often the challenge of balancing the demands of users with the need for data confidentiality and integrity.

Fortunately, automated tools are available to transcend human error and perform automatic vulnerability assessment on web applications by attempting every possible hacker attack and reporting the success of the attack and severity of the vulnerability. With Carnegie Mellon’s CERT Co-ordination Center reporting over 52,658 cyber security incidents in 2001, whether you choose to address this serious vulnerability manually or automatically, protect your corporation's vital assets by making Web application security a top priority.

Bibliography:

1. Beaver, Kevin, CISSP (2003). Ethical hacking: Ten crucial lessons. Retrieved on June 21, 2006. http://searchsecurity.techtarget.com.
2. Bernard, Allen (January, 2004). The Pros & Cons of ethical hacking. Retrieved on June 25, 2006. http://www.cioupdate.com.
3. Brandt, Andrew (2003). Class on virus creation Draws Industry Ire. Retrieved on July 15, 2006. http://www.pcworld.com/resource/printable/article.
4. Clarkson, Logan (2006). Teaching Students to hack: Curriculum issues in Information Security, ACM Library. Informit Network (2006). Ethics, hacking and religion. Retrieved on July 1, 2006.
5. Palmer, Charles (April, 2001). Ethical Hacking. Retrieved on June 20, 2006 from http://www.research.ibm.com
6. Mitnick, Kevin. http://www.theregister.co.uk.
7. Hackers and Painters, Paul Graham. http://www.paulgraham.com/hp.html
8. Digital Millennium Copyright Act. http://www.gseis.ucla.edu/iclp/dmca1.htm
9. Hackers and Painters, Paul Graham. http://www.paulgraham.com/hp.htm
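
Added example (not part of the paper, and not ZoneAlarm's code): a Python model of the personal-firewall behaviour described under "Protection", where unsolicited inbound attempts are blocked, only chosen programs may connect out, and the stop button blocks everything. The log format, program names and addresses are constructed for illustration; blocked outbound attempts are reported because a firewall contains software already on the machine without removing it.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample log (not from the paper). Each line is one NEW connection
# attempt: direction, program ("-" for inbound), remote address, port.
SAMPLE_LOG = """\
out browser.exe 192.0.2.10 443
in - 198.51.100.7 21
out mailer.exe 192.0.2.25 587
out svch0st.exe 203.0.113.99 6667
in - 198.51.100.7 23
out svch0st.exe 203.0.113.99 6667
"""


@dataclass
class PersonalFirewall:
    allowed_programs: frozenset   # programs the user chose to let out
    emergency_stop: bool = False  # the "stop button": block all access

    def decide(self, direction: str, program: str) -> str:
        if self.emergency_stop:
            return "block"
        if direction == "in":
            return "block"  # unsolicited inbound attempts are never accepted
        return "allow" if program in self.allowed_programs else "block"


def parse(log: str):
    """Yield (direction, program, address, port) from the format above."""
    for line in log.splitlines():
        if not line.strip():
            continue
        direction, program, address, port = line.split()
        yield direction, program, address, int(port)


def review(log: str, fw: PersonalFirewall):
    """Apply the policy; return (verdict counts, programs to investigate)."""
    verdicts, suspects = Counter(), Counter()
    for direction, program, address, port in parse(log):
        verdict = fw.decide(direction, program)
        verdicts[(direction, verdict)] += 1
        # A blocked OUTBOUND attempt means software already on this machine
        # tried to reach the network. The firewall contained it but did not
        # remove it. (Under emergency stop every block is expected, so skip.)
        if direction == "out" and verdict == "block" and not fw.emergency_stop:
            suspects[(program, address, port)] += 1
    return verdicts, suspects


if __name__ == "__main__":
    fw = PersonalFirewall(frozenset({"browser.exe", "mailer.exe"}))
    verdicts, suspects = review(SAMPLE_LOG, fw)
    print(dict(verdicts))
    for (program, address, port), n in suspects.items():
        print(f"investigate {program}: {n} blocked attempts to {address}:{port}")
```

The program that keeps appearing in the investigate list is the one to hand to the anti-virus scan the paper recommends.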
