Tuesday, April 7, 2009

Unveiling the Mysterious World of an Ethical hacker

One of my recent articles got published in TheSmartTechie Magazine. Here's the unedited article for your reading pleasure-

The Ethical Hacker Snapshot
What is the first thing that comes to your mind when you think of the word ‘hacker’? Let me attempt to draw a snap here; a kid in his late teens or early 20’s displaying modern demeanors — wearing a turned around cap, having ruffled hair, wearing a spectacle, and dressed up casually in jeans and t-shirt. Someone who looks a bit immature in his mannerisms but at the same time sounds like a deep thinking individual, possibly knowing everything about computers and with a malicious intention to break into computer systems and networks and cause harm to individuals and organizations. If you are like many others who are baffled by the mystery surrounding the hackers, your image of a hacker may not be too different from the one described above. In short, there is always a notorious vagueness surrounding the word ‘hacker’. So, who is a hacker anyways, and what’s so ‘ethical’ about a hacker?

The Ethical Hacker Defined:
The Oxford dictionary’s definition of the word ‘hacker’ is ‘someone who uses a high degree of computer skill to carry out unauthorized acts within a network.’ And the definition of the word ‘ethical’ is ’being morally correct’. So in plain terms, an ‘ethical hacker’ is someone who uses a computer to gain unauthorized access to data in a computer or network and at the same time is morally correct and does not have a malicious intent. In industry jargon, an ethical hacker is a computer and network expert who attacks a security system on behalf of its owners, seeking to detect vulnerabilities that a malicious cracker could exploit. Some experts even argue that hackers, by definition, are supposed to have ethical intent and so there is no need for the phrase ‘ethical hacker’. In this article, I have used the term ‘ethical’ in an attempt to counter the negative impression that exists around hackers. On the contrary, a cracker is someone who is also a computer and network expert and attacks a computer system or network and has a malicious intent, unlike a hacker. An ethical hacker is also sometimes called a ‘white hat’; a term that comes from old Western movies where the ‘good guy’ always wore a white hat and the ‘bad guy’ wore a black hat. So, a hacker does not have a criminal intent but a cracker does.
A Few Cracker Stories
In 2007, nearly 3,000 customer records were accessed by crackers who hacked into the system of a small bank in central U.S. Though there is no official record of how this happened reports say that this was possibly done by using SQL Injection attacks. Whoever thinks that online banking is convenient may get a perspective of the considerable risk at which this convenience comes. In February 2007, more than 10,000 online game servers that were hosting games such as Return to Castle Wolfenstein, Halo, Counter-Strike, and many others were attacked by ‘RUS’ hacker group. The Distributed DoS attack was made from more than a thousand computer units located across the former republics of the erstwhile Soviet Union. A lot of research is carried out on the Wi-Fi networks by means of Wardriving. In Wardriving, the researcher looks for Wi-Fi networks using a PDA or portable computer while in a moving vehicle. The prime idea behind Wardriving is to find out the vulnerable Wi-Fi networks, and if the Wardriver has a malicious intent he can use this information to break into vulnerable wireless networks using the computer or network resources. In the recent terrorist attack incidents, vulnerable wireless networks were used to send emails to media houses, which certainly left ignorant Wi-Fi users in much of a trouble. The Internet is full of news stories related to organizations’ and even home users’ computer security being compromised by crackers. Hackers are the people who help prepare the organizations against such attacks of even more drastic consequences.

Exploring the Mind of an Ethical Hacker
As Ankit Fadia, one of India’s renowned computer security experts put it an ethical hacker, or simply a hacker, is someone who
* Likes to think out of the box.
* Likes to try out and experiment with the things not mentioned in a computer book. * Has unlimited curiosity.
* Is highly creative and innovative.
* Believes in testing and stretching the limits of his own technological abilities. * Has an ability to think and stand on his own feet and achieve things that are beyond the capacity of a normal person.
* Is trustworthy and honest. Hackers in reality are actually good, pleasant, and extremely intelligent people who, by virtue of their knowledge, help organizations in a constructive manner to secure documents of strategic importance.

Similarity Between Ethical Hacking and Software Testing
The prime purpose of software testing is to detect the bugs in a software application before the customer does it. On similar lines, the purpose of hacking is to find the vulnerabilities before a cracker with malicious intention does it. A hacker needs a kind of brazen mindset for breaking things in order to carry out hacking. The same kind of mindset is found among persons performing security testing on software applications. Like a typical software security tester a hacker also needs to have loads of perseverance, as the success ratio of finding a vulnerability is not always quite high and it usually requires trying out different things persistently and creatively to find out something wrong with a particular computer system or a network. One of the important things that a hacker usually relies on to carry out a simulated attack is called ‘penetration testing’. A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source, known as a Black Hat Hacker, or Cracker. The process involves an active analysis of the system for any potential vulnerabilities that may result from poor or improper system configuration, known or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. There are lots of freely available tools as well as commercial ones that can help one perform Penetration tests on websites, computer networks, and so on.

Epilogue
To catch a thief, you must think like a thief. That’s the basis of ethical hacking. One of the first examples of ethical hackers at work was in the 1970s, when the United States government used groups of experts called Red Teams to hack its own computer systems. One of the key roles of Red Team activity was that it challenged preconceived notions by demonstration and served to elucidate the true problem state that the attackers might be attempting to exploit. In a similar way organizations and government agencies hire ethical hacking services to gain insights into the vulnerability assessment of their own computer systems and networks to know how sensitive information is externalized and can be exploited by the crackers. Gaining information about the loopholes in a system, the ethical hacking services work to plug the holes and make the systems more secure and less exploitable. Are you aware of the ‘cyber thieves’ stalking your organization’s computers and networks? If not, ethical hacking will sure give you an answer.