This is the first part of an undetermined number of articles I will be writing about web based security. Not only will I cover how to do it safely, I will cover how hackers can attack you. My reason for covering this is that you can't effectively understand security without being able to break it. In no way do I condone using any information here for illegal activity; you will most likely end up in jail if you try to gain unauthorized access to a network. I don't intend to discuss how to get away with anything.
What will this series cover?
The full extent of what this series will cover is currently undetermined, but every article will relate to web based security in the context of a corporation with a decently large number of staff. Articles will include writings about passwords, SQL injection, authentication and social engineering.
What to expect from these articles:
If you think you will be able to read my articles and become a "1337 haxor", please save your time and leave after this paragraph. The fact that you would even expect to read the writing of a single person and become a hacker means you probably aren't hacker material. If you ever want to get into this subject you will need to learn how to do your own research on Google and fill in the blanks for yourself.
While I will give as much coverage to each individual subject as I can, I cannot make everything comprehensive. I will name some tools, but I won't document their usage or name alternatives. It's your job to figure out how to use the tools and see which ones you like. If you are not familiar with both the Windows and Linux command line, I suggest you become at least somewhat familiar with them.
What you should expect is an expanded knowledge of security and how crackers work. My hopes are that you will be able to better secure your systems and provide a better product to your clients or employer.
The Mindset
What is a hacker?
By definition, a hacker is someone who uses a device for something it was never intended for. This can only be done through gaining an intricate knowledge of the system in question. One of the earliest examples of hackers were the phreakers: they figured out all the frequency codes to AT&T's phone systems and learned how to place free calls. Not all hackers are criminals, not by any means. I strongly recommend you read this article on being a hacker: http://www.catb.org/~esr/faqs/hacker-howto.html
However, crackers are what most people understand a hacker to be. Crackers, also known as black hats, are the enemy. Normally they are loud, obnoxious and childlike, but that does not change what they are capable of. What makes them so dangerous is that they continually find new ways to break things, sometimes in the name of advancing a science, sometimes for political or financial reasons and sometimes because they just want to. The motivation is unimportant; the bottom line is that they are dangers to your systems.
Thinking like a cracker
The cracker mindset is that everything can be broken and everything has a weakness. Do you:
• When returning from a nighttime walk, have a mental note of how many doors were left open and whether you could see anyone in the immediate proximity?
• Always inconspicuously look for the location of every security camera whenever you enter a building?
• Autofill logins with the admin's username and "' OR 1=1; --" before actually signing in?
• Have a never ending want to be smarter than whoever built the device in question?
• Have a fleet of fake, non-government, ID cards?
If this sounds like you, you probably already have the mentality needed. If not, give it a try, it's fun.
In short, you need to think like a criminal. Now I don't suggest that you actually commit crimes, just keep thinking of better ways to accomplish them.
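The "' OR 1=1; --" habit in the list above is only interesting because of how many login forms are still built. As an added example that is not part of the original article, the snippet below puts a login routine that concatenates user input into its SQL next to one that uses bound parameters, against a constructed in-memory SQLite table; the table, the account name and the password are all made up for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data: one account in an in-memory database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # The input is spliced into the query text, so a quote in the password
    # field closes the string literal, "OR 1=1" makes the WHERE clause true
    # for every row, and "--" comments out the rest of the statement.
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    # Placeholders hand the values to SQLite separately from the SQL text:
    # the quote, OR and -- are compared as plain characters against the
    # password column and never change the shape of the query.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    probe = "' OR 1=1; --"
    print("concatenated query accepts the probe:", login_vulnerable(db, "admin", probe))
    print("parameterized query accepts the probe:", login_parameterized(db, "admin", probe))
```

The same fix applies regardless of database driver: keep the query text fixed and pass user-supplied values only through the driver's parameter mechanism.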
The never ending quest for knowledge
The world of security is ever changing; you will need to continually learn new things. If you are expecting to just learn some stuff and use that information forever, you are in the wrong business. This means that you will have to keep up on publications and do your own research. While it is a fine supplement, asking questions on forums and mailing lists cannot be the basis of your knowledge. You need to go out, find your own answers and be self sufficient. Without this skill you will never advance anywhere.
Some good resources:
http://www.securityfocus.com/ This is a frequently updated site talking about cutting edge security threats.
http://crackmes.de/ People send out challenges that they want to be cracked; mostly these involve reverse engineering computer programs. This is very fun and educational.
http://mrcracker.com/ This site contains podcasts on the subject of cracking.
http://www.progenic.com/ Be careful on this site: it is a list that changes frequently and may contain links which lead to malware and adult content. It does provide a lot of useful sites as well, so just be careful.
http://xtremeroot.net/ Despite what they say, they are a blackhat community. While they have a large amount of useful content, illegal activities do happen there. They have entire sections dedicated to pirating media and cracking software; they even have a section to post stolen credit card numbers (and plenty come). Tread carefully and get what you can out of the site.