Imagine this online hacking scenario: someone stealing information from your computer while you are uploading an image on Facebook. Scary, yes. Implausible? Think again; it may sound like its coming from a cyberpunk tale, but it’s quite possible with the latest online hacking techniques.

A collaborative effort between researchers from the University of Illinois at Urbana-Champaign and the Indraprastha Institute of Information Technology in New Delhi, India have come up with “Steganobot”, a new generation botnet, which attaches itself to Facebook profiles and gains access to the user’s confidential data such as e-mail passwords while uploading Facebook pictures. The researchers said that Stegobot was developed to show how easy it could be for a hacker to exploit Facebook photos upload feature to sneak into the user’s computer.

Botnet Malware: Online Hacking Evolution

Malware is an extremely serious threat to modern networks. In recent years, anew form of general-purpose malware known as bots has arisen. Bots are unique in that they collectively maintain communication structures across nodes to resiliently distribute commands and data through a command and control (C&C) channel. The ability to coordinate and upload new commands to bots gives the botnet owner vast power when performing online hacking activities of a criminal nature, including the ability to orchestrate surveillance attacks, perform DDoS extortion, sending spam for pay, and phishing.

The evolution of botnets for online hacking has primarily been driven by the principle of `whatever-works’. Early botnets followed a centralized architecture. However, the growing size of botnets led to scalability problems. Additionally, the development of online hacking defense mechanisms that detect centralized command-and-control servers further accelerated their demise. This led to the development of a second generation of decentralized botnets.

Meet Steganobot: New Botnet developed to Study Future Online Hacking Threats

Stegobot initially gains access to computers through the usual channels such as infected attachments or directs to malware-laden content. After gaining access, Stegobot applies a technique called “steganography” to conceal data in the image files without affecting the picture’s appearance.

Topological Diagram of Steganobot

The botnet incorporates the information into any image you are uploading on Facebook. And then it waits for one of your friends to see your profile. Stegobot can then infect your computer even if your friend has not clicked on the corrupted image. In case your friend is also infected with the botnet, then any photo they upload will also pass on the stolen data. And the relaying of the data can eventually land into the hands of a botmaster, who will be then able to access your identity.

The study focuses on the development of a decentralized botnet based on a model of covert communication where the nodes of the network only communicate along the edges of a social network. This is made possible by recent advances in malware technologies. Social malware refers to the class of malware that propagate through the social network of its victims by hijacking social trust. Instances include targeted surveillance attacks on the Tibetan Movement and the non-targeted attack by the Koobface worm on a number of online social networks including Facebook.

By adopting such a communication model, a malicious network such as a botnet can make its traffic significantly more difficult to be differentiated from legitimate traffic solely on the basis of communication end-points. Additionally, to frustrate defense efforts based on traffic flow classification, Steganobot’s development team intends to explore the use of covert channels based on data concealment techniques. What if criminals used steganographic data hiding techniques which exploit human social behavior patterns in designing botnets? Would it be possible to design such a botnet? How would it be superior to existing botnets, and where would it be inferior to the same? These are some of the questions this study hopes to answer in this paper.

The research related to Stegobot is quite significant as this online hacking threat is virtually undetectable. Of late we have seen a spate of online hacking across the world. Whether it has been a government website or the IMF network, everything online seems vulnerable. Online hacking techniques such as botnets have only strengthened the contemporary need for more secure and foolproof methods to safeguard online identity. For continued updates about malware protection and safe web behavior, keep reading our online hacking weblog.

As you’d have guessed from the previous posts about ethical hacking on our online hacking weblog, Over the past few months, Facebook has been running a bounty program of sorts aimed at rewarding white hat hackers for detecting security holes in the site.  At last count, Facebook had shelled out nearly $40,000 within the first three weeks of this program; if nothing else, this little piece of statistic does illustrate the merits of outsourcing your website’s cyber security jobs to freelance ethical hackers

Bug Bounty: Facebook Pays You for Ethical Hacking

The objective of the “bug bounty” program is to encourage cyber security experts to help ramp up Facebook’s security against online hacking attacks. Facebook has already paid above $7,000 for detecting as many as six serious bugs in the site. The social networking company is running the ethical hacking program alongside its other measures to ward off internet-based threats to the site.

Facebook chief security officer Joe Sullivan has revealed some details of the ongoing bug bounty program in a blog post. He said in the post that the ethical hacking had helped make Facebook more secure by revealing “novel attack vectors, and helping us improve lots of corners in our code”. Sullivan revealed that the minimum sum paid for bug detecting is $500, which can be extended up to $5,000 depending upon the seriousness of the loophole detected. Facebook has already shelled out the maximum bounty once.

Sullivan adds that Facebook’s White Hats initiative has received positive response worldwide. He goes on to describe how Facebook received applause on launching their responsible disclosure policy last year, in which Facebook told ethical hacking researchers that they had the freedom to report the bugs in accordance with the policy without fearing adverse action by Facebook.

Turning to Ethical Hacking to Counter Rising Threats

Facebook’s bug bounty program comes in the backdrop of escalating threats to the social networking site from cyber criminals and vandals. According to reports, Facebook has been a prime target of the cyber criminals and that they are looking out for different ways to extract confidential and useful information from Facebook users and promote spamming on the site, necessitating the move to harness ethical hacking talent from the world over.

Facebook has apparently gone extra mile by inviting bug hunters to ensure site’s safety. Reports have claimed that Facebook is now in talks with third party institutions which are ensuring that the company’s privacy policy also covered the white hat ethical hacking researchers.

Researchers from more than 16 countries have successfully submitted bounty bugs, Facebook said. Its public “thank you” list names dozens of ethical hacking contributors.

That will be all for now, but we’ll continue to feature more news articles on ethical hacking on our online hacking weblog.

Fight the Hacking Menace

Electronic fraud and Internet-related offenses such as hacking are fast-turning into a serious law-and-order issue, especially in the Western world. With internet technology becoming an ever pervasive part of our lives, it is becoming more and more crucial to be aware of security issues with respect to hacking and the dos-and -don’ts of being a netizen so as to not be a victim. Also, with corporations becoming more aware of the need for computer security, a qualification in cyber security can make for a lucrative career, turning you into a veritable cyber-Marshall who combats the evil of hacking. What’s more, a lot of these courses are available online!

Of course, there exist proper brick-and-mortar institutions that offer similar courses, but online learning affords you the luxury of learning at your own pace. Effectively, it lets you plan your course to suit your life instead of the other way round.

A Course to Counter Hacking

While you’ll learn many things in this course, of utmost importance is the part where they teach you about countering cyber-terrorism. Cyber-terrorism is still a tentative term and aspects of it are still emerging. However, one can say that cyber-terrorism is where the menace of hacking, hitherto ranging from merely annoying fiddling to financial crimes or even corporate espionage, has now turned into a full-blown hazard threatening the national security of various countries and endangering millions of lives.

Cyber terrorism is the sort of hacking where a hacker breaks into a system containing sensitive classified information pertaining to a nation’s security interests; the access is usually granted via the internet, but sometimes a hacker may have to connect to a more secure, exclusive network through the internet, thus involving another layer of security that has to be compromised. The classified information thus accessed may be made public for all to see, or just sold to the highest bidder. Such hackers can even be in the employ of intelligence agencies seeking to spy on another country. Cyber-terrorism is just an extension of one way that hacking has been used by the business world for quite some time: corporate espionage by breaking into a rival company’s systems. The difference is that the stakes are much higher in this case than just corporate hacking. The anonymous nature of the Internet makes it easy for certain groups to attack rival groups or target individuals with impunity.

A few of the other topics of relevance that are taught in the course are cyber law, computer forensics, fighting malware and cyber-compliance. There is also a fair degree of stress on countering intrusion with software/ hardware and firewalls.

In a Nutshell

What it comes down to is protecting sensitive information and checking unauthorized access to any data. Implications of this can be very wide, from preventing national-security level espionage, to saving critical computer systems from malicious software, and even to preventing identity theft that ultimately leads to credit card fraud or possibly something more nefarious.

A computer is like a gun; it can be used for evil or for good, and that depends on the man controlling it. By being a cyber security professional, you are choosing to take things in your hands and do your bit to counter the threat of hacking.

Be the Hacker to Counter Online Hacking

When it comes to combating cyber-crimes such as online hacking, the methods and technologies used mean that there’s a very thin line that divides you, the cyber-security expert, from the criminal hacker (or cracker) you are meant to stop. In such a case, it is most important to be aware of yourself and where you stand, as also being aware of your opponent, the evil genius computer hacker (sounds melodramatic, but humor us) and his strengths and weaknesses.

Applying Sun Tzu & The Art of War to the ‘ War Against Online Hacking ‘

Ancient Chinese philosopher Sun Tzu has said something to the same effect: for certain victory, one must at all times recognize yourself and acknowledge of your enemy; being aware of yourself but not recognizing your enemy’s nature lowers your odds of victory to merely probable, while not being aware of either will lead to certain defeat.

Heed the immortal words of Sun Tzu, know yourself. Or perhaps more to the point, know your computer system; the security holes and the loopholes. Think like an online hacking expert as to how you would invade the system if you were a hacker; to stop the hacking attack, you must become the hacker, find the weaknesses, and plug them in anticipation of the actual online hacking attempt.

Your diligence or ingenuity in writing code is no guarantee of security from being compromised. You must be proactive and use an online hacking mindset in discovering faults in the system that can be exploited to gain unauthorized entry.  Even then, your job may only be half done.

Trying to trace a hacker on the Internet can be as elusive a task as looking for irrefutable proof that the ‘Loch Ness Monster’ exists. Of course, technologies exist in the field of cyber-forensics that can enable tracking online hacking miscreants, but as the proverb goes: a bird in the hand is better than two in the bush. So, it is better to thwart any attempts at online hacking than to detect and punish the hacker later, because a stitch in time saves nine. It might also save your company from featuring on the nine ‘o clock news as the latest victim.

Simply learning the most commonly exploited loopholes and the most widely used access methods would not help, especially if you slavishly follow what you’ve learnt by heart. You’ll be mistaken in your assumption that you’re secure from all online hacking activity. You must instead learn to be dynamic; understand that ordinarily, a hacker is one-step ahead of the law and would easily thwart all textbook attempts to prevent hihim from hacking into the system. You must therefore erase this lead a hacker has over you by being unpredictable yourself, then only shall you fulfill the tenets described by Sun-Tzu and only then shall you be assured of victory. Armed with this knowledge shall you go forth to fight online hacking.

Stay tuned to this online hacking weblog for more updates, articles and opinions of the world of (cyber)crime-fighting.

Online hacking has become the bane of any business that has a presence online. However, the threat posed by online hacking is but a small part of the unfolding scenario. There are so many possibilities of different kinds of electronic attacks that may harm a business in myriad forms, from crippling data systems to stealing top-secret business relevant data.

A New Way to Fight Online Hacking

Computer forensics is a specialized branch of computer security and much like the police forensic specialists who investigate a crime scene, digital forensic experts examine a online hacking break-in or security compromise incident for clues that might point to the perpetrator or at least to the method used, so as to avoid any hacker using the same online hacking method or other modus operandi in the future.

Before you call in the cavalry, however, there are some things you need to know. When it comes to security compromises — as a result of online hacking or otherwise — in the corporate world, there’s no if; there’s only the when and the how bad. Trying to control the when is only a matter of delaying the inevitable, but you can control the latter by being a little careful.

The Enemy Within

Security compromises need not always be by access from a remote location. Employees who recently left are a big security risk simply for the fact that they can gain access to the building on some pretext or the other; chances are that they’d still be carrying a pass-card that the folks in IT forgot to render invalid. Then again, there’s not much you can do about the employees who actually are working for you; strict information security policies can act as a deterrent, but only so far. You could tell yourself that you should have done a better job by hiring ethically sound people, but is there really a reliable way to test one’s moral fiber? In a large concern especially, there’s no knowing where a compromise attempt will come from.

That is why, while it is all very well to invest in building as online hacking proof a system as possible, it is equally crucial to pay attention when the security policies and related legal issues are revised. That will help you learn tidbits regarding post-incident what-to-dos regarding damage control once the system has been compromised. Keeping track of online hacking news and developments also helps. Also, this is where the science of computer forensics comes in.

Defining Computer Forensics

A textbook definition of computer forensics is: the maintenance, classification, retrieval, analysis, and documentation of computer evidence. Some authoritative works on the digital forensics define it as the scientific collection, scrutiny, and maintenance of data contained in electronic media whose information can be admissible as evidence in a court of law. This last rider of the evidence being usable in a court of law adds certain technicalities to the mix: the collection part being particularly dicey as there are a lot of ways of gathering electronic data that may amount to illegal (or unauthorized) surveillance and intrusion of privacy, wiretaps being an example.

Ethically and legally speaking, there’s a very thin line that separates computer forensic investigations from criminally motivated online hacking, and the former have to tread that line with utmost care.

Ethical Hacking: A Contradiction Unto Itself?

There are those of you for whom the term ‘ethical hacking’ is an oxymoron. Hollywood and pop culture stereotypes have made sure that any ‘hacking’ activity is seen as negative and even criminally motivated. Well, it is true that hacking is, fundamentally, taking advantage of unprotected or weakly guarded sites or systems. It is equally true that this can be used to the hacker’s advantage for personal gain, often at the cost of others. It is these criminal-minded, often pointlessly destructive individuals who’re frequently referred to as hackers which, though technically incorrect, should be persisted with now if we are to even begin defining what ethical hacking is all about. So, it is already pretty clear that hackers (the criminal sort, anyway) can be a real menace due to the fact that they’re expert programmers, something that makes them superhuman as long as they have a computer close by.

Enter the Good Guys: Ethical Hacking

Ethical Hackers: Detectives for the Information Age

Because of these super-powered villains, others (often companies,) who want to strengthen the protection of their online systems turn to professionals for help. These professional hackers (the good guys, sometimes known as “white hats,”) use an ethical hacking style to help build a stronger defense against real hacking threats. By purposely “attacking” the system, they can quickly discover its security holes, and then begin to come up with ways to stall, avoid or eliminate the hacking attacks of the sinister sort.

So let’s put this charade aside now, for you can now see that not all hacks are bad. However, for the sake of convenience, we’d still have to use the same terminology to distinguish ethical hackers from the harmful hacking (dubbed ‘cracking’ in the elite world of super-programmers). The act of hacking ethically into a system in order to expose possible weak points, ones that real hackers, or “black hats” (due to less savory intentions) can exploit, can help prevent the company from loss of earnings or reputation. Indeed, a lot of companies are now employing the skills of those who can perform this task because they understand that the only way to fight against skilled hackers is with another skilled albeit ethical hacking specialist of their own!

Ethical Hacking: Set a Thief to Catch a Thief?

Well, not always. But considering that ethical hacking modus operandi comprises of breaking into online systems, the likelihood of the really good white hats being hired professionals who have made their bones as black hat hackers. But it’s not always so cloak and dagger; those with a strong proficiency in computer programming can be trained to carry out these services and a fair number of white hat hackers actually are full-time employees of the company who have the desired level of skill.

So long as your actions have been approved by the company that owns the system you break into, whatever mayhem you create during the hacking process will entirely benefit that company provided they follow up and eliminate those weaknesses exposed by you.

Ethical Hacking in a Nutshell

This is not about good or bad hackers, white hats or black hats; ultimately it is about the good of the company, and the safety of sensitive data they have. If you had a rather shady past but have since gotten over your rebel streak and decided to work for the system rather than against it, you will be highly sought after for the services you can now provide.

Ethical hacking is all about getting results when it comes to shielding online systems against break-ins, malicious attacks and date theft. You are concerned only with keeping the assets and interests safe, and only by thinking and acting like a true hacker can this be achieved.

Without a doubt, this is a smart way to safeguard your information assets against online threats. If you’re a company, do not hesitate to employ a white-hat hacker, as they are armed with the requisite level of knowledge and skills to counter a threat from another hacker. On the other hand, if you’re involved in hacking yourself, and would be willing to consider a career on the right side of the law, ethical hacking beckons.

My colleague to participate in an exclusive club and the logged on user’s website. Here he played on the club facilities for entertainment, exercise and socialization. The site had an online form to collect personal information.

My colleague is a “hacker” by the nature of the profession and just tried to enter the field and immediately found that the shape was the SQL injection vulnerability. Exploitation of this vulnerability could have created many opportunities, including access to all members of the database. Be “ethical”, he refrained from doing so.

So who is a hacker? And how the hacker to ethics? The original meaning of the word “hacker” is someone who is an expert, a guru who can ‘hack’ a program and make it do things not originally intended. Hackers have gained the nickname because they have spent hours hacking away on the keyboard. A ‘hacker’ is a malicious person who will use his technical expertise with criminal intent.

Somehow, the hacker term got associated with criminal intentions. Now it is assumed that a hacker will exploit any security weakness of a system for nefarious purposes. So we had to invent the term ‘ethical hacker’—a person with hacking skills who is ethically bound to help you identify and fix security weaknesses.

How does one become an ethical hacker? The essential ingredient which makes a hacker is unlimited curiosity about how things work, and how things can go wrong. The computer is an extremely complex system. The major components that need to work flawlessly are the operating system, application systems including web-based application systems, database systems and networking systems. And a hacker must have intricate knowledge of all these systems. An hacker should also be an accomplished ‘social engineer’. Famous hackers are also experts in exploiting human weaknesses. People are usually helpful and cooperative, which means they can also be manipulated, flattered, intimated or plain bullied by someone pretending to be an authority.

Hackers study new releases, identify weaknesses, and build superb tools with GUI front-ends to exploit these vulnerabilities. Most of the other hackers only use these tools, but they are so adept at using these tools that they are the real threat. Most ethical hackers study the same tools and become as proficient in the use of these tools as real hackers. If computer systems are tested using the same hacker’s tools, there is a good possibility of finding out most of the vulnerabilities, and then patching them.

Most ethical hackers undergo some formal or informal training on hacking tools. But the real expertise is only developed after long hours of working with these tools and learning to interpret the results correctly. It should be noted that hacking tools often give false positives or false warnings, which need to be correctly identified and weeded out. The danger is when the tools do not identify the latest vulnerabilities. A good hacker needs to know how to identify these using the basic knowledge of the system and not merely by using tools.

There are a number of certifications that an ethical hacker can acquire. But this is one profession where a certificate is no guarantee of one’s hacking skills.

An organization should minutely and independently verify the claims of an ethical hacker. Also, the type of experience should be relevant to the type of systems to be tested.

Reputation hacker ethic should be easy to check from former clients, in reality, it must be done, and any excuse to maintain confidentiality should be questioned. Remember, good hackers are as good as “social engineers”.

According to security experts, almost half of all home wireless broadband ( Wi-Fi ) networks could be hacked within five seconds.

Fraud prevention firm CPP said, the “ethical hacking” experiment was conducted across six UK cities, revealing some 40,000 vulnerable Wi-Fi networks.

“The biggest concern for consumers is the consistency of speeds they receive,” said Sky, adding that the biggest frustration for 30% of customers was that their speed differed depending on the time of day they logged on.

“And even password-protected networks are not secure,” said researchers. “A typical password can be breached by hackers in a matter of seconds.”

Michael Lynch, identity fraud expert from CPP, said: “This report is a real eye-opener in highlighting how many of us have a cavalier attitude to Wi-Fi use, despite the very real dangers posed by unauthorized use.

“We urge all Wi-Fi users to remember that any information they volunteer through public networks can easily be visible to hackers. It’s vital they remain vigilant, ensure their networks are secure and regularly monitor their credit reports and bank statements for unsolicited activity.”

Michael Phillips added: “As well as installing reliable antivirus software like Norton or McAfee, you should always make sure that you keep it up-to-date.

Michael Phillips advised “Choose separate passwords for different accounts and make sure that a wireless code that you pick will be hard to crack. “Use our free Wireless Key Generator to help you create unique, hard-to-crack your Wi-Fi network passwords.”

Leading cryptography expert Paul Kocher says the new breed of quantum computers will not be able to crack encryption currently used to secure web and wireless network traffic.

The statement follows concerns among some security experts that the high processing power of quantum compute technologies could be used to crack the encryption used by most organisations.

Kocher, chief executive at Cryptography Research Inc, said: “Quantum computing is interesting because it changes fundamentally the way we do computations.”

But, he added, “there are other things besides quantum computing that keep me awake at night. Implementation errors in algorithmic cryptography and buffer overflows cause me to lose vastly more sleep than quantum computing.”

The most secure algorithm in use today is the 256-bit advanced encryption standard, also known as AES. And Kocher says this is safe from quantum computing.

“If anybody making purchasing decisions is troubled about quantum computing, they’re worrying about completely the wrong cryptographic problems,” he said.

Nearly one in three (31 per cent) of the respondents to Fortify Software’s survey admitted their organisation had been hacked in the past, and a similar number said they didn’t know if it had.

The vast majority (83 per cent) said they thought off-the-shelf software was buggy and insecure and more than half (56 per cent) said that it was vulnerable to hackers. Consequently many are hacking into their own systems to test the defences they have built.

A small number (three per cent) confessed to attacking competitors’ systems too.

The best way to check that applications are secure is to combine all available solutions, including code and static analysis, web application firewalls, application scanners and pen testing, said 57 per cent of the group. Five per cent admitted that their organisations didnt employ technology for software security.

Of those that admitted to previous hacking experience, 29 per cent learned to hack at work; 26 per cent on the internet; 13 per cent at university; and eight per cent at school. A further eight per cent used friends to help them hone their talent.

The survey was conducted among 300 security specialists in companies of over 1,000 employees.