Business Daily from THE HINDU group of publications
Monday, Apr 02, 2007
Books 2 Byte
Get `loaded' for the attack
D. Murali
Ankit Fadia strikes again, with new kitaabein in the `project hacking' series, from Vikas (www.vikaspublishing.com). Let's begin with Google Hacking: An ethical guide. The preface by co-author Diwakar Goel informs that with specially crafted inputs you can find `tons of sensitive personal as well as organisational information' using search engines. "From helping to stay anonymous, finding sites with vulnerabilities, gathering information about the target network, to finding exploit code - search engines can do it all."

The first three chapters are on what Google is really about; Googling; and advanced search operations. Then you are `loaded' for the attack.

First, ensure anonymity, which comes easily. Identity in cyberspace basically rests with your IP (Internet Protocol) address, explain the authors. "Whether you are on a dial-up connection or cable, you will be assigned a unique IP address each time you connect to the Internet." Using www.showmyip.com you can know `what kind of information a site can extract when you visit its page'. Registration information can be gleaned using `Whois' on the Net. The database on www.dnsstuff.com can be an eye-opener: "Just enter your IP into it and see for yourself what information is revealed about you."

To guard your identity, use proxy servers, guides the book. "A proxy server can be roughly understood as a third man who communicates on your behalf. Instead of establishing a direct connection between you and the Web site, the proxy server splits the process: you connect to the proxy server, and the proxy server connects to the Web site you requested for." Visiting cached pages is another way to remain anonymous, because Google acts as the intermediary; so too with `language tools', where you can translate an entire page: give Google the URL and view the translated pages without the knowledge of the site.

Web or CGI proxies such as www.anonymizer.ru `allow you to enter a URL and surf it anonymously directly'. The authors advise that you can use proxy methods "to access sites that have been blocked on your Internet connection, as often happens in colleges, schools, workplaces, etc."

Towards the end of the book is `More Google fun' where you'd learn: how to use GMail as storage, by deploying a tool from www.visoe.dk/code/gmail.htm; a 4-line JavaScript code that can be used `to download Google Videos directly as `.avi' files'; and get free reminders as SMS on your mobile phone from Google Calendar.
Encryption can be defeated
"Do you worry while being connected to the broadband? Do you worry whether your password is safe or not, or whether someone is intercepting your message? Do you fear that you will have to pay huge bills if someone intercepts your password?" These questions appear in the opening chapter of another Fadia book titled Encryption: Protecting your data, co-written by Jaya Bhattacharjee.

First, what is encryption? "The process of encoding the contents of the plain text in such a way that its contents cannot be deciphered or read by outsiders is called encryption," define the authors. They explain encryption algorithms such as RC4, RC5, DES, RSA, elliptic curve and Rijndael. A chapter on encryption tools discusses Caesar, Karen's Hasher, Yodas Crypter, Truecrypt, Omziff and so forth.

The book has a chapter on practical examples of encryption applications. For instance, electronic payments can be secured through SET (secure electronic transaction) protocol, a standard for credit card deals over insecure networks. Another method is NetCheque, "a distributed accounting service supporting the credit-debit model of payment." NetCash, which is yet another way to secure electronic payments, `provides scalable electronic currency that is accepted across multiple administrative domains'.

The bad news, though, is that encryption can be defeated. "The idea that strong cryptography is good security by itself is wrong," observe the authors. "While brute-force decryption is possible, modern forms of encryption have made this process too long to be valuable. However, there is still a risk if the end points of the communication are vulnerable..."
No security, only opportunity
The third kitaab is Intrusion Alert: An ethical hacking guide to intrusion detection, by Fadia with Manu Zacharia. Chapter 1 opens with a disquieting quote of General Douglas MacArthur: `There is no security on this earth, there is only opportunity'.

The book cautions that attackers of today are sophisticated in intrusion methodologies, and they spend `a large part of their time and effort seeking ways to exploit weaknesses in the communication methods and systems used by common services, such as Web sites and email'. Do you know that attackers routinely send abnormal commands or data to these services to find out more about the target systems' vulnerabilities? "Traditional firewalls are not able to assess the validity of such communications because they do not understand them."

You may want to snigger or snort that intrusions happen to others and not you; but it helps to know that Snort is `a very flexible network intrusion detection system'. Snort is a modern security application that can serve as a packet sniffer and logger too, explain the authors. "Snort uses an ordered set of behaviours to determine what traffic matches its rules and should be alerted."

Hacking material that you can add to your bookrack.

Tailpiece

"He is a hacker!"
"How do you know?"
"See, no footprints!"
Copyright © 2007, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line.