Ethical Hacking: Hacking GMail. Teaching Hacking.

Published on 14-Jan-2016


Transcript

Ethical Hacking: Hacking GMail
Hands-On Ethical Hacking and Network Defense

Teaching Hacking

What do Hackers Do?
  • Get into computer systems without valid accounts and passwords
  • Open encrypted files without the key
  • Take over Web servers
  • Collect passwords from Internet traffic
  • Take over computers with remote access trojans
  • And much, much more

Ethical Hackers
  • Ethical Hackers do the same thing criminal hackers do, with one difference
  • Ethical Hackers have permission from the owner of the machines to hack in
  • These "Penetration Tests" reveal security problems so they can be fixed

Two Hacking Classes
  • CNIT 123: Ethical Hacking and Network Defense
      • Has been taught since Spring 2007 (four times)
      • Face-to-face and Online sections available Fall 2008
  • CNIT 124: Advanced Ethical Hacking
      • Taught for the first time in Spring 2008

Certificate in Network Security

Associate of Science Degree

Student Agreement
  • Required for every student in CNIT 123: Ethical Hacking and Network Defense or CNIT 124: Advanced Ethical Hacking

Sniffing Plaintext Passwords

Insecure Login Pages
  • HTTP does not encrypt data
  • Always look for HTTPS on login pages

Tool: Cain
  • Click NIC icon to start sniffer
  • Click Sniffer tab, Password tab on bottom
  • From http://www.oxid.it/cain.html

Authentication Cookies

GMail Uses HTTPS
  • Sniffing for passwords won't work
  • Most Web mail services now use HTTPS too

Cookies
  • Thousands of people are using Gmail all the time
  • How can the server know who you are?
  • It puts a cookie on your machine that identifies you

Gmail's Cookies
  • Gmail identifies you with these cookies
  • In Firefox, Tools, Options, Privacy, Show Cookies

Cross-Site Request Forgery (XSRF)

[Diagram labels: Web-based Email, Router, Target Using Email, Attacker Sniffing Traffic, To Internet]

Cross-Site Request Forgery (XSRF)
  • Gmail sends the password through a secure HTTPS connection
      • That cannot be captured by the attacker
  • But the cookie identifying the user is sent in the clear with HTTP
      • That can easily be captured by the attacker
  • The attacker gets into your account without learning your password

Demonstration

XSRF Countermeasure
  • Use https://mail.google.com instead of http://gmail.com
  • No other mail service has this option at all, as far as I know

References
  • Cain: http://www.oxid.it/cain.html
  • Hamster: http://erratasec.blogspot.com/2007/08/sidejacking-with-hamster_05.html

Contact
  • Sam Bowne
  • Computer Networking and Information Technology
  • City College San Francisco
  • Email: sbowne@ccsf.edu
  • Web: samsclass.info
  • Last modified 6-26-08
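
The countermeasure slide above depends on the identifying cookie never travelling over plain HTTP. As an added example (not part of the original slides), this Python check audits one response's headers for authentication cookies that lack the Secure attribute and for a missing Strict-Transport-Security header. The cookie names, header values and finding codes are constructed for illustration.

```python
# Constructed sample response headers (illustrative, not captured from any real service).
SAMPLE_HEADERS = [
    ("Set-Cookie", "SESSION_ID=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "AUTH_TOKEN=def456; Path=/; Domain=.mail.example"),
    ("Set-Cookie", "lang=en; Path=/"),
    ("Strict-Transport-Security", "max-age=31536000"),
]

# Hypothetical names of the cookies that identify the logged-in user.
AUTH_COOKIES = {"SESSION_ID", "AUTH_TOKEN"}


def parse_set_cookie(value):
    """Return (cookie name, set of lowercase attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit_headers(headers, auth_cookie_names):
    """Return a list of (subject, finding) tuples for one HTTP response."""
    findings = []
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        # Without Secure, the browser attaches the cookie to http:// requests
        # as well, where anyone on the same network segment can read it.
        if name in auth_cookie_names and "secure" not in attrs:
            findings.append((name, "no-secure-flag"))
    # HSTS tells the browser to use HTTPS for every later request to the host,
    # so the user does not depend on typing https:// by hand.
    if not any(k.lower() == "strict-transport-security" for k, _ in headers):
        findings.append(("response", "no-hsts"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit_headers(SAMPLE_HEADERS, AUTH_COOKIES):
        print(f"{subject}: {finding}")
```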
