Ethical Hacking

6. Recent Legislation and Computer Hacking

There should be a law against it!

There is. And quite a lot of them!

  • Computer Misuse Act
  • Copyright, Designs & Patent Act 1988
  • Data Protection Act (DPA) & General Data Protection Regulation (GDPR)
  • Communications Act 2003

Notice that these laws more or less provide protection to everything that can be done on computer devices. They protect users from others misusing any of your equipment by changing it physically or with software. They provide protection to your intellectual property or what you create and store on your computer and they help protect privacy. Finally, it offer safeguards to what you say and what you transmit between computer devices.

Then there are the laws that govern what invesitgatory bodies (e.g the Police) are permitted to do. From searching for and confiscating equipment, what they can look for on equipment and what invesitgatory bodies (e.g GCHQ) can do to interecept, read or listen to communications.

Cyber Laws
Not Responsible ... or are they?

Telling the difference between the 'good' guys and the 'bad' guys used to be easy. People were either White hat or Black hat hackers and it was easy to identify which laws were broken and when. However, given the rise of 'hacktivism' together with the growth of ethical hacking, it is getting harder and harder to distinguish who is doing what when.

Now, 'hats' come in all colours. From 'Grey' hat hackers to 'Bue' or 'Red' hat guys.

Hacking Hats
Kane Gamble

A recently famous hacker often reported as 'Teen hacks the CIA'. One of the most secure organisations in the world, so you would of thought.

Until that is a young lad from Coalville UK, managed to do it.

Use the internet to find out what he did and how he did it.

Lauri Love

Lauri is another famous hacker. The Americans wanted to extradite to the States where he could have been jailed for 99 years.

People may have thought this harsh but fair.

Find out what he did. And discover why the extradition attempt failed.

Gary McKinnon

'Free Gary McKinnon' ran the campeign. Find out what he did and why he did it.

The British government agreed to send him to America, but it didn't happen. Why not?

Do you think it's right that people should use their medical condition to avoid the consequences of their actions? After all, ignorence is supposed to be no excuse in the eyes of the law and everybody knows its wrong to hack

We are legion

While the sterotype of hackers as 'spotty faced friendless loners with no social life and an inability to communicate with any one in real life (IRL)' may exist, it's not really true ... and of course they all wear hoodies.

In reality, hackers are very social, especially on line and will readily form groups with others to exchange tricks and tips, share ideas and swap information.

On occassion they will work together to 'hack' into targets driven by shared political ideas as a protest or as an act of 'hacktivism'.

Anonymous
Tasks

Create nother page with a suitable title in your Notebook and answer the following questions.

  1. Explain what is:-
    1. Grey hat hacker
    2. Blue hat hacker
    3. Red hat hacker
  2. Research Edward Snowden. What did he do? Was he right to do what he did or should be be jailed for treason?
  3. Use the internet to discover the top ten most infulential hacking groups. Write them down as a list with a very brief descrition of the aims.
  4. If you were to join a hacking group, which hacking group would join and give your reasons.
  5. Discuss your choice with your neighbour. Is their choice ethical? Is yours? Who's right?
Edward Snowden
Denial of Service

This is where a target is so flooded with messages that it becomes impossible to work. All good fun until it happens to you, and if you are a business, time spent off line can be valuable. So its a common test.

There are two types of attacks DDoS and Dos

  1. Distributed Denial of Service(DDoS) attack. This is recruiting a large number of computers to create a 'botnet' that all make requests to a single server.
  2. Denial of Service (DoS) attack. The use of one computer to generate lots of calls to a servers. This is the simplest and most common and there are many favoured programs that can be used. SET, Metasploit and Ettercap can be used.

There are quite a few dedicated DoS programs that can be used. The one used here (Xerxes) is one of the simplest and best. So follow along and clone it on the desktop. Use xerxes gcc xerxes.c -o xerxes to compile the script. Watch the movie to see how easy it is to use. Don't worry, that the video is using the Linux Parrot interface, everything works the same.

Try it on www.jhigh.co.uk. The attack will fail which is what you want as a pentester, because you then know the site is protected against a DoS attack.

Already in Kali Linux is Ettercap a program encountered in mitm attacks. For a DoS attack, launch Ettercap, choose unified sniffing then manage plugin. From the plugins menu, find dos_attack. Run it with the IP address of the target website (ping the address to find the IP address). Use the website isitdownnow.com to discover the website status.

While the attact doesn't appear to do much, it can be used as part of another attack, for example to harvest credentials when the target has to reboot thier computer to exscape the DDoS attack or to complete the installation of malware during the reboot process.

Always make sure you have permission to try this out against a server.

No BeEF with you!

DoS attacks servers, flooding them with requests to the point they can no longer respond. Browsers through, present another attack vector.

The Browser Exploitation Framework (BeEF) is penetration testing tool that targets the browser. It goes beyond the webserver and its associated security defences and aims to attack the browser directly to see whether it can be hijacked and used as point to launch further attacks.

From a pentester's viewpoint, it is probably the next set tests to try, after attempting a DoS and DDoS attack.

For the next example, make sure you have a vulnerable copy of Windows installed - check with your teacher. We are going to use the javavacript fille hook.js on an html page which is going to be detected by BeEF on Kali Linux machine from which we are going to launch further attacks.

Download some code for creating your own html file. Code

The situation we've used in slightely artificial in that we hard coded the hook.js file into the structure of the web page. In real life, we might spoof the site with a button containing a suitable tempting image which tricks the user into installing the file.

The BeEF program detects the click and tells the pentester that they are ready to begin a series of attacks. Try a few yourself, not forgetting the key which tells you which work and are undetectable, those that work but can be detected, those which haven't been tested and those that won't.

Unlike Metasploit, the payloads or hacks are seaprated out into different categories based on the operating system. Instead they are orientated towards browsers and different applications.

Moving onto the next level we combine the use of BeEF to hook into a browser to establish a persistent link between the attack computer and target and then use Metasploit to create a payload to open a meterpreter session so the computer is pwned.

You should be able to:-
  • Provide examples of a range of laws that apply to all hackers.
  • Identify the different types of hackers
  • Provide example of influential hacker groups together with their motivations.
  • Test whether webservers are vulnerable to DoS attacks.
  • Conduct a pentesting attack on browsers.

If you don't feel confident in meeting any of these performance criteria, ask your teacher or re-read the information again.

Cyber Security

  • Security Fundamentals
  • Data Security
  • Digital Forensics
  • Ethical Hacking
Supporting courses by the SQA Logo
css badge
html badgee