Ethical Hacking - University Of Ottawa


Ethical Hacking
Alana Maurushat
University of Ottawa Press, 2019

The University of Ottawa Press (UOP) is proud to be the oldest of the francophone university presses in Canada and the only bilingual university publisher in North America. Since 1936, UOP has been “enriching intellectual and cultural discourse” by producing peer-reviewed and award-winning books in the humanities and social sciences, in French or in English.

Library and Archives Canada Cataloguing in Publication
Title: Ethical hacking / Alana Maurushat.
Names: Maurushat, Alana, author.
Description: Includes bibliographical references.
Identifiers: Canadiana (print) 20190087447 | Canadiana (ebook) 2019008748X | ISBN 9780776627915 (softcover) | ISBN 9780776627922 (PDF) | ISBN 9780776627939 (EPUB) | ISBN 9780776627946 (Kindle)
Subjects: LCSH: Hacking—Moral and ethical aspects—Case studies. | LCGFT: Case studies.
Classification: LCC HV6773 .M38 2019 | DDC 364.16/8—dc23
Legal Deposit: First Quarter 2019, Library and Archives Canada

© Alana Maurushat, 2019, under Creative Commons License Attribution—NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0)

Printed and bound in Canada by Gauvin Press

Copy editing: Robbie McCaw
Proofreading: Robert Ferguson
Typesetting: CS
Cover design: Édiscript enr. and Elizabeth Schwaiger
Cover image: Fragmented Memory by Phillip David Stearns, n.d., Personal Data, Software, Jacquard Woven Cotton. Image © Phillip David Stearns, reproduced with kind permission from the artist.

The University of Ottawa Press gratefully acknowledges the support extended to its publishing list by Canadian Heritage through the Canada Book Fund, by the Canada Council for the Arts, by the Ontario Arts Council, by the Federation for the Humanities and Social Sciences through the Awards to Scholarly Publications Program, and by the University of Ottawa.

Table of Contents

Chapter I: Why Ethical Hacking?
  1.1 You
  1.2 Me
  1.3 Ethical Hacking

Chapter II: Essential Terms and Concepts
  2.1 Types of Ethical Hackers
  2.2 Definitions and Typology of Ethical Hacking
  2.3 Conventional Computer-Security-Threat Model
  2.4 Common Methods Used in Ethical Hacking
  2.5 Other Relevant Terms

Chapter III: Methodology and Quantitative Studies of Ethical Hacking: Evidence-Based Decision and Policy-Making
  3.1 Report for Public Safety Canada, 2011
  3.2 Summary of Findings
  3.3 GDELT Analysis Service—Event Data (with Kevin Kim)
  3.4 Google’s BigQuery (with Richard Li)
  3.5 Dark-Net Analysis of Malware and Cyber-Jihad Forums
    3.5.1 Cyber-Jihad Forums (with Adrian Agius)
    3.5.2 Hacking Forums (with Richard Li)
  3.6 Observations

Chapter IV: Legal Cases Around the World (with Jelena Ardalic)

Chapter V: Select Ethical-Hacking Incidences: Anonymous

Chapter VI: Select Ethical-Hacking Incidences: Chaos Computer Club, CyberBerkut, LulzSec, Iranian Cyber Army, and Others

Chapter VII: Online Civil Disobedience
  7.1 Online Civil Disobedience in Context
  7.2 Timeline
  7.3 Case Studies
    7.3.1 Anonymous, Operation Titstorm
    7.3.2 German Lufthansa Protest
    7.3.3 Twitter #TellVicEverything Campaign
  7.4 Observations

Chapter VIII: Hacktivism
  8.1 Hacktivism in Context
  8.2 Timelines
  8.3 Case Studies
    8.3.1 Anonymous, Post-Christmas Charity Donations
    8.3.2 Neo-Nazi Website
    8.3.3 WikiLeaks, Operation Payback
  8.4 Observations

Chapter IX: Penetration/Intrusion Testing and Vulnerability Disclosure
  9.1 Penetration Testing and Vulnerability Disclosure in Context
  9.2 Timeline
  9.3 Case Studies
    9.3.1 Australian Security Expert Patrick Webster
    9.3.2 Cisco Router
    9.3.3 LulzSec Hacking to Incentivize Sony to Fix Known Software Bugs
    9.3.4 Guardians of Peace, North Korea, and the Sony Pictures Hack
    9.3.5 Vulnerability Hunter Glenn Mangham
    9.3.6 Da Jiang Innovation
  9.4 Observations

Chapter X: Counterattack/Hackback
  10.1 Counterattack/Hackback in Context
  10.2 Case Studies
    10.2.1 LulzSec, MasterCard and PayPal, and Barr
    10.2.2 Illegal Streaming Link Sites
    10.2.3 Automated Counter-DDoS
  10.3 The Legalization of Hackback
  10.4 Observations

Chapter XI: Security Activism
  11.1 Security Activism in Context
  11.2 Case Studies
    11.2.1 Spamhaus Project
    11.2.2 Spam Fighter
    11.2.3 Botnet Removal Communities
    11.2.4 Cyber-Security Researcher Y
  11.3 Observations

Chapter XII: Ethical-Hacking Challenges in Legal Frameworks, Investigation, Prosecution, and Sentencing
  12.1 Criminal Landscape: Convention on Cybercrime and the Canadian Criminal Framework
  12.2 Attribution
  12.3 Jurisdiction
  12.4 Evidence
  12.5 Integrity, Volatility of Evidence, and the Trojan-Horse Defence
  12.6 Damages
  12.7 Sentencing and Dealing with Mental Disorders—Addiction and Autism Spectrum (with PhD candidate Hannah Rappaport)
  12.8 Observations

Chapter XIII: Ethical Hacking, Whistle-Blowing, and Human Rights and Freedoms
  13.1 The Canadian Charter of Human Rights and Freedoms
  13.2 Whistle-Blowing and Ethical Hacking
  13.3 Observations

Chapter XIV: Toward an Ethical-Hacking Framework
  14.1 Ethical Hacking in Context
  14.2 Encourage Legitimate Space for Virtual Protests
  14.3 Guidelines and Policy
  14.4 Code of Conduct for Hackback
  14.5 Transparency of Government Engagement with Hackback
  14.6 Security Research Exemption and Public-Interest Consideration
  14.7 Concluding Remarks

Bibliography

Appendix: Interview Questions

CHAPTER I
Why Ethical Hacking?

This book aims to explore the issue of ethical hacking from an unconventional and unique viewpoint, one that draws upon my own vast experience in this area. My background spans seventeen years and has incorporated roles as a law and cyber-security professor, human-rights activist, cyber-policy consultant, technology developer, and cybercrime investigation advisor. It is this experience that I will draw upon to form the pillars of the book, which departs from some of the conventional thinking in this area. This is not a book about Anonymous or about hacking organizations per se, though case studies from various incidences are certainly explored. This book is about various types of activities that are often referred to as “ethical hacking”—hacking for an ethical reason—whereby it will be argued that law and policy ought not to be the same here as for those hacking activities that are purely for economic gain or to cause harm or mischief. As will be seen, I have grouped ethical hacking into five groups: online civil disobedience; hacktivism; penetration testing and security-vulnerability disclosure; counterattack/hackback; and security activism.

Let us start this journey first by talking briefly about you, about me, and then a lot about ethical hacking.

1.1 You

The book is designed to cater to a broad spectrum of readers, ranging from cyber-security experts and policy-makers to academics. Despite its intended primary audience, the book has also been written in such a manner as to make it accessible not only to university students but to the broader general public. The complexity and rate of change seen within areas of technology, cyber security, and ethical hacking make it essential not to assume that you are across all terminology. There are many terms that common media and blogs use incorrectly or interchangeably, such as “computer virus,” which turns out to be a “computer worm.” Other new methods of malicious-software propagation may emerge that a reader would not necessarily be familiar with. In general, ethical hacking involves many technical terms that require a foundational level of understanding in order to better understand policy and other issues. For example, a denial-of-service attack is potentially lawful if your own device is used to participate in an online political protest. It would not be lawful to use a botnet that connects to unknown or third-party devices to participate in the same protest. The aim is to provide you with digestible material that demonstrates concepts through engaging case studies. These case studies of ethical hacking, spanning the last twenty years, are dissected and catalogued in a manner that identifies the groups and movements, their motivations, and the techniques they used. You will see some of the most notorious of these incidences explored and referenced in chapters 4–6; then selected incidences are looked at in context and by issue in chapters 7–13.

If you are a policy-maker, chapters 3–7 and 14 are essential reading. Chapter 3 provides the only publicly available quantitative analysis of ethical hacking in the world. The stark numbers contained within this chapter will assist you in demonstrating why the decisions and policies you recommend are fundamentally essential. As a policy-maker, you are all too aware that in a world of cleverly masked sensationalism posing as substantive information it has become difficult to discern what information can be trusted. Chapters 4–6 table legal cases and selected noteworthy incidences from the quantitative analysis. Throughout chapters 7–13 I aim to provide you with intricate and, at times, intimate looks at the world of ethical hacking, which will assist you in generating well-informed and robust policy. Chapter 14 discusses the frameworks and changes required as a matter of both policy and law.

If you are a cyber-security expert or consider yourself a hacktivist, there are ethical and legal issues contained within this book that are essential reading. This includes policy and legal lines to be cautious of, which could easily see you cross from that of “ignore action with caution” to one of “prosecute” by authorities. These cautionary tales are drawn from my experience undertaking a large range of roles, as described above.

As I know all too well, the issues surrounding cyber security have garnered interest from a broad demographic of society, and are not limited to just policy-makers, experts, and academics. Even if you do not fit within any of the three latter categories, I would still love for you to drop me a line at alanacybersecurity.com and let me know your background. While I keep analytics on how many people visit the site, and the general geographic area of the IP addresses, this will give me an opportunity to engage with you and understand the broader community interests. But please remember that if you are looking at the site or wish to contact me about a private or sensitive matter, this site offers no anonymity to you. So, connect with a VPN, proxy or other anonymizer such as TOR.

www.alanacybersecurity.com

There is also the option of communicating later using encryption and, for journalists, I have and use Signal.

1.2 Me

I have a confession: I am an ethical hacker. I use technology in a non-violent way in the pursuit of a cause, political or otherwise, which is often legally and morally ambiguous. I don’t intentionally break the law. Many of the actions I take are assumed by politicians, lawmakers, and people around the globe to be legal because there are few to no legal precedents and scant reportage. The law is written broadly, in a way that captures far more than one might expect. Part of my motivation for writing this book is to highlight how desperately new law and policy are required for ethical hackers.

As a human-rights activist I work to educate and protect online civil liberties globally, but more specifically for the jurisdictions in which I have lived and worked, namely Canada, Hong Kong, and Australia. When I lived in Hong Kong I provided research assistance for the OpenNet Initiative (a collaborative partnership between the Citizen Lab at the University of Toronto, the Berkman Center for Internet & Society at Harvard Law School, and the Advanced Network Research Group at the Cambridge Security Programme, Cambridge University) to examine how Chinese authorities filtered the Internet in 2003–2005. The testing of which sites were blocked in the Chinese firewall meant that a host of domestic Chinese laws were violated, even though the object was merely to provide an accurate reflection of what types of sites were blocked, along with where, when, and possibly why these sites were filtered. I continue to be involved in research efforts addressing civil liberties and Internet freedom for the nongovernmental Freedom House, a liberty watchdog. I was the researcher and author of the Australian Internet Freedom portion of the annual Freedom House Report, Freedom on the Net (2011–2017). Freedom on the Net is the most widely utilized worldwide resource for activists, government officials, journalists, businesses, and international organizations aiming to understand the emerging threats and opportunities in the global Internet landscape, as well as policies and developments in individual countries.

I am a professor and researcher above all else—I currently am the Professor of Cybersecurity and Behaviour at Western Sydney University. I am in the privileged position of leading multidisciplinary research and lecturing teams across a range of cyber-security projects and courses. I work with industry, government, and civil society on a daily basis. But my views about ethical hacking can be traced to a time and place long before I became a professor of cyber security. Here is a bit more about what informs the research, analysis, and opinions represented in this book.

I was a key researcher with the law and policy division of the Data to Decisions Cooperative Research Centre (D2DCRC). The D2DCRC specializes in big data/artificial intelligence for national-security purposes. The centre involved multiple computer scientists and data scientists from universities, industry (e.g., Palantir and SASS) along with governmental departments predominantly in Australia but also in Canada and the United Kingdom. With the D2DCRC, we worked on confidential matters where we helped groups make informed decisions on how new technologies were being built and how they would function based on proposed new legal and policy frameworks.

From an international perspective, I was fortunate enough to be asked to speak at a United Nations workshop in China on cyber security and human rights, where the majority of attendees were students and professors in the cyber-security division of the People’s Liberation Army’s National Defence University. The questions asked and views imparted to me were enlightening, and reminded me how much misinformation there is in cyber security and ethical hacking. My research from my honours in law, masters, and PhD degrees—and indeed my current research—has been entirely interdisciplinary, as has my work with government, law firms, and later with universities. For my PhD I worked with underground security-activist groups concerned with botnets, conducted empirical qualitative research, and worked closely with the technical community to deepen the research. I worked with individuals and organizatio

