Ethical Hacking: Hacking GMail. Teaching Hacking.

Presentation transcript:

1 Ethical Hacking: Hacking GMail

2 Teaching Hacking

3 What do Hackers Do?
- Get into computer systems without valid accounts and passwords
- Open encrypted files without the key
- Take over Web servers
- Collect passwords from Internet traffic
- Take over computers with remote access trojans
- And much, much more

4 Ethical Hackers
- Ethical Hackers do the same thing criminal hackers do, with one difference
- Ethical Hackers have permission from the owner of the machines to hack in
- These "Penetration Tests" reveal security problems so they can be fixed

5 Two Hacking Classes
- CNIT 123: Ethical Hacking and Network Defense
  - Has been taught since Spring 2007 (four times)
  - Face-to-face and Online sections available Fall 2008
- CNIT 124: Advanced Ethical Hacking
  - Taught for the first time in Spring 2008

6 Certificate in Network Security

7 Associate of Science Degree

8 Student Agreement
- Required for every student in CNIT 123: Ethical Hacking and Network Defense or CNIT 124: Advanced Ethical Hacking

9 Sniffing Plaintext Passwords

10 Insecure Login Pages
- HTTP does not encrypt data
- Always look for HTTPS on login pages

11 Tool: Cain
- Click NIC icon to start sniffer
- Click Sniffer tab, Password tab on bottom
- From http://www.oxid.it/cain.html

12 Authentication Cookies

13 GMail Uses HTTPS
- Sniffing for passwords won't work
- Most Web mail services now use HTTPS too

14 Cookies
- Thousands of people are using Gmail all the time
- How can the server know who you are?
- It puts a cookie on your machine that identifies you

15 Gmail's Cookies
- Gmail identifies you with these cookies
- In Firefox, Tools, Options, Privacy, Show Cookies

16 Cross-Site Request Forgery (XSRF)

17 Diagram: Target Using Email, Router, To Internet, Web-based Email; Attacker Sniffing Traffic

18 Cross-Site Request Forgery (XSRF)
- Gmail sends the password through a secure HTTPS connection
- That cannot be captured by the attacker
- But the cookie identifying the user is sent in the clear, with HTTP
- That can easily be captured by the attacker
- The attacker gets into your account without learning your password

19 Demonstration

20 XSRF Countermeasure
- Use https://mail.google.com instead of http://gmail.com
- No other mail service has this option at all, as far as I know
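The weakness behind slides 18 and 20 is that the identifying cookie is not restricted to HTTPS (in cookie terms, it was set without the Secure attribute), so the browser attaches it to any plain-HTTP request to the site, where a sniffer can read it; the Hamster reference at the end calls this sidejacking. The script below is an added example, not part of the slides or of any Google code: it parses constructed Set-Cookie headers (made-up example.com cookies) with a simplified browser matching rule and reports which cookies would be sent in the clear for a given URL and which ones the server set without Secure, which is the server-side fix that the "always use https://mail.google.com" advice works around on the client side.

```python
from urllib.parse import urlsplit

# Constructed sample Set-Cookie headers (made up; not real Gmail responses).
SAMPLE_SET_COOKIE_HEADERS = [
    "SID=abc123; Domain=.example.com; Path=/; HttpOnly",
    "GX=def456; Domain=mail.example.com; Path=/mail; Secure; HttpOnly",
    "PREF=ID=xyz; Domain=.example.com; Path=/",
]

def parse_set_cookie(header):
    """Split 'name=value; Attr=val; Flag' into a dict; bare flags become True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")  # the value may itself contain '='
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}

def domain_matches(host, cookie_domain):
    """A Domain of '.example.com' covers example.com and every subdomain of it."""
    cookie_domain = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)

def would_be_sent(cookie, url):
    """Simplified browser rule: scheme, then domain, then path must all fit."""
    parts = urlsplit(url)
    attrs = cookie["attrs"]
    host = parts.hostname or ""
    if "secure" in attrs and parts.scheme != "https":
        return False  # a Secure cookie never travels over plain HTTP
    if not domain_matches(host, attrs.get("domain", host)):
        return False
    return (parts.path or "/").startswith(attrs.get("path", "/"))

def exposed_cookies(set_cookie_headers, url):
    """Names of cookies an eavesdropper would see on a plain-HTTP request to url."""
    if urlsplit(url).scheme != "http":
        return []
    cookies = [parse_set_cookie(h) for h in set_cookie_headers]
    return [c["name"] for c in cookies if would_be_sent(c, url)]

def missing_secure_flag(set_cookie_headers):
    """Cookies the server set without Secure; adding that attribute is the fix."""
    return [c["name"] for c in map(parse_set_cookie, set_cookie_headers)
            if "secure" not in c["attrs"]]
```

Running `exposed_cookies(SAMPLE_SET_COOKIE_HEADERS, "http://mail.example.com/mail/")` lists SID and PREF, the two cookies a sniffer on the path would capture, while the Secure GX cookie stays off the wire.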

21 References
- Cain: http://www.oxid.it/cain.html
- Hamster: http://erratasec.blogspot.com/2007/08/sidejacking-with-hamster_05.html

22 Contact
- Sam Bowne
- Computer Networking and Information Technology
- City College San Francisco
- Email: sbowne@ccsf.edu
- Web: samsclass.info
- Last modified 6-26-08
