Subject: HACK
Supervisor: Dr. Sheikhi
Creators: Alireza Honardoost, Seyed Ali Toliat, Alireza Sherkatavval
What’s the meaning of HACK?
Literary meaning: to cut into pieces in a rough and violent way, often without aiming exactly.
Terminological meaning: to get into other computer systems without permission in order to find out information or do something illegal.
5 of the Biggest Computer Hacks in History
1. Operation Shady RAT
These attacks began in 2006. The operation is named RAT for its utilization of remote access tools that allow computers to be remotely controlled from anywhere in the world.
Those victimized include the United Nations, worldwide businesses, the World Anti-Doping
Agency, the International Olympic Committee, etc.
Between August 23, 1999, and October 27, 1999, Jonathan James committed a series of intrusions into various systems.
What brought him to the attention of federal authorities, however, was his intrusion into the
computers of one of the divisions of the United States Department of Defense.
3. Melissa Virus
Comodo, a company that provides those certificates (SSL), was hacked in 2011 by an Iranian
programmer.
He could create fake security certificates that led people to believe that they were logging into
Yahoo or Google. It allowed the hacker to eavesdrop on any email sent from these services
and gain personal information.
5. PlayStation Network Hack
This particular hack clearly demonstrates that more than just computers are at risk of being
compromised.
In 2011, a hacker accessed the PlayStation Network system, which resulted in the loss of data and personal information for some 77 million users.
The company had to shut down for 20 days and lost an estimated $171 million.
Types of Hackers
Hackers
Hackers are knowledgeable people, with right or wrong intentions, who are involved in stealing data, harming systems, or intruding into systems to evaluate their security.
There are different types of hackers. Let’s take a look at the types of hackers and the
methods of hack attacks and techniques.
1. White Hat Hackers
White hat hackers are certified to hack the systems that work for governments or
organizations as per the rules and regulations set by the government.
Motives & Aims: The goals of these types of hackers are helping businesses and an appetite for detecting gaps in networks’ security.
2. Black Hat Hackers
Black hat hackers attack other systems to access systems where they do not have
authorized entry and steal the data or destroy the system.
Motives & Aims: To hack into organizations’ networks and steal bank data, funds, or
sensitive information.
They usually use the stolen resources to profit themselves by selling them on the black
market or harass their target company.
3. Gray Hat Hackers
The gray hat hacker falls in between the black hat hackers and white hat hackers. They are
not certified hackers. These types of hackers work with either good or bad intentions.
Motives & Aims: The difference is, they don’t want to rob people nor want to help people in
particular.
Rather, they enjoy experimenting with systems to find loopholes, crack defenses, and
generally find a fun hacking experience.
- There are other types of hackers that include:
4. Script Kiddies
9. Hacktivist
In many cases, an attacker can modify or delete this data, causing persistent changes to the
application's content or behavior.
- There are a wide variety of SQL injection vulnerabilities, attacks, and techniques, which arise
in different situations.
Some common SQL injection examples include:
Retrieving hidden data, where you can modify an SQL query to return additional results.
Subverting application logic, where you can change a query to interfere with the application's logic.
UNION attacks, where you can retrieve data from different database tables.
Examining the database, where you can extract information about the version and structure of the database.
Blind SQL injection, where the results of a query you control are not returned in the application's responses.
How to prevent SQL injection?
Most instances of SQL injection can be prevented by using parameterized queries (also
known as prepared statements) instead of string concatenation within the query.
The following code is vulnerable to SQL injection because the user input is concatenated
directly into the query:
String query = "SELECT * FROM products WHERE category = '" + input + "'";
Statement statement = connection.createStatement();
ResultSet resultSet = statement.executeQuery(query);
This code can be easily rewritten in a way that prevents the user input from interfering with
the query structure:
PreparedStatement statement = connection.prepareStatement("SELECT * FROM products WHERE category = ?");
statement.setString(1, input);
ResultSet resultSet = statement.executeQuery();
Parameterized queries can be used for any situation where untrusted input appears as data
within the query, including the WHERE clause and values in an INSERT or UPDATE
statement.
They can't be used to handle untrusted input in other parts of the query, such as table or
column names, or the ORDER BY clause.
For a parameterized query to be effective in preventing SQL injection, the string that is used
in the query must always be a hard-coded constant, and must never contain any variable
data from any origin.
Do not be tempted to decide case-by-case whether an item of data is trusted, and continue
using string concatenation within the query for cases that are considered safe.
It is all too easy to make mistakes about the possible origin of data, or for changes in other
code to violate assumptions about what data is tainted.
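The contrast described above, as an added example that is not part of the original document: it is written in Python with an in-memory SQLite database so it runs stand-alone, and it also covers the ORDER BY case by selecting between hard-coded query constants. The table contents, function names and the sample input are constructed for illustration.

```python
import sqlite3

# Constructed sample data: released = 0 marks a row the application should hide.
ROWS = [
    ("Mug", "Gifts", 9.5, 1),
    ("Card", "Gifts", 2.0, 1),
    ("Prototype", "Gifts", 99.0, 0),
    ("Lamp", "Home", 30.0, 1),
]

# Column names cannot be bound as parameters, so each permitted sort order
# gets its own hard-coded query; user input only selects a dictionary key.
QUERIES = {
    "name": "SELECT name FROM products WHERE category = ? AND released = 1 ORDER BY name",
    "price": "SELECT name FROM products WHERE category = ? AND released = 1 ORDER BY price",
}


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, category TEXT, price REAL, released INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?, ?)", ROWS)
    return conn


def list_concat(conn, category):
    # Vulnerable form from the text: the input becomes part of the SQL structure.
    query = ("SELECT name FROM products WHERE category = '" + category +
             "' AND released = 1")
    return [row[0] for row in conn.execute(query)]


def list_safe(conn, category, sort="name"):
    # Unknown sort keys are rejected; nothing user-supplied reaches the SQL text.
    if sort not in QUERIES:
        raise ValueError("unsupported sort key")
    return [row[0] for row in conn.execute(QUERIES[sort], (category,))]


if __name__ == "__main__":
    db = make_db()
    crafted = "Gifts'--"  # constructed input: closes the quote, comments out the filter
    print(list_concat(db, crafted))            # hidden row is returned
    print(list_safe(db, crafted))              # treated as a literal category name
    print(list_safe(db, "Gifts", sort="price"))
```

With the concatenated query the crafted value removes the `released = 1` filter, while the parameterized query treats the same value as a category name that matches no rows.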
2. Denial of Service/Distributed Denial of Service (DoS/DDoS)
A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal
traffic of a targeted server, service or network by overwhelming the target or its surrounding
infrastructure with a flood of Internet traffic.
From a high level, a DDoS attack is like an unexpected traffic jam clogging up the highway,
preventing regular traffic from arriving at its destination.
How does a DDoS attack work?
DDoS attacks are carried out with networks of Internet-connected machines. These networks
consist of computers and other devices which have been infected with malware, allowing
them to be controlled remotely by an attacker.
These individual devices are referred to as bots (or zombies), and a group of bots is called a
botnet.
When a victim’s server or network is targeted by the botnet, each bot sends requests to the
target’s IP address, potentially causing the server or network to become overwhelmed,
resulting in a denial-of-service to normal traffic.
Hacking Activity (Ping of Death)
We will assume you are using Windows for this exercise. We will also assume that you have
at least two computers that are on the same network.
You will need to set up your own network for this exercise, because DoS attacks are illegal
on networks where you are not authorized to carry them out.
Open the command prompt on the target computer and enter the command “ipconfig”. You
will get the results where the IP address of the target computer is written.
For this example, we are using Mobile Broadband connection details. Take note of the IP
address.
Note: For this example to be more effective, you must use a LAN network.
Switch to the computer that you want to use for the attack and open the command prompt.
We will ping our victim computer with infinite data packets of 65500.
Enter the following command:
ping <IP address> –t 65500
Many use a combination of different attacks to foil security teams, evade detection, and
maximize results.
In fact, about one-third of the DDoS attacks mitigated by Akamai this year have involved three
or more attack vectors, including an impressive 1.44 Tbps attack that employed nine different
attack vectors.
- Here are 10 concrete actions you can take to strengthen your system or company's security
posture against DDoS attacks:
Two mechanisms for server-side clickjacking protection are X-Frame-Options and Content
Security Policy.
1) X-Frame-Options
X-Frame-Options was originally introduced as an unofficial response header in Internet
Explorer 8 and it was rapidly adopted within other browsers.
The header provides the website owner with control over the use of iframes or objects so that
inclusion of a web page within a frame can be prohibited with the deny directive:
X-Frame-Options: deny
Alternatively, framing can be restricted to the same origin as the website using the
sameorigin directive:
X-Frame-Options: sameorigin
or to a named website using the allow-from directive:
X-Frame-Options: allow-from https://normal-website.com
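A defender-side check for the headers described above, as an added example that is not part of the original document: it classifies the framing protection a response actually provides. The function name and sample header values are hypothetical; it assumes the CSP `frame-ancestors` directive (not detailed on this page) as the Content Security Policy control, and flags `allow-from` because current browsers no longer honor it.

```python
def framing_policy(headers):
    """Classify clickjacking protection from (name, value) response headers."""
    xfo = [v.strip().lower() for n, v in headers
           if n.lower() == "x-frame-options"]
    csp = [v for n, v in headers
           if n.lower() == "content-security-policy"]

    # A frame-ancestors directive supersedes X-Frame-Options in browsers
    # that implement it, so it is evaluated first. Simplification: only the
    # first policy carrying the directive is reported.
    for policy in csp:
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                return ("csp", " ".join(parts[1:]))

    if not xfo:
        return ("unprotected", "no framing header present")
    if len(set(xfo)) > 1:
        return ("unreliable", "conflicting X-Frame-Options values")

    value = xfo[0]
    if value in ("deny", "sameorigin"):
        return ("xfo", value)
    if value.startswith("allow-from"):
        # Obsolete directive: the page can still be framed in current browsers.
        return ("unreliable", "allow-from is not honored by current browsers")
    return ("unreliable", "unrecognized X-Frame-Options value")


if __name__ == "__main__":
    # Constructed sample responses.
    samples = [
        [("X-Frame-Options", "deny")],
        [("X-Frame-Options", "allow-from https://normal-website.com")],
        [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")],
        [],
    ]
    for sample in samples:
        print(framing_policy(sample))
```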
ar.sherkatavval@gmail.com