Here’s news about yet another cryptocurrency hack that has impacted Japan. Zaif, the Japanese cryptocurrency exchange platform has been attacked and hackers have got away with 6.7 billion yen ($60 million) worth of company and user funds. It’s the Osaka-based Tech Bureau Corp that operates Zaif.
Reuters reports- “Japanese cryptocurrency firm Tech Bureau Corp said about $60 million in digital currencies were stolen from its exchange, highlighting the industry’s vulnerability despite recent efforts by authorities to make it more secure.”
The hack has reportedly happened on September 14, 2018, between 5 p.m. and 7 p.m. local time and it was noticed by the exchange on September 17, 2018. The breach was reported to the authorities the next day.
The Reuters report, dated September 20, 2018, says, “Tech Bureau, which had already been slapped with two business improvement orders by regulators this year, said its Zaif exchange was hacked over a two-hour period on Sept. 14. It detected server problems on Sept. 17, confirmed the hack the following day, and notified authorities, the exchange said on Thursday.”
As mentioned, Japan’s Financial Services Agency (FSA) has already issued two business improvement orders (one in March 2018, the other in June 2018) to Tech Bureau Corp for its lax management structure. These had happened in a span of three months, the first one in March 2018 and the second one in June 2018. Reports say that FSA is likely to issue a third warning now.
The cryptocurrency stolen include bitcoin, monacoin, and bitcoin cash; of the $60 million stolen, $37.8 million were bitcoin funds. Bitcoin Magazine reports, “Of the stolen money, the hacker siphoned 4.5 billion yen (about $40 million USD) from user accounts and 2.2 billion yen (just under 19.5 million USD) from the company’s own assets. The three virtual currencies stolen include bitcoin, monacoin and bitcoin cash. Of those, $37.8 million were bitcoin funds (5,966 BTC).”
The hackers had stolen all the cryptocurrency from a server that manages the exchange’s hot wallet (the wallet that remains online for immediate transactions). The exact number of bitcoin cash and monacoin stolen would come to light once Tech Bureau Corp gets its servers back up.
The cryptocurrency exchange has suspended its services temporarily. The services would be restored once the network is restored. Reports also say that Tech Bureau Corp plans to pay back its customers and that the company had already arranged for a 5 billion yen ($44.59 million) investment.
The Reuters report says, “Following the hack, Tech Bureau said it had agreed with JASDAQ-listed Fisco Ltd (3807.T) to receive a 5 billion yen ($44.59 million) investment in exchange for majority ownership. The proceeds from the investment would be used to replace the digital currencies stolen from client accounts. However, Fisco said in a statement the 5 billion yen in “financial assistance” may change in value if the amount affected by the heist changes upon further investigation.”
This data breach proves to be another setback for Japan, a country that has been trying its best to regulate its cryptocurrency exchanges. The Tokyo-based Coincheck had suffered a hack earlier this year, incurring a loss of $530 million worth of NEM tokens.
The popular culture has depicted hackers as evildoers in movies, in TV series and even in the primetime news. However, the commodification of technology-enabled our modern environment of patch-cycles and hotfix treadmills. We use bloated software every day, and the size of the software is not decreasing, it followed the trend of Moore’s Law for many decades.
Today, the real world of technology is highly dependent on white hat hackers in order to keep their platforms secure. Facebook, Microsoft, Google, and even the almighty Apple are generously paying hackers large amounts of money, usually in the six-digits in order to discover loopholes and flaws in their software. There is a trend towards the normalization of the term hacker, to include not only the knowledgeable cybercriminals, but also those that are highly skilled in IT, which helps fix security issues.
The negative image of being a hacker remains, but this time around – white hat hackers are hitting two birds with one stone. Companies are starting to accept that they cannot keep their software secure by themselves alone, they need external eyes in order to pass a certain acceptable quality of their products and services.
Even in the age of cybersecurity news, there are still many companies that missed the train, the importance of penetration testing and ethical hacking activities. Ethical hackers are self-taught professionals, that loves computers and technology, with the goal of helping companies to harden their cybersecurity.
Vulnerabilities in software, hardware and firmware are money waiting to be earned. That is both true for a black hat and white hat hackers. Blackhat hackers earn a lot of money from the profits of their ransomware, phishing and cyberjacking activities.
“We have long enjoyed a close relationship with the security research community. To honor all the cutting-edge external contributions that help us keep our users safe, we maintain a Vulnerability Reward Program for Google-owned web properties, running continuously since November 2010. Note that the scope of the program is limited to technical vulnerabilities in Google-owned browser extensions, mobile, and web applications; please do not try to sneak into Google offices, attempt phishing attacks against our employees, and so on,” explained Google in their official page, discussing their software bounty program.
Facebook on their part, has their own take with the bounty program: “If you believe you have found a security vulnerability on Facebook (or another member of the Facebook family of companies), we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. We recognize and reward security researchers who help us keep people safe by reporting vulnerabilities in our services. Monetary bounties for such reports are entirely at Facebook’s discretion, based on risk, impact, and other factors.”
Microsoft has been running a bounty program for five years now: “Microsoft offers direct payments in exchange for reporting certain types of vulnerabilities and exploitation techniques. Since June 2013, we have also offered bounties for certain classes of vulnerabilities reported to us. These bounty programs help Microsoft harness the collective intelligence and capabilities of security researchers to help protect customers. Some bounty offerings are time limited so please refer to the table below for complete information on each program.”
In spite of the cybersecurity business progressing at a promising rate, malware keeps on plaguing businesses. Indeed, it was discovered that the greater part of the data breach has occurred after a malware infected attachment enters the system: this record for right around 66% of all malware attacks and with no sign that hackers take their foot off the throttle, this figure could be just a guess, it could even be more.
A preventative move should be made yet with security experts assets spread thin, what more would organizations be able to do to improve their security?
The new generation of hackers comprehends the naivety and the unexpected nature that devours several within an association. In the event that an endeavour has a thousand representatives, it just takes one to open an infected attachment for the malware attack to be successful. The numbers are in their favour.
These malware plagued attachment are generally sent by means of email with the intention to trick the innocent users, or there will be a fake link to be clicked. Along these lines, businesses must adopt a proactive strategy to enable employees to perceive a suspicious email and through the best possible channels, these dangers can be essentially wiped out.
A beginning stage is to teach the workforce on the most proficient method to recognize a potential phishing email. This incorporates filtering the email for clear spelling botches; if the senders’ email is unrecognized, or the email urges you to give basic data like a username, password or money related details.
Tools for Security
Using existing malware is a common tactic used by cybercriminals, so patching and regularly updating operating systems is a critical component of security. This will help to deter known malware attacks as well as fix known system flaws. The patching needs to occur as soon as it is available as delaying this leaves a large window of opportunity for the organization to be attacked.
Utilizing existing malware is a typical strategy used by hackers, so fixing and routinely updating the system is a basic segment of security. This will help in safeguarding the malware attack and fix the system flaw. Fixing needs to do immediately as postponing it will leave the organization vulnerable to cyber attacks.
A tool touted to diminish the impact malevolent email is application whitelisting. By confining which applications are operational and constraining the access certain email accounts have, will guarantee that malicious mail doesn’t get in touch with critical servers.
Moreover, implementing email validation system, the domain based message validation, reporting and Conformance (DMARC) will likewise be useful in refining and removing spam or spoof emails.
Sandboxing is another method that many uses to channel messages before they reach the servers and can help detect unknown attachment that is malware infected. In spite of the fact that this can be helpful, its adequacy might decay since a considerable lot of the new strain of malware made is intended to evade sandboxing detection.
The defence methods mentioned will do a great deal in reducing the success rate of a malicious email getting through the system, but there is always more that can be done.
The defence techniques mentioned will complete a lot in lessening the success rate of malicious email traversing the system. Hackers are perpetually developing their modus of attack, by actualizing the methodologies above and that constantly monitors and fixes known vulnerabilities will at last outcome in a more grounded guard and less effective malware assaults.
Take a look at the obscure email with the nature of the alert and if it looks pipe dream, there’s in all probability a substantial avocation why. Once an email has been flagged, a methodology should be set up for individuals to report the thing to the security team to check the probability.
While educating the employees will make them more mindful, security is about layers so an extra line of protection is required. An essential arrangement that ought to be obligatory for each organization to have is anti-virus. This empowers the client to channel/filter messages and attachment and also offer by and large security to PCs, yet this by itself won’t do the trick in managing the further advance attack.
The Information Commissioner’s Office (ICO) has fined Equifax £500,000 for its 2017 data breach that affected 15 million Brits. A 2017 cyber-attack exposed information belonging to 146 million people around the world, mostly in the US.
Some of the compromised systems were also US-based.
But the ICO ruled Equifax’s UK branch stated that “Equifax failed to take appropriate steps” to protect UK citizens’ data.
It added that “multiple failures” meant personal information had been kept longer than necessary and left vulnerable.
At the time of the breach, Equifax said that 14.5 million of the exposed records did not contain information that put Brits at risk since it dated from 2011 to 2016, but later admitted that sensitive information affecting almost 700,000 customers was accessed, including email addresses, passwords, driving license numbers, and phone numbers.
“The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce,” said Elizabeth Denham, Information Commissioner.
This is compounded when the company is a global firm whose business relies on personal data. The ICO revealed that Equifax had also been warned before by the US Department of Homeland Security in March 2017 about a critical vulnerability in its systems. Appropriate steps to fix the vulnerability were not taken, according to the ICO.
Equifax was not happy with the findings and penalty said the firm’s spokesperson. He further said that “As the ICO makes clear in its report, Equifax has successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and it acknowledges the strengthened procedures which are now in effect.
“The criminal cyber-attack against our US parent company last year was a pivotal moment for our company. We apologize again to any consumers who were put at risk.”
Elizabeth Denham, Information Commissioner further said: “We are determined to look after UK citizens’ information wherever it is held. Equifax Ltd has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law.”
Newegg Inc., the leading online electronics retailer, has suffered a massive hack, with credit card data being stolen in large numbers.
It was an attack by the Magecart group that had caused the data breach, involving stealing of credit card data used for customer payments for over a month.
In fact, with this attack, newegg.com finds its place among some other high-profile eCommerce portals that have fallen victim to the financial theft group Magecart. The group, which specializes in skimming credit card details from unsecured payment forms on eCommerce websites, had recently carried out attacks at Ticketmaster Inc. and British Airways.
Security firm RiskIQ Inc., in a post that details the Newegg attack, says, “While the dust is settling on the British Airways compromise, the Magecart actor behind it has not stopped their work, hitting yet another large merchant: Newegg.”
RiskIQ Inc. has come out with the post after conducting a research, in collaboration with Volexity; the research involved analyzing the Magecart attacks using unique capabilities and datasets that RiskIQ Inc. has.
The Newegg hack had started on August 14, it involved injecting 15 lines of code into the payments page in Newegg’s website and mobile application.
In a detailed report, SiliconANGLE.com explains how the hack was carried out. The report says, “As with the recent Ticketmaster Inc. and British Airways airways hacks, the hackers placed the script to intercept credit card data on the final checkout page…The process, called “web-based card skimming,” saw the data sent to a server of a similarly named domain, in this case neweggstats.com. It came complete with an HTTPS certificate controlled by the hackers, obfuscating the fact that the credit data was being stolen.”
The researchers probing the incident confirmed how the hack was similar to the British Airways hack. The RiskIQ Inc. post explains, “The skimmer code is recognizable from the British Airways incident, with the same basecode. All the attackers changed is the name of the form it needs to serialize to obtain payment information and the server to send it to, this time themed with Newegg instead of British Airways. In the case of Newegg, the skimmer was smaller because it only had to serialize one form and therefore condensed down to a tidy 15 lines of script”
Newegg has confirmed the incident; the company has initiated the process of informing its customers. The company has confirmed that there had been a malware strike, following which some information might have been breached. The company is yet to ascertain which customer accounts could have been affected. Still, customers have been alerted and asked to keep an eye on their accounts for suspicious activities. Investigations are on; Newegg would soon come out with more details.
Though it has not been clarified as to how big a hack it is, an observation by RiskIQ could make us think as to how large the hack, which went on for over a month, could be. The RiskIQ post observes, “With the size of the business evaluated at $2.65 billion in 2016, Newegg is an extremely popular retailer. Alexa shows that Newegg has the 161st most popular site in the U.S. and Similarweb, which also gathers information on site visits, estimates Newegg receives over 50 million visitors a month. Over an entire month of skimming, we can assume this attack claimed a massive number of victims.”
GovPayNow.com, a payment processing firm that accepts US State and local government billing payments are currently in the hot seat, as an estimated 14 million of their customers’ records have been stolen. The records involved in the data breach include full names, address, phone numbers, and the last four digits of the customer’s credit card. GovPayNow.com has been the primary payment processing company covering payments for fines and penalties incurred by a US citizen.
“GovPayNet has addressed a potential issue with our online system that allows users to access copies of their receipts, but did not adequately restrict access only to authorized recipients,” said GovPayNet’s representative. The company has further defended itself from the negative perception of the public, in their defensive posturing the company emphasized: “The company has no indication that any improperly accessed information was used to harm any customer, and receipts do not contain information that can be used to initiate a financial transaction. Additionally, most information in the receipts is a matter of public record that may be accessed through other means. Nonetheless, out of an abundance of caution and to maximize security for users, GovPayNet has updated this system to ensure that only authorized users will be able to view their individual receipts. We will continue to evaluate security and access to all systems and customer records.”
Brian Krebs, a security expert of Krebsonsecurity.com has exposed that six years worth of personally identifiable data is now in the hands of third parties, and the poor victims are now in serious risk of identity theft. The data breach window started from 2012 until the last weekend, a very long time from the standpoint of security experts, not compared to an average data breach case.
This is not the first time that GovPayNet has been involved in a cybersecurity issue, in May 2018, their subsidiary Securus Technologies was involved with unauthorized real-time location tracking of mobile phone users in North America. Securus Technologies was also a victim of a data breach, where online credentials of law enforcement officials were stolen. These online credentials have capabilities to track the location of crime suspects via their mobile phones.
Critical infrastructure protection creates a new set of problems for national security. Different actors are involved. The focus is on civilian and commercial systems and services. Military force is less important. The scope of these new problems depends on how we define national security and how we set thresholds for acceptable damage. From a legal or public safety perspective, no country will accept even a single attack on the infrastructure or interruption of services.
If the goal is to prevent cyber-attacks from costing a single day of electric power or water service, we have set a very high standard for security. However, from a strategic military perspective, attacks that do not degrade national capabilities are not significant. From this perspective, if a cyber-attack does not cause damage that rises above the threshold of the routine disruptions that every economy experiences, it does not pose an immediate or significant risk to national security.
Among the different kinds of malware threats, ransomware still retains its dominance, according to the Europol Internet Organised Crime Threat Assessment 2018.
The Europol Assessment report says, “Even though the growth of ransomware is beginning to slow, ransomware is still overtaking banking Trojans in financially-motivated malware attacks, a trend anticipated to continue over the following years. In addition to attacks by financially motivated criminals, significant, public reporting increasingly attributes global cyber-attacks to the actions of nation states. Mobile malware has not been extensively reported in 2017, but this has been identified as an anticipated future threat for private and public entities alike.”
It further adds, “Illegal acquisition of data following data breaches is a prominent threat. Criminals often use the obtained data to facilitate further criminal activity. In 2017, the biggest data breach concerned Equifax, affecting more than 100 million credit users worldwide. With the EU GDPR coming into effect in May 2018, the reporting of data breaches is now a legal requirement across the EU, bringing with it hefty fines and new threats and challenges.”
The findings of the report gain relevance in the light of the ransomware attacks in the recent past, including high profile ones (WannaCry, NotPetya etc) and low-profile ones (Cerber, Cryptolocker, Locky etc), which have done great damages to businesses all over the world. Ransomware and ransomware attacks show an ever-evolving nature, with cybercriminals shifting attention from spam campaigns to highly targeted attacks, planned and executed against specific organizations.
The Europol report says, “As we have seen with other cyber-attacks, as criminals become more adept and the tools more sophisticated yet easier to obtain, fewer attacks are directed towards citizens and more towards small businesses and larger targets, where greater potential profits lie”
The report also warns organizations about the rising popularity of the cryptojacking malware among cybercriminals. The report points out, “Despite the revenues generated by ransomware, there are some predictions that cryptominers may overtake ransomware as money generators”. It further says, “Such attacks are infinitely more appealing to cybercriminals wishing to keep a low profile, requiring little or no victim engagement and, at least currently, minimal law enforcement attention
(with browser based mining not actually being illegal). Given that during 2017 Bitcoin prices reached a value of almost EUR 17 000 and the more easily mineable Monero reached almost EUR 400 (per coin), the risk vs reward clearly favours cryptomining, given that a typically quoted ransomware payment is around EUR 250.”
Europol also warns that remote access trojans still are a danger and data-stealing malware continues to be used in campaigns launched against businesses (mostly from the finance industry) as well as governments. The report also discusses telecommunication frauds, payment fraud, online child sexual exploitation etc.
Europol also stresses on the need for collaboration and additional training in the combat against cybercrime on the global level.
Internet-of-Things are slowly but surely making its presence felt both in the enterprise and everyday personal computing. It is a fresh area for innovation, as the smartphone market and the PC market are already both saturated. Those that needs a PC already have one, and those that requires a smartphone already bought themselves a smartphone. Not all household or companies have an IoT device, hence the growth in this area is still has huge potential.
Sprint in their goal to corner a portion of the growing IoT market has announced their innovation to improve the security of IoT platform. Sprint’s technology allow companies to establish a central connectivity hub which connects to IoT devices over the air to manage them. Using a customized SIM technology, Sprint wants to generate a more efficient IoT computing networking environment for the users.
“On top of our dedicated IoT core and operating system built together with Ericsson, our close collaboration with fellow SoftBank company, Packet enables an advanced distributed core network using bare metal servers at the edge that may be activated in minutes. Arm changes the way devices are managed over the air and data is analyzed while delivering unparalleled security from the chip to the cloud. Overall, Curiosity IoT reflects our unique approach in creating the absolute best operating and management environment for IoT – from system managers enhancing their increasingly IoT-centric operations to the most demanding applications in the immediate economy.” explained Ivo Rook, Sprint’s SVP for IoT.
There is a push in the IoT market to standardize, the current stance of the market of having their proprietary hardware paired with proprietary operating system. Arm with their many partners are starting to act on this problem: “IoT provides a tremendous opportunity for organizations to obtain actionable insights from their devices and data, but require strong company integrations to manage the vast industry fragmentation and security challenges. We are working with Sprint from device-to-data and bringing the IoT security and business-critical services that are vital for unlocking value from IoT.”
One of the current ways to secure IoT devices is to never join the IoT device with the rest of the WLAN. Due to the simplicity of IoT, they are always a target of cyber criminals. Use an isolated separate router or create a virtual LAN in the network switch for the IoT devices. This enables a good layer of security separating the IoT devices to the PC, smartphone, and tablet.
Users also don’t regret in discarding an IoT device in the event of an unpatchable bug/vulnerability. If a device model is abandoned by its manufacturer, discard it and use a supported model. The use of a non-supported model is like using a Windows XP PC today, the OS is no longer patched, hence risky to use online.
Below are the tips from Symantec on how to secure IoT devices today:
Research the capabilities and security features of an IoT device before purchase.
Perform an audit of IoT devices used on your network.
Change the default credentials on devices. Use strong and unique passwords for device accounts and Wi-Fi networks.
Use a strong encryption method when setting up Wi-Fi network access (WPA).
Disable features and services that are not required.
Disable Telnet login and use SSH where possible.
Disable Universal Plug and Play (UPnP) on routers unless absolutely necessary.
Modify the default privacy and security settings of IoT devices according to your requirements and security policy.
Disable or protect remote access to IoT devices when not needed.
Use wired connections instead of wireless, where possible.
Regularly check the manufacturer’s website for firmware updates.
Ensure that a hardware outage does not result in an unsecure state of the device.
2017 was one of the most awful years on record for cybersecurity. Organizations encountered some of the worst and dangerous cyber-attacks, some even more sophisticated. Be that as it may, while every data cost the organization an average of $1.3 million, this thought them all about IT geniuses and security. The typical measures to prevent hackers wasn’t enough.
As reported in Biz Journal, Shivaun Albright, HP’s chief technologist for printing security solutions, shared how to do just that. By using Stuart Coulson’s Seven Levels of Hacking, she explained who these bad actors are and what to look out for.
“If you really understood the motives of hackers,” Shivaun said, “Then you and your clients would be more proactive in protecting themselves.”
Know the 7 levels of hackingScript kiddies:
A script kiddie is an amateur hacker who leverages existing scripts to hack for fun, for the thrill, and for recognition. Generally, this type of hacker employs rudimentary programming skills and often doesn’t cause too much damage—but they can still cause plenty of frustration.
The hacking group:
Think of a hacking group as a team of script kiddies. What they lack in sophistication, they make up for in numbers. A hacking group is capable of causing more serious damage and disruption.
Unlike cyber criminals who hack for thrill or money, hacktivists act with a moral, social, or political motivation. Anonymous is one example of a high-profile hacktivist organization.
Black-hat pros are highly sophisticated hackers seeking to penetrate more challenging “big fish” targets, such as government bodies and large businesses. Often, these hackers aren’t looking to cause destruction, but develop new methods and means of cyber-attacks or steal valuable data.
Organized criminal gangs: Organized criminal hacker gangs are highly strategic groups typically led by a professional, seasoned criminal – like if Al Capone was alive today and had expert programming skills. These hackers strive to fly under the radar of law enforcement and are typically seeking monetary gain.
Massive computing power and practically unlimited funds are what make a nation-state hackers the most dangerous. Targets often include the military, critical public infrastructures, and major industries, like utilities or financial sectors.
The automated tool:
The final and most dangerous of the seven levels of hacking isn’t a person but a piece of software. This worm or virus-like tool can cause unprecedented amounts of damage in a short time frame and can be leveraged by any of the previous six types of hackers.
Preventing hackers at every level
Every hacker, no matter how skilled, starts by finding the weakest entry point. In some cases, this could be an unsuspecting employee or a vulnerable endpoint. There are two primary ways you can keep their organizations from falling prey to the majority of hackers out there:
Educate all employees on these threats and their responsibilities in preventing hackers—such as keeping passwords updated and identifying and reporting any suspicious communications.
Let all the employees read about this threat and their responsibility about this danger and their obligations in identifying and reporting suspicious behaviour.
Secure all endpoints—even often overlooked ones, like printers.
2017 was crammed with cybercrime, and 2018 hasn’t been great either. You can just expect hackers will turn out to be more adroit and their tools more powerful. By attempting to comprehend the dangers your organization faces and securing each endpoint, you can minimize the risk of being the next victim.
Ethical Hacking is seen as a sunrise industry in the IT sector, with the goal of helping reduce the instances of cyber hacking in today’s business environment. It is a preventive and critical action a company can establish in order to assess possible damage, how to counter the damage and fully recover from the aftermath of a real cyber attack.
Unfortunately, as ethical hacking is a niche skill, only a small subset of the IT sector has and no college or university which offers an undergraduate degree program in Ethical Hacking. The current ethical hackers at the moment are self-taught individuals. However, the education sector is trying to bridge the gaps, even with the lack of a degree offering for such knowledge, short courses to start a career in ethical hacking.
The central skill in ethical hacking a learner needs to absorb is the concept of penetration testing. Also, known as red teaming or intrusion testing, penetration testing is a sophisticated process of breaking through the systems (including people) in order to gain access. That means the pen testing team will even simulate a social engineering attack against the employees of the target company unannounced. The tests are comprehensive to audit the readiness of the organization in the event of an unauthorized remote access, virus infection, social engineering/phishing attacks, and newer exploits.
Each country has their own respective laws that may render white hat/ethical hacking as legal or illegal. But most of the issues against ethical hacking are usually quashed with clear approval and consent of the company. Firms hire ethical hackers for the benefit of the company as a whole, as part of a defense strategy in hardening their IT security. Ethical hackers know their limits and responsibilities; it is clearly defined in their contracts:
Written express permission from the firm that they will be breaking in.
Expose to the company after the pen testing all the results of their ethical hacking activity.
Make sure the systems that will be ethically hacked will be restored to its original form, after the activity.
Never violate any laws, company policies and keep the top secret and confidential files they learned from the hacking from outside access.
Aside from penetration testing, coverage of a short course in ethical hacking usually covers the following topics:
1. Wireless Hacking
2. Buffer Overflows
3. Denial of Service
6. Bug Exploitation
7. Fingerprinting and footprinting
8. Hacking Web applications and web servers
9. Session hijacking and network sniffing
10. Social Engineering
11. SQL Injections
12. TCP/IP penetration and forensics
13. Reverse Engineering
Those that want to proceed with learning ethical hacking techniques, there are some important things to be aware of:
Don’t sign-up at a random offer of ethical hacking online class. Do some research if the educational institution has a track record for such short courses. This can be determined by checking the background of the instructors, their office and their registration.
Setup a virtual hacking lab. It doesn’t need to be an expensive undertaking. This can be done with a powerful enough PC that can run a virtual machine for the simulated exploits.
Look at all the course offerings and check their feasibility. Not all short courses in ethical hacking are created equal.
Start with a free course, then if it is effective, use the ladder system to upgrade to a paid online course.