Okay, I just got back from my first day at the Ethical Hacker class. First, let me give you a background from where I come from.
See, my very first formal IT class was for Security+. And, like many other industries, the first class you take tends to color everything you do in that field. As an example, my first martial arts school was Taekwondo, so I tend to use more kicking than, say, a karateka. So when we deal with networking, I tend to think more on how to secure them, rather than implement or fix them.
So, I’m already scared of networks and the Internet. Of course, it’s necessary to use in today’s world as an IT technician, but a certain amount of trepidation accompanies what I do at work. Keep that in mind: a small amount of trepidation.
Today’s class was quick, and spent more on legality of ethical hacking. We spent about 15 minutes of just looking at publicly accessible items, breaking no laws, and not even TOUCHING our target site. With about five minutes, we had:
- The webmaster’s name
- His work phone
- His personal mobile phone
- His direct employer (hint: he does NOT work directly for the company)
- How long he’s been in that position
- What type of server the website is hosted on
- What types of technologies were used in the website (like javascript, Java, active server pages, etc.)
Okay, it took all of about half an hour to show us this. That’s half an hour WITH explanations and questions. That means all this information could be found within less than five minutes – and the attacker would never even be detectable at this stage by the target. And would not have broken any laws at all within that period.
So keep this in mind when the world starts talking about protecting your GMail with two-factor authentication, or when your IT department requires larger and more complex passwords.