Ethical Hacking 101

They could be attacking you right now, and you wouldn’t even know it. Whether you’re walking through an airport, tapping away on your laptop at your favorite coffee shop or accessing a free Wi-Fi network on your cell phone, you can be the victim of a hacker.

“In order to know how to better secure yourself, you have to know how they hack,” explains Professor Faisal Kaleem, who is teaching a pilot class this summer called “Ethical Hacking.” “I spend a lot of time teaching students ethics in real life and then I show them how these things happen.”

To illustrate his points to the class, Kaleem draws on any number of scenarios from everyday life. The course shows students different types of attacks on multiple computing devices, gives them hands-on experience with the latest hacking tools and techniques, and teaches countermeasures required to protect valuable and vulnerable data. The course also teaches them the difference between right and wrong.

“It’s not easy, but you have to do whatever is in your power to protect yourself, while following the law,” said Kaleem, who teaches in the Department of Electrical and Computer Engineering.

An ethical hacker, Kaleem said, is defined as “a computer and network security expert who explores the weaknesses in different types of computing systems on behalf of its owners, seeking vulnerabilities that a malicious hacker could exploit.” To test the security of any computing device, ethical hackers use the same methods as their less principled counterparts, but report problems instead of taking advantage of them.

The course, which enrolled about 20 students from the College of Engineering & Computing this summer, is very hands on. Each student is provided with multiple virtual machines containing a variety of tools/software that can do everything from auditing passwords to accessing someone’s personal data through an unsecured network. Students can use these publicly available tools to target machines in an isolated environment.

“These tools are easily accessible online,” Kaleem explaied. “You don’t have to be a rocket scientist to search for these tools and software. The students learn how the hackers run these tools to do bad things.”

For instance, there are different tools available that not only sniff passwords floating across the network but can crack them as well. Any password that is a word in a dictionary can be easily cracked in less than two seconds. Kaleem teaches students about the dangers of entering personal financial information on websites, and why you should only do financial transactions on a dedicated computer that you trust.

Also on the syllabus: why and how to secure home wireless networks and why relying only on out-of-the-box security settings for any computing device could make their valuable information vulnerable.

“Using the virtual machines I am able to show them how this works, and they are able to do some experiments with me,” Kaleem said.

Ethical hacking is also often referred to as penetration testing, intrusion testing and red teaming – a term that has its roots in the 1970s when the United States government used groups of experts called red teams to hack its own computer systems. Today, many large companies maintain teams of ethical hackers.

Students in the class perform penetration testing, a method of evaluating the security of a computer system or network by simulating an attack from hackers. They learn tools and techniques for analyzing malicious software, including viruses, trojans and worms. They study how social engineering and phishing attacks (attempts to acquire information by masquerading as a trustworthy entity) occur.

While the term “hacker” has negative connotations, many of those who engage in hacking are engaged in testing the boundaries of what can be done on a computer in order to make things better. Kaleem acknowledged that as with everything else they learn, students in the course could use what they’ve learned with good or bad intentions. Hence the emphasis on ethics and appropriate conduct in every class.

Kaleem told to the class, “The reason I am exposing you to these tools is to learn how to protect the systems you are responsible for. If you do something bad with malicious intentions, you’re going to be held responsible. The FBI might be knocking on your door.”

Students said the course’s title got their attention. They have put what they learned in class to immediate use, going home to improve the security on their own computers.

“The class is really interesting,” said Mary Grosholz, who is majoring in computer engineering. “He goes through and shows you all the things that the criminals would do so that way you can protect yourself from it. I’ve got people from different schools who want to come here and take the class because it’s not offered anywhere they go. It’s educational.”

Jean Paul Garbezza, a mechanical engineering student who has taken other classes with Kaleem, said he was surprised to lean how vulnerable users on public networks can be to hackers.

“If you’re on a public network people can see what you’re doing,” he said. “They can see the actual pages you’re on, see what you see on your screen, get your passwords, and you won’t even know about it.”

The elective course will be available to all FIU students in the future. For the general community, Kaleem shared 10 tips to protect yourself from hackers.