FAQs | What we've been asked

If you want to know about us or about questions related to hacking/security, please ask via yehg contact form.

Ques: What does 'YGN' in "YGN Ethical .." stands for? Acronym of your group men's names?
=> It stands for the city we live in. YanGoN.

Ques: How do you think guys here who are learning hacking?
=> Most of them learn hacking to do illegal hacking, which will never do them good. They think hackers are those who deface/destroy web sites or systems on the Net. They are criminals. Cyberlaws in all countries take serious actions against cybercrimes. Every malicious activity can lead you to jail and charge you thousands of $ depending on how much damage you have caused. Don't follow ways to criminal. Look at cybercrime.gov.

Ques: How do you want to suggest for learning hacking?
=> A short and quick advice is - Learn all security/hacking basics and perspectives. Then choose one specialized area. There are dozens of specialized fields in security/hacking. So, if you're now a DBA or interested in Databases, then learn all databases - MS SQL, Oracle, Db2, MySQL and learn database hacking techniques and tools. You can be confident yourself you're smarter and more knowledgable than an average penetration tester.

Ques: What is the main difference between web developer and web application security guy?
=> Most web developers are not aware of and attentive to every security flaw that may exist in their applications. They adopt secure practice only if certain flaw such as SQL injection is notoriously prevalent. Even if they take secure approach, their approach can be broken because they don't know detailed knowledge in such flaws. Web App Sec guys must know every web application related vulnerabilities and countermeasures whether they are small or big. In security-critial applications like online-banking, so-called small flaws can pave the door way for attackers.

Ques: I underestimate XSS. How much big things can that Javascript alert box do ?
=> It's not to blame for an average who can't see biggest risk come together with a faw. JavaScript alert box is used to quickly test whether a web site is vulnerable to XSS or not. If this is vulnerable, it has to be determined what type of XSS flaw exists - Reflected, Dom-based, Attribute-based, Stored ..etc. Then attackers select distributable means which is either sending links to innocent people or posting links in newsgroups ...etc for attacking web site users. For example, they can inject a malicious script that launches any executables in your computer or that overwrites NTDETECT.COM without which your Windows system can't boot or worse changes your Home Router settings without your knowledge. Did you notice overall efficieny between a PC with and without an Internet connection though you ever update your Antivirus? Antivius solutions can't protect web-related threats much. For attacking web site administrators, they can inject scripts that automate stealing sensitive information, automate critical settings or inserting backdoor iframe that steals key logging and much more. Be aware that XSS is not all about Stealing Cookie as widely known.

Ques: Can you tell me variants about Blackhat, Whitehat and Grayhat?
=> Quoted from Grayhat Hacking: The Ethical Hacker's Handbook (ISBN: 0-07-159553-8)“If an individual uncovers a vulnerability and illegally exploits it and/or tells others how to carry out this activity, he is considered a black hat. If an individual uncovers a vulnerability and exploits it with authorization, he is considered a white hat. If a different person uncovers a vulnerability, does not illegally exploit it or tell others how to do it, but works with the vendor - this person gets the label of gray hat.”