IT security, vulnerabilities, bugs, fixes, flaws, RSA conference and Infosec.
A blog from V3.co.uk


How hacking works and steps to combat it

V3.co.uk entered the world of hacking yesterday by participating in a 'Hack the Lab' session arranged by network security firm Stonesoft.

A fictitious web site was created especially for participants to hack into and the results were interesting and a little frightening.

Using tools such as Nmap (port scanner), Netcat (multi-purpose tool), Metasploit (command line tool) and John the Ripper (password cracker), which are all freely available on the internet, we had a crack.

We successfully managed to hack into the fabricated web site and obtained not only admin login details, but credit card details of the owners and customers, in just under half an hour.

This was done using a Virtual Network Computing (VNC) tool, which we installed on the fictitious admin machine to gain remote desktop access.

Alan Cottom, technical engineering specialist at Stonesoft, was on hand to explain the principles.

There are usually five steps that an attacker goes through when looking to carry out a hack:

1. Selecting the target: There are mainly two types of hackers: those who focus on an individual or organisation for financial or political gain, and those who are opportunistic and scan ports looking for vulnerable systems.

2. Gathering information: Once a target has been selected, the hacker embarks on the most important process, the research phase. Attackers aim to gather as much information as possible, including business, domain and contact names, web site addresses, phone numbers and emails. These are all primary pieces of information that a hacker is eager to acquire. The more information an attacker has, the easier it is to gain access to a system.

Individuals must be careful about posting computer details on forums as hackers commonly browse these to pick up information about potential targets.

Hackers are always on the lookout for mergers and acquisitions, as these are seen as 'soft targets' because businesses usually want to link IT systems quickly and may sacrifice security, Cottom said.

3. Exploiting vulnerabilities: Hackers do not waste their time breaking into firewalls; they look to exploit vulnerable areas of a system, e.g. a web server that may not have been patched properly or a test machine that has remained connected.

4. Leaving a back door: After access has been gained, a hacker always leaves a back door to regain entry, by planting a rootkit or a remote shell. Some may even modify access rules.

5. Covering tracks: The best attackers will look to disable auditing processes and delete event logs.

The first thing a good administrator will do if he/she suspects there has been an attack is check the logs, so hackers will want to cover their tracks by disabling these, Cottom said.

There have been several high profile hacks recently including the infiltration of Google's Gaia password system in January. This occurred when an employee clicked on an MMS link and had their machine infiltrated, which was used to gain access to the firm's admin system.

However, Twitter experienced one of the most embarrassingly simple hacks last year when a user used a brute-force password cracker to gain admin access. Passwords were changed, private information was viewed, and tweets were sent out from users such as Britney Spears.

Twitter could have avoided this by simply employing a lockout of accounts after three failed password attempts.
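As an added example (not part of the original post or of Twitter's code), a minimal version of the lockout described above: after three failed attempts an account is locked for a fixed period, and a locked account is rejected before the password is even checked. The three-attempt threshold comes from the post; the 15-minute lockout, the account names, the wordlist and the check_password callback are assumptions.

```python
from dataclasses import dataclass, field

MAX_ATTEMPTS = 3        # lock after three failed attempts, as the post suggests
LOCKOUT_SECONDS = 900   # 15-minute lockout (assumed value, not from the post)

@dataclass
class LoginGuard:
    """Counts failed logins per account and enforces a temporary lockout."""
    max_attempts: int = MAX_ATTEMPTS
    lockout_seconds: int = LOCKOUT_SECONDS
    failures: dict = field(default_factory=dict)      # user -> failure count
    locked_until: dict = field(default_factory=dict)  # user -> unlock time

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # Lockout expired: clear state so the user gets a fresh allowance.
            del self.locked_until[user]
            self.failures.pop(user, None)
            return False
        return True

    def attempt(self, user, password, check_password, now):
        """Return 'locked', 'ok' or 'failed'; caller supplies the real check and the clock."""
        if self.is_locked(user, now):
            return "locked"  # reject before the password is even evaluated
        if check_password(user, password):
            self.failures.pop(user, None)  # success resets the counter
            return "ok"
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= self.max_attempts:
            self.locked_until[user] = now + self.lockout_seconds
            return "locked"
        return "failed"

def guesses_reaching_check(guard, user, guesses, real_password):
    """Feed a constructed wordlist at one account, one guess per second, and
    return how many guesses were actually compared against the password."""
    evaluated = 0
    def check(u, p):
        nonlocal evaluated
        evaluated += 1
        return p == real_password
    for i, guess in enumerate(guesses):
        guard.attempt(user, guess, check, now=1000 + i)
    return evaluated
```

A lock that never expires hands an attacker a way to lock legitimate users out simply by failing their logins on purpose, which is why the lockout here times out on its own and a successful login resets the counter.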

Essential Security Tips from Stonesoft
- Use alphanumeric passwords, but not ones that are so complicated that you need to write them down.
- Keep anti-virus software and patches up-to-date.
- Do not click on suspicious links in emails or instant messages.
- Turn office hardware off at night.
- Take a look at some Intrusion Prevention Software.

V3.co.uk will post a video demo of Alan Cottom explaining the stages of hacking soon.

July 29, 2010

WPA2 and private browsing called into question

With the Black Hat conference taking place later this week it seems apt that there are some interesting security problems being announced that are worth keeping an eye on.

Firstly, it's been discovered that many "private" browser sessions are in fact nothing of the sort, and that hackers could gain access to sites visited, despite claims to the contrary by many firms.

A report on the New Scientist web site claims that researcher Collin Jackson from Carnegie Mellon University in Pittsburgh found ways that hackers could detect which sites were visited even with the private mode enabled.

A hacker could "guess what sites you've been to based on traces left behind", Jackson is reported as saying.

Secondly, a wireless security researcher from AirTight Networks claims to have discovered a vulnerability in the WPA2 security protocol for Wi-Fi protection that compromises user security, which has been termed Hole 196.

Md Sohail Ahmad explained that the Hole 196 loophole allows malicious users to bypass private key encryption and authentication to sniff and decrypt data from other users, scan Wi-Fi devices and install malware.

Although AirTight acknowledged that to exploit this vulnerability a hacker would have to be on the same network, corporate theft and espionage are a key concern for many large corporations, making the threat very real.

The vulnerability has been given the name Hole 196 as it relates to a line on page 196 of the IEEE 802.11 Revised Standard published in 2007, from which the exploit is made possible.

Ahmad will be demonstrating the vulnerability at the Black Hat Arsenal (and again at DEFCON 18) in a presentation wonderfully titled "WPA Too?!" on 29 July.

July 26, 2010

Google increases payment to bug hunters

Google has increased the maximum payment for those who find a bug in its Chromium web browser to $3,133.7.

The Chromium Security Reward scheme was launched in January and Google claims that the program has been a success.

"We have been notified of numerous bugs, and some of the participants have made it clear that it was the reward program that motivated them to get involved with Chromium security," Google said in a blog post this week.

"Whilst the base reward for less serious bugs remains at $500, the panel will consider rewarding more for high-quality bug reports. Factors indicating a high-quality bug report might include a careful test case reduction, an accurate analysis of root cause, or productive discussion towards resolution."

The maximum reward for a single bug has been increased substantially from $1,337 to $3,133.7. But this will only be paid to those who find critical bugs in Chromium, the company said.

The increased reward reflects the fact that the sandbox makes it harder to find bugs of this severity, Google added.

Google follows in the tracks of Mozilla, which upped its bounty payment to $3,000 last week.

Even though Google has added $3,000 to the reward, not all users are happy.

"I highly doubt a $3,133.7 payoff is justifiable. If you figure an individual (or team) put in a combined effort of 160 hours, you're getting paid roughly $19 per hour," noted one commenter on the Google blog.

"I personally wouldn't waste my resources on someone who cannot be justified being paid more than $19/hr. Neither would I waste my time providing any information to anyone who values their operating budget for security at $19/hour per incident."

Looks like someone woke up on the wrong side of the bed... or maybe he was just upset that the reward is no longer code for elite.

July 21, 2010

Mozilla blocks password thieving add-on

Mozilla has disabled a malicious password-stealing add-on known as Mozilla Sniffer, which was uploaded on 6 June and downloaded by 1,800 users.

The add-on contained code that intercepted login data submitted to any web site, and sent this data to a remote location.

Mozilla discovered the bug on 12 July and added the add-on to its block list, prompting it to be uninstalled.

"All current users should receive an uninstall notification within a day or so. The site this add-on sends data to seems to be down at the moment, so it is unknown if data is still being collected," Mozilla said in a blog post.

Mozilla Sniffer was not developed or reviewed by Mozilla. It was in an experimental state, and all users who installed it should have seen a warning indicating it was not reviewed, Mozilla said.

A security flaw was also discovered in version 3.0.1 of the CoolPreviews add-on.

The vulnerability is triggered using a specially crafted hyperlink. If the user hovers the cursor over this link, the attacking script is given control over the host computer.

So far 177,000 users have a vulnerable version installed. This is less than 25 per cent of the install base and it will continue to decrease as more users are prompted to update to a new version, Mozilla noted.

July 15, 2010

Oracle patches 59 flaws

Oracle has excelled itself again with a mammoth Critical Patch Update (CPU), releasing a whopping 59 fixes yesterday, including 21 for its Sun Products Suite.

Among the highest severity vulnerabilities, given a CVSS base score of 10.0, are a flaw in the TimesTen In-Memory Database and two in the Oracle Secure Backup product.

There were 17 fixes in total scheduled for Oracle applications, including the PeopleSoft and JD Edwards suites, the Supply Chain Products suite and the E-Business suite.

However, the biggest set of fixes was reserved for Sun's Solaris products.

"Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible," noted the CPU.

"Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by restricting network protocols required by an attack."

Removing user privileges, or the ability to access certain packages, from users who do not need them may help reduce the risk of a successful attack, although this must only be seen as a temporary solution, said Oracle.

It will be a busy time for security administrators, who also had to cope with the latest Patch Tuesday from Microsoft, which saw the release of four fixes for five vulnerabilities capable of allowing remote code execution attacks.

July 14, 2010

© Incisive Media Investments Limited 2010, Published by Incisive Financial Publishing Limited, Haymarket House, 28-29 Haymarket, London SW1Y 4RX, are companies registered in England and Wales with company registration numbers 04252091 & 04252093