IT security, vulnerabilities, bugs, fixes, flaws, RSA conference and Infosec.
A blog from V3.co.uk


How hacking works and steps to combat it

V3.co.uk entered the world of hacking yesterday by participating in a 'Hack the Lab' session arranged by network security firm Stonesoft.

A fictitious web site was created especially for participants to hack into and the results were interesting and a little frightening.

Using tools such as Nmap (port scanner), Netcat (multi-purpose tool), Metasploit (command line tool) and John the Ripper (password cracker), which are all freely available on the internet, we had a crack.

We successfully managed to hack into the fabricated web site and obtained not only the admin login details but also the credit card details of the owners and customers, in just under half an hour.

This was done using a Virtual Network Computing (VNC) tool, which we installed on the fictitious admin machine to gain remote desktop access.

Alan Cottom, technical engineering specialist at Stonesoft, was on hand to explain the principles.

There are usually five steps that an attacker goes through when looking to carry out a hack:

1. Selecting the target: There are mainly two types of hacker: those who focus on an individual or organisation for financial or political gain, and opportunists who scan ports looking for vulnerable systems.

2. Gathering information: Once a target has been selected, the hacker embarks on the most important process which is the research phase. Attackers aim to gather as much information as possible, including business/domain/contact names, web site addresses, phone numbers and emails. These are all primary pieces of information that a hacker is eager to acquire. The more information an attacker has, the easier it is to gain access into a system.

Individuals must be careful about posting computer details on forums as hackers commonly browse these to pick up information about potential targets.

Hackers are always on the look out for mergers and acquisitions as these are seen as 'soft targets' because businesses usually want to link IT systems quickly and may sacrifice security, Cottom said.

3. Exploiting vulnerabilities: Hackers do not waste their time breaking into firewalls; instead they look for vulnerable areas of a system, for example a web server that has not been patched properly or a test machine that has been left connected.

4. Leaving a back door: After access has been gained, a hacker always leaves a back door to regain entry, by planting a rootkit or a remote shell. Some may even modify access rules.

5. Covering tracks: The best attackers will look to disable auditing processes and delete event logs.

The first thing a good administrator will do if he/she suspects there has been an attack is check the logs, so hackers will want to cover their tracks by disabling these, Cottom said.
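A defender-side illustration of the point about logs, added here and not part of the V3 post or Stonesoft's material: a small Python scanner over a constructed, key=value-style log export that flags the Windows Security events produced when the audit log is cleared or auditing is reconfigured. The export format is an assumption; the event IDs are the standard Windows ones.

```python
import re
from dataclasses import dataclass

# Constructed sample in an assumed "key=value" export format; the event IDs are the
# standard Windows Security log IDs for log clearing and audit-policy tampering.
SAMPLE_LOG = """\
2010-07-28T02:14:05 host=web01 EventID=4624 user=alice msg="An account was successfully logged on"
2010-07-28T02:16:40 host=web01 EventID=1102 user=alice msg="The audit log was cleared"
2010-07-28T02:17:02 host=web01 EventID=4719 user=alice msg="System audit policy was changed"
2010-07-28T02:17:30 host=web01 EventID=1100 user=SYSTEM msg="The event logging service has shut down"
2010-07-28T02:20:11 host=db01 EventID=4624 user=bob msg="An account was successfully logged on"
"""

# Events that a track-covering attacker produces while disabling auditing or wiping logs.
TAMPER_EVENTS = {
    1102: "security audit log cleared",
    1100: "event logging service shut down",
    4719: "system audit policy changed",
}

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) EventID=(?P<eid>\d+) user=(?P<user>\S+) msg="(?P<msg>[^"]*)"$'
)

@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    user: str
    event_id: int
    reason: str

def find_tampering(log_text):
    """Return an Alert for every line whose event ID is a known log-tampering indicator."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # skip lines that do not fit the export format
        eid = int(m.group("eid"))
        if eid in TAMPER_EVENTS:
            alerts.append(Alert(m.group("ts"), m.group("host"), m.group("user"), eid, TAMPER_EVENTS[eid]))
    return alerts

if __name__ == "__main__":
    for a in find_tampering(SAMPLE_LOG):
        print(f"{a.timestamp} {a.host} user={a.user} EventID={a.event_id}: {a.reason}")
```

Because these events are written to the same log the attacker is clearing, they are only useful if logs are forwarded to a separate collector before the local copy can be wiped.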

There have been several high profile hacks recently including the infiltration of Google's Gaia password system in January. This occurred when an employee clicked on an MMS link and had their machine infiltrated, which was used to gain access to the firm's admin system.

However, Twitter experienced one of the most embarrassingly simple hacks last year when a user used a brute force password cracker to gain admin access. Passwords were changed, private information was viewed, and tweets were sent out from users such as Britney Spears.

Twitter could have avoided this by simply employing a lockout of accounts after three failed password attempts.
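As an added example (not from the post, and nothing to do with Twitter's real implementation), the lockout the article suggests, in Python: an account is locked for an assumed 15 minutes after three consecutive failures, and a constructed run of guesses shows that even the correct password is refused once the lock is in place.

```python
import hmac
from dataclasses import dataclass

# Hypothetical policy values: three failures to mirror the post's suggestion, and an
# assumed 15-minute lockout. Nothing here describes Twitter's real implementation.
MAX_FAILURES = 3
LOCKOUT_SECONDS = 15 * 60

@dataclass
class AccountState:
    failures: int = 0        # consecutive failed attempts since the last success or lockout
    locked_until: float = 0.0

class LoginGuard:
    """Counts failed logins per account and refuses all attempts while the account is locked."""

    def __init__(self, credentials, max_failures=MAX_FAILURES, lockout_seconds=LOCKOUT_SECONDS):
        self._creds = credentials  # {username: password}; constructed sample, plain text for brevity
        self._state = {}
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds

    def attempt(self, user, password, now):
        """Return 'ok', 'denied' or 'locked' for one login attempt at time `now` (seconds)."""
        st = self._state.setdefault(user, AccountState())
        if now < st.locked_until:
            return "locked"                # refused before the password is even checked
        stored = self._creds.get(user)
        if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= self.max_failures:
            st.failures = 0
            st.locked_until = now + self.lockout_seconds
        return "denied"

def replay_guesses(guard, user, guesses, start=0.0):
    """Replay a constructed list of password guesses one second apart and return each outcome."""
    return [guard.attempt(user, g, now=start + i) for i, g in enumerate(guesses)]

if __name__ == "__main__":
    guard = LoginGuard({"admin": "correct-horse"})   # constructed credential
    print(replay_guesses(guard, "admin", ["password", "123456", "letmein", "correct-horse"]))
    # the fourth guess is the right password, yet it is refused because the account is locked
```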

Essential Security Tips from Stonesoft
- Use alphanumeric passwords, but not ones that are so complicated that you need to write them down.
- Keep anti-virus software and patches up-to-date.
- Do not click on suspicious links in emails or instant messages.
- Turn office hardware off at night.
- Take a look at some Intrusion Prevention Software.

V3.co.uk will post a video demo of Alan Cottom explaining the stages of hacking soon.

July 29, 2010

Mozilla blocks password thieving add-on

Mozilla has disabled a malicious password stealing add-on known as Mozilla Sniffer, which was uploaded on 6 June and downloaded by 1,800 users.

The add-on contained code that intercepted login data submitted to any web site, and sent this data to a remote location.

Mozilla discovered the malicious code on 12 July and added the add-on to its block list, prompting it to be uninstalled.

"All current users should receive an uninstall notification within a day or so. The site this add-on sends data to seems to be down at the moment, so it is unknown if data is still being collected," Mozilla said in a blog post.

Mozilla Sniffer was not developed or reviewed by Mozilla. It was in an experimental state, and all users that installed it should have seen a warning indicating it was not reviewed, Mozilla said.

A security flaw was also discovered in version 3.0.1 of the CoolPreviews add-on.

The vulnerability is triggered using a specially crafted hyperlink. If the user hovers the cursor over this link, the attacking script is given control over the host computer.

So far 177,000 users have a vulnerable version installed. This is less than 25 per cent of the install base and it will continue to decrease as more users are prompted to update to a new version, Mozilla noted.

July 15, 2010

Facebook hit by first wave of "political hacktivism"

Facebook's ongoing problems continue after security firm AVG announced that it has discovered hacking taking place on the site in the form of "political hacktivism" emanating from Turkey, seemingly in retaliation for the recent events in Gaza.

Research by the firm found that all manner of attacks including web site defacements, denial-of-service, information theft and virtual sabotage were coming from two different sources, suggesting only two groups or individuals are involved.

Roger Thompson, AVG's chief research officer, said that although the number attacked so far was relatively small, perhaps less than fifty, there was always a risk that it could increase in number very quickly.

"The number of hacked accounts is fairly small which would indicate that it is not an automated attack. This is the first time, as far as I am aware, that Facebook has been a victim of political hacktivism," he said.

"Given the attack seems to be run by Turkish hackers, and that they once claimed a world record for defacing 37,000 pages in a day, we should not discount the thought they might find an automated way to move."

Late last year Twitter was targeted by a group calling itself the Iranian Cyber Army, which hijacked the web site domain name.

June 9, 2010

Conficker foolishness goes nuclear

Security firms are well known for spreading fear, uncertainty and danger (FUD) but a press release today on the Conficker worm takes the biscuit.

Security experts are largely agreed that the Conficker update scheduled for tomorrow will not bring about the end of the world as we know it. Instead the malware will probably just update itself. After all, it's not in the malware writer's interest to shut down the network that has been so laboriously built up.

Nevertheless this hasn't stopped endless press releases seeking to grab headlines. This is to be expected but some are 'jumping the shark'. Take IT security company Imerja, which has jumped on the bandwagon and come out with some truly preposterous guff.

"30 per cent of all Windows PCs could be at risk. Organisations that are in danger of being affected include the Houses of Parliament, the Ministry of Defence and a number of UK schools," said Matt Hampton, chief technical officer at Imerja.

The logical problems with this are many. Firstly, no-one knows how many PCs are unpatched in such a way as to make them vulnerable to the Conficker malware - 30 per cent is a guesstimate at best.

Secondly, even if the PCs are unpatched, that is no guarantee that they will become infected. After all, many unpatched PCs will be corporate systems behind strong firewalls, which is precisely why their IT administrators have been slow to patch them: they are already protected.

Similarly people may be protected by running anti-virus software but haven't bothered to patch their systems. People are now getting much better about running security software but running operating system updates is less common.

It also assumes that Conficker is everywhere and will automatically infect any PC that isn't patched. This is of course complete rubbish.

Some security companies have worked hard to rescue their reputations. Imerja seems to be bucking this trend, and FUD like this makes one wonder how professional they really are.

March 31, 2009

The fight for white hats

You know how the last blog posting talks about technology being the most important thing in the anti-malware industry? Well, that probably has to be qualified a little bit, because the other key message coming from the Kaspersky Lab New Dimensions press event so far has been the importance of the engineers. So, it's actually all about the technology ... and the people.

Yes, the unsung heroes of the anti-malware industry were finally given their day in the sun today - well, not literally, they were still locked away in a windowless room staring at code - as Eugene Kaspersky explained how the astonishing success of the company has been down largely to attracting and keeping talented engineers. The firm is lucky enough to have access to the talent pool of graduates from Russian universities, many of which have a reputation for excellence in engineering and technology courses. But it still has difficulty in finding enough of the best, and on occasion even loses them.

According to Kaspersky, one employee had to relocate to another software company as it became too distressing to stay on the good side of the malware war once he found out how much some criminals were making.

That's a pretty extreme example, of course, but what is true is that competition for the best of the best is fierce. Kaspersky also has a bit of an advantage over some of its competitors, however, because of its reputation, VP of R&D Nikolay Grebennikov told me. It is well-known in the industry for innovating, and supporting its engineers with whatever projects they might find it necessary to undertake, so it has garnered a good reputation among the security researcher community. Things get done, in other words, and with the recent creation of the Global Research and Analysis Team (although most security vendors have something like this already) there is yet another lure to tempt potential white hat recruits into the Kaspersky ranks.

December 5, 2008

Christmas comes early for scammers

Internet and messaging security firm Websense has uncovered its first Christmas virus scam, and we aren't even out of November.

The scam, which is so devilish it can only have come from the Grinch, offers a lucky email recipient the chance to feel like they have the sort of friends who send out tedious e-cards, but has a nasty little payload.

Yep, apparently some swine has spoofed a reputable firm's type of message and put a stinky pile of malicious code in the back of it. Websense said that a URL within the postcard leads the recipient to a .exe file. If downloaded, this creates a backdoor on their computer which allows access to and control of the compromised machine. And all this from a Christmas message celebrating the season of goodwill.

However, it's difficult not to be dismayed by the type of person who would be conned by such a virus. "During the install process an image called xmas.jpg is displayed to the user as a distraction technique," Websense explains. A distraction technique - what are they, monkeys? It's amazing the impact a picture of some elves in Santa's grotto can have on IT security best practice.

Author: David Neal

November 28, 2008

You are talking out of your BackOrifice

It's been widely touted recently that the threat from viruses and worms is rapidly being overcome. One of the latest proponents of this argument is Symantec, which has asserted that such threats are effectively a thing of the past.

http://www.vnunet.com/vnunet/news/2166102/symantec-shifts-focus-security


Traditional nasties are, Symantec burbles, waning as cyber-criminals turn to identity theft. But how are these nefarious scammers conducting their identity thievery? They are not hiding in dark alleyways, jumping on unsuspecting victims and making off into the choking miasma of Olde London Town to pass on their ill-gotten gains to some shadowy cyber-Fagin.

In fact they are using a variety of methods, including key-loggers, rootkits and precisely the Trojans that Symantec says are no longer a threat, to steal sensitive personal and financial details.

We, with due respect, believe that the proponents of the notion that we've seen the last of viruses, Trojans and worms are talking out of their BackOrifices.

October 18, 2006

