How hacking works and steps to combat it
V3.co.uk entered the world of hacking yesterday by participating in a 'Hack the Lab' session arranged by network security firm Stonesoft.
A fictitious web site was created especially for participants to hack into and the results were interesting and a little frightening.
Using tools such as Nmap (port scanner), Netcat (multi-purpose tool), Metasploit (command line tool) and John the Ripper (password cracker), which are all freely available on the internet, we had a crack.
We successfully managed to hack into the fabricated web site and obtained not only admin login details, but credit card details of the owners and customers in just under half an hour.
This was done using a Virtual Network Computing (VNC) tool, which we installed on the fictitious admin machine to gain remote desktop access.
Alan Cottom, technical engineering specialist at Stonesoft, was on hand to explain the principles.
There are usually five steps that an attacker goes through when looking to carry out a hack:
1. Selecting the target: There are mainly two types of hackers: those who focus on an individual or organisation for financial/political gain, and those who are opportunistic and scan ports looking to find vulnerable systems.
2. Gathering information: Once a target has been selected, the hacker embarks on the most important process which is the research phase. Attackers aim to gather as much information as possible, including business/domain/contact names, web site addresses, phone numbers and emails. These are all primary pieces of information that a hacker is eager to acquire. The more information an attacker has, the easier it is to gain access into a system.
Individuals must be careful about posting computer details on forums as hackers commonly browse these to pick up information about potential targets.
Hackers are always on the lookout for mergers and acquisitions as these are seen as 'soft targets' because businesses usually want to link IT systems quickly and may sacrifice security, Cottom said.
3. Exploiting vulnerabilities: Hackers do not waste their time breaking into firewalls; they look to exploit vulnerable areas of a system, for example a web server that may not have been patched properly or a test machine that has remained connected.
4. Leaving a back door: After access has been found, a hacker always leaves a back door to regain entry, by planting a root kit or a remote shell. Some may even modify access rules.
5. Covering tracks: The best attackers will look to disable auditing processes and delete event logs.
The first thing a good administrator will do if he/she suspects there has been an attack is check the logs, so hackers will want to cover their tracks by disabling these, Cottom said.
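An added example, not part of the original article: a check an administrator could run over events forwarded to a central collector to spot the log clearing and audit changes described in step 5. It assumes Windows event IDs 1102, 104 and 4719; the CSV layout, account names and sample rows are constructed for illustration.

```python
import csv
import io

# (channel, event ID) pairs that record log or audit tampering on Windows.
TAMPER_EVENTS = {
    ("Security", 1102): "audit log cleared",
    ("System", 104): "event log cleared",
    ("Security", 4719): "audit policy changed",
}

# Constructed sample: events as a central collector received them.
SAMPLE = """record_id,time,channel,event_id,user
5001,2010-07-28T09:00:01,Security,4624,alice
5002,2010-07-28T09:05:10,Security,4719,svc_web
5006,2010-07-28T09:20:44,Security,1102,svc_web
880,2010-07-28T09:20:50,System,104,svc_web
881,2010-07-28T09:30:00,System,7036,SYSTEM
"""


def find_tampering(export_text):
    """Return (record_id, channel, reason) for every sign of log tampering."""
    findings = []
    last_id = {}  # channel -> last record_id seen
    for row in csv.DictReader(io.StringIO(export_text)):
        rec = int(row["record_id"])
        chan = row["channel"]
        eid = int(row["event_id"])
        # Record IDs count up by one per channel; a jump means records
        # were removed on the host or never reached the collector.
        prev = last_id.get(chan)
        if prev is not None and rec > prev + 1:
            findings.append(
                (rec, chan, f"{rec - prev - 1} records missing before this one"))
        last_id[chan] = rec
        reason = TAMPER_EVENTS.get((chan, eid))
        if reason:
            findings.append((rec, chan, f"{reason} by {row['user']}"))
    return findings


if __name__ == "__main__":
    for finding in find_tampering(SAMPLE):
        print(finding)
```

Because the check runs on copies held off the host, deleting the local logs does not remove the evidence it looks for.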
There have been several high profile hacks recently including the infiltration of Google's Gaia password system in January. This occurred when an employee clicked on an MMS link and had their machine infiltrated, which was used to gain access to the firm's admin system.
However, Twitter experienced one of the most embarrassingly simple hacks last year when a user used a brute force password cracker to gain admin access. Passwords were changed, private information was viewed, and tweets were sent out from users such as Britney Spears.
Twitter could have avoided this by simply employing a lockout of accounts after three password attempts.
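An added example, not from the original article or from Twitter: a minimal account lockout that stops evaluating passwords after three failures. The class name, the five-minute counting window and the 15-minute lock are assumptions; the lock is temporary so that an attacker cannot permanently lock out a legitimate user.

```python
import time


class LoginThrottle:
    """Temporary per-account lockout after repeated failed logins."""

    def __init__(self, max_failures=3, window=300, lock_seconds=900,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window              # seconds in which failures are counted
        self.lock_seconds = lock_seconds  # how long a lock lasts
        self.clock = clock
        self._failures = {}               # account -> failure timestamps
        self._locked_until = {}           # account -> unlock time

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:         # lock expired: start fresh
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def attempt(self, account, verify):
        """verify() checks the password; return 'locked', 'ok' or 'denied'."""
        if self.is_locked(account):
            return "locked"               # the guess is never evaluated
        if verify():
            self._failures.pop(account, None)
            return "ok"
        now = self.clock()
        recent = [t for t in self._failures.get(account, [])
                  if now - t < self.window]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lock_seconds
        return "denied"


def simulate_guessing(throttle, account, real_password, guesses):
    """Replay guesses; return (guesses actually evaluated, last result)."""
    evaluated, result = 0, None
    for guess in guesses:
        result = throttle.attempt(account, lambda g=guess: g == real_password)
        if result != "locked":
            evaluated += 1
        if result == "ok":
            break
    return evaluated, result
```

With these settings a guessing tool gets three evaluated attempts per lock period, even when the correct password appears later in its list.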
Essential Security Tips from Stonesoft
- Use alphanumeric passwords, but not ones that are so complicated that you need to write them down.
- Keep anti-virus software and patches up-to-date.
- Do not click on suspicious links in emails or instant messages.
- Turn office hardware off at night.
- Take a look at some Intrusion Prevention Software.
V3.co.uk will post a video demo of Alan Cottom explaining the stages of hacking soon.
July 29, 2010 | Permalink | Comments (0)
Google increases payment to bug hunters
Google has increased the maximum payment for those who find a bug in its Chromium web browser to $3,133.7.
The Chromium Security Reward scheme was launched in January and Google claims that the program has been a success.
"We have been notified of numerous bugs, and some of the participants have made it clear that it was the reward program that motivated them to get involved with Chromium security," Google said in a blog post this week.
"Whilst the base reward for less serious bugs remains at $500, the panel will consider rewarding more for high-quality bug reports. Factors indicating a high-quality bug report might include a careful test case reduction, an accurate analysis of root cause, or productive discussion towards resolution."
The maximum reward for a single bug has been increased substantially from $1,337 to $3,133.7. But this will only be paid to those who find critical bugs in Chromium, the company said.
The increased reward reflects the fact that the sandbox makes it harder to find bugs of this severity, Google added.
Google follows in the tracks of Mozilla, which upped its bounty payment to $3,000 last week.
Even though Google has added $3,000 to the reward, not all users are happy, however.
"I highly doubt a $3,133.7 payoff is justifiable. If you figure an individual (or team) put in a combined effort of 160 hours, you're getting paid roughly $19 per hour," noted one commenter on the Google blog.
"I personally wouldn't waste my resources on someone who can not be justified being paid more than $19/hr. Neither would I waste my time providing any information to anyone who values their operating budget for security at $19/hour per incident."
Looks like someone woke up on the wrong side of bed... or maybe he was just upset that the reward is no longer code for elite.
July 21, 2010 | Permalink | Comments (0)
Mozilla blocks password thieving add-on
Mozilla has disabled a malicious password stealing add-on known as Mozilla Sniffer, which was uploaded on 6 June and downloaded by 1,800 users.
The add-on contained code that intercepted login data submitted to any web site, and sent this data to a remote location.
Mozilla discovered the bug on 12 July, and added it to its block list prompting the add-on to be uninstalled.
"All current users should receive an uninstall notification within a day or so. The site this add-on sends data to seems to be down at the moment, so it is unknown if data is still being collected," Mozilla said in a blog post.
Mozilla Sniffer was not developed or reviewed by Mozilla. It was in an experimental state, and all users that installed it should have seen a warning indicating it was not reviewed, Mozilla said.
A security flaw was also discovered in version 3.0.1 of the CoolPreviews add-on.
The vulnerability is triggered using a specially crafted hyperlink. If the user hovers the cursor over this link, the attacking script is given control over the host computer.
So far 177,000 users have a vulnerable version installed. This is less than 25 per cent of the install base and it will continue to decrease as more users are prompted to update to a new version, Mozilla noted.
July 15, 2010 | Permalink | Comments (0)
Facebook hit by first wave of "political hacktivism"
Facebook's ongoing problems continue after security firm AVG announced that it has discovered hacking taking place on the site in the form of "political hacktivism" emanating from Turkey, seemingly in retaliation for the recent events in Gaza.
Research by the firm found that all manner of attacks including web site defacements, denial-of-service, information theft and virtual sabotage were coming from two different sources, suggesting only two groups or individuals are involved.
Roger Thompson, AVG's chief research officer, said that although the number attacked so far was relatively small, perhaps less than fifty, there was always a risk that it could increase in number very quickly.
"The number of hacked accounts is fairly small which would indicate that it is not an automated attack. This is the first time, as far as I am aware, that Facebook has been a victim of political hacktivism," he said.
"Given the attack seems to be run by Turkish hackers, and that they once claimed a world record for defacing 37,000 pages in a day, we should not discount the thought they might find an automated way to move."
Late last year Twitter was targeted by a group calling itself the Iranian Cyber Army, which hijacked the web site domain name.
June 9, 2010 | Permalink | Comments (0)
Google now "paranoid" about security
Google is now "paranoid" about security, chief executive Eric Schmidt is reported to have told an assembled bunch of 400 chief information officers at an all day event in Mountain View yesterday.
Speaking at its inaugural Atmosphere 2010 event, Schmidt is reported to have explained that the web giant learned some hard lessons from its recent brush with Chinese hackers.
It is widely believed that the hackers gained initial access to an employee's computer via a flaw in Internet Explorer 6, from which point they managed to infiltrate deeper into Google's systems.
So what does this all mean for the security or otherwise of Google's products? Well, in a strange way the hack will probably end up being good news for the web giant's customers.
Schmidt argued that the firm has since accelerated its plans to use more of its own web-based products and services internally, such as the Chrome OS. These are "inherently more secure" than the alternatives out there, he added. Over to you, Microsoft.
April 13, 2010 | Permalink | Comments (0)
Barnet Council loses details of 9,000 children
Barnet Council has become the latest public sector body to suffer an embarrassing data breach, after unencrypted USB sticks and CDs containing the details of 9,000 schoolchildren were stolen following a burglary at an employee's home.
The details, which were held for statistical purposes by the council, included date of birth, gender and ethnicity, and all those affected have been informed, according to an FAQ section on the council web site.
Barnet Council also said it thought the risks associated with this data breach are very low, given that the burglars were "looking for high-value items rather than specifically to steal data".
"We, the council, have disabled any access to external storage devices so no member of staff can make unauthorised copies in the future," said the council.
"All computers leaving the council offices have to be confirmed as encrypted. A full independent review of how the council holds data has been ordered."
The incident highlights many of the problems the public sector faces in trying to tighten up its record on data breaches, namely that all the rules and guidelines in the world don't mean anything if staff are willing to disregard them.
March 31, 2010 | Permalink | Comments (0)
World of Warcraft users targeted in new phishing attacks
More proof emerged today that phishing attacks are not solely confined to the financial services space, as Panda Security revealed several new campaigns targeting World of Warcraft players.
In a blog post today, the vendor's technical director Luis Corrons highlighted the phishing emails designed to lure users into clicking on a malicious link. This link takes the user to a fake log-in page where they are asked to enter their username and password.
"As you have seen, the attack could be considered pretty good, both the message and the web site looked as if they were real, so we can assume that these are smart cyber criminals with high skills," he explained.
"But we know there are a lot of phishing kits out there, and that there are easy ways to accomplish these kind of attacks, so anyone could be able to do this."
These kinds of attacks are particularly dangerous given that many computer users use the same user name and passwords for multiple accounts, potentially giving the phishers access to online banking and other accounts.
Corrons added that the criminals, it turned out, were not so smart as they allowed the Panda research team to access their own database of stolen credentials.
Apparently, most of the scammed WoW players were using their email addresses as user names.
"I bet that the password used for WoW is the same one they are using for each and every online service (mail, Facebook etc)," wrote Corrons.
"And what's the moral of this story? Well, if such a moron is able to steal thousands of credentials, imagine what a smart cyber criminal could achieve."
March 29, 2010 | Permalink | Comments (1)
PandaLabs says hackers are breaking records
According to the latest internet security report from PandaLabs, hackers are breaking all established records when it comes to the nefarious business of creating new threats.
The security firm said that it had recorded five million new strains of malware in just the last three months. Alarmingly most were banking trojans, the rest a mix of adware, worms, hacking tools and spyware. Trojans took a 38 per cent share of all infections, adware was responsible for 18.68 per cent, and worms 14 per cent. Country to country, Taiwan was found to have the most active infections, 29 per cent, but is closely followed by the US and the UK, which both have roughly 25 per cent.
The risk of infection continues to worsen, according to PandaLabs, which paints a bleak picture of the future. "We are currently receiving some 50,000 new examples of malware every day, this compares to 37,000 just a few months ago. There is no reason to believe that the situation will improve in the coming months," explained Luis Corrons, technical director at PandaLabs.
PandaLabs said that crooks would throw almost every resource at their disposal in order to infect the maximum number of machines. It said that these varied from social networking attacks to search engine manipulation. The firm also fingered a few firms for exposing their users to potential risks. It called one of the vulnerabilities patched by Microsoft, 'Striking', and another, 'Alarming'.
What with all these risks out there PandaLabs suggests that users install some web security software. You shouldn't need to look too far to find a supplier of that.
October 1, 2009 | Permalink | Comments (0)
Web users ignoring certificates
Most online users simply ignore 'invalid certificate' warnings despite the security risks involved, according to a recent study by Carnegie Mellon University.
Although VeriSign, one of the biggest names behind web certification, recently announced that it has issued more than four million Secure Sockets Layer (SSL) certificates, the research brings into question just how useful they are.
"Everyone knew that there was a problem with these warnings, our study showed dramatically how big the problem was," said Joshua Sunshine, co-author of the Carnegie Mellon paper.
Although warnings can come up due to various technical issues, they exist to help protect users from being redirected to various fake sites or to help catch out typo-squatting, where online fraudsters set up sites with URLs almost identical to their target to catch out those who accidentally misspell an address when typing it in.
According to the study, most internet users simply don't know what the certificates are or what the warnings mean, while others believe they just have to be more careful on sites where these warnings appear.
Interestingly, the results seem to depend a lot on which browser was being used, primarily because the various developers use different language and prompts when displaying certificate warnings.
As a result, users of Mozilla's Firefox 3 browser were the least likely to click through after being shown a warning, and several security warnings created by the researchers themselves were even more effective. According to VeriSign, this highlights the need for education and obvious prompts that can help even inexperienced web users to be aware when something may be wrong.
"This research reminds us of the importance of providing usable tools for end users to differentiate between an authentic and an inauthentic web site and emphasises the importance of educating end users on how to use those tools," said Tim Callan, vice president of product marketing at VeriSign.
"That's why the industry has created new interface conventions like the green address bar to make it easier than ever for end users to distinguish between a real site and counterfeit site."
July 28, 2009 | Permalink | Comments (2)
How to make the web safe for kids
The European Union (EU) has adopted a new Safer Internet Programme, which will be in place as of 1 January 2009 and is aimed at making the web a safer place for kids.
To support the programme, the EU has announced funding of €55m over five years. This will cover initiatives to raise public awareness and promote a safer online environment, as well as prevent harmful content from being posted on the web.
According to the EU's budget breakdown, 66 per cent or €36.3m of the overall cash pot will be spent on education and promoting a safer web for kids, while the remaining €18.7m will go on tackling harmful content.
The EU also highlighted new research from Eurobarometer, which revealed that three quarters of six- to 17-year olds use the internet, while half of 10-year-olds have a mobile phone.
However, despite kids being comfortable with technology, their parents don't appear to feel the same. The study found that more than half of parents are concerned that their offspring will be the victim of online grooming or cyber bullying. In response, the majority of parents said they did not allow their kids to give out personal details or talk to strangers on the web.
What's worrying about the study is that 41 per cent of parents also admitted they don't use any kind of web filtering or monitoring software - so it's hard to work out how they stop their children from giving out their name, age and other details online, or from chatting to strangers. About two thirds of those not using any filtering tools said this was because they trusted their children, while 14 per cent said they don't know how to get hold of or use monitoring software.
Hopefully part of the €55m funding will trickle down into practical sessions for parents on the many available web filtering tools, how they work and where they can be downloaded or purchased from - and also a useful lesson in cynicism as I'm sure lots of the kids reassuring their parents that they don't give out any personal details or chat to people they don't know online are doing exactly that.
December 10, 2008 | Permalink | Comments (0)