Friday, August 07, 2009

Twitter admin email password reset incident

Last month a story broke about employees of the company behind Twitter being hacked. TechCrunch has published details of the incident, and the comments on their story identify some of the possible controls. In short:
- A Twitter employee used Gmail
- Gmail's password reset function sends the reset to a pre-registered secondary email address
- The employee had originally configured Gmail to use a Hotmail account for this
- The Hotmail account went unused for months and lapsed
- The hacker requested and obtained the same Hotmail address [it looks like he was able to guess it, presumably because it resembled the Gmail address]
- The hacker asked Gmail to reset the account password; the reset was delivered to the Hotmail address he now controlled
- The hacker then logged on to the Twitter employee's Gmail account
- Among the emails he could now read was the original "Welcome to Gmail" type notice containing the employee's original password, so he reset the Gmail password back to the one the real user knew, before the real user noticed it had been changed
- Using information disclosed between Twitter employees by email, and by guessing the employee's passwords to other web systems, the hacker obtained a further bunch of confidential information, including access to the email accounts of senior Twitter execs
- The hacker eventually disclosed the hack to the news media, for reasons of his own, causing public embarrassment to Twitter and fears about its evident insecurity

Tuesday, January 13, 2009

Hacker desperate to avoid extradition to the US

Hacker Gary McKinnon has to date successfully avoided extradition to the US to face up to his hacking of US military systems in 2001/2002. He continues to make full use of the British and European legal systems, his latest exploit involving allegedly admitting to an offense under the UK Computer Misuse Act in an apparent attempt to be incarcerated at Her Majesty's pleasure rather than, perhaps, end up languishing in an orange jump suit in Cuba.

Admitting to the CMA offense is surely a desperate measure since it is hardly likely to improve his defense if he ever stands before the US courts.

This is all an object lesson in the perils of hacking Uncle Sam's systems. It could literally be a life-changing experience.

Sunday, January 04, 2009

Is hacking a governance failure?

The president of a company that develops software for oil and gas exploration was sentenced to 12 months' supervised probation and fined $2,500 for hacking a competitor using an airport's wireless network connection, according to eWeek. The company is also facing charges that it sold restricted software products to Cuba, potentially implying a wider governance failure if proven rather than simply a rogue employee, albeit a very senior one.

Governance concerns are also raised by the alleged hacking of the World Bank's systems by an IT outsourcing supplier although the supplier denies the accusations. The supplier's website proudly announces that it won "the coveted Golden Peacock Global Award for Excellence in Corporate Governance for 2008" [an award that I personally hadn't heard of, but what do I know?], so it is possible that, if true, the hacker was a lone Black Hat that the company's award-winning governance processes failed to identify and/or stop.

Tuesday, December 30, 2008

New awareness module on hacking


What makes hackers tick? Who are they? What is the difference between hacking and cracking? Are phreaks and social engineers hackers too? And most of all what can we do to avoid being hacked? We can't promise to answer these questions fully but our latest NoticeBored security awareness module does at least address them.

Please sign up here to receive the free monthly awareness newsletter. We will be using Google Groups in future rather than Topica to circulate the newsletters but unfortunately this means everyone on the current mailing list must make the effort to join the Google Group to continue getting them [we'd have migrated all your email addresses ourselves except that some might consider that a privacy violation!].

Thursday, October 02, 2008

Dual use IT

A fellow inmate of CISSPforum sent us a link today to an interesting piece in the Boston Globe regarding the victim of a laptop theft using remote access software to log on to his machine and, in due course, identify the suspected thief's name and address as he typed it into a website. At last, an ethical use for a Remote Access Trojan (RAT)!

The Web is awash with organizations offering to license their RATs and keylogging Trojans but, so far as I can see, they are mostly aiming at the "Spy on your spouse" market. Some of them claim to be aiming at "Spy on your employees" or "Spy on your children", as if that legitimises their activities but, speaking personally, I find these uses unethical too. Spouses, employees and children ALL have legitimate expectations of privacy, whether online or off. To me, spying on them as they use their computers is essentially the same as spying on them in the Real World. It's underhand and unfair. Putting yourself in their shoes, how would you like to be spied upon?

[Aside: presumably there is a market for counter-espionage techniques, software that identifies RATs etc. and responds in some appropriate fashion, perhaps feeding the spies false information or simply cutting the link, the IT equivalent of firing a poison pellet into the spy's calf!].

That said, an incident close to home has made me reconsider my ethical position when a close family member discovered that her child was being 'groomed' through online chatrooms. The discovery came not through spy software but good ol' fashioned parenting - keeping a close eye on the little ones and protecting their interests. In this case, the parents' concern was justified and the groomer was stopped in his tracks, but I'm not saying that "the end justifies the means". If my relative had used spy software, I would still have found it distasteful. I think. But that's my personal perspective: you may see things differently.

Anyway, the use of spy software to recover a stolen computer seems perfectly reasonable and indeed entirely legitimate to me. The thief has no reasonable expectation of privacy while using stolen equipment. Maybe I wouldn't go so far as to say the thief has no rights at all (he is still a human being after all) but privacy is not one of them. The Globe mentions similar cases where owners have turned on built-in cameras to photograph those who are using their stolen systems - again, that's not unreasonable to me, just a creative use of technology.

Of course, thieves will see things differently.

Wednesday, July 23, 2008

SQL as an audit tool

Mike Blakley wrote a fine piece in EDPACS on using SQL queries to interrogate a database system for audit purposes.

Abstract:
"Organizations, both large and small, are increasingly reliant on database systems for their operational support needs. This is due to the adoption of accounting systems ranging from large enterprise resource planning systems, down to departmental or even desktop-based database systems. The traditional audit approach used to account for data stored in databases has relied on information technology or other support staff to extract data for audit, which was then tested by others, often technical specialists. An alternative approach, which also provides greater audit independence, is to increase the knowledge level and skills of audit staff so they can obtain this data directly and perform their audit tests independently. This article may have relevance to other IT system audits."

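As an added example of the approach the abstract describes (mine, not the article's code), here are four typical audit tests written as SQL and run directly by the auditor. The payments table is constructed sample data held in SQLite so the script runs offline; the tests, the 5,000 approval threshold and the rows are all assumed for illustration. On a real engagement the same queries would be pointed at a read-only copy of, or a read-only account on, the accounting system.

```python
"""Audit tests expressed as SQL and run by the auditor directly.

Added example in the spirit of the EDPACS article quoted above; not the
article's own code. Uses sqlite3 from the standard library so it runs
offline. The payments rows are constructed sample data, chosen so that
each test trips at least once.
"""
import sqlite3
from typing import Dict, List, Tuple

SCHEMA = """
CREATE TABLE payments (
    id          INTEGER PRIMARY KEY,
    vendor      TEXT NOT NULL,
    amount      REAL NOT NULL,
    entered_by  TEXT NOT NULL,
    approved_by TEXT NOT NULL,
    posted_at   TEXT NOT NULL   -- 'YYYY-MM-DD HH:MM:SS'
)"""

# Constructed sample rows; the comments say which test each one should trip.
SAMPLE_PAYMENTS = [
    (1, "Acme Ltd", 4990.00, "jsmith", "mlee",   "2008-06-02 10:15:00"),  # duplicate of 2, just under limit
    (2, "Acme Ltd", 4990.00, "jsmith", "mlee",   "2008-06-02 10:17:00"),  # duplicate of 1, just under limit
    (3, "Globex",  12500.00, "rpatel", "rpatel", "2008-06-03 14:02:00"),  # approved own entry
    (4, "Initech",   880.00, "jsmith", "mlee",   "2008-06-07 23:40:00"),  # Saturday, late night
    (5, "Initech",  4999.00, "rpatel", "mlee",   "2008-06-10 09:00:00"),  # just under limit
    (6, "Globex",    300.00, "mlee",   "jsmith", "2008-06-11 11:30:00"),  # clean
]

# Each test is plain SQL an auditor could run against the live system.
AUDIT_TESTS = {
    # Same vendor and amount posted more than once: possible double payment.
    "duplicate_payments": """
        SELECT vendor, amount, COUNT(*) AS n
        FROM payments
        GROUP BY vendor, amount
        HAVING COUNT(*) > 1
        ORDER BY vendor""",
    # Segregation of duties: the person who entered it also approved it.
    "self_approval": """
        SELECT id, entered_by
        FROM payments
        WHERE entered_by = approved_by
        ORDER BY id""",
    # Postings at weekends or outside 07:00-19:59.
    "out_of_hours": """
        SELECT id, posted_at
        FROM payments
        WHERE strftime('%w', posted_at) IN ('0', '6')
           OR CAST(strftime('%H', posted_at) AS INTEGER) NOT BETWEEN 7 AND 19
        ORDER BY id""",
    # Amounts within 2% below an approval threshold: possible splitting to avoid sign-off.
    "just_below_threshold": """
        SELECT id, amount
        FROM payments
        WHERE amount >= :limit * 0.98 AND amount < :limit
        ORDER BY id""",
}


def load_sample() -> sqlite3.Connection:
    """In-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO payments VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_PAYMENTS)
    conn.commit()
    return conn


def run_audit(conn: sqlite3.Connection, approval_limit: float = 5000.0) -> Dict[str, List[Tuple]]:
    """Run every test; return the exception rows keyed by test name."""
    results: Dict[str, List[Tuple]] = {}
    for name, sql in AUDIT_TESTS.items():
        params = {"limit": approval_limit} if ":limit" in sql else {}
        results[name] = conn.execute(sql, params).fetchall()
    return results


if __name__ == "__main__":
    for name, rows in run_audit(load_sample()).items():
        print(f"{name}: {len(rows)} exception(s)")
        for row in rows:
            print("   ", row)
```

The queries deliberately return rows rather than counts: an exception report the auditor can trace back to a document is the evidence, and the whole point of the article is that the auditor runs and keeps that query rather than asking IT for an extract.
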
In the same issue, Fred Cohen discusses the specification of control requirements for [real-time process] control systems and SCADA, an area that relatively few information security managers and IT auditors have experienced. I have had some exposure to this at power generation and engineering companies but admit I know next to nothing about it. Having seen conference presentations on "exploring" SCADA networks and Building Management Systems, I'm sure these are targets for curious hackers who relish the challenge of understanding obscure comms protocols and exploiting inadequate security controls. Fred's comments about the ever-deepening Internet connectedness of such networks and the historical lack of attention to security ring very true. I often wonder what fun would lie in store for hackers with access to the networks and devices, perhaps exploiting the numerous wireless command and control systems out there. Let's hope they are responsible enough to use their powers for good not evil.

All in all, another excellent issue. [The fact that I'm one of many on the EDPACS editorial board is purely coincidental, of course!]

Wednesday, June 25, 2008

Information cards

The Information Card Foundation is a trade body representing "a group of thoughtful designers, architects, and companies who want to make the digital world easier for you by building better products that help you get control of your personal information", and promoting the concept of "Information Cards". There are some big- and not-so-big-name backers.

Billed as "the digital version of the cards in your wallet" and "the new way to control your personal data and identity on the web", Information Cards (also known as InfoCards or I-Cards) are stored in an identity selector ("selector" or "digital wallet") on your desktop, browser or mobile device. Websites that accept Information Cards access the stored card, retrieving user identity and authentication information automatically without the user having to log in in the conventional way. Other information such as your shipping address can also be retrieved automagically.

So far, this sounds reminiscent of cookies (oh no!) but presumably those 'thoughtful designers and architects' have been beavering away on the security and privacy aspects. The Information Card Foundation's website doesn't actually say much about the technology, unfortunately. Perhaps they've thought through the use of powerful encryption algorithms, long keys and solid protocols. Maybe they've considered shared and public PCs, cross-site issues and more. Perhaps this time they'll get it right.

If you change your address, you only have to update it in your personal data store, and all the relationships you have established with your Information Card will be updated automatically.

OR

'If a hacker changes your address, they only need to update it in your personal data store and all the sites that use your I-Card will use the hacked version'. I wonder if the automation will be such that the user never even notices that his bank statements and goods ordered online are now being delivered to a strange PO box address half way across the country?

Use "I-Cards" to:
- login to websites with a single click
- create relationships with those you want to do business with
- manage your personal data in one place that only you and those you allow have access.
- wield the claims that other people and institutions say about you.
- prove that you are who you say you are without revealing details using trusted identity providers.

The first bullet - single click website logins - and several others on the list can be achieved already with all manner of browser-integrated password vaults.

I have no idea what bullet 4 means by "wielding claims". I understand you can wield an ax but not a claim.

The last bullet presumably implies the use of digital certificates and PKI. So that's alright then. No issues there.

I'll be interested to see how this initiative pans out. So far, it looks suspiciously like a vendor-backed "solution" looking for a market demand. Claims to the effect that the ICF will develop vendor-independent standards (for interoperability among, presumably, the ICF members) hint at the real objective here. Get something to market (or rather, 'launch the concept') and start building the I-Card brand before some idiot has the temerity to point out the flaws.

Tuesday, March 18, 2008

Addressing the growing botnet threat

A 20-minute CERT podcast gives an overview of botnets - sizeable networks of compromised computers remotely controlled by hackers and used for stealing data, identity theft, hacking other systems and spamming. Hear how compromises occur, how botnets are used and controlled by the black hats, and how to secure your systems to avoid compromise and clean out bot infections.

If you don't have audio facilities on your system, or simply prefer to read, a transcript is also available.

It is one of a small collection of information security-related podcasts from CERT, aimed at busy executives and largely nontechnical in content.

Friday, March 14, 2008

Drive-by malware alert

McAfee is warning about malware installed on 10,000 Web pages. The malware attempts to infect the systems of visitors to the sites by exploiting vulnerabilities in various common programs.

This kind of attack is yet another good reason to ensure your antivirus software is always up to date (assuming I don't need to tell you to install and run AV software!), and to load security patches promptly for all of the software programs on your system. Secunia's PSI (or NSI for corporates) is a useful tool for tracking patch releases: it keeps an eye on what's installed and which versions are current, alerting you when new patches come out. PSI, the personal home-use version, is free and recommended.

Friday, December 07, 2007

No Tech Hacking


No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing (~US$39 from Amazon, when in stock) looks like an interesting new book by Johnny Long, famous for his earlier book Google Hacking, with a foreword by Kevin Mitnick, famous for the hacking exploits that landed him in jail and for his earlier books The Art of Deception and The Art of Intrusion.

According to an interview in CSO Magazine, Johnny describes himself as a Christian hacker with plans to get the hacker community involved in charitable work. His writing reveals that he surely understands the Dark Side but, on the other hand, he does indeed openly promote the classical hacker ethic. Still, I'm quite sure Johnny would be the first to agree that social engineering and other hacker techniques could be classified as "dual use".

Kevin Mitnick clearly has Dark Side experience on his CV but, like Johnny, has achieved a lot without getting too deep into the technology.

I haven't read the book yet but it's on my Christmas wishlist (hint hint Santa).

Thursday, December 06, 2007

Info for SysAdmins/Infosec Managers on WPAD

A new Microsoft Advisory gives further details of the WPAD (Web Proxy Auto-Discovery) vulnerability recently disclosed at Kiwicon, New Zealand's first hacker conference.

The vulnerability relates to the way that Windows systems set to autoconfigure their web proxy settings go looking for the configuration file. If they don't find a host called wpad on the local network, they go up the DNS tree (DNS suffix devolution) and, under some circumstances, end up looking for a host called wpad.co.nz or wpad.co.uk or whatever. If some enterprising haxor has registered one of these domains, they can serve a malicious proxy configuration file and subsequently control the way vulnerable machines access the Web, since every web request from those machines is then routed through a proxy of the attacker's choosing.

Microsoft offers workarounds pending a proper fix of the WPAD logic. Turning off automatic proxy detection is one solution, though I'm not sure whether this can be configured for all machines in a domain using Group Policy, so it may require each machine to be configured. Similarly, there's a registry hack that needs to be applied on every machine. Another fix is to create a wpad host in your own DNS zone and serve a legitimate proxy config file from it ... but make sure it is a high-availability machine since a denial-of-service attack on it would presumably reopen Pandora's box.
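
As an added illustration (not code from Microsoft or from the Kiwicon talk), the Python below models the suffix devolution that produces those wpad.co.nz lookups, and the two ways of stopping it that the workarounds above correspond to: not devolving at all, or never devolving past the organisation's own zone. The stop-at-zone rule, the devolution cut-off at two labels and the tiny public-suffix set are simplifying assumptions for the example; the point is to see which of the candidate names an outsider could register.

```python
"""DNS suffix devolution as it applies to the WPAD lookup.

Added illustration for the advisory discussed above; not code from
Microsoft or from the Kiwicon presentation. It models, in simplified
form, the order in which a Windows client with automatic proxy
detection enabled resolves the host "wpad" by devolving its own
primary DNS suffix, and shows which candidates fall outside the
organisation's control. PUBLIC_SUFFIXES is a constructed sample.
"""
from typing import List, Optional

# Constructed sample of registry-level suffixes anyone can register under.
PUBLIC_SUFFIXES = {"com", "org", "net", "nz", "co.nz", "uk", "co.uk"}


def devolved_suffixes(dns_suffix: str) -> List[str]:
    """Suffix chain walked during devolution, longest first.

    Assumed cut-off: the walk stops once two labels remain, so for
    "sales.acme.co.nz" the chain is ["sales.acme.co.nz", "acme.co.nz",
    "co.nz"] and "nz" on its own is never tried.
    """
    labels = dns_suffix.strip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def in_zone(suffix: str, zone: str) -> bool:
    """True if suffix is zone itself or a subdomain of it."""
    return suffix == zone or suffix.endswith("." + zone)


def wpad_candidates(dns_suffix: str, devolve: bool = True,
                    stop_at: Optional[str] = None) -> List[str]:
    """Hostnames the client would query for WPAD, in order.

    devolve=False models the workaround of switching devolution off: only
    the full primary suffix is tried. stop_at=<zone> models a client that
    never devolves beyond the organisation's own zone (an assumed rule for
    this example). The defaults reproduce the vulnerable behaviour.
    """
    if devolve:
        chain = devolved_suffixes(dns_suffix)
    else:
        chain = [dns_suffix.strip(".").lower()]
    if stop_at is not None:
        chain = [s for s in chain if in_zone(s, stop_at.lower())]
    return ["wpad." + s for s in chain]


def hijackable(candidates: List[str]) -> List[str]:
    """Candidates whose parent domain is a public suffix.

    An outsider can register e.g. wpad.co.nz and answer the query with a
    proxy auto-config file of their choosing.
    """
    return [c for c in candidates if c[len("wpad."):] in PUBLIC_SUFFIXES]


if __name__ == "__main__":
    for kwargs in ({}, {"devolve": False}, {"stop_at": "acme.co.nz"}):
        names = wpad_candidates("sales.acme.co.nz", **kwargs)
        print(f"{kwargs or 'default'}: {names}  hijackable={hijackable(names)}")
```

Run against your own primary DNS suffix, the hijackable() list is exactly the set of names you should either register yourself or make unreachable by one of the workarounds; if it is non-empty and you have done neither, the legitimate wpad host you stand up only helps while it is answering.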

Good luck!

Monday, December 03, 2007

Social engineering awareness module released

Security awareness - the key to counter social engineering attacks
Instead of trying to break into computer networks and systems which are protected by technical security control measures, social engineers prefer to compromise the people that configure, use and manage them. They cheat and lie their way past those who are naïve and/or unaware of the threat. Generally speaking, people are easier to deceive than computers so social engineering remains a threat for all organizations, even those that have excellent technical security controls.

Almost anyone may be a social engineer. A social engineer is a person who is able to persuade someone else to part with information or something else of value. Parents can probably appreciate the social engineering skills of their children, even before they are able to speak!

In a work context, social engineers may be after sensitive company information: marketing strategies, details of our latest deals, pre-patent information, merger and acquisition plans etc. Such information may be extremely valuable to, say, a competitor. The social engineers may also need other pieces of information, such as login details for the network and a database server, in order to get to their ultimate goal.

Social engineers may also be interested in information about employees. Private investigators, for example, investigating suspected marital infidelity, may try to find out what time an employee normally leaves for home and where he is planning to go on his next business trip. Journalists might go fishing for information to corroborate a news story. Fraudsters and identity thieves would be interested in Social Security Numbers, bank account and credit card numbers, dates of birth etc.

Social engineers depend on being able to fool people into believing they have a legitimate right to information. The deception often works best if they look just like us: they dress like us, talk like us, behave like us. Which social engineer do you think would be more successful at ‘tailgating’ (following an employee into a building): someone who appears to be just another regular employee or someone wearing a stripy top and black face mask and carrying a bag marked SWAG? What about someone dressed as a maintenance engineer or policeman: would you refuse to let them pass? The deception is even easier on the telephone or email, since there are no visual clues to a person’s identity.


December’s NoticeBored security awareness module identifies numerous social engineering risks and controls, and is lightly sprinkled with real world examples of incidents reported in the general news media. Making employees alert to the possibility of social engineering is the first step towards resisting attack.

[Please see December’s NoticeBored newsletter for more background and an analysis of the social engineering threat.]

Monday, September 17, 2007

Viagra spam from Pfizer computers

A story in Wired shows that even major corporates are vulnerable to hackers and spammers. At least 138 Pfizer computers have been blacklisted for distributing spam for drugs such as Viagra, a Pfizer product, and Cialis, a competitor's product. The computers have presumably been taken over as 'bots' or 'zombies', remotely controlled by the hackers and used to distribute spam. It is entirely possible that the compromised machines have access to Pfizer's valuable proprietary information. Previous stories about Pfizer employees using peer-to-peer software, for example, indicate the kinds of information security weaknesses that could have led to the infections but, not surprisingly, Pfizer is not saying much about it.

Wednesday, August 01, 2007

IT professional accused of hacking former employer

An IT professional has been accused of hacking into a former employer's server to steal 4,000 confidential documents:
"A press note issued by S. Balu, Deputy Superintendent of Police, Cyber Crime Cell, said police had arrested M.S. Ramasamy, a 37-year-old software engineer from Avadi, on charges of hacking and stealing confidential and proprietary information from the server of Caterpillar, a US-based construction and mining company ... When contacted, Mr. Balu said the accused had gained access to the company’s server headquartered at Peoria in Illinois, US, using another employee’s user ID and password and downloaded over 4,000 confidential documents. A closed circuit camera had visuals of him accessing the server at the time when the files were downloaded. "

Thursday, July 19, 2007

Lurid job ads

"Hackers stole information from the U.S. Department of Transportation and several U.S. companies by seducing employees with fake job-listings on advertisements and e-mail, a computer security firm said."


The Reuters correspondent explains that victims were lured to a site with [fake] job advertisements and (presumably) phishing emails, only to have their systems infected with malware. The malware apparently evaded detection by the standard antivirus tools. Nasty.

I've long said that narrowly-targeted/custom malware is a particular threat if it slips under the antivirus silver bullet. Imagine the power of being able to select your target organization and inject your data extraction device and suck out your fill of an organization's lifeblood, with little chance of detection or prosecution. Imagine now that you are a Foreign Power or Criminal Mastermind with the money to buy such malware or the resources to recruit and train your own black squadron of evil hackers ...

Sleep well. Don't have nightmares. Leave that to us professional paranoiacs.

Saturday, June 16, 2007

The difference between black and white

The next DefCon hackers' conference will include a competition to Øwn the box. The idea of the game is for DefCon participants to hack network systems brought along by willing (or is that gullible?) sys admins. If (when) someone successfully compromises (Øwns) a box and finds the hidden random number, they get to keep (own) the box and celebrate their amazing mastery of the black arts.

The white hats who configure and donate the boxes are not allowed to interact with their own boxes (although how the conference organizers will stop them doing so via the network is unclear). The announcement suggests they should 'take the weekend off' and play Vegas (or more likely hack their peers' systems). Meanwhile, the black hats will work around the clock to bust the systems, presumably living on energy drinks, pizzas and party pills.

To the conference organizers and most of the participants - the black hats - this is all just a lark, a bit of fun. To the sys admins and security pros desperately trying to defend their systems against this kind of attack on a daily basis - the white hats - it's rather more than a simple game. The black hats need only find and exploit one serious hole per system, whereas the whities have to plug all the holes simultaneously. It's inherently unfair. Whitie life sucks.

Still, it sounds like fun to me. Am I turning into a black hat? What can the panel advise?

Friday, June 15, 2007

What the white hats are up against

In its usual tongue-in-cheek fashion, The Register describes the Black Hat world through ten features:
1. The Black Hats form a well integrated community that shares knowledge effectively
2. Becoming a Black Hat is a career option even for those who are not super geeks.
3. There are even specialist virus tools designed to circumvent specific AV products.
4. There are SDKs for the more advanced hackers.
5. There's a market for your data.
6. There are botnets to rent.
7. Some rogue websites are very subtly managed.
8. Good hackers know how to stay safe (they stay abroad)
9. The banking system has its channels
10. Not all businessmen are entirely averse to the odd hack (on a competitor)

In the sense of "know your enemy", the article presents an interesting perspective.

Monday, February 26, 2007

Book review: Google Hacking

Google Hacking for Penetration Testers by Johnny Long is a terrifying book if you are a slightly paranoid information security professional at a major corporation. You'll soon be avidly turning the pages with a growing look of shock and fear on your face, gripped by the unfolding horror story. Google Hacking puts the spotlight firmly on those dark places that many security managers fear to tread: firewall, IDS and IPS configurations, security patching practices, web application security ... need I say more?

Read this book if you dare.

Friday, February 23, 2007

TJX customer database hacked

A database hacking incident at TJX has evidently exposed bank card and drivers’ license details of millions of customers at its American, Canadian and Puerto Rican TK Maxx and other stores. The systems appear to have been hacked as far back as July 2005, some 18 months before the incident was discovered. [Generally speaking, credit card database hackers often kill the goose that lays the golden eggs by exploiting so many cards that they are traced back to the hacked originator in much less than 18 months. Perhaps the TJX hackers only recently obtained sufficient information to exploit, or perhaps they are true hackers not crackers, in other words they were driven by curiosity not malice and greed. This story is still unfolding.]

More database security, hacking, identity theft and incident management links

Monday, December 25, 2006

Congressional aide socially engineered

A congressional aide has admitted asking two jokers at Attrition.org to hack into his college's network and adjust his grades. The jokers (whom he evidently believed to be l33t hax0rs, though he would not have had the foggiest idea what those words mean) led him to believe they would do what he wanted and, in the course of the exchange, got him to reveal his Social Security Number and other personal information to make their hacking job easier. The email exchange is very amusing: the victim had no clue that he was being taken for a ride, at one point even providing photographs of a [secret] squirrel to validate his location. Be sure to read the news piece on Network World that revealed the victim's details and printed his admission and apology for making a big mistake ... which led to him being fired ... but his 15 minutes of fame now include a Wikipedia entry.

More social engineering, hacking and accountability resources

Wednesday, December 20, 2006

Insider threats info from CERT

A fascinating podcast by CERT's Dawn Cappelli describes a CERT/SEI/US Secret Service/CSO survey of the insider threat. As well as the usual roll-call of scary statistics (27% of security incidents are caused by insiders; 55% of the organizations surveyed had experienced deliberate malicious insider activity; 57% of IT sabotage attacks are committed by former employees), it mentions several interesting incidents and threats: employees deliberately stealing proprietary software and other information over a long period or just prior to moving to a new job, downloading logic bombs and framing their supervisors, creating backdoor accounts, modifying privileged scripts, or planting long-fuse logic bombs while they still have privileged system access.

To back-up the podcast, there is a wealth of information on the insider threat on CERT's website. This is evidently a focus area for CERT and (on a professional note) it is gratifying to find that employee security awareness is recognized as an important control - specifically, Dawn mentioned use of 'whistleblower hotlines', policies and so forth to encourage/facilitate employees shopping their peers. Snitching may create its own ethical dilemmas but, speaking as one who has occasionally benefited from information provided in confidence by 'snouts' aggrieved at the liberties taken by their colleagues, it is a sadly underappreciated form of control.

Account management and review processes and change/configuration change management practices are also emphasized. The podcast highlights the amount of trust placed in privileged IT insiders.

More security awareness links

Tuesday, December 19, 2006

When SysAdmins go bad

Information Week reports that "A federal prosecutor says the sentencing of a former IT systems administrator to eight years in prison for an insider attack should sound a warning to hiring managers that they need to be more vigilant about who they're putting in critical IT positions. ... The March 4, 2002 attack brought down about 2,000 servers both in the company's data center, as well as in branch offices around the country. The financial giant reported that simply cleaning up the mess and getting back online cost UBS more than $3.1 million. ... Duronio [the guilty party] has a criminal record that includes charges of burglary and assault. A presentencing report from the Probation Office in U.S. District Court also lists charges against Duronio from the 1960s, 1970s, 1980s, and 1990s. ... A spokeswoman for UBS said that when Duronio was hired in 1999, the company only ran background checks on a select number of people. Duronio was not one of them". Background checks aren't perfect but, in this case at least, should have raised concerns about the candidate prior to his employment in such a responsible position. The attack was sparked by Duronio receiving a bonus $15k lower than he expected in the aftermath of 9/11.

More links on hacking, malware, accountability, roles & responsibilities, incident management and laws, standards & regulations

Monday, December 18, 2006

Phone hacker sues bank for payment

Having been prosecuted and then discharged without conviction for hacking the Reserve Bank of New Zealand's telephone system, Gerry Macridis is now threatening legal action to be paid $7,500 for his unsolicited security advice. Gerry claims to have acted honourably by identifying security flaws in the bank's system and advising them what they needed to do to resolve them. I've never met Gerry and, based on the news reports, I have no reason to doubt his integrity, but his somewhat naive and direct approach must be a thorn in the bank's side.

More hacking links

Wednesday, October 11, 2006

Xerox copy center hack

A presentation at Black Hat 2006 by Brendan O'Connor covered Vulnerabilities in Not-So Embedded Systems. Specifically, it described a hack on a Xerox multifunction device (copy-scan-print). The machine has an embedded AMD CPU running Linux and Apache with the Xerox applications layered on top. Accessing the device remotely thanks to its web and telnet interfaces, the hacker exploited vulnerabilities in parameter handling by the applications to compromise the root account. To Brendan, this was a bit of a lark. He clearly enjoyed explaining how to hack the machine and, for example, photocopy and scan a stray paper clip and set it up as a default printing template. For Xerox, however, the presentation and exploit represent a security incident that forced them to roll out urgent security fixes to their understandably irate customers. It seems unlikely to have enhanced their reputation in the market.

More security incident management and hacking links

Wednesday, July 26, 2006

Insider threat case study

"The computer sabotage trial of a systems administrator who was found guilty of attacking the network he had been hired to protect at UBS PaineWebber is sending out a sobering message, and one that can't be stressed enough: No matter what network security you have in place, it may not be enough to protect you from one of your own. It's almost a cliché, but one that many companies still do not take seriously."

[Good insider threat case study here]

"And O'Malley also says executives need to step it up when it comes to keeping an eye on employees who are full of complaints, or are on a bad streak with the company. "Sure it will happen again," he says. "And in all likelihood it will happen because of an insider. They always say, 'Oh, he was a trusted insider.' Bingo! That's the problem. He was a trusted insider."

More information security management and hacking links

Monday, June 05, 2006

Industrial espionage laid bare

As a former NSA employee, Ira Winkler is well known on the speaking circuit for disclosing some of the cloak-and-dagger techniques used by genuine spies. His book, Spies Among Us, should be required reading for all MBA students and managers. Secrets of Superspies, a conference keynote presentation by Ira, has the usual hallmarks of his case-study style plus the analysis to explain why corporate espionage is a realistic probability for any corporation with secrets, patents or other valuable intellectual property and unethical competitors. It's enough to make me even more paranoid.
More confidentiality, social engineering and hacking resources

Saturday, May 06, 2006

Spycar anti-spyware tester

Spycar comprises a suite of routines designed to mimic various forms of spyware (in a benign fashion, of course) and thereby test your anti-spyware tools. The sequence completes with a scoring and clean-up tool that politely reverts the test changes. Having been created by Ed Skoudis of Counter-Hack fame and colleagues from the SANS ISC, one can be reasonably confident that the tests are both effective and safe. The Spycar name is a tip-o'-the-hat towards the EICAR anti-virus test sequence, an old but still useful means of confirming that your antivirus tools are working. Ed, if you're watching, how about phishcar and Troycar too?
More (anti-)malware links

Friday, March 10, 2006

How To Become A Hacker

How To Become A Hacker by Eric S. Raymond ably explains the difference between hackers, crackers and script kiddies. It teases out the ethics and ethos of hacking, and explains the value system that bonds true hackers together. An excellent treatise.
More [anti-]hacking resources

Monday, January 30, 2006

Researchers: Rootkits headed for BIOS

A SecurityFocus article picks up on the possibility of rootkits in the computer's BIOS. The same principle applies to rootkits in video BIOS and network card BIOS. The thing about these locations is that a reboot won't clear them, nor will a normal complete system rebuild - not even a new hard drive will clear them ... unless, that is, the code in the BIOS is just a stub, a loader for the main payload on disk. Given that the machine BIOS, by its very nature, gives low level access to the hardware, it is conceivable that a stub could load the remainder from another BIOS store, or from a normally inaccessible area on disk (such as a sector marked bad).
More [anti-]hacking resources

Tuesday, August 30, 2005

Hacker intrigue

Here’s a hacking story with a difference: after investigating a hack perpetrated by a suspected Chinese-government-backed gang of uberhackers, Shawn Carpenter, a network security specialist at Sandia National [nuclear research] Laboratories, got caught up in the FBI investigation. Time Magazine reports that he was dismissed by Sandia when they discovered his out-of-hours hacking, even though Shawn claims to have been encouraged by the FBI to help them track the gang. The FBI has acknowledged their role in the investigation and Shawn subsequently got his security clearance reinstated, so the story seems to hold water.
More [anti-]hacking and cracking resources

Tuesday, August 16, 2005

Techworld.com - Critical Veritas attack code loose

Contrary to uninformed opinion, MS Windows is, of course, not the only vulnerable software Out There. Right now, there’s a race between those seeking to exploit an announced vulnerability in Symantec's Veritas Backup Exec Agent for Windows and those who are desperately patching their Veritas systems.
More change management and hacking resources

Tuesday, July 26, 2005

An upside to privacy breaches?

An editorial in Chief Marketing Officer Magazine hints at a possible upside to the recent privacy breaches splattered across the press. "Privacy activists are up in arms over ChoicePoint and other high-profile security breaches at institutions such as Bank of America, DSW and CardSystems, where 40 million credit card accounts from Visa, MasterCard and other card issuers may have been compromised. Legislation to tackle growing worries over credit report information, data breach disclosures and spyware is in the political pipeline. Wary consumers are increasingly reluctant to share personal information with marketers." Well OK, maybe calling it an 'upside' is a bit cynical, but if the general public are more security aware, we're happy :-)
More anti-hacking resources

Friday, July 22, 2005

Hacking with Google


Johnny I Hack Stuff is the website of Johnny Long, author of Google Hacking for Penetration Testers (~$32 from Amazon). Johnny explains how to construct interesting Google queries in order to identify vulnerabilities such as security holes in system and application software, disclosure of sensitive information and so on.
More [anti-hacking] resources

How To Become A Hacker

How To Become A Hacker is a primer on the philosophy and ethics of hacking, more than the mechanics of hacking. Starting from the point of view that “hackers build things, crackers break them”, this is a thoughtful, well-written and stimulating piece of creative writing. “Contrary to popular myth, you don't have to be a nerd to be a hacker. It does help, however, and many hackers are in fact nerds. Being a social outcast helps you stay concentrated on the really important things, like thinking and hacking.”
More [anti-]hacking resources

Thursday, July 21, 2005

Kevin Mitnick preaches social engineering awareness

In a keynote presentation at the Citrix iForum conference in Australia today, hacker Kevin Mitnick said "social engineering appeals to hackers because the Internet is so widespread, it evades all intrusion detection systems, it's free or very low cost, it's low risk, it works on every operating system, leaves no audit trail, is nearly 100 percent effective, and there is a general lack of awareness of the problem."
More [anti-]hacking and social engineering links.

"Underground" websites

Perusing this list of 100 "underground" websites gives a flavor of what certain hackers find interesting - hacking/cracking tools and how-to courses, warez and cracked serial numbers for examples. [Warning: take great care if visiting or downloading “useful tools” from dubious websites. Some of them may exploit security vulnerabilities in your system or indeed yourself to install Trojans and other malware.]
More anti-hacking and malware resources

Tuesday, July 19, 2005

US airman convicted of hacking

The European and Pacific Stars & Stripes reports that an airman based in Japan has been convicted by a court martial for trying to hack PC files on the base using a password cracker program he downloaded from the Internet. It seems the man also uploaded a password file from the base to a personal web server through the Internet, with the risk of third party interception en route.
More anti-hacking resources

Sunday, July 17, 2005

Default login info

Next time you install a new device, load an operating system or install an application, don't forget to change the default installation username and password before you connect it to the network. Over 1700 are published at Virus.Org.
More anti-hacking resources

Thursday, July 14, 2005

US-CERT Cyber Security Bulletins

The weekly Cyber Security Bulletins from US-CERT summarize reported software security vulnerabilities such as buffer overflows. With so many bugs being reported every week, there is not much hope of securing our computer systems against determined attackers. It's like drinking from the fire hose. (We will pick up on this point in future NoticeBored modules on 'security in the SDLC' and 'bugs!'.)
More anti-hacking resources

Wednesday, July 13, 2005

Patch Tuesday

Microsoft's latest Security Bulletin describes three patches to close off critical security vulnerabilities in Windows and Word. Now that these vulnerabilities are in the public domain, it's open season for hackers to try to exploit them before everyone gets patched. The patching treadmill is a logistical nightmare for organizations running business-critical applications on numerous distributed technology platforms, creating risks to the deployment. It is critically important to strike a balance between delaying the patching (increasing the window of opportunity for the hackers) and patching too soon (before patches have been tested on all applicable platforms). More will appear on this topic in next month's NoticeBored Classic module.
More anti-hacking resources

Tuesday, July 12, 2005

End of an era for Phrack

After 20 years, Phrack magazine's editorial team are hanging up the quills and closing down the press. The last issue will be released at US hacker conventions later in July. The hacking and phreaking world will mourn the loss, shed a tear maybe, and then turn back to the web for their fix.
More anti-hacking resources

Monday, July 11, 2005

'London bombing' Trojan

The day after London was bombed, a 'London bombing' Trojan started circulating. "Virus writers have created a Trojan which poses as London terrorist attack news footage. Infected emails harbouring the Trojan pose as a CNN Newsletter which asks recipients to 'See attachments for unique amateur video shots'." Shameless.
More malware, anti-hacking and crisis management links

Saturday, July 09, 2005

Targeted Trojan emails

The threat of targeted malware attacks was discussed a few months ago in the NoticeBored Classic awareness module on malware. A US-CERT Technical Cyber Security Alert is now warning of the increased threat of Trojans that (a) elude conventional protective measures such as antivirus software and firewalls, and (b) are emailed to specific, targeted recipients. External disclosure (exfiltration, in other words theft) of data appears to be the primary purpose; the Trojans talk outbound over TCP port 80 like normal web traffic, passing straight through the perimeter firewalls.
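Because the Trojans described above use port 80 like ordinary web browsing, a firewall rule will not stop them; what gives them away is how they use it. Browsing downloads far more than it uploads and happens at irregular human intervals, whereas an exfiltration or command-and-control channel uploads heavily and often calls home on a fixed timer. The following detector, an added example written for this page rather than anything from the US-CERT alert, applies both heuristics to proxy log records. The log lines are constructed for the example (the hosts and addresses are not real), and the field layout (timestamp, source, destination, bytes out, bytes in) and the thresholds are assumptions a practitioner would tune to their own environment.

```python
"""Flag port-80 flows that look like exfiltration or beaconing rather than browsing."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log extract (already filtered to TCP/80 traffic), one flow per line:
#   <ISO timestamp> <source IP> <destination host> <bytes out> <bytes in>
SAMPLE_LOG = """\
2005-07-09T09:00:00 10.1.1.5 www.example.com 412 38211
2005-07-09T09:00:07 10.1.1.5 www.example.com 380 12090
2005-07-09T09:01:00 10.1.1.9 203.0.113.77 51200 310
2005-07-09T09:02:00 10.1.1.9 203.0.113.77 51200 305
2005-07-09T09:03:00 10.1.1.9 203.0.113.77 51200 312
2005-07-09T09:04:00 10.1.1.9 203.0.113.77 51200 299
2005-07-09T09:00:30 10.1.1.12 cdn.example.net 250 90000
2005-07-09T09:10:00 10.1.1.12 cdn.example.net 260 88000
"""


def parse_log(text):
    """Turn the constructed log text into (timestamp, src, dst, bytes_out, bytes_in) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, out_b, in_b = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(out_b), int(in_b)))
    return flows


def find_suspicious_pairs(flows, min_out_bytes=100_000, min_ratio=10.0,
                          min_hits=3, max_jitter=0.2):
    """Return {(src, dst): [reasons]} for source/destination pairs worth investigating.

    upload-heavy:     the pair has pushed at least min_out_bytes outbound and the
                      out/in ratio is min_ratio or more (browsing is the other way round).
    regular-interval: at least min_hits connections whose gaps vary by no more than
                      max_jitter (standard deviation / mean), i.e. a timer, not a human.
    Thresholds are assumptions for the example, not recommended values.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, out_b, in_b in flows:
        by_pair[(src, dst)].append((ts, out_b, in_b))

    findings = {}
    for pair, recs in by_pair.items():
        recs.sort()  # chronological order so the gaps below are meaningful
        out_total = sum(r[1] for r in recs)
        in_total = sum(r[2] for r in recs)
        reasons = []
        if out_total >= min_out_bytes and out_total / max(in_total, 1) >= min_ratio:
            reasons.append("upload-heavy")
        if len(recs) >= min_hits:
            gaps = [(recs[i + 1][0] - recs[i][0]).total_seconds()
                    for i in range(len(recs) - 1)]
            avg = mean(gaps)
            if avg > 0 and pstdev(gaps) / avg <= max_jitter:
                reasons.append("regular-interval")
        if reasons:
            findings[pair] = reasons
    return findings


if __name__ == "__main__":
    for (src, dst), why in find_suspicious_pairs(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: {', '.join(why)}")
```

In the constructed data only 10.1.1.9 talking to 203.0.113.77 trips both rules: four 50 KB uploads exactly a minute apart with tiny responses. The two browsing hosts download far more than they send and are left alone. Real proxy logs will need the thresholds tuned against known-good traffic such as software update and backup agents, which can legitimately look upload-heavy or periodic.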
More anti-hacking and malware resources

What The Hack!

What The Hack is a hacker conference taking place on a camping site in the South of The Netherlands from 28 until 31 July 2005. "The event is not just for those who already define themselves as hackers, although they will almost certainly have an excellent time. Like previous times we hope to create an opportunity for people from a great many different cultures and subcultures to meet. So no matter whether you're interested in any of the topics presented, curious about what it is we're into, feel there are some cultural connections missing that you could facilitate, or if you just want to hang out with some of the brightest and funniest people we know: please come."
More (anti-)hacking resources

Thursday, July 07, 2005

MS UK site hacked

A Microsoft UK website has been defaced with a GIF image file supporting a hacker arrested in April. The Register reports that the GIF has been removed. Crude website defacements of this nature are at the 'vandal' end of the hacking scale, way below the level of concerted terrorist IT infrastructure attacks feared by military security experts.
More anti-hacking resources

SSNs exposed by college server hack

In yet another college server hack, personal information including Social Security Numbers has been exposed. The college has belatedly removed SSNs from the server but why they were there in the first place is not clear. "If someone has a name and Social Security number, they can apply for a credit card, so this is a major issue". A separate news story reports that "many colleges and universities used a student's social security number as their primary student identifier, until recently [and] some schools still have not stopped the practice." In the UK and other countries, national identity numbers are not generally used as secrets for personal authentication purposes and individuals need to provide additional information, such as something proving their home address: the US seems behind the curve on this one.
More anti-hacking resources

'Hunting season' for computer attackers

The Toronto Globe And Mail yesterday ran a well-written piece about the upsurge of computer crime. The article makes the case that criminals are turning to electronic crime due to the enormous opportunities opened up by the combination of numerous insecure systems on the Internet, widespread lack of awareness of basic security measures by users, and the disjointed trans-national law enforcement activities. This is not just scare-mongering, the story is illustrated with news of recent hacking incidents and quotes from professionals in the field. The worrying trend is every bit as clear as global warming.
More anti-hacking resources here

Man charged with stealing WiFi signal

A Florida man has been charged with unauthorized access to a WiFi network. The man admitted using a laptop PC in an SUV parked outside the house to 'steal' WiFi access. The case will presumably center on whether the WiFi network was adequately secured - most aren't.
More wireless networking security and anti-hacking resources

Chinese student arrested for hacking

A Chinese student has been arrested in Tokyo, allegedly for hacking into up to 14 companies' systems to obtain information on their customers.
More anti-hacking resources

Wednesday, July 06, 2005

Decoys for the Pentagon

US Military experts have proposed the use of 'decoys' (commonly known elsewhere by the term 'honeypots') as a defensive move to protect the Pentagon Network from hackers. Now there's an idea.
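The value of a decoy is that it has no legitimate users, so every connection to it is an event worth looking at. The class below is an added example written for this page (it is not anything the Pentagon or the quoted experts proposed): a low-interaction TCP decoy that presents a fake service banner, records who connected and the first bytes they sent, and exposes the records for an alerting pipeline to pick up. The banner text and the loopback address are assumptions for the demonstration; a real deployment would bind the decoy to an unused address on the production network and ship its records to the monitoring system.

```python
"""A minimal low-interaction TCP decoy (honeypot) that records every visitor."""
import socket
import threading
from datetime import datetime, timezone


class Decoy:
    """Listen on a port nothing legitimate should touch; log each connection and its first bytes."""

    # Fake banner (assumed for the example): makes the decoy look like a service worth attacking.
    DEFAULT_BANNER = b"220 ftp.example.internal FTP server ready\r\n"

    def __init__(self, host="127.0.0.1", port=0, banner=DEFAULT_BANNER):
        self.banner = banner
        self.hits = []  # one record per connection
        self._cond = threading.Condition()
        self._stop = threading.Event()
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._srv.bind((host, port))  # port 0 lets the OS pick a free port
        self._srv.listen(5)
        self._srv.settimeout(0.2)  # so the accept loop can notice a stop request
        self.port = self._srv.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join()
        self._srv.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, peer = self._srv.accept()
            except socket.timeout:
                continue
            threading.Thread(target=self._handle, args=(conn, peer), daemon=True).start()

    def _handle(self, conn, peer):
        record = {"time": datetime.now(timezone.utc), "peer": peer[0],
                  "peer_port": peer[1], "data": b""}
        try:
            conn.settimeout(2.0)
            conn.sendall(self.banner)
            # Capture what the visitor sends first (a login attempt, an exploit string...).
            # The decoy never acts on it; it only records it.
            record["data"] = conn.recv(1024)
        except (socket.timeout, OSError):
            pass
        finally:
            conn.close()
        with self._cond:
            self.hits.append(record)
            self._cond.notify_all()

    def wait_for_hits(self, n, timeout=3.0):
        """Block until at least n connections have been recorded; True if that happened."""
        with self._cond:
            return self._cond.wait_for(lambda: len(self.hits) >= n, timeout)

    def alerts(self):
        """Render each recorded connection as one alert line for a log or SIEM."""
        return [f"{h['time'].isoformat()} decoy hit from {h['peer']}:{h['peer_port']} "
                f"sent {h['data']!r}" for h in self.hits]


def probe(port, payload, host="127.0.0.1"):
    """Stand-in for an attacker's scanner: connect, read the banner, send one line."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        banner = s.recv(1024)
        s.sendall(payload)
        return banner


if __name__ == "__main__":
    decoy = Decoy().start()
    print("decoy listening on port", decoy.port)
    probe(decoy.port, b"USER anonymous\r\n")
    decoy.wait_for_hits(1)
    decoy.stop()
    for line in decoy.alerts():
        print(line)
```

The decoy deliberately does nothing with what it receives beyond recording it, which is what keeps it low risk: it cannot be used as a stepping stone. The point of the exercise is the alert, so in practice the records should go to the same place as firewall and IDS logs rather than stay on the decoy host, where an intruder who notices the trap can delete them.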
More anti-hacking resources

Tuesday, July 05, 2005

Monitoring attacks on Windows networks

Microsoft's Security Monitoring and Attack Detection Guide is designed to help organizations plan a security monitoring and attack detection system based on Windows Security Event logs. It explains how to interpret the events (albeit within the rather limited capabilities of standard Windows tools) and which events indicate the possibility that an attack is in progress.
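One of the attack patterns such a guide covers is password guessing: a run of failed logons for one account from one workstation, possibly followed by a success once the guess lands. The detector below is an added example written for this page, not code or event lists from Microsoft's guide. It uses the event IDs Windows 2000, XP and 2003 wrote to the Security log in 2005 (529 and its neighbours for failed logons, 528 and 540 for successful ones); Windows Vista and later renumbered these to 4625 and 4624, which is noted in the code as an assumption to adjust for current systems. The event records are constructed for the example and the five-failures-in-two-minutes threshold is an assumption to tune per site.

```python
"""Detect password-guessing patterns in Windows Security log events (sample data constructed)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs as written by Windows 2000/XP/2003 (the platforms of the 2005 guide).
# Assumption for newer systems: Vista and later use 4625 for failures, 4624 for successes.
FAILED_LOGON = {529, 530, 531, 532, 533, 534, 535, 537, 539}
SUCCESS_LOGON = {528, 540}

# Constructed Security log extract: (time, event ID, target account, source workstation)
SAMPLE_EVENTS = [
    ("2005-07-05 08:00:01", 540, "alice", "WS01"),
    ("2005-07-05 08:01:30", 529, "bob", "WS02"),        # two typos then success: normal
    ("2005-07-05 08:01:42", 529, "bob", "WS02"),
    ("2005-07-05 08:01:55", 528, "bob", "WS02"),
    ("2005-07-05 08:02:10", 529, "backupsvc", "WS77"),  # burst of failures then success
    ("2005-07-05 08:02:15", 529, "backupsvc", "WS77"),
    ("2005-07-05 08:02:21", 529, "backupsvc", "WS77"),
    ("2005-07-05 08:02:30", 529, "backupsvc", "WS77"),
    ("2005-07-05 08:02:44", 529, "backupsvc", "WS77"),
    ("2005-07-05 08:02:50", 540, "backupsvc", "WS77"),
    ("2005-07-05 09:15:00", 529, "Administrator", "WS77"),  # burst, no success (yet)
    ("2005-07-05 09:15:03", 529, "Administrator", "WS77"),
    ("2005-07-05 09:15:07", 529, "Administrator", "WS77"),
    ("2005-07-05 09:15:12", 529, "Administrator", "WS77"),
    ("2005-07-05 09:15:18", 529, "Administrator", "WS77"),
    ("2005-07-05 09:15:25", 529, "Administrator", "WS77"),
]


def parse_events(records):
    """Normalise the constructed records: real timestamps, case-folded names, time order."""
    events = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, acct.lower(), ws.upper())
              for ts, eid, acct, ws in records]
    events.sort()
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Return alerts for (account, workstation) pairs showing password guessing.

    failure-burst:          `threshold` failed logons inside `window` (raised once per burst).
    success-after-failures: a success while `threshold` or more failures are still in the window,
                            i.e. the guess probably worked and the account should be treated
                            as compromised.
    """
    recent = defaultdict(list)  # (account, workstation) -> failure timestamps still in window
    alerts = []
    for ts, eid, acct, ws in events:
        fails = recent[(acct, ws)]
        fails[:] = [t for t in fails if ts - t <= window]  # forget failures that aged out
        if eid in FAILED_LOGON:
            fails.append(ts)
            if len(fails) == threshold:  # == so one burst yields one alert, not one per extra failure
                alerts.append({"kind": "failure-burst", "account": acct,
                               "workstation": ws, "failures": len(fails), "at": ts})
        elif eid in SUCCESS_LOGON:
            if len(fails) >= threshold:
                alerts.append({"kind": "success-after-failures", "account": acct,
                               "workstation": ws, "failures": len(fails), "at": ts})
            fails.clear()  # a successful logon ends the current run of guesses
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(f"{a['at']} {a['kind']}: {a['account']} from {a['workstation']} "
              f"after {a['failures']} failures")
```

On the constructed data bob's two mistyped passwords are ignored, backupsvc raises a burst alert and then the more serious success-after-failures alert, and the Administrator guessing from the same workstation raises a burst alert once rather than on every further attempt. Note that the detector only sees what is logged: if the audit policy does not record failed logons, or the log is allowed to wrap, the pattern never appears, so the audit policy and log retention are the first things to check before trusting any such rule.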
More anti-hacking resources

Monday, July 04, 2005

Bank workers biggest ID theft threat

deseretnews.com reports that customer details have been sold to identity thieves by employees of Bank of America, Wachovia and two other banks. "We've got a nasty problem and it keeps getting worse over the past couple of months," said Peter G. Neumann, a security expert with SRI International in Menlo Park [and manager of the RISKS mailing list], Calif. "Insiders have always been a concern, it's just that (institutions) are finally admitting it."
More anti-hacking resources.

Friday, July 01, 2005

Help! I Think I've Been Hacked!

Help! I Think I've Been Hacked!! is a common cry on IT bulletin boards. Non-technical people usually don’t understand why hackers have hacked them, nor how they did it. All they want to do is get the hackers out - no mean feat without IT knowledge, even using the antivirus and antispyware tools commonly available. Keeping the hackers out is a further challenge but at least former hacking victims should be well aware of the threat.
More anti-hacking resources

Rootkits

Find out why you should beware rootkits on your systems. Rootkits typically install modified operating system binaries such as "ls" (the UNIX file-listing command) to conceal the presence of hacking tools from naive system administrators. The tools themselves give hackers complete control of a compromised system and often provide backdoors into the system in case the primary mode of entry is blocked.
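The classic defence against a replaced ls is not to trust ls: record cryptographic hashes of the system binaries while the system is known to be clean, and later compare the files on disk against that baseline. The following is an added example written for this page, in the style of the file-integrity checkers the text alludes to; it is not code from any such product. It builds a baseline, simulates a rootkit swapping one binary and dropping a hidden file, and reports the differences. The demo works in a temporary directory with made-up file contents, so the paths and names are assumptions for the example.

```python
"""Baseline-and-compare file integrity check for spotting trojaned system binaries."""
import hashlib
import os
import tempfile


def hash_file(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def baseline(root):
    """Map every regular file under root (relative path, / separators) to its hash and size."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # a symlink is recorded by what it points at elsewhere, not here
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {"sha256": hash_file(full), "size": os.path.getsize(full)}
    return manifest


def compare(expected, actual):
    """Report which files changed, appeared or vanished since the baseline was taken."""
    return {
        "modified": sorted(p for p in expected if p in actual
                           and expected[p]["sha256"] != actual[p]["sha256"]),
        "added": sorted(p for p in actual if p not in expected),
        "missing": sorted(p for p in expected if p not in actual),
    }


def demo():
    """Simulate a clean baseline, then a rootkit install, and return what the check finds."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        # Constructed stand-ins for system binaries (real ones are ELF/PE files, not text).
        for name, body in (("ls", b"original ls binary"), ("ps", b"original ps binary")):
            with open(os.path.join(root, "bin", name), "wb") as f:
                f.write(body)
        clean = baseline(root)  # taken while the system is trusted, ideally stored offline

        # A rootkit replaces ls with a version that hides its files, and drops a hidden tool.
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"trojaned ls binary that hides /bin/.hidden")
        with open(os.path.join(root, "bin", ".hidden"), "wb") as f:
            f.write(b"backdoor")

        return compare(clean, baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths or '-'}")
```

Two caveats decide whether this actually helps. First, the baseline and the checker must live somewhere the intruder cannot reach (read-only media or another host), otherwise the rootkit simply updates them. Second, a kernel-level rootkit can lie to the checker about what is on disk, in which case the comparison has to be done with the disk mounted from a trusted boot image rather than from the running, possibly compromised, kernel.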
More (anti-)hacking resources

Thursday, June 30, 2005

NoticeBored July - The Hacking Threat

This month, our security awareness materials explain how hackers, crackers, phreaks and other assorted geeks go about their business. Hacking is a serious threat to organizations and individuals who depend on their information assets, and especially those of us connected to the Internet. A number of security surveys have shown however that hacking perpetrated by insiders is a threat even if your organization has no external network connections at all.
More (anti-)hacking resources here

Sunday, February 27, 2005

ITsecurity.com's Security Clinic

ITsecurity.com's Security Clinic is the place to ask dumb or intelligent questions about information security. A panel of experts will respond positively to all but the lamest (questions along the lines of 'How do I hack X?' are either ignored or treated with professional disdain).
