My thoughts about hacking... [Part 1]

DomainReseller

Is security really that critical? If so, why are some of the largest software companies providing such a bad example for the rest of the industry? Why would someone want to target my website? Why is security often overlooked?

These are all common questions that arise on a daily basis within the online industry. The rest of this article will provide some detailed answers, along with practical examples and true scenarios.

I've spoken with numerous hackers over the past short while. I can't count the number of times I've heard the line "Ignorant site owners deserve to be hacked". In my opinion, that's like claiming that cars without alarms deserve to be stolen, or homes without alarm systems deserve to be burglarized. It's not just wrong - it's illegal.

Security risks and vulnerabilities affect the entire online industry. When a single website is hacked, there are usually multiple other victims. This is most commonly seen with widely distributed software. A potential attacker has the ability to install the software on a test environment, locate the vulnerabilities, then attack random victims even before anyone else is aware of the potential exploits. Once a vulnerability is located, the attacker simply needs to search for other environments using the same software, and within minutes there are hundreds, often thousands of potential victims.

Typically, in the race to market, software providers are encouraged to release their products as soon as the applications are usable. Critical development procedures are often overlooked or intentionally bypassed. One such miss is an application vulnerability assessment. Although the product may be usable, the effects of a vulnerable application could be severe.

Sadly, nobody is "off limits" when it comes to hacking. Most hackers feel safe committing online crime, since the online industry has evolved much faster than the security industry. Many applications are not created with the intent to recognize hacking attempts. Some hackers view their actions as a competition - Who can attack the most valuable website? Who can exploit the most user databases? In many cases, these attacks are bragged about within the hacker's immediate network. The competitive nature of these hacking groups has become so severe, there have been reports of attacks between competing organizations.

You might ask, "If I use industry standards, won't my environment be secure?". The short answer: no, but it helps. Hackers are not restricted by industry standards. Most security companies only implement new standards once at least one victim is reported. This often gives hackers plenty of time to locate other vulnerable environments, and before long, the number of victims can increase rapidly. Hackers are some of the most innovative individuals within the online industry. The most logical way to combat them is to use similar methodology for security purposes.

---

Source: http://igosh.org/forums/showthread.php?t=544

Written by Matt Tanenbaum
International Group of Online Security Help
http://www.iGosh.org/
June 7, 2008
 
DomainReseller said:
The most logical way to combat them is to use similar methodology for security purposes.
I like your last line; it is such a mystery. So there are similar tools to combat them? I bet these are hacker tools as well; as they say, to catch a hacker you need a hacker.

I for one have been hacked before, but I found out it's because of my carelessness, logging into public cyber cafes for one. Mostly here in the Philippines the owners themselves have installed keyloggers to spy on their users; if they see they're going to porno sites, they disallow that person from coming back to their cybercafe.
 
Hacking tools are not required to detect vulnerabilities. Tools are generally used to save time, they simply perform automated functions that the hacker would normally do manually. Site owners can be more innovative when it comes to security by performing basic penetration tests to ensure that their environments are not vulnerable. If the site owner lacks the knowledge required to perform this task (as most website owners appear to), iGosh.org offers vulnerability assessments and other security services.
 
So your site does defensive and offensive ways of combating hackers? "Combating" sounds like you will hack the hacker. It's been discussed here before in our country that there are companies offering services to re-hack hackers to get to the information stolen.

DomainReseller said:
Hacking tools are not required to detect vulnerabilities. Tools are generally used to save time, they simply perform automated functions that the hacker would normally do manually. Site owners can be more innovative when it comes to security by performing basic penetration tests to ensure that their environments are not vulnerable. If the site owner lacks the knowledge required to perform this task (as most website owners appear to), iGosh.org offers vulnerability assessments and other security services.
 
Even ICANN and IANA had a few of their sites hacked recently. Talk about a few arguably bad examples.
 
weblord said:
so your site does defensive and offensive ways of combating hackers, combating depicts like you will hack the hacker. it's been discussed here before in our country that there are companies offering services to rehack hackers to get to the information stolen.

We do not perform any malicious attacks. The only hacking attempts that we perform are on secure test environments. When a client requests that we provide a vulnerability assessment for their existing online environment, their environment is transferred to an off-site test server. Once the environment is cloned, we test the environment the same way that a hacker would. This method ensures that the security measures implemented are at least one step ahead of any hacker who might try to maliciously attack the site or server.

Contrary to your statement, we do not "rehack hackers". We do not "get revenge" on hackers using any illegal methods. The only action we take involving a specific hacker is providing the proper authorities with information regarding the attack, including any information we locate about the attacker.
 
OK, thanks for the clarification.
So here are your 2 prospects, btw:
and burst.net

Dave Zan said:
Even ICANN and IANA had a few of their sites hacked recently. Talk about a few arguably bad examples.
 
Hackers? Out there are kids wanna be hackers and, on the other side, there are well-organized criminal groups: Russian Business Network, Network Crack Program Hacker and Honker Union of China. The first ones "earn" a few bucks or nothing with their activities, the second ones "earn" billions. There is no solution for RBN, NCPH and HUC today. They are well organized, smart and evil... and very wealthy now (I think they will try to go to the legal side in the near future). RBN, NCPH and HUC give a bad reputation to the Russian and Chinese online community globally.

Warning for domainers: these days a lot of domains which belonged to RBN will drop (e.g. rbnnetwork.com, akimon.com etc). These domains probably have a lot of traffic, but don't be stupid enough to pick them.

Interesting to read: Cybercrime Now Worth $105 Billion, Bypasses Drug Trade
 
ajkula said:
Hackers? Out there are kids wanna be hackers and, on the other side, there are well-organized criminal groups: Russian Business Network, Network Crack Program Hacker and Honker Union of China. The first ones "earn" a few bucks or nothing with their activities, the second ones "earn" billions. There is no solution for RBN, NCPH and HUC today. They are well organized, smart and evil... and very wealthy now (I think they will try to go to the legal side in the near future). RBN, NCPH and HUC give a bad reputation to the Russian and Chinese online community globally.

Warning for domainers: these days a lot of domains which belonged to RBN will drop (e.g. rbnnetwork.com, akimon.com etc). These domains probably have a lot of traffic, but don't be stupid enough to pick them.

Interesting to read: Cybercrime Now Worth $105 Billion, Bypasses Drug Trade

Your response is a very common misconception. Although there are some large criminal groups, many of the severe attacks are performed by young hackers, or "kids wanna be hackers". Their minimal experience does not eliminate the threat. Within the online industry, it's common for users to accidentally locate security risks, although it's impossible for users to "accidentally locate security". Based on this factor, the odds are automatically against the site owner. Innovation is required to maintain a secure online environment.

Additionally, the "minor" hacking attempts are criminal as well. The problem with these attacks is that they are usually overlooked by government agencies, even though the long term effects can be catastrophic. Countless companies have lost a substantial amount of revenue or even gone out of business due to "minor" hacking attempts.
 
That was a great read. Looking forward to part 2. I think one of the greatest things iGosh can do is to inform people that hacks do happen, every day, and that people need to protect themselves before it's too late.
 
thebrokenbox:

Your feedback is appreciated. Part two is in progress. It should be available sometime next week.
 
Your article is biased as you have an agenda to promote your service.

I can tell you're full of hot air by this statement.

Hacking tools are not required to detect vulnerabilities.

Ugh...what do you think hacking tools are? Netstat...it's a hacking tool. Need I say more?

I personally don't accept the "he deserved to be hacked" routine. Whenever people make excuses for their evil deeds I am not impressed. Just say you're a bastard and get off on others' misery.

One thing you are right about...most "hackers" are just script kiddies that talk a LOT of smack. However I can tell you for fact that I get dozens of attempts to my server every day. Beware the Russians. They are hackers of a new breed..doing it for monetary gain such as creating spambots.

Hacking is also not a term that necessarily has a negative connotation. There are degrees of hacking. Black hat, white hat, and grey hat are usually how hackers term themselves. Then of course there are crackers and phreaks too.

Your response is a very common misconception. Although there are some large criminal groups, many of the severe attacks are performed by young hackers, or "kids wanna be hackers".

You have any proof of this? What do you consider a "severe attack"?

The most logical way to combat them is to use similar methodology for security purposes

lol...duh..but you said that hacking tools are not required...well then what "methodology" are you talking about?

I would love to test a box you think you have secured. I own a hacker forum, and if you think you can secure a box well and want to REALLY test it, give me an IP. :)

Oh and after checking out your site...what references do you have that people should trust you. Do you have any certifications? What makes you qualified?

We have eliminated this concern by creating local test environments which enable us to mirror your entire website or server environment, then test for security risks and vulnerabilities without the risk of data loss or downtime.

You offer this service for FREE? Out of the goodness of your heart...awe. But I don't buy it. Your domain is 2 months old. Again...I wouldn't trust you to enter my server.
 
All this talk about russian hackers and gaping vulnerabilities reminds me of the movie Hackers. Hack the planet man! Seriously, we can hack the school's sprinkler system and find the pool on the roof.

Why are people so mystified with hacking? Take the time to look into it a bit and you'll find it's not as exciting and glamorous as everyone makes it out to be. A movie about a real hacker would be boring as hell.

And for the most part, hacking is all automated these days. It's not like most hackers sit there and take the time targeting a specific website and try to gain access to it using a plethora of ingenious methods. I mean it happens, but in most cases, it's just a bunch of script kiddies who run a script in the background on autopilot that tests massive amounts of sites against a database of vulnerabilities and then dings like the microwave when it finds something.

It's not exactly brain science these days and if corporate America would get their heads out of their asses and stop rushing products to market to maximize profits on something they threw together haphazardly, you wouldn't create glaring opportunities for these half-assed hackers to exploit. This is not to say that I agree with hacking, because I don't. But we do live in a nation where it's become socially acceptable to steal music and movies online, so I can understand why they might think what they do is alright. It certainly isn't for the reasons it once was, so they have to have some excuse.

But really the hacker has gone the way of the rest of the world... They've become consumers, addicted to mass production, fast food and mindless entertainment. Perhaps literally and figuratively. There's really no purity in anything these days.

The upside to being hacked is that you can claim they destroyed proprietary software worth millions like the big corporations do and write that off on your taxes next year! :) Uncle Sam feels your loss.

No but seriously, I highly recommend backing up your data regularly and storing it off-site. Can't stress that enough.
 
labrocca said:
I personally don't accept the "he deserved to be hacked" routine. Whenever people make excuses for their evil deeds I am not impressed. Just say you're a bastard and get off on others' misery.

I would love to test a box you think you have secured. I own a hacker forums and if you think you can secure a box well and want to REALLY test it..give me an IP. :)

Oh and after checking out your site...what references do you have that people should trust you. Do you have any certifications? What makes you qualified?

You're EXACTLY correct. Having a forum, whether security assessment or hacking, doesn't make you qualified for anything. That's why this was posted as a personal opinion. If anything, you guys should be getting together to educate people that think backing up data off-site is good enough.


Ronald Regging said:
No but seriously, I highly recommend backing up your data regularly and storing it off-site. Can't stress that enough.

There is more to it than just backing up the data and storing it off-site. Time is money so owners of money making sites, for example, would want to explore possible exploits BEFORE they happen. Not wait for them to happen, then restore the website after losing a days worth of revenue.

The key here is application vulnerability assessment. Ever heard "prevention is the best medicine"? Your method runs away from the problem, as most people do, out of laziness. It is a great practice to back up the site, so don't get me wrong. But don't make it sound as if it's okay to set the alarm in the house every night before you go to bed but leave the car door open, granting thieves access to the garage door opener.

"Ensure your environments are not vulnerable," as DR stated. "Test the environment the same way that a hacker (burglar) would." Think just like a thief in the night.
 
There are a lot of malicious, automated scripts out there these days. IMO, I would not worry about hackers so much; if they're going to target you, shit happens. Like Ronald said, always keep off-site, up-to-date backups. Watch your permissions! I use Joomla a lot; there's a nice free mod for MySQL/PHP injection support. I've heard some horror stories about PIDs and affiliate links being switched out. Don't want to end up like this guy! lol http://www.slightlyshadyseo.com/index.php/funniest-footprint-ever/
 
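The MySQL/PHP injection the post above mentions is easiest to understand with the bug and its fix side by side. This is an added example, not code from the thread or from Joomla or any of its add-ons: the same login lookup written the vulnerable way (user input spliced into the SQL text) and the parameterized way, run against an in-memory SQLite table. The users, passwords and attack strings are constructed for the demo. In PHP against MySQL the fix is the same idea, a prepared statement with bound parameters (mysqli or PDO) instead of string concatenation.

```python
"""SQL injection: the string-built login query beside its parameterized fix.

Added example, not code from this thread or from Joomla. Python's built-in
sqlite3 stands in for PHP+MySQL; the users table, passwords and payloads
are constructed for the demo.
"""
import sqlite3

def make_db():
    """In-memory table with two constructed accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    # Plaintext passwords are a second, separate mistake; kept here only so
    # the query construction is the single thing under the microscope.
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("admin", "correct horse battery staple", "admin"),
        ("alice", "hunter2", "user"),
    ])
    return db

def login_vulnerable(db, username, password):
    """The classic bug: user-controlled text becomes part of the SQL program."""
    sql = ("SELECT username, role FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return db.execute(sql).fetchone()

def login_safe(db, username, password):
    """Parameterized query: values travel separately from the statement, so a
    quote or comment marker in the input can never change its structure."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()

# Two constructed payloads an automated scanner would try against a login form.
COMMENT_OUT_REST = "admin' --"        # closes the quote, comments out the password check
ALWAYS_TRUE = "' OR '1'='1"           # turns the WHERE clause into a tautology

def demo():
    """Run both payloads through both versions; returns the rows each one got."""
    db = make_db()
    return {
        "vuln_comment":   login_vulnerable(db, COMMENT_OUT_REST, "wrong"),
        "safe_comment":   login_safe(db, COMMENT_OUT_REST, "wrong"),
        "vuln_tautology": login_vulnerable(db, "nobody", ALWAYS_TRUE),
        "safe_tautology": login_safe(db, "nobody", ALWAYS_TRUE),
        "safe_real":      login_safe(db, "alice", "hunter2"),
    }

if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:15} -> {row}")
```

The vulnerable version hands the attacker the admin row for both payloads; the parameterized one returns nothing for them and still works for a genuine login. Note what parameters do not cover: table and column names cannot be bound, so if those ever come from the user they need an allow-list, and the database account the site logs in with should have only the privileges the application needs (the "watch your permissions" advice above, applied to the database user as well as to files).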
weblord said:
i like your last line it is such a mystery, so there are similar tools to combat them? i bet these are hacker tools as well, as they say to catch a hacker you need a hacker.


Hackers don't use magical tools that are not available elsewhere. Most tools hackers use were actually intended for other purposes.

Just like a knife is used as a cutting instrument it can also be used to stab people, that was not the use it was provided for. The same is true for many hacking tools.

Sometimes all you need to hack into a server is knowledge of a bug in a piece of software, a telnet client and a port scanner to find vulnerable machines.

And yes the best way to defend against hackers is to think like a hacker. If you can think like a hacker you can then figure how to defend against a hacker.
 
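Peter's "a known bug, a telnet client and a port scanner" is exactly what the automated tools wrap up, so here it is as an added example, not code from the thread or from any tool it mentions. The script starts two throwaway listeners on 127.0.0.1 so that it runs offline, scans the handful of ports around them, reads each service's greeting the way you would by hand with telnet, and matches the greetings against a KNOWN_BAD table of vulnerable version strings. The service names, versions and notes in that table are invented for the demo; the technique is the point. Only ever run this kind of thing against hosts you are authorized to test.

```python
"""Port scan, banner grab, match against known-bad versions.

Added example, not code from this thread. Two throwaway listeners on
127.0.0.1 stand in for real services so the script runs offline; the
KNOWN_BAD table of vulnerable version strings is invented for the demo.
Only scan hosts you are authorized to test.
"""
import socket
import threading

# Hypothetical knowledge base: banner substring -> what is known about it.
KNOWN_BAD = {
    "ExampleFTPd 1.2.3": "hypothetical: overflow in USER command",
    "DemoSSH 0.9": "hypothetical: authentication bypass",
}

def grab_banner(host, port, timeout=0.5):
    """Connect and read whatever the service says first. Returns None if the
    port is closed, "" if it is open but silent (client-speaks-first protocol)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                data = s.recv(256)
            except socket.timeout:
                data = b""
    except OSError:
        return None
    return data.decode("ascii", "replace").strip()

def scan(host, ports):
    """Return {port: banner} for every open port in `ports`: the automated form
    of walking a port list with a scanner and then telnetting to each hit."""
    open_ports = {}
    for port in ports:
        banner = grab_banner(host, port)
        if banner is not None:
            open_ports[port] = banner
    return open_ports

def assess(open_ports):
    """Return [(port, banner, note)] for banners matching the KNOWN_BAD table."""
    hits = []
    for port, banner in sorted(open_ports.items()):
        for needle, note in KNOWN_BAD.items():
            if needle in banner:
                hits.append((port, banner, note))
    return hits

def start_fake_service(banner, port=0):
    """Constructed stand-in for a daemon: serves one client, sends `banner`,
    then goes away. Returns the port it listens on (port=0 picks a free one)."""
    srv = socket.socket()
    try:
        srv.bind(("127.0.0.1", port))
    except OSError:
        srv.close()
        raise
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def demo():
    """Start a vulnerable-looking and a patched-looking service, scan the few
    ports around them, and return (vuln_port, ok_port, open_ports, hits)."""
    p1 = start_fake_service(b"220 ExampleFTPd 1.2.3 ready\r\n")
    for cand in range(p1 + 1, p1 + 50):       # next free port keeps the scanned range small
        try:
            p2 = start_fake_service(b"Welcome to PatchedHTTPd 5.0\r\n", cand)
            break
        except OSError:
            continue
    else:
        raise RuntimeError("no free port near %d" % p1)
    open_ports = scan("127.0.0.1", range(p1 - 2, p2 + 3))
    return p1, p2, open_ports, assess(open_ports)

if __name__ == "__main__":
    p1, p2, open_ports, hits = demo()
    for port, banner in sorted(open_ports.items()):
        print(f"{port}/tcp open  {banner!r}")
    for port, banner, note in hits:
        print(f"!! {port}/tcp  {note}")
```

Two things the toy makes visible that matter in practice. First, a banner is only a claim: distributions backport fixes without bumping the version string, and admins can change or suppress banners, so a match is a lead, not proof, and a missing match is not safety. Second, the defender's version of this same loop is the inventory: run it against your own hosts on a schedule, and anything listening that you did not put there is the finding.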
peter@flexiwebhost said:
Just like a knife is used as a cutting instrument it can also be used to stab people, that was not the use it was provided for.

Nicely put. Makes me look at many things online and off in a new way.
 
And yes the best way to defend against hackers is to think like a hacker. If you can think like a hacker you can then figure how to defend against a hacker.

And just as a hacker thinks of new ways to attack...I think of new ways to defend. I am constantly hardening my security. My knowledge for protection is pretty strong and I could easily use it to penetrate or DDOS other systems. If you protect against a vulnerability then obviously you know HOW the exploit works (or at least you should).
 
labrocca said:
And just as a hacker thinks of new ways to attack...I think of new ways to defend. I am constantly hardening my security. My knowledge for protection is pretty strong and I could easily use it to penetrate or DDOS other systems. If you protect against a vulnerability then obviously you know HOW the exploit works (or at least you should).

Exactly. If you do not know how to carry out exploits, how could you ever expect to defend against them?
 