Jun 8, 2012

Go Phish: Hacking Laid Bare

Jun 8th, 2012 - 4 mins read

In the wake of the latest security breach disaster to spread through our news feeds, hacking is once again on the forefront of everyone’s thoughts. LinkedIn, the business-oriented social networking titan, hit a colossal iceberg when six million user passwords were published on a Russian hacker’s website. Though encrypted, hackers have been invited to help decipher them, along with stolen passwords from U.S. dating site eHarmony.

The main concerns to filter through the public are the obvious ones: have I been affected, will it happen again, what Russian hacker etc. etc. etc. But what always crops up at times like these when hacking takes centre stage in news headlines, is the overwhelming curiosity as to who the hell these ‘hackers’ are? What do they look like? What do they actually DO? Are they sun-starved, sweaty-palmed, asexual computer-obsessives wearing unwashed t-shirts with technology puns day-in, day-out? Or are they clad in floor-length leather overcoats and ski-wear sunglasses and actually exist in The Matrix? Do they operate in militaristically organised cells with silver jumpsuit uniforms and bafflingly neat hair? OR, are they just…..really normal…?

Two years ago, Reddit posted a Q+A thread with a real-life, convicted computer hacker – normal guy who got into hacking by way of an early interest in programming. All manner of questions were thrown at him, and it makes for pretty interesting reading. Especially considering he’s a self-confessed “pretty nice guy” who “never hacked anything for financial gain” and doesn’t consider himself a “criminal”. He even confesses to getting into hacking because he “saw a documentary about hackers at defcon” and “thought they were completely awesome”. After mailing the leader of one of the top teams in the CTF, asking how to become a hacker, he was told to “by ‘Hacking Exposed’ and read it cover to cover 5 times”.

Check out some of the best questions/answers below…

How does one begin to get to a level where you were, hacking into computers. I’ll leave a disclaimer saying I have no intention to hack into anything, computers are not my forte. It’s just a curiosity.

Learning to write software would be a good start. The more you know about how software works, the better chance you have of exploiting it. For example, if you learn, say, how to write a dynamic web site with PHP, then SQL injection, cross-site scripting and cross-site request forgery will make sense to you. Go a bit deeper, and actually understand HTTP, and you will better understand things like HTTP header splitting. If you then learned C, and how programs and data are laid out in memory, you’d be able to understand buffer overflow attacks and heap exploits. Once you get really into how your source is compiled and executed, you’ll understand things like integer overflows. Of course, there are other avenues, but I’m more of a software guy than anything else.

Did you listen to techno music all the time like the hackers in the movies?

I listened to oldschool techno and a lot of italo. I still do, but have widened my tastes somewhat. It’s still exclusively electronical music though 😉

Did you do anything malicious when you entered these computer systems? i.e., deface, replace or remove websites or other important data? Was it just for the thrill of reading someone else’s confidential information?

I only defaced a website once, simply because it was too high-profile not to deface.

Without naming specifics, how big was your highest-profile target?

Fortune-500-big. NIPRnet-big.

Typically, how secure are modern web sites?

Not very secure. SQL-injections are everywhere.

If teenagers can figure out how to hack into systems what chance do we have against well funded sources that want to do real harm?

Not a very big chance. Personally I think that there are government agencies in the US, China, Russia etc. that have already backdoored each other to hell and back.

I work in the IT industry. I am curious if there is anything that we can do to protect our computersnetworks from guys like you. Is there anything we can do? If you some how WANT to get into our network is there anything that CAN stop you?

In short, if you have a network that is connected to the internet and someone wants to get in, they will eventually get in. If you are running the latest versions of all possible software you might think you are safe. But what if someone comes along with a 0day, or someone hacks the home computer of one of your administrators?

I have always figured that. So basically put our head between our legs and kiss our ass goodbye.

And on that note, perhaps it’s time to change all your passwords, download all possible anti-hacking software, encrypt all your files and finally go totally off grid so you’re never at risk again.


[Read the full thread here]



Jun 8th, 2012 - 4 mins read