Most people don’t really care about security. We hope and believe our computers take care of security for us. Posting the latest Facebook update pretending to be our cat is far more important. The cat and mouse game could work, if your computer was the cat. It’s not. The best we can do is play catch-up and hope the hackers take more time to develop an exploit than it takes to run an instantaneous, worldwide, fix. Of course, there is no such thing.
I’ve played and worked with computers for around 17 years. Probably a lot longer if you count my terrible snake clone for the BBC Micro. My hobby developed into a career as the internet… exploded. I have at least looked at, if not tried to code in, the majority of major languages and systems. From C to Zend, Matlab to MySQL.
My esoteric hobby has had several advantages. My obsession with the least interesting parts of computing – the mundane code – has lead to some interesting discoveries. The ability to charge for my hobby being my favourite, learning how to infiltrate most websites on the internet being a close second. I am a devoted white hat developer but not everyone follows the same ethics. My first website was hacked to show nothing but a beheading video… When I was 13. Learning security was an obvious step for me. I was obsessed with how people get hacked.
I will not deny that I’ve had some fun but it’s always been that. Virii intended for their original purpose – as a practical joke for friends. I have worked with hundreds of websites to close exploits which could have been used by people with malicious intent. I would rather get a few angrily defensive emails from developers than see terrorists use these same exploits to perpetuate their chosen brand of insanity.
Make sure your tinfoil hat is comfortable. This post will digress. I will go off on tangents. This is my rant. Feel free to call me out in the comments. Until then…
Am I a target?
A common misconception is that “my computer isn’t worth hacking”. This just isn’t true. Some of the many reasons people get hacked can include: resource abuse, data exfiltration, virus spreading, and last but by no means least… because they can. E-peen is fully extended with coders trying to develop a reputation in the hacking scene. The majority of websites and services are exploited simply because they can be. Often with a fitting excuse being created after the fact.
If your device is connected to the internet it will, at some point, be the target of an attack. Successful or not. Computers are constantly scanning the internet on the lookout for vulnerabilities. Finding exploitable websites is usually just a case of firing up your chosen scanner with a target domain, I.P. and/or I.P. range. Anyone with even basic knowledge of coding could attack hundreds of thousands of websites, computers and mobile devices using supposed “white hat” tools such as MetaSploit, w3af, sqlmap, and BeEF. Most people don’t, but the few that do can be real dicks. The “internet of things” is close, but worrying.
So we’ve built the tension. The end is nigh. Hack all the things is no longer just a meme. What could I do if I wanted to become less of a target? Well, there are a few simple steps anyone can take that can greatly reduce the risk of becoming yet another hacking statistic.
Secure all the things!
Top 5 lists are for losers. So this is a lenthy top 4 list. Because all hacks fit into 4 categories. Insult me in the comments if you disagree.
Avoiding the vast majority of exploits is actually pretty simple but, as it’s a change of habit, can take some prompting. Most of the tips below offer ways to help prevent you getting hacked, which shouldn’t be ignored. I believe it’s far easier to complete an update than it is to restore files corrupted by CryptoLocker or something similar.
- Password management
- Resource abuse (Ddos, FXP, etc)
The internet is inherently insecure. It is relativly easy to pretend to be anyone, send emails as another person or pretend to be another website. If you are not careful you could enter your Facebook details into a malicious website. The biggest step required to become less of a target for hackers is simple diligence.
Internet diligence really boils down to one thing: If you click links in emails or on social media, check the website you are visiting is the correct website by confirming the URL is as expected. An extremely long link or shortening services such as bit.ly could be used to cloak malicious data.
It sounds simple but is easy to overlook as the evolution of social media requires clicking on links from unknown sources. Just remember to check the site if it asks you for login details. Recently, I was almost phished by an advert in Google’s Adsense which used a cloaked URL… It happens to the best of us
The best way to mitigate exploitation is to simply keep your operating system and applications up-to-date. I know it can be time consuming and a bit of a pain, but it is the single best way to pro-actively prevent becoming a victim. Patches for most major software are released pretty quickly after disclosure and updating usually just means clicking a button.
A list of common updates should include:
- Operating system updates (Windows, Mac, Linux, Mobile)
- Server software updates (LAMP, CMSs, libraries)
- System software (Flash, Java, FTP client, etc)
It’s a short list but could include hundreds of updates. If you don’t use software, removal is recommended. Two good examples are Flash and Java. These two are among the most attacked and unused software on the internet. Many websites have abandoned Java due to the constant security issues and HTML5 has all but replaced Flash for most developers. Most modern software will update itself if set to. If it isn’t set to autoupdate, you should do it manually at least once a month.
Having a unique password for every website is one of the best ways to prevent account hijacking. Your email password should be the most secure as it truly is the one ring to pwn them all. If someone can gain access to your email account they can easily hack any other associated account. I have recommended LastPass as a means of securely managing passwords for several years. It is free and has been audited several times with very little complaint from the security professionals I respect the most.
Which of the following two passwords is stronger, more secure, and more difficult to crack?
You may expect that this is a trick question and you’d be right. The first of the two passwords is actually stronger. Password cracking works on a binary basis – Is the password correct? Yes / No. So each character added will effectively double the entropy. Password entropy can be counter-intuitive with length being the main factor.
Interested in how passwords really work? I suggest you read Steve Gibson’s Password Haystacks if you are in to really techy stuff… It’s a great read!
The idea is simple: think of a long password that is easy to remember but contains upper and lower case characters with punctuation. Then simply remember how many dots, dollar signs or other symbol you have at the beginning or end for each site. Security through obscurity isn’t a recommended technique but it’s better than nothing!
Aside: an easy way to check if a website is handling passwords properly is to reset it. If your password is sent to you, in an email or text, they probably aren’t hashing the data correctly and your password could be at risk. Any secure database handling of passwords will implement a one way hashing process to ensure the only person that can know your password is you.
Resource Abuse (Ddos, FXP, etc)
A hacked server or device can cause many issues. Resource abuse is usually the result of ignoring the above. Often an affect of using a default password, outdated software, or account compromise. For this reason I’m going to include a typical attack scenario from around 5 years ago. This is an offensive way by which folders can be created to obfuscate their true contents. Inspecting, editing, deleting such folders is difficult unless you know the attack vector. It is now a well known and secured vector making it essentially pointless (no copy/pasta here skidz).
FXP is a very little-known form of hacking. It refers to File Transfer Protocol. FXP, although almost dead, is analogous to many hacking techniques. It leverages exploits to distribute illegal material. Hackers target FTP servers (or websites to setup services such as FTP, Torrents, Usenet, etc) to store illegal warez. And even worse on hacked servers. FXP was incorporated into the wider spectrum of “collaborative resource management” around 5 years ago, but the logic remains true. If you can hack it some one will then find a reason to justify it after the fact.
Assumptions: we have found a public server in which we can create folders, upload, and download.
First we will create a folder called…
/.ÿÿcom1 ÿ%d ÿ /
This will tell us a lot about the server. The folder created could be shown a number of ways, depending on the server setup. ÿ is a Unix escape character so will try to execute the return command when encountered. This depends on setup. It essentially tells the server to return to the last folder, confusing both server and client as to the folder trying to be entered. %d is one of many command tokens which will try to force a text prompt in some clients/servers. This will usually disrupt further information gathering. There are several other techniques but you get the idea. Forgetting to filter one character can lead to a lot more than you may think. Sneaky people will stuff hacked publci servers with dodgy contents.
Below are variants of the ending folder name with a brief explanation:
/.ÿÿcom1 ÿ%d ÿ / < Folder name as entered. Not vulnerable. /.ÿÿcom1ÿ%dÿ/ < Enter by clicking? Not vulnerable. /com1%d / < ÿ obfuscates previous character. Vulnerable. /.ÿÿcom1 ÿ ÿ / < Command token executed. Vulnerable. /com1%d / < Path obfuscated. Vulnerable. /.ÿcom1 / < Command token executed and path obfuscated. Vulnerable.
This may mean nothing to the average person. To a hacker it means they can distribute any file they choose with little chance it will get discovered. The combination of possible folder names is almost infinite which makes automated detection almost impossible. A single character can often lead to total security failure. Append-Apostrophe-Sec… I mean LulzSec used a simple apostrophe to “pwn” some of the biggest government agencies on the plant. Sabu was only caught because he accessed IRC using his real IP. He also ordered car parts to his home address. Not all hackers are that stupid.
I can understand why people don’t care about security, or getting hacked. I kind of bored myself writing this ~1800 word article. Then and had to considerably reduce it. I can understand why companies don’t spend more on security. It seems pointless until you get hacked and have to recover every email ever sent to/from your company.
Leave a Reply