Showing posts with label black hat hackers. Show all posts

Saturday, July 31, 2010

Smooth-talking hackers test hi-tech titans' skills

By Glenn Chapman (AFP) – 12 hours ago

LAS VEGAS, Nevada — Hackers at an infamous DefCon gathering are proving that old-fashioned smooth talk rivals slick software skills when it comes to pulling off attacks on computer networks.

A first-ever "social engineering" contest here challenges hackers to call workers at 10 companies including technology titans Google, Apple, Cisco, and Microsoft and get them to reveal too much information to strangers.

"Out of all the companies called today, not one company shut us down," said Offensive Security operations manager Christopher Hadnagy, part of the social-engineer.org team behind the competition that kicked off on Friday.

The team kept hackers within the boundaries of the law, but had them coax out enough information to show that workers would have unintentionally made it easier to attack networks.

Workers that unknowingly ended up on calls with hackers ranged from a chief technical officer to IT support personnel and sales people.

One employee was conned into opening programs on a company computer to read off specifications regarding types of software being used, details that would let a hacker tailor viruses to launch at the system.

"You often have to crack through firewalls and burn the perimeter in order to get into the internal organization," said Mati Aharoni of Offensive Security, a company that tests company computer defenses.

"It is much easier to use social engineering techniques to get to the same place."

Other companies targeted were Pepsi, Coca-Cola, Shell, BP, Ford, and Procter & Gamble.

The contest, which continues Saturday at DefCon and promises the winner an Apple iPad tablet computer, is intended to show that hardened computer networks remain vulnerable if people using them are soft touches.

"We didn't want anyone fired or feeling bad at the end of the day," Aharoni said. "We wanted to show that social engineering is a legitimate attack vector."

A saying that long ago made it onto T-shirts at the annual DefCon event is "There is no patch for human stupidity."

"Companies don't think their people will fall for something as simple as someone calling and just asking a few questions," Hadnagy said.

"It doesn't require a very technical level of attacker," Aharoni added. "It requires someone with an ability to schmooze well."

One worker nearly foiled a hacker by insisting he send his questions in an email that would be reviewed and answered if appropriate.

The hacker convinced the worker to change his mind by claiming to be under pressure to finish a report for a boss by that evening.

"As humans, we naturally want to help other people," Hadnagy said. "I'm not advocating not helping people. Just think about what you say before you say it."

Companies that got word of the social engineering contest before DefCon called in the FBI, which was assured by the event organizers that nothing illegal was afoot.

Information about "exploiting human vulnerabilities" was available at the social-engineer.org website.

Attacking the edges of secure Internet traffic

By JORDAN ROBERTSON (AP)

LAS VEGAS — Researchers have uncovered new ways that criminals can spy on Internet users even if they're using secure connections to banks, online retailers or other sensitive Web sites.

The attacks demonstrated at the Black Hat conference here show how determined hackers can sniff around the edges of encrypted Internet traffic to pick up clues about what their targets are up to.

It's like tapping a telephone conversation and hearing muffled voices that hint at the tone of the conversation.

The problem lies in the way Web browsers handle Secure Sockets Layer, or SSL, encryption technology, according to Robert Hansen and Josh Sokol, who spoke to a packed room of several hundred security experts.

Encryption forms a kind of tunnel between a browser and a website's servers. It scrambles data so it's indecipherable to prying eyes.

SSL is widely used on sites trafficking in sensitive information, such as credit card numbers, and its presence is shown as a padlock in the browser's address bar.

SSL is a widely attacked technology, but the approach by Hansen and Sokol wasn't to break it. They wanted to see instead what they could learn from what are essentially the breadcrumbs from people's secure Internet surfing that browsers leave behind and that skilled hackers can follow.

Their attacks would yield all sorts of information. It could be relatively minor, such as browser settings or the number of Web pages visited. It could be quite substantial, including whether someone is vulnerable to having the "cookies" that store usernames and passwords misappropriated by hackers to log into secure sites.

Hansen said all major browsers are affected by at least some of the issues.

"This points to a larger problem — we need to reconsider how we do electronic commerce," he said in an interview before the conference, an annual gathering devoted to exposing the latest computer-security vulnerabilities.

For the average Internet user, the research reinforces the importance of being careful on public Wi-Fi networks, where an attacker could plant himself in a position to look at your traffic. For the attacks to work, the attacker must first have access to the victim's network.

Hansen and Sokol outlined two dozen problems they found. They acknowledged attacks using those weaknesses would be hard to pull off.

The vulnerabilities arise out of the fact people can surf the Internet with multiple tabs open in their browsers at the same time, and that unsecured traffic in one tab can affect secure traffic in another tab, said Hansen, chief executive of consulting firm SecTheory. Sokol is a security manager at National Instruments Corp.

Their talk isn't the first time researchers have looked at ways to scour secure Internet traffic for clues about what's happening behind the curtain of encryption. It does expand on existing research in key ways, though.

"Nobody's getting hacked with this tomorrow, but it's innovative research," said Jon Miller, an SSL expert who wasn't involved in the research.

Miller, director of Accuvant Labs, praised Hansen and Sokol for taking a different approach to attacking SSL.

"Everybody's knocking on the front door, and this is, 'let's take a look at the windows,'" he said. "I never would have thought about doing something like this in a million years. I would have thought it would be a waste of time. It's neat because it's a little different."

Another popular talk at Black Hat concerned a new attack affecting potentially millions of home routers. The attack could be used to launch the kinds of attacks described by Hansen and Sokol.

Researcher Craig Heffner examined 30 different types of home routers from companies including Actiontec Electronics Inc. and Cisco Systems Inc.'s Linksys and found that more than half of them were vulnerable to his attack.

He tricked Web browsers that use those routers into letting him access administrative menus that only the routers' owners should be able to see. Heffner said the vulnerability is in the browsers and illustrates a larger security problem involving how browsers determine that the sites they visit are trustworthy.

The caveat is he has to first trick someone into visiting a malicious site, and it helps if the victim hasn't changed the router's default password.

Still: "Once you're on the router, you're invisible — you can do all kinds of things," such as controlling where the victim goes on the Internet, Heffner said.

Thursday, February 18, 2010

More than 75,000 computer systems hacked in one of largest cyber attacks

More than 75,000 computer systems at nearly 2,500 companies in the United States and around the world have been hacked in what appears to be one of the largest and most sophisticated attacks by cyber criminals discovered to date, according to a northern Virginia security firm.

The attack, which began in late 2008 and was discovered last month, targeted proprietary corporate data, e-mails, credit-card transaction data and login credentials at companies in the health and technology industries in 196 countries, according to Herndon-based NetWitness.

News of the attack follows reports last month that the computer networks at Google and more than 30 other large financial, energy, defense, technology and media firms had been compromised. Google said the attack on its system originated in China.

This latest attack does not appear to be linked to the Google intrusion, said Amit Yoran, NetWitness's chief executive. But it is significant, he said, in its scale and in its apparent demonstration that the criminal groups' sophistication in cyberattacks is approaching that of nation states such as China and Russia.

The attack also highlights the inability of the private sector -- including industries that would be expected to employ the most sophisticated cyber defenses -- to protect itself.

"The traditional security approaches of intrusion-detection systems and anti-virus software are by definition inadequate for these types of sophisticated threats," Yoran said. "The things that we -- industry -- have been doing for the past 20 years are ineffective with attacks like this. That's the story."

The intrusion, first reported on the Wall Street Journal's Web site, was detected Jan. 26 by NetWitness engineer Alex Cox. He discovered the intrusion, dubbed the Kneber bot, being run by a ring based in Eastern Europe operating through at least 20 command and control servers worldwide.

The hackers lured unsuspecting employees at targeted firms to download infected software from sites controlled by the hackers, or baited them into opening e-mails containing the infected attachments, Yoran said. The malicious software, or "bots," enabled the attackers to commandeer users' computers, scrape them for log-in credentials and passwords -- including to online banking and social networking sites -- and then exploit that data to hack into the systems of other users, Yoran said. The number of penetrated systems grew exponentially, he said.

"Because they're using multiple bots and very sophisticated command and control methods, once they're in the system, even if you whack the command and control servers, it's difficult to rid them of the ability to control the users' computers," Yoran said.

The malware had the ability to target any information the attackers wanted, including file-sharing sites for sensitive corporate documents, according to NetWitness.

Login credentials have monetary value in the criminal underground, experts said. A damage assessment for the firms is underway, Yoran said. NetWitness has been working with firms to help them mitigate the damage. Washington Post



Monday, January 11, 2010

Personal data susceptible to hackers


Hackers are to blame for most thefts of credit card numbers, medical records and other information of a million Massachusetts residents, The Boston Globe said.

The newspaper, citing state documents, said all the breaches happened in the past two years.

"Many thousands" of them had been reported from June to November and included confidential information from major institutions such as Blue Cross Blue Shield of Massachusetts and JPMorgan Chase Bank, the Globe said.

Some of the information ended up in the wrong hands because of the theft of a laptop computer or loss of computer data tape. But most breaches can be traced to hackers breaking into computer networks, the Globe said.

Businesses and other institutions must develop a "culture of security" to protect the sensitive documents they control, said Barbara Anthony, undersecretary of consumer affairs and business regulation.

All such institutions are required to inform customers and state regulators about any breaches in security that might cause identity theft. Breaches include the leak of names, and numbers for Social Security, driver's license, bank account, and credit or debit cards, the newspaper reported.

"In 60 percent of the cases, the breaches were due to criminal acts. Forty percent were negligence," said Anthony of 807 breach notifications received by the state by November. US News

Saturday, December 5, 2009

Suspect hacker calling residents




A warning has been issued about a suspected computer hacker who has been calling residents on the Isle of Man.

Identifying himself only as "Mark", he does not state a surname or a company, but says he is phoning regarding a complaint of slow internet connection.

He then asks the computer user to give him remote access by typing in logmein123.com.

The instructions should not be followed and people should contact their service provider, police have said. BBC

Saturday, September 26, 2009

Ethical hackers gathered this week in Miami to talk about the latest cyber terrorism threats.


The world of hackers is kind of like the Star Wars universe: There's a light side and a dark side of cracking computers.

Hundreds of hackers on the side of good -- or ethical hackers -- gathered at the 14th Hacker Halted global conference this week, held for the first time in Miami, to talk about strategies to thwart cyber terrorists.

Ethical hackers understand how to hack a system in order to better protect against attacks, or to know where the vulnerabilities are in a program.

"A good defense is a good offense," said Sean Arries, a security engineer at Terremark Worldwide. "If you understand your opponent and you understand how the attacker is going to attack you, then it makes it a lot easier for you to defend yourself."

Arries gave a cautionary presentation detailing how hackers can take advantage of a vulnerability in Windows Vista and Windows Server 2008 -- a gateway for hackers that Microsoft hasn't yet patched.

Arries did a scan of 43,000 domains and found 110 of those sites were vulnerable to that exploit.

"Now 110 is quite a lot, because that becomes a staging process for an attacker to launch against other sites and internal networks," he added.

Bloggers have been writing about this flaw for two weeks, so it wasn't exactly news to the audience. But while going through slides filled with programming code, he warned attendees that hackers will likely launch a worm to take advantage of this flaw any day now.

"We are in a scramble state to secure our clients and customers and secure ourselves internally before this worm shows up -- and it will be coming," Arries said in an interview afterward.

Not everyone who comes to events like this is a good guy, so to speak. Talk to anyone at that conference and they believe at least some "black hat" hackers were among them in anonymity -- or more likely, programmers who work in a morally gray area.

"The same techniques that you learn to protect a system are the same things people look at to break into systems," said Howard A. Schmidt, president of the Information Security Forum. "You have the good guys trying to out-thwart the bad guys, and the bad guys going to learn from the good guys."

BLACK HATS

In the world of hacker conferences, Hacker Halted, which ended Friday, is pretty tame compared to the DefCon and Black Hat conferences in Las Vegas.

"That's where you get more of the black hat subculture to learn what's going on and extract information that maybe you should or shouldn't be privy to," said Solutient technical trainer Ernie Campbell, who flew in from Cleveland to attend.

Malicious hackers are usually grouped into subsets.

There are the "script kiddies," a derogatory term given to hackers who use programs to cause trouble because they don't have the skills to write their own code. There's also the typical movie stereotype of pale guys pounding down energy drinks in a basement full of computer screens as they wreak havoc.

"That certainly exists, but it is a small, small subculture," said Erik Laykin, managing director of Duff & Phelps in Los Angeles and honorary chairman of the Electronic Commerce Council, which organized the conference.

The hackers that Laykin and other investigators focus on are the criminal hackers -- many working out of the country -- who keep coming up with ways to steal financial information.

CONSTANT JOB

And while these criminals work 24/7, it's a constant job of playing catch up for the ethical hacker who is trying to stay on top of the latest exploits. And as people become more attached to mobile devices, cellphones will be the target down the road.

But it could be worse than that.

"Defibrillators that are implanted in people's chests today have electronic remote sensors so they can be reprogrammed using wireless technology. That's an early technology that's potentially susceptible to hacking," Laykin said.

"Now if I can hack a computer, why can't I hack somebody's defibrillator or pacemaker? Scary stuff."
Miami Herald