Mitnick In The News
How Nmap, SuperScan and others make hacking your details easy
Jun 30, 2016 - The Australian, by Chris Griffith
I’m at a one-day computer hacking class in Sydney. After a warm-up session learning to pick door locks, it’s down to business trying to extract money from accounts at the make-believe Komodo Bank of Asia, a specially built website where we can ply our skills.
The class, put on by digital professional development firm Decoded, teaches hacking skills — not for nefarious online activity but so people realise how easy it is to exploit installations and networks with poor security.
Poor security can be the result of ineptitude at implementing it but, as becomes apparent in this course, it’s often installations not thinking or bothering about security and employees doing silly things. A lack of thought is a malicious hacker’s best friend.
The hacking world is a case of good cop-bad cop. The baddies are the “black hats”, sinister individuals who in the worst cases steal millions of credit card numbers and bank account login details, build denial-of-service attacks that overwhelm websites, and create computer worms that bring down sections of the internet.
I’m learning the skills as a potential “white hat”, someone who breaks into installations and alerts a company about its security flaws. Armed with these skills you could also break into your own network to uncover its security vulnerabilities. Alternatively, you may want a more intimate understanding of a computer system’s weaknesses.
Do a Google search and there’s a plethora of hardware and software promoted online to help you. For starters, there are “packet sniffers” that monitor unencrypted traffic going to and from a network. You may be lucky and detect credit card number details and passwords among the traffic.
There are port scanners that identify which ports or channels are open between a computer network and the internet. Think of ports as holes in a computer firewall left open to let communications flow. Those open ports also are a way in for hackers. The scanners tell you the nature of the traffic passing across the different ports, and which ports are open and closed.
If you’re a hacker, there’s plenty of software to download, reviews, how-to guides and even YouTube videos to teach you the skills. Software such as Nmap and SuperScan is well regarded. Websites such as cvedetails.com offer up detailed information about security vulnerabilities.
So why is all this online? Mainly because the white hats need to master the same tools that the black hats leverage.
My white hat class turned into an adventure. We discovered that Komodo Bank of Asia was using a poorly protected SQL database to store customer data and balances. SQL, or structured query language, is a universally used language for manipulating databases. It was developed by IBM in the 1970s and it’s everywhere.
In this case, it was a walk in the park to alter the SQL code using a technique called SQL injection to display details of all customers’ accounts including logins, passwords and balances.
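The injection described above, as an added example that is not part of the article or the course’s Komodo Bank site: a login lookup built by string concatenation beside the parameterised form, run against a constructed SQLite table (hypothetical schema and sample rows).

```python
import sqlite3

# Constructed sample data standing in for the exercise site's customer table
# (hypothetical schema; not the course's actual database). Passwords are stored
# in plaintext only to mirror what the exercise site exposed; real systems
# store password hashes.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (username TEXT, password TEXT, balance INTEGER)"
    )
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [("alice", "s3cret", 1200), ("bob", "hunter2", 450)],
    )
    return conn

def login_vulnerable(conn, username, password):
    # The statement is assembled from user input, so a quote in the input
    # ends the string literal and the rest is executed as SQL.
    query = (
        "SELECT username, balance FROM customers WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchall()

def login_safe(conn, username, password):
    # Parameterised query: the driver passes the values separately from the
    # statement text, so quotes in the input are data, never SQL syntax.
    query = (
        "SELECT username, balance FROM customers "
        "WHERE username = ? AND password = ?"
    )
    return conn.execute(query, (username, password)).fetchall()

def demo():
    conn = make_db()
    # Classic tautology input: the vulnerable query becomes
    # ... WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'
    # which is true for every row, dumping all accounts as the article describes.
    tautology = "' OR '1'='1"
    leaked = login_vulnerable(conn, tautology, tautology)   # every customer
    blocked = login_safe(conn, tautology, tautology)        # no rows
    return leaked, blocked

if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable query returned", len(leaked), "rows")
    print("parameterised query returned", len(blocked), "rows")
```

The same fix applies to the security-question lookup and the transfer commands mentioned later in the piece: any statement that splices user input into SQL text is exposed, and binding parameters closes it.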
I had to answer my victims’ security question to log in, sure, but that was a walk in the park too. I found the answer I needed on their LinkedIn profile. The moral is: never select security questions whose answers exist on social media or any public media. That includes the question “What is your mother’s maiden name?” If it isn’t on Facebook it may be found on a genealogy website.
After logging in, I could smile politely at my classmates as I quietly tapped out commands that stealthily transferred funds from their Komodo accounts into mine. (They were doing the same to me.)
Komodo Bank of Asia may be a chronically insecure website and it’s true the security is deliberately full of holes. The website was created hastily on a flight to Hong Kong, we’re told. In comparison, real banks are a quantum leap ahead, but they’re not necessarily impenetrable, as hacking guru Kevin Mitnick demonstrated on stage last year at a keynote session at Sydney’s CeBIT technology fair.
SQL injection is a popular technique. There are claims online of how a person used it to remotely log into a traffic management system and look up and delete a speeding fine. While that particular case is likely fantasy, injecting SQL commands has allowed hackers to change the contents of poorly secured databases and destroy databases altogether.
Later the course turned to setting up a fake website and fake emails for phishing. Copying the rudiments of a real financial institution website and duplicating it is a two-click process on most browsers. You then need to fool someone to log into it. That’s achieved by email. Just enticing one person to sign in with their real bank account user name and password can be a major killing.
The course included interesting titbits. One was that Apple founders Steve Jobs and Steve Wozniak’s first collaboration in 1972 was to make a “blue box” that produced tones that fooled the AT&T phone system in the US. You played the tones into the handpiece microphone. The tones let users make illegal long-distance calls at no cost. The practice was called phreaking.
Another was that the world’s first computer virus was the Creeper by Bob Thomas. The worm could jump from computer to computer and replicate itself, but it did nothing other than display: “I’m the creeper, catch me if you can.” It was followed by Reaper, which also hopped from computer to computer eradicating Creeper in its wake.
It’s not just computers and networks you need to secure. Cars and webcams are obvious targets.
There’s last year’s demonstration hacking of a Jeep’s entertainment, dashboard and driving controls from inside a house 15km away. And in 2014 a Russian website offered access to 73,000 unsecured webcams inside homes and in public places in 256 countries. Their owners hadn’t set individual usernames and passwords, or had left them as admin/admin.
The upcoming internet of things looms as a treasure trove of hacking opportunities, especially with a search engine such as www.shodan.io that seeks to index all kinds of connected devices.
Needless to say, demand for white-hat hackers is huge.
Armidale-based ethical hacker Adrian Wood says it is tripling each year, and there are now big job shortages.
In the US there is a shortage of about 50,000 security professionals.
Wood’s company, Whitehack, conducts about 16 to 20 audits a month. Disturbingly, Wood usually manages to penetrate the systems he audits. Clients for this service range from medium to large enterprises, but smaller companies are starting to be proactive.
Often the security breach involves employees using their work password on multiple sites.
Wood can search for a work email on breached public sites such as LinkedIn, glean the password and attempt to log in to the work system from there. “That works more often than it should,” he says. “People are still having trouble with the simple things.”
He also tests for other exploits, and compromising a company’s database with SQL injection also succeeds.
Wood says software developers often include security as an afterthought, typically the result of managers giving them insufficient time to write and check code.