EVEN if David ”Evil” Cecil is guilty, he is not necessarily a hacking mastermind. Computer security professionals say breaking into websites and computer networks is now as simple as downloading free software, selecting a target and hitting ”run”.
Even without a specific target in mind, a method called ”Google hacking” allows hackers to find target servers running vulnerable software using just the search engine.
Advertisement: Story continues below
”If an attacker wants to get in, it’s just a matter of time really,” Ty Miller, the chief technology officer at Pure Hacking, said.
”You can use the search engine to find vulnerable companies and it’s trivial to gain access to company firewalls and administrative access to people’s systems and get straight into their internal network.”
Chris Gatford, of HackLabs, which like Pure Hacking is hired by organisations to break into their systems to test their security, said attackers with specific targets in mind often used a software tool called ”Metasploit”.
Hackers just point the software at a target and then wait while it searches for exploits in the system and, if there are any holes, provides access.
”Tools to perform complex attacks are readily available, they’re extremely easy to use and people have made good use of these tools for several years,” Mr Gatford said. ”I could teach you the basics of gaining unauthorised access in a day.”

Mr Miller said all it took was one piece of software on the target server to contain an unpatched security flaw for the entire system to be vulnerable. Even fully patched systems can be accessed if the attacker has what is known as a 0-day exploit.
”We do internal penetration tests where we act as a rogue employee or an attacker … usually within a day we’ve been able to take over the entire network, gaining access to every system and every application and also all of the user names and passwords for the company,” he said.
As the federal police Assistant Commissioner, Neil Gaughan, said yesterday: ”Even the best security systems are only as strong as the weakest link.”
The police charged Mr Cecil over allegedly breaking into a national broadband network service provider, but their investigation began when Sydney University’s website was defaced and a Melbourne web-hosting provider was attacked.
Website vandalism is so common that the website Zone-H.com, which catalogues website defacements, logs over 95,000 separate incidents a month. In 2002 when the site launched it was averaging 2500 monthly defacements.
Mr Miller said he was ‘’surprised” Mr Cecil was arrested considering the extent of cybercrime and the fact that arrests and convictions are rarely secured.
“When you’re no longer shocked that a company has been hacked but you are shocked that a hacker has been arrested, that’s not good,” he said.

Source:http://www.smh.com.au/technology/security/software-takes-brain-power-out-of-hacking-20110727-1i076.html

Following our recent report on the Firefox extension Firesheep, which allows wireless network users to easily hack into others’ accounts, this week has seen the release of Blacksheep, an extension that alerts users to the presence of a Firesheep hacker.

The news will be welcomed by regular users of unsecured wireless networks, such as those in cafes and bars, and marks the first major step towards properly addressing the issues surrounding the fragility of wireless networks.

It is these security issues that the original programmer of Firesheep claimed the release of his software was designed to highlight, although it was received with mixed opinions last month.

Some claimed that the extension simply opened up hacking to more users, allowing people to access others’ accounts in a way that was before only the preserve of those with high technical knowledge.

The ability for people to hack in such a way is not a new thing, however, and the programmer behind Firesheep stood by his original claim that the intention was to highlight the security issues and move towards solving them in the future.

Blacksheep certainly seems to be a step towards doing this and while it works purely as a flag for wireless network users, to let them know that a user on the same network is using Firesheep, and not an actual block or prevention tool, it is fulfilling Firesheep’s wish for wireless internet security to be addressed and solutions sought.

The developers of the new Blacksheep software, web security specialists zscaler, have it available to download for free on their website now.

Specifically mentioning the Firesheep extension, their site introduces Blacksheep as a “Free tool to protect against Firesheep Security threat.

Blacksheep alerts users if sessions are hijacked after logging in to a social network or email.”

Source:http://theeword.co.uk/seo-manchester/new_firefox_extension_combats_recent_hacking_threat.html

One of the serious threats to a user’s computer is a software program that might cause unwanted keystroke sequences to occur in order to hack someone’s identity.

This form of an attack is increasing, infecting enterprise and personal computers, and caused by “organized malicious botnets,” said Daphne Yao, assistant professor of computer science at Virginia Tech.

To combat the “spoofing attacks,” Yao and her former student, Deian Stefan, now a graduate student in the computer science department at Stanford University, developed an authentication framework called “Telling Human and Bot Apart” (TUBA), a remote biometrics system based on keystroke-dynamics information.

Their work won a best paper award at CollaborateCom ‘10, the 6th International Conference on Collaborative Computing, held in Chicago and sponsored by the Institute of Electrical and Electronic Engineers’ Computer Society, Create-Net, and the Institute for Computer Sciences.

Yao holds a patent on her human-behavior driven malware detection technology, including this keystroke anti-spoofing technique. Her technology for PC security is currently being transferred to a company. The license agreement between the company, Rutgers University (Yao’s former institution), and Virginia Tech is expected to be finalized in the coming weeks.

Internet bots are often described as web robots. They act as software applications that run automated tasks over the Internet. Bots usually perform simple and repetitive tasks, but at a much higher rate than would be possible for a human alone. When used for malicious purposes they are described as malware.

“Keystroke dynamics is an inexpensive biometric mechanism that has been proven accurate in distinguishing individuals,” Yao explained, and most researchers working with keystroke dynamics have focused previously on an attacker being a person.

The uniqueness of Yao and Stefan’s research is they studied how to identify when a computer program designed by a hacker was producing keystroke sequences “in order to spoof others,” they said. Then they created TUBA to monitor a user’s typing patterns.

Using TUBA, Yao and Stefan tested the keystroke dynamics of 20 individuals, and used the results as a way to authenticate who might be using a computer.

“Our work shows that keystroke dynamics is robust against the synthetic forgery attacks studied, where the attacker draws statistical samples from a pool of available keystroke datasets other than the target.

Source:http://news.oneindia.in/2010/10/31/softwareto-fight-hacking-technique-bags-award.html

A computer hacker compromised Hell’s Pizza’s database and stole a history of customers’ pizza orders simply because he could, according to a crusader against computer hacking.

Mike Prow, managing director of Aura Software, showed the Waikato branch of the NZ Computer Society at Wintec last week how a badly built website could be hacked by typing a few simple commands into its search engine.

“Does this happen in New Zealand? Two-hundred-and-thiry-thousand customer records were stolen from Hell’s Pizza.”

Details of Green Party MP Nandor Tanczos, who lives near Huntly, were stolen alongside their passwords, email and home addresses and phone numbers. Other prominent Hell’s Pizza customers were DJ Mike Puru, Target presenter Brooke Howard-Smith, comedian Dai Henwood and entrepreneur Seeby Woodhouse.

“They were hacked because they could be. New Zealand is not off the radar,” Mr Prow said. He demonstrated how someone with the programming knowledge of a first year or second year IT student could access a business or government department database by typing a few commands.

Mr Prow showed how easy it was to access data linked to people who had logged on to the site, and how to embed his own commands which made messages pop up to third-party viewers going to the site and infect them with malware – malicious software – which could cause damage to their own computer systems if not detected.

“It’s very much `user beware’,” Mr Prow said.

Mr Prow, whose business offers “white hat hacking” to clients to assess how vulnerable their systems are, gave the demonstration at the Hamilton city campus of Wintec during a New Zealand Computer Society event to warn website builders to take every possible security precaution.

“It’s all about raising security awareness,” said Mr Prow, whose talk was entitled “Teaching the Good Guys Bad Tricks”.

Source:http://www.stuff.co.nz/waikato-times/business/4050850/Hacking-is-easy-says-security-specialist

A teenager from a remote northern Saskatchewan community has been charged with hacking into a group of New York-based social networking websites.

The investigation, the first of its kind in Saskatchewan, involved the northern RCMP detachment at Creighton, the Technological Crime Unit out of Regina, a Mountie stationed in New York City and the Canadian Consulate in New York.

The accused, 19-year-old Ryan Devin Lee, is from Denare Beach, a resort village of 750 residents located 500 kilometres northeast of Saskatoon near the Manitoba border. Lee has been charged with unlawful use of a computer to commit an offence, committing mischief to data and possession of a device or instrument to commit a computer offence, according to RCMP. Lee is not in custody, and is due in Creighton Provincial Court Sept. 14, said Creighton RCMP Const. Damon Maier. Lee could not be reached Friday.

Lee allegedly launched his attack from his home in Denare Beach using a “botnet” method — recruiting hundreds or even thousands of other computers around the world to overwhelm the targeted websites.

“We jumped on this right away. You have to understand that although this shut down a social networking site, this same type of attack can be used on a computer within a hospital, a bank, a power company. It’s important we jump on this type of crime immediately,” said Cpl. Darren Sabourin of the Technological Crime Unit.

“Cybercrime is borderless.”

A New York businessperson, who operates a family of teen and adult social networking and chat sites, has been in contact with Lee for a few years through various “chat” groups, said Sabourin.

This spring, Lee asked the New York man to send him the software necessary to operate such websites. The New York man explained that the software was licensed only to him and Lee could not have it. In subsequent online chat exchanges, Lee became increasingly aggressive. With his demands rebuffed, Lee threatened to shut down the New York sites, said Sabourin.

Lee actually had an outdated version of the software already, but wanted the most recent. It’s unclear why he wanted it, Sabourin said. He may have been planning to start up his own social networking sites, or could have simply wanted to resell the software. Sabourin said there “is a lot of money to be made” in these areas.

Lee launched a “botnet” attack on the New York websites, Sabourin said. The exact details and scope of Lee’s attack are still being analyzed. However, in a typical botnet attack, a computer recruits hundreds or even thousands of other computers — often without the knowledge or control of their owners — and each of them rapidly and repeatedly log on to the target websites. The sites are overwhelmed and crash, rendering them unusable to customers and useless to advertisers. For criminals lacking such programming sophistication, a botnet attack can also be launched by paying an online provider for the service.

The New York man spent the next 10 days attempting in vain to repel the attack before calling police in early June. With the help of the Canadian Consulate in New York City, arrangements were made for the RCMP officer stationed there to take a statement from the New York man, who provided details of the attack and Lee’s name and background, Sabourin said.

After an investigation of several days, a search warrant was obtained and Lee’s Denare Beach residence was raided. Several computers and software were seized. Lee was arrested and charged.

“It may be a surprise to most people, but not to us. It doesn’t take a high degree of computer knowledge to do this. That’s what’s concerning,” Sabourin said.

“This person didn’t have any post-secondary training in computer science, simply an involvement in the hacker community.”

Sabourin said the problem is even worse than crime statistics indicate, as many businesses are reluctant to report cybercrime against them. Sabourin declined to name the New York websites, saying other hackers might then target these perceived weaknesses.

There are few online traces of Lee, at least using his full name, except for the MySpace page of his girlfriend in which they profess their love for each other. His chat ID photo shows a bushy-haired young man apparently holding a camera taking a photo of himself in a mirror.

A total of seven RCMP and one Regina police officer make up the Technological Crime Unit, which assists in complex investigations of computer crime, mobile phones and other electronics. Sabourin and another officer specialize in “critical infrastructure protection,” a program in place since 2004. They monitor the computer systems of power companies, banks and other institutions to ensure continuous service.

“It keeps the gas flowing, keeps the lights on and keeps telecommunications intact,” he said.

Source:http://www.thestarphoenix.com/health/Teen+charged+with+hacking/3425725/story.html