Posts Tagged hack
Why would anyone want to hack my car?
Posted by Daniel Snyder in Computer Security, Security News on September 8, 2010
Your car could well be the next target for hackers… or is it? Why would anyone want to hack your car anyway? This past summer has seen numerous articles on the new threat of car hacking “the crime of the future”… The threat is simple, someone doesn’t like you, so they hack into your car from a distance taking control of it and causing it to crash, or perhaps they are not quite that malicious, so instead they remotely interfere with your cars normal systems in some way so as to become an annoyance.
Is this reality or still science fiction?
No, it is a reality, and this past summer at a security conference in California a man named Stefan Savage and his team presented their research and demonstrated how using a cars computer system they were able to break in and take control of the vehicle, doing things such as breaking and accelerating (all against the will of the driver). Now that we are seeing a lot more wireless access, the problem of car-hacking could be one anticipated to grow. In fact there has already been documented cases. In one case a car salesman in Texas remotely broke into vehicles of people who were late on their payments, he would do things such as honking their horn or disabling the car altogether. It is reported that up to 100 people found their cars inoperable after his hack. He was reportedly fired from the dealership.
Savage has been quoted as saying “To be fair, you should expect that various entry points in the automotive environment are no more secure in the automotive environment than they are in your PC,” [The New York Times].
Can car hacking be profitable for the perpetrator?
The majority of computer crime these days is taking place for one reason… money! And the things that are being pursued are primarily those that have the potential to reap large monetary rewards quickly. Is it possible to hack a car for profit? Yeah, probably in some kind of unusual way and obscure way, but probably not on any large scale. Does that mean we won’t see it happening? No, I’m certain this will be something that hackers want to play with a little, but probably won’t turn into any kind of major threat. You also have to consider that major auto manufacturers are not going to play around with their security. Just because up till now car security is no better than your average PC, doesn’t mean it is going to stay that way. Savage admits “I think at this point these attacks are much more fantastical than a real thing people need to be concerned about today.” I agree, I don’t anticipate we will be seeing much destructive car hacking action in the near future.
What are your thoughts? Are you concerned?
Sources:
Discover Magazine, Forget car-jacking, car-hacking is the crime of the future. CNET News
ATM Biometrics Coming to a Corner Store Near You!
Posted by Daniel Snyder in Security News on August 24, 2010
Looks like ATM machines around North America are due for a security upgrade. This year Barnaby Jack demonstrated both local and remote ATM attacks at Black Hat 2010, and showed how easy it could be to hack an ATM and make it spit cash. Barnaby Jack also revealed a multi-platform ATM rootkit and discussed protection mechanisms that ATM manufacturers can implement to safeguard against these attacks.
Biometric Iris Scanners Coming to A Corner Store Near You!
One protection mechanism that we are now seeing become reality is biometrics. Although it has been in the works for years, it looks like all the futuristic spy movies we watched as kids are coming true as biometric iris scanning ATM machines are looming on the horizon, and in some parts of the world already in action. Of course you’re not likely to see one in your local corner store just yet, but they may well be coming soon! According to Jeff Carter of Global Rainmakers Inc. we’re all going to be connected to the iris system within the next decade.
The computer in a biometric ATM can identify a bank customer and scan their iris even from a distance of greater than three feet. The camera inside the machine takes a focused photo of the eye in black & white, while the system then measures the structure of the iris, and how light and dark areas fall upon it, a successful ID generates a code which is essentially the customers PIN. The latest method of biometrics is “finger vein” technology — an authentication system developed by Japanese tech giant Hitachi. Poland’s cooperative BPS bank says it’s the first in Europe to install a biometric ATM — allowing customers to withdraw cash simply with the touch of a fingertip. The company says that an infrared light is passed through the finger to detect a unique pattern of micro-veins beneath the surface – which is then matched with a pre-registered profile to verify an individual’s identity. “This is a substantially more reliable technique than using fingerprints,” Peter Jones, Hitachi’s head of security and solutions in Europe.
“Every person, place, and thing on this planet will be connected [to the iris system] within the next 10 years,”
But what’s happening now is Global Rainmakers Inc. (GRI), based out of New York City, has announced that it will use iris scanning technology to begin creating what it claims will be “the most secure city in the world” in Leon, Mexico. The task is to hook up all of GRI’s city wide iris scanners to a massive database created with law enforcement authorities.
“In the future, whether it’s entering your home, opening your car, entering your workspace, getting a pharmacy prescription refilled, or having your medical records pulled up, everything will come off that unique key that is your iris,” Jeff Carter, CDO of GRI tells tech website FastCompany.com. Jeff Carter claims “Every person, place, and thing on this planet will be connected [to the iris system] within the next 10 years,”.
You can read more about Global Rainmakers plans at Prison Planet, here.
Seems to me that things are changing so rapidly, the world around us is quickly become like that of every futuristic movie we’ve ever seen. Nothing is impossible anymore, and with creations and technology such as this the world is supposed to become a more secure place. Do you see this as a step forward, or do you have any objections to this kind of technology?
Sources: CNN World, "Biometric ATM gives cash via 'finger vein' scan." Prison Planet, "Biometric Iris Scanning Technology Rolled Out across entire city". Black Hat USA 2010 ATM Marketplace "Back to the Future: Biometrics Revisited"
Passwords: Brute Force Attack on You
Posted by Daniel Snyder in Computer Security, Password Advice on June 18, 2010
We’ve previously discussed guess attacks and dictionary attacks on your passwords. And we’ve determined now that password security is of the utmost importance. Just today I repaired a machine for a customer and their Vista login password was an old phone number of theirs. Seven digits that could easily be found with an archived search of readily available online databases. As much as passwords are a pain, your security and identity is far more important. Rather deal with a slightly complex password and a little bit of extra thought, than deal with the pain of a stolen identity and lost funds! With what we’ve learned thus far, there is still yet another method attackers can utilize to gain your password.
What’s a brute force attack?
In a brute force attack a hacker would utilize software that would essentially try every possible password. In theory, if there is no limit to the number of attempts, a brute force attack will always be successful since the rules for acceptable passwords must be publicly known; but as the length of the password increases, so does the number of possible passwords. This method is unlikely to be practical unless the password is relatively short.
A common password length recommendation is eight or more randomly chosen characters combining letters, numbers, and special characters (punctuation, etc). This is the key, and a must follow rule of thumb when it comes to making passwords. In addition, don’t use the same password on every website, and especially don’t use same or similar passwords on social networking sites, as you do for banking and online shopping sites that may store your credit card information.
Brute Force attacks get a little more complicated of course, and there are variations, both generic and smart attacks. More can be read about this here.
See these other articles on Information Carnivore:
Passwords are a pain
Hackers may already know your password
Dictionary Attacks on your password
Passwords: Dictionary Attacks
Posted by Daniel Snyder in Computer Security, Password Advice on June 18, 2010
Hackers may already know your password. In a previous post, I wrote about guess attacks by hackers on your password. In this brief post I’m going to write about another method that an attacker could use to get your password. So by now, you’ve already made the important decision to use a different password for your facebook account than you do for your online banking. Good. Still, users often choose weak passwords. I listed some examples of ‘guessable passwords’ in the previous post. There are of course some additional simple examples that hackers can target in what is called a Dictionary Attack.
How can a dictionary attack be used to guess my password?
If your password is a single word which can be found in a dictionary, if it is a given name or family name or if it is too short (generally even six or seven characters is too short), or if your password fits into a criteria that attackers would call predictable (eg, patterns of alternating vowels and consonants, alternating numbers and letters etc). Password research over some 40 years has demonstrated that around 40% of user-chosen passwords are readily guessable by sophisticated cracking programs armed with dictionaries and, perhaps, the user’s personal information
Hackers can use readily available cracking programs into which they enter personal information about the user being attacked and generate common variations for passwords suggested by that information.
If you’ve been following the articles here on information carnivore in the ‘password’ category than you are now able to make some wise password choices. But there is one other form of attack that may be used to gain your password. Brute Force Attacks…
Short history on hacking [infographic]
Posted by Daniel Snyder in Security News on June 14, 2010
Thanks to onlinemba.com
Via: Online MBA
The tricks hackers use, and what you can do to foil them.
Posted by Daniel Snyder in Security News on June 11, 2010
Kim Zetter and Andrew Brandt, PCWorld.com
With the click of a mouse on one computer, the screen of the laptop a few feet away flashes wildly as a flood of data flies silently across a private network cable connecting the two machines. Within a minute the laptop’s file sharing password is compromised.
“The computer is having a bad day,” says a reporter as he watches the effect of the attack on his machine. “Packets are coming at it so fast, the firewall doesn’t know what to do.”
Some hackers claim they can teach a monkey how to hack in a couple of hours. We asked two hackers, Syke and Optyx (at their request, we are using their hacking pseudonyms rather than their real names), to give us non-simian reporters a demonstration.
What we got was a sometimes-frightening view of how easily nearly anyone’s computer–at home or at work, protected or not–can be cracked by a determined hacker. But we also found out that computer users can make a hacker’s job much harder by avoiding a few common mistakes.
Syke, a 23-year-old white-hat hacker, and Optyx, a 19-year-old self-proclaimed black hat, both work in computer security (Syke, until recently, for a well-known security software vendor; Optyx for an application service provider).
They launch their attack on our notebook from desktop computers located in the windowless basement that is New Hack City, a sort of hacker research-and-development lab (and part-time party lounge).
The lab’s rooms are filled with over a dozen Sun SPARC servers, assorted network hubs and mountains of ethernet cable, an arcade-size Ms. Pac Man game, and a DJ tower stocked with music-mixing equipment for all-night hacker jams.
Hacking 101
“You should understand,” says Optyx, as he enters a few commands that bring our machine to its knees, “no matter what people do, hackers will always find a way to get into systems.”
Just as he says this, Optyx uses a program to get the laptop to spew out a bit of data identifying its operating system and version.
He then runs the program that cracked the file sharing password in the blink of an eye. We watch as he uses another tool to root through files in the laptop’s shared directory.
As hacking goes, the methods our two instructors use on our laptop are not very elegant–the equivalent of using brute force to knock in a door–and through the machine’s software firewall, we are immediately aware that the machine is being hacked. But, save from disconnecting our machine from the network cable, we’re powerless to stop it.
Most hacking attacks, however, are much more invisible.
Open Sesame
The methods hackers use to attack your machine or network are fairly simple. A hacker scans for vulnerable systems by using a demon dialer (which will redial a number repeatedly until a connection is made) or a wardialer (an application that uses a modem to dial thousands of random phone numbers to find another modem connected to a computer).
Another approach used to target computers with persistent connections, such as DSL or cable connections, employs a scanner program that sequentially “pings” IP addresses of networked systems to see if the system is up and running.
Where can a hacker find such tools? On the Internet, of course.
Sites containing dozens of free, relatively easy-to-use hacking tools available for download are easy to find on the Net. While understanding how these tools work is not always easy, many files include homegrown documentation written in hacker shoptalk.
Among the programs available are scanning utilities that reveal the vulnerabilities on a computer or network and sniffing programs that let hackers spy on data passing between machines.
Hackers also use the Net to share lists of vulnerable IP addresses–the unique location of Internet-connected computers with unpatched security holes. Addresses of computers that have already been loaded with a Trojan horse are available for anyone to exploit (in many cases without the owner of the computer knowing).
Once the hacker finds a machine, he uses a hacker tool such as Whisker to identify in less than a second what operating system the machine is using and whether any unpatched holes exist in it. Whisker, one of a handful of legitimate tools used by system administrators to test the security of their systems, also provides a list of exploits the hacker can use to take advantage of these holes.
Security Software Alone Can’t Stop Them
Syke and Optyx explain that several conditions make it easier for them to hack into a system. Lax security is one of them–such as when a company uses no passwords on its system or fails to change Windows’ default passwords.
In October 2000 hackers broke into Microsoft’s system and viewed source code for the latest versions of Windows and Office after discovering a default password that an employee never bothered to change.
Other common mistakes: When system administrators don’t update software with security patches, they leave vulnerable ports open to attack. Or when they install expensive intrusion detection systems, some fail to monitor the alarms that warn them when an intruder is breaking in.
Still another boon to hackers is a firewall or router that is misconfigured, allowing hackers to “sniff” pieces of data–passwords, e-mail, or files–that pass through the network.
Got Root?
Once a hacker cracks into a system, his next goal is to get root, or give himself the highest level of access on the machine. The hacker can use little-known commands to get root, or can search the documents in the system’s hard drive for a file or e-mail message that contains the system administrator’s password.
Armed with root access, he can create legitimate-looking user accounts and log in whenever he wants without attracting attention. He can also alter or delete system logs to erase any evidence (such as command lines) that he gained access to the system.
But a hacker doesn’t need root access to affect a system. He can misroute traffic intended to go to one company’s Web server to a different one. Or, exploiting a well-documented bug (for which there’s a patch that many sites haven’t applied), a hacker can replace any Web page with his own text using a simple set of UNIX commands typed into the browser’s Address bar.
Denying Service
A more serious threat, however, comes from skilled hackers who launch a denial-of-service attack, in which a Web server is flooded with so many requests that it stops responding altogether.
Previously one of the most common attacks, DoS attacks are now much harder to accomplish. Large Internet companies counter them by buying larger Internet pipes, which are harder to fill with the junk data hackers throw at them. The more bandwidth a company has, the more service the hacker needs to interrupt in order to produce a noticeable effect.
Hackers quickly learned that a single computer couldn’t send enough phony requests to deny service, so they came up with a clever approach that employs dozens of hacked computers, working in synch to execute a distributed denial-of-service attack.
A DDoS attack uses as many computers as the hacker can control (called “zombies”) to send bogus data requests to a targeted server. To unleash the attack, the hacker sends just one command, which propagates to all of the zombies and causes a near-instantaneous death-by-data on the Web server.
A hacker can also use an army of compromised computers to steal data–such as credit card numbers and proprietary corporate files–without leaving a clear trail. The hacker hops from machine to machine and then launches an attack that passes through all of them, creating a maze of connections for authorities to sift through.
University systems are prime targets for such activity, since administrators often leave student accounts active after students have graduated. A hacker can take over the account and use it as a base to attack another system.
In December 2000 hackers broke into a U.S. Air Force system in Virginia and downloaded code for controlling communication and spy satellites to a computer in Sweden. The Swedish company that owned the system housing the data had no idea hackers were using its computer, and cooperated with authorities.
From Sweden the activity was traced to a university machine in Germany, which authorities also believe was being used by a distant hacker.
Online Espionage
Hackers can silently collect information from a machine for months without being detected. Using a Trojan horse, a hacker can log keystrokes on a computer (to obtain a user’s passwords) or use a “sniffing” program to collect sensitive data as it passes from one computer to another.
Sniffer software is a bit like a radio in that it simply listens for traffic to pass by it on the network wire. Sniffers are undetectable by the user and (usually) by the system administrator.
Nowhere to Hide
It might seem that, with all the ways hackers can get into your system, there’s no safe place for your data to hide. Optyx would agree–to a point.
Casually typing commands on his keyboard that sends our laptop into further frenzy, Optyx says that simply running antivirus software alone, or having a firewall or intrusion detection system, won’t prevent the theft of data or hacking of your computer.
“If people hack your machine,” continues Optyx, “they hack it through a vulnerability.”
He recommends that, in addition to using the above tools, every user install the latest security patches on their critical software, including the operating system and the applications they regularly use. “The only way to protect yourself is to patch up the holes,” he says.
Kim Zetter and Andrew Brandt are PC World senior associate editors who cover security and privacy issues. Originally published on PC World, Apr 2, 2001.
Welcome & About Info Carnivore
Top Commenters