Hackers Daily
Hacking the stories that matter.
What Is Hacking?
It is amazing, and rather disconcerting, to realize how much software we run without knowing for sure what it does. We buy software off the shelf in shrink-wrapped packages. We run setup utilities that install numerous files, change system settings, delete or disable older versions and superseded utilities, and modify critical registry files. Every time we access a Web site, we may invoke or interact with dozens of programs and code segments that are necessary to give us the intended look, feel, and behavior. We purchase CDs with hundreds of games and utilities or download them as shareware. We exchange useful programs with colleagues and friends when we have tried only a fraction of each program’s features.
Then, we download updates and install patches, trusting that the vendors are sure that the changes are correct and complete. We blindly hope that the latest change to each program keeps it compatible with all of the rest of the programs on our system. We rely on much software that we do not understand and do not know very well at all.
Many people fear hackers because the press has instilled a negative view of them. Yet many of the advances made in computer software and hardware are owed to hacking.
Hacker is a term used to describe different types of computer experts, who employ a tactical, rather than strategic, approach to computer programming, administration, or security. In computer programming, hacker means a programmer who hacks or reaches a goal by employing a series of small changes or additions to extend existing code and/or resources. In technical fields outside of computing, hacker is sometimes extended to mean an expert who has particularly detailed knowledge and uses this knowledge to cleverly circumvent limits to reach solutions.
“Hacker” means different things to different people.
- To the popular press: means someone who breaks into computers
- Among programmers: it means a good programmer
But the two meanings are connected. To programmers, “hacker” connotes mastery in the most literal sense. A hacker is someone who can make a computer do what he wants - whether the computer wants to or not.
To add to the confusion, the noun “hack” also has two senses. It can be either a compliment or an insult. It’s called a hack when you do something in an ugly way. But when you do something so clever that you somehow beat the system, that’s also called a hack. The word is used more often in the former than the latter sense, probably because ugly solutions are more common than brilliant ones.
Notice the definition given for the word “hacker” in the Encarta Dictionary for a good example of the two senses of this word.
- computer enthusiast: somebody who is interested or skilled in computer technology and programming
- amateur player: somebody who enjoys a sport but lacks skill in it
Believe it or not, the two senses of “hack” are also connected. Ugly and imaginative solutions have something in common: they both break the rules. And there is a gradual continuum between rule breaking that’s merely ugly (using duct tape to attach something to your bike) and rule breaking that is brilliantly imaginative (discarding Euclidean space).
As a hacker myself, I have often been criticized for the stand I take on computer technology, and when people get over their shock usually ask me, “How can you possibly condone hacking and reverse engineering?”
These questions are usually prompted by a limited understanding of hacking, and the fact that the negative connotation of both fields is frequently touted in the press.
To many people, the idea of hacking may conjure up stylized images of electronic vandalism, espionage, dyed hair, and body piercings. Most people associate hacking with breaking the law, therefore dubbing all those who engage in hacking activities to be criminals. Granted, there are people out there who use hacking techniques to break the law, but hacking isn’t really about that. In fact, hacking is more about following the law than breaking it.
The essence of hacking is finding unintended or overlooked uses for the laws and properties of a given situation and then applying them in new and inventive ways to solve a problem.
Hacking is a tool… much like a stethoscope is a tool. A stethoscope could be used by a burglar to listen to the lock mechanism of a safe as the tumblers fall in place. But the same stethoscope could be used by your family doctor to detect breathing or heart problems. Or, it could be used by a computer technician to listen closely to the operating sounds of a sealed disk drive to diagnose a problem without exposing the drive to potentially-damaging dust and pollen. The tool is not inherently good or bad. The issue is the use to which the tool is put. It is much the same with hacking; it is not inherently good or evil unless it is used to good or evil purposes.
It says a great deal about our work that we use the same word for a brilliant or a horribly cheesy solution. When we cook one up we’re not always 100% sure which kind it is. But as long as it has the right sort of wrongness, that’s a promising sign. It’s odd that people think of programming as precise and methodical. Computers are precise and methodical. Hacking is something you do with a gleeful laugh.
Reverse engineering is a process where an engineered artifact (be it a car, jet engine, or software program) is deconstructed in a way that reveals its innermost details, such as its design and architecture.
In the software world, reverse engineering boils down to taking an existing program for which source code or proper documentation is not available and attempting to recover details of its design and implementation.
Hacking and reverse engineering are particularly useful in modern software analysis for a wide variety of purposes:
- Finding malicious code: Many virus and malware detection techniques use reverse engineering to understand how hostile code is structured and how it functions.
- Discovering unexpected flaws and faults: Even the most well-designed system can have holes that result from the nature of our “forward engineering” development techniques. Reverse engineering can help identify flaws and faults before they become mission-critical software failures.
- Finding the use of others’ code: In supporting the cognizant use of intellectual property, it is important to understand where protected code or techniques are used in applications. Reverse engineering techniques can be used to detect the presence or absence of software elements of concern.
- Finding the use of shareware and open source code where it was not intended to be used: In the opposite of the infringing code concern, if a product is intended for security or proprietary use, the presence of publicly available code can be of concern. Reverse engineering enables the detection of code replication issues.
- Learning from others’ products of a different domain or purpose: Reverse engineering techniques can enable the study of advanced software approaches and allow new students to explore the products of masters. This can be a very useful way to learn and to build on a growing body of code knowledge. Many Web sites have been built by seeing what other Web sites have done. Many Web developers learned HTML and Web programming techniques by viewing the source of other sites.
- Discovering features or opportunities that the original developers did not realize. Code complexity can foster new innovation. Existing techniques can be reused in new contexts. Reverse engineering can lead to new discoveries about software and new opportunities for innovation.
It is by poking about inside current technology that hackers get ideas for the next generation.
“No thanks”, some may say, “outside help is not needed.”
But they’re wrong. The next generation of computer technology has often - perhaps more often than not - been developed by outsiders.
In 1977 there was no doubt some group within IBM developing what they expected to be the next generation of business computer. They were mistaken. The next generation of business computer was being developed on entirely different lines by two long-haired guys called Steve in a garage in Los Altos. A decade earlier, the powers that be had cooperated to develop the official next generation operating system, Multics. But two guys at Bell Labs who thought Multics excessively complex went off and wrote their own. They gave it a name that was a joking reference to Multics: Unix.
And it was the simpler Unix that led the computer revolution, not Multics.
But what hackers fear the most is today becoming a reality! The latest intellectual property laws impose unprecedented restrictions on the sort of poking around that leads to new ideas. In the past, a competitor might use patents to prevent you from selling a copy of something they made, but they couldn’t prevent you from taking one apart to see how it worked. The latest laws make this a crime. How are we to develop new technology if we can’t study current technology to figure out how to improve it?
Data is by definition easy to copy. And the Internet makes copies easy to distribute. So it is no wonder companies are afraid. But, as so often happens, fear has clouded their judgment. The government has responded with draconian laws to protect intellectual property. They probably mean well. But they may not realize that such laws will do more harm than good.
Breaking the rules should NOT be something that also breaks the law. What hackers fear most is that the government will discover too late that the very laws that they made for their protection are what causes them to fall. Unlike high tax rates, governments can’t repeal totalitarianism if it turns out to be a mistake.
This is why hackers worry. The government spying on people doesn’t literally make programmers write worse code. It just leads eventually to a world in which bad ideas will win since there will be no one around to hack into the program and make it better. And because this is so important to hackers, they’re especially sensitive to it.
A good example of one law which scares me is the law regarding computer use in New South Wales, Australia.
Section 310 of the Crimes Act 1900 states that:
“A person who intentionally (a.) destroys, erases or alters data stored in or inserts data into a computer; or (b.) interferes with, or interrupts or obstructs the lawful use of a computer…” can be punished by severe prison sentences.
It might sound like a good law on the surface but look at it closer. Remember the description of most computer users at the beginning of this entry… is there any computer operation that doesn’t “erase”, “alter”, “destroy”, or “insert” data into a computer? No, there isn’t!
And what exactly does it mean when it says “obstructs the lawful use of a computer?” Isn’t the lawful use of a computer that computer users be allowed to “erase”, “alter”, “destroy”, or “insert” data into a computer? Yes.
This law makes ordinary computer use simultaneously illegal and legal! By this law, anyone who uses a computer can be thrown in jail for up to 10 years, or completely pardoned! Interestingly, New South Wales is one of the most proactive states in the world in prosecuting computer-related crimes.
After I wrote this entry I did receive an answer to emails I sent to several Australian law firms. According to one email I received, “The NSW law prohibiting computer use is phrased that way since it can frequently be difficult to determine whether or not a person had malicious intent (which is a difficulty raised with the penal codes used in other Australian states). The way the law in NSW is phrased, what is prosecuted is not the intention but the computer use itself. The law in NSW is phrased to make any computer use illegal so as to give the government the greatest scope in prosecuting crimes of a computer nature, without having to worry about the intent behind the computer use.”
What makes totalitarian laws like this so scary is that most hacking isn’t about doing illegal things; it’s about learning and expanding knowledge. This totalitarian law of NSW actually threatens people’s ability to expand their knowledge of computers by making ALL computer use illegal and prosecutable at the whim of whoever is in power at the time!
The law may sound reasonable on the surface, and the explanation may sound like a laudable reason on the surface… but totalitarianism by its very nature prohibits growth and learning.
This blog is dedicated to hacking… not to be a flagrant abuse of power, but to make things better. This blog does not advise or condone doing actions that are illegal. This blog does not accept responsibility either directly or indirectly for bad choices made on the reader’s part. If any actions described in this blog are illegal where you live, do not do them… and don’t send me emails telling me that my blog should be removed because it promotes illegal ideas.
As such the owner and editor of this blog promises to always tout good (hacked, tested, reverse-engineered) ideas on this blog.
Keep hacking alive.
Keep good, tested ideas flowing.
Keep thinking outside the box.
Hacking and reverse-engineering should not be illegal when used to benefit others.
Vulnerability Scanning Doesn't Protect You.
Vulnerability scanning can have a detrimental impact on the security posture of your IT infrastructure if used improperly. This negative impact is due to a perception problem that has been driven by the vendors who sell vulnerability scanning services or the scanners themselves. The hard facts show that vulnerability scanners cannot protect your IT infrastructure from malicious hackers. (My team penetrates “scanned” networks on a regular basis during customer engagements.) That is not to say that vulnerability scanners are useless, but it is to say that people need to readjust their perception of what vulnerability scanning really is.
While there are various types of vulnerability scanners, they all suffer from the same disease that most security technologies suffer from: they are reactive to hackers and will never be proactive. A vulnerability scanner cannot detect a vulnerability unless someone has first identified it and written a signature for its detection. That process can take quite a while, and at several points it depends on choices that are not always ethical ones. So here is how it works…
A hacker decides to perform research against a common technology like your firewall. That hacker might spend minutes, months or even years doing research just for the purpose of identifying an exploitable security vulnerability. Once that vulnerability is identified, the hacker has an ethics-based decision to make. Does he notify the vendor of his discovery and release a formal advisory, or does he use his discovery to hack networks, steal information and profit?
If the hacker decides to notify the vendor and release an advisory, there is usually a wait of 1-3 months before the vendor releases a patch. This lag means that the vendor’s customers will remain vulnerable for at least another 1-3 months, and most probably longer. What’s even more interesting is that this vulnerability may have been discovered previously by a different researcher who didn’t notify the vendor. If that’s the case, then the vulnerability has probably been in use as a tool to break into networks for a while. Who knows, it could have been discovered months or even years ago. That type of unpublished vulnerability is known as a 0day and is the favorite weapon of the malicious hacker.
At some point the vulnerability does become public knowledge. It’s also at this point that the vendors who make the vulnerability scanning technology become aware of the new risk. When they do learn about it, they need to develop a signature or script for their scanning technology so that it can detect the risk. That development process can take anywhere from a few days to a few weeks, depending on the complexity of the issue. As a result, the customers that rely on vulnerability scanning are in the dark until the vendor can publish a working and tested signature… but the hackers don’t need to wait at all. The hackers can use it almost immediately.
So in summary, there is a large risk window between the point of discovery of a vulnerability and the point at which a vulnerability scanner can detect it. This risk and exposure window is rarely smaller than a few months, and can be as large as several years. During that time there is a very good chance that malicious hackers will be using your undiscovered risks to penetrate your infrastructure. What’s worse is that you’ll have no idea that you’ve been hacked, because, like vulnerability scanning technology, intrusion detection technology also can’t identify threats if it doesn’t know what to look for. Moreover, most intrusion detection deployments aren’t configured properly and as such don’t work properly.
Unfortunately the story doesn’t end there. Vulnerability scanners also suffer from significant issues with accuracy. In all cases where I’ve used (various) vulnerability scanners, the best results that I’ve ever achieved were about 30% accurate. This means that most of the vulnerabilities that were detected during my various scans weren’t actually vulnerabilities but instead were false alarms, also called false positives. More frightening is the number of vulnerabilities that I discovered while performing Real Time Dynamic Testing (manual hacking) that were entirely missed by the vulnerability scanner. If you don’t believe me then go download a free vulnerability scanner, test your network and verify the results yourself.
This inaccuracy is partially due to the architecture of vulnerability scanners and the fact that no two networks are alike. Vulnerability scanners use static signatures or scripts that can only check a target for a vulnerability if their syntax is exactly right and if the target responds in a way that the scanner can understand. If, however, the target (let’s say it’s a computer system) is configured in a custom way, then it may not respond in a way that the scanner will understand (how many of you keep the default configuration?). This communication barrier is a large part of what causes false positives and false negatives.
An important note about false positives and false negatives. Some vendors claim that their vulnerability scanners have low rates of false positives. As with intrusion detection, when a low false positive rate is genuine it usually means the technology has a correspondingly high false negative rate: a check that only fires when it is certain stays silent whenever the target is unusual. You can think of it as a sliding scale from 1 to 10, where 1 is 100% false positives and 10 is 100% false negatives. As you move up or down the scale you inevitably end up with more of one or the other; you can shift the balance but never eliminate both. With that said, it’s my opinion that more false positives are better than more false negatives.
If vulnerability scanners aren’t the right way to protect yourself, then what is? You should protect yourself by exposing your business to an accurate and controlled reproduction of the threat by using a quality security provider. It is important to remember that no single hacker, good or bad, has access to all of the 0-days in the world. As such, it is entirely possible for a team of ethical hackers to accurately reproduce the threat that unethical hackers can create. Testing at that level enables you to identify weaknesses in your defenses that would not otherwise be detected by testing at lesser levels. What good would a penetration test or a vulnerability assessment do if the malicious hackers will test you harder?
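To make the accuracy problem and the false positive / false negative trade-off concrete, here is an added example written for this page; it is not code from the original post or from any scanner vendor. It models the kind of static banner-matching check a scanner runs against an SSH service and evaluates it against what a hands-on test would actually establish on each host. The inventory of hosts, their banners, and the “affected before OpenSSH 7.5” threshold are all constructed for the demonstration and do not describe a real vulnerability; the `flag_unknown` knob is a hypothetical stand-in for the vendor tuning the previous paragraph describes.

```python
"""Why a static banner signature misclassifies custom hosts.

Added example (not from the original post): a toy version-string check of the
kind vulnerability scanners run, evaluated against what a hands-on test would
actually establish. Every host, banner and the "affected before 7.5" threshold
below is constructed for this demonstration; it does not describe a real flaw.
"""
import re
from typing import Dict, Tuple

# Constructed inventory: (banner as seen on the wire, flaw really present?)
HOSTS: Dict[str, Tuple[str, bool]] = {
    "default-install":   ("SSH-2.0-OpenSSH_7.4", True),    # stock, unpatched
    "patched-upgrade":   ("SSH-2.0-OpenSSH_8.2", False),   # upgraded, banner bumped
    "backported-fix":    ("SSH-2.0-OpenSSH_7.4", False),   # distro backported the fix, banner unchanged
    "honeypot":          ("SSH-2.0-OpenSSH_5.3", False),   # deliberately advertises an old version
    "custom-banner-old": ("SSH-2.0-GatewayTunnel", True),  # admin rewrote the banner; still old underneath
    "custom-banner-new": ("SSH-2.0-GatewayTunnel", False), # same custom banner, but upgraded
    "no-banner":         ("", True),                       # banner stripped by a proxy; still old
}

# Hypothetical signature: an OpenSSH major.minor below this is "affected".
VULN_BEFORE = (7, 5)
_BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)")


def banner_scan(banner: str, flag_unknown: bool = False) -> bool:
    """Static signature check, as a scanner would run it.

    flag_unknown is the (hypothetical) vendor tuning knob: what to report when
    the target does not answer in a way the signature understands.
    """
    m = _BANNER_RE.search(banner)
    if m is None:
        return flag_unknown          # scanner cannot interpret this target
    return (int(m.group(1)), int(m.group(2))) < VULN_BEFORE


def classify(flagged: bool, truth: bool) -> str:
    """Name the outcome of one scan result against ground truth."""
    if flagged and truth:
        return "tp"
    if flagged and not truth:
        return "fp"
    if not flagged and truth:
        return "fn"
    return "tn"


def evaluate(flag_unknown: bool = False) -> Dict[str, int]:
    """Confusion-matrix counts for the whole constructed inventory."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for banner, truth in HOSTS.values():
        counts[classify(banner_scan(banner, flag_unknown), truth)] += 1
    return counts


def misclassified(flag_unknown: bool = False) -> Dict[str, str]:
    """Which hosts the signature gets wrong, and in which direction."""
    out: Dict[str, str] = {}
    for name, (banner, truth) in HOSTS.items():
        outcome = classify(banner_scan(banner, flag_unknown), truth)
        if outcome in ("fp", "fn"):
            out[name] = outcome
    return out


def precision_recall(counts: Dict[str, int]) -> Tuple[float, float]:
    """Precision = share of findings that are real; recall = share of real flaws found."""
    flagged = counts["tp"] + counts["fp"]
    real = counts["tp"] + counts["fn"]
    precision = counts["tp"] / flagged if flagged else 0.0
    recall = counts["tp"] / real if real else 0.0
    return precision, recall


if __name__ == "__main__":
    for knob in (False, True):
        c = evaluate(knob)
        p, r = precision_recall(c)
        print(f"flag_unknown={knob}: {c} precision={p:.2f} recall={r:.2f}")
        print("  wrong:", misclassified(knob))
```

With `flag_unknown` off, the backported fix and the honeypot are reported as vulnerable when they are not (false positives), and both hosts the scanner cannot parse are reported clean when they are not (false negatives); the signature is right about three of seven hosts. Turning `flag_unknown` on moves the two unreadable hosts from the false negative column to the true positive column, but the upgraded host behind the same custom banner becomes a false positive: the knob shifts findings from one error column to the other, it does not remove them, and only a hands-on check of each host settles which column is right.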
One of the many advantages of using a team of talented hackers for security testing instead of relying on automated vulnerability scanners is that those hackers can and should perform research against unique technologies that they encounter during a security test. I practice what I preach by the way. When our team delivers an Advanced Penetration Test to a customer we always perform our own research against interesting targets. Those targets can be Web Applications, Web Services, or even custom daemons running on systems. In the end, if we find something new we’ll write an exploit (proof of concept) for the customer and include that in the final deliverable.
In closing, I am not suggesting that network vulnerability scanners are bad because they do have their place and they do serve a purpose. They are particularly useful in the hands of a skilled security expert especially when performing reconnaissance against large networks. In that scenario the scanner enables the expert to save time and to rapidly collect intelligence about targets given that the engagement is non-stealth in nature. With that said, I wouldn’t rely on scanners for anything more than just reconnaissance, at least not yet.
Mozilla Shutters Seven Firefox Flaws
Mozilla released its latest update to its Firefox browser on Tuesday, closing seven security holes, including two critical issues, according to the company’s release notes.
The critical flaws occur in the program’s layout and JavaScript engines and can be used to crash the program and possibly run malicious code, the company said in an advisory. The flaws also affect Mozilla’s SeaMonkey all-in-one Internet suite and the Thunderbird e-mail client if JavaScript is enabled, which is not the default setting.
“Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code,” the company stated.
The other flaws include a cross-site scripting issue that could allow Javascript to evade the same-origin policy and a problem in the way tabs are restored that could allow attackers to steal a local file, if they knew the name of the file.
Firefox users can download and apply the update by choosing the “Check for Updates…” command in the Help menu.