The Dark Arts – Remote File Inclusion

In the waning hours of 2010, a hacking group known as Lulzsec ran rampant across the Internet, leaving a path of compromised servers, a trail of defaced home pages, leaked emails, and login information in their wake. They were eventually busted via human error, and the leader of the group becoming an FBI informant. This handful of relatively young hackers had made a huge mess of things. After the digital dust had settled – researches, journalists, and coders began to dissect just how these seemingly harmless group of kids were able to harness so much power and control over the World Wide Web. What they found was not only eye-opening to web masters and coders, but shined a light on just how vulnerable all of our data was for everyone to see. It ushered in an era of renewed focus on security and how to write secure code.

In this Dark Arts series, we have taken a close look at the primary techniques the Luzsec hackers used to gain illegal access to servers. We’ve covered two them – SQL injection (SQLi) and cross-site scripting (XSS). In this article, we’ll go over the final technique called remote file inclusion (RFI).

DISCLAIMER: Fortunately, the surge of security-minded coding practices after the fall of Lulzsec has (for the most part) removed these vulnerabilities from the Internet as a whole. These techniques are very dated and will not work on any server that is maintained and/or behind a decent firewall, and your IP will probably get flagged and logged for trying them out. But feel free to set up a server at home and play around. Continue reading “The Dark Arts – Remote File Inclusion”

Don’t be a Code Tyrant, Be A Mentor

Hardware hacking is a way of life here at Hackaday. We celebrate projects every day with hot glue, duct tape, upcycled parts, and everything in between. It’s open season to hack hardware. Out in the world, for some reason software doesn’t receive the same laissez-faire treatment. “Too many lines in that file” “bad habits” “bad variable names” the comments often rain down. Even the unsafest silliest of projects isn’t safe. Building a robot to shine lasers into a person’s eyes? Better make sure you have less than 500 lines of code per file!

Why is this? What makes readers and commenters hold software to a higher standard than the hardware it happens to be running on? The reasons are many and varied, and it’s a trend I’d like to see stopped.

Software engineering is a relatively young and fast evolving science. Every few months there is a new hot language on the block, with forums, user groups, and articles galore. Even the way software engineers work is constantly changing. Waterfall to agile, V-Model, Spiral model. Even software design methodologies change — from pseudo code to UML to test driven development, the list goes on and on.

Terms like “clean code” get thrown around. It’s not good enough to have software that works. Software must be well commented, maintainable, elegant, and of course, follow the best coding practices. Most of these are good ideas… in the work environment. Work is what a lot of this boils down to. Software engineers have to stay up to date with new trends to be employable.

There is a certain amount of “born again” mentality among professional software developers. Coders generally hate having change forced upon them. But when they find a tool or system they like, they embrace it both professionally, and in their personal projects. Then they’re out spreading the word of this new method or tool; on Reddit, in forums, to anyone who will listen. The classic example of this is, of course, editors like the vi vs emacs debate.

Continue reading “Don’t be a Code Tyrant, Be A Mentor”

Shut the Backdoor! More IoT Cybersecurity Problems

We all know that what we mean by hacker around here and what the world at large thinks of as a hacker are often two different things. But as our systems get more and more connected to each other and the public Internet, you can’t afford to ignore the other hackers — the black-hats and the criminals. Even if you think your data isn’t valuable, sometimes your computing resources are, as evidenced by the recent attack launched from unprotected cameras connected to the Internet.

As [Elliot Williams] reported earlier, Trustwave (a cybersecurity company) recently announced they had found a backdoor in some Chinese voice over IP gateways. Apparently, they left themselves an undocumented root password on the device and — to make things worse — they use a proprietary challenge/response system for passwords that is insufficiently secure. Our point isn’t really about this particular device, but if you are interested in the details of the algorithm, there is a tool on GitHub, created by [JacobMisirian] using the Trustwave data. Our interest is in the practice of leaving intentional backdoors in products. A backdoor like this — once discovered — could be used by anyone else, not just the company that put it there.

Continue reading “Shut the Backdoor! More IoT Cybersecurity Problems”

Is Your Child A Hacker?

Parents in Liverpool, UK, are being prepared to spot the signs that their children might be hackers. The Liverpool Echo reports on the launch of a “Hackers To Heroes” scheme targeting youngsters at risk of donning a black hat, and has an expert on hand, one [Vince Warrington], to come up with a handy cut-out-and-keep list. Because you never know when you’re going to need one, and he’s helped the Government so should know what he’s talking about.

Of course, they’re talking about “Hacker” (cybercriminal) while for us the word has much more positive connotations. And it’s yet another piece of ill-informed media scaremongering about technology that probably fits like so many others in the “People are having fun. Something Must Be Done About It!” category. But it’s still something that will probably result in hassle for a few youngsters with an interest in technology, and that’s not encouraging.

The full list is reproduced below, if you’re a parent it seems you will need to watch your children if:

  1. They spend most of their free time alone with their computer
  2. They have few real friends, but talk extensively to online friends about computers
  3. Teachers say the child has a keen interest in computers, almost to the exclusion of all other subjects
  4. They’re online so much it affects their sleeping habits
  5. They use the language of hacking, with terms such as ‘DdoS’ (pronounced D-dos), Dossing, pwnd, Doxing, Bots, Botnets, Cracking, Hash (refers to a type of encryption rather than cannabis), Keylogger, Lulz, Phishing, Spoof or Spoofing. Members of the Anonymous Hackivist group refer to their attacks as ‘Ops’
  6. They refer to themselves and their friends as hackers or script kiddies
  7. They have multiple social media profiles on one platform
  8. They have multiple email addresses
  9. They have an odd sounding nickname (famous ones include MafiaBoy and CyberZeist)
  10. Their computer has a web browser called ToR (The Onion Router) which is used to access hacking forums on the dark web
  11. Monitoring tools you’ve put on the computer might suddenly stop working
  12. They can connect to the wifi of nearby houses (especially concerning if they have no legitimate reason to have the password)
  13. They claim to be making money from online computer games (many hackers get started by trying to break computer games in order to exploit flaws in the game. They will then sell these ‘cheats’ online).
  14. They might know more than they should about parents and siblings, not being able to resist hacking your email or social media
  15. Your internet connection slows or goes off, as their hacker rivals try to take them down
  16. Some circumstantial evidence suggests children with Autism and Asperger’s could be more vulnerable to becoming hackers.

Reading the list, we can’t help wondering how many Hackaday readers would recognise as perfectly normal behaviours from their own formative years. And some of them look ripe for misinterpretation, for example your internet connection slowing down does not automatically mean that little [Jimmy] is selling a billion compromised social media accounts on the Dark Web.

Particularly concerning though is the final association of computer crime with children who are autistic or have Asperger’s Syndrome. Picking on a minority as a scapegoat for a public moral panic is reprehensible, and is not responsible journalism.

Still, you have to laugh. They remembered to include a stock photo of a hacker using a keyboard, but they’ve completely missed the telltale sign of a real hacker, which is of course wr1t1n9 11k3 r341 1337 h4xxx0rzzz.

Via The Register.

Liverpool skyline, G-Man (Public domain) via Wikimedia Commons.

Do you trust your hard drive indication light?

Researchers in the past have exfiltrated information through air gaps by blinking all sorts of lights from LEDs in keyboards to the main display itself. However, all of these methods all have one problem in common: they are extremely noticeable. If you worked in a high-security lab and your computer screen started to blink at a rapid pace, you might be a little concerned. But fret not, a group of researchers has found a new light to blink (PDF warning). Conveniently, this light blinks “randomly” even without the help of a virus: it’s the hard drive activity indication light.

All jokes aside, this is a massive improvement over previous methods in more ways than one. Since the hard drive light can be activated without kernel access, this exploit can be enacted without root access. Moreover, the group’s experiments show that “sensitive data can be successfully leaked from air-gapped computers via the HDD LED at a maximum bit rate of 4000 bit/s (bits per second), depending on the type of receiver and its distance from the transmitter.” Notably, this speed is “10 times faster than the existing optical covert channels for air-gapped computers.”

We weren’t born last night, and this is not the first time we’ve seen information transmission over air gaps. From cooling fans to practical uses, we’ve seen air gaps overcome. However, there are also plenty of “air gaps” that contain more copper than air, and require correspondingly less effort.

Continue reading “Do you trust your hard drive indication light?”

Ask Hackaday: Are Unlockable Features Good for the User?

There are numerous examples of hardware which has latent features waiting to be unlocked by software. Most recently, we saw a Casio calculator which has the same features as its bigger sibling hidden within the firmware, only to be exposed by a buffer overflow bug (or the lead from a pencil if you prefer a hardware hack).

More famously, oscilloscopes have been notorious for having crippled features. The Rigol DS1052E was hugely popular on hacker benches because of it’s very approachable price tag. The model shipped with 50 MHz bandwidth but it was discovered that a simple hack turned it into the DS1102E 100 MHz scope. Tektronix has gotten in on this action as well, shipping modules like I2C, CAN, and LIN analyzation on the scope but requiring a hardware key to unlock (these were discovered to have a horribly insecure unlock method). Similar feature barriers are found on Rigol’s new reigning entry-level scope, the DS1054Z, which ships with protocol analyzation modules (among others) that are enabled only for the first 70 hours of scope operation, requiring an additional payment to unlock them. Most scope manufacturers are in on the game, and of course this is not limited to our tools. WiFi routers are another great example of hardware hosting firmware-unlockable features.

So, the question on my mind which I’d like to ask all of the Hackaday community is this: are unlockable features good for us, the people who use these tools? Let’s take a look at some of the background of these practices and then jump into a discussion in the comments.

Continue reading “Ask Hackaday: Are Unlockable Features Good for the User?”

Retrotechtacular: Social Hacking is Nothing New

If you watch enough mainstream TV and movies, you might think that hacking into someone’s account requires a huge monitor, special software, and intricate hand gestures. The reality is way more boring. Because people tend to choose bad passwords, if you have time, you can task a computer with quietly brute-forcing the password. Then again, not everyone has a bad password and many systems will enforce a timeout after failed attempts or require two-factor authentication, so the brute force approach isn’t what it used to be.

Turns out the easiest way to get someone’s password is to ask them for it. Sure, a lot of people will say no, but you’d be surprised how many people will tell you. That number goes up dramatically when you make them think you are with the IT department or their Internet provider. That’s an example of social engineering. You can define that many ways, but in this case it boils down to getting people to give you what you want based on making them believe you are something you aren’t.

Everything Old…

We think of social engineering as something new, but really–like most cybercrime–it is just the movement of old-fashioned crime to the digital world. What got me thinking about this is a service from Amazon called “Mechanical Turk.”

That struck me as odd when I first heard it because for product marketing it is pretty bad unless you are selling turkey jerky or something. If you tell me “Amazon Simple Storage Service” I can probably guess what that might be. But what’s Mechanical Turk?

Mechanical Turk

Continue reading “Retrotechtacular: Social Hacking is Nothing New”