hacking

House of hackers - a new community

Gnucitizen has established a new community project called House of Hackers. The purpose is to create an area that will

"...support the hacker culture, mindset, way of life, ideologies, political views, vision, etc."

If you are into hacking and interested in keeping up with the community, I suggest you pop over and take a look.

SQL-injection attack walk-through

Have you ever wondered how to learn to do SQL-injection attacks? Rescue is here!

You are now able not only to read about attacks and try to understand their logic; you can now set up your own lab and start doing injections directly. Thanks to Gerasimos Kassaras (I had a hard time spelling that, and will not even try to pronounce it), who has written this excellent walk-through on the topic!

He will even walk you through setting up IIS and the other tools required!

Still not into SQL-injections?

Well, you should be. Security now and in the future will be about two things - information management on one hand, and application security on the other hand.  

Setting up your security lab

Many of my readers are curious about hacking, testing and the ins and outs of setting up a security testing facility.

So here is a nice white paper authored by Harry Bulbrook at Durham Technical Community College, explaining how to set up a secure lab for testing and learning. It is a year old, but it is still a great resource that enables you to easily set up and maintain your lab without interfering with your production network.

Hacking WIFI - simply and efficiently

I enjoy the occasional fun of testing IT security devices and systems. Yes, I cannot hide that fact.

And as many of you know, I am always a bit surprised by the ignorance most people show when it comes to understanding even the most basic threats.

I came across this whitepaper by a Mr. Antoniewicz at Foundstone (part of McAfee). Most whitepapers tend to focus on how wonderful the manufacturer's tools and solutions are, and quite frankly, I find most of them boring.

Not so this time.

Mr. Antoniewicz has authored a nice overview of some of the methods of hacking WIFI. He does not provide you with a step-by-step how-to, but it is not far from it. Most of my readers may find it too technical - but I suggest you speed-read it anyway - as it will help you realize just how vulnerable you are!

Go on! Read it! 

Hacking websites? Try Burp!

Securing and being in control of your website is increasingly important. Times have changed dramatically since I first started back in 1994 - when the worries were focused on backups and keeping the connections from being dropped.

Today, websites are no longer static. They have evolved into application front ends to back offices, ERP, CRM, shopping solutions and logistics. They are tightly bound to your core business ICT systems.

Still, all too many people seem to think that since websites use HTML to render their pages, there is no need to spend big money on security. True, you add HTTPS for payment, and you might have an audit once in a while. But hacking your own site? Nah, not many do that.

I argue that you should. It is much better - also from a cost-efficiency point of view - to discover your weaknesses yourself, before hackers corrupt your website. Because then you can patch and plan your actions up front - instead of having to put out fires.

You see - someone will hack you. Is it not better that you be the one to find the holes?

This new version of Burp, from PortSwigger, is there to help you. Take a look at it, and take control!

Not sure how to do the hacking yourself? Then read the book: The Web Application Hacker's Handbook

Authored by the same guys!  

Not convinced? Well, then, why don't you just sit tight and wait for some script kiddie or a real hacker to come pay your web application a visit?

The Roberto Preatoni case - listing of all related resources

The Roberto Preatoni case is picking up speed around the world. This post is a quick update on the stories around, with links.

The background is found here. In short:

Roberto is a well known and respected security guy from Italy. He did a consulting job for Telecom Italia, where he took part in the Tiger Team back in 2003-2003. The Tiger Team was there to do pentesting. Some of the Tiger Team members were arrested in January 2007, accused of spying. Now Roberto has been arrested on the same charges.

This list has the newest items first – as I have found them, or as they have been reported to me. If you know of other sources not yet covered, please add your comments! I will try to keep this list up to date.

Nov. 10: A Spanish (I guess) blog on security covers the news. Just a quick background on Roberto.
John Dunn's blog offers some thoughts.

Nov. 6 - 9:

Edit: A good-quality Techworld update - still nothing new.

Edit: Microsoft wants Roberto at BlueHat!
Italian version of the same news. And at TeckNudge.

Edit: A few more articles covering the case:

/edit

  • eWeek covers the case here. A nice article that gives some background.
  • This blog post from Spoonfork at security.org.my offers a couple of highly relevant questions on security in general. Nothing new about the case, though.
  • Planet-Websecurity offers some details, but nothing new. The article is copied from Sunnet Beskerming.
  • Techworld covers it (seems like a cut'n'paste of the Computerworld story).
  • Ryan Naraine at ZDNet.com did some more digging.
  • Security.nl posted this article. Translation is needed, but it seems to be just a summary of what we know at this stage.
  • Digi.no (Norwegian) with some more details.
    Including that Roberto was on his way to the Paranoia conference in Norway. I will post an update on this after I have talked to Arnfinn Roland, the guy who had to step in for Roberto.
  • Computerworld, who brought the news to the world.
  • Dave Lewis had a short piece covering the same.
  • The news was first broken (to me) by Alex Eckelberry over at Sunbelt.

Hacking WEP enabled WIFI

To many of us, hacking WEP encryption is yesterday's news. However, for those not so technical out there, I would like to show you how easy and quick it is to hack a WEP-enabled wireless access point.

Do not worry if you do not understand what is going on - just take notice of how quickly it is done, and how confident the hacker is. That is all you need to know and care about. 

And of course - I no longer need to beat this old dog, now, do I? You do realize it is time to review and audit your wireless security, right?

Thought so.  

Hardware hackers

If you ever wondered how computer hardware can be hacked, this blog is for you!

FlyLogic Engineering is a gang of hardware geeks (in the most positive sense of the word) who devote themselves and their blog to hacking (security) hardware. Not only do they hack USB tokens into smithereens, they tell you how they do it, and why.

Most importantly, they show you in practice how secure some hardware is (or is not, actually). Why is this important? Well, the human mind seems to find it easier to trust physical devices than logical ones. That means that you and your users will automatically trust a USB smart card or any other hardware device more readily than software that does the exact same thing.

But as FlyLogic shows so clearly, hardware is not necessarily more secure - and even tamper-proof hardware is not out of reach for the experts.

Since FlyLogic does this for a living, we can only assume that others do too.

So make sure you evaluate the risk of using hardware tokens for your security, and that you do your homework before selecting a vendor.

TJX – you have done a great job!

It is a little early to say – but after 10 months of publicity, TJX is not only holding its fort, they are making a profit!

TJX has turned a potentially fatal breach into a profitable venture. A quick recap:

  • In January 2007, the news broke that hackers had gained access to TJX's centrally stored customer data, resulting in the theft of 47 million credit card numbers (amongst other private data). Everyone can see that has to be bad for business.
  • Then it turns out that the hackers had been doing this for over a year. Ouch. That's gotta hurt real bad too.
  • After a while, we learn that the hackers gained access through an (unprotected – using WEP) wireless network at one of the shops. Did I say unprotected? Oh. That hurts again. Then again, this was back in the stone age – aka the summer of 2005.

We should be expecting TJX to suffer big time. Media has been all over this case. Bloggers too. I have been no better.

It would be reasonable to expect TJX to suffer a lower revenue stream. A weaker company would have fallen over. And consumers would turn their backs on the shops.

But only some of this happened. Let's see the status as of October 2007 (from Yahoo Finance):

  • TJX has a revenue stream of $4.1B and $4.3B for the first two quarters of 2007, and $5.1B for Q4 2006. If they continue to increase the revenue in Q3, and do a strong Q4 – as you would expect, it being Christmas and end-of-year – they will do as well as 2006, or even exceed the $17.44B revenue from 2006. Not a huge loss, nothing near the expected anger from the consumers.
  • What if we look at growth rate? Over the past three years, TJX has grown by approximately one US$ billion per year. They risk not growing by that amount this year – but as we saw above, they look set to match or exceed revenue from 2006. It seems TJX will ride the storm well.
  • Let's take a look at the profit, then. Even if the consumers don't seem to abandon TJX, surely there must be expenses? And surely there are – some will show up this year, most will not (see next bullet). Profit (in thousands):
    Q3 2006: 1,114,316
    Q4 2006 (ends Jan. 27): 1,159,153
    Q1 2007 (ends Apr. 28): 990,866 – so there is a 170 million drop in the first quarter after the breach went public. And considering this is the first quarter of the year, this is not a dramatic drop.
    Q2 2007 (ends Jul. 28): 1,035,601
    It seems to me that profit is not affected in the dramatic way we should be expecting.
  • Risk can be transferred. It is called insurance. Someone else will pay a large part of the bill.
  • What about the lawsuits, I hear you ask. TJX is quick there too – they have offered a check of $20 and a gift voucher to all affected customers. They initially tried to be a bit more dirty – a $50 gift voucher and no check, but that was too obvious. What happens with a gift voucher? You go to the store and spend it. Along with some other cash – there is plenty of stuff to buy, and when you are in the shop in the first place, why not do some spending. TJX knows. After all, they are in the consumer market space!
  • Market value? Well, the consumers don't seem to care much.
  • The shareholders? Surely they must have run away? Hah, no, 2007 is their best year ever. TJX shows a steady growth of value, and the bad news in January could not take the shares down to June 2006 values. TJX is nothing but a money machine.
  • What about the breach in the first place? Well, this was in 2005; a WEP-protected WIFI point was hacked. Most of my readers would know how to do that themselves – and in less than 10 minutes. If you don't, take my word for it. WEP does give you protection against those who do not know how to hack it, though.

You may do a risk assessment, and determine that the risk of a hacker hacking you is so small, you will risk it. If you do, that is exactly what you are supposed to do – evaluate the risk at hand, and treat it accordingly.

I suspect that TJX did evaluate the risk, and did make a valid decision. After all, they did start to implement WPA only a few months after the initial breech.

I have to admit - they seem to be doing all the right things. From a business point of view, they are. They are analysing the situation, evaluating options, and choosing the road to minimize risk and maximize profit.

And it seems like they are pulling it off too! Congratulations to TJX!

 

TJX gives CC advice to their customers!!!

Oh, the TJX. No, I guess I never get tired of it!

This time, I will just point you to this important message from the President and CEO, made on Oct. 11.

There, Carol Meyrowitz, the President and CEO, says:

"To learn more about steps you can take to protect your credit and debit card information, I encourage you to access the information we are providing on this website or to contact our special customer helplines listed below."

Sorry Carol, I do not think I trust TJX enough to take your advice about CC information. At least not MY CC information.

Need I remind you that it never was your CUSTOMERS who messed up? Your customers decided to TRUST you and your companies to handle the CC information. I bet the customers did take necessary precautions and common sense - how could they be expected to be prepared for YOUR breach?

I advise you to do the right things - learn from your own mistakes and fix them - not divert the attention by teaching your customers how to do things they do much better than you ever did.

 

------------------------------------------------------------------------

Due to the nature of the document, I have pasted the text below too:

LETTER FROM TJX’S PRESIDENT AND CEO

October 11, 2007

To Our Valued Customers:

At TJX, our first priority always has been and continues to be, our customers. I want each of you to know how much I personally and, on behalf of the Company, regret any difficulties you may have experienced as a result of the criminal attacks on our computer systems announced earlier this year. Importantly, we truly appreciate that you have continued to place your trust in us with your loyalty and patronage.

We remain committed to providing our customers a safe shopping environment as you shop for great values, fashion and brands. TJX has been working diligently with some of the world’s best computer security firms to further enhance our computer security. We have also continued to work with law enforcement and government agencies and very much want to see that the sophisticated cyber criminals who attacked our computer systems are brought to justice.

We have worked diligently to reach a settlement, which we believe would offer an excellent resolution for our customers, addressing the different ways that they have told us that they have been impacted by the computer intrusion(s). (Like all class action settlements, our settlement is subject to Court approval and other conditions, and therefore, customers cannot yet seek benefits.) We have provided a separate link, below, to additional information regarding the proposed settlement.

To learn more about steps you can take to protect your credit and debit card information, I encourage you to access the information we are providing on this website or to contact our special customer helplines listed below.

Once again, we sincerely regret any inconvenience you may have experienced as a result of the attacks on our computer system. We are deeply grateful for your continued trust and patronage.

Respectfully,

Carol Meyrowitz
President and Chief Executive Officer

INFORMATION ABOUT PROPOSED CUSTOMER CLASS ACTION SETTLEMENT

Click here to view Additional Information about Proposed Customer Class Action Settlement; Subject to Court Approval and Other Conditions.

INFORMATION ABOUT INTRUSION(S)

View Frequently Asked Questions (FAQs)

Click here to view the 2/21/07 Press Release

Click here to view the 1/17/07 Press Release

Helpful Information for Customers:

TJX has special, toll-free helpline numbers in the U.S., Canada, the U.K., and Ireland, to assist customers with concerns about the computer intrusion(s) and to answer questions about the proposed customer class action settlement, which is subject to court approval and other conditions.

In the United States:

Toll-free help line:
866-484-6978

Available Monday through Friday from 8:00 am to 8:00 pm and Saturday from 9:00 am to 5:00 pm Eastern time.

Click here to view Recommended Steps
Click here to view Other Resources
Haga clic aquí para obtener información en español.

In Canada:

Toll-free help line:
866-903-1408

Available Monday through Friday from 8:00 am to 8:00 pm and Saturday from 9:00 am to 5:00 pm Eastern time.

Click here to view Recommended Steps and Other Resources
Cliquez ici pour des renseignements en français.

In the United Kingdom and Ireland:

Toll-free help line:

Callers in the UK* should call 0800 779015
Callers in the Republic of Ireland should call 00 44 800 779015
* (England, Wales, Scotland, N Ireland)

Available Monday through Friday from 8:00 am to 8:00 pm and Saturday from 9:00 am to 5:00 pm Eastern time.

Click here to view Recommended Steps and Other Resources

Any customers who would like to contact TJX Customer Service:
Please email TJX Customer Service at: customerservice@tjx.com

The blogger is Kai Roer. He has dealt with communication and the Internet since 1994. Taking part in projects all over Europe, Mr. Roer is a renowned resource on information security, communication and security in general. As a management consultant, author and speaker, Mr. Roer has helped many a client.