Warning: take great care if visiting, or downloading “useful tools” from, dubious websites. Some of them may exploit security vulnerabilities in your system, or indeed in yourself, to install Trojans and other malware. IsecT Ltd. is not responsible for third party websites, nor for your information security.

General [anti-]hacking resources
Clifford Stoll, astronomer, academic researcher and author of The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage, retains a deep interest in information security. Both cited works describe a real-life hacker attack and Cliff’s actions to identify and shut the intruder out
of the university network he managed. The Cuckoo’s Egg (~$12 from Amazon), although now getting a bit long in the tooth, has been reprinted
several times and is still a good read.
Eric Raymond’s quote (above) is one of many gems in his thought-provoking piece How To Become A Hacker.
 A good collection of anti-hacking tools is available at Hacking Exposed, the
website for Hacking Exposed (fifth edition), the 2005 book by Stuart McClure, Joel Scambray and George Kurtz (~$33 from Amazon). It explains how to protect one’s systems and networks, partly by demonstrating how hackers commonly exploit system and network vulnerabilities (also known as bugs). Covering Windows, UNIX, wired and wireless networking, VOIP and web hacking, the only significant
category missing is application-level hacking. As with ‘set a thief to catch a thief’, the hacking techniques described in this book go a long way towards teaching
software developers the value of secure coding practices and thorough software testing. The content is fairly technical but is well written and therefore extremely
useful even if one is not actually a fully paid-up hacker or propeller head.
Lance Spitzner’s book Honeypots - Tracking Hackers (~$29 from Amazon) is a truly outstanding contribution to the field of information security and essential reading
for security architects, network administrators and other geeks interested in securing systems and networks against hackers.
How To Become A Hacker is a primer on the philosophy and ethics of hacking,
more than the mechanics of hacking. Starting from the point of view that “hackers build things, crackers break them”, this is a thoughtful, well-written and stimulating piece of
creative writing. “Contrary to popular myth, you don’t have to be a nerd to be a hacker. It does help, however, and many hackers are in fact nerds. Being a social outcast
helps you stay concentrated on the really important things, like thinking and hacking.”
2600 magazine started in the phreaky days when a 2600 Hz whistle could be used to fool the
telephone systems into making free calls. 2600 became an old shoe, well used but comfortable. Nothing to
do with leather. The typewriter font harked back to the days when it was printed on cheap paper and circulated as an underground publication amongst phreaks (before they had that name) and hackers (real
hackers, hackers who love exploring and taking control of technology without breaking it). 2600 shut up shop in 2005 but seems to have been resurrected...
Bugtraq is THE mailing list for the disclosure of security vulnerabilities, hosted by SecurityFocus. It is a
high-volume list (unfortunately). A search of the archives will generally reveal lots of reported problems with your chosen platform or application. SecurityFocus also hosts the penetration testing, VulnDev (vulnerability development), honeypots and forensics mailing lists for specialists in each of these fields, and has lots of
solid technical articles on subjects such as incidents, firewalls and IDS (Intrusion Detection Systems), Windows and UNIX security. It’s surely one of the most useful sites for IT security professionals. Just for
example, what do you know about the use of NTFS Alternate Data Streams to hack Windows systems?
The history of hacking 1960-2003 gave an overview of the development of hacking and phreaking. Two
books about hacking have been released as free text files: The Hacker Crackdown and Approaching Zero. Both are quite old now but give an insight into the hacking and phreaking world as of the 1980s and early
’90s e.g. “Hackers are an engaging bunch, even the ‘bad’ ones: bright, curious, technically gifted, passionate,
prone to harmless boasting, and more than a little obsessed. They are usually creative, probing, and impatient with rules and restrictions.”
The weekly Cyber Security Bulletins from US-CERT summarize reported software security vulnerabilities such
as buffer overflows. With so many bugs being reported every week, there is not much hope
of securing our computer systems against determined attackers. It’s like drinking from the fire hose. (See also the NoticeBored modules on integrating security with the development process and Bugs!).
A typical Microsoft Security Bulletin described three patches to close off critical security vulnerabilities in
Windows and Word. Now that these vulnerabilities are in the public domain, it’s open season for hackers to
try to exploit them before everyone gets patched. The patching treadmill is a logistical nightmare for organizations running business-critical applications on numerous distributed technology platforms, creating
risks to the deployment. It is critically important to strike a balance between delaying the patching (increasing the window of opportunity for the hackers) and patching too soon (before patches have been
tested on all applicable platforms). (See also the NoticeBored module on change management).
After 20 years, Phrack magazine’s editorial team put down their quills and shut down the press. The last
issue was released at US hacker conventions in July 2005. The hacking and phreaking world mourned the loss, shed a brief tear ... and turned back to the Web for their information fix.
The Toronto Globe And Mail ran a well-written piece about the upsurge of computer crime, making the point
that criminals are turning to electronic crime due to the enormous opportunities opened up by the combination of numerous insecure systems on the Internet, widespread lack of awareness of basic security
measures by users, and the disjointed trans-national law enforcement activities. This is not just scare-mongering: the story is illustrated with news of hacking incidents and quotes from professionals in the field.
The Honeynet Project deliberately sets up servers on the Internet to be hacked. This is not some suicidal
tendency but a fascinating research project to understand the latest hacking techniques and tools. They
encourage the deployment of honeytokens (files or data records that nobody should be accessing), honeypots and even entire honeynets whose value lies in being probed, attacked, or compromised. The Pentagon is considering the use of honeypots as one of its controls defending military networks.
Know Your Enemy - Learning About Security Threats (2nd edition) (~$31 from Amazon)
is yet another good read from the Honeynet Project team. Read our book review elsewhere on this site.
AntiOnline is a virtual meeting room for hackers and security people - a “worldwide
community of security, network and computer professionals, students and keen amateurs who come here to learn the principles and details of computer/network security.” The discussion
fora are very active and the site boasts a good collection of security tools and papers.

Fighting Computer Crime - a new framework for protecting information (1998) by
Donn Parker (~$28 from Amazon) is a classic text from one of the ‘old guard’. Donn has been a computer security professional for more than three decades and has
amassed immense experience of dealing with computer criminals. He has strong views on the futility of risk analysis in this field due to the limits of our knowledge.
Help I think I’ve been hacked is a common cry on IT bulletin boards. Non-technical
people usually don’t understand why hackers have hacked them, nor how they did it. All they want to do is get the hackers out - no mean feat without IT knowledge, even using the antivirus and
antispyware tools commonly available. Keeping the hackers out is a further challenge but at least former hacking victims should be well aware of the threat.
Geoff Shivley’s bio tells the story of how his phreaking exploits gradually turned into computer hacking, along
the way giving an insight into the hacker mindset.
Microsoft invited hackers to demonstrate their skills against Windows systems in an event dubbed the ‘Blue
Hat conference’ (Microsoft’s answer to the infamous Black Hat hackers’ conferences, perhaps?).
Barcelona is home to a hacking school, more precisely a course teaching students about information security risks and control techniques. The course is backed by ISECOM, the Institute for Security and Open
Methodologies, which describes itself as an ‘open-source collaborative community ... dedicated to providing practical security awareness, research, certification and business integrity’.
Hacking and anti-hacking tools
Johnny I Hack Stuff is the website of ‘Johnny Long’, author of the book Google
Hacking for Penetration Testers (~$28 from Amazon). Johnny explains how to construct interesting Google queries in order to identify vulnerabilities such as security
holes in system and application software, disclosure of sensitive information and so on.
Metasploit is an open project developing the tools to exploit known vulnerabilities. Open tools of this nature have pros and cons. On the downside, they can be used by
hackers and crackers to exploit vulnerable systems. On the upside, the white hats have access to the same tools for penetration testing their own networks.
Dumpster diving covers a broad range of pastimes from those who casually remove and recycle all manner
of useful but discarded materials from dumpsters, waste bins or skips, through to those who target much more valuable booty including personal data on credit card bills/bank statements, internal phone books,
system admin manuals, computer printouts in general and so forth.
Perusing this list of 100 websites gives a flavor of what certain hackers find interesting: hacking/cracking
tools and how-to courses, warez and cracked serial numbers, for example.
Microsoft’s Security Monitoring and Attack Detection Guide is designed to help organizations plan a security
monitoring and attack detection system based on Windows Security Event logs. It explains how to interpret
the events (albeit within the rather limited capabilities of standard Windows tools) and which events indicate the possibility that an attack is in progress. Their Services and Service Accounts Security Planning Guide is
another useful document that addresses the important issue of running Windows services under reduced-privilege user IDs (not SYSTEM!).
Acunetix Web Vulnerability Scanner tests the security of your website by launching common attacks such as
Cross Site Scripting, SQL injection and more. Tools like this can help identify vulnerabilities in your web
applications before hackers do. [We will publish links to more application testing tools under the forthcoming awareness topic of information security in systems development.]
Distributed Denial of Service (DDoS) attacks
Russian extortionists who used DDoS attacks to extort money from UK betting firms were arrested.
Complaints to the National High-Tech Crime Unit of attacks fell after the arrest of a Russian gang believed to be behind the protection racket which forced Web-gambling firms to pay up or face extended service
outages.
A US-CERT Cyber Security Tip gives advice on DoS attacks.
PC World and The Register speculate that anti-spam websites which suffered DDoS attacks may have been
deliberately targeted with the Sobig worm by spammers. The anti-spam sites certainly suffered a spate of
DDoS attacks in summer 2003 and spammers are known to use ‘open-relay’ (non-authenticating) email
servers. [Of course, it is also possible that anti-spam sites are happy with all the publicity they can get on the theory that there’s no such thing as bad news.]
An interesting technical paper by Dave Plonka (yes, that really is his name, Rodney) discusses a serious but
unintentional DDoS problem experienced by the University of Wisconsin as a result of an avalanche of
network traffic to the university’s atomic clock time reference system. The source was traced to a bug in some 700,000 NetGear routers ... but with no obvious practical way to resolve the problem, the
manufacturer and university face stalemate. Dave points out that the university is reluctantly able to cope
with this particular situation but it represents [another] symptom of [another] important security flaw in the design of the Internet. A globally-shared network brings enormous potential - and enormous risk.
Hacking news
Here’s a hacking story with a difference: after investigating a hack perpetrated by a suspected Chinese-government-backed gang of uberhackers, Shawn Carpenter, a network security specialist at Sandia National [nuclear research] Laboratories, got caught up in the FBI investigation. Time Magazine reports that
he was dismissed by Sandia when they discovered his out-of-hours hacking, even though Shawn claims to have been encouraged by the FBI to help them track the gang. The FBI has acknowledged their role in the
investigation and Shawn subsequently got his security clearance reinstated, so the story seems to hold water.
A class-action lawsuit was filed in California on behalf of credit card holders and merchants against CardSystems Solutions, Visa and MasterCard after a security breach (hack) that potentially exposed 40 million credit cards to fraud and identity theft. The number of cards actually exposed was closer to 300,000
according to later reports. Subsequently, the NY Times reported that Visa withdrew CardSystems’ access to
the Visa network and services as a result of the security failure. The drastic effects of the incident on CardSystems’ brand sent shockwaves through the marketing world.
The threat of targeted malware attacks was discussed a few months ago in the NoticeBored awareness module on malware. US-CERT Technical Cyber Security Alert is now warning of the increased threat of
Trojans that (a) elude conventional protective measures such as antivirus software and firewalls, and (b) are
emailed to specific targeted recipients. External disclosure (exfiltration or stealing) of data appears to be the
primary purpose, for example using TCP/IP port 80 like normal web traffic, thereby passing straight through the perimeter firewalls.
A Microsoft UK website was defaced with a GIF image file supporting an arrested hacker. The Register
reported that the GIF was removed. Crude website defacements of this nature are at the ‘vandal’ end of the
hacking scale, way below the level of concerted terrorist IT infrastructure attacks feared by military security experts.
Yet another college server hack exposed personal information including Social Security Numbers. The college
belatedly removed SSNs from the server but why they were there in the first place is not clear. “If someone
has a name and Social Security number, they can apply for a credit card, so this is a major issue”. A separate news story reports that “many colleges and universities used a student’s social security number as
their primary student identifier, until recently [and] some schools still have not stopped the practice.” In the
UK and other developed nations, SSNs are not generally used as secrets for personal authentication purposes and individuals need to provide additional information such as something proving their home
addresses: the US seems well behind the curve on this one.
The US extradited Gary McKinnon, a 39-year old British man, for “the world’s biggest military computer
hack”.
Read how a T-mobile hacker was snared by a US Secret Service sting.
Related NoticeBored links collections
Incident management, social engineering, contingency planning, Bugs!, email security, IT fraud, Internet security, identity theft, authentication, mobile computing & teleworking, information security management
and security awareness
NB: we do not necessarily endorse or agree with the third party websites accessible through the links. Use at your own risk. Please let us know about new or broken links.