Bank Security

Having found by coincidence a (minor, perhaps exploitable as part of a more-complex attack) security problem with the website of a major high street bank, one would think it would be easier than it evidently is to get it reported and fixed. After several phone calls over a couple of days, and the threat of making a complaint about a representative if they didn’t escalate me to somebody who’d actually understand what I was explaining, I’ve finally managed to get the message through to somebody. How hard was that? Too hard.

If this still doesn’t work, what’s the next step? I’m thinking (1) change banks; (2) explain why to the bank; (3) explain why to the world. Seriously, I expect better from the people looking after my money.

And on that note: time for bed.

Edit: Meanwhile, we see that the PlayStation Network hack may have resulted in the theft of personal information from users’ accounts. While most of the media seems to be up in arms about the fact that this might have included credit card information, I’m most pissed-off about the fact that it might have included unencrypted passwords. Passwords should be stored as irreversible (one-way) hashes: there’s no legitimate excuse not to do this, these days (the short version for the uninterested: there is a technique, salted password hashing, which can be used to store passwords in a pretty-much irreversible format, so that even if the hacker steals your entire computer he still doesn’t get the passwords themselves: it’s very easy to do, protects against all kinds of collateral damage risks, and Sony evidently don’t do it). If any of Sony’s users use the same password for their email account, social network accounts, online banks, etc. (and many of them will, despite strong recommendations to the contrary), the hackers are probably already getting started with social hacking attempts against their friends, identity theft attacks, etc. Sony: you are a fail.
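For the uninterested who became interested: here is what “storing passwords irreversibly” looks like in practice. This is an added example written for this page, not code from the original post and not a description of how Sony actually stored anything. It uses only Python’s standard library (PBKDF2-HMAC-SHA256 via `hashlib.pbkdf2_hmac`, a random salt per user, and a constant-time comparison), and the sample accounts and wordlist are constructed. The last function shows what a thief who has stolen the whole table can still do: guess, one password at a time, paying the full work factor for every guess.

```python
# Added example (not from the original post): salted, iterated password
# hashing with PBKDF2-HMAC-SHA256 from Python's standard library, plus a
# demonstration of what an attacker holding the stolen table can and cannot do.
import hashlib
import hmac
import os
from typing import Iterable, Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000  # work factor; raise over time as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record "pbkdf2_sha256$<iters>$<salt hex>$<hash hex>".

    A fresh 16-byte random salt per user means two users with the same password
    get different records, and precomputed (rainbow) tables are useless.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    algorithm, iterations, salt_hex, hash_hex = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported record format: {algorithm}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


def dictionary_attack(record: str, wordlist: Iterable[str]) -> Optional[str]:
    """What a thief holding the table can still do: guess, one password at a time.

    The hash cannot be reversed, so each guess costs a full PBKDF2 computation;
    the iteration count is what makes this slow. Returns the matching guess or None.
    """
    for guess in wordlist:
        if verify_password(guess, record):
            return guess
    return None


def build_user_table(users: dict, iterations: int = ITERATIONS) -> dict:
    """Constructed sample: store hashed records, never the plaintext passwords."""
    return {name: hash_password(pw, iterations=iterations) for name, pw in users.items()}


if __name__ == "__main__":
    # Constructed sample accounts (not real data).
    table = build_user_table({"alice": "correct horse battery staple", "bob": "password1"})
    for name, record in table.items():
        print(name, record)
    # A login check needs only the record, never a stored plaintext.
    print("alice logs in:", verify_password("correct horse battery staple", table["alice"]))
    print("alice wrong pw:", verify_password("password1", table["alice"]))
    # With the whole table stolen, the attacker still has to guess; weak
    # passwords fall to a wordlist, strong ones do not.
    print("bob cracked as:", dictionary_attack(table["bob"], ["123456", "password1", "letmein"]))
```

The point the dictionary attack makes is the honest caveat: hashing stops a thief from reading the passwords out of the table, but a user who chose “password1” is still only as safe as that guess is rare, which is exactly why the iteration count (and a password that isn’t reused elsewhere) matters.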

LiveJournal Needs To Tighten Security

Hmm… as part of my ongoing work with Abnib v3.0, I’ve noticed a couple of interesting little quirks in the way that LiveJournal handles security for “friends only” and “private” posts. In fact, I’m pretty sure I’ve found a way to – for any given user – produce a list of the times, dates, and URLs of all posts made by anybody – even ones to which I don’t have access. Not terribly disturbing news, as I still can’t get access to the content of the posts or even the comments to them, but it’s an “opening” – a “way in” – which could potentially lead to a full-blown exploit.

For example, I can tell you that there is a post on Andy’s blog that I’m not allowed to read, that he wrote on the 17th of January at about quarter past four in the afternoon (I hope you don’t mind me using you as my “guinea pig”, Andy – you’re the first person I came to who had a “recent” private post).

The numbers near the end of LiveJournal post URLs are supposed to be semi-random to prevent people from just “guessing” their way to posts, but it turns out that guessing isn’t necessary. I’ve e-mailed LiveJournal to try to explain their flaw to them, but as I can’t be arsed to debug it myself (hey: not my weblog at risk, here), I don’t know yet how much of a priority they’ll make it.

Ho hum.

Edit: Further investigations have revealed that I can easily get the title (but not the content or the comments) of any LiveJournal post, including protected ones. For obvious reasons, I’ve now stopped using my friends’ weblogs as testbeds, and I’ve set up a couple of “play” accounts to try things out with. I wonder if I can get the content of posts? That’d be an interesting challenge.

An Interview With Gary McKinnon

There’s a stunning interview you can listen to on BBC World Service with Gary McKinnon, the Briton who hacked into US military and research computers in order to hunt for evidence of UFO activity. In the interview he talks about how he did it, what he found, and how he was caught, as well as his feelings over the fact that he may be extradited to the US to face up to a 70-year prison sentence for something for which, in the UK, he couldn’t get more than four years. It’s well worth listening to. You’ll want a copy of Real Alternative installed (like Real Player, except good).

More Geeky Fun – Hack Security Cameras

This was one of my most-popular articles in 2005.

Here’s a giggle – somebody’s found a cleverly crafted Google search string that will reveal the (unprotected) web interfaces of a particular kind of Panasonic web-capable security camera. Just point a web browser at http://www.google.com/search?sourceid=mozclient&ie=utf-8&oe=utf-8&q=inurl%3A%22ViewerFrame%3FMode%3D%22, then select one of the cameras (you might have to try a few before you get a working one). If you get a motorised one, you can even remotely control it! Here are some I found earlier:

Update 17th August 2011: fixed broken link to Panasonic website!

A Demonstration Of The Next Generation Of ‘Phishing’ Attacks

[this post has been partially damaged during a server failure on Sunday 11th July 2004, and it has been possible to recover only a part of it]

[further content was recovered on 13 October 2018]

If you’ve been on the internet for any length of time at all, you’ll probably have come across the concept of a phishing [wikipedia] attack, or even been the target of one. The idea is that Joe Naughty sends you an e-mail, pretending to be your bank, credit card company, or whatever, and when you click the link in the e-mail it takes you to your bank’s web site. Or that’s what you think, anyway. Actually, you’re at Joe Naughty’s web site, and it just looks like your bank’s web site. And so he tries to trick you into giving him your bank details, so he can rob you blind.

I was recently the target of such an attack (one related to the CitiBank browser-bar scam [bbc news]). In this particular attack, the fake site tries to trick you into thinking it is the real site by making your Internet Explorer address bar ‘disappear’, and then replaces it with a picture of an Internet Explorer browser bar saying that you’re on the real site.

I decided that this was a particularly crude hack, and that I could do better. And …

Royal Welsh Show

I’m writing this from the (badly-protected: just had to go to a page with a particularly funky JavaScript to break out of their front-end browser) BBC Wales bus at the Royal Welsh Show, where Alex and I are working on behalf of SmartData.

Suppose I’d better get back to work and let these kiddies have the ‘net connection back…

Claire’s Back

=o)

Last night was fun. After spending most of a day hacking into the BBC’s weather centre (I wanted a weather forecast XML stream, but couldn’t find a free one, so with Kit’s help I stole one instead), he, Claire (recently returned) and I went down to the beach after midnight with a bottle of Caern O’Moor Bramble Wine and enjoyed the first cool air the town has seen in most of a week.

I had a weird dream last night. Apparently, so did Kit. Must’ve been something in the wine.

Cool Thing Of The Day

Cool And Interesting Thing Of The Day To Do At The University Of Wales, Aberystwyth, #41:

Discover a major security flaw in the university network, that provides any user with half a brain, a computer in their room, some practice, and a lot of patience, the means to get the password of anybody else on your local workgroup, leaving them exposed to malicious attacks, e-mail theft, use of their print quota, and all kinds of other problems. It’s such a serious problem that I’m not going to go into further detail here, in case this e-mail gets into the hands of somebody on the network. Later, discover that this loophole has already been discovered and is abused by at least one third-year student. I’ve arranged for John (who aided me in discovering the problem) and I to meet with network services management to inform them of the problem – simply because we feel threatened by it.

The ‘cool and interesting things’ were originally published to a location at which my “friends back home” could read them, during the first few months of my time at the University of Wales, Aberystwyth, which I started in September 1999. It proved to be particularly popular, and so now it is immortalised through the medium of my weblog.