
Thread: [Computer Security] Demonstration of the aurora hack: how hacking works.

  1. #1

    Thread Starter
    Hyperactive Member Maven's Avatar
    Join Date
    Feb 2003
    Location
    Greeneville, TN
    Posts
    322

    [Computer Security] Demonstration of the aurora hack: how hacking works.

    I've been pushing for a computer security section on vbforums. And in the discussion, one of the members was interested in how exploits like stuxnet work. In this post, I'm going to write a guide on how to demonstrate a professional hack called Aurora. You can read about the history of this hack here: http://en.wikipedia.org/wiki/Operation_Aurora. It was written by the Chinese government, and it was used to gain access to Google. In response to this hack, Google left China.

    Before we begin with this tutorial, there are a few things we need to cover. First and foremost, do not attempt to use this exploit on unaware machines without permission. You would be in violation of the Computer Fraud and Abuse Act, and you will rightfully go to prison. This is a demonstration for security purposes that we will do on our own machines. Never attempt to defeat security of remote machines without express written permission. Even if you're doing it for educational purposes, you will still go to prison. In addition, you will follow these instructions at your own risk. Do not deviate from my instructions.

    The purpose of this post is to teach you why updates are important. I also want to teach you a little bit about professional hacking. You need to know what you are up against so that you can train people in your respective companies. I would recommend crafting spam emails in house and tracking employees who click on them. If they click, they go through training. In a basic nutshell, I want you to be better programmers and IT personnel.

    So to begin, we need some tools:
    1. A copy of an unpatched windows XP with IE6.
    2. A copy of backtrack with metasploit.
    3. A virtual machine like vmware.

    Setup Instructions:
    1. Install Windows XP and Backtrack on the virtual machine.
    2. Start both operating systems on the virtual machine.
    3. In windows xp, check the IP address by going to command prompt and typing "ipconfig"
    4. In backtrack, check the IP address by going to the terminal (if you're in gui mode) and typing "ifconfig"
    5. Make sure both operating systems are able to ping each other. If they don't, change the network settings in your virtual machine. In windows command prompt, you can check the ip address by typing "ipconfig". In backtrack, you type "ifconfig" in terminal. On each system, "ping IPADDRESSHERE" is the command to ping.

    Now that we have our network set up properly, we now need to set up the exploit.

    <removed by admin>

    Now that we have configured the exploit, we need to get it running.
    Type "exploit" in terminal.

    You should now see that the exploit is now running on an ip address. It will give you a url like http://YOURIPADDRESSHERE:80/

    Now that we have everything up and running, it's time to deploy the hack.
    1. In windows XP, start up IE6.
    2. Type in the URL given in metasploit so that IE6 connects to the server. IE6 will get laggy as the exploit fills up memory and cracks the system.
    3. In backtrack, you should see the machine trying to connect to the exploit server.
    4. Once you see a session is open, type "session -i 1" in backtrack terminal.
    5. Next, type "run migrate". This will move our exploit deeper into the victim machine so that we are no longer dependent on the user running IE6.
    6. Now let's upgrade our privileges on the victim machine by typing "get system" in terminal.
    7. You can type "ps" to see all of the processes running on the machine. You can now access that machine like a putty connection.

    Professional hackers create applications like these so that they can get into corporate systems. These groups usually consist of two teams:
    1. Technical team that deals with the exploits.
    2. Application domain team that deals with subject matter material. If the target is a chemical company, they'll have chemists and knowledgeable people in the industry in the application domain team. They create very convincing emails that attempt to get people in the company to click on a link so that they can get access to their system like we did in this tutorial. In addition, they'll review the application domain information that they are seeking to steal.

    You need to train all employees that use computers on spam emails. Also, as I stated above, try to write very convincing emails and test your employees constantly. If they click on them, they need training.

    I hope you people got something out of this =)
    Last edited by brad jones; Jun 26th, 2014 at 08:06 AM. Reason: Can't give step-by-step on an illegal exploit
    Education is an admirable thing, but it is well to remember from time to time that nothing that is worth knowing can be taught. - Oscar Wilde

  2. #2
    Super Moderator Shaggy Hiker's Avatar
    Join Date
    Aug 2002
    Location
    Idaho
    Posts
    38,989

    Re: [Computer Security] Demonstration of the aurora hack: how hacking works.

    Quote Originally Posted by Maven View Post
    I would recommend crafting spam emails in house and tracking employees who click on them. If they click, they go through training.
    Pretty nearly ALL the in-house emails where I work are already spam.
    My usual boring signature: Nothing

  3. #3
    MS SQL Powerposter szlamany's Avatar
    Join Date
    Mar 2004
    Location
    Connecticut
    Posts
    18,263

    Re: [Computer Security] Demonstration of the aurora hack: how hacking works.

    Thank you very much - I've passed this along to some folks

    *** Read the sticky in the DB forum about how to get your question answered quickly!! ***

    Please remember to rate posts! Rate any post you find helpful - even in old threads! Use the link to the left - "Rate this Post".

    Some Informative Links:
    [ SQL Rules to Live By ] [ Reserved SQL keywords ] [ When to use INDEX HINTS! ] [ Passing Multi-item Parameters to STORED PROCEDURES ]
    [ Solution to non-domain Windows Authentication ] [ Crazy things we do to shrink log files ] [ SQL 2005 Features ] [ Loading Pictures from DB ]

    MS MVP 2006, 2007, 2008

  4. #4

    Thread Starter
    Hyperactive Member Maven's Avatar

    Re: [Computer Security] Demonstration of the aurora hack: how hacking works.

    Quote Originally Posted by Shaggy Hiker View Post
    Pretty nearly ALL the in-house emails where I work are already spam.
    And there is a certain portion of the population of employees probably clicking on them. The risk here is that one of those URLs might be like the URL we crafted above in the aurora exploit.

    The legal system is changing in regards to security. We're starting to see laws emerge where companies have to notify the media when a breach has occurred with an exposure of more than 500 people's information. http://www.business.ftc.gov/document...ification-rule

    We still haven't seen it for general companies yet, but it's probably coming. Businessmen need to think about their risk exposure on the security front.

  5. #5
    PowerPoster SJWhiteley's Avatar
    Join Date
    Feb 2009
    Location
    South of the Mason-Dixon Line
    Posts
    2,256

    Re: [Computer Security] Demonstration of the aurora hack: how hacking works.

    This only applies to health information - any other info is in no way 'protected' (and I use that term loosely - notifying the government that you have potentially compromised data is like a brewery hosting an AA meeting). Further, a bank, for example, telling you that you've been robbed, doesn't make up for the fact that you've been robbed.

    What you say is true - businesses need to think about their risk exposure - but not in the way I think you mean it; these regulations serve only to protect the business and not end consumers, unfortunately.

    The root cause needs understanding: the 99% of programmers who really do not understand their obligation to apply basic security principles - much like locking their front door.

    But to your original post, it doesn't really explain the exploit; specifically: "2. Type in the URL given in metasploit so that IE6 connects to the server. IE6 will get laggy as the exploit fills up memory and cracks the system." Everything else teaches us nothing - this is where the actual meat and potatoes is.
    "Ok, my response to that is pending a Google search" - Bucky Katt.
    "There are two types of people in the world: Those who can extrapolate from incomplete data sets." - Unk.
    "Before you can 'think outside the box' you need to understand where the box is."

  6. #6
    ex-Administrator brad jones's Avatar
    Join Date
    Nov 2002
    Location
    Indianapolis
    Posts
    6,608

    Re: [Computer Security] Demonstration of the aurora hack: how hacking works.

    The moderators will be removing this thread - or at least most of the original post.

    While it is fine to discuss hacks, giving a step-by-step tutorial on how to do an illegal hack can't be allowed. If there were a non-illegal use case for discussing this hack, it would be different; however, that is not the context of the original post.

    Discussion is fine. Overviews are fine. Step-by-step how-tos on illegal things, nope, not fine.

    Sorry.

    Edit: The exploit set-up steps were removed. If the OP wants to provide those outside of this forum, that is up to him; however, we can't have step-by-step guidance on this forum for a topic of the intent to do something illegal - even if just "for learning."
    Have you given out your reputation points today? Select the Rate This Post link to give points for good posts!
    -------------------------------------------------------------
    Brad! Jones
    Lots of Software, LLC
    (I wrote: C Programming in One Hour a Day) (Dad Jokes Book) (Follow me on Twitter)

    --------------------------------------------------------------

  7. #7
    MS SQL Powerposter szlamany's Avatar

    Re: [Computer Security] Demonstration of the aurora hack: how hacking works.

    I gave that info to a security person at a HIPAA shop - and this was his response

    Funny (ok, kind of funny) story about metasploit...3 or 4 years ago I was looking through all of the hosts on our network, and I saw one I didn't recognize. I walked through the building twice looking for something new plugged into a network jack and I didn't find anything. So I ran some scans against the system to try to identify what it was, and ultimately I ended up using metasploit to get a cmd shell on the system and installed VNC to get full Keyboard, Video, and Mouse control of the system. It turned out that it was the Crestron tablet that's used to control the A/V system in the large conference room. It runs Windows XP and can't be patched. That was the very first time I used metasploit, and I had admin privileges on the system in a few minutes.


  8. #8
    MS SQL Powerposter szlamany's Avatar

    Re: [Computer Security] Demonstration of the aurora hack: how hacking works.

    Quote Originally Posted by Maven View Post
    ...The purpose of this post is to teach you why updates are important. I also want to teach you a little bit about professional hacking. You need to know what you are up against so that you can train people in your respective companies. I would recommend crafting spam emails in house and tracking employees who click on them. If they click, they go through training. In a basic nutshell, I want you to be better programmers and IT personnel.
    ...
    You need to train all employees that use computers on spam emails. Also, as I stated above, try to write very convincing emails and test your employees constantly. If they click on them, they need training.
    That same security person echoed these feelings - goes to conferences with other security folk and discusses just these types of things.


  9. #9

    Thread Starter
    Hyperactive Member Maven's Avatar

    Re: [Computer Security] Demonstration of the aurora hack: how hacking works.

    Quote Originally Posted by brad jones View Post
    The moderators will be removing this thread - or at least most of the original post.

    While it is fine to discuss hacks, giving a step-by-step tutorial on how to do an illegal hack can't be allowed. If there were a non-illegal use case for discussing this hack, it would be different; however, that is not the context of the original post.

    Discussion is fine. Overviews are fine. Step-by-step how-tos on illegal things, nope, not fine.

    Sorry.

    Edit: The exploit set-up steps were removed. If the OP wants to provide those outside of this forum, that is up to him; however, we can't have step-by-step guidance on this forum for a topic of the intent to do something illegal - even if just "for learning."

    Metasploit is a tool used in professional security to do penetration testing. It's widely used in professional security in fortune 500 and big high tech companies like Microsoft. In fact, Microsoft has had demonstrations very similar to this tutorial for their programming teams in order to try to give them a wake up call. It's not illegal to use this tool unless you're trying to use it to attack remote systems without permission. You can only use it on your own systems or systems you have permission to do such testing on.

    I'm not very concerned about someone using the tutorial and hacking google or anything that matters. Their security teams are constantly testing their network with metasploit, and everyone in the security world knows about it; instead, I'm more concerned about small shops and individuals. At the same time, I'm sure there are quite a lot of people here that work for small shops. They're not going to have an idea of how exposed their security is until they use professional tools to do penetration testing. You can also test your own computer and your family's computers (with permission) to try to keep them secure. But you're really flying blind without a good tool like this.

    At any rate, my warning was mostly concerned with people trying to break into their friend's computer or something of that nature. Attempting to gain access to remote machines or disrupt them in any way without permission is a felony. And everyone in security knows about metasploit and you would get caught.

    But you're right in that there is a fine line here. I'm trying to show security without showing too much. Which is why I didn't go into the "actual meat and potatoes" as one of the posters above very pointedly stated.

    Overall, people need to start getting real on security. Everyone is plugging into the internet, and everyone is at real risk. The code people are writing is what introduces these exploits. So please try to learn to write secure code. It's an important part of learning to program.

    In the future brad, I'll try to stick with just identifying penetration attempts.
    Last edited by Maven; Jun 26th, 2014 at 03:13 PM.

  10. #10

    Thread Starter
    Hyperactive Member Maven's Avatar

    Re: [Computer Security] Demonstration of the aurora hack: how hacking works.

    In the future, I'll write on detection. I'll set up the penetration stuff to generate data, then show people what the data looks like in something like splunk.

  11. #11

    Thread Starter
    Hyperactive Member Maven's Avatar

    Re: [Computer Security] Demonstration of the aurora hack: how hacking works.

    In the future, I'll write on detection. I'll set up the penetration stuff to generate data (it's complicated anyway), then show people what the data looks like in something like splunk.

  12. #12

    Thread Starter
    Hyperactive Member Maven's Avatar

    Re: [Computer Security] Demonstration of the aurora hack: how hacking works.

    Quote Originally Posted by szlamany View Post
    That same security person echoed these feelings - goes to conferences with other security folk and discuss just these types of things.
    I think security people need to promote security practices in forums like these because a lot of people here end up working in IT or land some programming jobs. And people here really need to understand the gravity of the situation we are in right now. We are in the middle of an ongoing asymmetrical cyber war right now. And we really need to advocate to programmers what is at stake. After years of fighting, we've finally got fortune 500 companies on board. Actually, they had to see multibillion-dollar losses from security before they listened, but they are on board now. At any rate, my goal here is to get people to think about security in the systems they administrate or develop. Business trade secrets, customer and employee personal information, and national security are at great risk.

  13. #13
    Super Moderator Shaggy Hiker's Avatar

    Re: [Computer Security] Demonstration of the aurora hack: how hacking works.

    Quote Originally Posted by Maven View Post
    I'm not very concerned about someone using the tutorial and hacking google or anything that matters. Their security teams are constantly testing their network with metasploit, and everyone in the security world knows about it; instead, I'm more concerned about small shops and individuals.
    That's a more telling point, really. I was under the impression that the Target breach that made so much news (and utterly hammered their earnings around Christmas) was not made against Target directly, but against a smaller supplier that opened up Target for them. If that is the case, the big boys may be the showy targets (augh, I actually didn't intend to make a pun out of this, but it's just the best word in this case), but security should be reasonably practiced by all.

  14. #14

    Thread Starter
    Hyperactive Member Maven's Avatar

    Re: [Computer Security] Demonstration of the aurora hack: how hacking works.

    Quote Originally Posted by Shaggy Hiker View Post
    That's a more telling point, really. I was under the impression that the Target breach that made so much news (and utterly hammered their earnings around Christmas) was not made against Target directly, but against a smaller supplier that opened up Target for them. If that is the case, the big boys may be the showy targets (augh, I actually didn't intend to make a pun out of this, but it's just the best word in this case), but security should be reasonably practiced by all.
    Yes and no. The security team at Target dropped the ball in a big way. They were getting fire-eye warnings that their network was compromised; however, they ignored those warnings. So they didn't have properly trained staff in security. I'm guessing they just asked their programmers to monitor security or something of that nature.

    But yes, small shops create a big hole. And I don't see it getting closed without reaching out to a broader community of IT people.

  15. #15
    MS SQL Powerposter szlamany's Avatar

    Re: [Computer Security] Demonstration of the aurora hack: how hacking works.

    @maven - is your forte security?

    The IT security person I mentioned back a few posts ago (he's the IT guy at the client site - I'm an outside programmer) is helping us set up web access for various third-party users to enter contributions remotely into his system. Attorneys to download spreadsheets of delinquency for collection, independent payroll auditors having access to post audit results instead of giving us a s/s for import (if they had not damaged the s/s by changing row or column aspects). At any rate - in just discussing this setup it became instantly apparent that you could not open a port from the web server (in their DMZ) to their production SQL database (in their LAN). Too much data having nothing to do with the "players" who would be using this new web access. Lots of health PHI that had no reason to be on the other end of a SQL injection attack. Our possible solution is to have copies of needed data pushed to a SQL DB outside the LAN - and procedures to move third-party data from the outside world into the production DB. Even better he is going to have a web security consultant come in and discuss other alternatives. The requirement to disclose breaches is so important - it's become like disaster recovery - you had almost better expect it to happen tomorrow. And the HIPAA fines are huge. I never let my laptop out of my sight - it's on me 100% of the time or locked in my office.


  16. #16

    Thread Starter
    Hyperactive Member Maven's Avatar

    Re: [Computer Security] Demonstration of the aurora hack: how hacking works.

    Quote Originally Posted by szlamany View Post
    @maven - is your forte security?

    The IT security person I mentioned back a few posts ago (he's the IT guy at the client site - I'm an outside programmer) is helping us set up web access for various third-party users to enter contributions remotely into his system. Attorneys to download spreadsheets of delinquency for collection, independent payroll auditors having access to post audit results instead of giving us a s/s for import (if they had not damaged the s/s by changing row or column aspects). At any rate - in just discussing this setup it became instantly apparent that you could not open a port from the web server (in their DMZ) to their production SQL database (in their LAN). Too much data having nothing to do with the "players" who would be using this new web access. Lots of health PHI that had no reason to be on the other end of a SQL injection attack. Our possible solution is to have copies of needed data pushed to a SQL DB outside the LAN - and procedures to move third-party data from the outside world into the production DB. Even better he is going to have a web security consultant come in and discuss other alternatives. The requirement to disclose breaches is so important - it's become like disaster recovery - you had almost better expect it to happen tomorrow. And the HIPAA fines are huge. I never let my laptop out of my sight - it's on me 100% of the time or locked in my office.
    Security and software engineering

    Yes, it's good to have an expert come in and look things over. Are you guys just using one step authentication? Are you using multi-factor authentication? I would recommend layering the security of the network. At each layer, the user has to authenticate and also provide something unique. For example, send a text message with a random number so that the user can enter it along with the password. Passwords alone don't provide ample security. And if you layer the system, a hacker might get access to the first layer but not the second layer, etc. Use different tools for each layer.

    I would also recommend banning USB sticks for employees. China tried to gain access to some fortune 500 company that will remain unnamed by dropping usb sticks in the parking lot. Employees picked them up, and they did what most people do. They took the usb sticks inside and plugged them in to see what's on them, and poof the system is cracked. They are popular and you will get resistance from the rest of the firm, but they are one big security problem. I think cell phones are a risk as well, but good luck selling that one.

    Dropping USB sticks in the parking lot is another good training exercise for employees. They'll pick up and stick every last one of those in the company's computers. Just have it call home to report which employee used it. Then give them training. lol

    At any rate, it takes a lot of work to secure a network.
    Last edited by Maven; Jun 28th, 2014 at 04:27 PM.

  17. #17
    PowerPoster
    Join Date
    Feb 2006
    Posts
    24,482

    Re: [Computer Security] Demonstration of the aurora hack: how hacking works.

    Since this is a site for programmers and not box jockeys I'm not sure the topic fits here anyway.

    At best it might go under General PC, but surely not General Developer Discussions.

  18. #18

    Thread Starter
    Hyperactive Member Maven's Avatar

    Re: [Computer Security] Demonstration of the aurora hack: how hacking works.

    Quote Originally Posted by dilettante View Post
    Since this is a site for programmers and not box jockeys I'm not sure the topic fits here anyway.

    At best it might go under General PC, but surely not General Developer Discussions.
    Computer security is a programming concern. The exploit is caused by bad programming. For example, the above exploit worked because some programmer at Microsoft didn't control a buffer. The program fills up memory in the buffer and is eventually able to overwrite EIP which caused the processor to jump back into memory that the exploit overwrote. As a result, we could install a backdoor directly on a remote computer. All the victim had to do was click on a URL.

    Example of bad code:

    Code:
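    #include <iostream>
    using namespace std;

    int main()
    {
        // Fixed 8-byte buffer on the stack.
        char dumb[8];
        // Deliberately unsafe: nothing here limits how many characters
        // are copied from the terminal into dumb.
        cin >> dumb;
        cout << dumb << endl;
        return 0;
    }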
    The variable dumb only has room for 8 bytes; however, it uses cin without a restriction on maximum bytes to input into the variable. So a user entering something in the terminal could enter in more than 8 characters and cause the buffer to overflow.
    Last edited by Maven; Jun 27th, 2014 at 05:08 AM.
    Education is an admirable thing, but it is well to remember from time to time that nothing that is worth knowing can be taught. - Oscar Wilde
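
    Added example (not part of any post in this thread): a bounded counterpart to the "bad code" in post #18, which rejects and drains an over-long line instead of copying it. The names read_line_bounded, read_line_string, Record and guard_survives_long_input are hypothetical, and the input strings are constructed.

```cpp
#include <cstddef>
#include <cstring>
#include <iostream>
#include <limits>
#include <sstream>
#include <string>

enum class ReadStatus { Ok, TooLong, NoInput };

// Read one line into a fixed buffer of `cap` bytes (terminator included).
// istream::getline stores at most cap-1 characters plus '\0', so it never
// writes past the buffer. An over-long line is rejected and the rest of it
// is discarded, rather than being silently truncated.
ReadStatus read_line_bounded(std::istream& in, char* buf, std::size_t cap) {
    if (buf == nullptr || cap == 0) return ReadStatus::NoInput;
    buf[0] = '\0';
    in.getline(buf, static_cast<std::streamsize>(cap));
    if (!in.fail()) return ReadStatus::Ok;
    if (in.bad() || in.eof()) return ReadStatus::NoInput;  // nothing left to read
    // failbit without eofbit: the line did not fit in cap-1 characters.
    in.clear();
    in.ignore(std::numeric_limits<std::streamsize>::max(), '\n');
    buf[0] = '\0';
    return ReadStatus::TooLong;
}

// Same policy with std::string. The string grows as needed, so there is no
// fixed buffer to overrun; the length limit becomes an application rule.
ReadStatus read_line_string(std::istream& in, std::string& out, std::size_t max_len) {
    out.clear();
    if (!std::getline(in, out)) return ReadStatus::NoInput;
    if (out.size() > max_len) {
        out.clear();
        return ReadStatus::TooLong;
    }
    return ReadStatus::Ok;
}

// Constructed check: a guard array sits directly after an 8-byte field, the
// same size as `dumb` in the post. Returns true if every guard byte is
// unchanged after a 64-character line is offered to read_line_bounded.
struct Record {
    char name[8];
    unsigned char guard[8];
};

bool guard_survives_long_input() {
    Record r;
    std::memset(r.guard, 0xA5, sizeof r.guard);
    std::istringstream in(std::string(64, 'A') + "\n");  // constructed input
    ReadStatus s = read_line_bounded(in, r.name, sizeof r.name);
    for (unsigned char g : r.guard) {
        if (g != 0xA5) return false;
    }
    return s == ReadStatus::TooLong && r.name[0] == '\0';
}

int main() {
    char name[8];
    std::istringstream in("AAAAAAAAAAAAAAAAAAAA\nbob\n");  // constructed input
    ReadStatus s;
    while ((s = read_line_bounded(in, name, sizeof name)) != ReadStatus::NoInput) {
        std::cout << (s == ReadStatus::Ok ? "accepted: " : "rejected (too long)")
                  << name << "\n";
    }
    std::cout << "guard intact: " << std::boolalpha
              << guard_survives_long_input() << "\n";
    return 0;
}
```

    Since C++20, operator>> on a char array of known size is itself limited to that size; before C++20 the same statement needs std::setw or a bounded call like the one above.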

  19. #19
    PowerPoster SJWhiteley's Avatar

    Re: [Computer Security] Demonstration of the aurora hack: how hacking works.

    So, basically, we have the bog-standard buffer overrun situation. In other words, if too many bytes are sent to a buffer, and the program does not accommodate this scenario, it is possible that code can be executed.

    And this is the bottom line: the only way any malicious software can get on a computer is if code is executed. Period.

    Edit: it's not even necessary to waste effort 'replicating' such a scenario - i.e. actually executing code through a buffer overrun - just to understand that such a scenario exists. You don't need to get stabbed with a knife to understand that getting stabbed with a knife will have bad consequences.

    I think that's the point; from a programmer's perspective, the whole 'taking control of a computer' is a ridiculous notion to dissect. Sure, security experts are often called upon to be the cleanup crew, so need to understand the effects, so they can, well, clean up.
    Last edited by SJWhiteley; Jun 27th, 2014 at 06:12 AM.

  20. #20
    PowerPoster

    Re: [Computer Security] Demonstration of the aurora hack: how hacking works.

    I tried starting a security thread from the point of view of programmers but it got little attention:

    [VB6 ISVs] Defense in (more) Depth

    It links to Microsoft's directions to C++ programmers, and hoped to build on that to cover VB6. Pretty much none of it applies to .Net programs where little is in the developer's hands anyway.

    It would come down to a few API calls developers should make and a few flags to be set in your compiled PE files as a post-build step. I'd hoped for a discussion on using anti-hijack techniques like windowless controls and such too.

    But nobody was interested.

  21. #21

    Thread Starter
    Hyperactive Member Maven's Avatar

    Re: [Computer Security] Demonstration of the aurora hack: how hacking works.

    Quote Originally Posted by dilettante View Post
    I tried starting a security thread from the point of view of programmers but it got little attention:

    [VB6 ISVs] Defense in (more) Depth

    It links to Microsoft's directions to C++ programmers, and hoped to build on that to cover VB6. Pretty much none of it applies to .Net programs where little is in the developer's hands anyway.

    It would come down to a few API calls developers should make and a few flags to be set in your compiled PE files as a post-build step. I'd hoped for a discussion on using anti-hijack techniques like windowless controls and such too.

    But nobody was interested.
    For Visual Basic programmers, logical problems, authentication problems, and failure to handle user input correctly will be the largest source of security problems. For example, Visual Basic programs that mishandle user input while working with a database will be vulnerable to SQL injections. Almost any resource has that kind of problem, including file systems and exec-like commands.
    Education is an admirable thing, but it is well to remember from time to time that nothing that is worth knowing can be taught. - Oscar Wilde
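
The input-handling defect described in the post above, shown for two of the resources it names (a database and the file system), each beside its corrected form. This is an added example, not part of the original post; it uses Python with an in-memory SQLite table rather than Visual Basic, and the table, function names and inputs are constructed for illustration.

```python
import os
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for an application database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "a-secret"), ("bob", "b-secret")])
    return db


def lookup_concat(db: sqlite3.Connection, name: str) -> list:
    # Defect: the user's input becomes part of the SQL text itself,
    # so quote characters in it change the statement's structure.
    sql = "SELECT secret FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]


def lookup_param(db: sqlite3.Connection, name: str) -> list:
    # Fix: the value travels separately from the statement, as data only.
    cur = db.execute("SELECT secret FROM users WHERE name = ?", (name,))
    return [row[0] for row in cur]


def resolve_naive(base: str, user_path: str) -> str:
    # Defect: "../" segments in the input walk out of the base directory.
    return os.path.normpath(os.path.join(base, user_path))


def resolve_confined(base: str, user_path: str) -> str:
    # Fix: resolve the final path first, then require it to stay under base.
    root = os.path.realpath(base)
    full = os.path.realpath(os.path.join(root, user_path))
    if os.path.commonpath([root, full]) != root:
        raise ValueError("path escapes base directory")
    return full


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"          # constructed input
    print("concat:", lookup_concat(db, crafted))   # every row comes back
    print("param: ", lookup_param(db, crafted))    # no such user
    print("naive: ", resolve_naive("/srv/app/data", "../../etc/passwd"))
    try:
        resolve_confined("/srv/app/data", "../../etc/passwd")
    except ValueError as exc:
        print("confined:", exc)
```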

  22. #22
    PowerPoster
    Join Date
    Feb 2006
    Posts
    24,482

    Re: [Computer Security] Demonstration of the aurora hack: how hacking works.

    True, but you brought up buffer overruns, DLL injection, etc. in your posts on a well known software burglar toolkit.

    For those at the mercy of the .Net Frameworks, all they can do is hope users keep installing those tens to hundreds of megabytes of Framework security fixes from Microsoft each month.

  23. #23

    Thread Starter
    Hyperactive Member Maven's Avatar
    Join Date
    Feb 2003
    Location
    Greeneville, TN
    Posts
    322

    Re: [Computer Security] Demonstration of the aurora hack: how hacking works.

    Quote Originally Posted by dilettante View Post
    True, but you brought up buffer overruns, DLL injection, etc. in your posts on a well known software burglar toolkit.

    For those at the mercy of the .Net Frameworks, all they can do is hope users keep installing those tens to hundreds of megabytes of Framework security fixes from Microsoft each month.
    Right, .net programmers don't have to worry about memory allocation issues. So memory leaks and buffer overflows aren't their concern; however, everything else in security is a concern.

  24. #24
    WiggleWiggle dclamp's Avatar
    Join Date
    Aug 2006
    Posts
    3,527

    Re: [Computer Security] Demonstration of the aurora hack: how hacking works.

    Maven,

    Great post. I was a little saddened to see it was edited before I was able to read the full post.

    I have to admit that I didn't even think of the USB stick hack technique. I work at a university police and we receive all the campus lost and found. The majority of the items we retrieve are USB sticks. I don't work in the lost and found department, but I am sure that they plug a good lot of them into the computers to see who they belong to. Considering our computer network has access to the DOJ and other government networks, I would hate for someone to gain access to our already pretty secure network. I am going to be forwarding this information to our lost and found coordinator.


  25. #25

    Thread Starter
    Hyperactive Member Maven's Avatar
    Join Date
    Feb 2003
    Location
    Greeneville, TN
    Posts
    322

    Re: [Computer Security] Demonstration of the aurora hack: how hacking works.

    Quote Originally Posted by dclamp View Post
    Maven,

    Great post. I was a little saddened to see it was edited before I was able to read the full post.

    I have to admit that I didn't even think of the USB stick hack technique. I work at a university police and we receive all the campus lost and found. The majority of the items we retrieve are USB sticks. I don't work in the lost and found department, but I am sure that they plug a good lot of them into the computers to see who they belong to. Considering our computer network has access to the DOJ and other government networks, I would hate for someone to gain access to our already pretty secure network. I am going to be forwarding this information to our lost and found coordinator.

    http://us.norton.com/yoursecurityres...?aid=usbdrives

    Might be a good idea to have a box set aside from the network to test them out. Those people will have no clue where those drives came from or what exactly is contained on them. In addition, they can immediately exploit a computer.
    Last edited by Maven; Jun 28th, 2014 at 04:52 PM.

  26. #26
    WiggleWiggle dclamp's Avatar
    Join Date
    Aug 2006
    Posts
    3,527

    Re: [Computer Security] Demonstration of the aurora hack: how hacking works.

    Quote Originally Posted by Maven View Post
    http://us.norton.com/yoursecurityres...?aid=usbdrives

    Might be a good idea to have a box set aside from the network to test them out. Those people will have no clue where those drives came from or what exactly is contained on them. In addition, they can immediately exploit a computer.
    Yeah I think I will see how they do things. Like I said, I do not work in the lost and found department, so maybe they are already taking these precautions. But I will pass that information along.

  27. #27

    Thread Starter
    Hyperactive Member Maven's Avatar
    Join Date
    Feb 2003
    Location
    Greeneville, TN
    Posts
    322

    Re: [Computer Security] Demonstration of the aurora hack: how hacking works.

    Quote Originally Posted by dclamp View Post
    Yeah I think I will see how they do things. Like I said, I do not work in the lost and found department, so maybe they are already taking these precautions. But I will pass that information along.
    By the way, if you'll PM me your email address I'll send you an email with the missing directions.

    The next step if you want to get into learning security is to install Splunk on the victim machine. Use Metasploit to attack the machine, and use Splunk to observe the changes. This process gets you into security analytics. The goal here is to figure out how a system behaves once it is the victim of some kind of attack. User patterns may change, the backdoor may try to ping home, and some programs may behave differently. The difficult part is figuring all of this out in the middle of all the noise a computer generates. So using Metasploit allows you to know what to look for and kinda introduces you to the practice. Splunk is a really good computer analytics program.

    There are a number of Aurora-like exploits in Flash and various other applications that can allow an attacker to get control of a machine remotely. Most of these only require a user to click on a URL. It'll kind of make you paranoid. For example, I could create a web page that has some tutorial on it. Link it here, and when people follow it, I could get access to their systems while they read the tutorial.

    After one realizes the volume of personal information, trade secrets, national secrets, and so forth at risk, it becomes pretty obvious that we are in big trouble. A small team of professional hackers could probably shut down the power grids of the United States.
    Education is an admirable thing, but it is well to remember from time to time that nothing that is worth knowing can be taught. - Oscar Wilde
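
One way to pick a backdoor's "ping home" out of the noise described in the post above, as an added example that is not part of the original post: group outbound connections by destination and flag those whose gaps between connections are nearly constant. The log format, hosts, timestamps and thresholds are constructed for illustration and are not Splunk output.

```python
import statistics
from collections import defaultdict

# Constructed sample, one connection per line: "epoch_seconds src dst:port".
SAMPLE_LOG = """\
1000 xp-lab 203.0.113.7:443
1003 xp-lab 198.51.100.20:80
1005 xp-lab 198.51.100.20:80
1009 xp-lab 198.51.100.20:80
1010 xp-lab 192.0.2.50:53
1060 xp-lab 203.0.113.7:443
1090 xp-lab 198.51.100.20:80
1121 xp-lab 203.0.113.7:443
1180 xp-lab 203.0.113.7:443
1200 xp-lab 192.0.2.50:53
1240 xp-lab 203.0.113.7:443
1250 xp-lab 198.51.100.20:80
1251 xp-lab 198.51.100.20:80
1301 xp-lab 203.0.113.7:443
"""


def parse(log: str) -> dict:
    """Group connection timestamps by (source, destination)."""
    by_pair = defaultdict(list)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue  # skip malformed lines rather than fail the whole run
        by_pair[(parts[1], parts[2])].append(int(parts[0]))
    return by_pair


def find_beacons(log: str, min_events: int = 5, max_cv: float = 0.1) -> list:
    """Flag destinations contacted at near-constant intervals.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    connections: human browsing is bursty (cv around 1 or more), while a
    timer-driven check-in stays close to 0.
    """
    findings = []
    for (src, dst), times in parse(log).items():
        if len(times) < min_events:
            continue  # too few samples to say anything about regularity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "events": len(times),
                             "period_s": round(mean, 1), "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

Legitimate pollers such as update checks are just as regular, so hits from a check like this are leads to compare against a known-good baseline of the same machine, not verdicts.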

  28. #28
    PowerPoster
    Join Date
    Feb 2006
    Posts
    24,482

    Re: [Computer Security] Demonstration of the aurora hack: how hacking works.

    Again, we're off in the blue collar "PC admin" weeds here. There aren't any developer issues being discussed so this thread belongs in General PC.

  29. #29
    PowerPoster Nightwalker83's Avatar
    Join Date
    Dec 2001
    Location
    Adelaide, Australia
    Posts
    13,344

    Re: [Computer Security] Demonstration of the aurora hack: how hacking works.

    Quote Originally Posted by dilettante View Post
    Again, we're off in the blue collar "PC admin" weeds here. There aren't any developer issues being discussed so this thread belongs in General PC.
    Oh, so you consider general pc problems blue collar work as opposed to being a developer?
    when you quote a post could you please do it via the "Reply With Quote" button or if it multiple post click the "''+" button then "Reply With Quote" button.
    If this thread is finished with please mark it "Resolved" by selecting "Mark thread resolved" from the "Thread tools" drop-down menu.

  30. #30
    PowerPoster
    Join Date
    Feb 2006
    Posts
    24,482

    Re: [Computer Security] Demonstration of the aurora hack: how hacking works.

    Exactly. That's what PC technicians do.

  31. #31

    Thread Starter
    Hyperactive Member Maven's Avatar
    Join Date
    Feb 2003
    Location
    Greeneville, TN
    Posts
    322

    Re: [Computer Security] Demonstration of the aurora hack: how hacking works.

    Quote Originally Posted by dilettante View Post
    Again, we're off in the blue collar "PC admin" weeds here. There aren't any developer issues being discussed so this thread belongs in General PC.
    Since when are security experts aka white hats known as "blue collar"? People who sign their paychecks would beg to differ. In addition, security is not the same thing as system administration.

    Computer security of any kind is a software engineering topic. There are multiple software engineering workflows responsible for these kinds of hacks.

    Finally, how exactly are you going to be a better programmer until you learn about these problems? Do you suggest developers just ignore security in development?
    Last edited by Maven; Jun 29th, 2014 at 12:17 PM.

  32. #32

    Thread Starter
    Hyperactive Member Maven's Avatar
    Join Date
    Feb 2003
    Location
    Greeneville, TN
    Posts
    322

    Re: [Computer Security] Demonstration of the aurora hack: how hacking works.

    Quote Originally Posted by dilettante View Post
    Exactly. That's what PC technicians do.
    Uhh.. you obviously don't know what you're talking about.

    Do you even know the background you need to do security as a profession? Obviously, this is a new world for you.

  33. #33
    PowerPoster SJWhiteley's Avatar
    Join Date
    Feb 2009
    Location
    South of the Mason-Dixon Line
    Posts
    2,256

    Re: [Computer Security] Demonstration of the aurora hack: how hacking works.

    Quote Originally Posted by Maven View Post
    Since when are security experts aka white hats known as "blue collar"? People who sign their paychecks would beg to differ. In addition, security is not the same thing as system administration.

    Computer security of any kind is a software engineering topic. There are multiple software engineering workflows responsible for these kinds of hacks.

    Finally, how exactly are you going to be a better programmer until you learn about these problems? Do you suggest developers just ignore security in development?
    This has raised a good point.

    Computer security is most often relegated (sic) to the very PC Technicians that dilettante - quite harshly - notes. As such computer 'security' means preventing users from using the computer to its fullest extent. And we still get viruses and malicious software tearing up the network...

    In many larger organizations, IT and Development are two separate slots on the org. chart. And never the twain shall meet.

  34. #34

    Thread Starter
    Hyperactive Member Maven's Avatar
    Join Date
    Feb 2003
    Location
    Greeneville, TN
    Posts
    322

    Re: [Computer Security] Demonstration of the aurora hack: how hacking works.

    Quote Originally Posted by SJWhiteley View Post
    This has raised a good point.

    Computer security is most often relegated (sic) to the very PC Technicians that dilettante - quite harshly - notes. As such computer 'security' means preventing users from using the computer to its fullest extent. And we still get viruses and malicious software tearing up the network...

    In many larger organizations, IT and Development are two separate slots on the org. chart. And never the twain shall meet.
    A company that delegates computer security to PC technicians simply doesn't have computer security. PC technicians do not have the qualifications of computer security professionals; instead, PC technicians are only qualified to do computer repair. In general, computer security professionals have advanced degrees in computer science, and many have military intelligence backgrounds. Also, large organizations have dedicated computer security professionals on staff. In addition, many of them run red and blue teams.

    Computer security is about defending against asymmetrical attacks and information assurance in general; as a result, it's a very broad and deep subject. A user may have access to something, but should he access it? For example, a computer security professional has keys to the castle. There isn't a door that can't be opened. Should a security professional be looking at payroll information? There are many examples like this throughout an organization. In the developer world, security is a part of every single workflow. What design patterns should one use in order to make some functionality secure?
    Last edited by Maven; Jun 29th, 2014 at 02:58 PM.

  35. #35
    WiggleWiggle dclamp's Avatar
    Join Date
    Aug 2006
    Posts
    3,527

    Re: [Computer Security] Demonstration of the aurora hack: how hacking works.

    Why not agree on a middle ground? General Developer is not the best place nor is General PC since it does not fit perfectly into either. This type of content belongs in its own category of which we do not have.

  36. #36
    PowerPoster
    Join Date
    Feb 2006
    Posts
    24,482

    Re: [Computer Security] Demonstration of the aurora hack: how hacking works.

    Quote Originally Posted by dclamp View Post
    Why not agree on a middle ground? General Developer is not the best place nor is General PC since it does not fit perfectly into either. This type of content belongs in its own category of which we do not have.
    This is a programming forums site, not a PC admin site. That's why General PC is here, and exactly where this thread belongs.

    Nick Burns, Your Company's Computer Guy


    Or try somewhere like http://sysadmintalk.com/

  37. #37

    Thread Starter
    Hyperactive Member Maven's Avatar
    Join Date
    Feb 2003
    Location
    Greeneville, TN
    Posts
    322

    Re: [Computer Security] Demonstration of the aurora hack: how hacking works.

    Quote Originally Posted by dilettante View Post
    This is a programming forums site, not a PC admin site. That's why General PC is here, and exactly where this thread belongs.

    Nick Burns, Your Company's Computer Guy


    Or try somewhere like http://sysadmintalk.com/
    Why do you keep insisting that computer security is some kind of technician job?

    Is that why MIT rolls out computer security to first year grad students?
    6.857 is an upper-level undergraduate, first-year graduate course on network and computer security. It fits within the department's Computer Systems and Architecture Engineering concentration. Topics covered include (but are not limited to) the following:

    Techniques for achieving security in multi-user computer systems and distributed computer systems;
    Cryptography: secret-key, public-key, digital signatures;
    Authentication and identification schemes;
    Intrusion detection: viruses;
    Formal models of computer security;
    Secure operating systems;
    Software protection;
    Security of electronic mail and the World Wide Web;
    Electronic commerce: payment protocols, electronic cash;
    Firewalls; and
    Risk assessment.
    http://ocw.mit.edu/courses/electrica...ity-fall-2003/


    Imo, this kind of thing is a good example of why we need licensing.

    http://theinstitute.ieee.org/career-...s-in-the-works
    Last edited by Maven; Jun 30th, 2014 at 04:39 PM.

  38. #38
    MS SQL Powerposter szlamany's Avatar
    Join Date
    Mar 2004
    Location
    Connecticut
    Posts
    18,263

    Re: [Computer Security] Demonstration of the aurora hack: how hacking works.

    In my HIPAA world the SECURITY OFFICER has to know where the "protected health information" is. That is application level (for me) - or at least DBA level for anyone else.

    I play a developer role with this client and have to involve the SECURITY OFFICER in all discussions of how data will be available both INTRANET and INTERNET - with that SECURITY OFFICER forcing application design changes onto the developer side.

    I personally welcome this thread being discussed in GENERAL DEVELOPER. Any developer that does not consider the issues discussed here runs the risk of creating applications that could be exploited.

    Consider the ASP.Net programmer - and what they might put into a WEB.CONFIG file. If a web server gets compromised the contents of that WEB.CONFIG file become very important.

    *** Read the sticky in the DB forum about how to get your question answered quickly!! ***

    Please remember to rate posts! Rate any post you find helpful - even in old threads! Use the link to the left - "Rate this Post".

    Some Informative Links:
    [ SQL Rules to Live By ] [ Reserved SQL keywords ] [ When to use INDEX HINTS! ] [ Passing Multi-item Parameters to STORED PROCEDURES ]
    [ Solution to non-domain Windows Authentication ] [ Crazy things we do to shrink log files ] [ SQL 2005 Features ] [ Loading Pictures from DB ]

    MS MVP 2006, 2007, 2008

  39. #39
    Super Moderator FunkyDexter's Avatar
    Join Date
    Apr 2005
    Location
    An obscure body in the SK system. The inhabitants call it Earth
    Posts
    7,900

    Re: [Computer Security] Demonstration of the aurora hack: how hacking works.

    This thread isn't going to be an entirely comfortable fit no matter where we put it. General PC isn't a good fit because it's hardware orientated. Personally I'm happy that General Development is about as good a fit as we're going to find on this forum even if it's not perfect. We are a programming forum; specifically we're a VB forum, but that doesn't stop us covering all sorts of related topics.

    This is a very important topic and, as Szlamany says "Any developer that does not consider the issues discussed here runs the risk of creating applications that could be exploited". While security may well be an admin task it's certainly of interest to developers as well (and if not it damn well should be).

    If there's enough interest in this type of topic then maybe Brad will see fit to create a new sub-forum for it in the future but we don't have enough discussion to merit that yet and, until such a time as we do, then general developer is the best place for it.
    The best argument against democracy is a five minute conversation with the average voter - Winston Churchill

    Hadoop actually sounds more like the way they greet each other in Yorkshire - Inferrd

  40. #40
    Super Moderator Shaggy Hiker's Avatar
    Join Date
    Aug 2002
    Location
    Idaho
    Posts
    38,989

    Re: [Computer Security] Demonstration of the aurora hack: how hacking works.

    I strongly support leaving this thread where it stands. I thought I had said this before, but I don't see the post, so I'll say it here: Software security is a programming issue, not a hardware issue. I go to General PC for hardware issues, not software issues. It's a backwater, and this is a more important topic than that.

    Software security only gets pushed to the techs because people don't feel it should be anywhere else. That's a bad way to look at it. It's a subject that shouldn't be relegated anywhere, it should be a bit more out in the open and discussed at all levels from coding to hardware.
    My usual boring signature: Nothing
