A few days ago I watched a live hacking demo at the University of Sussex in which a company showed how easy it was to access a large number of credit card numbers on a supposedly secure ebusiness site.
The demo took 15 minutes and involved an arsenal of tools easily available on the internet. As the independent security consultants I-Sec made Swiss cheese of the website's firewall, many of the delegates' jaws dropped - mine included.
This particular demo was carried out on a site the firm had designed, and the credit card details were stored on the web server itself rather than on a separate back-end system or with a third-party payment processor.
But the site still had a number of features that are common to many firms' sites. By exploiting an unpatched vulnerability in Microsoft's IIS web server, the attacker compromised the machine in minutes. The firewall was no obstacle: it has to let HTTP through to the web server, and the attack travelled inside ordinary HTTP requests.
I-Sec managing director Geoff Davies searched the web using phrases such as 'how can I hack Microsoft IIS?' and 'free hacking tools'. If you haven't tried this yet, then do so. The variety of free exploit code on offer, much of it C source that needs nothing more than a compiler, is horrifying.
This may not come as a great surprise to many of you but, if you're feeling overconfident about your security regime, stop now, because this wasn't the end of it.
We were given a short history of virus activity by Peter Cooper, head of support at Sophos. The Chernobyl virus hit 250,000 PCs, he said, and the Hybris virus, being internet-aware, updates itself automatically. W32/Nimda and Unix/Sadmind tend to dive straight for known vulnerabilities. Cooper also mentioned the Polite virus, which asks users whether they would like it to infect their system before wiping their drives.
Round the corner are more file-infecting viruses that encrypt data as they go, multi-pronged attacks, and viruses with built-in mail transfer agents, able to send mail without going through the victim's mail client. There are many virus shops, including Roadkil's Virus Cafe, offering DIY virus kits and ready-to-run scripts.
The problem is not necessarily the brilliance of hackers or virus writers. It is the willingness of far less experienced users to point these tools at corporate networks in volume: if a tool targets a vulnerability present on, say, 10 per cent of Windows PCs, that is still a lot of machines for the hackers to chew on.
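Nimda is a concrete case of a worm diving straight for known, already-patched vulnerabilities in the way described above, and of the unpatched IIS problem from the demo: it sent HTTP requests for the root.exe backdoor left behind by Code Red II and for cmd.exe through the IIS Unicode (MS00-078) and double-decode (MS01-026) directory traversal bugs. The script below is an added example, not from the article or any of the speakers. It canonicalises request paths the way the vulnerable server effectively did, then flags these probes in IIS W3C-format log lines; a 200 on a cmd.exe request is the line that matters, because it means the traversal worked. The log lines are constructed (the client addresses are from documentation ranges), and the request strings are the ones listed for Nimda in CERT advisory CA-2001-26.

```python
"""Flag Nimda-style IIS probes in a W3C extended-format web server log.

Added example.  The vulnerable server decoded request paths leniently, so a
detector has to canonicalise the same way before matching, or the encoded
variants of '../' slip past a plain search for the literal string.
"""
import re
from urllib.parse import unquote_to_bytes

# Constructed sample log (not a real capture); client IPs are documentation ranges.
# The cmd.exe / root.exe request strings are those Nimda sent (CERT CA-2001-26).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 13:01:02 192.0.2.10 GET /index.htm - 200
2001-09-18 13:01:05 198.51.100.7 GET /scripts/root.exe /c+dir 404
2001-09-18 13:01:06 198.51.100.7 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404
2001-09-18 13:01:07 198.51.100.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-09-18 13:01:08 198.51.100.7 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 13:01:09 198.51.100.7 GET /scripts/..%c1%9c../boot.ini - 404
2001-09-18 13:01:11 192.0.2.11 GET /images/logo.gif - 200
"""


def _lax_utf8(raw: bytes) -> str:
    """Decode ASCII plus the overlong two-byte sequences IIS 4/5 accepted.

    A conforming decoder rejects %c0%af (overlong '/'), but IIS mapped it to
    '/' (MS00-078), and it even accepted %c1%1c, whose second byte is not a
    valid continuation byte.  Masking the low six bits of the trail byte, as
    done here, reproduces both results.  Other non-ASCII bytes are replaced
    with '?'; this example only covers the two-byte forms Nimda used.
    """
    out = []
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw):
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        elif b < 0x80:
            out.append(chr(b))
            i += 1
        else:
            out.append("?")
            i += 1
    return "".join(out)


def normalize_path(uri_stem: str) -> str:
    """Canonicalise a request path as the vulnerable server effectively did.

    Two rounds of percent-decoding reproduce the MS01-026 'double decode'
    bug (%255c -> %5c -> backslash), the lax UTF-8 step handles MS00-078,
    and backslashes become slashes so '..\\..' and '../..' compare equal.
    """
    text = uri_stem
    for _ in range(2):
        text = _lax_utf8(unquote_to_bytes(text))
    return text.replace("\\", "/").lower()


# Matched against the canonical path, so every encoding variant collapses to one rule.
SHELL_RE = re.compile(r"/(winnt/system32/cmd|root)\.exe$")
TRAVERSAL_RE = re.compile(r"(^|/)\.\./")


def classify_request(uri_stem: str):
    """Return 'shell', 'traversal' or None for one cs-uri-stem value."""
    path = normalize_path(uri_stem)
    if SHELL_RE.search(path):
        return "shell"
    if TRAVERSAL_RE.search(path):
        return "traversal"
    return None


def scan_log(log_text: str):
    """Parse W3C extended log lines and return the probe hits in order.

    '#Fields:' names the columns; other '#' lines are directives.  Each hit
    keeps the client, the raw and canonical path, the probe kind and the
    status IIS returned, because a 200 on a cmd.exe request means the
    traversal worked and the host has to be treated as compromised.
    """
    fields = None
    hits = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        rec = dict(zip(fields, line.split()))
        kind = classify_request(rec["cs-uri-stem"])
        if kind is None:
            continue
        hits.append({
            "ip": rec["c-ip"],
            "raw": rec["cs-uri-stem"],
            "path": normalize_path(rec["cs-uri-stem"]),
            "kind": kind,
            "status": int(rec["sc-status"]),
        })
    return hits


def successful_shell_hosts(hits):
    """Clients whose cmd.exe/root.exe request got a 200: treat as breached."""
    return {h["ip"] for h in hits if h["kind"] == "shell" and h["status"] == 200}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h['ip']} {h['kind']:9} {h['status']} {h['raw']} -> {h['path']}")
    print("hosts with a successful shell request:", sorted(successful_shell_hosts(found)))
```

The point of the normalisation step is that a signature on the literal string `../` or `cmd.exe` sees none of the `%c0%af` or `%255c` requests; the detector has to make the same mistakes the server made. Run against real IIS logs, the list of hosts with a 200 on a shell request is the list to isolate first, whether or not the worm itself went on to spread.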
Another speaker, Stephen Whitelaw from Iomart, talked about yet more illegal tools available on the public internet. For example, you can download a credit card number generator called Credit Probe and an address generator called Credit Wizard, although possessing them is illegal in many countries.
A tool called Triangle Boy can be used to reach blocked IP addresses, and Revelation, from Snadboy.com, recovers passwords hidden behind asterisks in Windows dialog boxes (it reads them out of the control rather than cracking them).
Here are the questions to ask yourself: what would you do if your site was targeted with some of the weapons above? What backup do you have? Are you up to date on the tools used to compromise ebusiness security? And are any of your staff using these tools?