Data breach interactive chart shows major increase in security flaws

If you didn’t believe us that hackers have been keeping themselves really busy in the last few years, this interactive graphic might just be the visual proof you need.
David McCandless of Information is Beautiful created the graphic with coder Tom Evans. It shows all the different “data breaches” that have occurred since 2004 affecting more than 30,000 people. Each attack is displayed as a bubble, based on that victim-count. You can also filter by year, method of leak, what was stolen, and the type of organization.
Pretty much any article about a hack you might read includes some mention of how “cyberattacks are growing,” and “the amount of hacks have increased in the last X amount of years.” This graphic gives those call-outs merit, but also highlights some of the internal mistakes companies have made that let regular folks accidentally leak out data .
As you scroll up from 2004, the size of the breaches actually seem to diminish slightly, but the frequency definitely increases and varies from hundreds of thousands to tens of millions of victims. You can click on each bubble to get a little more information about the breach and click through to a report.
Check it out and let us know what you think of the interactive graphic.

 

Robots.txt is a text (not html) file you put on your site to tell search engine which pages you would like them not to visit. Robots.txt is by no means mandatory for search engines but generally search engines obey what they are asked not to do.

 

Now if this is not configured properly, then there are chances hacker tries to find exploitable targets and sensitive data by using search engines which is known as Google Hacking. The Google Hacking Database (GHDB) is a database of queries that identify sensitive data. Although Google blocks some of the better known Google hacking queries, nothing stops a hacker from crawling your site and launching the Google Hacking Database queries directly onto the crawled content.

 

Information that the Google Hacking Database identifies:

 

 * Files containing passwords
 * Files containing usernames
 * Advisories and server vulnerabilities
 * Error messages that contain sensitive information
 * Sensitive directories
 * Vulnerable servers
 * Web server detection
 * Control of CCTV Cameras
 

Trying to completely update this GHDB soon, So you can refer this post to find latest attack pattern.


GHDB: Files containing passwords

This search show “password” files which contain encrypted/hashed/cleartext passwords. A password cracker can decrypt the encrypted/hashed password faster than Elvis eating jelly doughnuts. Sometimes you will get FULL ADMIN access...

1. inurl:"/root/etc/passwd" intext:"home/*:"
2. intitle:index.of passwd passwd.bak
3. intitle:index.of master.passwd
4. intitle:”Index of” pwd.db
5. intitle:”Index of” “.htpasswd” htpasswd.bak
6. intitle:”Index of” “.htpasswd” “htgroup” -intitle:”dist” -apache -htpasswd.c
7. intitle:”Index of” spwd.db passwd -pam.conf
8. intitle:”Index of..etc” passwd
9. intitle:index.of config.php
10. index.of passlist
11. intitle:index.of administrators.pwd
12. filetype:sql insite:pass && user

GHDB: Files containing usernames

This search reveals userlists, username of different types of user like end user account, administrative user account.

1. inurl:admin inurl:userlist
2. inurl:admin filetype:asp inurl:userlist
3. filetype:reg reg HKEY_CURRENT_USER username
4. filetype:conf inurl:proftpd.conf -sample
5. inurl:php inurl:hlstats intext:”Server Username”
6. intext:”SteamUserPassphrase=” intext:”SteamAppUser=” -”username” -”user”
7. filetype:log username putty

GHDB: Control of CCTV Cameras

This search reveals web cameras, If authentication is not enable then you can take controll of web cameras.

1. inurl:/control/userimage.html
2. intitle:"active webcam page"
3. inurl:camctrl.cgi
4. allintitle:Brains, Corp. camera
5. intitle:"supervisioncam protocol"
6. allinurl:index.htm?cus?audio
7. intitle:"Browser Launch Page"
8. inurl:"next_file=main_fs.htm" inurl:img inurl:image.cgi
9. intitle:"Live NetSnap Cam-Server feed"
10. intitle:"iVISTA.Main.Page"
11. intitle:"V-Gear BEE"
12. intitle:"EvoCam" inurl:"webcam.html"
13. intitle:"i-Catcher Console" Copyright "iCode Systems"
14. intitle:"toshiba network camera - User Login"
15. intitle:"DVR Web client"
16. inurl:netw_tcp.shtml
17. camera linksys inurl:main.cgi

How Secure is Your Mobile Worker?

How well do you know your mobile worker? Understanding the mobile worker’s perceptions and behaviors will offer a better view on the potential security implications your organization must manage. Cisco recently released a new global infographic and white paper, the Cisco Connected World International Mobile Security study. They explore the mobile worker’s view points concerning working remotely, connecting to corporate, and their sense of security. Some of the findings are worth reflecting on to help you set the course for your mobile security efforts.
There is no question that the movement to mobile personal devices in the workforce has been well recognized. A recent response to this trend includes almost half of employers offering to fund workers to buy their own devices. Allowing the “chose your own” device alternative will attract and retain talent and reduce costs (see recent IBSG BYOD research), but what are the security implications?
There are a few striking data points to call out:

• 63% of users download sensitive data on their devices. The frequency significantly increases in some countries which should alarm people doing business internationally if there are no precautions taken to secure the downloaded data. Imagine your financial data or product road maps being downloaded on an unprotected personal device.
• Most believe remote access is a privilege. Yet in some countries they believe it’s a right as a worker. This establishes high expectations for IT to support and secure the devices including, but not limited to, extensive help desk calls.
• Most users are diligent when a pop-up appears and will read through the details and determine what it really means. Yet, many workers from select countries generally tend to be less careful and accept warning pop-ups without reading the details which increases the risk that hidden malware will be downloaded. Hackers depend on this social mining effort.
• 60% of users admit to engaging in risky behavior on a device (for example, personal or company-owned) while connected to corporate resources. This suggests that more security enforcement technology would benefit the prevention of data breaches and/or loss.

So, who really owns the mobile security issue? Mobile workers do not take full responsibility for a safe device with 84% believing that their IT will protect them from threats no matter what device is used. Sometimes IT’s perspective on this dependency is expressed with disbelief. An example of this issue was observed at BlackHat from a security professional during a demonstration we presented a couple weeks ago.
During the demonstration, we were showing how a user who inadvertently clicked on a phony URL sent in an email. That click triggered to phone an alert to a hacker that an “innocent” user is accessing the phony Internet site. The user unknowingly offered login credentials to their bank account. The hacker begins to record the users’ keystrokes to use later for malicious purposes. A security professional from BlackHat chimes in during the demonstration with the comment, “Dumb User.” The demonstration later showed how the combined effort of Cisco ISE and SIEM (Lancope) with unique TrustSec enforcement can identify and control the malicious activity with a single policy (for example, by segmenting and restricting users traffic close to the edge—on a network switch). The surprise to the security experts watching the demonstration was the concept that the network switch provided this enforcement.
Bottom Line: Most mobile workers have good intentions but do rely on IT to step in.
It would be great hear from you on your impressions of these recent findings and whether you are a mobile worker or an IT professional.
Please refer to Cisco’s security response for the mobile workforce: Secure Access

WEAPON OF ANONYMOUS

Before starting, I would like to give a small preview about the topic. This article focuses on the world famous hacker group, known as “Anonymous.” I will be describing their attacking methodologies and way of planning, but we will be focusing more about the weapons or tools they use. The word anonymous simply means having no name or identity. The group Anonymous is a faction of hackers or hacktivists. They have their own website and IRC (Internet Relay Chat) channel where they hold lax online gatherings that focuses on brain storming. Rather than giving orders, the group uses a voting system that chooses the best way in handling any situation. This group is famous for their hacks, one of which is Distributed Denial of Service (DDOS) attacks on government websites, well-reputed corporate websites, and religious websites. Their famous slogan is:

We are Anonymous
We are Legion
We do not forgive
We do not forget
Expect us

This is the signature of Anonymous that can be seen in their every attack.

Skills of Anonymous hackers:

They are people with excellent hacking skills, but they use conventional black hat techniques and methods. In fact, their hacking techniques are familiar with other hackers. For example, they also use the same tools used by other hackers, like havij and sqlmap in performing an SQL injection attack on any website. In other words, they are able to take advantage of common web application vulnerabilities which can be found in many websites.

The Anonymous hackers are comprised of two types of volunteers:

• Skilled hackers –This group consists of a few skilled members that have expertise in programming and networking. With their display of hacking skills, one can surmise that they have a genuine hacking experience and are also quite savvy.
  
• Laypeople – This group can be quite large, ranging from a few dozen to thousands of volunteers from all over the world. Directed by the skilled hackers, their primarily role is to conduct DDoS attacks by either downloading and using special software or visiting websites in order to flood victims with excessive traffic. The technical skills required in this group ranges from very low to modest.
  

There was about a 10:1 ratio of laypeople to skilled hackers.

The Anonymous hackers’ first objective is to steal data from a website and server. If it fails, that is the time they attempt a DDOS attack. They are a very well-managed group. Before selecting a target, they conduct a voting poll in the internet. After that, they name their operation.

They already organized many operations that became very famous, one of which is “Pay Back” which became famous all over the world back in 2010. In operation Pay Back, they stopped the services of well known e-commerce business solutions, such as PayPal, Visa, MasterCard, and Sony by performing D-DOS attacks on them. There are many other operations which were conducted by this group such as Operation leakspin, Operation Israel, Operation Facebook, Operation Gaza, etc.

In the figure below, we can see an example of their voting system for an operation.


After the voting poll, they decide what the next operation is.

In the figure below, we have shown a good example of their voting response.


After finalizing voting for the target, the operation process proceeds.

Their hacking operation consists of three different phases.

1. Recruiting and communication phase

2. Reconnaissance and application attack phase

3. DDOS attack phase

1. Recruiting and communication phase: In this phase, Anonymous uses social media in recruiting members and promoting campaigns. In particular, they use popular social networking sites like Twitter, Facebook, and YouTube to suggest and justify an attack. This is really the essence of all hacktivism campaigns. Messages were spread via social media such as Facebook, Twitter and YouTube.

The content during this phase:

• Explains their political agenda for the campaign. In this case, a website was created that rationalized the attack. Twitter and Facebook were used to bring attention to the website and its arguments. In addition, YouTube videos further rationalizes the attack by denigrating the target and exposing perceived transgressions.

• Declared the dates and targets for protest in order to recruit protesters and hackers.

2. Reconnaissance and application attack phase: In this phase, the attackers have a sound knowledge on attacking tools. They use anonymity services to hide their identity and maintain a low profile. Their attack traffic levels during this phase were relatively low, especially when compared to the attack phase. However, the reconnaissance traffic was relatively high compared to ordinary days. An attacker tries to penetrate the web application by using famous tools like Havij, Acunetix Web vulnerability scanner, etc.

Example of tools used is stated below:

Havij- Havij is an automated SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities on a web page. By using this software, a user can perform back-end database fingerprint, retrieve DBMS users and password hashes, dump tables and columns, fetch data from the database, running SQL statements and even access the underlying file system and executing commands on the operating system.

Acunetix – The Acunetix Web Vulnerability Scanner is an automated black box scanner that checks websites and Web applications for vulnerabilities such as SQL injection, Cross Site scripting, and other vulnerabilities.

Once the attacker successfully exploits any of these vulnerabilities, Anonymous will deface the website by replacing their website’s home page with their defaced page that looks like the figure below, with their slogan and a message to the world.

3. DDOS attack phase: DDOS attack it is the deadliest attack they use and is performed by their skilled hackers. If they fail to penetrate the web application then they go for this attack. They are also famous for this attack because whenever they perform this attack, they always succeed on their operation. But before conducting a DDOS attack, the anonymous group provides a list of tools in different social media like in an IRC channel, Facebook, pastebin, etc.

Some of the famous and powerful tools used by the Anonymous group are H.O.I.C, Pyloris, Qslowloris, Torshammer, etc.

I am going to show you some of the usage of the tools.

H.O.I.C- Also known as High Orbit Ion Cannon. It is a simple script launching HTTP POST and GET requests at the target server. It is a cross platform tool easily found for Windows, MAC and Linux platforms. As we can see in below figure Click on plus icon which opens a new small windows for adding targets.

Input the target address in URL box then set the power level to Low, Medium and High as your requirement.

In the figure above, we can see the third option was left blank.
HOIC’s boosters are used to tailor the HTTP requests sent by HOIC to the target for a specific type of attack. “HOIC is pretty useless,” the documentation file that comes with the code says, “unless it is used in combination with ‘Boosters.’” And that’s putting it mildly—the attack code is generated based completely on what’s in the booster file. When an attack is launched, HOIC compiles the booster to create the HTTP headers to be sent, and sets the mode of the attack.

After selecting the booster, it is ready for the attack, as we can see in the figure below.

Now just click on “FIRE TEH LAZER” and wait for few minutes.

Now when you will open your target web page, you will see a message like the figure above. If you see the message “Resource Limit Is Reached”, then it means the game is over.

PyLoris – It is a python based tool that works simultaneously on Linux and Windows platform. PyLoris also includes a feature called TOR Switcher, which allows attacks to be carried out over the anonymized Tor Network and switch between Tor “identities,” changing the apparent location the attack is coming from at user-defined intervals. Before using this tool, it is required that TOR browser and Python is installed on the system. Now we can start the tutorial.

1. First open Tor. In the Vidalia control panel, go to settings, then “Advanced”, and from the drop down menu, choose password. Finally, deselect Randomly Generate.
2. Next, go to Pyloris folder and open the file Tor_Switcher.py and input the password you just set in Tor. You can lower the rate of interval if you want. If you are getting rejected connections, try lowering or raising the rate of interval.
3. Leave Tor_Switcher.py running and open Pyloris.py. Configure it, by inputting your target website in the host under the general’s menu. The port is usually 80. You can raise the limits depending on how fast your computer is. Once it’s all set up, fire your laser, and click on the launch button.
   
4. After clicking the Launch button, a new window will pop up and will show the status of the attack. Please refer to the image below.
5. It takes some time before all the target’s sockets are filled, usually around 300 or so. Just wait and soon you will see that your target is down.

References:

http://en.wikipedia.org/wiki/Anonymous_(group)

http://arstechnica.com/business/2012/02/high-orbits-and-slowlorises-understanding-the-anonymous-attack-tools/