Not so.
With the recent resurgence of hacktivism and Internet-savvy collectives like Anonymous, it’s getting easier. What’s truly shocking is just how easy.
Rob Rachwald claims it took him 15 minutes to teach his 11-year-old how to carry out an SQL injection attack, one of the most common methods for stealing private data from web-databases. SQLi essentially tricks a database into revealing data that should be hidden, by “injecting” certain commands. That used to be done manually; now it can be automated, thanks to new tools like Havij and sqlmap.
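To make the mechanism above concrete from the defender's side, here is an added example (not code from the article, from Imperva, or from any of the tools named) showing the defect that SQL injection relies on and the standard fix. It uses Python's built-in sqlite3 module with a small constructed users table; the table, the sample rows and the function names are assumptions made for the illustration, not anything the article describes.

```python
import sqlite3

# Constructed sample data for the demo (not from the article).
SAMPLE_USERS = [
    ("alice", "alice@example.com", "hash-of-alice-pw"),
    ("bob", "bob@example.com", "hash-of-bob-pw"),
]


def build_db():
    """Create an in-memory database with a tiny users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, email TEXT, password_hash TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The defect: the request value is pasted into the SQL text.

    A quote character in the input therefore ends the string literal and
    the rest of the input is parsed as SQL, which is exactly what the
    article means by 'injecting certain commands'. A single username
    lookup can be turned into 'return every row'.
    """
    sql = (
        "SELECT username, email FROM users WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The fix: a bound parameter.

    The query text is fixed at development time and the driver passes the
    input as a value, never as SQL, so no input can change the query's
    structure. Escaping or filtering input is not a substitute for this.
    """
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    # The classic tautology input that automated SQLi tools probe with.
    hostile = "' OR '1'='1"
    print("vulnerable, normal input:  ", lookup_vulnerable(db, "alice"))
    print("vulnerable, hostile input: ", lookup_vulnerable(db, hostile))
    print("parameterized, hostile input:", lookup_parameterized(db, hostile))
```

Run as-is, the vulnerable lookup returns both users for the hostile input, while the parameterized lookup returns nothing because it searches for a user literally named `' OR '1'='1`. The same contrast is the first thing to check in a code review: any place where request data is concatenated into query text is a candidate for the automated tools the article goes on to describe.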
“The tools are getting smarter,” says Rachwald, who directs security strategy at cyber security firm Imperva. As a result, “the pool of hackers is increasing.”
Havij, for example, was created just a year ago, but it has already become one of the most popular tools for carrying out automated SQLi attacks, allowing users to steal anything from passwords to email addresses to credit card numbers from a website. The most popular targets are small and medium-sized businesses that allow online transactions: think local gyms, pet-sitting services and charities.
But big companies can be vulnerable too, and there are plenty of examples:
LulzSec, a splinter group from Anonymous, grabbed headlines last year when it stole the staff and admin passwords from PBS, then published a fake story about Tupac Shakur through its content management system. The group then revealed the hack had been easy, thanks in part to using Havij to collect and store the stolen data.
Earlier this week Ohio man John Anthony Borell pleaded not guilty to stealing the private details of nearly 500 police officers from the Salt Lake City Police Department. Prosecutors claim Borell was part of another splinter group called CabinCr3w, which used an automated script to carry out the attack. That “automated script” could easily have been Havij or sqlmap.
Supporters of Anonymous also used Havij in an (unsuccessful) attempt to steal private data from the Vatican last August.
Anyone can download Havij for free and simply type in the URL of their target, a vulnerable website. The program then reconstructs and categorizes the hidden data it finds into a helpful list of headings like “passwords” or “CC numbers.” It lets you tick off the data you want to take (for selling to spammers, or just posting online for the world to see) and leave the less useful data behind. All done via a simple interface and in just a few clicks.
Some 88% of all SQL injection attacks between January and March of this year were carried out by either Havij or sqlmap, according to new research from Imperva, with the majority of attacks using Havij. The name, incidentally, is Farsi for “carrot,” and is charmingly used as slang for male genitalia. “Somebody somewhere tried to have a sense of humor,” Rachwald says dryly.
Sqlmap, also free and billed as an off-the-shelf, penetration-testing tool, uses a command-line interface and requires a little more programming experience to use. But it can also automate the process of taking private data.
Sometimes attackers won’t know whether a site is vulnerable or not. But (surprise) that problem is also easily solved with more automated tools like Acunetix and Nikto. Acunetix, which is marketed to organizations that want to test their own websites for vulnerabilities, offers a free version on its site, while Nikto is open source and also freely available. Once downloaded, either program can quickly scan a site for security holes, before something like Havij comes in to mine the spoils.
In late 2010, Anonymous grabbed headlines for launching so-called DDoS attacks on PayPal and MasterCard, spamming them with junk traffic which (largely thanks to botnets) knocked them temporarily offline. Fast-forward to a year and a half later and those kinds of stunts don’t make as much noise anymore. That’s why Anonymous and its various offshoots have shifted their focus to stealing data.
“If you really want to hurt a company you expose their data,” says Rachwald, adding that two-thirds of the attacks on 30 web applications (websites) that Imperva had tracked over the last three months were automated. He’s also noticed increased discussion about Havij on hacker forums.
This might explain another recent statistic. The majority (61%) of IT security professionals are worried about future attacks from Anonymous and hacktivists, according to survey results released earlier this week by cyber security company Bit9. Anonymous came top of the list of attackers they thought were most likely to target their organization, followed by “cyber criminals” and “nation states.” The professionals aren’t worried about the malicious spammers and veteran cyber thieves as much as they are about the teenager or 20-something next door who’s just learned how to use a free hacking tool.
The rise of armchair hackers like these is just another example of how new online tools have made skills that once took years to master far more accessible. Websites can still protect themselves from these guys, but there will certainly be more of them.