Q&A between a security evangelist and a hacker
Earlier this week HP security evangelist Rafal Los published a question and answer article with a hacker named ‘srblche srblchez’.
Los, who calls himself ‘Wh1t3Rabbit’, said that the effort was ‘to try and see if I could get a peek into the mind of the hacker who was selling pwn3d sites’.
Los said: “I don't think you can adequately protect yourself unless you understand your enemy, so with that in mind I fashioned some questions which the hacker would likely answer. I hope we are able to learn something here.”
The Q&A is as follows:
- Are you really making any money on this hack, now that it's public? - Yes, up to thousands of dollars. Depends on the value of the targets.
- Aren't you afraid of being caught, arrested and prosecuted? - I didn't force the law. (Law does not protect fools.)
- Why target government-related websites? - Customers [are] dying to know edu/gov/mil database information, such as military actions/papers/documents. Evidence of staff such as real names, phones, contact email, address, etc. for their special operations, such as spamming or private operations. CPA leaders.
- How long did it take you to gather this list of targets? - Couple of minutes. Thanks to Google for making hacking easier.
- Did you write all your own scripts, exploits or code? - Yes. Mostly perl/python.
- How long did it take to actually pop those sites? - Couple of seconds.
- Do you have a favourite exploit (XSS, SQLi, RFI, etc?) - Remote exploits mostly and SSH brute forcing.
- Do you think any particular framework, or dev language (PHP, etc) is any more vulnerable than others? - PHP, ASP, CFM are the most stupid code frameworks and the most vulnerable.
- Do you think the administrators of these sites would ever notice these sites were hacked if this didn't become public? - Well, honestly [I] am not a defacer (the ones who change the whole database, remove the target files and make a big notice that even the stupid system administrators will notice). No, I just finish my goals, which are to gather the information, which is the most valuable in my case. Then I remove my logs and disappear like a ghost.
- Why are the prices so low? - Well, in marketing, lower prices and more customers depend on your product quality. So [I] am providing good quality at a good price, and that brings more customers.
- Do you have any ethical problems with exploiting and then profiting from poor security on these sites? - Not at all. Each vulnerable site I face I directly email the web admin. If I see no reply I publish it.
- Do you think the website/application security is getting any better over the last five years? Three years? - [I have been] into security since 1996. Simply, I see no changes and it has become worse than ever.
- Are you part of an organised group? Or do you work alone? - I used to be a member of m00p crew but all my friends have been arrested, or most of them. I used to be a member of the milw0rm organisation, but no more since str0ke quit.
- Can you give any advice for people who build websites? How to protect themselves from people like you? - There's a bunch of useful website vulnerability scanners; it is good if you give your site a couple of seconds of checking for vulnerabilities.
In conclusion, Los said: “Clearly our hacker isn't afraid of being caught and has no moral issues. An independent attacker who writes their own scripts and hacks in ‘a couple of seconds’ is your worst nightmare as a security professional, mostly because the velocity of attack is so great and the likelihood of being caught in a detection system like an IPS is so low.
“What I do find interesting is the method of penetration which the attacker explains as ‘remote exploits and SSH brute forcing’, so a combination of attacks like SQL injection at the application layer and an SSH brute force at the system level to achieve a complete compromise.
“System admins thought they had things figured out and the hackers were moving exclusively to the web layer; apparently that is not as true as we would like to think. Passwords are still your weakness (SSH brute forcing) and we all know that web applications are written just as poorly today as ever, so we've got serious issues out there. What's perhaps most telling of all is that the hacker sees virtually no changes (maybe even things getting worse) since his/her entry into security in 1996. I suppose an ‘I told you so’ is inappropriate at this point, but the industry is still not getting it.”
In terms of remediation and lessons to be learned, Los recommended taking a few seconds to test your applications, and considering incident response (in particular, how you respond when someone tells you your site has a vulnerability), as this is consistently missing from most organisations' software security assurance programmes.
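Los's point about SSH brute forcing is that weak passwords at the system level still get sites popped, and that an attacker who finishes in seconds and then wipes logs is rarely caught by an IPS. The one place such an attack does leave a trace before the cleanup is the sshd authentication log on the target, so the following detection script is an added example (not code from the article, from Los or from the interviewed hacker) of what a defender's incident-response tooling can look for: a burst of failed SSH logins from one source, and whether a successful login from that same source followed the burst. The log lines, hostnames, usernames, IP addresses (documentation ranges) and the assumed log year are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines in auth.log/syslog format (not taken from the
# article); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
Mar 12 03:14:07 web01 sshd[2114]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Mar 12 03:14:08 web01 sshd[2114]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Mar 12 03:14:09 web01 sshd[2116]: Failed password for root from 203.0.113.5 port 51024 ssh2
Mar 12 03:14:09 web01 sshd[2116]: Failed password for root from 203.0.113.5 port 51024 ssh2
Mar 12 03:14:10 web01 sshd[2118]: Failed password for root from 203.0.113.5 port 51026 ssh2
Mar 12 03:14:11 web01 sshd[2120]: Failed password for root from 203.0.113.5 port 51028 ssh2
Mar 12 03:14:12 web01 sshd[2122]: Accepted password for root from 203.0.113.5 port 51030 ssh2
Mar 12 03:20:00 web01 sshd[2200]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Mar 12 03:35:00 web01 sshd[2210]: Failed password for alice from 198.51.100.7 port 40002 ssh2
Mar 12 03:35:30 web01 sshd[2212]: Accepted publickey for alice from 198.51.100.7 port 40004 ssh2
"""

# Matches the OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2011):
    """Return a dict for an sshd auth line, or None for anything else.

    Syslog timestamps carry no year, so the caller supplies one; 2011 is an
    assumed placeholder for the constructed sample, not a fact from the article.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_ssh_brute_force(lines, threshold=5, window_seconds=60, year=2011):
    """Flag source IPs with `threshold` failed logins inside `window_seconds`.

    For each flagged source, also record whether any login from that source
    was accepted after the burst: that is the signature of a guessed password
    rather than a mere scan, and the case that needs incident response.
    """
    events = [e for e in (parse_line(l, year) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["result"] == "Failed"]
        burst_at = None
        # Sliding window over the time-ordered failures: the burst is detected
        # when the i-th and (i+threshold-1)-th failures are close enough together.
        for i in range(len(failures) - threshold + 1):
            span = (failures[i + threshold - 1]["ts"] - failures[i]["ts"]).total_seconds()
            if span <= window_seconds:
                burst_at = failures[i + threshold - 1]["ts"]
                break
        if burst_at is None:
            continue
        success_after = [e for e in evs
                         if e["result"] == "Accepted" and e["ts"] >= burst_at]
        findings[ip] = {
            "failures": len(failures),
            "users_tried": sorted({e["user"] for e in failures}),
            "likely_compromise": bool(success_after),
            "compromised_accounts": sorted({e["user"] for e in success_after}),
        }
    return findings


if __name__ == "__main__":
    for ip, f in detect_ssh_brute_force(SAMPLE_LOG.splitlines()).items():
        print(ip, f)
```

Run against the sample, the script flags 203.0.113.5 (six failures in four seconds against `admin` and `root`, followed by an accepted password for `root`, so a likely compromise) and stays silent about 198.51.100.7, whose two spaced-out failures and key-based success look like an ordinary user mistyping a passphrase. The threshold and window are tuning knobs: a slower attacker will need a longer window or a lower threshold, at the cost of more false positives, which is exactly the trade-off Los alludes to when he notes how low the odds of catching a seconds-long attack in an IPS are. The check only helps if the logs survive, so ship them off the host (remote syslog) before an intruder can "remove my logs".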