Script kiddies are going further in compromising websites to prove they are capable hackers
It is not enough now just to deface a website, you need to totally compromise the victim and publish the results.
I recently went skiing with a group of friends. One of them booked the flights, so all we had to do was add our advance passenger info. Easy, really; he sent round an email with his username and password, we logged in and added the info as requested.
How familiar is this: username – his work email address, password – his company name? A little irritating really, as now my passport and related details were being shared more widely than I had intended.
We had a little chat straight after, only to discover that the same credentials were in use on eBay, Amazon etc. The usual problem: “How do I remember different passwords on multiple sites?”
It is not a great idea to use the same credentials over several sites, although I'm sure many of us do. However, the wisdom of doing this comes into serious question when looking at data extracted and published by script kiddies and more advanced hackers.
Gawker.com was subject to an almighty compromise (see blog at www.codinghorror.com). After a previous attack was mocked, the attackers published details of 1.3 million user accounts, email addresses, passwords, internal networks, IM conversations, just about everything, and guess what? Numerous users found in the attack had ridiculously simple passwords, used across several sites.
It doesn't seem to be enough to simply deface a website any more. To gain kudos in the black hat community, one apparently needs to totally compromise the victim and publish the results, to avoid being labelled as a script kiddie.
Is this the future? Will an arms race start between script kiddies, each out to prove that they're a more capable hacker than the next? Will the result be that every compromise now requires a database dump to be worthy? It would take little to write a script that tested any stolen credentials against a bunch of popular e-commerce and social networking sites.
This arms race isn't as unlikely as it sounds: defacement archives have been around for years – somewhere for those script kiddies to parade the scalps of vulnerable websites and registrars. Zone-H attempts to keep on top of defacements, where Attrition.org left off (for various reasons) back in 2001. Xssed.org is an interesting collection of cross-site scripting vulnerabilities, many of them live on high-profile websites. Where their motivations lie isn't clear; however, there's little doubt about certain things.
Sites such as www.srblche.com (not always long-lasting) offer live vulnerable site info for money. Indeed, at the top of today's srblche list were TfL and DCSF, together with numerous .mil and .gov domains. A couple of hundred dollars for sufficient information to compromise live government databases. A scam? Maybe, although research suggests the hacker is using SQL injection, Google searches and some interesting scripts to find the bugs.
When investigating a compromise of a website a while back, we found a blind SQL injection problem. A few moments with Google later, we found postings on an archive site that collated blind injection bugs. Quite a surprise when we found links there to the site we were investigating, complete with live, working injection strings. The attacker had even taken the time to explain the attack to all and sundry. Associated blog postings suggested that numerous hackers and script kiddies had all had a go at the site using the provided helpful explanation.
Stakes are being raised; corporate and customer data is increasingly being published to the public internet after hacks. Live vulnerabilities in high-profile sites are being sold and disclosed online. Defacements are seen as lame, even among the more junior of the script kiddies; user accounts, database data and control of sites via admin control panels are the goal now, due to the kudos and potential financial rewards.
Fingers crossed that sensitive data – passwords, for instance – is stored in irreversible formats such as one-way hashing algorithms… or anyone who uses the same credentials across multiple sites is rather stuffed!