
Script kiddies are going further in compromising websites to prove they are capable hackers


It is not enough now just to deface a website; you need to totally compromise the victim and publish the results.

I recently went skiing with a group of friends. One of them booked the flights, so all we had to do was add our advance passenger info. Easy, really; he sent round an email with his username and password, we logged in and added the info as requested.

How familiar is this: username – his work email address, password – his company name? A little irritating really, as now my passport and related details were being shared more widely than I had intended.

We had a little chat straight after, only to discover that the same credentials were in use on eBay, Amazon etc. The usual problem: “How do I remember different passwords on multiple sites?”

It is not a great idea to use the same credentials over several sites, although I'm sure many of us do. However, the wisdom of doing this comes into serious question when looking at data extracted and published by script kiddies and more advanced hackers.

Gawker.com was subject to an almighty compromise (see blog at www.codinghorror.com). After a previous attack was mocked, the attackers published details of 1.3 million user accounts, email addresses, passwords, internal networks, IM conversations, just about everything, and guess what? Numerous users found in the attack had ridiculously simple passwords, used across several sites.

It doesn't seem to be enough to simply deface a website any more. To gain kudos in the black hat community, one apparently needs to totally compromise the victim and publish the results, to avoid being labelled as a script kiddie.

Is this the future? Will an arms race start between script kiddies, each out to prove that they're a more capable hacker than the next? Will the result be that every compromise now requires a database dump to be worthy? It would take little to write a script that tested any stolen credentials against a bunch of popular e-commerce and social networking sites.

This arms race isn't as unlikely as it sounds: defacement archives have been around for years – somewhere for those script kiddies to parade the scalps of vulnerable websites and registrars. Zone-H attempts to keep on top of defacements, where Attrition.org left off (for various reasons) back in 2001. Xssed.org is an interesting collection of cross-site scripting vulnerabilities, many of them live on high-profile websites. Where their motivations lie isn't clear; however, there's little doubt about certain things.

Sites such as www.srblche.com (not always long-lasting) offer live vulnerable site info for money. Indeed, at the top of today's srblche list were TfL and DCSF, together with numerous .mil and .gov domains. A couple of hundred dollars for sufficient information to compromise live government databases. A scam? Maybe, although research suggests the hacker is using SQL injection, Google searches and some interesting scripts to find the bugs.

When investigating a compromise of a website a while back, we found a blind SQL injection problem. A few moments with Google later, we found postings on an archive site that collated blind injection bugs. Quite a surprise when we found links there to the site we were investigating, complete with live, working injection strings. The attacker had even taken the time to explain the attack to all and sundry. Associated blog postings suggested that numerous hackers and script kiddies had all had a go at the site using the provided helpful explanation.

Stakes are being raised; corporate and customer data is increasingly being published to the public internet after hacks. Live vulnerabilities in high-profile sites are being sold and disclosed online. Defacements are seen as lame, even among the more junior of the script kiddies; user accounts, database data and control of sites via admin control panels are the goal now, due to the kudos and potential financial rewards.

Fingers crossed that sensitive data – passwords, for instance – is stored in irreversible formats such as one-way hashing algorithms… or anyone who uses the same credentials across multiple sites is rather stuffed!
