Hack attack


                                                                                                     Posted by Joseph Peart

“On Sunday evening Salander opened Asphyxis 1.3 and went into the mirrored hard drive of MikBlom/laptop.  He was not online...”

Fans of Stieg Larsson will recognise the characters and possibly the storyline from The girl who played with fire.

Instead of sending emails, the character Lisbeth Salander simply hacked into her friend's computer, so she could leave messages without them passing through an ISP.

Such benign hacking can occur but is very unlikely; much more likely is a malicious intrusion.  According to Time magazine, roughly a billion US dollars were stolen last year, using the Zeus malware program.

One of the scariest news items lately has been about a botnet, called Stegobot, which was created by computer scientists at the University of Illinois to show how easy it might be for criminals to enter your computer through a swapped Facebook picture.  The bot makes use of steganography, which allows it to hide data in picture files, so it can enter your computer undetected.  It can then mine your passwords and account numbers, or jump into a Facebook friend’s computer within the picture (New Scientist, 23 July,2011).

Closer to home, AUT University issued a warning to staff about spear ‘phishing’ – a hacker entering an internal network via a single member who has lots of contacts within that network – exposing a weakness in internal social applications.

That’s what is fascinating about the direction that hacking seems to have taken more recently.  It’s going social.  Phishing used to be that query from a site that pretends to be your secure supplier (retail or bank) which asks for your account number and password.  Spear phishing looks more innocent, as it simply wants to access your email database.  However, once inside, the hacker can wreak wide damage because of the social nature of that database.

Social media applications and social behaviour on the web have increased the likelihood of a viral spread of a malicious code, in the same way as a flu epidemic.  It’s more pervasive as social media becomes more pervasive.

The most prominent attack so far was the ‘robin hood’ break into Sony’s Playstation Network.  It was thought to be the work of ‘hacktivists’ called ‘Anonymous’, but they denied responsibility for the shut-down that cost Sony $US173 million.

Once Sony was operational again, the more benign hacker group LulzSec found holes in its web security using SQL (structured language query) injection and tweeted triumphantly: ‘We accessed EVERYTHING…’ They weren’t there to vandalise so much as to tease Sony about its poorly designed query language interpreters. 

SQL also has a social aspect in that it manipulates a database, including users and passwords, without having administrative access. 

This emergence of hacker groups into the social media community is now amplified by a network of human participants – not simply a captive network of computers as in a botnet.  Time quotes Dave Jennings, chairman of web security company Iron-Key, ‘They have a social element to bring people together to create more sophisticated attacks than we’ve ever seen.’

This points to the wisdom of using all your privacy settings on Facebook as well as your usual caution of ignoring all messages that ask you for your account numbers or passwords.   As for the password you choose…  Well, Time magazine publishes the familiar tips to make your own password harder to hack, including: Use a mix of upper and lower case; use numbers and special characters, and the longer the password the better. 

It’s all worth thinking about.

Comments are closed.