Inside the Mind of a Hacker

What hacking incidents have I heard of? Plenty, you’ll be surprised. But I’m not going to talk about them today. Instead, I will take you through the mind of a hacker. See what they look out for and more importantly, how you can prevent yourself from falling victim to a hacker. (Photos taken from my own collection).

A typical perceived “hacker” setup.

Movies often portray hackers as geeks or nerds who spend most of their time in front of their Unix systems, looking through lines of green code in the middle of the night. The reality is far from that. Most people don’t realize that hackers are often just ordinary people like you and me. They go to school or college, or have regular jobs. But their curiosity about how a system works often takes them further than most people would go.

Books can never teach you to become a good hacker.

Poking through sensitive information, looking for holes in security systems, and devising methods to exploit potential flaws are just some of the things that they do. Most hackers are known for their ability to think outside of the box and to come up with unique solutions for problems, including ways to get into a secured system. Some do it for the knowledge, some do it for the thrill and some do it for the money. Some just do it because they can. Here are just some of the things hackers do, and how you can protect yourself against them.

Trust is not always good.

Trusting strangers in cyberspace is a big mistake. Users who are unfamiliar with computers and the Internet often fall victim to these hackers. One of the easiest things to do is to send a Trojan. Trojans can be hidden inside legitimate programs. When that program is run, the Trojan silently installs itself on the victim’s computer and lets the hacker take control of it. The victim will not suspect a thing. The hacker can then easily steal the victim’s sensitive information, like passwords and credit card information. Trojans can often cause more damage than viruses.

Just some of the harmless things the Sub7 trojan can do. It can also steal passwords, credit card numbers and wipe out your entire hard disk.

Prevention: Do not accept suspicious programs from strangers, especially from instant messengers. Do not download anything from an untrusted source. Treat executable files (.exe) with a certain level of suspicion. Be paranoid, change your passwords often.

Website hacking

Websites are usually secure, making them hard for hackers to exploit. A website can be vulnerable to attacks if the server runs outdated software that has security holes, or is improperly configured. Badly written scripts can open up a server to malicious attacks.

An example of an improperly configured server, allowing anyone to upload and overwrite files on the server.

One interesting hack involved a local website. Due to a configuration error when setting up the website, the administrator password was readable to anyone who knew where to look. I was able to log in as the administrator and the power to screw up the entire website was in my hands. But instead, I fired off an email to the administrator telling him how to fix it. The website is still up and running to this day.

Prevention: Keep server software updated and all security holes patched. Never install scripts that may have security vulnerabilities. Monitor server logs frequently to detect suspicious activities. Subscribe to a mailing list like SecurityFocus.com’s Bugtraq to keep up to date with the latest vulnerabilities.
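As an added example (not part of the original post), here is one way to act on "monitor server logs" for the misconfiguration pictured above, a server that lets anyone upload and overwrite files. It assumes access logs in Combined Log Format; the sample lines, addresses and function name are constructed for illustration.

```python
import re
from collections import Counter

# Combined Log Format: host ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# HTTP/WebDAV methods that create, replace or remove files on the server.
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}

# Constructed sample log lines (documentation-range addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jul/2008:02:14:09 +0800] "GET /index.html HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.7 - - [12/Jul/2008:02:14:31 +0800] "OPTIONS / HTTP/1.1" 200 0 "-" "-"',
    '203.0.113.7 - - [12/Jul/2008:02:15:02 +0800] "PUT /index.html HTTP/1.1" 204 0 "-" "-"',
    '198.51.100.23 - - [12/Jul/2008:03:40:11 +0800] "PUT /test.txt HTTP/1.1" 405 312 "-" "-"',
    '198.51.100.23 - - [12/Jul/2008:03:41:00 +0800] "DELETE /old.html HTTP/1.1" 403 298 "-" "-"',
]

def audit_write_requests(lines):
    """Return (succeeded, refused_by_host) for file-modifying requests.

    succeeded: writes the server accepted (2xx); each one means a client
               changed content and needs investigating.
    refused_by_host: count of rejected write attempts per client, which
               shows who is probing for a writable server.
    """
    succeeded, refused = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] not in WRITE_METHODS:
            continue  # unparseable line or an ordinary read request
        status = int(m["status"])
        if 200 <= status < 300:
            succeeded.append((m["host"], m["method"], m["path"], status))
        else:
            refused[m["host"]] += 1
    return succeeded, dict(refused)

if __name__ == "__main__":
    ok, refused = audit_write_requests(SAMPLE_LOG)
    for host, method, path, status in ok:
        print(f"ACCEPTED WRITE: {host} {method} {path} -> {status}")
    for host, count in refused.items():
        print(f"refused write attempts from {host}: {count}")
```

Any accepted write on a site that is supposed to be read-only means the server configuration needs fixing, not just the overwritten file.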

Wireless fun

Unsecured wireless networks can leave these telnet services open to the public.

When wireless started to gain popularity, a new form of hacking called wardriving started. You just take your wifi-enabled laptop and drive around to look for unsecured wireless networks. In fact, you can try it now by downloading NetStumbler. Then you connect to them to either surf the web for free or gain access to sensitive information. A lot of people have unsecured wireless access points. At least one bank I know has unsecured wireless networks.

What wireless users do not realize is when they are connected to an unsecured wireless network, they are sending information through the air unencrypted. Anyone within the range of the wireless network can see what they are doing. I can sit at Starbucks and read everyone’s MSN conversations with just my laptop. There is no privacy at all.

Reading unencrypted MSN packets sent over the air. Disclosure of sensitive information can occur.

Prevention: Try not to use unsecured wireless networks for sensitive work. Normal web browsing is alright, as long as you are not concerned about others knowing about the sites that you are visiting. To be safe, tunnel through an encrypted virtual private network (VPN). This way, information sent over the air will be encrypted and not readable by anyone.

Nothing is secure

An unsecured printer can be taken over and made to print useless things, wasting ink and paper.

Hacking is not limited to websites only. Anything can be hacked and exploited, even network devices (Read more: router hacking). There was a discovery of a serious flaw in a local ISP’s modem some years back. The flaw enabled malicious hackers to gain access to subscribers’ sensitive information. That information could later be used to purchase access to wireless hotspots and make VoIP calls to land lines and mobile phones at the expense of the victims. The hack is untraceable until the damage is reflected on next month’s bill.

Prevention: Change your network devices’ default login passwords. The list of default passwords can be found here. Knowing the model of your router, the hacker will have no difficulty in logging in if you still have the default password set. Always be observant of any unusual changes or symptoms on your network. A slow connection might mean someone else is leeching your internet bandwidth.

Passwords

As mentioned, trusting strangers in cyberspace is a bad mistake. But having passwords that can be easily guessed is even worse. People often think that no one would bother to guess their passwords. It is not a myth that most people have “password” as their password. Hackers gaining access to email accounts can lead to serious disclosure of sensitive information. When government departments have email accounts with easy-to-guess passwords, you know that a more serious approach to cybersecurity is needed.

Strong passwords usually have a combination of letters, numbers and symbols.

Prevention: Simple. Do not use easy to guess passwords. Change passwords frequently. If you’re afraid of forgetting your own password, use a password that makes sense, like “i12have4kids” or “ilove2blog4fun”. You can try phonetic passwords too. They’re easy to remember, but hard to guess. Companies and organizations should have security awareness campaigns to promote good security practices.

Port Scanning

Port scanning is carried out to find an open port on a server to exploit. Open ports can lead to very serious security issues. I have come across websites with their FTP servers (port 21) wide open to the public. This means anyone and everyone can change the server files and run malicious scripts. The website can easily be defaced and probably destroyed if desired. There are a lot of free port scanners that are available online, which makes it easy for anyone to do a port scan.

A port scan can reveal interesting details about a network, including possible points of entry for a hacker.

Before TMNET decided to block port 25, some badly configured SMTP (Simple Mail Transfer Protocol) servers allowed anonymous users to send email to any address. These servers became the proxy for spammers to send large amounts of junk email. A hacker can also use these servers to spoof emails. They can spoof an email to make it appear to come from a trusted source and trick their victims into revealing sensitive information like credit card numbers or account passwords.

Other open ports may allow unauthorized access to different services of a server. If a telnet service that allows anonymous login is running and port 23 is open to the public, anyone can log in and use the telnet server. With the proper tools, a hacker may be able to execute malicious scripts (example: shell code) to gain administrator privileges and take over the server.

Prevention: Do not keep any unnecessary ports open to the public. If open ports are required, limit the access to a pool of IP addresses only. An authentication system should also be built into the publicly accessible service. Not doing so is equivalent to leaving the front door open to a busy street. Installing a firewall is sufficient to restrict access to most ports. For home users, Sygate Personal Firewall is an excellent choice.
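As an added example (not part of the original post), this script audits your own server for the three services named above (FTP on 21, telnet on 23, SMTP on 25) by reading the listening-socket table rather than scanning from outside. It assumes Linux `ss -tln` output; the sample listing and function names are constructed for illustration.

```python
import ipaddress

# Ports the post singles out as dangerous when left open to the public.
SERVICES = {21: "FTP", 23: "telnet", 25: "SMTP"}

# Constructed sample of `ss -tln` output.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      32                 *:21              *:*
LISTEN 0      100        127.0.0.1:25        0.0.0.0:*
LISTEN 0      128             [::]:23           [::]:*
LISTEN 0      100            [::1]:25           [::]:*
"""

def is_loopback(addr):
    """True if the bind address is only reachable from the machine itself."""
    host = addr.strip("[]").split("%", 1)[0]  # drop IPv6 brackets and %iface
    if host == "*":                           # wildcard: every interface
        return False
    return ipaddress.ip_address(host).is_loopback

def exposed_listeners(ss_output):
    """Return sorted (port, service, bind_address) tuples for risky
    services that listen on anything other than loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or non-listening socket
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        port = int(port)
        if port in SERVICES and not is_loopback(addr):
            findings.append((port, SERVICES[port], addr))
    return sorted(findings)

if __name__ == "__main__":
    for port, name, addr in exposed_listeners(SAMPLE_SS):
        print(f"{name} (port {port}) is listening on {addr}: "
              "disable it or restrict it to known IP addresses")
```

The SMTP listeners bound to 127.0.0.1 and ::1 are not reported because only local programs can reach them; the FTP and telnet listeners on wildcard addresses are the ones that need to be closed or restricted by the firewall.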

Finale

The above is by no means a complete guide to prevent hacker attacks. Hackers will always come up with new ways of getting into a system. We can only make it harder for them, hoping that they will target an easier victim.

You can also get yourself updated and familiar with how hackers operate, what tools they use and how to prevent hacker attacks by attending a Complimentary Workshop on Cybersecurity organized by EC-Council Academy. It’s free so sign up now. You might be surprised at what you may learn about hackers. Trust me, what you know previously about hackers may be irrelevant after this workshop.

If you want to try some harmless hacking, head over to Hack This Site! and try out their hacking challenges. Some are really challenging but solutions are provided if you get stuck.

Till next time, happy hacking!

Shooting with Film

My brother brought 2 film SLRs from Kuching so today I decided to go back to using film and see how people took photos before digital cameras came into the market. It must have been years since I bought a roll of film. I have used film point and shoots and SLRs before this, but that was way before I knew how shutter speeds, exposures, apertures and film speed affect the outcome of the image.

24 exposures will set you back RM8.50.

I’m shooting with a Nikon F65 now with 28-80mm F3.3-5.6 lens. Easy to use with full manual function.

Photo taken by Marks.

Shooting with film and digital is very different. With digital, I’ll probably have shot 200 photos. With film, I have to compose a photo properly, look at the exposures, and check if the shutter speed is high enough to eliminate blurring. Only then will I decide if I want to take the picture. With a digital, in that time I would probably have shot 10 pictures and I’ll be able to review them and take more if I’m not satisfied with the results. I can set the ISO (sensitivity) of a digital on the spot when light levels fall. Film sensitivity is fixed for that roll of film that you’re using. You can change the ISO by changing films, but you have to wait till you are finished with the current roll. Shooting with film is almost torturous.

And now for the most fun part of shooting in film. Waiting for the negatives to be developed. I hope they can give me a digital copy as well.

Update: The films are back! It cost me a whopping RM15.50 to develop the 23 photos to 4R size. Some turned out well, some not. I would say most were not interesting enough to be published.

Some of the better ones.

Because I was playing with the camera without film before I used it to take actual photos, I forgot to check all settings. I shot all 23 photos using the exposure compensation below:

DSCN3207

Important lesson learned. Always check all settings before shooting. I’m still surprised the photos turned out to be bright enough. I think I’m going to buy another roll of film and shoot again. The anticipation is addictive.

Anwar vs Shabery in Historical Debate

I missed this debate because I didn’t have a TV at home. But here it is on YouTube in 8 parts. The debate is in Malay. The topic of debate was “Hari Ini Membentuk Kerajaan, Esok Turun Harga Minyak!” (If government is formed today, tomorrow petrol prices will go down).

Honestly, I think if the personal attacks by Shabery were reduced, more questions could be answered. The very important question that Shabery dodged was what happened to the money saved when the government increased petrol price by 30sen during 2006? RM4.3 billion was saved because of that and it was to be used for public transportation. So far, according to parliament, only RM834.75 million was used. So with the 78sen increase, which will save the government RM13 billion, where, or more importantly, how will the money be spent?

Funny System Requirements

DSC00080

This newspaper advertisement is advertising a first person shooter game called Ranggi. From the looks of the screenshots, it looks exactly like Counter-Strike. And when you look at the minimum system requirements, it really makes you wonder if they ever proofread their advertisement before publishing it. The processor requirement is either a Pentium 3.8MHz, or a Pentium 3, 8MHz. Neither exists in this world.

Either this is a scam, or someone needs to go back to kindergarten.