Sunday, October 21, 2007

Topic for Research Paper for MMIS 620

The Emergence of web 3.0: the Future of the Internet

The first implementation of the web is called web 1.0, and marks a monumental change with the way that businesses operate. According to Berners-Lee, this would be considered a “read only web”. This meant that there was information on the internet that could be displayed by businesses and found by individuals around the world. This was the era of the dot com boom, where all kinds of internet businesses sprang up to sell their goods and services. However, unlike web 2.0, there was very little user interaction. With the coming of web 2.0, sites like Myspace.com or Flickr, become customizable by the customer, and the web is now transferred into “read-write” according to Berners-Lee’s definition. This new concept of users being able to contribute content is changing the way businesses operate once again. We have actually just begun to experience the benefits of web 2.0. Although nobody knows for sure what the future will look like, the next generation of web technology is coined web 3.0, and according to Berners-Lee’s definition, will bring the ability to “read-write-execute” to the web. Currently search engines can retrieve data, but have no ability to understand the semantics of the data being queried. With the future, applications will be able to understand data and retrieve queries based on the data’s validity according to the semantics of the search. New complex graphics in 3d and artificial intelligence will also contribute to the user experience on the web. This paper will attempt to examine current and future trends with web technology.

Saturday, February 17, 2007

Zone-H.org Website Defaced 1/25/07

Zone-H.org Website Defaced 1/25/07

To many in the security community, Zone-H is a useful site to get information on the latest news, geared for the technologically oriented. The site is also notorious for being a target for website defacers. Yesterdays attack is just one in many unskilled attacks over the years, where a Skiddy (script kiddie) defaced Zone-H; and Zone H almost cheerfully retells the stories and then posts them in their archives for all to read. There have even been denial of service attacks on the defaced website by angry H-Zone readers. Although the majority of the hacks were due to the article contributors getting socially engineered (conned), there have actually been some elaborate hacks; which translates to an interesting and educational story (posted in their archives). The best story I found, was how someone hacked an article contributors hotmail account and forced a password reset for that user to the hotmail inbox. The attacker used the contributors account to post their own html files, and then uploaded a php script which opened a shell on the main content server; all articles have to be reviewed by an admistrator before being posted; the attacker was able to elevate their privileges to that of an administrator, and then gained full control of the site. (for a more in depth article on what happened, visit Zone-H to read the article at http://www.zone-h.org/content/view/14458/31/)
Yesterdays attack was the work of an unskilled trouble-maker, who was able to trick the domain registrar into transferring the domain to an IP controlled by the attacker. Website defacements are one of the easier attacks to perform, since the server is hosted on public domain (the internet). Often times, the attacker will exploit a bug in the web server (Windows boxes are frequently updated due to bugs) that was either unpatched due to the admin’s error, or is a new exploit with no patches yet to fix the software bug. Sometimes an attack is as simple as stealing the webmasters login info, and changing the content on the site. Unfortunately, the only way to mitigate the risks is through due diligence. Patches for critical bugs must always be tested and applied asap. Admins and others who contribute to the website, must be educated about best practices. It also doesn’t hurt to have a company like Secnap monitoring your domain for malicious activity. (to view the article on yesterdays attack visit http://www.zone-h.org/content/view/14498/31/)

Friday, January 5, 2007

Why LinkedIn users can get EASILY hacked, and the pros and cons of MegaUpload.com

Hey Security peoples!

I'm going to talk about the pros and cons of 2 of the most visited sites on the internet; LinkedIn and MegaUpload.com. LinkedIn is a great site to quickly expand your "business affiliates"; many people simply post their email address for anyone to contact them to "join their network". You could definitely establish some good contacts at specific companies or even find out about open jobs; many people even refer others or vouch for their experience, which pretty much means that they owe you a favor later on - like in the Godfather ; ) But the problem with leaving your internet address like that, is anyone can make a fake Linked In "Join my Network" request (that looks like the same request the victim has seen 300 other times), and pretty much trick the user into clicking on a link that can do really any number of things, by sending out an email that looks like it actually came from a valid LinkedIn user. To give you a scenario - If I was to do this, that link would automatically look for exploits or vulnerabilities in your browser (basic users prob. using Internet Explorer, right) and then exploit them with some new 0 day (new exploit with no patches yet) or some other exploit thats been floating around for awhile. This exploit will then allow me further control over your computer; I could even download more code from a remote internet server to use your computer for sending spam or DDOS attacks. I could search your machine for confidential info like login info, credit card #s, contacts and other personal info; I'm sure everyone gets the idea. So what could be done to protect yourselves? Well if its not against your companies security policy to surf random sites, and you have your own personal computer, I wouldn't be going to this site, amongst other sites like Myspace or MegaUpload. At a minimum, log into LinkedIn and accept your invitations to join peoples network from here; DO NOT accept a request from an email to your personal email address that you gave on LinkedIn to add them to your network.
Ever heard of MegaUpload.com? It's in the top 100 most visited sites on the internet. You can upload as much stuff to their servers as you want (like files too big to be sent via email), and other people can download it when they want (just send them a link), and the service is free. Could also be used for a public ftp server (unlimited bandwidth courtesy of MegaUpload). It also circumvents users from sending attachments via email (corporate users can easily violate their email security policy by simply sending someone a link to download their multimedia). Security managers must be shi)(n their pants; but at least there's a signature for this activity if your using a good Intrusion Detection System like Snort.

The moral of this story is that theres plenty of valuable sites out there, just be careful how you use them ; )

Until we meet again...





Friday, December 22, 2006

This weekend I will break into a Corporate Network ; )

This weekend I will break into a Corporate Network ; )

Hello,

For this weekends assignment, I and two others will attempt to infiltrate the security barriers of Company Confidential, to test for weaknesses (we are paid to do this). After giving a formal interview with the top management and heads of the IT dept, we will start off with general access to the compound, where we will do a survey of the environment, and look for possible ways to break in. Of course the easiest way in would be through someone else's password; you know, those people that stick it on their monitor or under the keyboard (I just cant be rifling through someones desk though; although an intruder would probably do this first). We will also talk to random people, maybe check out a few printer areas for goodies (maybe some nearby trash cans ; yuck). Then its on to the technical stuff; getting excited yet?
First, we will attempt to crack their wireless security (wireless security? huh!), if no wireless, we will plug right in to the nearest terminal and break out our arsenal of software weapons. We could definitely have one computer running a network sniffer, that will look at all communications on the local network, and will capture passwords (in clear text, and encrypted), network traffic (useful info), and other un-encrypted useful info (like login user names, IM conversations etc). We will also run vulnerability assessment software (that will tell us versions of software being used and their weaknesses). We can then use another program which will "automatically" exploit these vulnerabilities, which will then give us full control of any computer which was successfully exploited. This is a relatively easy attack, that can be carried out by someone with limited technical ability. There are definitely endless possibilities to the methods that an attacker can use to compromise a system.

After, these and other assessments on their infrastructure and existing security layers, we will make a review of what we would recommend should be done to help mitigate the risks. This is a plan that we help the management develop, that is an actual course of action over the next few months to a year. Usually, the most important initiatives involve better user training for everyone about what the companys goals are for a secure system.

hope you enjoyed my pre writing, on tomorrows assessment; If theres anything cool that happens I'll let you all know.

peace in the middle east,
J