2012-10-13

Web servers are compromised through vulnerabilities caused by misconfigured operating systems or networks; bugs in the OS and in web applications; default settings left unchanged; applications not kept secure or up to date with the latest patches; and inept policies, procedures and maintenance. From a web administrator's perspective, the greatest concern is to avoid exposing the LAN or intranet to malware and code vulnerabilities, which often exploit servers through scripts. From a network administrator's perspective, the dilemma is server misconfiguration: handing out certain access privileges can allow a compromise, but withholding too many privileges makes a web site practically non-functional. From the end user's perspective, the risk is surfing sites whose malicious code uses scripts to attack the browser and take control of the user's machine. So the three types of risk are web server misconfigurations, browser-side attacks and eavesdropping on the network. Here are some of the ways an attacker can gain access to networks.

First off, an attacker relies on vulnerabilities in web servers and software programs.
1. Man in the middle attacks
The man-in-the-middle attack intercepts a communication between two systems. For example, in an HTTP transaction the target is the TCP connection between client and server. Using different techniques, the attacker splits the original TCP connection into two new connections, one between the client and the attacker and the other between the attacker and the server. Once the TCP connection is intercepted, the attacker acts as a proxy, able to read, insert and modify the data in the intercepted communication.

2. Password Brute Force Attack
During this type of attack, the attacker tries to bypass security mechanisms while having minimal knowledge about them, using one or more of the available methods: a dictionary attack (with or without mutations) or a brute-force attack (over given classes of characters, e.g. alphanumeric, special, case (in)sensitive). Given the method, the number of tries, the efficiency of the system conducting the attack and the estimated efficiency of the system under attack, the attacker can calculate how long the attack will have to last. Non-brute-force attacks, on the other hand (those that do not exhaust all classes of characters), give no certainty of success. Many attackers use what are known as rainbow tables, which hold every combination of characters that has been collected over time.

3. DNS Attack Through Caching

DNS cache poisoning (sometimes referred to as cache pollution) is an attack technique that allows an attacker to introduce forged DNS information into the cache of a caching nameserver. The general concept has been known for some time, and a number of inherent deficiencies in the DNS protocol and defects in common DNS implementations that facilitate DNS cache poisoning have previously been identified and described in public literature. Recent research into these and other related vulnerabilities has produced extremely effective exploitation methods to achieve cache poisoning. Tools and techniques have been developed that can reliably poison a domain of the attacker's choosing on most current implementations. As a result, the consensus of DNS software implementers is to implement source port randomization in their resolvers as a mitigation.

4. DNS Attack through social engineering
This one is pretty simple. A social engineering attack uses specific methods to trick people into giving up information so that someone can attack a system.
5. FTP Server Intrusion (Self Explanatory)
6. Mail server intrusion (Self Explanatory)
7. Web application bugs (Self Explanatory)
8. Web share misconfigurations (Self Explanatory)
9. Wrongly assigned permissions (Self Explanatory)
10. Rerouting after a firewall attack (Self Explanatory)
11. SQL Injection
A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.
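As an added illustration (not code from the original post), here is the same login lookup written both ways in Python's sqlite3 against a constructed in-memory users table: the concatenated query lets a tautology payload match every row, while the parameterised version binds the input as data and matches nothing.

```python
import sqlite3

# Constructed sample accounts for the in-memory database (not from the page).
USERS = [("alice", "s3cret-alice"), ("bob", "s3cret-bob")]


def make_db():
    """Build an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Builds the statement by string concatenation, so client input is
    parsed as SQL code: this is the 'injection' the section describes."""
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, name, password):
    """Uses a parameterised query: the input reaches the DBMS as values bound
    to the ? placeholders and can never change the statement's structure."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def demo():
    """Run both lookups with a legitimate login and with a tautology payload."""
    conn = make_db()
    payload = "' OR '1'='1"  # turns the WHERE clause into ... OR '1'='1'
    return {
        "legit_vuln": login_vulnerable(conn, "alice", "s3cret-alice"),
        "legit_safe": login_safe(conn, "alice", "s3cret-alice"),
        "inject_vuln": login_vulnerable(conn, "x", payload),  # every row
        "inject_safe": login_safe(conn, "x", payload),        # no row
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```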

12. SMS Intrusion (Self Explanatory)

13. Directory Traversal Attack is an HTTP exploit which permits attackers to access restricted directories and execute commands outside of the web server's root directory. Two types of these attacks use Unicode and double-decode traversal strings. An attacker can make use of this vulnerability to step out of the root directory and access other parts of the file system. This might give the attacker the ability to view restricted files or, even more serious, permit the cracker to execute powerful commands on the web server, which can lead to a full compromise of the system.
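An added example (not from the original post) of the check a server or application should run before touching the file system, in Python against a hypothetical web root /var/www/html: it decodes the request path once, rejects overlong UTF-8 such as %c0%af, rejects a second layer of encoding such as %255c, rejects NTFS ::$DATA stream syntax, and refuses anything that normalises outside the root.

```python
import posixpath
from urllib.parse import unquote_to_bytes

# Hypothetical web root for the example (an assumption, not from the page).
WEB_ROOT = "/var/www/html"


def decode_once(path):
    """Percent-decode one layer and require valid, non-overlong UTF-8.
    Python's strict decoder rejects overlong forms such as %c0%af, the
    encoding the IIS Unicode traversal used to smuggle a '/' past the check."""
    return unquote_to_bytes(path).decode("utf-8", "strict")


def resolve_request_path(uri_path, web_root=WEB_ROOT):
    """Map a request path onto the file system, or return None to refuse it.

    Refused: invalid or overlong UTF-8, a second layer of percent-encoding
    (the double-decode variant, e.g. ..%255c), NTFS stream syntax such as
    ::$DATA, an embedded NUL, and any path that normalises outside web_root.
    The double-encoding test is conservative: a name that legitimately
    contains '%' followed by two hex digits is also refused.
    """
    try:
        once = decode_once(uri_path)
        twice = decode_once(once)      # changes again? then it was double-encoded
    except UnicodeDecodeError:
        return None
    if twice != once:
        return None
    if ":" in once or "\x00" in once:  # ::$DATA alternate stream, NUL truncation
        return None
    # IIS treats backslash as a separator too, so fold it before normalising.
    relative = once.replace("\\", "/").lstrip("/")
    candidate = posixpath.normpath(posixpath.join(web_root, relative))
    # The decisive check: the normalised path must still live under the root.
    if posixpath.commonpath([web_root, candidate]) != web_root:
        return None
    return candidate


if __name__ == "__main__":
    for req in ("/index.html", "/../../etc/passwd",
                "/scripts/..%c0%af../winnt/system32/cmd.exe",
                "/scripts/..%255c..%255cwinnt/system32/cmd.exe",
                "/default.asp::$DATA"):
        print(req, "->", resolve_request_path(req))
```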
14. Telnet Intrusion

Telnet is used to make connections between machines on a network. By default, telnet tries to connect to the remote host using port 23, but it has the ability to connect to any port that has a valid listener, so telnet can be used to spoof or exploit valid protocols. One old example that comes to mind is the WIZ command that used to exist in sendmail. One could telnet to the sendmail port, start up a conversation with the remote sendmail daemon and drop oneself into root fairly trivially. Other examples are the stack overflows of various other programs that are started by the internet server inetd. Although these examples are exploits of other valid programs, the means to get to them is via telnet. Some versions of telnet have the ability to execute non-interactive commands: if a .telnetrc file exists on the remote machine, then the telnet commands in that file will be executed as if they were typed in manually at the telnet prompt. There are versions of telnet that can use Kerberos authentication, and some that can use encryption, but that is still the exception. Check your manual page to see if your version of telnet supports Kerberos authentication or encryption. Without encryption, telnet sends all commands in plaintext, making telnet sessions easy fodder for packet sniffer programs.

15. URL poisoning

URL poisoning, also known as location poisoning, is a method of tracking Web user behavior by adding an identification (ID) number to the page address (Uniform Resource Locator) line of the Web browser when a user visits a particular site. This ID number can then be used to determine which pages on the site the user visits thereafter. Aggregating this kind of information can be useful for understanding how a user gets to a page, what products or services they may be interested in, and correlating user behavior to demographics. URL poisoning resembles the use of cookies. However, with URL poisoning, a user has no easy way to opt out. A server that employs URL poisoning assigns the ID as soon as the first page of the site is visited. The Web browser then considers this ID to be part of the URL. The ID remains and is recorded as long as the user visits other pages on the same site. It can also stay with the browser when the user visits Web sites that cooperate with the original site in tracking a user's page sequence. Because a user may not want anyone to track pages that are visited, the use of URL poisoning is somewhat controversial.

16. Web Server extension Intrusion (Self Explanatory)

17. Remote service intrusion (Self Explanatory)

18. Buffer Overflow Attacks usually result from a programming error in which a process tries to store data past the limits of a fixed-size buffer and in turn overwrites adjacent memory locations. An attacker exploits this weakness either to crash a system or to implant and execute arbitrary code that gives them admin or elevated privileges and full control of the system. This is also known as a privileged command execution vulnerability, whereby permissions for memory allocations are not set, allowing an attacker to execute arbitrary code in a section of memory.

19. ASP (Active Server Pages) Trojan. Trojans in general masquerade as an authentic application. An ASP trojan can be attached to a shrink-wrapped app installed on the victim's computer to open a backdoor and capture passwords, pass codes etc.

20. Cross Site Scripting (XSS) should also be mentioned as it is one of the most widely deployed exploits. This is when an attacker places malicious script code in the HTML content of a webpage displayed by a user's browser. The attack can be done by submitting queries into text boxes, or even into the URL. The results come back with the text interpreted as HTML, so the browser executes the scripts instead of displaying them as plain text. With an XSS attack, you can steal cookies from a Web administrator, or even use some social engineering to manipulate someone into downloading a virus that you've constructed, such as a botnet client, a RAT, or maybe even a keylogger.

Microsoft web servers in the past have been compromised by the ::$DATA IIS vulnerability, which resulted from an error in the way IIS parsed filenames. One of the attributes of the NTFS data stream is $DATA, which contains the primary data stored within a file. An attacker could access the main data stream using a Web browser by crafting a specially constructed URL. The vulnerability made it possible for an attacker to display the code of the file containing that data stream and any data that the file held. This method could be used to display a script-mapped file that could normally be acted upon only by a particular application mapping; the contents of such a file are not easily accessible to all users. In order to display the file, it must reside on an NTFS partition and must have ACLs set to allow read access. The information in the file used by the application mapping is visible to a remote user only by affixing the string ::$DATA; the attacker, however, must already have read access to the file to view its contents. This attack could allow a user to read potentially proprietary and compromising script source.

Showcode.asp vulnerability: Showcode.asp is included as an example with the Microsoft Data Access Components, which are installed with a number of products or can be installed individually. The default install location is C:\Program Files\Common Files\SYSTEM\MSADC. On a Web server, the subdirectory is also mapped as a virtual directory named MSADC off the Web root. The script is also known as viewcode.asp and codebrws.asp. It allows a remote user to view the code of server-side scripts. Showcode.asp takes a single argument, which is the name of the file to be viewed. Though the sample code was initially intended to view code samples in the MSADC directory, a malicious user can start prodding by taking a path within MSADC and then using directory traversal to move up the directory tree and on to any path on the same drive. Attackers can exploit the script to view any file on the same drive as the script. This may lead to a compromise of the entire server, allowing the attacker to gain access to sensitive information on the server.

Piggybacking vulnerability: Web and database services can be integrated using Microsoft Data Access Components (MDAC). MDAC is a comprehensive framework of different technologies that allows programmers to uniformly develop applications to access many types of databases, specifically SQL. Database objects could be accessed remotely via IIS using the Remote Data Services (RDS) component of MDAC. RDS is a technology that allows retrieval of data from a remote database server. The vulnerabilities in RDS allow attackers to send arbitrary SQL commands that modify the database or retrieve information (SQL injection). By embedding the Visual Basic shell command into the SQL statement, the attacker can gain administrative privileges.

WebDAV RPC is a set of extensions to the HTTP protocol whereby many users can edit and manage files on remote web servers; however, attackers can compromise WebDAV by manipulating resources in the directory, modifying properties, locking and unlocking resources, and searching the content and properties of files and directories.

IIS 7.0 provides significant functions for web servers and apps, such as listening for requests, managing processes such as web services and reading files; however, these same functions allow an attacker to compromise IIS. Some components of IIS are: BITS background transfer, used for automated updates to files; common files, always enabled on a dedicated server; FTP service, not enabled on a dedicated server, although it can be enabled on a server for posting content support; FrontPage 2000 Server Extensions, which provide FrontPage support for sites; IIS Manager, an administrative interface for IIS; Internet Printing, which can be shared via HTTP; NNTP service, which a dedicated server does not need, used for users to post on the net; SMTP service, which is the protocol to transmit email; WWW service, which offers static and dynamic content to clients and must be on a dedicated server; Active Server Pages, which is not essential; Internet Data Connector, which enables support for dynamic content; remote administration (HTML), required on a server to administer IIS through a browser; Remote Desktop, which hosts Terminal Services client connections; and server-side includes, which support .shtm, .shtml and .stm files.

Another vulnerability is known as the Unicode Directory Traversal Vulnerability, which is due to a canonicalization error in IIS 4.0 and 5.0 that enables an intruder to use a specific malformed URL to access files and folders located on the logical drive that contains the Web folders. This enables attackers to escalate privileges and add, change, or delete data; run existing code; or upload new code to the server and execute it. A tool known as IIS Xploit automates directory traversal in IIS with two known exploits, one using Unicode and the other the double decode.

Netcat can be used as a backdoor by attackers to hack into IIS.

Msw3prt IPP vulnerability: The ISAPI extension responsible for IPP is msw3prt.dll. An oversized print request containing valid program code can be used to cause a buffer overflow and thereby perform a new function or load a different program.

The RPC DCOM vulnerability exists in the Windows Component Object Model (COM) subsystem, which is a critical service used by many Windows applications. The DCOM service allows COM objects to communicate with one another across a network and is activated by default on Windows NT, 2000, XP, and 2003. Attackers can reach the vulnerability in COM via any of the following ports: TCP and UDP port 135 (Remote Procedure Call); TCP ports 139 and 445 (NetBIOS); TCP port 593 (RPC-over-HTTP); and any IIS HTTP/HTTPS port if COM Internet Services are enabled.

IIS LOGS: IIS logs all visits in log files. The log file is located at \logfiles. If proxies are not used, then the client IP can be logged. This command lists the log files: http://victim.com/scripts/..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+C:\Winnt\system32\Logfiles\W3SVC1

Some rules for IIS logging include configuring the IIS logs to record every available field, capturing events with a time stamp, ensuring continuity in the logs and ensuring there is no modification of the logs after they have been recorded.
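An added example (not from the original post) of checking IIS W3C extended log lines for the request patterns this page describes, written in Python over a constructed log excerpt with documentation-range IP addresses; the column names come from the #Fields directive IIS writes at the top of each log.

```python
import re

# Constructed W3C extended log excerpt in the layout IIS writes under
# LogFiles\W3SVC1 (sample data, not a real capture).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2012-10-13 10:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2012-10-13 10:00:01 203.0.113.7 GET /default.asp - 200
2012-10-13 10:00:05 203.0.113.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2012-10-13 10:00:09 198.51.100.4 GET /msadc/showcode.asp file=/msadc/../../../example.asp 200
2012-10-13 10:00:12 198.51.100.4 GET /default.asp::$DATA - 200
2012-10-13 10:00:20 192.0.2.9 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir 404
"""

# Each rule is (name, predicate over one parsed record). The patterns follow
# the attacks described on this page; a match is an indicator for review.
RULES = [
    ("overlong UTF-8 traversal (%c0%af style)",
     lambda r: re.search(r"%c[01]%[0-9a-f]{2}", r["cs-uri-stem"], re.I) is not None),
    ("double-encoded traversal (%255c style)",
     lambda r: re.search(r"%25[0-9a-f]{2}", r["cs-uri-stem"], re.I) is not None),
    ("NTFS ::$DATA stream request",
     lambda r: "::$data" in r["cs-uri-stem"].lower()),
    ("MSADC sample script used for traversal",
     lambda r: r["cs-uri-stem"].lower().endswith(
         ("showcode.asp", "codebrws.asp", "viewcode.asp")) and ".." in r["cs-uri-query"]),
    ("command interpreter requested through the web server",
     lambda r: r["cs-uri-stem"].lower().endswith("cmd.exe")),
]


def parse_w3c_log(text):
    """Yield one dict per request line, naming columns from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; a production analyser should count these
        yield dict(zip(fields, values))


def analyse_log(text):
    """Return [(c-ip, cs-uri-stem, [matched rule names])] for suspicious requests."""
    findings = []
    for record in parse_w3c_log(text):
        matched = [name for name, check in RULES if check(record)]
        if matched:
            findings.append((record["c-ip"], record["cs-uri-stem"], matched))
    return findings


def ips_to_review(text):
    """Distinct source addresses with at least one finding, for follow-up."""
    return sorted({ip for ip, _, _ in analyse_log(text)})


if __name__ == "__main__":
    for ip, stem, rules in analyse_log(SAMPLE_LOG):
        print(ip, stem, "->", "; ".join(rules))
```

Note that the 404 on the last line still counts: a failed traversal attempt is worth reviewing, and the page's point about log continuity is that such entries must not be deletable by the source IP they record.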

Log analyzer tool: This tool helps to grab web server logs and build graphically-rich self-explanatory reports on web site usage statistics, referring sites, traffic flow and search phrases, etc.

Clean IISLog Tool clears the log entries in the IIS log files, filtered by IP address. An attacker can easily cover his tracks by removing entries based on his IP address in W3SVC Log Files.

The ServerMask tool modifies your web server's "fingerprint" by removing unnecessary HTTP response data, modifying cookie values, removing the need to serve file extensions and adjusting other response data. ServerMask makes it difficult to find the real banner, fingerprint and vulnerabilities of the system, thus fooling an attacker into trying the wrong exploit and allowing the attack to be detected by IDS and IPS.

The ServerMask ip100 tool stops the TCP/IP fingerprinting used to exploit systems through flaws in the TCP/IP model. It stops IP spoofing by adding authentication to unprotected TCP/IP packets, and helps stop DoS attacks, session hijacking and DNS cache poisoning attacks.

CacheRight Tool allows Web developers to create cache control policies without MMC access. By eliminating unnecessary validation requests and ensuring proper caching of images and other content by both browser and proxy caches, CacheRight will speed up pages, reduce network chatter, and free up servers to handle more requests. A single configuration file in the home directory allows control of caching by mime and path.

The CustomError tool for IIS allows developers and administrators to create customized 404 and other default error pages. Furthermore, it increases security by masking web-server-specific default error messages and helps with link management and SEO.

The httpZip tool is an IIS server module for ISAPI-based compression on IIS 4.0, 5.0 and 6.0 web servers, which compresses static and dynamic web content using encoding algorithms supported by all modern browsers, with flawless decompression secured by real-time browser compatibility checking. Files are reduced to 2 percent of their original size, and the tool also offers optional HTML and CSS code optimization to improve performance and hamper attackers sifting through source. It also has a built-in caching feature.

LinkDeny Tool controls access to your Web site or Web-based application content and ensures that your bandwidth use is for your site users only keeping out all types of bad traffic. LinkDeny's powerful access control features allow you to transparently stop bandwidth pirates and potential hackers in their tracks by limiting their access via a Web request's

Server defender AI is a web app firewall

The ZipEnable tool allows admins to configure compression on all static and dynamic files for IIS 6.0.

The w3compiler tool allows you to create leaner, more secure code for faster page loads, safer sites, and lower bandwidth costs through code optimization. You can construct your (X)HTML, CSS, JavaScript, ASP, PHP, and CFM files in developer-friendly mark-up and script, then let the w3compiler optimize and deploy changes automatically, a natural final step before launching new pages. It employs safe compression, code condensing, and visual and code comparison, and won't break even sloppy code.

The Yersinia tool is a network tool designed to take advantage of some weaknesses in different network protocols. It pretends to be a solid framework for analyzing and testing the deployed networks and systems. Currently, attacks for the following network protocols are implemented: Spanning Tree Protocol (STP); Cisco Discovery Protocol (CDP); Dynamic Trunking Protocol (DTP); Dynamic Host Configuration Protocol (DHCP); Hot Standby Router Protocol (HSRP); IEEE 802.1Q; IEEE 802.1X; Inter-Switch Link Protocol (ISL); VLAN Trunking Protocol (VTP).

Metasploit framework is an open-source computer security platform which provides information about security vulnerabilities and aids in penetration testing and IDS signature development. The tool is used for developing and executing exploit code against a remote target machine.

Karma is a set of tools for assessing the security of wireless clients at multiple layers. Wireless sniffing tools discover clients and their preferred/trusted networks by passively listening for 802.11 Probe Request frames. From there, individual clients can be targeted by creating a Rogue AP for one of their probed networks (which they may join automatically) or using a custom driver that responds to probes and association requests for any SSID.  Higher-level fake services can then capture credentials or exploit client-side vulnerabilities on the host. Karmetasploit is just the integration of the KARMA toolset with the metasploit framework.

Immunity CANVAS Professional is a tool that contains many exploits as well as a system for creating and automating new exploits, and supports Windows, Linux and Mac OS X.

Core Impact tool allows admins to test for security patches, network infrastructure, and system upgrades before an attacker can compromise the system.

MPack is a web exploitation tool written in PHP that requires a backend database. It uses HTTP header information to exploit browsers.

Neosploit is a toolkit of attacks to launch for system testing.

Patches fix vulnerabilities in software programs and are the immediate solution to a problem. A hotfix is a cumulative package to address a bug in a platform.

Patch cycles direct the routine application of patches and updates to a system; for example, Microsoft has one every month and Oracle every 3 months, I believe.

Patch testing is first to verify the patch's source and integrity; the patch is then tested in a test environment.

Patch management is the process that makes sure the right patches are installed.

Patch and hotfix tools
Update Expert is a Windows admin app that optimizes security by remotely managing service packs and hotfixes.

Qfecheck helps admins diagnose the effects of anomalies in the packaging of hotfixes for Windows.

HFNetChk is a command line tool that allows remote access to the patch status of all machines on a network.

Cacls is a built in windows utility that can set access control list permissions worldwide.

The different types of vulnerability scanners according to their availability are: online scanners (e.g. www.securityseers.com); open source scanners (e.g. Snort, Nessus Security Scanner, Nmap, etc.); Linux proprietary scanners (the resource for scanners on Linux is SANE (Scanner Access Now Easy); aside from SANE, there is XVScan, parallel port scanners under Linux, and USB scanners on Linux); and commercial scanners, which can be bought from the vendors.
Online vulnerability search engine
The national vulnerability database (NVD) is the U.S. government repository of standards based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security related software flaws, misconfigurations, product names, and impact metrics. NVD is a product of the NIST Computer Security Division, Information Technology Laboratory and is sponsored by the Department of Homeland Security’s National Cyber Security Division.

The Whisker tool is automated vulnerability scanning software which scans for the presence of exploitable files on remote Web servers. Refer to the output of this simple scan given below and you will see Whisker has identified several potentially dangerous files on this IIS 5 server.

Network tool: Stealth HTTP Scanner (N-Stealth) is an impressive Web vulnerability scanner that scans for over 18000 HTTP security issues. Stealth HTTP Scanner writes scan results to an easy HTML report.
N-Stealth is often used by security companies for penetration testing and system auditing, specifically for testing Web servers.

WebInspect is an impressive Web server and application-level vulnerability scanner which scans over 1500 known attacks. It checks site contents and analyzes for rudimentary application-issues like smart guesswork checks, password guessing, parameter passing, and hidden parameter checks. It can analyze a basic Web server in 4 minutes cataloging over 1500 HTML pages.

Shadow Security Scanner is designed to identify known and unknown vulnerabilities, suggest fixes to identified vulnerabilities, and report possible security holes within a network's internet, intranet, and extranet environments. Shadow Security Scanner includes vulnerability auditing modules for many systems and services. These include NetBIOS, HTTP, CGI and WinCGI, FTP, DNS, DoS vulnerabilities, POP3, SMTP, LDAP, TCP/IP, UDP, Registry, Services, Users and accounts, Password vulnerabilities, publishing extensions, MSSQL, IBM DB2, Oracle, MySQL, PostgreSQL, Interbase, MiniSQL and more.

Secure IIS is a web server protection tool specifically for Windows, with site stats, configuration interfaces and a real-time log viewer.

ServersCheck monitoring software is an application for monitoring, reporting, and alerting on the availability of systems, networks, and applications. Unlike many competing products, ServersCheck can alert you even when your network is down, as it sends out alerts via SMS using a GSM modem. The software can be installed in 38 different languages. The software is also available as an appliance, a small box with the software preloaded and ready to go. It can be completed with optional environmental sensors which monitor temperature, humidity, power failure and water.

GFI Network Server Monitor enables admins to scan the network for failures and irregularities; when there is a problem the system can alert the admin via email, pager or SMS and take corrective action such as rebooting the machine.

Servers Alive is a network monitoring tool that runs on Windows 2000, 2003 and XP. It monitors Windows performance, a ping or complex SNMP checks, and can also send the admin a message via SMS, email, pager, ICQ and MSN Messenger.

The Webserver Stress Tool is an HTTP client/server test application designed to pinpoint critical performance issues in a website or web server. The admin can simulate HTTP requests under normal and heavy loads.

Secunia PSI is a software tool that allows for automated patching of known security vulnerabilities in most applications.

The IIS Lockdown tool restricts anonymous access to system utilities as well as the ability to write to Web content directories; it disables Web Distributed Authoring and Versioning (WebDAV); and it installs the URLScan ISAPI filter.

UrlScan is a security tool that screens all incoming requests to the server by filtering the requests based on rules that are set by the administrator.

Web server attack surfaces should be reduced in order to protect against attacks, but not so much as to reduce functionality and performance.

One tool many small to midsize businesses use is MBSA, which measures security against Microsoft security recommendations, though only for Microsoft apps and systems.

File system traversal countermeasures: Here is where Microsoft recommends setting the NTFS ACLs on cmd.exe and several other powerful executables to Administrators and SYSTEM: Full Control only. Remove executable permission from the IUSR account to stop directory traversal in IIS. Apply Microsoft patches and hotfixes regularly.

Increasing Web Server security
Make use of firewalls, administrator account renaming, disabling the default Web sites, removal of unused application mappings, disabling directory browsing, legal notices, service packs, hot fixes and templates, checking for malicious input in forms and query strings, and disabling remote administration, just to name a few.

Hacking
There are a number of reasons why hackers break into computers. Those that seek to steal money or intellectual property or to damage a system are known as “black hat” hackers. Those who do it for fun but do not wish to steal or cause damage are known as “white hat” hackers. In other words, they do not wish to do harm to others. Hacking can be legitimate, however, and is known as “ethical hacking”. Companies who are proactive in securing their networks will try to hack into their own networks or hire consultants to do that. Some prolific hackers have changed their ways and become ethical hacking consultants. Some hacker slang includes 133t, 1337, P0wn3d, B0x3n, L@m3r, 2600.
Some of the earliest hackers were involved in “phone phreaking”. This involved hackers seeking to break into telephone networks in an effort to make free long distance calls. Joe Engressia was one of the first phone phreaks. He was a blind boy with perfect pitch who could whistle any tone. Circuit switching centers at the phone company were fooled by the tones that he produced. One tone, used by AT&T tone dialing switches, was a tone of 2600 Hz, which could be exploited to provide free long distance and international calling. Engressia could imitate this tone, while other phreaks used what was called a “blue box”. Jobs and Wozniak, founders of Apple, were allegedly successful phone phreaks.
Computer hacking took off in the early 1980s with the advent of “true” personal computers – manufactured by companies like Apple. “War Games” was the first famous movie to expose the public to the world of computer hacking. Here is a link to the movie: http://www.youtube.com/watch?v=2k1aztBGnWc
“2600” is a very well known magazine in the hacker community. Many of those involved in the magazine can be found at the annual Hackers on Planet Earth (HOPE) Conference in NYC each year, which costs around $100 to attend. Here is a link to the Website: hope.net. The agenda and podcasts from the previous conference can be found here: http://thenexthope.org/
Kevin Mitnick was one of the most famous hackers of the 1980s. In 1988 he was convicted of breaking into Digital Equipment Corporation’s (DEC) network. He also hacked into the networks of Nokia, Motorola, Sun Micro and other companies. He now has his own company – Mitnick Security Consulting.
Legion of Doom was founded by Vincent Louis Gelormine (“Lex Luther”) in the 1980s. They were involved in unauthorized access to a number of corporate networks, including BellSouth Corp.
A number of congressional laws were passed in the wake of numerous high-profile break-ins. This legislation was enacted to provide greater protection against unauthorized access to government computers.
Title 18 United States Code: § 1030. “Fraud and related activity in connection with computers” Link: http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00001030----000-.html
After hackers broke into the Virginia Health Professions Database they posted a ransom note on the organization’s Website. They stated, "I have your [expletive] In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :( For $10 million, I will gladly send along the password."
WikiLeaks was founded to assist political dissidents, from countries like China, to anonymously send intelligence about abuse, which would be later released to the public. Private First Class Bradley Manning was arrested after downloading hundreds of thousands of sensitive files from the Department of Defense (DoD). He is suspected of receiving assistance from a hacker who helped him to download the documents without being detected by his superiors.
Adrian Lamo, a former hacker, was entrusted with information about the downloads but he informed the authorities about Manning’s activities. He appeared at the HOPE Conference and explained his reasons for reporting Manning to the authorities. Lamo was labeled a “snitch” and received death threats.
The Aurora Project was a project conducted by Idaho National Labs to test network vulnerabilities in the power grid. The experiment succeeded in destroying a 27-ton power generator through the Internet. The success of this experiment highlights how vulnerable our utilities are to attack. Link: http://unix.nocdesigns.com/aurora_white_paper.htm
A number of years ago utility companies pooled their resources to centralize their IT support and network their services. The problem is that access to one utility’s network now means access to a number of utility companies. The 2003 Northeast Blackout was unofficially blamed on hackers. So too were the 2009 blackouts in São Paulo and Rio: http://news.bbc.co.uk/2/hi/8354460.stm
We have entered a new era of hacking – “hacktivists”, who are politically motivated hackers. “Anonymous” was the first hacktivist group to come out in support of WikiLeaks’ actions; they launched Distributed Denial of Service (DDoS) attacks against companies who suspended their business with WikiLeaks in “Operation Payback”. These companies included PayPal and MasterCard. What was interesting about these attacks is that supporters allowed their computers to be used by Anonymous for the attacks, which had probably never been done before. DDoS attacks today are typically carried out by bot herders in control of thousands of computers in their botnets.
HBGary later stated that they would release the names of members of Anonymous. As retribution, the President of HBGary had his e-mail account hacked by a teenage girl who later posted the President’s e-mail online. The President subsequently resigned. Link: http://krebsonsecurity.com/2011/02/hbgary-federal-hacked-by-anonymous/
During the conflict in Ossetia, Georgia, the Georgian President’s Website was hacked as were the Twitter accounts of a number of Georgian ministers. The Russian government was allegedly behind the attacks. Link: http://www.usatoday.com/tech/world/2008-08-11-georgia-president-hacked_N.htm
In March 2011, 150 French ministry computers were hacked. Link: https://www.infoworld.com/d/security/french-government-says-hack-compromised-150-pcs-863
LulzSec is one of the most notorious hacker groups, and many of its members have been arrested.
Unfortunately, there are hacker groups that have sought to incite hatred against certain religions. These groups include UGNazi (anti-Semitism) and AlQaeda (Islamophobia).
LulzSec Leader 'Sabu' Flips on Friends for FBI: http://www.securitynewsdaily.com/1593-lulzsec-hacker-sabu-fbi-informant.html
Doxing is the publication of personal information about someone. The term comes from “Documents” or “.docx”. This technique is used by many hackers to expose the identities and personal information of members of law enforcement. CabinCr3w doxed police from the LAPD for their handling of Occupy LA protesters. They published detailed information about police officers, including their home addresses, mortgage payments and email addresses.
From discussion board
AntiSec is the term used by the hacking groups LulzSec, Anonymous and various other factions of crackers around the world. AntiSec refers to attacking systems not for monetary gain but to show how inept the security countermeasures of many government agencies are; by gaining access to critical data through these systems, LulzSec's and other hackers' objective is also to inform the general public about injustice that goes on within these agencies. It must be said that these groups go after not just governmental agencies but any entity or individual they claim to be unjust and harmful to society as a whole. Some examples of attacks were against PBS, Sony, Fox, porn websites, the FBI, the CIA and the U.S. government, just to name a few. In one statement issued by LulzSec they exclaimed, "This is what you should be fearful of, not us releasing things publicly, but the fact that someone hasn't released something publicly. We release personal data so that equally evil people can entertain us with what they do with it."

The roots of AntiSec date back to 2006, when LulzSec targeted the server on Booz Allen Hamilton's network, a security consulting organization that works on behalf of many governmental agencies. The motivation was to show how easy it was to infiltrate the so-called secured virtual network on which Booz Allen Hamilton was being paid a substantial sum of money by the U.S. Government to safeguard critical data, when in fact its security was inept at best. For one thing, passwords were easily cracked because the hashes were not salted. LulzSec then obtained remote code execution through shellcode, a key component of many buffer overflow attacks: execution is shifted to code furnished by the attacker, more often than not stored in the very buffer being overflowed.
By using this method to compromise the network, LulzSec also revealed that the management of Booz Allen Hamilton and other consulting firms comprised former directors of the NSA, CIA and other agencies, who were given preferential treatment due to their past ties with the public sector in order to garner a significant number of security contracts, which is considered a clear conflict of interest, and who were not doing a good job, to say the least. This acquisition of sensitive data also revealed many privacy violations.
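The post blames the password cracking on hashes that were not salted. The following Python is an added example, not code from the post or from any group or company it mentions; the credential dump, user names and passwords in it are constructed. It shows why a precomputed hash-to-password lookup table (the rainbow-table idea from earlier in these notes) recovers unsalted hashes with one lookup each, and why a random per-user salt with a slow key derivation function (PBKDF2 here) makes that table useless and also stops two users with the same password from getting the same stored value.

```python
import hashlib
import os

# Constructed wordlist; a real attacker table would hold millions of entries.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty", "welcome1"]


def md5_unsalted(password: str) -> str:
    """The weak scheme: one fixed function of the password and nothing else."""
    return hashlib.md5(password.encode()).hexdigest()


# Constructed sample dump in the unsalted style the post describes.
UNSALTED_DUMP = {
    "alice": md5_unsalted("password"),
    "bob": md5_unsalted("letmein"),
    "carol": md5_unsalted("password"),  # same password as alice -> same hash
}


def build_lookup_table(wordlist):
    """Hash each candidate once; the table is reusable against every unsalted dump."""
    return {md5_unsalted(word): word for word in wordlist}


def recover_unsalted(dump, table):
    """One dictionary lookup per account, no per-account hashing work at all."""
    return {user: table[h] for user, h in dump.items() if h in table}


def duplicate_hash_users(dump):
    """Audit check: identical stored values expose shared passwords (only without salt)."""
    seen = {}
    for user, stored in dump.items():
        seen.setdefault(stored, []).append(user)
    return [users for users in seen.values() if len(users) > 1]


def hash_salted(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Stored form 'salthex$iterations$digesthex' so verification can re-derive it."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    salt_hex, iterations, _ = stored.split("$")
    return hash_salted(password, bytes.fromhex(salt_hex), int(iterations)) == stored


def make_salted_dump():
    """Same two users with the same password, now with 16 random salt bytes each."""
    return {user: hash_salted(pw, os.urandom(16))
            for user, pw in [("alice", "password"), ("carol", "password")]}
```

Against the salted dump the precomputed table matches nothing and the duplicate-password audit finds no pairs, even though alice and carol still share a password.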

Additional source: Ethical Hacking and Countermeasures: Attack Phases, EC-Council Press.
