posts tagged as security

your facebook password

Saturday, 23 January 2010 11:10 am by noel
posted in tech

rockyou, a service that offers up applications to social networking sites, has been hacked. 30 million user passwords, along with the associated e-mail addresses, have been compromised and some have reportedly been leaked on the net. rockyou has apps on facebook and myspace. if you run applications made by rockyou, they highly recommend that you change your password on rockyou and on other online accounts that use that e-mail/password combination (presumably associated with rockyou). now.

hacking

Monday, 18 January 2010 1:56 pm by noel
posted in tech

with a handful of government websites being hacked, a lot of people have been asking me, “is that really possible? can they really hack into the election system?” the short, practical answer is, “given time, a hacker can hack into anything. given time.”

let’s clarify something first. a website is like a billboard or a poster—it serves up information about whatever. it’s easily accessible to the general online public. and it can easily be defaced when no one is looking or if it’s not guarded. and if it does get defaced, it doesn’t mean the person who did it was able to get into the company premises and steal whatever it is that’s in the safe.

hacking a website is not the same as hacking into a company’s internal network. a corporate website usually just contains information that the company wants the public to see. like i said, similar to a billboard or poster. hacking the website is equivalent to defacing the billboard. no real damage is done to the internal network and nothing is stolen from it. it is highly unlikely that the internal network of a company is physically connected to its website. how do i know? it’s best practice—if it can be avoided, you do not connect the web server to the internal network. and if you do, you have to make sure that there’s at least one layer of security (essentially a firewall with a ridiculously long passphrase) between the web server and the internal network.

how could the websites have been hacked?
it’s a combination of several things, including luck, but it’s mostly laziness on the part of the server administrators. they could have set a longer password and, if possible, changed the username of the administrative account. and these things should be changed again every so often—six months with some of my servers. there are easily downloadable “tools” to help today’s script kiddies (noob hackers) get into a website. i do not take that for granted.

how hard is it to hack into a company’s network?
if the network has been set up properly, it’s pretty hard. you have to know and get through several things before you can get your hands on the good stuff.

first, you have to know the ip address of the door—commonly a firewall—to the internal network. most networks are connected to the internet in one way or another and this firewall has its own ip address. the problem is that there are over 4 billion ip addresses in use on the planet. pick one. the admins certainly wouldn’t publicize their ip address and even if that got leaked there are usually several more they can use.

now if by chance you do get their ip address, you have to know three more things—the port number, the administrative username and the password for that firewall. think of a port number as something like a mini door and there are more than 64 thousand of these mini doors in that address. you have to pick one to use. then there’s the username which can be anything and, of course, the password—which can be pretty long. it can even be a sentence complete with capitalization, spaces and punctuation.

if you get through the firewall, you can then proceed to the file or database server, for which you would need, of course, the administrative username and password, which, again, can be anything. and there are some who are paranoid enough to put another firewall between the first firewall and the database server.

so to recap, you would need the ip address, port number, the administrative username and password of the firewall, the internal ip address, the administrative username and password of the database/file server. and also the administrative username and password of a secondary firewall you may encounter. and you have to enter all of this data in a very limited amount of time.

best of luck to you.

so the answer is “if the system is set up properly, no, they can’t really hack into the election system.”

is there another way to get around all this security?
there actually is. you can try launching a phishing attack specifically targeting the system administrators and pray that they’ll fall for it. personally, i do not think the admins are stupid enough to fall for such an attack.

what can i do to be safe from such attacks?
for starters, don’t believe everything that gets sent to you via e-mail. and don’t click on that link that your friend sent to you without carefully inspecting it first. and try not to use internet explorer. please.

change your password. again.

Tuesday, 8 September 2009 8:41 am by noel
posted in tech

the passphrase is in cebuano. 8) wait. does the account even exist?

it seems that hacking passwords for webmail services is getting some attention. and money. people are actually paying someone to get people’s webmail passwords so they can take a peek at people’s private e-mails.

naughty. santa does not like that.

there is a trend here. people get paid to hack into a webmail account–not to mess it up–but to take a look at what the account contains. they don’t even change anything–not even the password–so the user is unaware that his/her account has been compromised. on one occasion, i got my hands on a compromised e-mail account and all the hacker did was to add another e-mail account, supposedly so that they can send spam using the original e-mail address.

what to do. like i said before, use a passphrase instead of a password. a phrase is longer than a word and is therefore harder and takes longer to crack. it would be better not to use any english words or phrases if you can. french. german. tagalog. japanese. whatever. as long as you can remember them. but not english.

change your password. now.

secure your wordpress

Sunday, 6 September 2009 9:25 am by noel
posted in tech

i just read that there’s this new and ‘clever’ worm moving about attacking sites using older versions of wordpress. if you’re running the latest versions–2.8.4 and 2.8.3–then you’re safe. if you’re running an older version then better upgrade now. i also read that sites hosted under wordpress.com need not worry about the worm.

what the worm does is register itself as a user, then try to make itself an admin via a security bug (which was fixed early this year), then basically try to hide itself. later on it inserts spam and malware in old posts. think of it. if google’s crawlers find spam and malware on your posts then your site will be removed from google’s indices. and that would not be good.

the wordpress devs have made it easy to upgrade to the latest version with just one (or two) clicks. i’ve never had problems with it. please upgrade.

worm on april fool’s and other things

Friday, 27 March 2009 12:46 pm by noel
posted in tech

i have been preoccupied of late with security stuff. the first one is what they’re calling conficker.c which will activate on the first of april. no one knows what it will do but i would bet a beer that it’s not entirely good. symantec has a removal tool for this and previous versions of conficker (aka downadup).

+ + +

another news item that has been in that particular corner of my brain is the network bluepill aka psyb0t botnet. it’s a new botnet targeting routers/modems instead of pcs. these routers/modems are the gadgets that give you access to the internet. imagine what bad things can happen when one of those has been compromised. you can’t scan for the botnet either because the botnet code is not on your pc. according to dronebl–a real-time tracker of abusable ips–you are vulnerable if:

  • Your device is a mipsel (MIPS running in little-endian mode, this is what the worm is compiled for) device;
  • Your device also has telnet, SSH or web-based interfaces available to the WAN, and
  • your username and password combinations are weak, OR the daemons that your firmware uses are exploitable.

the best way to ensure that you don’t get infected (or reinfected) is to perform a hard reset of the device, update the device’s firmware to the latest and change the administrative passwords to stronger ones, maybe use a passphrase instead.
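a small self-check for the second dronebl condition, added here as an example (it is not from dronebl or the original post): it tries to open a tcp connection to the telnet, ssh and web ports of an address you own. the default port numbers and the `192.0.2.1` placeholder address are assumptions.

```python
import socket

# Remote-management services named in the dronebl criteria. The default port
# numbers are an assumption; a device can be configured to use others.
MGMT_PORTS = {"telnet": 23, "ssh": 22, "web": 80}


def reachable_services(host, ports=None, timeout=2.0):
    """Return the names of management services that accept a TCP connection.

    Meaningful only when run from outside your own network against your own
    public (WAN) address; from the LAN side these ports are expected to answer.
    """
    ports = MGMT_PORTS if ports is None else ports
    found = []
    for name, port in sorted(ports.items()):
        try:
            with socket.create_connection((host, port), timeout=timeout):
                found.append(name)
        except OSError:
            # refused, filtered or timed out: not reachable from here
            continue
    return found


def report(host, found):
    """One-line summary of what answered on the given address."""
    if not found:
        return f"{host}: no management interface answered"
    return f"{host}: reachable from this side: {', '.join(found)}"


if __name__ == "__main__":
    # 192.0.2.1 is a documentation address used as a placeholder;
    # replace it with your own router's public address.
    wan_address = "192.0.2.1"
    print(report(wan_address, reachable_services(wan_address)))
```

anything this lists from the wan side should be switched off in the router's remote-management settings, on top of the reset, firmware update and password change above.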

+ + +

and then there’s the next version of ubuntu–jaunty jackalope or version 9.04–coming out by april (2009.04). that’s something to look forward to. at the same time i’ve been studying/evaluating the server version of ubuntu as a replacement for some (or all) of my server installations.

+ + +

i have taken on a new project making a new website which will act much like a repository of information about a famous person. this will replace another project that i had to let go. it’s another php/mysql/apache install (spelled as web 2.0). this should prove interesting. 8-)

flash cookie manager

Thursday, 26 March 2009 11:40 am by noel
posted in tech

flash stores its own version of cookies on your computer. they are formally called local shared objects; linux planet just calls them flash cookies. unlike ordinary cookies, these things are binary files not readable by plain-text editors and, as you guessed, not readily accessed or removed either. you have to go to the adobe site and use their online flash settings manager to edit or delete these cookies.

gmail: always use https

Saturday, 23 August 2008 10:39 pm by noel
posted in tech

this is a follow up post to securing your gmail.

google has made it easier for you to permanently use https when you access your gmail account. that’s from login to logout and everything in between. in gmail, click on “settings”, located on the upper right-hand side of the browser screen. this will bring you to the general settings of your gmail account. scroll down to the bottom and you will see “browser connection”. click on “always use https” and then click on “save changes”.

and you’re done. easy.

please understand that doing this will make your gmail session a tiny bit slower because of all the encryption/decryption that’s going on between your browser and google mail. the upside is you secure your gmail account. ;-)

securing your gmail

Wednesday, 20 August 2008 10:36 am by noel
posted in tech

there exists a tool that can “automatically steal ids of non-encrypted sessions and breaks into google mail accounts” and it will be released to the public in a few weeks. the tool was presented in the recent hackers’ conference in las vegas called defcon. click on the link above if you want more technical details.

essentially what the tool does is to allow a hacker (unsuspecting or otherwise) to get into your gmail account and do what s/he pleases — like change the password. scary stuff.

the solution is simple enough — encrypt your entire gmail session and not just the login portion. to do that both the server (google mail) and the client (your browser) have to talk to each other via ssl (secure sockets layer) all the time. fortunately, google was informed of the vulnerability about a year ago so they took steps to implement ssl on their side of the fence. browsers have ssl support built in.

all you have to do is add an “s” to the “http” portion of the google mail address, making it look like “https” (without the quotes of course), and you’re done. preferably, you should do this at the start of your gmail session when you log in.
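why encrypting only the login is not enough, as an added example (not code from the original post or from the tool mentioned): it walks a request sequence and lists every plain-http request on which the browser would attach a session cookie that lacks the `Secure` attribute. the cookie names, values and the `mail.example.test` host are constructed, and domain/path matching is left out.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed Set-Cookie headers from a login response (not real Gmail cookies).
LOGIN_ONLY_TLS = ["SESSION=c0nstructed; Path=/", "PREF=en; Path=/"]
ALWAYS_TLS = ["SESSION=c0nstructed; Path=/; Secure; HttpOnly", "PREF=en; Path=/"]

# Constructed request sequence: login over https, then the mailbox over http.
MIXED_SESSION = [
    "https://mail.example.test/login",
    "http://mail.example.test/inbox",
    "http://mail.example.test/message/1",
]


def secure_flags(set_cookie_headers):
    """Map each cookie name to True if it carries the Secure attribute."""
    flags = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)  # one Set-Cookie header holds one cookie
        for name, morsel in jar.items():
            flags[name] = bool(morsel["secure"])
    return flags


def cleartext_leaks(set_cookie_headers, request_urls, session_names):
    """Return (url, cookie) pairs where a session cookie travels unencrypted.

    A browser attaches a cookie without Secure to http:// requests too, so
    anyone on the same network can read the session id from those requests.
    """
    flags = secure_flags(set_cookie_headers)
    leaks = []
    for url in request_urls:
        if urlsplit(url).scheme != "http":
            continue  # https requests are encrypted end to end
        for name in sorted(session_names):
            if name in flags and not flags[name]:
                leaks.append((url, name))
    return leaks


if __name__ == "__main__":
    for url, name in cleartext_leaks(LOGIN_ONLY_TLS, MIXED_SESSION, {"SESSION"}):
        print(f"{name} sent in the clear on {url}")
```

with the `Secure` cookie set the same mixed sequence leaks nothing, because the browser withholds the cookie from http requests; staying on https for the whole session is what keeps it working.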