Attacks/Breaches
10/30/2012
11:51 AM
Connect Directly
RSS
E-Mail
50%
50%

Hackers Trade Tips On DDoS, SQL Injection

Study of hacker bulletin boards reveals focus on attack techniques, tips for beginning hackers, buying and selling of fake social network endorsements.

What do hackers talk about amongst themselves?

These days, the two hottest topics -- comprising 19% of all discussions -- involve distributed denial of service (DDoS) attacks and SQL injection attacks.

Those findings come via a new report released by data security firm Imperva, which reviewed the chatter on 18 underground forums -- including one with 250,000 members -- to see what participants discussed. Beyond DDoS and SQL injection, the other top topics, based on a keyword analysis, were shell code (16% of all discussions), spam (14%), cross-site scripting (12%), and brute-force techniques (11%).

[ What do we know about the U.S. bank hackers? Read Who Is Hacking U.S. Banks? 8 Facts. ]

Imperva also found that the majority of forum threads were devoted to beginner hacking, hacking tools and programs, and website and forum hacking. Other information security topics, such as wireless hacking and cryptography, were also discussed, but with much less frequency.

Beyond tutorials and education, hacking forums also serve as a place for people to buy and sell their goods or services. "The pages are filled not only with job offers, but with advertisements for paid services, buy/sell, ads, and trading goods," read the Imperva report. "Goods in the cyber world can be anything from Facebook 'likes,' hacking tools, and e-books to botnets and pornographic material. Some simple tools are shared for free, just to increase the status of the developer. Transactions are usually made in ways that allow anonymity, like Bitcoins, Liberty Reserve, or even PayPal."

One area of increasing interest on hacking forums involves so-called "e-whoring" attacks. E-whoring, according to the Imperva report, is "a practice of selling pornographic content, while pretending to be the person, usually girl, photographed." The report continued, "It is considered a form of social engineering, when the victim is misled to believe he is interacting with a girl who is sending him nude photos and video clips of herself." To facilitate such attacks, hackers -- or more precisely, social engineers -- actively share, if not buy and sell, "e-whoring packages," which typically include photographs and videos. An attacker then lurks in adult chat rooms, using the photos and videos to pretend to be the pictured woman, to try and lure buyers into paying to see more racy material.

While these types of social-engineering ruses may be popular, some of the most devastating exploits being launched today involve DDoS attacks, aided in part by a number of free but effective DDoS tools. DDoS attacks involve flooding a network with fake packets, to make it effectively unreachable. Such attacks have recently been used to disrupt the websites of major U.S. banks.

The most common type of hack attack seen these days, however, involves SQL injection. Attackers -- including hacktivists -- favor SQL injection attacks because they allow attackers to "inject" their own commands into databases. When databases aren't configured to properly screen inputs for signs of attack, attackers have an easy-to-use, remote technique for obtaining any information stored by the database.

According to Imperva, SQL injection attacks are the most common type of attack launched against websites -- and more often than not are the favored attack type for stealing sensitive data. For example, numerous security experts suspect that SQL injection attacks were used in the online attack against South Carolina state systems announced Friday by state officials. All told, the breach involved the social security numbers of some 3.6 million state residents, as well as 387,000 credit and debit card numbers. Unfortunately, the social security numbers, along with about 16,000 card numbers, weren't stored in encrypted format.

Attackers are increasingly using a simple method for finding flaws in websites and applications: They Google them. Using Google code search, hackers can identify crucial vulnerabilities in application code strings, providing the entry point they need to break through application security. In our report, Using Google To Find Vulnerabilities In Your IT Environment, we outline methods for using search engines such as Google and Bing to identify vulnerabilities in your applications, systems and services--and to fix them before they can be exploited. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
matcohen
50%
50%
matcohen,
User Rank: Apprentice
11/1/2012 | 10:50:48 PM
re: Hackers Trade Tips On DDoS, SQL Injection
Why do thieves rob banks? Because that's where the money is.

SQL Injection is the quickest and easiest way to maximize the return on your hacking hours if you are a hacker. After 10 years of web application security efforts, enterprises are still vulnerable to the most obvious and dangerous attack.

Building a website without security is like building a car with no safety features.

Best,

Matthew Cohen
www.ntobjectives.com
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3409
Published: 2014-10-25
The Ethernet Connectivity Fault Management (CFM) handling feature in Cisco IOS 12.2(33)SRE9a and earlier and IOS XE 3.13S and earlier allows remote attackers to cause a denial of service (device reload) via malformed CFM packets, aka Bug ID CSCuq93406.

CVE-2014-4620
Published: 2014-10-25
The EMC NetWorker Module for MEDITECH (aka NMMEDI) 3.0 build 87 through 90, when EMC RecoverPoint and Plink are used, stores cleartext RecoverPoint Appliance credentials in nsrmedisv.raw log files, which allows local users to obtain sensitive information by reading these files.

CVE-2014-4623
Published: 2014-10-25
EMC Avamar 6.0.x, 6.1.x, and 7.0.x in Avamar Data Store (ADS) GEN4(S) and Avamar Virtual Edition (AVE), when Password Hardening before 2.0.0.4 is enabled, uses UNIX DES crypt for password hashing, which makes it easier for context-dependent attackers to obtain cleartext passwords via a brute-force a...

CVE-2014-4624
Published: 2014-10-25
EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) 6.x and 7.0.x through 7.0.2-43 do not require authentication for Java API calls, which allows remote attackers to discover grid MCUser and GSAN passwords via a crafted call.

CVE-2014-6151
Published: 2014-10-25
CRLF injection vulnerability in IBM Tivoli Integrated Portal (TIP) 2.2.x allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.