Turning Attackers' Tools Against Them 75
Tasha26 writes "The BBC has an interesting Web security snippet from the SyScan 2010 security conference in Singapore. In a presentation, security researcher Laurent Oudot released details of bugs found in commonly used attack kits such as Neon, Eleonore, and Sniper. These loopholes could be exploited to get more information about the attackers, perhaps identifying them, stealing their tools and methods, or even following the trail back to their own computer."
Time for hacker bounty hunter! (Score:5, Interesting)
There should be bounties put on these folks spreading this shit.
Re:Time for hacker bounty hunter! (Score:5, Funny)
*watches two hours of Dog learning to search for people on FaceBook*
Re: (Score:1)
Re: (Score:2, Interesting)
Re: (Score:1)
Re: (Score:1, Funny)
Re: (Score:2)
I think you mean "accept". *wooosh*
dang it...
Re: (Score:1)
Re: (Score:1)
Re: (Score:1)
Bounty is too good for them.
Re:Time for hacker bounty hunter! (Score:4, Insightful)
Following the trail back to their own computer (Score:3, Insightful)
..or to the person they are setting up to go to jail...
Re: (Score:2, Insightful)
..or to the person they are setting up to go to jail...
Yes, and the police shouldn't bother following up on physical evidence either since it usually leads to someone who's being set up to go to jail.
Re: (Score:2)
If you go to that much trouble to frame someone via a 'code trail', you will be planting more evidence.
Re: (Score:3, Interesting)
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Who knows, people are having a bad day? Or perhaps they are guilty themselves? :)
I was trying to be serious, as it would be a great way to distract attention to yourself ( as the bad guy ) and take down your enemies in the process. A double win.
One would assume that the high end coders doing this stuff would be that smart.
But did he do "responsible disclosure"... (Score:5, Funny)
...or did he behave irresponsibly and publish the bugs without giving the vendors time to issue patches?
Ka! Crooks' food-chain (Score:2, Insightful)
Low hanging fruit (Score:5, Insightful)
Re:Low hanging fruit (Score:4, Insightful)
Thae fact that there are errors and vulnerabilities in web based tools just means that they were written by programmers who largely don't have peer code review
The fact that there are errors in these attack suites in particular is probably more because their purpose is to attack others with no expectation that counter-attacks are likely to happen, at least against these tools themselves.
I workd for a company that used a stripped down, harmless version of the sub7 trojan to deploy software
Funny you bring that up. Older versions used to have a hard coded master password that could be used to steal Sub7 systems, W32/Leaves took over systems that way.
Re: (Score:2)
No Honor Among Thieves (Score:5, Insightful)
Do you really think that the creators of these "tools" aren't going to leave SOME way of getting back into them? To prevent them from being used against their own systems?
"Did you really think you could use my own spell against me , Potter?" -Severus Snape "HP: THBP"
Re:No Honor Among Thieves (Score:4, Interesting)
Do you really think that the creators of these "tools" aren't going to leave SOME way of getting back into them? To prevent them from being used against their own systems?
No, of course not ... though they may install a copy of Kaspersky [ca.com] to remove the competition from their latest conquest.
Re: (Score:1)
This one hasn't been updated for more than 3 years.
I guess its author is still trying to remove Kaspersky from his Botnet...
Remember Alfred Nobel? (Score:1)
Re: (Score:1)
WTF?
Re: (Score:1)
In other news... (Score:5, Funny)
In other news, researchers learn that script kiddies tend not to be very good software developers.
Re:In other news... (Score:5, Insightful)
In other news, researchers learn that script kiddies tend not to be very good software developers.
Surely the very definition of a script kiddie is someone who doesn't write hacking software, but uses software built by others.
I think this shows that the hacking community can be a bit arrogant, and they think that hackers won't go after one of their own.
Re: (Score:2)
Re: (Score:2)
Or they just don't care...
The people who write these tools are not the same people who run them, script kiddies run the tools because they aren't smart enough to write their own and nor are they smart enough to verify that the code isn't broken or even full of blatant backdoors. Nor do they care at all since the machines they will be running the tools on are compromised systems which were obviously vulnerable to something else already.
Re: (Score:3, Insightful)
Eh, I'm not sure I agree.
It's one thing to have the ability to find a exploit and take advantage of it. It's an entirely different thing to personally go through all of the code running on your machine and remove all exploits.
walled garden version for the rest of us? (Score:1, Troll)
Re: (Score:2, Insightful)
Microsoft would gladly make a walled garden OS for EVERYONE to use if they thought they could get away with it.
Re:walled garden version for the rest of us? (Score:5, Insightful)
Haven't they already taken the first step with compulsory driver signing in their 64-bit OSes? I hear there's a registry hack to disable it... for now. But MS would -love- it to be mandatory, they've been laying the foundations since the original "Trusted Computing Platform Alliance" days haven't they? I don't keep up to date on all this stuff so maybe it's not so true anymore.
Re: (Score:1, Troll)
They just upped the logo requirements - to get logo certification, you have to have 64 bit versions of drivers as well. Which is great, because 32bit blows chunks.
As for having to get them signed, that is kind of a pain. On the plus side, it means your signed driver went over some basic "are you likely to freeze the computer" tests and it discourages companies with shitty programmers from doing unnecessary stuff in kernelspace.
I for one applaud this tiny effort to improve Windows stability.
Re: (Score:2)
Maybe someone can encourage MS not to do unnecessary stuff in kernel space? IIS is a prime offender for this...
Re: (Score:2)
IIRC, one of the reasons for requiring driver signing was not for the logo certification part (which I thought remained optional, but I may be wrong on that) but actually to help with Microsoft's crash analysis efforts.
With a signed driver it's much easier to identify the vendor of a buggy driver, get in contact and ask them to fix their code, and even offer to push out an update via the Microsoft Update tool.
Re: (Score:2)
Microsoft would gladly make a walled garden OS for EVERYONE to use if they thought they could get away with it.
Companies do what makes good business sense. If Microsoft could get away with making a walled-garden OS and they thought it would be more successful than their current product, then of course they would. But they would lose me as a customer, and they would probably lose much of the rest of their current customer base, so they wouldn't. What's your point?
Now go back to using your Windows: Linux Edition (sorry, I mean Ubuntu) and stop turning every thread you can into a baseless battle of the OSes.
Re: (Score:2)
"Now go back to using your Windows: Linux Edition (sorry, I mean Ubuntu) and stop turning every thread you can into a baseless battle of the OSes."
Why have YOU turned this into a battle of OSes? There is nothing intrinsically wrong with Ubuntu. It might not be your distro of choice but for many thousands of people, it is exactly that. The fact that it is user friendly and works out-of-the-box makes it more popular but no less of an OS than whatever you might choose to use.
Re: (Score:2)
"Now go back to using your Windows: Linux Edition (sorry, I mean Ubuntu) and stop turning every thread you can into a baseless battle of the OSes."
Why have YOU turned this into a battle of OSes? There is nothing intrinsically wrong with Ubuntu. It might not be your distro of choice but for many thousands of people, it is exactly that. The fact that it is user friendly and works out-of-the-box makes it more popular but no less of an OS than whatever you might choose to use.
It's just that it's typically Ubuntu users that start the OS battles. And those people only use Linux so they can fit in with their hacker friends, dis micro$haft and feel all epix leatsauce, but they use Ubuntu so they don't actually have to know anything.
And you know it's true.
Re: (Score:1, Redundant)
By the way, I have nothing against Linux. I love Linux. I wouldn't use anything else for running a server (I have 3 that run on Gentoo)... it's the people that use it just to fit in that I can't stand.
Re: (Score:2)
I propose that MS create a walled-garden version of Windows that will work for 85% (my estimate) of home users.
FTFY.
Re: (Score:2)
In anything XP or later, not sure about 2000, you can use software restriction policies to control the execution of programs and the loading of dlls by location, name, hash, or signature. Or some combination.
It's kind of a pain to use, which is why you don't see it too much; but it is there.
Illegal in many jurisdiction (Score:5, Interesting)
Re: (Score:2, Insightful)
Not so. Try a "self defense" defense.
If an attacker originates an attack on you,
you are welcome to use ENOUGH force to stop it.
I think a requisite measure of restraint would be
proven, and any subsequent culpability waived.
Re: (Score:1, Insightful)
Not so. Try a "self defense" defense.
If an attacker originates an attack on you,
you are welcome to use ENOUGH force to stop it.
I think a requisite measure of restraint would be
proven, and any subsequent culpability waived.
Stop it? .... -j DROP
iptables
Retaliation against the attackets system, which just happens to be a rooted box at MegaCorp ? Year, real smart idea - their lawyers will surely see the sanity of what you did and not sue..
drug dealers can't report theft of drugs (Score:4, Insightful)
likewise, what hacker is going to report that someone reverse engineered his hack?
Re: (Score:2)
What if the attacker is using another system they already exploited? You're then hacking into someone else's computer and they very well could press charges.
your view of ethics is odd (Score:2)
i think you are trying to say that going after hackers is unethical. you are of course right. but that doesn't mean you can't go after them, just that you can't wrap yourself in the cloak of ethics when you enter their shadowland
in other words, to catch a criminal, you should abide by good conduct, but you may have to get a little dirty yourself
it is not possible to fight crime completely straightjacketed by the highest standards of good behavior. as long as you yourself don't become a criminal in your purs
Re: (Score:2)
Re: (Score:2)
There's a bit of irony in reporting vulnerabilities in malware - can I get a CVE for that?
I nominate 'There's a CVE for that!' as the new 'There's an app for that'.
sounds fun, but you could still go to jail (Score:2)
Why not just build in counter-attack tools (Score:3, Interesting)
in the OS or have an option of and OS update that includes tools to detect attacks and then counter them.
I remember having a Fedora 9 Web Server and all kinds of foreign IP addresses tried to crack passwords and guess user names. I read the logs as root showing me failed attempts using some dictionary attack of English/American first names and passwords from a dictionary list. Now I don't use first names but handles and pen names that are hard to guess and run as a user account and only use root when I need to do something.
A friend of mine told me they will keep trying and cannot be stopped because my Linux server has no defense system to counter attack their hacking attempts and when they send a DoS attack my system does not send one back.
But I was never able to find such programs for Linux that would counter-attack such things and stopped hosting my web site at home and moved it to a web hosting services and let their admins monitor it 24/7. I recall they used an exploit in Apache 2.X and PHP during Halloween when I was taking my wife and son out for collecting candy. I come back home and found that trolls from Kuro5hin hacked my web server and took control and added insulting and untrue stuff about me. Later on they did the same thing to Net Money Chat that used Scoop like Kuro5hin but the admin fixed it to work with Apache 2.X and mod_perl for Apache 2.0, he submitted the code changes to Rusty, but Rusty never did anything about them. Then the Kuro5hin trolls hacked Net Money Chat and make it so it never served web pages and sabotaged the system so no part of it would work.
I would like to see such things available or built into Linux and other operating systems or be part of a security update or some free or open source software that can be gotten by people or small businesses that run web sites and need some way to force hackers and attackers to stay away from their web servers or at least collect enough evidence to submit to the FBI or some other group to hunt down the hackers and crackers by generating an ODF or PDF or whatever file that contains copies of the logs and a list of IP addresses doing the hacking and cracking attempts and attacks and then lists what they did. If needed a court can examine the Linux logs to see the whole history if they want to as well.
Re: (Score:2)
False positives. In order for this to be effective, one would have to come up with fingerprints of attacks. If someone's normal activity happened to be similar and triggered it, then their system gets attacked by yours.
The other problem is that there are new attacks everyday and it would get harder and harder to have effective counter attacks. Pretty soon every mail server on the internet will be attacking each other. It's just silly.
Re: (Score:1)
correct web address for psad is (Score:1)
The presentation: well hidden (Score:2, Informative)
These conferences, unlike BlackHat® conferences, seem to publish zilch, and on his company web site there is nothing, in any language, except for a news item in Inspector Clouseau's English (Pink Panther, remember?) on this same matter, hardly more informative that the OP comment.
To shake him, please e-mail him