Thursday, May 10, 2012

Passwords Still the Weak Link in the Chain

Networks are only as secure as their weakest part, and time and time again the weakest part of any system is the user. Weak passwords are by far the easiest aspect of network security to attack, and despite repeated calls by security experts for people to tighten up their password habits, password hygiene is as bad as it has ever been.

Gaining access to people's passwords can be extremely simple, primarily because people don't follow the advice they are given. Because so many people use weak or recycled passwords, an attacker often only needs to determine one person's login to gain a foothold in an entire network and the great bounty of data therein. Many high profile breaches trace back, at least in part, to a single weak or reused credential. Earlier this year the online retailer Zappos had the personal details of 24 million customers stolen, and the global intelligence firm Stratfor, which really should have known better, lost around 860,000 user names and email addresses to hackers.

Password security can be extremely difficult for a big network to manage, primarily because it requires policing everybody with access, from the website designers and administrators to the marketers in charge of PPC and AdSense campaigns, and it only takes one person who does not take security seriously for the whole network to become vulnerable.

Seven deadly password sins

People are creatures of habit, and nearly a fifth of people still commit one of the seven most common sins when choosing a password:

1. They use the name of a partner, child or pet, perhaps followed by a digit (usually a 1 or 0) to satisfy an alphanumeric rule. With everybody's life laid bare on social networking sites, it doesn't take long to learn the name of a family pet, child or spouse.

2. The same is true of dates of birth, whether the user's own or that of a partner, child or pet.

3. People often use the last four digits of their social security or employee number. These details are harder to get hold of, but not impossible.

4. Amazingly, 123, 1234 and abcd1234 are still common passwords.

5. Likewise, "password" or "pa55word" (to satisfy the alphanumeric rule) is another common choice.

6. Facebook also grants easy access to a user's favorite sports team, another common password choice.

7. Then there are the generic one-word passwords: "god", "love", "money", "access" and so on, all of which are common strings that any cracking wordlist contains.
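Each of the seven sins is mechanical enough to test for, so here is an added example that is not from the article: a Python checker that takes a candidate password plus what an attacker could learn about the user from a social network profile (names, dates, a known ID fragment, a team) and reports which sins it commits. It undoes the "pa55word" substitutions and a trailing 1 or 0 before comparing, since those are exactly the tricks the list says people use to pass an alphanumeric rule. The profile and the candidate passwords are constructed for the example; the labels and the substitution table are my own choices, not anything the article defines.

```python
import re
from datetime import date

# Fixed strings from the list above, compared after normalisation.
GENERIC_WORDS = {"god", "love", "money", "access"}
SEQUENCES = {"123", "1234", "abcd1234"}

# Digit/symbol-for-letter swaps people use to satisfy an "alphanumeric" rule (my own table).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(pw):
    """Lowercase, drop a trailing digit/punctuation suffix ('fluffy1', 'rex2009'),
    then undo leetspeak so 'Pa55word' and 'password' compare equal."""
    core = re.sub(r"[\d!@#$%^&*._-]+$", "", pw.lower())
    return core.translate(LEET)


def has_sequence(s, n=4):
    """True if s contains n consecutive ascending characters, e.g. '1234' or 'abcd'."""
    s = s.lower()
    return any(all(ord(s[i + k]) == ord(s[i]) + k for k in range(n))
               for i in range(len(s) - n + 1))


def date_variants(d):
    """The digit strings a person typically types for a date (DDMMYYYY, MMDDYY, year, ...)."""
    fmts = ("%d%m%Y", "%d%m%y", "%Y%m%d", "%m%d%Y", "%m%d%y", "%d%m", "%m%d", "%Y")
    return {d.strftime(f) for f in fmts}


def password_sins(pw, profile):
    """Return the list of sins a candidate password commits, given a profile dict with
    optional keys: names, dates (datetime.date), id_numbers (SSN/employee), teams."""
    sins = []
    low, norm = pw.lower(), normalize(pw)
    digits = re.sub(r"\D", "", pw)

    if any(n.lower() == norm or (len(n) >= 4 and n.lower() in norm)
           for n in profile.get("names", [])):
        sins.append("name of partner/child/pet")
    if any(v in digits for d in profile.get("dates", [])
           for v in date_variants(d) if len(v) >= 4):
        sins.append("date of birth")
    if any(num[-4:] in pw for num in profile.get("id_numbers", [])):
        sins.append("SSN/employee number fragment")
    if low in SEQUENCES or has_sequence(low):
        sins.append("keyboard/number sequence")
    if norm == "password":
        sins.append("'password' variant")
    if any(t.lower().replace(" ", "") in low.replace(" ", "")
           for t in profile.get("teams", [])):
        sins.append("favorite sports team")
    if norm in GENERIC_WORDS:
        sins.append("generic one-word string")
    return sins


# Constructed profile: what a few minutes on a social network would turn up.
PROFILE = {
    "names": ["Fluffy", "Emma"],
    "dates": [date(1984, 7, 21)],
    "id_numbers": ["123-45-6789"],
    "teams": ["Red Sox"],
}

if __name__ == "__main__":
    for candidate in ["Fluffy1", "pa55word", "abcd1234", "RedSox1984", "g0d", "Tr0ub4dor&3xQ"]:
        print(f"{candidate!r}: {password_sins(candidate, PROFILE) or 'no sins from the list'}")
```

A check like this belongs at password-set time, next to a lookup against a breached-password list: it catches the specific patterns the list names, not weak dictionary words in general, and a password that passes it can still be guessable.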


Even if somebody follows the guidance for creating a strong password and uses upper and lower case letters, digits and as random a string as possible, there is a good chance that after all that effort they will reuse the same password across a whole host of other sites. Gaining access to a work VPN or a bank account directly takes real effort, but some sites, such as forums or small online retailers, don't have such strict security. If an attacker compromises one of those and recovers a user's strong password, the chances are that the same string opens the user's work network, bank or other secure site.

Hear no evil

Despite the repeated high profile attacks, the loss of millions of people's personal data each year, and the persistent mantra from network managers about the importance of strong passwords, people just aren't listening. It isn't as if the internet is a new thing, either: people have been relying on usernames and passwords for decades, but it seems they just won't listen. There are probably a couple of reasons for this, and both boil down to human nature.

Firstly, people think it will never happen to them. Being hacked is like being mugged, both in the material loss that can result and in the belief that it only happens to other people. It isn't until somebody actually gets hacked that they start to take passwords seriously, and by then, of course, it is too late. Secondly, people are inherently lazy. Generating new passwords and having to remember them is not fun, and most people have better things to do, which is why so many choose weak, easy-to-remember passwords or recycle old ones.

Until people start realizing the importance of good password practice, high profile hacks will continue unabated. Perhaps there will come a time when virtually everybody has suffered some form of hacking attack at least once, by which time password security may at last matter to people as much as protecting their wallet or locking their front door at night. Until then, weak passwords remain by far the easiest way into a network for any attacker.

The Hacka Man

Wednesday, December 15, 2010

More WikiLeaks News

Pro WikiLeaks hacker group’s DDoS tool downloads top 40,000 (12/13/10)
Imperva, the web security specialist, has reported that the tool released by the Anonymous hacker group for would-be WikiLeaks protesters has been downloaded over 40,000 times, with the majority of downloads occurring in the US. Imperva said there were three versions of the denial of service tool that members have been able to use:

Anonymous attacks more websites, as second Dutch teenager is arrested in WikiLeaks saga (12/13/10)

WikiLeaks Imbroglio Renews Focus on Risk Management (12/13/10)

WikiLeaks-Related Spam Spotted (12/13/10)

braces for possible Wikileaks hacklash (12/14/10)

The Hacka Man

Tuesday, December 14, 2010


So WikiLeaks recently made the news headlines on all major media. Companies with dirty secrets need to be extra vigilant and watch out for attacks. The next attack target, BAC??? Are controls and processes in place?? What mitigation techniques are effective? Let's monitor and watch for now. :)

Attacking BAC

The Hacka Man

Wednesday, November 3, 2010

XSS without Browser

To all sec guys, I have been cracking my brain over the past 2 weeks thinking about how to verify successful XSS attacks without using the browser. I know it sounds absurd, but that's the way it is. All I have is pcap files. From those pcap files, we can obviously search for the word "script" or other variants of XSS attacks by using regular expressions. However, how do we know if an attempt was successfully executed or is just a false positive? Looking at the HTTP 200 response code will tell me that the attempt went through, but how do we know if we are truly exploited? JavaScript maybe?

The Hacka Man
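One way to answer the question in the post above from captured traffic, as an added example that is not part of the original post: pair each HTTP request with its response (the pcap first has to be reassembled into TCP streams, and TLS traffic is opaque without the server key), URL-decode the request parameters, look for XSS-like payloads with a regular expression, and then check whether the response body reflects the payload unescaped. A 200 on its own proves nothing; the payload echoed back verbatim inside HTML is the strongest evidence a browser would have executed it, while an HTML-encoded echo is the false positive the post worries about. The request and response strings below are constructed samples, and the signature pattern and verdict labels are my own.

```python
import re
from html import escape
from urllib.parse import urlsplit, parse_qsl

# Constructed sample traffic, as it would look after reassembling one TCP stream from the pcap.
ATTACK_REQUEST = (
    "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1\r\n"
    "Host: shop.example\r\n\r\n"
)
BENIGN_REQUEST = "GET /search?q=shoes HTTP/1.1\r\nHost: shop.example\r\n\r\n"

RESPONSE_UNESCAPED = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<html><body>Results for <script>alert(1)</script></body></html>"
)
RESPONSE_ESCAPED = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<html><body>Results for &lt;script&gt;alert(1)&lt;/script&gt;</body></html>"
)
RESPONSE_NO_ECHO = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<html><body>No results.</body></html>"
)

# Crude signature for the attempt itself (my own pattern; tune it to the traffic you have).
XSS_PATTERN = re.compile(r"<\s*script|javascript:|\bon\w+\s*=|<\s*(?:img|svg|iframe)\b", re.I)


def request_params(raw):
    """Return decoded (name, value) pairs from the query string and, for POST, the body."""
    head, _, body = raw.partition("\r\n\r\n")
    method, target, _ = head.split("\r\n")[0].split(" ", 2)
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    if method.upper() == "POST" and body:
        params += parse_qsl(body, keep_blank_values=True)
    return params


def response_parts(raw):
    """Return (status_code, body) from a raw HTTP response."""
    head, _, body = raw.partition("\r\n\r\n")
    status = int(head.split("\r\n")[0].split(" ")[1])
    return status, body


def classify(raw_request, raw_response):
    """Grade one request/response pair.

    verdicts:
      no-attempt             nothing XSS-like in any parameter
      reflected-unescaped    payload echoed verbatim in the body: treat as exploited
      reflected-escaped      payload echoed but HTML-encoded: the likely false positive
      attempt-not-reflected  payload sent, not echoed (blocked, or stored for later)
    """
    payloads = [v for _, v in request_params(raw_request) if XSS_PATTERN.search(v)]
    status, body = response_parts(raw_response)
    if not payloads:
        return {"verdict": "no-attempt", "status": status, "payload": None}
    for p in payloads:
        if p in body:
            return {"verdict": "reflected-unescaped", "status": status, "payload": p}
        if escape(p) in body or escape(p, quote=False) in body:
            return {"verdict": "reflected-escaped", "status": status, "payload": p}
    return {"verdict": "attempt-not-reflected", "status": status, "payload": payloads[0]}


if __name__ == "__main__":
    cases = [("unescaped", ATTACK_REQUEST, RESPONSE_UNESCAPED),
             ("escaped", ATTACK_REQUEST, RESPONSE_ESCAPED),
             ("no echo", ATTACK_REQUEST, RESPONSE_NO_ECHO),
             ("benign", BENIGN_REQUEST, RESPONSE_NO_ECHO)]
    for name, req, resp in cases:
        print(name, classify(req, resp))
```

This only covers reflected XSS: a stored payload shows up in some later response to a different client, and a DOM-based one never appears in a server response at all, so neither can be confirmed from the single exchange. An unescaped reflection also says the injection reached the page, not that any particular victim's browser ran it; for that you still need the client side.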

Monday, August 18, 2008

Better Risk Management for Banking Industry

With the recent identity theft cases happening around the banking industry, a new regulation is going to be implemented to combat identity theft. Effective November 1, 2008, all federally regulated banks, credit card companies and other financial institutions will be required to be in full compliance with the Identity Theft Red Flags Rule, which is designed to help financial services firms protect consumers' identities. The goal of the rules is to "flag" attempted and actual identity theft early, thereby reducing the consequences associated with identity theft.

Each institution's program must include policies and procedures for detecting, preventing and mitigating identity theft. Further, the program must set forth a list of red flag activities that signal possible identity theft and a response plan for when a flag is raised. In addition, each financial institution must update its program periodically to reflect changes in identity theft risks and implement a risk management program as part of the Red Flags regulation.

8 tips for better risk management:

1. Assess in detail the different products and services a financial institution offers, and review which red flags and level of risk apply to each product or service. For example, credit cards need a high level of monitoring and pose high risk, as fraudulent activity is most likely there.

2. Streamline automated and manual checks for red flag items where necessary.

3. Focus on the different channels through which these products and services are delivered to end users. For example, online access over the internet is riskier than physically going to the bank.

4. Spend a different amount of attention on each product and service based on its risk factor. High risk demands more attention.

5. Study the institution's historical data to identify fraud activity, patterns, etc.

6. Integrate risk management with the current security and privacy programs by adopting a similar approach to risk assessments across departments and reusing the data from each assessment in the others. This makes it clear which regulation targets each risk or red flag action item, avoids duplicated effort, and lets the institution attack and place checks on the ones that are relevant.

7. Do not depend entirely on the vendor or service bureau to put checks in place and conduct its own risk assessment. Instead, have a thorough risk assessment program initiated and run by the financial institution for each of its service bureaus to ensure foolproof checks and updates.

8. Appoint a key person to take charge and ownership of the risk management process. This person will initiate an annual review of program effectiveness, adopt a revision process, monitor and constantly analyze the current industry situation and risk profile, appoint a committee to ensure the appropriate program is deployed, and make and propose changes.

The Hacka Man

How to hack a Bank part 1?

This is going to be a very sensitive topic for the banking industry; however, I am not going to post any exploits or vulnerabilities showing how to hack a bank, but instead a high level overview of how to gain money from a bank. I am not going to write a long article on this, as the story might go on and on.

Several months back, I was performing a penetration test for a large bank here. Although it was only a web penetration test, I was already observing the banking environment, the technology used, the physical environment, their partners, ATMs etc., to see if loopholes could be discovered. Every day at the bank, I made new friends and started talking to them to learn more about the banking environment and the nature of the job. At the end of the penetration test, I was thinking of publishing an article on how to hack a bank; however, either I was too lazy to do so or I couldn't be bothered. Today, I just feel like writing an article on it, just a sudden urge to do so.

In the early days, the banking environment used to be a simple and closed environment where the only way to hack the bank was to rob the bank. There were no ATMs, no internet banking, no huge and complicated networks. To withdraw any money, the only way was to go to the bank's branch, fill in the withdrawal form and provide your bank account passbook for updating, and the money was given to you. The mainframe was the backend system that did all the processing of the transactions, and I think it still prevails to this very day. Today, we are more advanced. We have internet banking without the need for any passbooks, we have ATMs, credit and debit cards, complex networks interconnecting multiple systems, cash deposit machines, huge variations of databases, and partners that might house the bank's data. So you see, there used to be maybe one or two doors open. Today, however, many possibilities exist because multiple doors are open. We still have not factored in the physical site and environment. You might be surprised that this is one of the easiest ways to enter the bank.

A lot of people might think that hacking a bank is a tough job due to its tight security and controls, but you might be surprised that sometimes the weakest link is actually the easiest link. Stay tuned for part 2.

Disclaimer: The materials and information here are solely for educational purposes. Do not attempt to hack a bank with the knowledge acquired. Do not try this at any bank.

The Hacka Man

Monday, May 12, 2008

Yet Another SQL injection

I was bored the other day, so here I am again toying and playing with SQL injection. Wow, for this particular site, not only did they not turn off debugging, they also let me view other very juicy information. I must say that if I were determined to hack the site, I could successfully grab lots of juicy information. Not only that, because it is an online shopping site, I could change information and buy things at a much, much cheaper price. Check out the information leakage!!

The Hacka Man
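The two things the post above points at, a debugging error handler that echoes the failing statement and a query that lets one parameter read through to other tables, as an added example that is not from the post (the shop's own code is not shown anywhere on this page): a Python product lookup that builds its SQL by string concatenation, beside the parameterized form that defeats the same inputs. The in-memory SQLite tables and rows are constructed for the example, and the `debug` flag stands in for the server-side debugging the post says was left on.

```python
import sqlite3


def build_db():
    """Constructed stand-in for the shop's database: a products table and the
    users table an attacker is really after."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "Keyboard", 49.0), (2, "Monitor", 199.0)])
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice@shop.example", "$2b$12$constructed-hash")])
    return conn


def lookup_vulnerable(conn, product_id, debug=True):
    """The bug: user input pasted straight into SQL. With debug=True the error
    handler also echoes the failing statement, which is the 'debugging left on' leak."""
    query = f"SELECT id, name, price FROM products WHERE id = {product_id}"
    try:
        return conn.execute(query).fetchall()
    except sqlite3.Error as exc:
        if debug:
            raise RuntimeError(f"DB error in {query!r}: {exc}") from exc
        raise RuntimeError("internal error") from exc


def probe_error(conn, product_id, debug=True):
    """Return the error text a client would see for a malformed id (None if no error)."""
    try:
        lookup_vulnerable(conn, product_id, debug=debug)
    except RuntimeError as exc:
        return str(exc)
    return None


def lookup_safe(conn, product_id):
    """Fix: validate the type, then bind the value; the database never parses it as SQL."""
    try:
        pid = int(product_id)
    except (TypeError, ValueError):
        return []
    return conn.execute("SELECT id, name, price FROM products WHERE id = ?", (pid,)).fetchall()


if __name__ == "__main__":
    conn = build_db()
    # Tautology: every product comes back, not just id 1.
    print(lookup_vulnerable(conn, "1 OR 1=1"))
    # UNION: the users table read through the product page.
    print(lookup_vulnerable(conn, "1 UNION SELECT id, email, pw_hash FROM users"))
    # A stray quote: the debug handler hands back the query shape.
    print(probe_error(conn, "1'"))
    print(lookup_safe(conn, "1 OR 1=1"))  # []
    print(lookup_safe(conn, "2"))         # [(2, 'Monitor', 199.0)]
```

The same concatenation on a write path (a cart update, say) is what turns information leakage into the cheaper purchase the post mentions, and the fix is identical: bind every value, and keep the raw database error out of anything a client can see.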

Thursday, April 3, 2008

Scanless PCI, Hurray

Some time ago, I mentioned something about PCI and its credibility. In short, I was asking whether all those PCI certified companies are safe from attacks just because they are PCI certified. Today we witnessed something better, more cost effective, faster, less intrusive and, for the best part, it does not even cost a single cent compared to HackerSafe or Qualys, unless you subscribe to additional services. Well, I have not personally registered for the service, but I guess it will be much more proficient with the current PCI standards. The setup is simple: just copy and paste the code to your site and that will do it. Check out

The Hacka Man

Wednesday, January 30, 2008

PIX/ASA Finesse 7.1 & 7.2 Privilege Escalation

I was trying to get into admin mode without the enable password during a penetration test and came across a post by Terry where he describes a design flaw in the PIX/ASA Finesse operating system, versions 7.1 and 7.2. It was possible to escalate a normal level 0 user to a level 15 privileged user. The exploit is simple and it only works locally, at the console, and remotely over Telnet. However, do note that it will NOT work if SSH, TACACS or RADIUS is implemented on the firewall. Below are the steps.

1. Log in with your level 0 user account. Once logged in, you will be prompted to enter the enable password, which is the privileged-mode password.

2. At this prompt, if you move your cursor forward with a space or character (it doesn't matter if there is more than one), and then proceed to delete any spaces or characters, holding down backspace for a second after deleting the last character should immediately drop you into level 15 privileged-exec mode.

It has been tested on a PIX 515E running Finesse version 7.2, and I have also tested it on the PIX 525.

The Hacka Man

Wednesday, January 16, 2008

Web Attacker Toolkit

Sorry for the lack of updates. I have been roaming around for the past 2 months and felt a little lazy about updating my blog. I was reading news on the internet today and read something about a hacking toolkit that was able to compromise thousands of web servers, which caught my attention. Apparently the tool, called the "Web Attacker Toolkit", can be bought from the Russian hacking group Inex-Lux for a cheap price. All unpatched IE and Firefox browsers can be compromised, with a trojan silently installed on the local PC without the user knowing. Once a trojan is installed, the game is over. After reading the news, of course I upgraded my IE and my Firefox to the latest versions to avoid any exploitation. Check out those three links below:

The Hacka Man