
News Blog

Read all 'hackers' posts in News Blog
June 2, 2008 4:33 PM PDT

Networking with hackers

by Elinor Mills
  • 3 comments

On Facebook, you can poke your friends and test your movie compatibility. On the House of Hackers social network, members share information about securing computer systems, exploiting vulnerabilities, and all sorts of things related to hacker culture.

(Credit: House of Hackers)
Some people think of hackers as the bad guys who break into computer networks and steal data. In actuality, the term can be applied not just to people who circumvent computer security, but to home computer builders like Apple co-founder Steve Wozniak, open-source programmers, and people who in general like to tinker with technology, test the limits of information systems, and think outside the box.

It's with this broad definition in mind that Petko D. Petkov launched House of Hackers, the first social network devoted to the often-maligned group. London-based Petkov is the founder of information security think tank GNUCitizen (no relation to the GNU open-source operating system).

Petkov writes in his blog introducing the site, "We do not promote criminal activities." Still, the site is likely to attract hackers of all stripes--white hat, gray hat, and black hat hackers--as they are referred to depending on their motivation.

Unlike Facebook, there aren't a lot of personal photos and information on profiles here. This group prefers to talk about ideas rather than post photos of themselves and announce what they did last night.

Unveiled a month ago, the site now has about 4,000 members who share their ideas in blogs, announce events, and discuss diverse topics in groups with names like Life Hacker; Urban Explorers (an examination of the normally unseen or off-limits parts of human civilization); Black PR (public relations with a negative twist); Female Hackers; IT Professionals, and Reversing (for people who like to take things apart and see how they work).

There are also groups devoted to topics like hacker movies, open-source security, wireless and mobile device security issues, electronic music, cryptology, cross-site scripting attacks, iPhone cracking, and hackers from countries around the globe.

"I wanted to aggregate in a single place people interested in hacker culture, security, people trying to find solutions to interesting problems," he said in an interview Monday.

The goal is to bring people together to share ideas, collaborate on projects, and eventually create a recruitment market for independent security consultants, he said. Toward that end, Petkov will be working on a system to verify job experience, training, and performance.

Whether companies will come a-hiring remains to be seen. But for those who want to see what today's digital rebels are up to, this site offers a glimpse.

June 2, 2008 10:49 AM PDT

Phoenix Mars Lander Web site hacked

by Elinor Mills
  • 16 comments

The Web site for the Phoenix Mars Lander mission was hacked over the weekend with readers of the main news article redirected to an overseas Web site, a spokeswoman for the mission said on Monday.

Someone was able to access the site Friday night and change the "read more" link to connect to an outside site that was in a foreign language, said Sara Hammond, spokeswoman for the mission being led by the University of Arizona. She was not sure what language it was.

Several hours later another attempt to hack the site was made and site administrators took the site down for nine hours to fix the problem, she said. The site was back up on Saturday afternoon.

"We're taking the appropriate steps to identify who it is, and we've improved our security on the site," she said.

The Phoenix Mars Lander vehicle touched down on Sunday and will use a robotic arm to dig through the ground and bring back soil and water samples for analysis. The goal is to study the history of water in the Martian arctic and search for evidence of a habitable zone.

The Web site for the Phoenix Mars Mission was hacked over the weekend.

(Credit: Phoenix Mars Mission)
May 30, 2008 11:51 AM PDT

Teens await arrest after Comcast attack

by Elinor Mills
  • 46 comments

Updated at 12:15 p.m. PDT to clarify that Comcast wasn't technically hacked, but that its domain and Web site were hijacked.

Two teenagers who say they hijacked Comcast's Web portal on Thursday also say they expect to be arrested for their actions.

"I wish I was a minor right now because this is going to be really bad," 19-year-old "Defiant" told Wired's Kevin Poulsen, who managed to get a one-hour phone interview with Defiant and his 18-year-old cohort "EBK."

"I slept in my clothes, because the last time they came, I was in my underwear with my dong hanging out and shit," Defiant said of a past raid.

On Thursday, Comcast's portal was defaced, leaving some e-mail subscribers without service. On the site, the hackers referenced their group: "KRYOGENICS Defiant and EBK RoXed Comcast."

The teens say that after they initially managed to take control of Comcast's registrar account at Network Solutions, they called the company's technical contact to tell him, but he dismissed their claim and hung up on them.

That response angered EBK, who says he then decided to redirect traffic from Comcast's site to other servers. "I wasn't even really thinking," he said. "Plus, I'm just so mad at Comcast. I'm tired of their shitty service."

Meanwhile, the teens say they did not grab user names and passwords during the hack, even though they could have.

May 27, 2008 12:28 PM PDT

Hackers attack Russian nuclear power Web sites

by Elinor Mills
  • 1 comment

In what Russian officials say was a coordinated effort, hackers knocked Web sites for nuclear power plants offline temporarily last week amid false reports of an accident at a plant, according to Russian news agency RIA Novosti.

Several Internet forums had false reports of radioactive emissions from the Leningrad Nuclear Power Plant near St. Petersburg at the same time as some official Web sites that provide real-time information about radiation incidents were attacked, said a spokesman for the Rosatom state nuclear corporation.

"This was a planned action by hackers, which has brought down almost all sites providing access to the Automatic Radiation Environment Control System (ASKRO), including the Leningrad NPP site, the rosatom.ru site, and others," he said.

Last year, several dozen people who believed similar false reports of an accident at the Volgodonsk nuclear plant fell ill after poisoning themselves with iodine, thinking that ingesting it would offset radiation damage.

(Thanks to Paul Ferguson of Trend Micro.)

May 15, 2008 4:02 PM PDT

Hacker confab 'Last HOPE' to track attendees with RFID

by Elinor Mills
  • 2 comments

People attending the Last HOPE hacker conference in New York City this July will be getting more than just an agenda and badge when they check in.

The badges will have electronic tracking devices, using radio frequency identification technology, that will be tracking their movements throughout the three-day event.

Conference attendees can then participate in games created around the tracking system, such as by trying to protect their privacy, finding vulnerabilities in the system, and employing data mining techniques to learn more about other participants.

Large monitors at the show will display in real-time the activities of the badge carriers in what the conference organizers say will be the first time the general public "will be able to participate in the transparent operation of a major RFID tracking program."

This demonstration will be open to the public at The Last HOPE (Hackers On Planet Earth) conference from July 18 to 20 at the Hotel Pennsylvania in New York City.

May 8, 2008 10:16 AM PDT

Attack on epilepsy Web site prompts migraines, near seizures

by Elinor Mills
  • 6 comments

Someone posted hundreds of flashing images and links to more pulsating images on the Epilepsy Foundation site, triggering severe migraines and near seizures for some visitors recently, the Associated Press reports.

The recent attack was likely designed to cause seizures given that it is common knowledge that exposure to flickering images, such as those in video games and cartoons, can bring on such problems in people with photosensitive epilepsy, the foundation said.

Hackers exploited a security hole in the site's publishing software that allowed them to make numerous posts quickly in the support forum. Since the attack, policies have been changed so that visitors can't post animated images or create direct links to other sites, the report says. The FBI also is investigating the matter.

Web site attackers have also targeted the blind, releasing malicious code earlier this year that disabled text-to-speech software used by Web sites for the visually impaired. Researchers believe that attack was designed to cripple computers running illegal copies of the software.

Last month, in a separate attack involving political sites, someone exploited a weakness in Democratic presidential hopeful Barack Obama's Web site and redirected visitors to the community blogs section on rival Hillary Clinton's site.

May 2, 2008 3:45 PM PDT

Antivirus holes, browser spies are highlights at Microsoft's BlueHat hacker sessions

by Elinor Mills
  • 1 comment

The ease with which holes in antivirus software can be discovered and the insidiousness of invisible scripts that can track your Web surfing were two of the notable talks at the BlueHat hacker sessions Microsoft held Friday on its Redmond, Wash., campus, according to a veteran attendee.

The invitation-only event, held every six months for the past three years, brings top security researchers to the home of the biggest software company in the world where they discuss the latest and greatest exploits and issues in the world of computer security.

"You actually have 'the developer' who does something who shows up to hear from 'the attacker' who is breaking it. And that's pretty cool," Dan Kaminsky of security firm IOActive said in a phone interview.

The highlights, according to Kaminsky, were: a talk on design weaknesses in Windows by Cesar Cerrudo, founder and chief executive of Argeniss, that Kaminsky described as a "technical tour de force" that was "scaring lots of people over here"; a session by independent security researcher Manuel Caballero on how an invisible script can follow a Web surfer around on the Internet, enabling the "browser to be monitored by the bad guy;" a session on Web browser failings by Alex "kuza55" K., another independent security researcher; as well as a talk on holes in antivirus software by Feng Xue, also known as "Sowhat," who is technical lead at the research lab of Nevis Networks.

"We all kind of know antivirus is broken," said Kaminsky. Xue has been showing "how he can do some pretty simple stuff to AV code and the stuff just falls over. The interesting thing is how easy it is to reach."

For example, Xue explained how sending an infected file to someone then returns a reply that specifies which antivirus product scanned it, which enables a hacker to then use an exploit tailored for that particular product, Kaminsky said.

Xue talked about how to exploit the vulnerabilities through Web pages, peer-to-peer and IM. He also demonstrated some vulnerabilities in antivirus programs that he discovered using "fuzzing," a technique in which you try to make the program fail or crash, he said through an interpreter in a phone interview with CNET News.com. He declined to name the vendor of antivirus software because the company was still working on a patch for the vulnerability.

Xue said he has also used reverse engineering and source-code auditing to find vulnerabilities in most of the top 20 antivirus products. His company is working to disclose the vulnerability information to the companies. AV companies need to be aware that just scanning potentially malicious files, as AV software does to learn whether they contain viruses, puts that software at risk because a file could be written to attack the AV software itself, he said.

Others have found other holes in antivirus software and prompted vendors to fix the vulnerabilities. Recently, a mail server in Denmark was compromised and data was stolen as a result of a Zero Day exploit written to take advantage of an unpatched vulnerability in antivirus software, according to Xue.

Microsoft, which has struggled to protect Vista users against viruses, considers the threat serious and is likely gleaning knowledge for its own Windows Live OneCare antivirus efforts.

Meanwhile, two technologies in Vista--Address Space Layout Randomization and Data Execution Prevention--can help minimize the damage from an attack on a vulnerability in antivirus software, say by crashing the program to prevent a server compromise, Xue said.

For some attendees, the event doesn't end with the sessions. IOActive has organized a limousine race photo scavenger hunt for Friday night that has become somewhat of a tradition. This unofficial event brings some levity after two days of talks.

"It's hard to take yourself too seriously if you're in a big costume rolling around in a limo, getting out and having a photo taken of you hugging a tree," Kaminsky said.

April 9, 2008 11:45 AM PDT

FBI: Lieberman campaign, not hackers, caused 2006 Web site crash

by Anne Broache
  • 2 comments

You may recall that during the heat of the 2006 primary race that prompted then-Democratic Sen. Joe Lieberman to go Independent, the Connecticut politician's Web site, as a colleague of mine so eloquently noted, dropped dead.

Sen. Joe Lieberman

(Credit: U.S. Senate)

At the time, conspiracy theories abounded. There was twittering that liberal bloggers who backed Lieberman's antiwar Democratic rival, Ned Lamont (who went on to win the primary, by the way) were responsible for the site's inaccessibility, and Lieberman's own campaign maintained that a denial-of-service attack had occurred.

Now, nearly two years later, we finally know whom to blame: the Lieberman campaign's own system configuration.

A recent Freedom of Information Act request by the Stamford Advocate, a local newspaper, turned up an FBI memo that concluded there was no evidence of an attack.

Rather, "the server that hosted the joe2006.com Web site failed because it was overutilized and misconfigured," according to an e-mail message dated October 25, 2006 from the FBI's New Haven, Conn., office.

The site crashed because Lieberman officials were exceeding a 100-e-mails-per-hour limit, as configured by their system administrator, on the night before the primary, the memo went on. The system administrator "misinterpreted the root cause" of the additional Web traffic overwhelming the Web server and declared it was being attacked, the FBI memo said.

Lieberman, of course, ultimately won re-election to the Senate as an Independent Party candidate during the November election. The 2000 running mate to Democratic presidential contender Al Gore has also been on the road campaigning for this year's presumptive Republican presidential nominee, John McCain.

March 6, 2008 9:16 AM PST

McAfee's missed messages

by Jon Oltsik
  • 4 comments

When walking through the San Jose Mineta airport on Wednesday, I couldn't help but see McAfee's name strewn throughout the terminal. The marketing folks at McAfee must be on an advertising kick because there are numerous, visible advertisements that read, "Hackers hack code. McAfee hacks hackers."

OK, McAfee, you got my attention, but my question is, just who are you trying to reach with this message? Here is a list of possibilities and my associated confusion:

1. Enterprise customers. This audience doesn't seem likely. Enterprise security today is much more about governance, risk management, and compliance than hacker paranoia. Yes, you do have to guard against hackers, but as part of an overall set of processes and architecture. Doesn't seem like McAfee's advertisements are a good fit here.

2. Consumers. I guess John and Jane Q. Public are more-likely targets, but this seems like a mismatch as well. Consumers want comprehensive protection against viruses, worms, spyware, phishing, etc. The average consumer probably associates the word hacker with movies like Firewall, Swordfish, and War Games--not end-point security.

3. RSA attendees. Maybe, but RSA Conference 2008 isn't for a month and it is in San Francisco, not San Jose.

I've been around high-tech marketing and advertising for a long time and I don't get this strategy or positioning at all. For security professionals, direct fear of hackers harks back to the early 1990s when Kevin Mitnick was on the FBI most-wanted list. Now he is a highly paid security consultant helping companies marry security defenses to business operations. Hmm, maybe this is what McAfee should be talking about as well.

December 3, 2007 2:35 PM PST

Why some cybercriminals get away

by Robert Vamosi

A few weeks ago I had the chance to ask Dave Merkel, vice president of products for Mandiant, a digital forensics company, if there was a point where investigators say "well, that's the best we can do." Apparently a lot of cybercrime cases do hit a brick wall. Merkel said it was a one-in-a-hundred or one-in-two-hundred chance that investigators get the kind of resolution that results in someone's arrest.

"The big challenge is--and this is still true today--there is no Internet equivalent to a local cop or local police agency. You work with actual local agencies and local police but they have limited resources and a lot of times their very best investigators that really become proficient in computer crime can double--if not triple--their salaries by working in private industry.

"The ability to retain the talent that can pursue those crimes is very hard. Federal agencies have a better time of retaining that kind of talent by being able to contract that kind of talent, but their focus a lot of the time is national security issues or problems that are much bigger than what might be plaguing you, particularly in a criminal context. Until it really starts crossing some serious thresholds in terms of loss or risks to national infrastructure, it can be difficult to get their attention."

"That's not a criticism. That's just an acknowledgment of reality today. There are different things that, to use an example, the FBI is focused on today. I would think everyone would know what those things are, so getting someone to pursue--I don't know, a distributed denial-of-service that took your e-commerce site offline--is going to be pretty difficult."

You can read more of Merkel's comments in this Security Watch column. And you can hear more of my interview with him in this Security Bites podcast.

Originally posted at Defense in Depth
