Hacker demonstrates targeted attack

Hacker Robert Hansen, also known as RSnake, demonstrates the pains cybercriminals take to target specific organizations and individuals through an exercise posted on his blog, which targeted the head of Google's spam team. Hansen's exercise underscores the threat companies face from today's organized and patient cybercriminals.

This article can also be found in the Premium Editorial Download: Information Security magazine: Nine tips to guarding your intellectual property.

Determined attackers will go to great pains to exploit you and your applications.


Unless you're locked in a room with some guy from a three-letter government agency, chances are that anything you've heard about a targeted attack on an organization is strictly hypothetical. Details are scarce and what you hear usually involves theories about a phishing scheme, zero-day exploits or crimeware. That's all well and good, but all of that is too far after the fact to really get a grip on the issue.

The real insight comes when the topic turns to the reconnaissance cybercriminals conduct against a target.

It's frightening how deep a cracker will dig and how much time he'll invest to learn about your organization. It's an equally scary proposition when you learn--often too late--what you've exposed about yourself online, or worse, what seemingly innocuous applications running on your machine leak to the world.

Enter a hacker nicknamed RSnake. His real name is Robert Hansen and he's behind ha.ckers.org, a hacker site and self-professed application security lab. Hansen, whose day job is heading a security consultancy, recently posted details of an exercise he ran, he says, to demonstrate the pains a determined attacker takes to target not only an organization, but a key individual within it.

The essay, called "Death by 1000 Cutts," is the tale of a targeted attack on a guy named Matt Cutts, who not only is a sometime visitor and poster to Hansen's site, but is the head of Google's spam team. He's an SEO guru and a not-so-coincidental target. Hansen's distaste for Google and its security practices is no secret--just peruse a few pages of his site to see for yourself.

Hansen set out to prove that a hacker who knows what he's doing can exploit the most inconsequential series of actions and carry them out to a potentially disastrous end. Cutts' greatest sin was merely visiting the hacker site. As Hansen put it: "His browser has touched my website, which is often all an attacker needs, if I know what to look for."

Hansen's full write-up is meticulous and posted on his site; in brief, Cutts' visit left his IP address and browser in the ha.ckers.org logs. From those log captures and some Google searches, Hansen determined that Cutts was running a vulnerable instance of Google Desktop, and along the way turned up his home phone number, work address, the schools he attended and the sites he visits. Each of those serves an attacker: they are candidate passwords, answers to account-recovery challenge questions, and a list of third-party sites worth attacking to get at him. Armed with that knowledge, Hansen could have sent exploit code back to Cutts' browser and used a cross-site scripting attack against Google Desktop to gain, in theory, access to Cutts' files, email and more. Hansen says he did not go through with the attack.
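The whole exercise starts from what one page visit writes into the site owner's web server log. As an added example (not from the original article and not Hansen's code), the Python below parses constructed Apache combined-format log lines and pulls out the fields an attacker pivots on: the client IP, the browser and OS advertised in the User-Agent, client-side software tokens such as ".NET CLR", and the Referer, which gives away either the search terms that led the visitor to the site or the name of an internal host he came from. The log lines, the addresses (RFC 5737 documentation ranges) and the hostnames are constructed for this example, and the User-Agent heuristics are an assumption that covers only common 2007-era strings.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample lines in Apache "combined" log format. The addresses come
# from RFC 5737 documentation ranges and the hosts are invented for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Mar/2007:09:12:03 -0700] "GET /blog/ HTTP/1.1" 200 8231 "http://www.google.com/search?q=ha.ckers.org+xss" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
203.0.113.7 - - [14/Mar/2007:09:12:05 -0700] "GET /blog/feed/ HTTP/1.1" 200 1042 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
198.51.100.22 - - [14/Mar/2007:10:01:44 -0700] "GET /xss.html HTTP/1.1" 200 512 "http://wiki.corp.example.test/Security/Vendors" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
not a log line at all
"""

# One combined-format line: ip ident user [timestamp] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumption: a small substring map for the OS token; real UA parsing needs a
# maintained database, but these tokens are enough to show the idea.
OS_TOKENS = [
    ("Windows NT 6.0", "Windows Vista"),
    ("Windows NT 5.1", "Windows XP"),
    ("Windows NT 5.0", "Windows 2000"),
    ("Mac OS X", "Mac OS X"),
    ("Linux", "Linux"),
]

BROWSER_RES = [
    ("Firefox", re.compile(r"Firefox/([\d.]+)")),
    ("Internet Explorer", re.compile(r"MSIE ([\d.]+)")),
    ("Opera", re.compile(r"Opera/([\d.]+)")),
]


def parse_log_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_user_agent(ua):
    """Pull browser, OS and 'extra' tokens (installed client software) out of a UA string."""
    browser = "unknown"
    for name, rx in BROWSER_RES:
        m = rx.search(ua)
        if m:
            browser = f"{name} {m.group(1)}"
            break
    os_name = next((label for token, label in OS_TOKENS if token in ua), "unknown")
    # Tokens such as ".NET CLR x.y" advertise software installed on the client,
    # which is exactly the kind of detail an attacker matches against known bugs.
    extras = re.findall(r"\.NET CLR [\d.]+", ua)
    return {"browser": browser, "os": os_name, "extras": extras}


def referer_clues(referer):
    """What the Referer header gives away: where the visitor came from and any search terms."""
    if referer in ("", "-"):
        return {"host": None, "search_terms": []}
    u = urlparse(referer)
    terms = parse_qs(u.query).get("q", [])  # search-engine referers carried q=... in the clear
    return {"host": u.hostname, "search_terms": terms}


def profile_visitors(log_text):
    """Group hits by client IP and collect the reconnaissance signal each visitor leaves."""
    profiles = {}
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue  # malformed or non-log line; skip it rather than crash
        p = profiles.setdefault(rec["ip"], {
            "hits": 0, "paths": [], "browsers": set(), "os": set(),
            "client_software": set(), "referer_hosts": set(), "search_terms": set(),
        })
        p["hits"] += 1
        p["paths"].append(rec["path"])
        ua = classify_user_agent(rec["ua"])
        p["browsers"].add(ua["browser"])
        p["os"].add(ua["os"])
        p["client_software"].update(ua["extras"])
        ref = referer_clues(rec["referer"])
        if ref["host"]:
            p["referer_hosts"].add(ref["host"])
        p["search_terms"].update(ref["search_terms"])
    return profiles


if __name__ == "__main__":
    for ip, profile in profile_visitors(SAMPLE_LOG).items():
        print(ip, profile)
```

Run it and the second constructed visitor stands out: an Internet Explorer 6 user on Windows XP with a specific .NET runtime installed, arriving from a hostname under an internal wiki. None of that required an exploit; it is ordinary log data, which is Hansen's point. The specific way he identified Google Desktop is in his own post and is not reproduced here.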

"Every tiny thing that someone blows off that's kinda bad adds up super fast; just randomly visiting a hacker site is kinda bad, having JavaScript turned on is kinda bad, having Google Desktop turned on is kinda bad, but they add up super fast," Hansen says.

This is today's hacker: an organized, patient criminal who relies on your mistakes and ubiquitous holes in applications to sneak off with your organization's most precious assets (see "Who's Had a Taste of Your Intellectual Property?"). Hackers do recon; it's probably their most insidious weapon, and it pays off. Remember, you're a target, and if you have visibility, you're a bigger target.

But for now, keep this thought: If you surf over to ha.ckers.org, tread lightly--and turn off JavaScript.

This was first published in May 2007
