Software takes brain power out of hacking

17:00, Jul 28 2011

Computer security professionals say breaking into websites and computer networks is now as simple as downloading free software, selecting a target and hitting ''run"

Even without a specific target in mind, a method called ''Google hacking'' allows hackers to find target servers running vulnerable software using just the search engine.

''If an attacker wants to get in, it's just a matter of time really,'' Ty Miller, the chief technology officer at Pure Hacking, said.

''You can use the search engine to find vulnerable companies and it's trivial to gain access to company firewalls and administrative access to people's systems and get straight into their internal network.''

Chris Gatford, of HackLabs, which like Pure Hacking is hired by organisations to break into their systems to test their security, said attackers with specific targets in mind often used a software tool called ''Metasploit''.

Hackers just point the software at a target and then wait while it searches for exploits in the system and, if there are any holes, provides access.


''Tools to perform complex attacks are readily available, they're extremely easy to use and people have made good use of these tools for several years,'' Mr Gatford said. ''I could teach you the basics of gaining unauthorised access in a day.''

Mr Miller said all it took was one piece of software on the target server to contain an unpatched security flaw for the entire system to be vulnerable. Even fully patched systems can be accessed if the attacker has what is known as a 0-day exploit.

''We do internal penetration tests where we act as a rogue employee or an attacker ... usually within a day we've been able to take over the entire network, gaining access to every system and every application and also all of the user names and passwords for the company,'' he said.

As the federal police Assistant Commissioner, Neil Gaughan, said yesterday: ''Even the best security systems are only as strong as the weakest link.''

The police charged Mr Cecil over allegedly breaking into a national broadband network service provider, but their investigation began when Sydney University's website was defaced and a Melbourne web-hosting provider was attacked.

Website vandalism is so common that the website, which catalogues website defacements, logs over 95,000 separate incidents a month. In 2002 when the site launched it was averaging 2500 monthly defacements.

Mr Miller said he was ''surprised'' Mr Cecil was arrested considering the extent of cybercrime and the fact that arrests and convictions are rarely secured.

"When you're no longer shocked that a company has been hacked but you are shocked that a hacker has been arrested, that's not good," he said.

Types of hackers:

Script kiddies - Amateurs who use free hacking software obtained online

Elite hackers - The most skilled hackers who find vulnerabilities and create new exploits

Hacktivist - Hackers who use technology to send social, ideological, religious or political messages

Black hat - Hackers who use their skills to attack networks

White hat - Hackers who use their skills for help companies be secure

Grey hat - Hackers who break into systems to notify administrators of security failings

n00b - Newbies who have little to no knowledge of hacking

Sydney Morning Herald