Your Technology Problems...SOLVED

NOVEMBER 14, 2012

Featured Content

What's New at Experts Exchange
From the SLO and beyond

Fun and Games with Hackers
Cd& doesn't mess around

Nata's Corner
Black Friday, Win8 and passwords

Tip From the Moderators
jarmod101 on what is a Mod

In Brief
Things you might have missed

Milestones
Who did what through Nov. 10

What's New at E-E

New Expert: Experts Exchange's newest budding Genius is Kaidynce-Amirah Christina Cross, born to Zayannab and Kevin Cross (mwvisa1) on November 5. In addition to being a database whiz, the proud dad is a basketball coach and projects his youngest daughter as a point guard; "She definitely can dribble," he says.

In beta-testing: If you're a network or system administrator, you might want to take a look at Experts Exchange's "datacenter rack utilization and locator application", also known as dRACKula. Designed by EE's sysadmins, who were frustrated with lost productivity configuring and updating server racks, it allows you to monitor and update your systems with a smart phone or tablet -- from anywhere.

You can listen to Scott McDowell and Immanuel Philips talk about dRACKula on the Experts Exchange podcast; all of the Experts Exchange podcasts are available on iTunes and SoundCloud, and you can listen to them on the Stitcher app for iOS and Android mobile devices.

Contest winners: gkiddle, who is just a few months away from having been a member of EE for a decade, won our first annual pumpkin-carving contest, for which he receives an EE coffee mug and pumpkin-spiced coffee from Starbucks. ValentinoV, who wrote an article about Displaying Checkboxes In An SSRS Report, was selected by the Page Editors as the winner of a Nexus 7 tablet.

Expert Profile: garycase has spent most of his life doing some interesting things with some interesting people in some interesting places. Read EE's profile of an Expert who started learning early and never stopped.

Survey says: Experts Exchange is still looking for comments about revamping the Advanced Search, so feel free to weigh in on the matter.

TEDx San Luis Obispo: If making the jaunt to San Luis Obispo in September was a little out of the way, you can now see all of the talks from the EE-sponsored event. In addition to the comments from Mark Wills, Patrick Matthews and Matt Huxtable, we highly recommend those of Gopi Kallayil of Google and Amanda Koster of SalaamGarage.

Free trial: Know someone who could benefit from Experts Exchange, but who has always said that s/he doesn't want to spend money on something without trying it? Have that person fill out this form and they'll get a 90-day free trial.

Webinar: There are still a few spots available for JamieMcAllister's next webinar about "SharePoint 2010 No-Code Solutions for Power Users" on Thursday, November 15 at 11 am Pacific time. Get one now while they last.

Kudos: A few weeks ago, balajiram23 wrote an article that really wasn't one, so it never got published. But that doesn't mean it wasn't worth reading, so we present it here:

I recently had the good fortune of reading your articles and blogs regarding support on IT strategies. It was very, very useful and contained sound, practical advice. In fact, I have already benefited from your discussion on IT questions and especially the way people reply instantaneously to the queries put, and almost 95-99% of the time I have got the answers to my questions. You pointed out several things that I will remember for years to come.

I look forward to reading your next informative work. Thank you. Please accept my thanks and congratulations on the same. I have got so much information and have learnt so much from the experts on your website. I think this is a great motivator for many students and IT professionals who need a little extra push. Your articles help us realize that our problems are typical, and we can solve them in constructive ways.

In fact most of my serious problems have been solved by the queries we have put from our company, and from my personal point of view too. I really appreciate the efforts and commitment put in by your people for bringing up such a good website, which is very useful for IT guys like me. I am happy that somebody is there to help me in my tough times, when I have nowhere else to go for my queries, which is really a great relief to me.

I wish these types of websites and blogs were concentrated more on serving the requirements of people who are in definite need of answers to their important and useful queries. It's a great pleasure for me to put forth my experiences, and I am happy I am being given the opportunity to express myself in this regard, as these types of websites and blogs must definitely be praised so as to enhance your services. Thank you and keep these good things coming. Thanks and best regards,

Balaji ram - Senior systems analyst - Emarat Maritime

Fun and Games with Hackers

A couple of weeks ago, your humble editor and COBOLdinosaur were engaged in some routine email conversation about something trivial, profound or both when he mentioned that he had to go fend off an attack by a "script kiddie", so we asked that he write up something about his activities, or perhaps some advice, with the inducement that we would shamelessly plug his site. This is his report.

There are two groups who are never welcome to visit my sites: spammers and hackers. Over the years I have developed a number of web sites for clients, and a couple for myself. The spammers are easy; they can be blocked and booted, and their 'bots can be defeated. The hackers are a little more of a challenge, but they can also be fun to deal with.

My latest site at http://coboldinosaur.com/pages/articles.html was up less than a month when it got its first visit from script kiddie hackers and the fun began.

Yes, fun. The kiddie hackers are amusing, and if you have a site designed to meet the lame script-based attacks of clueless fools, entertaining. A good professional hacker can crack any site. There is no such thing as a hack-proof site, but the pros don't go after sites unless there is profit to be gained, and most sites don't have anything they are interested in.

So here comes the amateur hacker: a script kiddie trying to get to my database. They try to connect using all the common paths that could work. Not going to find it that way. I don't use a common path, or a conventional name for the database and tables, and I have a unique arrangement for user accounts. Even if a hacker manages to work through it and crack a password, they will find themselves in a rubber room or on flypaper. The rubber room bounces them around in a couple of pages with no exit. The flypaper is loaded with worthless stuff that looks interesting. Either one keeps them occupied with time-wasting effort.

A non-conventional design is the first step to security. If you are using common off-the-shelf software and/or widely implemented templates and plugins, you are vulnerable as soon as some idiot finds an exploit and posts it on a hacker site. Here is an example from the PHP topic on Experts Exchange. So you need to add a few twists with some custom code when using off-the-shelf hacker magnets. I do sites with custom code, so I just use unique architecture for every site.

Step two is detection. I can see exactly what a hacker is doing and trying because I use up to 25 custom logs to report everything that I have decided I want to know about. I don't have to dig through access logs. If a hacker starts to get too close I just make a change so the path they are on will dead end.

You cannot protect a site unless you know what is going on. All sites have logs; mostly they are ignored because they are difficult to analyze. So do your own logging with simple code like this: http://coboldinosaur.com/pages/scripts/Custom_Logging_Site_Events.html. Log everything that is out of the ordinary into a set of custom logs that should be empty unless somebody is trying to mess with you. The logging can be invoked from anywhere, including scripts that come down through the host, not just HTTP requests. They can also be put in daemons or jobs being run with cron.

As the dumb kids bounce around my site, they provide information, and I can attach variables to their sessions to make tracking easier. If they are stupid enough to use a browser with cookies enabled, I can identify them the second they come on the site, even when they are not trying to hack. As long as I can continue gathering information, I let them wander in the wilderness.

That is part three of the security model. Gather information, don't give it. The last thing you want to do is block an IP while it is still possible to learn more about the hacker and their attack vector. The IP is probably just a proxy, and they will switch to another. If you block them, they are aware you have seen them and they may change the attack vector. Instead, get information. The name of the script, referrer, user agent, and the sequence of steps give you additional ways to identify them and what exploit they are trying. With patience you may get enough information to be able to track them even when they are doing legitimate stuff and not trying to hide.

You also never want to help them by returning a real error message. A blank page tells them nothing. I like to send a 403 to a hacker for a not found page, then watch them try and find a way to get to what they think must be good stuff. Every time they try a new wrinkle I have a chance to find out more about them.

Once I have all the information I think I can get, they get a message page. I let them know that I have been tracking their activities and the next time they attempt to hack I will retaliate. If they try it again they get a response that will crash their computer. Am I going to post that? No, that is something that could be used by morons to attack others. If you notice I am not giving much information of how I track, because that would help the hackers hide; but every transaction requires an exchange of information between the server and whatever they are using for a client. Capture and use the information.

Most script kiddies will stop after three or four failed attempts; if it goes beyond that, you have enough information to respond. Don't go easy. If you have the skills, download a harmless but very annoying bit of adware. If you can get their real IP or the name of the service provider, then contact the admin and notify them of the hacking and indicate you will block their netblock and report the IP to all the blacklists if they do not act. Hackers are scum and deserve absolutely no mercy. Service providers that fail to act against hackers using their facilities deserve to be put out of business.

As for the idiots with unsecured open proxies; they are either stupid (no cure for that) or they are maggots enabling criminal activity and protected by corrupt bureaucrats and politicians. Either way, they belong on public blacklists so web site operators can find them and block them.

Is all this worth the effort? Probably not; but it is recreational and educational. It keeps me up to date on what is being tried by the script kiddies and identifies ways I can make my sites more secure.

The best is when I get an email from a throw away email address whining about how I messed up their computer. That makes my day!

Just in case you missed it my site is at http://coboldinosaur.com/pages/cdHome.html and I never pass up a chance to post my link when it is appropriate.

Cd&
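
Editor's added example: the detection-and-logging piece of Cd&'s approach (custom logs that stay empty unless somebody is probing, a 403 instead of a helpful error, and a record of IP, referrer, user agent and the sequence of attempts) written out in Python. This is not code from his site; the probe paths, the combined-log-format assumption and the sample log lines are all constructed for illustration.

```python
"""
Added example (not COBOLdinosaur's code): a small detector in the spirit of
"custom logs that should be empty unless somebody is trying to mess with you".

It parses combined-format access log lines, flags requests that probe for
common database/admin paths, records only those into a separate "probe" log,
and groups probes by client so the sequence of attempts is visible.
The probe paths and the sample log lines are constructed for this example.
"""
import re
from collections import defaultdict

# Combined log format: ip - - [time] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Paths that nothing on this (hypothetical) site legitimately serves, so a hit
# is a probe for off-the-shelf admin tools. Assumed list; extend it per site.
PROBE_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (
        r'^/(phpmyadmin|pma|myadmin)\b',
        r'^/(wp-admin|wp-login\.php|xmlrpc\.php)\b',
        r'^/(admin|administrator)/',
        r'\.(bak|old|sql|env)$',
        r'\.\./',
    )
]


def parse_line(line):
    """Return a dict of fields, or None if the line is not combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_probe(path):
    """True if the requested path matches one of the known probe patterns."""
    return any(p.search(path) for p in PROBE_PATTERNS)


def scan(lines):
    """Feed access log lines through the detector.

    Returns (probe_log, by_client): probe_log is the list of entries that
    belong in the custom log (empty for innocent traffic); by_client maps
    (ip, user agent) to the ordered list of paths that client probed.
    """
    probe_log = []
    by_client = defaultdict(list)
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or not is_probe(rec['path']):
            continue  # unparseable or ordinary traffic: stays out of the probe log
        client = (rec['ip'], rec['ua'])
        by_client[client].append(rec['path'])
        probe_log.append({
            'time': rec['time'], 'ip': rec['ip'], 'path': rec['path'],
            'referer': rec['referer'], 'ua': rec['ua'],
            'attempt': len(by_client[client]),  # position in this client's sequence
        })
    return probe_log, dict(by_client)


def response_for(path, exists):
    """Status to send back: a probe gets 403 rather than a helpful 404."""
    if is_probe(path):
        return 403
    return 200 if exists else 404


# Constructed sample traffic: one reader and one script probing for databases.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Nov/2012:08:12:01 +0000] "GET /pages/articles.html HTTP/1.1" 200 5120 "http://www.example.com/" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Nov/2012:08:12:05 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 403 0 "-" "python-requests/1.0"',
    '198.51.100.23 - - [10/Nov/2012:08:12:06 +0000] "GET /pma/index.php HTTP/1.1" 403 0 "-" "python-requests/1.0"',
    '198.51.100.23 - - [10/Nov/2012:08:12:07 +0000] "GET /wp-login.php HTTP/1.1" 403 0 "-" "python-requests/1.0"',
    '203.0.113.7 - - [10/Nov/2012:08:13:40 +0000] "GET /pages/cdHome.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    'garbage line that is not an access log record',
]

if __name__ == '__main__':
    log, clients = scan(SAMPLE_LOG)
    for entry in log:
        print(entry)
    for client, paths in clients.items():
        print(client, '->', paths)
```

Run it as-is to see the three probe entries and the per-client sequence; point scan() at a real access log (or call is_probe() from a request handler before deciding on the status code) and the probe log stays empty until somebody starts poking at paths the site never served.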

Nata's Corner

You can't make me. I'm not going to do it. No. But if you want to spend the day after Thanksgiving getting up really early, there are all kinds of sites that list Black Friday ads and deals.

I don't know what all the fuss is about. It's not like anyone I know has ever put anything embarrassing up on an Internet page.

All of us have passwords for all kinds of things, right? And all of us are religious about changing them, and using odd combinations of random letters, numbers and symbols so they're completely unguessable, right? And we never write them down, or leave them on Post-its on the side of our monitors, right? I thought not. But that's what PasswordCard is designed to help with. They give you a printable card that, even if someone finds it, can keep track of all your secure passwords in a non-electronic form that's small enough to fit in your wallet. While it's true that the number of victims in the US was down last year, it's also true that the cost per incident is going up, so maybe a low-tech way of keeping track of them is worth the few minutes it will take to protect yourself.

If that much effort isn't worth it for you, then you should read through the suggestions listed in The New York Times, along with some follow-up ideas from their readers. But whatever you do, it's like locking the door to your house; you may live in a little town where everyone knows everyone, and nothing really ever happens, but you'll only have yourself to blame if someone steals your television.

A few months ago, the other half bought me a new laptop that came with Windows 7, but it also came with a very inexpensive upgrade to Windows 8, and I haven't done that yet (I'm still trying to get used to one system before I go leaping into another, and we all know what a new Windows operating system is like, so I think I'll let them get some of the bugs out of it first). But if you're in the same position, you might want to take a quick look at Sophos' security tips for Windows 8. There's also the free e-book from Dell, and an upgrade assistant available from Microsoft, which is critical. If you don't run it, and you don't have the latest drivers, you're going to wind up with a black screen and only a cursor to show for it.

I know Halloween was a couple of weeks ago, but this makes Dracula look like a Curious George story. There's a PR company out there that builds a plug-in for Outlook 2010 that tells the sender of an email a lot more about the recipient than most of us would like -- unless, of course, you're one of those creepy PR people.

Finally, if you don't have a Facebook account but are thinking of getting one, the company has started giving new users specific instructions on privacy settings, along with a lot of other stuff. Now if they'll just do the right thing and show the rest of us where all their secret settings are.

In Brief

You will never find a more wretched hive of scum and villainy: Thank god that's over. Biggest winner is Nate Silver of FiveThirtyEight, who proved yet again why, while statistics is one of the three kinds of lies, they can also tell the truth if you don't have a stake in the game. Second biggest winner: Twitter, for getting through the night without a single whale sighting. For our part, if we never hear the words "this ad was paid for by [insert name of shadowy political action committee] which is solely responsible for its content" ever again, it will be too soon. Okay, except for the Americans For A Better Tomorrow, Tomorrow.

...millions of voices suddenly cried out in terror and were suddenly silenced...: The Walt Disney Co. (which already owns Pixar, founded by George Lucas and later sold to Steve Jobs) is buying Lucasfilm.

She may not look like much, but she's got it where it counts...: There will always be an England, and fortunately, its headline writers will always be creative.

Hokey religions and ancient weapons are no match for a good blaster: In one corner, there was the electronic version of the same systems in place since, oh, 1960. In the other corner, there was 2008 on steroids.

We seem to be made to suffer. It's our lot in life: There's a startup that makes it possible for companies to keep using IE 6... but Live Messenger is being shut down. Oh, and Windows 8 is selling well, sorta (if you ignore the fact that there are something like 670 million devices running some brand of Windows), as long as you don't ask businesses about it.

Fear will keep the local systems in line: Europe, while on the one hand looking for ways to extract cash from Google, is also looking at a way to simply opt out.

It's all a lot of simple tricks and nonsense: Lockheed-Martin won a contract to implement a Microsoft 365 system for the Environmental Protection Agency.

Hey, what are you trying to push on us? The secret is out about Facebook's impact on business bottom lines.

Jabba, you're a wonderful human being: If you're using SSL on your website, expect a letter from a law firm about a complaint. It should come as no surprise if a lawsuit is filed in Texas.

What good's a reward if you ain't around to use it? Or if the lawyers are going to take a bunch of it?

She'll make point five past lightspeed...: as long as you do it their way, that is. Southwest Airlines sent a "cease and desist" letter to a guy who built a website that would check you into one of their flights automatically as early as possible. Apparently, SWA is all about great customer service as long as it's the people deciding what great customer service is (and charging $10 for it).

I used to bullseye womp rats in my T-16 back home: Remember a little over a year ago when Netflix CEO Reed Hastings tried to split his company in two after raising the price, and it blew up in his face? Today, his company is responsible for one-third of North American bandwidth. It must be tough being right all the time.

I think you overestimate their chances... which is why big tech companies keep chasing the money instead of paying attention. Then again, the Chinese do have issues.

I sense something; a presence I've not felt since... Yahoo, pre-Mayer. Carl Icahn's latest target: Netflix.

I'd prefer a straight fight to all this sneaking around: Apple tried to pull a fast one after losing a round to Samsung, but the UK court said "not so fast".

I told you she would never consciously betray the Rebellion: Coca-Cola got hacked and kept it quiet -- kind of like the secret formula.

Help me, Obi-Wan Kenobi. You're my only hope (Signs of the Apocalypse): A "private" Facebook. Siri gets prudish. A mouse that requires you to go online to get it to work. Navy SEALs were punished for consulting on a video game. And the person who will be writing the script for the next Star Wars movie also did Little Miss Sunshine.

Milestones

New Geniuses: ralmada's third Genius certificate comes in the Query Syntax topic area. nav_kum_v has earned his first, in Oracle. Congratulations!

Milestones:

Expert | Topic Area | Certificate
hjgode | .NET Programming | Master
plusone3055 | .NET Programming | Master
TheAvenger | .NET Programming | Master
sarang_tinguria | Active Directory | Guru
lazarus98 | Active Directory | Master
CEHJ | Algorithms | Master
DrDamnit | Apache Web Server | Master
pateljitu | ASP | Wizard
angus_young_acdc | ASP.NET | Master
GaryC123 | ASP.NET | Master
ghergu | ASP.NET | Master
hielo | C# | Master
pkbugudai | C# | Master
Qlemo | Cisco PIX/ASA | Master
Kvistofta | Cisco PIX/ASA | Wizard
madunix | Consulting | Master
MASQUERAID | Digital Music | Master
DrDave242 | DNS | Wizard
McKnife | Encryption | Master
codercc | Exchange | Master
Sembee2 | Exchange | Sage
hanccocka | Hard Drives | Master
aarontomosky | Hardware Firewalls | Master
PeteLong | Hardware Firewalls | Wizard
Merete | Images and Photos | Guru
JRSCGI | IP Telephony | Guru
Amick | JavaScript | Master
Sar1973 | JavaScript | Master
DaveBaldwin | JavaScript | Sage
kozaiwaniec | Jquery | Guru
DrDamnit | Linux | Master
morsun | Linux | Master
testez | Linux | Master
Darr247 | Linux Distributions | Master
MASQUERAID | Microsoft OS | Guru
CarlWebster | Microsoft OS | Master
dvt_localboy | Microsoft OS | Master
Exchange_Geek | Microsoft OS | Master
Russell_Venable | Microsoft OS | Master
crouthamela | Misc Networking | Master
GaryC123 | Misc Web Dev | Master
HagayMandel | Misc Web Dev | Master
BCUNNEY | MS Access | Guru
imnorie | MS Applications | Guru
Merete | MS Applications | Guru
buttersk | MS Excel | Guru
felixdsouza | MS Excel | Guru
pony10us | MS Excel | Master
The_Barman | MS Excel | Sage
harfang | MS Office | Guru
peter57r | MS Office | Guru
buttersk | MS Office | Master
Rancy | MS Server Apps | Master
breadtan | MS Server OS | Master
Neilsr | MS Server OS | Master
npsingh123 | MS Server OS | Master
Tony1044 | MS Server OS | Master
TechSoEasy | MS Server OS | Sage
Cluskitt | MS SQL Server | Guru
Ghunaima | MS SQL Server | Master
kelvinsparks | MS SQL Server | Master
mlmcc | MS SQL Server | Wizard
TempDBA | MS SQL Server | Wizard
Saurv | MS SQL Server 2005 | Master
gohord | MS SQL Server 2008 | Guru
jimpen | MS SQL Server 2008 | Guru
jogos | MS SQL Server 2008 | Sage
TempDBA | MS SQL Server 2008 | Sage
eeRoot | Network Analysis | Master
pergr | Network Design & Methodology | Master
nav_kum_v | Oracle Database | Genius
sekarc4u | Outlook | Guru
aarontomosky | PHP | Guru
GaryC123 | PHP | Guru
pratima_mcs | PHP | Guru
ralmada | Query Syntax | Genius
marcustech | SBS Small Business Server | Guru
Bembi | SBS Small Business Server | Master
Sembee2 | SBS Small Business Server | Master
oBdA | Scripting Languages | Guru
arnold | Server Hardware | Guru
RobWill | Server Hardware | Guru
Alfred1 | SSRS SQL Reporting Svc | Master
wilcoxon | Sybase Database | Master
CitizenRon | VB Script | Master
Brook1966 | Visual Basic Classic | Wizard
thinkpads_user | Web Browsers | Guru
ded9 | Web Browsers | Master
arober11 | Web Servers | Guru
Sandeshdubey | Windows 2003 Server | Guru
jordannet | Windows 2003 Server | Master
sushil84 | Windows 2003 Server | Master
Darr247 | Windows 7 | Guru
liorkr | Windows 7 | Master
redbmaster | Windows 7 | Master
roybridge | Windows 7 | Master
clonyxlro | Windows Server 2008 | Guru
hypercat | Windows Server 2008 | Guru
McKnife | Windows Server 2008 | Guru
Netflo | Windows Server 2008 | Guru
RobSampson | Windows Server 2008 | Guru
hopeleonie | Windows XP | Master
ikalmar | Wireless Hardware | Master
aarontomosky | Wireless Networking | Master
RobWill | Wireless Networking | Master