They say it takes one to know one – so Samy Kamkar is perfectly positioned to identify cutting edge hacking techniques threatening business computers.
Samy Kamkar is a hacker, a malware author, an entrepreneur and an independent security researcher. He authored the world’s first XSS worm, which infected 1 million MySpace users in a mere 24 hours; he subsequently had his house raided over the gambit and served some time on probation.
But these days he’s wearing a white hat, helping security researchers understand the latest hacking methods and the vulnerabilities that need to be patched to stop them. In an interview with ITBusiness.ca at the Toronto-based Sector security conference, he shared these four threats to beware.
PHP session prediction
PHP session prediction, or the attack on random numbers, is an attack that allows a hacker to predict what session cookie a Web site will generate when a specific user logs in. If the hacker can predict the cookie that will be issued the next time you log in to a specific account, they can hijack that account. Imagine that applied to your online banking.
It’s not clear whether the attack is being used in the wild yet, but it is likely. One possible method would be to predict the random URL a site creates when it issues a password-recovery page; using that page, a hacker could reset a user’s password and gain access.
To defend against this attack, sites must run the latest version of PHP, which has fixed this type of exploit.
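The root cause described above is a session or recovery token drawn from a random number generator whose output can be predicted. The following Python example is added here to illustrate that point from the defender's side; it is not code from the article, from Samy Kamkar, or from PHP itself. It contrasts a token built from a seeded, non-cryptographic PRNG (reproducible by anyone who learns the seed) with one drawn from the operating system's CSPRNG via `secrets`, and includes a small acceptance check a site can run on the tokens it issues. The function names and the 16-byte token length are assumptions made for the example.

```python
import hmac
import random
import secrets

TOKEN_BYTES = 16  # assumed token length for this example (128 bits)


def weak_tokens(seed: int, count: int) -> list:
    """Tokens from a seeded, NON-cryptographic PRNG (illustrative weak design).

    Every token in the stream is a pure function of the seed, so an observer
    who recovers or guesses the seed reproduces past and future tokens.
    Shown only to make the failure mode concrete; never use in production.
    """
    rng = random.Random(seed)
    return [
        "".join(f"{rng.randrange(256):02x}" for _ in range(TOKEN_BYTES))
        for _ in range(count)
    ]


def strong_token() -> str:
    """Token from the OS CSPRNG; not derivable from any application state."""
    return secrets.token_hex(TOKEN_BYTES)


def token_is_acceptable(token: str) -> bool:
    """Cheap sanity check a site can apply to tokens it issues or accepts:
    lowercase hex of the expected length, and not made of a single repeated byte.
    """
    if len(token) != 2 * TOKEN_BYTES:
        return False
    if any(c not in "0123456789abcdef" for c in token):
        return False
    pairs = {token[i:i + 2] for i in range(0, len(token), 2)}
    return len(pairs) > 1


def tokens_match(presented: str, stored: str) -> bool:
    """Constant-time comparison so a lookup does not leak via timing."""
    return hmac.compare_digest(presented, stored)


if __name__ == "__main__":
    # Constructed demonstration: a seed reused across restarts reproduces tokens.
    print("weak, seed 1234:", weak_tokens(1234, 2))
    print("weak, seed 1234 again:", weak_tokens(1234, 2))
    print("strong:", strong_token(), strong_token())
```

The weak generator yields identical token streams whenever the seed repeats, which is the property a prediction attack relies on; the CSPRNG-backed token has no such relationship to earlier tokens, and the acceptance check catches tokens that are structurally malformed before they are stored.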
Browser protocol confusion
Hackers can fool a browser into thinking it is using the HTTP protocol (normally used for Web browsing) when in fact it is using a different protocol such as FTP or IRC. This in turn confuses the network’s router and forces it to open ports that would normally be restricted.
Businesses should run strict firewalls that limit outbound connections to prevent this type of attack. Running an endpoint-based firewall could also prevent it.
Browser-based geo-location harvesting
A malicious Web site can use a browser to learn some information about a user’s network with no authentication required. The browser then sends that information to an attacker, who asks Google where the user lives. Google has this data because it correlates network locations with GPS coordinates collected during its Street View mapping.
Businesses should use secure routers that don’t have a Web interface, or at least have a very secure one, to protect against this type of attack.