Website Hacking 101: Part II

Website Hacking 101 : Part II : InfoSec Institute

by Ivan Dimov, resources.infosecinstitute.com

August 28

To view Part I of this article, please visit http://resources.infosecinstitute.com/website-hacking-101/.
In this part, we briefly introduce path traversal, abuse of delimiters, and information disclosure attacks, and present simple solutions to simplified problems involving each of them.
Content
Exercise 8: Path Traversal
Figure: A simple webpage in which you choose an article and view it
The website (index.php) in the PathTraversal folder contains a simple form which submits to the same page via the GET method. Once an article has been chosen and "View article" has been clicked, the following PHP code executes:
<?php

// If the article GET parameter is set
if (isset($_GET["article"])) {

    // Create a div block and fill it with the contents of the file named in the GET value.
    // Nothing restricts that value: any file the web server process can read is accepted.
    echo "<div id='article'>" . file_get_contents($_GET["article"]) . "</div>";

}

?>

The result is a URL such as http://localhost/2/PathTraversal/?article=1.htm, and the page loads whatever file the GET parameter names. The parameter is produced by a select element whose options name the files directly. The option elements were lost when this page was extracted, but each one carries an article's file name (e.g. 1.htm) in its value attribute and the article's title (e.g. "Domain Slamming") as its visible label:

<select name="article" required="">
    <!-- one option per article: value attribute = file name (e.g. 1.htm), label = title (e.g. Domain Slamming) -->
</select>
Legitimate users will browse through the interface the site provides, but with the code as it is anyone can open many files the site owner does not want opened simply by tampering with the URL parameter. Many websites have config directories where they store important data; let's see if you can get at one.
Tasks

1. Go back one directory and open openme.txt by changing the URL parameter.

2. Assume the config folder can be opened only from the local server, not from your own machine, and that you do not know which files it contains. First check whether the directory exists by requesting it directly.

The directory exists, and the login prompt (an HTTP 401 response) tells us that HTTP authentication protects it. Your task is to find out the username and the hashed password for the folder without any brute-force or dictionary attack against the login.
Spoiler (Task 2)

If HTTP authentication is in place, we can reasonably assume it is configured in an .htaccess file inside that directory (it could also live in the main server configuration, but on a typical shared host .htaccess is the only place a site owner can put it). Apache never serves .htaccess itself, but the article viewer reads files with file_get_contents(), which goes through the filesystem and is not subject to Apache's access rules, so the path traversal flaw lets us read the file anyway.
Figure: Viewing the .htaccess file from the article viewer page
We request http://localhost/2/PathTraversal/?article=config/.htaccess and the file gives us the path of the password file (its AuthUserFile directive) and the user required to view the folder (its Require user directive).
Requesting that userlist.htpasswd path through the same parameter returns every username with its password hash:
tomburrows:$apr1$ZF.78h2N$zhAaP2AY6VwxuELizJAwg.
The username is now known, and instead of guessing against the server we have a hash to attack offline, which changes the cracking effort completely. The $apr1$ prefix marks Apache's MD5-based htpasswd format: a salted one-way hash (the salt is ZF.78h2N), not reversible encryption, so the only remaining route to the password is to hash candidate passwords with that salt and compare the results.
Using path traversal we can also climb several directories and read php.ini and other configuration files, limited only by the filesystem permissions of the web server process; file_get_contents() accepts absolute paths as readily as relative ones.
A sample solution to our path traversal vulnerability

<?php

// If the article GET parameter is set
if (isset($_GET["article"])) {

    // Remove any "/" and "." characters from the GET parameter's value, since these are
    // what path traversal needs
    $article = str_replace(array("/", "."), "", $_GET["article"]);

    // If the file does not exist, print a custom error instead of letting PHP warn
    if (!file_exists($article . ".htm")) {
        echo "<h1>The article does not exist!</h1>";
    }
    else {
        // If and only if the file exists, echo its contents inside the article div.
        // The mandatory .htm extension is appended here, never taken from the request.
        echo "<div id='article'>" . file_get_contents($article . ".htm") . "</div>";
    }

}

The change in the HTML is that the option values no longer carry the full file name; they carry just the name without its extension, so only .htm files can ever be served.

Firstly, checking that the file exists and echoing it only in that case prevents another attack: information disclosure.
Request a non-existent file deliberately and file_get_contents() emits a PHP warning that names the missing file and the absolute filesystem path of the script, revealing the server's directory layout. Another way to resolve such leaks is to set display_errors = Off in php.ini (the right setting for any live site anyway; keep log_errors = On so the warnings still reach the error log instead of the visitor).
With the code above we get a clean error that the article does not exist, and path traversal attempts are blocked as well.
Figure: We now receive an error when we try to go back one directory and open the openme.txt file
Note: in old versions of PHP (before 5.3.4, which started rejecting paths that contain a NUL byte) you could use %00 in the parameter to end the string abruptly, so that the ".htm" appended by the solution code is ignored and the attacker's own extension applies. The check
if (!file_exists($article . ".htm"))
could then be bypassed with a request such as
http://localhost/2/PathTraversal/?article=accounts.txt%00
because the string handed to the filesystem call is "accounts.txt\0.htm", and the underlying C functions stop at the NUL byte, so the file actually opened is accounts.txt. Note that this particular payload would not work against the solution code above, which also strips the dot out of "accounts.txt"; the trick matters for any filter that relies on appending a fixed extension alone.
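The solution above removes dangerous characters from the name. A stricter variant, added here as an example and not part of the original article, allowlists the name instead of rewriting it (so "/", "\", "." and NUL bytes are rejected outright) and, as defence in depth, checks that the canonical path of the file is still inside the article directory. It assumes PHP 7.1 or newer and that the articles live in an articles/ subdirectory next to the script (my assumption; the original keeps the .htm files beside index.php), with the select's option values carrying just the bare name, as the article's own solution already does.

```php
<?php
// Added example, not the article's own code: an article viewer that allowlists
// the requested name instead of stripping characters from it, and checks that
// the resolved path is still inside the article directory. Assumes PHP 7.1+ and
// an "articles/" directory next to this script (my assumption; the original
// keeps the .htm files beside index.php).
declare(strict_types=1);

const ARTICLE_DIR = __DIR__ . '/articles';

/**
 * Map a user-supplied article name to a file inside $dir, or return null.
 * "Not allowed" and "does not exist" both yield null, so the error shown to
 * the client is the same either way and probing reveals nothing.
 */
function resolve_article(string $name, string $dir = ARTICLE_DIR): ?string
{
    // 1. Allowlist: letters, digits, underscore, hyphen; 1 to 64 characters.
    //    "/", "\", ".", NUL bytes and anything else are rejected outright
    //    rather than silently removed the way str_replace() does.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name) !== 1) {
        return null;
    }

    // 2. The extension is appended here, never taken from the request.
    $candidate = $dir . DIRECTORY_SEPARATOR . $name . '.htm';

    // 3. Defence in depth: compare canonical paths. realpath() resolves
    //    symlinks and "..", so a file outside $dir is refused even if the
    //    allowlist above is ever loosened.
    $base = realpath($dir);
    $real = realpath($candidate);
    if ($base === false || $real === false) {
        return null;                                  // missing directory or file
    }
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                                  // escaped the directory
    }
    return $real;
}

/** Render the article, or a generic 404 that reveals no filesystem path. */
function show_article(?string $name): void
{
    $path = $name === null ? null : resolve_article($name);
    if ($path === null) {
        http_response_code(404);
        echo "<h1>The article does not exist!</h1>";
        return;
    }
    echo "<div id='article'>" . file_get_contents($path) . "</div>";
}

if (PHP_SAPI === 'cli') {
    // Self-test with a constructed article in a temporary directory.
    $dir = sys_get_temp_dir() . '/articles_' . bin2hex(random_bytes(4));
    mkdir($dir);
    file_put_contents($dir . '/1.htm', '<p>Domain Slamming</p>');

    $cases = [                      // [requested name, should it resolve?]
        ['1',                 true],
        ['1.htm',             false],   // the extension is not the client's to choose
        ['../openme',         false],   // classic traversal
        ["accounts\0",        false],   // null-byte trick from the note above
        ['config/.htaccess',  false],   // the attack from Task 2
    ];
    foreach ($cases as [$name, $expected]) {
        $resolved = resolve_article($name, $dir) !== null;
        printf("%-22s %s\n", json_encode($name), $resolved === $expected ? 'ok' : 'FAIL');
    }
    unlink($dir . '/1.htm');
    rmdir($dir);
} else {
    $requested = $_GET['article'] ?? null;            // an array (article[]=x) is not a name
    show_article(is_string($requested) ? $requested : null);
}
```

Run it with php on the command line to see the five test cases, or drop it into the web root as index.php with an articles/ directory beside it. The realpath() comparison is what protects you if someone later relaxes the regular expression; the allowlist is what keeps the error path identical for "forbidden" and "missing", so an attacker cannot use the response to enumerate files.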
Exercise 9: Information disclosure
Figure: Comment page
For this exercise, I have created a working but problematic comments page which looks similar to a chat. You have to write a comment, and then you view all the comments up to now. The comments are stored in a .txt file rather than in a database and there is one PHP file that creates new comments and one that displays them on the screen.
// index.php server-side code
<?php

$path = "comments/";

if ($_SERVER["REQUEST_METHOD"] === "POST") {
    include("add_comment.php");
}

?>

// add_comment.php
<?php

// Read the existing comments and build an array with the new comment's fields
$comments = file_get_contents($path . "comments.txt");

$newcomment = [];
$newcomment[] = $_POST["name"];
$newcomment[] = $_POST["topic"];
$newcomment[] = $_POST["message"];

// Convert to a string, using ":" as the delimiter, for storage in the file
$newcomment = implode(":", $newcomment);

// Write the old contents, a newline and the new record back to the file
$comments_w = fopen($path . "comments.txt", 'w');
fwrite($comments_w, $comments . "\n" . $newcomment . ":");
fclose($comments_w);

// Show all comments
include($path . "view_comments.php");

?>

Figure: How the comments file looks
// view_comments.php
<?php

// Convert the file to an array and echo every record in a fixed format inside the comments div
$comments = explode(":", file_get_contents($path . "comments.txt"));

echo "<div id='comments'>";

for ($i = 0; $i < count($comments) - 1; $i += 3) {
    echo "<p>User: " . $comments[$i] . "<br> posted about: " .
         $comments[$i + 1] . "<br> and he wrote: " . $comments[$i + 2];
    echo " </p>";
}

echo "</div>";

?>

This application works fine when used through index.php, but imagine a user requesting add_comment.php directly, without it being included from index.php. That is easy to guess: the name of the action suggests the file name, this particular file name is common, and the file sits in the same web-accessible directory as index.php.
Figure: Viewing add_comment.php on its own
Now the attacker knows we have a variable called $path (the undefined-variable notice names it) and can guess that it holds the path to the comments file, because the warning says file_get_contents(comments.txt) could not be opened; so the name of the file holding all our comments is known too. Because the include of view_comments.php fails as well, the warning prints the full include_path and the absolute path of the script, which is also useful to an attacker. He now knows another file in our directory tree (view_comments.php), can request it directly and harvest more errors, and can see from the form's HTML that this file works with the same POST field names.
This comments form is also vulnerable to stored cross-site scripting (XSS). Insert a <script> element (for instance one that calls alert()) in one of the comment fields to test it: it is written to comments.txt, and every visitor's browser executes your script each time the comments are displayed.
A simple fix is to wrap the POST values in htmlspecialchars(), which converts <, >, & and " into the HTML entities &lt;, &gt;, &amp; and &quot;, so the browser shows them as text instead of interpreting them as markup:
$newcomment[] = htmlspecialchars($_POST["name"]);
$newcomment[] = htmlspecialchars($_POST["topic"]);
$newcomment[] = htmlspecialchars($_POST["message"]);
Pass ENT_QUOTES as the second argument so single quotes are converted as well. Encoding on input works here only because the stored text is ever placed into HTML; encoding at output time, in view_comments.php, is the more robust habit. Note also that htmlspecialchars() does nothing about a ":" typed into a comment, which shifts the fields of every later record when view_comments.php splits the file; that is the delimiter problem of the next exercise.
Solution
A simple way to get rid of all those errors in this example is to wrap the code in add_comment.php and view_comments.php in the following if statement:
if (isset($path)) {
    //code here
}

That way the code only runs when the files are included from index.php, which is what sets $path.
Of course, this does not handle the fact that a user can post the form empty and still view the content while making the application record an "actual" comment, but that is easy to fix and not the subject here.
A more robust form of the same idea is a constant defined only by the entry script and checked by every included file, or keeping the included files outside the document root (or denying them in .htaccess, as the next exercise does for users.txt) so they cannot be requested at all. Displaying errors is useful during development, but when the application is live and in production, always turn off display_errors in php.ini.
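To show the three fixes for this exercise together (a direct request answered with a 404 instead of warnings, a storage format that a ":" or a newline cannot break, and HTML-encoding at output time), here is an added example, written for this page and not code from the original article. It assumes PHP 7.2 or newer and that index.php does define('APP_ENTRY', true); before including this file; the constant name, the function names and the JSON-lines format are my choices, not the article's.

```php
<?php
// Added example, not the article's code: the comment store rewritten so that
//  (a) a direct request for this file yields a 404, not PHP warnings that leak paths,
//  (b) every comment is one JSON line, so a ":" or newline in a field cannot shift
//      record boundaries, and
//  (c) HTML-encoding happens at output time, where the context is known.
// Assumes PHP 7.2+ and that index.php does  define('APP_ENTRY', true);  before
// including this file (the constant name is my assumption).
declare(strict_types=1);

if (PHP_SAPI === 'cli') {
    define('APP_ENTRY', true);   // the self-test at the bottom stands in for index.php
}
if (!defined('APP_ENTRY')) {     // reached directly over HTTP: behave like a missing page
    http_response_code(404);
    exit;
}

/** Append one comment. json_encode() escapes newlines, so one record is always one line. */
function add_comment(string $file, string $name, string $topic, string $message): bool
{
    $record = json_encode(
        ['name' => $name, 'topic' => $topic, 'message' => $message],
        JSON_UNESCAPED_UNICODE | JSON_INVALID_UTF8_SUBSTITUTE
    );
    if ($record === false) {
        return false;
    }
    return file_put_contents($file, $record . "\n", FILE_APPEND | LOCK_EX) !== false;
}

/** Read all comments; a corrupt line is skipped instead of producing a warning. */
function load_comments(string $file): array
{
    if (!is_file($file)) {
        return [];
    }
    $out = [];
    foreach (file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $c = json_decode($line, true);
        if (is_array($c)
            && is_string($c['name'] ?? null)
            && is_string($c['topic'] ?? null)
            && is_string($c['message'] ?? null)) {
            $out[] = $c;
        }
    }
    return $out;
}

/** HTML-encode for an element body or a double-quoted attribute. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build the comments div; user data only ever reaches the page through e(). */
function render_comments(array $comments): string
{
    $html = "<div id='comments'>";
    foreach ($comments as $c) {
        $html .= "<p>User: " . e($c['name']) . "<br> posted about: " . e($c['topic'])
               . "<br> and wrote: " . e($c['message']) . "</p>";
    }
    return $html . "</div>";
}

if (PHP_SAPI === 'cli') {
    // Self-test with a constructed stored-XSS payload and delimiter characters.
    $file = tempnam(sys_get_temp_dir(), 'comments_');
    add_comment($file, '<script>alert(1)</script>', 'a:b', "line 1\nline 2:");
    add_comment($file, 'bob', 'topic', 'plain message');
    $comments = load_comments($file);
    $html = render_comments($comments);
    $ok = count($comments) === 2
        && $comments[0]['topic'] === 'a:b'             // delimiter survived intact
        && strpos($html, '<script>') === false         // no raw tag in the output
        && strpos($html, '&lt;script&gt;') !== false;  // it was encoded instead
    echo $ok ? "ok\n" : "FAIL\n";
    unlink($file);
}
```

The guard at the top is the constant-based version of the isset($path) check: an included file that is requested on its own sends a 404 and stops before any code that could warn. Storing JSON per line removes the delimiter problem entirely, and because the encoding step lives in render_comments() the raw text in the file stays usable if it is ever shown somewhere other than HTML.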
Exercise 10: Delimiters
We will be looking at a vulnerability similar to the one that existed in the old Poster website.
Sometimes, values used in the code can be abused by users even while they interact only with the interface provided to them.
Open the Delimiters folder from your localhost in a browser. There is a users.txt file which contains all the user data. Access to it over HTTP is forbidden by the .htaccess file:
<Files "users.txt">
    Deny from all
</Files>

(This is Apache 2.2 syntax; on Apache 2.4 the equivalent is Require all denied.)

1. Try to open it using the path traversal flaw of the article viewer, just for practice.

2. Look at the different data stored there and think about what each value represents.

3. Try to log in with one of the accounts and escalate your privileges to "admin" just by using the website as a normal user.

Spoiler

http://localhost/2/PathTraversal/?article=../Delimiters/users.txt
(The path is resolved relative to the directory of the article viewer's index.php, so ../ climbs from PathTraversal/ to 2/ and from there into Delimiters/. The Deny rule only applies to requests Apache serves itself; PHP's file_get_contents() reads the file through the filesystem and is not affected by it.)
It should be clear that the ":" character is the delimiter between the different values.
You can test this on the login form, but it should be clear that the first word before the first delimiter is the username, the second the password and the third the user's privileges.
The code that extracts the user data one line at a time and compares each line with the submitted details is the following:
$userlist = fopen('users.txt', 'r');

while (!feof($userlist)) {

    $line = fgets($userlist);

    $acc_details = explode(":", $line);

    $username = $acc_details[0];
    $password = $acc_details[1];
    $access = $acc_details[2];

    // Each line is checked separately against the submitted details
    if ($username === $_POST["name"] && $password === $_POST["pass"]) {
        // match found: the user is logged in (session handling omitted on the page)
        break;
    }

}

fclose($userlist);

When a line matches, the user is logged in. Note that the passwords are stored and compared in plaintext.
Note that there are better ways to do this nowadays: password hashes (password_hash() and password_verify()) instead of plaintext, a database instead of a text file, and a server-side session (a cookie carrying only a session identifier) to remember the logged-in user.
When logged in, you have the option to change your username and/or password. The password change is a plain string replacement over the whole file contents (here the variable $userlist holds the text of users.txt):
if (isset($_POST["pass"]) && trim($_POST['pass']) !== "") {

    $userlist = str_replace(/* old pass */ $_POST["userdata-pass"], /* new pass */ $_POST['pass'], $userlist);

    echo "<em>Password changed to: " . $_POST['pass'] . "</em>";

}

And to check the privileges, the script merely tests whether the substring "admin" occurs anywhere in the $access variable:
if (stripos($access, "admin") !== false) {

    echo "<img src='administrator.png' alt='admin' width='480' height='480' />
<h1>Howdy, admin!</h1>";

}

Thus, it should be clear that you can abuse this mechanism by changing your password to a value that contains the delimiter, such as newpass:admin. The global replacement turns your line username:oldpass:privileges into username:newpass:admin:privileges, so on the next login explode(":") returns "admin" as the third field and the substring check greets you as administrator.
Solution to this vulnerability

The fix is simple and follows the same idea as in the previous exercise: sanitize the submitted value before it is stored, here by removing the delimiter. The username change becomes:
if (isset($_POST["usrname"]) && trim($_POST['usrname']) !== "") {

    // Remove any delimiters from the new account name and keep the result in a variable
    $newacc = trim(str_replace(":", "", $_POST["usrname"]));

    // Then replace the old account name with the $newacc variable
    $userlist = str_replace($_POST["userdata-acc"], $newacc, $userlist);

    echo "<em>Username changed to: " . $_POST['usrname'] . "</em>";

}

Two gaps remain in this fix. A line break in the submitted value is just as dangerous as a colon, because a new line starts a new record, so it has to be removed (or, better, rejected) as well. And the search string $_POST["userdata-acc"] is still chosen by the client while the replacement runs over the entire file, so the client decides which substring of users.txt gets rewritten; the update should locate the authenticated user's own record and rewrite only that one field. The echo should also print the sanitized, HTML-encoded $newacc rather than the raw $_POST value.

Besides sending credentials in the clear and other problems, this site is again prone to information disclosure: the final iteration of the while loop reads an empty line, explode() returns a single element for it, and accessing $acc_details[1] raises a PHP notice (undefined offset) every time a wrong password is submitted, unless display_errors is off.
You can avoid this by skipping empty lines:
if (trim($line) === "")
    break;

(or, more idiomatically, loop with while (($line = fgets($userlist)) !== false) and use continue for blank lines, which also copes with an empty line in the middle of the file).
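Here is an added example, not code from the original exercise, of how users.txt can be updated record by record rather than with a str_replace() over the whole file, so neither a delimiter in the new value nor a client-chosen search string can touch another field or another account. It also replaces the substring test for "admin" with an exact comparison and skips blank lines, which removes the notice just described. It keeps the exercise's username:password:access format and its plaintext passwords so the comparison with the page's code is direct (a real application would store password_hash() output and compare with password_verify()); the function names, the 64-byte field limit and the sample user list are mine, and it assumes PHP 7.1 or newer.

```php
<?php
// Added example, not the article's code: updating users.txt record by record
// instead of running str_replace() over the whole file. Keeps the exercise's
// "username:password:access" format and plaintext passwords for comparability;
// a real application would store password_hash() output. Assumes PHP 7.1+.
declare(strict_types=1);

const DELIM = ':';

/** Parse the file into [username => ['password' => ..., 'access' => ...]]. */
function load_users(string $file): array
{
    $users = [];
    if (!is_file($file)) {
        return $users;
    }
    foreach (file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $parts = explode(DELIM, $line);
        if (count($parts) !== 3) {
            continue;                    // malformed line: ignore it, never guess
        }
        [$username, $password, $access] = $parts;
        $users[$username] = ['password' => $password, 'access' => $access];
    }
    return $users;
}

/** Write the records back, one per line. */
function save_users(string $file, array $users): void
{
    $lines = [];
    foreach ($users as $username => $rec) {
        $lines[] = $username . DELIM . $rec['password'] . DELIM . $rec['access'];
    }
    file_put_contents($file, implode("\n", $lines) . "\n", LOCK_EX);
}

/**
 * A value is storable only if it cannot be mistaken for a separator:
 * no ":" (field delimiter), no CR/LF (record delimiter), no NUL, 1 to 64 bytes.
 * Rejecting is preferable to silently rewriting what the user typed.
 */
function valid_field(string $value): bool
{
    return preg_match('/\A[^:\r\n\x00]{1,64}\z/', $value) === 1;
}

/**
 * Change the password of account $who. The caller takes $who from the
 * authenticated session, never from a POST field, so the client cannot choose
 * which record (or which substring of the file) gets rewritten.
 */
function change_password(string $file, string $who, string $newPassword): bool
{
    if (!valid_field($newPassword)) {
        return false;
    }
    $users = load_users($file);
    if (!isset($users[$who])) {
        return false;
    }
    $users[$who]['password'] = $newPassword;
    save_users($file, $users);
    return true;
}

/** Exact comparison of the access field, not a substring search for "admin". */
function is_admin(array $rec): bool
{
    return $rec['access'] === 'admin';
}

if (PHP_SAPI === 'cli') {
    // Self-test with a constructed user list.
    $file = tempnam(sys_get_temp_dir(), 'users_');
    file_put_contents($file, "bob:secret:user\nalice:hunter2:admin\n");

    $escalation = change_password($file, 'bob', 'x:admin');   // the exercise's attack
    $normal     = change_password($file, 'bob', 'newpass');
    $users      = load_users($file);

    $ok = $escalation === false && $normal === true
        && $users['bob']['password'] === 'newpass'
        && !is_admin($users['bob']) && is_admin($users['alice'])
        && count($users) === 2;
    echo $ok ? "ok\n" : "FAIL\n";
    unlink($file);
}
```

The same valid_field() check guards a username change, and the same load-modify-save pattern applies to it: the account to modify is identified by the session, the new value is validated, and only that record's field is replaced. Note that this structure still loses updates under concurrent writes; for anything beyond an exercise, a database is the right store.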

Conclusion
Sometimes the fixes for vulnerabilities are simple and quick; the work lies in splitting the application into its pieces and testing each of them on its own, not only the application as a whole.

Who is ELyssaD™?


I started this private site after my name, ID, medical and financial info was stolen, made public in Pastebin, and sold on T-shirts at the DefCon hackers conference.

I never got one penny for the T-shirts and apparel sold and was never reimbursed for the damage done to my computer equipment and mobile devices as a result of HARD CORE hackers.

I was promised the T-shirts and promo ads would be pulled from the event and the black hat hackers known as Lulz, AntiSec, (Sabu and Co.) would take them down and refrain from using my likeness for promotional purposes.

They were not.

They used my name, my likeness, my photos, my social security number, my ID, my address and more to create a slew of fake social media accounts to post insane bullshit across a variety of platforms. 

They even socially engineered my closest friends and family members in various forums to reinforce the charade.

They claimed the T-shirts were for charity and that $1.00 would be donated for every ELyssaD garment sold.

Not only did I not receive any such monies, I am quite certain these fuckwits have no idea how serious it is to impersonate a 501(c)3.

So not only did they make a profit from exploiting every aspect of my life, they harassed my friends, impersonated an ex-cop who has been one of my most trusted allies and confidants; threatened friends who dared to speak up on my behalf by calling them on the phone and identifying themselves as law enforcement. ANOTHER felony.

They made a profit. They offered a reward for tittie pics, had podcasts, comic books and sold a line of women’s apparel to promote their podcasts, show and of course, make money.

They created multiple fake identities on various social media platforms. They pwned my website, social media accounts, linked in, private forums, etc…  harassed my friends and posted my fathers home address on the internet.

They altered personal documents they stole from my private files, altered them, and had the nerve to put the FAKE documents back in to my web albums and made them public.

ONE LOGIN = ONE FELONY

Destruction of evidence (especially records that pertain to employee benefits is a whole other class of crimes)

These individuals are clearly guilty, and have no problem advertising their skills across the hacker community.

They destroyed my professional credibility with disinformation writing posting ridiculous website entries that present my professional certifications as a practicing therapist to make them appear as if I was the patient not the provider.

65 “people” impersonating me on social media platforms?

My friends, sister, brothers, my mother, and even “Agent Daddy” became targets as well.

I started this site hoping for a do-over.  My name is ELyssa. ELyssaD™ and, for the record, I’ve never done midget porn!

Just me,

e

@ELyssaD


Why everyone is getting hacked these days – Nextgov.com

Why everyone is getting hacked these days



Pedro Miguel Sousa/Shutterstock.com

If it feels like there have been a lot of password hacks this year, it’s because there have been more than usual, and Ars Technica’s Dan Goodin explains why that is. In short: Password hacking has gotten better, while our password making has gotten worse. “The result: security provided by the average password in 2012 has never been weaker,” Goodin writes, which is why it shouldn’t surprise you that this year we have heard about security breaches at LinkedIn, eHarmony, Yahoo Voices, and a personal horror story from Wired‘s Mat Honan. Last year, James Fallows told us about his wife’s security situation in The Atlantic story called “Hacked!” And for all the high profile accounts, there are all the ones we don’t hear about. It’s happening a lot these days.

But why the sudden uptick? Goodin explains:

  • Our password habits have gotten worse. “The average Web user maintains 25 separate accounts but uses just 6.5 passwords to protect them, according to a landmark study (PDF) from 2007,” he writes. We have more things for which we need to create codes and it takes far too much brain space to store 25 different combos. Having the same passwords for various accounts was what did Fallows’ wife in. Plus, the passwords we pick are stupid, as we learned from the Yahoo Voices hack, in which “123456” was (still!) a popular choice. It takes 10 minutes to crack a lower case 6 character password. To avoid this possible issue, we have before suggested picking dumb passwords for sites that don’t matter. 
  • Password cracking has gotten better. “Now used increasingly for computing, graphics processors allow password-cracking programs to work thousands of times faster than they did just a decade ago on similarly priced PCs that used traditional CPUs alone,” adds Goodin, who details the various tech advancements in hacking. The LinkedIn breach taught us this, leading us to the conclusion that perhaps we need to accept that the modern password isn’t good enough anymore.

Read more at The Atlantic Wire.

(Image via Pedro Miguel Sousa/Shutterstock.com)

UM… I HAVE SOME THOUGHTS ON THIS…

to be continued…


Obama faces delicate decisions as cyberattack fears rise

White House photo

At the height of the economic crisis in 2008, Saturday Night Live’s “Weekend Update” comedy news show rolled out the character Oscar Rogers as a faux financial commentator. His advice on how to restore the economy? “Fix it! It needs to be fixed! Now!”

Four years later, lawmakers are grappling with a cybercrisis, and despite rising concerns, legislative debates over how to secure U.S. networks and infrastructure have often resembled nothing so much as Oscar Rogers yelling “Fix it!”

Now, with Congress looking unlikely to act anytime soon to fix vulnerabilities in the nation’s computer systems that leave them open to cyberattacks, President Obama is weighing the pros and cons of using an executive order to do what Congress hasn’t.

Experts in government and industry alike report a tide of attacks aimed at stealing information from individuals, companies, and government agencies, potentially making a strong case for presidential action.

Further bolstering the case are warnings from top national-security officials that a catastrophic attack on a critical system like those that run energy grids or chemical plants could cause damage to the economy or even loss of life.

But Obama needs to consider his options carefully, because any unilateral steps could invite accusations from his critics of overstepping his authority. As the acrimonious debate over antipiracy legislation illustrated earlier this year, simmering Internet issues can easily explode.

In the final days before the August recess, the Senate hit an impasse on broad cybersecurity legislation that the White House and national-security and defense leaders support. The bill stalled after businesses and Republicans said the legislation would create burdensome regulations for industry without doing enough to shore up defenses against cyberattacks.

Top White House counterterrorism aide John Brennan said earlier this month that Obama was looking at the possibility of an executive order but that there is no decision yet.

Lee Hamilton, a Democratic former House member who sits on a board that advises the Homeland Security Department and who examined government security failures as cochair of the 9/11 Commission, said that Obama is right to consider moving forward on his own. He said the stalemate in Congress is a “serious breakdown” reminiscent of failures before the terrorist attacks on Sept. 11, 2001.

“The preference would be to work together with Congress, but the threat is serious enough that an executive order is in line,” he said. “There is certainly a lack of urgency in dealing with this, and it’s not a business-as-usual problem. Given the fact that Congress hasn’t acted, the president has the obligation to put together options to secure the country.”

While the debate in Congress largely broke down along party lines, some prominent Republicans support the cybersecurity standards backed by the White House.

Top national-security advisers for GOP presidential candidate Mitt Romney, such as former Homeland Security Secretary Michael Chertoff and former National Security Agency and Central Intelligence Agency chief Michael Hayden, differed with Republicans in Congress and publicly called for the Senate to pass provisions that have Obama’s support.

Romney campaign spokeswoman Andrea Saul declined to elaborate on the Republican candidate’s assertion that more needs to be done to secure American networks, or comment on whether he would favor using an executive order in the absence of legislation. But she reiterated Romney’s promise to make cybersecurity an early priority and didn’t rule out executive action. Romney’s plan would require agencies to begin developing a new national cybersecurity strategy within the first 100 days of his administration. “Once the strategy is formulated he will determine how best it can be implemented,” Saul said in an e-mail.

Polls show that while Americans express concerns over cyberattacks, they, too, are divided over what should be done.

Separate surveys published by United Technologies/National Journal and The Washington Post over the summer found that a majority of Americans prefer that the government either not create standards for private companies, or keep any standards voluntary.

Backers of the White House’s proposals, however, say an executive order could add clarity to the debate and prove to skeptics that the government can play a greater role in protecting American networks without violating privacy or burdening private businesses.

“I think it’s hard to make things any messier than it was politically,” said James Lewis, an expert at the Center for Strategic and International Studies. “If done right, an executive order could help critics reconsider their arguments.”

That’s an analysis echoed by University of California (Berkeley) professor Steven Weber who said many people seem to be “sleepwalking” when it comes to the threat of cyberattacks. An executive order, he said, could reform cybersecurity policies before a catastrophic attack galvanizes public opinion.

An executive order could give Obama the chance to take a strong stand on a rising national-security concern while portraying Republicans in Congress as ditherers.

But an order is unlikely to accomplish all of the White House’s aims. It couldn’t hand DHS wider authority to ensure that certain private networks are secure. Nor could it entirely ease legal restrictions that prevent businesses from sharing threat information. Even policy changes for some federal network-security policies would likely need congressional action. Additionally, any action would need to avoid inciting privacy watchdogs who fear cybersecurity could be used as an excuse to undermine civil liberties.

And some analysts said the politics of an executive order could cut both ways for Obama. Presidents often win political debates that pit them against an unpopular Congress, especially one perceived as unable to do anything substantive, said Peter Feaver, a former National Security Council staffer during the Clinton and George W. Bush administrations. But if Obama were to take unilateral action, it would give his critics on the right an opening to paint him as an “imperial” president and to accuse him of saddling business with new regulations, Feaver said.

“In general, White Houses win in these fights with Congress, but this White House has played this card many times,” Feaver said. “This is an issue where there are bound to be unintended consequences and any cybersecurity measures will need a system to fix and update the provisions down the road. This administration has a hard sell assuring people to trust them to fix things later.”

Paul Rosenzweig, a consultant and visiting fellow at the conservative Heritage Foundation, said a cybersecurity executive order could play into both the “imperial presidency and do-nothing-Congress” narratives, but said he thinks there is a genuine possibility for a future compromise and that unilateral action by Obama would do little to actually help secure private networks.

http://m.nextgov.com/cio-briefing/2012/08/obama-faces-delicate-decisions-cybe…