A day spent with Anonymous
In the 5th annual Cyber Security Summit 2017 Mr.Stephan Dane from CISCO stated that according to Robert S. Mueller, III, Director FBI, “There are only two types of companies: Those that have been hacked and those that will be hacked.” The summit was held on 27th September 2017 and two ex-hackers from Anonymous and lulzSec participated and shared their experiences.
Jake Davis [1] and Darren Martyn both are founding members of lulzSec[2] and Anonymous shared most valuable resources which helps for cyber security professionals in order to keep an eye of the possible mistakes that leads to cyber attacks.
Before coming to the summit they have analyzed how the cyber space of Sri Lanka looks like. They found over 43,000+ breached websites with .lk domain, 300+ open shared desktops(like vnc, they presented screenshots) and their belief was our telecom provider’s cyber defence is pretty good than UK’s ones.
Jake Davis have been arrested when he was 18 years old for hacking NSA, Serious Organised Crime Agency’s (SOCA), Sony and government websites in countries such as Zimbabwe, Syria, Tunisia, Ireland, and Egypt.
The hackers described how is a hackers mind set. The most dangerous time of a hacker is when he feels boring, because to get rid of laziness his exercise would result in gaining access into a confidential server within few minutes. They do exploit vulnerabilities for the thrill.
Darren Martyn is an ethical hacker who serves for companies by discovering vulnerabilities in their company network and sensitive content.
Jake described one of his attacks to NSA, and he showed the image that was placed in the NSA website which was made by him with photoshop in 10 minutes.
According to Jake Dutch government’s systems are very strong and have less vulnerabilities. If someone tries to hack Dutch government give a tshirt for the person who tried to hack, with the statement “I tried to hack Dutch Government website and all I got is this tshirt” lol :D . Jake have received a one.
There were several panel discussions also. A point that was focused was a system’s security should be ensured from the system design itself, not just after implementing and revealing a vulnerability.
From 7 pm to 10 pm was a session where they demonstrated sample hacking sessions. There were 3 demos,
- Exploiting 802.11n(WiFi)’s vulnerabilities using an ESP8266 — packet flooding, deauthentication of connected stations, create multiple(50+) WiFis with same ssid and etc.
- Hacking a web application where uploads of pdf files are possible with system having vulnerability of using ‘include’ to render pages inside a wrapper page(like having a header and a footer and included file will be rendered in middle) — with this exploit he was able to run commands on the server with root access.
- Sniffing WiFi packets and gaining root access of a system
It was a hell of an event!
References,
[1] Jake Davis: https://en.wikipedia.org/wiki/Topiary_(hacktivist)
[2] https://en.wikipedia.org/wiki/LulzSec
[2.1] https://fabiusmaximus.files.wordpress.com/2016/03/anonymous.jpg?w=625&h=352
[3] https://pbs.twimg.com/profile_images/834194422556454912/HfEdYTt9.jpg
