<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">
<channel>
<title>HackThis!! News</title>
<description>Hacking, Security and Technology news</description>
<link>http://www.hackthis.co.uk</link>
     <atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/hackthisuk" /><feedburner:info uri="hackthisuk" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><item>
        <title> SMTP problems</title>
        <description>Earlier SMTP errors have now been fixed! For the past 24 hours or so emails have not been delivered successfully; this has now been rectified.</description>
        <link>http://feedproxy.google.com/~r/hackthisuk/~3/Rl4M939O7BU/smtp-problems</link>
        <pubDate> Tue, 30 Apr 2013 22:27:53 +0100</pubDate>
     <feedburner:origLink>http://www.hackthis.co.uk/news/smtp-problems</feedburner:origLink></item>  
     <item>
        <title> New SQLi Levels</title>
        <description>A new group has been added to the levels section of the site. The new SQLi section will focus on common SQL injection attacks. Currently there are only two levels online, but more will be coming soon. SQLi is one of the most common real-world attacks. When found, a vulnerability of this kind can allow an attacker access to large amounts of personal information as well as leverage to mount further attacks. Hopefully these levels will give you an introduction to, and understanding of, both how SQL works and its pitfalls.&lt;br /&gt;
&lt;br /&gt;
As always, if you find yourself stuck on any part of the site, head over to the forum where you can find more information and ask your own questions.</description>
        <link>http://feedproxy.google.com/~r/hackthisuk/~3/U0u9miXVatc/new-sqli-levels</link>
        <pubDate> Thu, 21 Feb 2013 21:18:49 +0000</pubDate>
     <feedburner:origLink>http://www.hackthis.co.uk/news/new-sqli-levels</feedburner:origLink></item>  
     <item>
        <title>  CTF v1.0 Follow Up</title>
        <description>&lt;div class="bbcode_center" style="text-align:center"&gt;
&lt;a href="http://www.hackthis.co.uk/files/media/images/articles/300/0/up_7f525c15e2593051f67f17c4a40de0ac.jpg" target="_blank"&gt;&lt;img src="http://www.hackthis.co.uk/files/media/images/articles/300/0/up_7f525c15e2593051f67f17c4a40de0ac.jpg" alt="up_7f525c15e2593051f67f17c4a40de0ac.jpg" class="bbcode_img" /&gt;&lt;/a&gt;
&lt;/div&gt;
So it has been a little while since the CTF event finished; thank you to everyone who took part. A follow-up to the event can be found &lt;a href="http://www.hackthis.co.uk/ctf/1.0" class="bbcode_url"&gt;here&lt;/a&gt;. The link contains results and stats as well as a look at each level and how they could have been solved. Hopefully another of these events will be hosted soon, so keep your eyes peeled.&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://www.hackthis.co.uk/ctf/1.0" class="bbcode_url"&gt;www.hackthis.co.uk/ctf/1.0&lt;/a&gt;</description>
        <link>http://feedproxy.google.com/~r/hackthisuk/~3/W6YUUWqL1oE/CTF-v1-follow-up</link>
        <pubDate> Mon, 28 Jan 2013 20:53:39 +0000</pubDate>
     <feedburner:origLink>http://www.hackthis.co.uk/news/CTF-v1-follow-up</feedburner:origLink></item>  
     <item>
        <title> Game Over</title>
        <description>The first HackThis!! CTF event has now finished. I would like to take this opportunity to say thank you to everyone who took part and anyone who helped make it a huge success. We would like to run these kinds of events more often, so if you have any ideas, suggestions or just think it is a good idea then let us know.&lt;br /&gt;
&lt;br /&gt;
A follow-up post will be online soon reflecting on the event, visualising the data and releasing the final scoreboards. There will also be a series of articles explaining each level in detail and how you would go about solving them.</description>
        <link>http://feedproxy.google.com/~r/hackthisuk/~3/YyUFvgfm3GA/game-over</link>
        <pubDate> Fri, 11 Jan 2013 18:04:39 +0000</pubDate>
     <feedburner:origLink>http://www.hackthis.co.uk/news/game-over</feedburner:origLink></item>  
     <item>
        <title> HackThis!! CTF 2013</title>
        <description>To celebrate HackThis!! passing 100,000 registered members we are running a week-long competition, starting now! The competition is a series of levels that progress in difficulty. Each level will be timed from the moment you open the level until you complete it. Once completed, you cannot attempt a level again.&lt;br /&gt;
&lt;br /&gt;
Prizes will be awarded for a variety of different reasons, so just have a go.&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://ctf.hackthis.co.uk" class="bbcode_url"&gt;http://ctf.hackthis.co.uk&lt;/a&gt;</description>
        <link>http://feedproxy.google.com/~r/hackthisuk/~3/D9k_P6zjX14/hackthis-ctf-2013</link>
        <pubDate> Fri, 04 Jan 2013 19:56:21 +0000</pubDate>
     <feedburner:origLink>http://www.hackthis.co.uk/news/hackthis-ctf-2013</feedburner:origLink></item>  
     <item>
        <title> Happy New Year</title>
        <description>Happy New Year from everyone at HackThis!! We would like to take this opportunity to thank every single person who has contributed to this website, be that a comment, forum post, idea or just being part of the community. Hopefully next year will bring lots of new and exciting additions.&lt;br /&gt;
&lt;br /&gt;
One of these events is taking place very soon; if you don't know what I am talking about, then look at this:
&lt;div class="bbcode_code"&gt;
&lt;div class="bbcode_code_head"&gt;Code:&lt;/div&gt;
&lt;pre class="bbcode_code_body prettyprint" style="overflow: hidden"&gt;NmY2NjcyMmU3NDZkNmY3NzY2NzQ3NTY1MmU2ZjYxMmU2Nzc3&lt;/pre&gt;
&lt;/div&gt;
&lt;br /&gt;

&lt;div class="bbcode_center" style="text-align:center"&gt;
&lt;h2&gt;Happy New Year!!&lt;/h2&gt;
&lt;/div&gt;</description>
        <link>http://feedproxy.google.com/~r/hackthisuk/~3/5lQ_7Pt7Elk/happy-new-year</link>
        <pubDate> Mon, 31 Dec 2012 20:49:01 +0000</pubDate>
     <feedburner:origLink>http://www.hackthis.co.uk/news/happy-new-year</feedburner:origLink></item>  
     <item>
        <title> Update: Hotel Card Lock Security Flaw</title>
        <description>This is an update to a post made in August where we reported on a defect in Onity HT lock systems that could allow anyone access to a hotel room in minutes. The original post can be read here: &lt;a href="http://www.hackthis.co.uk/news/hotel-card-lock-security-flaw" class="bbcode_url"&gt;http://www.hackthis.co.uk/news/hotel-card-lock-security-flaw&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
Since then a lot of hackers have been looking at the details released, with some &lt;a href="http://betabeat.com/2012/10/hacker-hides-handheld-hotel-lock-picking-gadget-in-dry-erase-marker-video/" class="bbcode_url"&gt;interesting results&lt;/a&gt;. The Hyatt hotel in Houston, Texas reported that a number of guests suffered break-ins last September, with no signs of lock picking or forced entry and with none of the maids' cards being recorded on the devices. Read more about the report at &lt;a href="http://www.forbes.com/sites/andygreenberg/2012/11/26/security-flaw-in-common-keycard-locks-exploited-in-string-of-hotel-room-break-ins/" class="bbcode_url"&gt;Forbes&lt;/a&gt;. A 27-year-old, Matthew Allen Cook, has now been arrested for the break-ins and is helping the police with their inquiries.&lt;br /&gt;
&lt;br /&gt;
And what has Onity said about all of this? To fix the defect a new circuit board must be installed in every lock, which they are asking their &lt;a href="http://www.forbes.com/sites/andygreenberg/2012/08/17/hotel-lock-firms-fix-for-security-flaw-requires-hardware-changes-for-millions-of-locks/" class="bbcode_url"&gt;customers to pay for&lt;/a&gt;. A low-tech solution is to cover the small connection port at the base of the device with super glue. As Cody Brocious points out in a &lt;a href="http://daeken.com/onitys-plan-to-mitigate-hotel-lock-hack" class="bbcode_url"&gt;blog post&lt;/a&gt;:&lt;br /&gt;

&lt;br/&gt;
&lt;blockquote&gt;
	&lt;p&gt;Given that it won't be a low cost endeavour, it's not hard to imagine that many hotels will choose not to properly fix the issues, leaving customers in danger; this is on top of those that will simply not have heard of the fix, if Onity does not contact all of their customers directly&lt;/p&gt;
	&lt;small&gt;Cody Brocious&lt;/small&gt;
&lt;/blockquote&gt;</description>
        <link>http://feedproxy.google.com/~r/hackthisuk/~3/LVr-HdmJhoA/update-hotel-card-lock-security-flaw</link>
        <pubDate> Tue, 27 Nov 2012 21:32:25 +0000</pubDate>
     <feedburner:origLink>http://www.hackthis.co.uk/news/update-hotel-card-lock-security-flaw</feedburner:origLink></item>  
     <item>
        <title> Bug fix: Friends system</title>
        <description>There have been a number of questions about the friends system and it appears that these concerns were valid. There was a bug in the friends system that did not allow certain members to add each other. The email notification was still sent correctly. So if you received a notification about a friend request but did not see the request when you logged in, please try to add the member again and everything should work correctly. Thank you to &lt;a href="http://www.hackthis.co.uk/user/holblin" class="bbcode_url"&gt;Holblin&lt;/a&gt; for his assistance in tracing the problem.&lt;br /&gt;
&lt;br /&gt;
If anyone has any other bugs or feature requests, please use the &lt;a href="http://www.hackthis.co.uk/contact.php" class="bbcode_url"&gt;Contact Us&lt;/a&gt; link to let us know.</description>
        <link>http://feedproxy.google.com/~r/hackthisuk/~3/3nZqIGuO_vo/bug-fix-friends-system</link>
        <pubDate> Tue, 13 Nov 2012 18:00:18 +0000</pubDate>
     <feedburner:origLink>http://www.hackthis.co.uk/news/bug-fix-friends-system</feedburner:origLink></item>  
     <item>
        <title> Apache Web servers exposing data</title>
        <description>Apache's mod_status module generates &lt;a href="http://httpd.apache.org/docs/2.2/mod/mod_status.html" class="bbcode_url"&gt;server status&lt;/a&gt; pages containing detailed internal information about the sites they host. If these generated pages are left unprotected, they expose that information, which is the case for some of the most popular websites. The server status page contains visitor IP addresses and associated target URIs, as well as paths to various internal files. This page is useful for server administrators, but it can also aid hackers in understanding the structure of a target.&lt;br /&gt;

&lt;br/&gt;
&lt;blockquote&gt;
	&lt;p&gt;Is that a big deal that I can go to staples.com/server-status/ and see all those orders/connections being made and their IPs? Or go to one of them and search for 'admin-p' and find a mostly unprotected admin panel (I won't disclose the site). Or find all the internal URLs and vhost mapping for nba.com or ford.com?&lt;br /&gt;
&lt;br /&gt;
Probably not a big deal by itself (well, if you don't have an unprotected admin panel), but that can help attackers easily find more information about these environments and use them for more complex attacks&lt;/p&gt;
	&lt;small&gt;Sucuri&lt;/small&gt;
&lt;/blockquote&gt;&lt;br /&gt;
Sucuri have been investigating this topic. &lt;a href="http://blog.sucuri.net/2012/10/popular-sites-with-apache-server-status-enabled.html" class="bbcode_url"&gt;Their research&lt;/a&gt; crawled over 10 million websites and found that a large number of them keep their server-status page open. Here is a short list of the more popular ones; many have been fixed since the report was released, so they have been omitted:&lt;br /&gt;
&lt;a href="http://www.staples.com/server-status/" class="bbcode_url"&gt;www.staples.com/server-status&lt;/a&gt;&lt;br /&gt;
&lt;a href="http://metacafe.com/server-status/" class="bbcode_url"&gt;www.metacafe.com/server-status&lt;/a&gt;&lt;br /&gt;
&lt;a href="http://www.ford.com/server-status/" class="bbcode_url"&gt;www.ford.com/server-status&lt;/a&gt;&lt;br /&gt;
&lt;a href="http://www.cisco.com/server-status" class="bbcode_url"&gt;www.cisco.com/server-status&lt;/a&gt;&lt;br /&gt;
&lt;a href="http://apache.org/server-status" class="bbcode_url"&gt;www.apache.org/server-status&lt;/a&gt;</description>
        <link>http://feedproxy.google.com/~r/hackthisuk/~3/ywFQfSw5kHc/apache-web-servers-exposing-data</link>
        <pubDate> Thu, 01 Nov 2012 19:34:09 +0000</pubDate>
     <feedburner:origLink>http://www.hackthis.co.uk/news/apache-web-servers-exposing-data</feedburner:origLink></item>  
     <item>
        <title> Information leaked via weather.gov vulnerability</title>
        <description>The US National Weather Service has been compromised through a vulnerability in the weather.gov website. Sensitive data from the government system has subsequently been released. Credit has been taken by &amp;quot;Kosova Hacker's Security&amp;quot;, according to a post on &lt;a href="http://pastebin.com/vW6UFSZe" class="bbcode_url"&gt;pastebin.com&lt;/a&gt;. The attack took place a few days ago and the vulnerability has since been fixed. The leaked information contains lists of files that hold account user names and other sensitive information. With these account names, brute force attacks can be used to try to compromise the entire server.&lt;br /&gt;
&lt;br /&gt;
Examining an &lt;a href="http://img577.imageshack.us/img577/70/30c8d92162864d4d9cc2d32.png" class="bbcode_url"&gt;image&lt;/a&gt; of the alleged hack included in the Pastebin document shows that the group exploited a local file inclusion vulnerability. If you are not sure what this is then you should have a look at one of our &lt;a href="http://www.hackthis.co.uk/articles/common-php-attacks-directory-traversal" class="bbcode_url"&gt;articles&lt;/a&gt;. The Pastebin document also claims the attack was in retaliation for American attacks against Muslim nations. According to &lt;a href="http://thehackernews.com/2012/10/sensitive-server-info-leaked-from.html" class="bbcode_url"&gt;THN&lt;/a&gt; this is related to cyber attacks against Muslim countries:&lt;br /&gt;

&lt;br/&gt;
&lt;blockquote&gt;
	&lt;p&gt;They hack our nuclear plants using STUXNET and FLAME like malwares, they are bombing us 24*7, we can't sit silent - hack to payback them&lt;/p&gt;
	&lt;small&gt;Kosova Hacker's Security&lt;/small&gt;
&lt;/blockquote&gt;&lt;br /&gt;
The THN report also states that an XSS attack was successful elsewhere on the site; again, this has already been fixed.</description>
        <link>http://feedproxy.google.com/~r/hackthisuk/~3/kAjLgWOkHIQ/Information-leaked-via-weathergov-vulnerability</link>
        <pubDate> Fri, 19 Oct 2012 15:38:58 +0100</pubDate>
     <feedburner:origLink>http://www.hackthis.co.uk/news/Information-leaked-via-weathergov-vulnerability</feedburner:origLink></item>  
     <item>
        <title> Pacemakers: Weapons capable of mass murder</title>
        <description>Barnaby Jack, an &lt;a href="http://www.ioactive.com/" class="bbcode_url"&gt;IOActive&lt;/a&gt; researcher, has given a speech at the Breakpoint security conference in Melbourne, Australia, detailing how he has been able to reverse-engineer pacemaker transmitters, making it possible to deliver hacked firmware to any compatible device within a 30 foot range. This firmware could be made to force the device to deliver a deadly 830 volt electric shock. Only one brand of pacemaker has been exploited so far, which he declined to specify (for obvious reasons). The discovery could result in &amp;quot;anonymous assassination&amp;quot; and, in a realistic but worst-case scenario, &amp;quot;mass murder&amp;quot;.&lt;br /&gt;

&lt;br/&gt;
&lt;blockquote&gt;
	&lt;p&gt;The worst case scenario that I can think of, which is 100 percent possible with these devices, would be to load a compromised firmware update onto a programmer and ... the compromised programmer would then infect the next pacemaker or ICD and then each would subsequently infect all others in range&lt;/p&gt;
	&lt;small&gt;Barnaby Jack&lt;/small&gt;
&lt;/blockquote&gt;&lt;br /&gt;
The exploit took advantage of a &amp;quot;secret function&amp;quot; that would activate all devices in range, and return model and serial number information. &amp;quot;With that information, we have enough information to authenticate with any device in range,&amp;quot; Jack said. While reverse-engineering the transmitter terminal he found there was no encryption or obfuscation and even found user names and passwords that appeared to be for the manufacturer's development server.&lt;br /&gt;
&lt;br /&gt;
He was able to show the technique in action via a demonstration video that could not be released publicly in case it was possible to identify the manufacturer. He hopes that the demonstration will spur manufacturers to correctly secure such devices: &amp;quot;sometimes you have to demonstrate the darker side,&amp;quot; he said.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Read more:&lt;/b&gt;&lt;br /&gt;
&lt;a href="http://www.scmagazine.com.au/News/319508,hacked-terminals-capable-of-causing-pacemaker-mass-murder.aspx" class="bbcode_url"&gt;SC Magazine&lt;/a&gt;</description>
        <link>http://feedproxy.google.com/~r/hackthisuk/~3/Na2BAemSyyU/pacemakers-weapons-capable-of-mass-murder</link>
        <pubDate> Fri, 19 Oct 2012 11:30:07 +0100</pubDate>
     <feedburner:origLink>http://www.hackthis.co.uk/news/pacemakers-weapons-capable-of-mass-murder</feedburner:origLink></item>  
     <item>
        <title> Reading someone's Gmail doesn't violate federal statute</title>
        <description>Emails have been considered a protected medium under the Stored Communications Act (SCA), which is defined in the US law as follows:&lt;br /&gt;

&lt;br/&gt;
&lt;blockquote&gt;
	&lt;p&gt;(i) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (ii) any storage of such communication by an electronic communication service for the purposes of backup protection of such communication.&lt;/p&gt;
	&lt;small&gt;Stored Communications Act&lt;/small&gt;
&lt;/blockquote&gt;&lt;br /&gt;
In a case decided on Wednesday 10th Oct 2012, the South Carolina Supreme Court ruled that accessing someone's &lt;b&gt;online&lt;/b&gt; e-mail without their permission doesn't violate the SCA. The justices decided that emails left on the server/cloud didn't fall under the SCA because the definition comprises two components, the storage clause (i) and a purpose clause (ii). Since there were no other copies of the emails, they &lt;b&gt;weren't considered as backup&lt;/b&gt; and thus failed to fulfil the purpose clause.&lt;br /&gt;
&lt;br /&gt;
While this case deals with a fairly narrow subsection of the SCA - what constitutes electronic storage - it's yet another example that the Stored Communications Act needs more judicial review at the very least, and possibly an entire overhaul.&lt;br /&gt;
&lt;br /&gt;
Woodrow Hartzog, a professor at the Cumberland School of Law at Samford University, pointed out that in a case like this there could still be federal liability under the Computer Fraud and Abuse Act.&lt;br /&gt;

&lt;br/&gt;
&lt;blockquote&gt;
	&lt;p&gt;...this is an issue that really calls out for U.S. Supreme Court review. Internet providers often have a national customer base. A provider in one state or circuit can have millions of customers in any other state or circuit. Given the national customer base, any disagreement among lower courts causes major headaches: ISPs don't know which rule to follow&lt;/p&gt;
	&lt;small&gt;Orin Kerr, Fred C. Stevenson Research Professor of Law&lt;/small&gt;
&lt;/blockquote&gt;&lt;br /&gt;
&lt;b&gt;Read more:&lt;/b&gt;&lt;br /&gt;
&lt;a href="http://www.volokh.com/2012/10/10/sourth-carolina-supreme-court-deepens-split-on-privacy-in-stored-e-mails-and-divides-2-2-1-on-the-rationale/?ModPagespeed=noscript" class="bbcode_url"&gt;volokh.com&lt;/a&gt;&lt;br /&gt;
&lt;a href="http://arstechnica.com/tech-policy/2012/10/reading-someones-gmail-doesnt-violate-federal-statute-court-finds/" class="bbcode_url"&gt;arstechnica.com&lt;/a&gt;</description>
        <link>http://feedproxy.google.com/~r/hackthisuk/~3/Zbor1EYe3-I/reading-someones-gmail-doesnt-violate-federal-statute</link>
        <pubDate> Thu, 18 Oct 2012 18:48:37 +0100</pubDate>
     <feedburner:origLink>http://www.hackthis.co.uk/news/reading-someones-gmail-doesnt-violate-federal-statute</feedburner:origLink></item>  
     <item>
        <title> Sniffing open WiFi networks is not wiretapping</title>
        <description>In a recent court ruling, the judge held that intercepting traffic on unencrypted WiFi networks is not wiretapping. This means that it is legal, if not always legitimate, to capture data from a public unencrypted WiFi hotspot such as a coffee shop or hotel. This decision counters a previous 2011 decision suggesting that Google may have violated the law when its Street View cars intercepted fragments of traffic on open WiFi networks. Federal law makes it illegal to intercept electronic communications, but it's not illegal to intercept communications &amp;quot;made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
The ruling is the first step in a larger case involving a company called Innovatio IP Ventures, which has accused various businesses that offer WiFi services to the public of infringing 17 of its patents. Innovatio wanted to use packet sniffing techniques to gather traffic to use as evidence. The firm was concerned that doing so might violate federal laws, so sought a preliminary ruling.&lt;br /&gt;

&lt;br/&gt;
&lt;blockquote&gt;
	&lt;p&gt;Innovatio is intercepting WiFi communications with a Riverbed AirPcap Nx packet capture adapter, which is available to the public for purchase for $698.00. A more basic packet capture adapter is available for only $198.00. The software necessary to analyse the data that the packet capture adapters collect is available for download for free. With a packet capture adapter and the software, along with a basic laptop computer, any member of the general public within range of an unencrypted WiFi network can begin intercepting communications sent on that network. Many WiFi networks provided by commercial establishments (such as coffee shops and restaurants) are unencrypted, and open to such interference from anyone with the right equipment. In light of the ease of &amp;quot;sniffing&amp;quot; WiFi networks, the court concludes that the communications sent on an unencrypted WiFi network are readily available to the general public.&lt;/p&gt;
	&lt;small&gt;Judge Holderman&lt;/small&gt;
&lt;/blockquote&gt;&lt;br /&gt;
Sniffing packets from an unencrypted network requires special software, such as Wireshark, and a computer connected to a packet capture device like the Riverbed AirPcap Nx. Although the judge states that such devices cost between $198 and $698, similar products can be purchased for as little as $10 from well-known online retailers.</description>
        <link>http://feedproxy.google.com/~r/hackthisuk/~3/fIVfk8OlPRA/sniffing-open-wifi-networks-is-not-wiretapping</link>
        <pubDate> Mon, 10 Sep 2012 13:52:49 +0100</pubDate>
     <feedburner:origLink>http://www.hackthis.co.uk/news/sniffing-open-wifi-networks-is-not-wiretapping</feedburner:origLink></item>  
     <item>
        <title> '; CREATE TABLE `Capture the Flag`;'</title>
        <description>Stripe will be hosting a Capture The Flag which will be dedicated to web-based vulnerabilities and exploits. It'll be open to anyone who's interested in trying their hand at exploiting their levels.&lt;br /&gt;
&lt;br /&gt;
If you capture the flag, you'll get a special-edition Stripe CTF t-shirt. So it's worth giving it a go.&lt;br /&gt;
&lt;br /&gt;
Head over to &lt;a href="https://stripe.com/blog/create-table-capture-the-flag" class="bbcode_url"&gt;Stripe.com&lt;/a&gt; for more information.&lt;br /&gt;

&lt;br/&gt;
&lt;blockquote&gt;
	&lt;p&gt;Start: Wednesday, August 22nd, 2012 at 11:59 AM PDT&lt;br /&gt;
End: Wednesday, August 29th, 2012 at 11:59 AM PDT&lt;/p&gt;
	&lt;small&gt;Stripe&lt;/small&gt;
&lt;/blockquote&gt;</description>
        <link>http://feedproxy.google.com/~r/hackthisuk/~3/lYh0Dfl5Yd8/create-table-capture-the-flag</link>
        <pubDate> Thu, 16 Aug 2012 21:23:38 +0100</pubDate>
     <feedburner:origLink>http://www.hackthis.co.uk/news/create-table-capture-the-flag</feedburner:origLink></item>  
     <item>
        <title> Version 5.1.0</title>
        <description>The latest update to the site brings the &lt;a href="/articles" class="bbcode_url"&gt;articles&lt;/a&gt; section online. More articles will be added as they are written; please help us out by submitting your own article (you will be rewarded with the 'writer' medal). There is also the addition of a search box in the navigation bar. This will search across users, articles and the forum once it is implemented.</description>
        <link>http://feedproxy.google.com/~r/hackthisuk/~3/bKkaJNkPUhA/version-510</link>
        <pubDate> Sat, 11 Aug 2012 17:48:36 +0100</pubDate>
     <feedburner:origLink>http://www.hackthis.co.uk/news/version-510</feedburner:origLink></item>  
  
</channel>
</rss>
