How hard is it to actually hack a website?

**DEAR _JOHN** · 02-15-2009, 02:02 PM

My computer knowledge goes back to the 70's (fortran, rpg, cobol, assembler programming in high school, some on college) so I am not much into the computer things that are going on in this day and time. I'm not totally illiterate in the computer world, but not advanced either.

This being stated, how hard is it to hack into a website? Is it simply guessing a password and going from there? I have heard things about back door this and that (saw the movies Hackers and Wargames), but don't really know. Can't they use just one really complex password to protect the system?

Just curious is all.

Just also glad we have another site to post on, but can't hardly wait to get back to the regular site.

**GneissGuy** · 02-15-2009, 03:37 PM

I have no inside info on how ASPD was hacked. However, there have been a number of web sites lately hijacked through "SQL injection" attacks. Some of these were very corporate, professionally run web sites.

Gross simplifications follow:

Web sites can be hacked many ways.

It can be a password attack, but there are other ways.

A very common way is to find a program that runs on the server that has a high level of authority to change things on the server. Then find a way to make that program do something that lets you take over the computer.

One very common example is a "buffer overflow." A program takes information from the internet as input. It takes that information and stores it in buffer in memory. The program uses a buffer that is, for instance, 100 bytes long. You feed it 1000 bytes instead. A properly written program would only read 100 characters and then stop reading. A bad program may keep reading characters and writing them into memory. If the extra 900 bytes in memory include an area where a program is stored, the attacker has now changed the program running on the server. In some cases, this allows the attacker to do things he shouldn't be able to.

It sounds stupid, but buffer overflows are very common causes of security holes.

An SQL injection attack goes as follows. You have a database running on the computer. The database program reads data from the internet, formats it, and then runs commands against it. If there are some bugs in the database program, or in the instructions you wrote for the database, the attacker may be able to make your database execute commands he included in the data he sent you.

Imagine it's something like this. You post a thread that contains: "Hello, here I am, %FORMAT C: " The database program sees, the "%" and does a format command. This assumes the "%" character is something recognized by the database program as an "escape" character that tells it to execute the rest of the string as a command.

The actual attack would usually be considerably more complicated, but that's the idea. Obviously, I wouldn't post anything that actually works.

There are many other techniques that will allow an attacker to take over a program through the internet, if the programs on your computer have security holes.

Any modern server probably has dozens of programs that talk to the internet directly. Many of these programs process the data and pass some of it to other programs. Each of these steps has the possibility of corrupting one of these programs. If one of these programs has high enough authority, it may be able to do bad things, including corrupting other programs, or adding new programs.

Depending on which program you manage to corrupt, you get the ability to do varying levels of bad things. You may be able to change posts. You may be able to change web pages. You may only be able to change avatars. You may be able to take over the apache program that serves web pages. You may be able to take over the base operating system on the computer and do everything.

Most of these techniques don't care about passwords, because the program that gets corrupted is already "logged in" to the system.

Because there are so many programs running on the computer, it's difficult for the server administrator to be sure they're all secure. Many of the programs are written by other people, so you don't know for sure how secure they are, even if the author is entirely honest. Remember that Microsoft, a $100+ billion company, produces buggy code all the time. An honest Linux/GNU software producer is bound to make some errors, too.

As I said, I have no inside information on the ASPD attack.

**The Proper Stranger (no longer active here)** · 02-15-2009, 03:51 PM

And then there's social engineering. Basically tricking people into giving you the key instead of trying to pick the lock. Pretending to be an administrator who forgot a password, a customer with questions about their bill, tech support asking to troubleshoot your computer, etc.

**Mokoa** · 02-15-2009, 05:40 PM

There are a lot of sites that continue to run old outdated releases of software. Over time hackers figure out what weaknesses these old releases have and share them among themselves. They know that the old releases are still around in many places so those places become easy targets. The release of vBulletin that ASPD runs is 2.2.8, that release is about ten years old and has weaknesses that are well known in the hacker community.

**DEAR _JOHN** · 02-15-2009, 06:18 PM

It's ashame these hackers can't take their intelligence and do good with it instead of creating problems.

**Texas Passion** · 02-15-2009, 06:37 PM

<div class='quotetop'>QUOTE (DEAR _JOHN @ Feb 15 2009, 05:18 PM) <{POST_SNAPBACK}></div>

It's ashame these hackers can't take their intelligence and do good with it instead of creating problems.[/b]

Like changing red-lights during high traffic or busting the jerks that hack into bank accounts & Sperm banks!

Seriously help save our planet and global peace for all is the best anyone could possibly do.

**TexTushHog** · 02-15-2009, 07:53 PM

Some would argue that some hackers do a useful social service by finding and exploiting holes in software. When they publicized them, it requires makers of the software to address the issue. In the case of ASPD, the hackers were obviously malicious, not just finding vulnerabilities and leaving a benign calling card.

However, and I'm relying on what has been reported and not on personal knowledge, by running wildly outdated and vulnerable software, ASPD was asking for it. That certainly doesn't excuse the criminals who perpetrated the hack, but much of the blame, at least in my mind, lies at the feet of ASPD. It's like living in a high crime area and leaving your door unlocked, open, and advertising that you're gone and have expensive stereo equipment and lots of new flat screen TVs with no security lights around your house (after you've had a previous burglary). If my law firm treated our computer security like ASPD treated theirs, I'd be out of business. And I have far less valuable proprietary information that ASPD does and don't directly derive any of my income from computer data. I doubt my firm is hack proof, but we have daily updates of software, hardware and software firewalls, daily backup of data, VPN only outside access, etc.

**GneissGuy** · 02-16-2009, 02:41 AM

<div class='quotetop'>QUOTE (TexTushHog @ Feb 15 2009, 06:53 PM) <{POST_SNAPBACK}></div>

Some would argue that some hackers do a useful social service by finding and exploiting holes in software. When they publicized them, it requires makers of the software to address the issue. In the case of ASPD, the hackers were obviously malicious, not just finding vulnerabilities and leaving a benign calling card.[/b]

Would you argue that Bernie Madoff did a service by pointing out the inadequacy of the financial regulators?
Would you argue that a car thief does a service by exposing inadequate security systems for cars?
Muggers exposing people's carelessness in where they walk?
Burglars showing that people don't secure their homes well enough?

<div class='quotetop'>QUOTE (TexTushHog @ Feb 15 2009, 06:53 PM) <{POST_SNAPBACK}></div>

...
However, and I'm relying on what has been reported and not on personal knowledge, by running wildly outdated and vulnerable software, ASPD was asking for it. That certainly doesn't excuse the criminals who perpetrated the hack, but much of the blame, at least in my mind, lies at the feet of ASPD. It's like living in a high crime area and leaving your door unlocked, open, and advertising that you're gone and have expensive stereo equipment and lots of new flat screen TVs with no security lights around your house (after you've had a previous burglary). If my law firm treated our computer security like ASPD treated theirs, I'd be out of business. And I have far less valuable proprietary information that ASPD does and don't directly derive any of my income from computer data. I doubt my firm is hack proof, but we have daily updates of software, hardware and software firewalls, daily backup of data, VPN only outside access, etc.[/b]

1) Do you know that ASPD was hacked because of old software?
2) People have a higher reasonable expectation of privacy and security dealing with a law firm than they do dealing with a site like ASPD.

I can guarantee that your computers are vulnerable to something. The question is whether a fix will be published and applied to your computers before some criminal hacker uses it to attack you.

For instance, Windows XP was released in 2001. At the end of 2005, a "WMF" vulnerability was found. A specially crafted "WMF" graphics file could be embedded in a web site, e-mail, etc.. If you browsed such a page with an unpatched version of Windows XP or Windows 2000, the WMF file could compromise your system. You did not have to click on a link. ASPD or any web site that allows you to post pictures, possibly even avatars, could be used to hack your computer. Everyone's XP or Win2k machines were susceptible during this time. If a criminal hacker knew about the exploit, he could hack you. Luckily, the fix was published pretty quickly after the vulnerability became widely known. No one is really sure that some smart criminal didn't figure this out in 2001, and quietly hack computers for 4 years without being noticed.

I can almost guarantee you that there are similar bugs in some of the software you're running now. Microsoft and Linux discover security holes all the time and issue patches. Most of these security holes sit silently on your computer for years before the criminals or the good guys discover them.

**yardape** · 02-16-2009, 09:15 AM

I've lost count of the number of popular, popularly-used, and high-visibility web sites and web-based network facilities that have been successfully hacked since, say, 9-11. There must be tens of thousands. You have targets of opportunity - e.g., credit card processors and banks, high value targets to terrorists and political nemeses - e.g., military and defense contractors, business targets - e.g., a competitor's trade secrets, and targets that offend somebody's sensibilities or social obsessions - e.g., ASPD or, some of you will recall, Ogrish, which carried beheading videos and Abu Ghraib photos a few years ago. It's so common that Congress and most of the states have passed "computer fraud and abuse" laws with stiff prison time, fines, forfeitures, and civil damages to vindicate and compensate proprietors of information technology harmed by a perp's unauthorized access. The economic costs have grown exponentially, to the point that insurance companies don't want to cover them in, say, your general business property damage policy. It's a wonder, a miracle, that all the largest global financial institutions, the IRS and the Social Security Administration haven't been totally plundered by hackers. Governments and the largest corporations can spend whatever it takes to keep their web-based networks relatively secure. But everybody else is whistling past the graveyard. Hackers who want in badly enough will get in. Someone among them already knows what you did to secure your web site and your server before you did it. It's just a matter of underworld networking + trial-and-error. If the users of a facility like ASPD wanted it walled off like it were, say, Exxon, sure, it's do-able. But would anybody come? Therein, I think, lies the dilemma.

**ck1942** · 02-16-2009, 09:29 AM

Let's put it this way, and I am citing common knowledge that has been widely reported:

Top secret U.S. government websites, computer systems, etc. have been infiltrated, compromised, copied.

If the U.S. military cannot keep hacktoids out, can we expect any civilian site to do much better?

That said, in the case of aspd, it's not so much about the loss of data, but the loss of control, the loss of format, and the regaining and the restoring of same.

Regaining control was easy enough. Locking out the whoevers is "apparent," but then the chore is to to make sure they are locked out and that the entire system is protected from further intrusions to the best of our ability, and then...

...improvement of the site and restoration of the data bases can begin, which it has.

The important thing to remember, and trust me, I know what I am about to say is true, the entire existing data base as we know it was backed up and will be made available as soon as the programmers determine no "timebombs" or "surprises" were left behind.

Cannot promise much more than that, and cannot at this point offer a firm time-table, but I do know that we appear to be closing in an announcement. (OK, I sound like a broken record, but I do know progress is being made, even if only inch-by-inch or is that MegaByte by MegaByte?)

Meanwhile, for those who are here at home2, life goes on, and more are here every day.

Feel free to spread the word to those you know to be genuine providers or bcd members at aspd.

**Ghostface147** · 02-16-2009, 12:02 PM

It's not hard at all. Social engineering is a valid and useful way of hacking, but I can hack any moderate site in less than a day. I agree with what Texastushhog says, ASPD brought it upon themselves by using outdated software. However there was no need to hack it as bad as they did. Most hackers get in to just poke around and say they did it. The select few are the destructive ones. Regardless, good thing we have this board.

**devo** · 02-16-2009, 08:14 PM

Yeah, well, I saw this documentary last year, and these bad guys crashed the whole US financial market, so they could steal a bunch of money, and get this....It was Bruce Willis that killed all those bad guys because they had his daughter kidnapped, and he set everything right.

A Hollywood actor, and he saved the world.

I'll bet he doesn't even have any computer skills..... :o

**geniusman** · 02-17-2009, 01:16 PM

Thank you so much for all the updates ck. I think that we should all be patient as I need to learn how to be LOL

**sunfish** · 02-19-2009, 04:51 PM

wow !!!!

**713hobbyman** · 02-20-2009, 06:15 PM

CK- Thank you for all of your hard work to keep us updated and as informed as you can.

Thread: How hard is it to actually hack a website?

Thread Tools

Display

Posting Permissions