
Point and Click Cracking

An anonymous reader writes "Washingtonpost.com is running a story about a number of botnets and keylogger operations being controlled by Web-sites with point-and-click type front-end software interfaces. The sites mentioned in the story look like fairly slick PHP pages designed to sort through password data from keylog victims and update infected computers with new code or instructions. From the story: 'The hacking software also features automated tools that allow the fraudsters to make minute adjustments or sweeping changes to their networks of hacked PCs. With the click of a mouse or a drag on a pull-down menu, users can add or delete files on infected computers.'"
This discussion has been archived. No new comments can be posted.

  • Stupid Innuendo (Score:5, Insightful)

    by Bios_Hakr ( 68586 ) <xptical@gmEEEail.com minus threevowels> on Friday March 17, 2006 @10:02AM (#14941191)
    Here's what I hate about news. It's all about alluding to something powerful and blinding the users with innuendo.

    Stop mincing your words and just say it. Stop telling people about "some website" where "evil hackers" can "point and click" to crack your passwords. Just fucking say Rainbow Crack.

    It really fucking gets my goat when someone claims to have secret knowledge. What harm could have come from just saying Metasploit or Rainbow Crack? The evil doers already know. Give JoeUser actual knowledge and let him decide for himself.

    Stop pretending that you know something and the public can't be trusted with it.
  • by MoralHazard ( 447833 ) on Friday March 17, 2006 @10:11AM (#14941240)
    I'm sure someone has made this point already, but technological advances have a way of finding their maximum profitable use, regardless of how the original inventors intended their innovations to be used. I think these botnets are a similar phenomenon.

    Case in point: Thomas Edison originally conceived of the phonograph as a tool for dictation, teaching children from recorded lessons, and a few other specific apps. You know what he never, ever thought of? Recorded music. And yet, that is the killer app that made his invention a common household object and birthed one of the most successful commercial fields of the 20th century--the whole music industry as we know it wouldn't exist without the phonograph.

    We saw the same thing with the Internet, when a bunch of DARPA eggheads (no offense, I love you guys) built an academic network that turned into what may prove to be the newest and most effective mass media tool in the history of the human race. I seriously doubt that anyone involved in the original research, or even anyone engineering TCP/IP networks in the 70s and 80s, imagined what would happen after 1990.

    In the same fashion, botnets manage to apply the same basic technologies pioneered by Seti@home, distributed folding, and all of the other "beneficial" distributed computing projects that have wrung work out of the combination of 1) the popularity of the Internet, and 2) the unharnessed cycles, disk, and network I/O bandwidth of all those overpowered word processors around the world. And it's arguable that the economic productivity (at least to a few criminal types) of the botnets is overwhelmingly more than the cash made by all the originators of the concepts (yeah, I know, they're nonprofits, sheesh).

    It's kind of a shame that the killer app of distributed ad-hoc networks is so generally harmful, but that's the way the cookie crumbles. Get a firewall, install your patches, and hope to God that nobody targets you with a DoS attack.

  • by _xeno_ ( 155264 ) on Friday March 17, 2006 @10:13AM (#14941257) Homepage Journal
    At this point, browsers warn people, operating systems warn people, firewalls warn people and virus scanners worm people, and they still just have to run that trojan software for whatever pointless whizz-bang effect it adds to their mouse cursor or emails.

    Was "virus scanners worm people" a reference to the recent McAfee problem [sans.org] or just a typo? :)

    Er, anyway, my actual point was that people are now so used to being warned about installing just about everything that they just click "yes" without thinking. When you go to Windows Update or Microsoft Update for the first time, Microsoft has a nice little picture explaining how to say "yes" to the warning dialogs that come up when it tries to install the update ActiveX control.

    People are just so used to being annoyed by their computer that they mindlessly click through all the warnings anyway. The warnings don't really help, people don't bother understanding what they mean, and websites frequently include instructions on how to bypass them without explaining what the warning means [xenoveritas.org]. (I'll fix that someday. No, really...)

    The only real solution is user education. Failing that, the clue-stick (also known as a "clue-by-four") is a fun, but ultimately useless, alternative.

  • by Anonymous Coward on Friday March 17, 2006 @10:22AM (#14941300)
    Just learn to recognise the tone to know what you're dealing with, it's basic psychology.
    They're called paranoiacs and are the antithesis of 'open' people. They hoard, trade and restrict information and generally infest journalism, intelligence and large dinosaur corporations where the strict information hierarchies are comfortable. They espouse the idea that ordinary people can't handle knowing this and that, that it's for 'security' and that it's for 'your own good'. All of this is a smokescreen to hide the rather shameful truth that their lives are built on profiting from keeping information controlled, engaging in obfuscation, misdirection, fear, uncertainty and doubt.
    Invariably the defence they offer when confronted or exposed is to start calling their accusers 'paranoid', so cue tinfoil hat responses in 5, 4, 3....
  • by dtsazza ( 956120 ) on Friday March 17, 2006 @10:35AM (#14941389)
    FTFA:
    "This type of plug-and-play, click-and-hack software simply represents the commercialization of criminal activity, and in many respects lowers the technical knowledge barrier of entry to this type of crime."

    Yes. Aside from the "but is it Open Source?" jokes, I'd imagine it's not difficult for anyone with the motivation to get hold of this software - and no matter what it costs, a 'customer' could easily make that amount back and more.

    It just makes me think - how far do things have to go before people realise that computers are not inherently safe? I'm being careful not to imply that computers *can't* be safe, because of course they can and I'd imagine the vast majority of /. readers' are - but that it's not some whizzy technological environment where everything is great and snazzier is better.

    I'm talking about end-user attitudes; for a long time, public perceptions of computers and the internet have lagged behind the realities. They've shown themselves unwilling to learn out of sheer curiosity or interest in using these new tools. They've shown themselves unwilling to learn when viruses and spyware corrupt files and destabilise operating systems. Now I wonder if they'll start to pay attention to the realities of networked devices when it hits a lot of people in the wallet.

    I also wonder whether the commoditization of cracking tools will eventually shoot crackers in the foot, by making them so ubiquitous that people actually get a clue and stop falling for phishing emails. But then I remember that while crackers have the greater desire to learn and exploit, they'll always be able to stay one step ahead, and come up with some new exploit...

    And no, Trusted Computing is not the answer.

  • Re:Stupid Innuendo (Score:3, Insightful)

    by apt142 ( 574425 ) on Friday March 17, 2006 @10:35AM (#14941394) Homepage Journal
    I agree. As a web applications developer, I'm interested in making a web app as secure as possible. To do that, I must be aware of what's out there.

    Fortunately, I've had the advantage of knowing about these apps before now. But, I'm not the sort of person that goes looking for scripts to take out websites. I could make some good guesses on where to look for these things. But, I'm never going to have the time to be as aware of that area of knowledge as I could and should be. Especially if I have to rely on my own ability to find and disseminate knowledge.

    Not talking about these things doesn't make them go away. Talking about them makes it easier for the people who are most affected by these things to stay educated. And that includes everyone from the developers to clients to the PHB's.
  • System Admins (Score:5, Insightful)

    by Herkum01 ( 592704 ) on Friday March 17, 2006 @10:38AM (#14941403)

    I don't get it. How can these Hackers get these tools that do all these great things, and as a system admin I cannot get an application bundle and installed without having to try and move the Rock of Gibraltar.

    Considering as a system Admin, I would have more time and a higher budget, you would think some corporation would make some better tools to handle the more common tasks like managing and updating applications on workstations. Instead I get to read how a hacker can control thousands of machines through a configuration more complicated than Enron's accounting procedures all with a click of the button.

    Life just ain't fair.

  • by CarpetShark ( 865376 ) on Friday March 17, 2006 @10:47AM (#14941482)
    No, the real problem is systems like Windows, which promote the idea that end-users can administrate computers. It simply doesn't work, any more than it works for every driver to be their own car mechanic.
  • by Kjella ( 173770 ) on Friday March 17, 2006 @10:51AM (#14941507) Homepage
    One thing I've always wondered about script kiddies: who writes their tools for them, and why? What does the actual black hat get out of the deal? It's not like script kiddies pay for things.

    Don't know, but these parts are more of a write-once and reuse code-type. I've seen tools like this, it's like a frigging plug-in system. "Insert exploit here" "Insert shellcode here". Which doesn't mean you'll actually write code - you'll just add some modules of what it's going to do. I imagine the botnet code is similar, it's just a generic management tool. You could probably lift most of the code out of completely legitimate programs.

    I imagine the makers are "advanced script-kiddies" - they don't actually go out and make the hard parts - they just get their "whoas" by impressing other script kiddies. Lots of flash and little content, but well... it's like with DeCSS - it's the GUI guy that's famous.
  • if someone told me that there was a secret receiver on the back of your head that you had no knowledge of, and i had no idea who you were, and you had no idea who i was, and i could activate it just by pushing a button, and it would cause you to twitch and spasm and yell out words tourette's style, and i know it's not good for you, what would i do?

    a part of me wants to push the button, just to laugh at your suffering

    over time, i could probably come to enjoy it, sadistic pleasure from your pain

    even if it required a lot more effort on my part to initiate the reaction

    and if it came to define my identity, this dependence on this drug (as this behavior obviously has for some) i might even fetishistically involve myself in the tools i needed to initiate your suffering. i might have the magic button encrusted with diamonds. if it really represented the source of so much of my pleasure

    and before you sneer at me, recognize that this aspect of human behavior and this potential for asocial manipulation exists in all of us

    just look at your average kindergarten class if you think this kind of cruelty and enjoyment of others suffering, impersonal or not, is not something unfortunately intrinsic to human nature

    it's a dark side, and its defeat comes in recognizing it, not ignoring it
  • Re:System Admins (Score:5, Insightful)

    by Kjella ( 173770 ) on Friday March 17, 2006 @10:57AM (#14941567) Homepage
    I don't get it. How can these Hackers get these tools that do all these great things, and as a system admin I cannot get an application bundle and installed without having to try and move the Rock of Gibraltar.

    Well, I imagine the hackers don't give a flying fuck if it fails on 10% of the machines or how much it breaks, since it's all about numbers and it hardly matters which ones work. If on the other hand it is the fscking machine you're trying to upgrade and instead it hoses the box, I think you might be slightly more annoyed.
  • by sgtrock ( 191182 ) on Friday March 17, 2006 @11:18AM (#14941701)
    We saw the same thing with the Internet, when a bunch of DARPA eggheads (no offense, I love you guys) built an academic network that turned into what may prove to be the newest and most effective mass media tool in the history of the human race. I seriously doubt that anyone involved in the original research, or even anyone engineering TCP/IP networks in the 70s and 80s, imagined what would happen after 1990.


    I've got to question that assumption at least a little bit. Many (most?) of the scientists working on computer science related projects have always been fans of science fiction. Are you trying to tell me that they wouldn't have been aware of stories by Asimov, Heinlein, Clarke, Sturgeon, and others who all envisioned ubiquitous communications networks? Many of those authors wrote stories where ubiquitous computer systems of varying degrees of complexity were a factor. And some of those stories included all kinds of fascinating elements revolving around hacking past security measures. Certainly Gibson developed the themes far more completely later, but the elements were already there in the '50s at the latest.

    I will concede that the original design(s) were never intended to grow into the global network that we have today. They were merely prototypes. The second one based upon IPv4 was so outstandingly successful that it took off before anyone really understood what was going on.

    Suggesting that the original developers never thought about security issues also does them a disservice. They were researching communications for the DoD, for Pete's sake! The original design goal was to come up with a communications system that would be capable of surviving a nuclear war. While that particular scenario has never been tested (thank Ghu!), faulting them for not thinking through every implication of every design choice doesn't do them justice. They still designed and built a system that just runs (partial network meltdowns are always due to economic reasons, not design). This was a truly remarkable achievement. It's especially true since we see systems in place that are essentially immune to the bulk of the common attack vectors in use today. It's not the original designers' fault that so many implementations are so badly broken. It's especially not the designers' fault that the single most dominant OS in use today is also the most porous.
  • by 99BottlesOfBeerInMyF ( 813746 ) on Friday March 17, 2006 @11:33AM (#14941804)

    Most of the reasons PC's get hacked nowadays is that end users are still clicking on the links in phishing emails and then holes in the browser being exploited.

    Gee, that's great except it is not even close to being true. Most infections by number and most DDoS bandwidth is the result of automated worms that perform automatic remote exploits and require no human intervention.

    Surely it wouldn't take much for the main browser makers to put in a user idiocy filter to just say aren't you being a bit silly? Of course user education would be best but there will always be a certain newbie segment who are on the internet for the first time and will keep doing this.

    Step one, close the remote holes in the OS. Windows has gotten better with a default firewall, etc. but it still has too many services running by default and too many remote holes. Step two, close remote holes in the main internet applications. IE and Outlook need to be revamped with security as a primary component, not an add-on. Third, new applications need to be sandboxed by default and restricted from doing anything with a user's files, internet connection, address book, buddy list, other programs, OS files, and services unless the user is informed with a well made UI and presented with choices in the English language that explain what the program wants and lets the users choose the appropriate level of access. Fourth, then and only then can we successfully apply end-user education that can work to stop malware infections.

    Please note the software mentioned here does not compromise machines. (Although such GUI software does exist.) This software is used to easily manage a botnet after it has been compromised. Since botnets are big business and are often run by less savvy users, it is advantageous to be able to sell time on a botnet to a Russian mafioso, a disgruntled, rich, Arab kid, or a greedy American corporate. Since they are pretty clueless you can do better than the competition by giving them an easy to use GUI for it. I saw the logs of what appeared to be an Islamic activist using a botnet the other day to attack random IP blocks in the Netherlands. He attacked useless ports twice, making his attack very ineffective, and then took multiple tries in order to find the right command to stop the DoS attack. These are not experts anymore.

  • Re:Stupid Innuendo (Score:3, Insightful)

    by Hoi Polloi ( 522990 ) on Friday March 17, 2006 @11:50AM (#14941952) Journal
    "Would you be satisfied if a neighbor was sent to prison without a public trial? If you ask, the police could just say, "If you only knew what we know, you'd want him in prison too.""

    Yah, he's in Guantanamo Bay now.
  • by Hoi Polloi ( 522990 ) on Friday March 17, 2006 @12:11PM (#14942124) Journal
    I wonder why someone doesn't use these tools against the crooks. You say that isn't 100% legal? Many of the things our government (or major companies) does today aren't 100% legal either. Take one of these botnet tools and use it to knock out their websites, spy on their irc channels, flood them with bogus data, disable the spammers, use it to spread worms that fix holes and knock out malicious code on the botnet pcs. Fight fire with fire. Obviously law enforcement isn't going to come after you since they barely lift a finger against the crooks and most of these sites are overseas anyway.
