I have yet to understand why and I only have anecdotal evidence (including living in Ukraine), but there's something to those places that make them breed hackers.
One of my friends' mother worked at a Bulgarian shop where all they did was translate Norton Commander into Russian (basically hex editing here and there), and then it was sold on the Russian market.
We had, up to 1988-1989, a Bulgarian company that was selling bootlegged games under their own name (yes, I bought Karateka from them, and it worked on the bootlegged Pravetz-8C - a.k.a. Apple ][/c).
But it doesn't stop there - you could (or at least back in the day) find people living in the same apartment building who were able to fix your TV, car, radio, etc. without calling a technician.
My father regularly fixed neighbors' TV sets for no money (he's an ex-military engineer - he worked in radio-location).
But then there was something about Russian, or Eastern bloc, made hardware - you take any plane, car, tank, radio, etc. - you can open it yourself and start hacking, replace parts, etc. - e.g. even the home-made products were meant to be hackable.
Now this is according to my father, who told me that it was much easier to fix Russian-produced military vehicles than anything else.
The I-fix-it culture was really thriving, and some thanks to the "communism" (there was never such a thing), but lots of kids got free education from 1st grade in computer science, hardware, rocketry, train modeling. The magazines were so cheap (and printed on cheap paper) that you could buy a dozen of them full of models, etc.
This is no longer the case (I've been living in the USA since 1999, but visit my own Bulgaria almost every year).
I wish some of those days were back, but I knew that it was a utopia we lived in....
Well take it with a grain of salt, typing this while on vacation from my lovely Bulgaria :)
In college I wrote a major research paper on market-style exchanges on the factory floors of Eastern Europe, with the underlying point that you can never really purge all market forces, that "capitalism" is more descriptive than normative.
When I think back on it, well, I'm mostly ashamed for talking out of my ass about what other people actually experienced. It'd be great to hear more of your thoughts on it.
From my point, it was never communism - ahem the simple - produce as much as you can, take as much as you need
There was one difference - central planning - all prices were fixed and you couldn't find much variety in the store (2-3 types of bread, 2-3 types of feta cheese, etc.)
Another thing was the foreign currency - read about it here - http://en.wikipedia.org/wiki/Corecom
As a kid, one of the best things was getting bananas/oranges for New Year, or getting some real dollars so you could buy Kinder eggs/Pez/Toblerone/etc. from the Corecom stores (above). Although you might have had the money, there was no easy way to exchange it.
It was a 'meh' moment for me, when democracy came, and my favourite store (selling cake, soda drinks) started also selling Kinder eggs - it was impossible for me to think that I could go and buy as many as I wanted with ... levas (our currency).
And as such they were no longer interesting :)
I had a happy childhood, maybe because I did not know anyone too rich, or too poor, and the choice was limited... okay, maybe that was not the case... But looking at all the old Bulgarian kid movies, one can see kids roaming the streets without any danger (and it was so - it was normal for me to stroll around when I was 5 or 6 years old). This gets old, a bit reddit-ish, and it's purely my experience; surely for other people it could've been a totally different story.
Not correct. All men (and women) except those in a Yeshiva (religious school). As I understand it, they can postpone their enlistment indefinitely.
I also understand this is a touchy subject in Israel right now.
Not exactly true. There are a few different computer groups, one of which requires only three years and it is nowhere near the level of sophistication of an average programmer (they are mostly responsible for the technological infrastructure of the army). The other programs require a degree beforehand (so they only go into the army at about 22) and then require 5 years of service. These are the people who create cool things. But let me say: even the things that they do are closer to things you can think about than what you would find in a sci-fi novel.
And the guy I started talking about now works for a pretty important anti-virus company; he's one of the most gifted hackers I've ever met.
There are plenty of job opportunities and the coders are relatively even more overpaid than in the West, so that's not the reason.
The real reason, I believe, is that people mostly can do this with impunity. There's very little being done to prevent or prosecute credit card fraud. In Ukraine and Russia CCs are still used very little, so this fraud hurts "the West", which is mostly seen as a good thing by the general population. Rampant piracy is practically encouraged for the same reason.
Of course this creates a barrier for doing legitimate business online. For example PayPal simply does not allow merchant accounts from Ukraine and Russia to reduce fraud. These countries are the safe haven for hosting illegal content etc. It would benefit local programmers to clean up the reputation of the country and to my great annoyance people just do not realize this. Crooks are accepted as keynote speakers at business conferences etc (they do make money, so what's the problem?)
+ a rigorous STEM curriculum
+ limited conventional job prospects
+ a social/business environment in which exploit-selling is a respectable profession
I'm Slavic but I was raised in Sweden; visits with family in the Balkans always leave me surprised at the strict education children go through.
Of course, my only perspective is from small country villages, not cities.
Or maybe it's just USA that's good at breeding anger and revenge-driven people all over the world. ;)
There's also the theory that they don't have as much to do, at least not as many distractions.
>It is not alleged that the NASDAQ hack affected its trading platform.
They could have hacked a customer (say, citigroup) and entered that way, but all they really could do is incur losses for the customer.
If they could inject "incorrect" trades, could they put themselves on the other side of those trades via normal means and so benefit from such losses?
BULLSHIT. I want to see hard evidence that there were real losses totaling more than $300 million. The justice dept loves inflating loss figures based on sentencing guidelines which mandate minimum losses for stolen info even if it was never used to commit a crime.
It's really not that much money per card for just the Heartland breach alone, even if you assume only a fraction of cards were actually being used.
The Heartland breach was discovered after card companies found a pattern of chargebacks over a number of months. If the cards hadn't been used, the breach likely would have been undiscovered, for years, if at all. It took Heartland months of investigation to find internal evidence they had been breached. The attackers had long since left and attempted to erase their tracks.
The arrest itself happened a year ago and was widely reported on gaming websites (http://www.joindota.com/en/news/3537-moscow-5-ceo-arrested-i...).
My understanding of security is fairly small, but it seems to me that there's a market to be had here ... If the expertise exists to dramatically reduce exposure, it's a question of sales or ease of use. If the expertise doesn't exist yet, someone smart might make a lot of money.
He often has screenshots and other details on the working of various markets.
Here is a market for ecommerce credentials: https://krebsonsecurity.com/2012/12/exploring-the-market-for...
What use a hacked PC has: http://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hack...
And even a thriving software industry for the bad guys http://krebsonsecurity.com/2013/07/one-stop-bot-chop-shops/
Counterpane is a company (now owned by BT) that sells managed network security services as an example of how you sell to the firms.
I can't remember exactly, but he told me what they bill him out for and it sounded like NY senior attorney level rates.
He travels overseas regularly on longer term assignments. I told him he should go out on his own but he's not entrepreneurial. He also said that a few of the "sales guys" at the firm already did that with some of the other security people last year.
There is a market there among Fortune 500 companies, for sure. The difficulties (as I've experienced it) are:
1. Companies want some omni tool that scans vulnerabilities, manages tickets, enforces policies, tests controls, etc and feeds all the data into a single database that they can run reports on.
2. Large companies (especially financial ones) don't want their data in the cloud so you have to provide some sort of support onsite.
I remember when I was working as a security consultant doing a "safe" Nessus scan of a relatively small organization that happened to have a mainframe. The mere act of scanning the ports on the mainframe caused it to crash. The whole thing had to be rebooted and it took HOURS. Essentially, a whole day of work was lost.
When we met with the CSO to talk about it he was both happy and sad: Happy that we discovered such a huge vulnerability and sad that he was going to have to explain to his superiors that an action that he undertook (hiring security consultants to perform a scan) cost the business a lot of money.
I later found out that he was fired because of the incident.
That right there explains a lot about the state of IT security in business right now.
* Secretary's workstation gets owned via zero day.
* Attacker installs keylogger.
* Attacker "breaks" the workstation's join to the domain.
* Domain admin shows up to re-join the workstation to the domain (to "fix it").
Now the attacker has the credentials necessary to manage all of AD and give themselves rights to whatever they want. Also, since AD doesn't use a salt with password hashes the attacker can now trivially obtain the passwords of every employee in the company along with things like service accounts. It's game over at that point--rebuild everything time.
Where are they getting their numbers from? Last I heard (a year or two ago), carders charged about 10 cents for foreign cards and a dollar per US card. Any actual carding researchers care to weigh in?
Sites are susceptible when user input is ... incorrectly filtered for characters used in database commands ...
think of it this way: no matter how you slice it, there are Bad Things you need to keep out of your SQL, and an easy layperson term for doing so is 'filtering'.
Recall that 'filter' != regexp.
It's something the NYSE should get "hip" to.
"SELECT ... WHERE `field_name` = '" . mysql_real_escape_string($string_value) . "'";
In all seriousness though, just be thankful you're still alive, you unappreciative uppity citizen; at least you haven't been killed by a terrorist yet.
More toddlers with guns have killed Americans this year than terrorists have.
If we are trying to save lives, worrying about terrorism is a waste of money.
That's a ridiculous argument. The Beltway sniper killed 10 people in 2002, a fraction of the number who died in car accidents that year. But tens of thousands of people had their lives disrupted as they ducked down while filling up at gas stations.
Car crashes in 2002 were in the range of 30,000 deaths. Which is orders of magnitude higher than the sniper.
So in my opinion we shouldn't waste money on NSA wiretapping that doesn't stop terrorism (because if it did it would have stopped the Boston Bombing) and instead invest that time and money into transportation infrastructure.
By doing that we would save more lives, improve our economy and most importantly still have constitutional freedoms.
If I'm wrong here, if there's more to it, feel free to correct me. I want to be empathetic with the people who set up these SQL databases, but I really cannot understand why anyone can still in 20xx get a shell via SQL statements, at a financial institution no less, after so many years of seeing others fall victim.
They can do the basic things: don't use the root MySQL user, restrict privileges on each MySQL user, use AppArmor or SELinux to isolate the mysqld process, etc. This does prevent an attacker, in most cases, from instantly uploading a shell as soon as they find any sort of injection vector.
But it does not stop an attacker from reading arbitrary values from any table in any of the databases the MySQL user has read-permissions to (which in many cases is every database on the server).
And if an attacker can effectively dump your database, generally it's a matter of cracking admin password hashes and using those to login and escalate their access. DBAs really play no part in any of that; it is the developers of the application who must be blamed here. It's their job to use good hashing mechanisms, and to prevent admin accounts from being able to escalate privileges and upload a shell to the server. And above all, to code securely and prevent SQL injection in the first place.
Also, this isn't reddit, please don't say "I know I'll get downvoted for this."
Also, I don't follow reddit, so I didn't know they say that.
In an application you may need to read user-selected data from some sort of database. As a simple example, you might accept a user's input of an article ID to fetch said article from a db. That might look something like this:
"SELECT * FROM articles WHERE id = $article_id"
Where $article_id is the input you received from your user. A valid $article_id could for example be "7"; an invalid one might be "7 OR 1=1". If the latter value is not escaped, it'd change the statement to read "SELECT * FROM articles WHERE id = 7 OR 1=1", returning all articles.
Any somewhat competent programmer would then check if $article_id contains a value of the expected type (i.e. integer, string, string that looks like an email address, ...) and use an escaping function (in PHP this might be mysql_real_escape_string) to escape any special characters (e.g. turn " into \").
If you're doing things right, you'll use a prepared statement. You'll tell your database driver the format of your query first ("SELECT * FROM articles where id = ?"), then provide the contents for your placeholders (? -> $article_id).
Prepared statements are considered more elegant and comfortable to work with; both approaches are secure when done correctly.
All of this is done by the application developer. Now the DBA only gets to work with the assembled query. How would they be able to tell a valid "OR 1=1" from an injected one?
Nonetheless, your point on holding the responsible party accountable stands -- but it's the developers, not the DBAs.
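The three approaches discussed above (string concatenation, type checking plus escaping, and prepared statements) side by side, as an added example that is not part of anyone's comment in this thread. It uses Python's built-in sqlite3 driver rather than PHP/MySQL, so it runs anywhere; the table and rows are constructed for the demonstration, and the function names are my own.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the thread).
ARTICLES = [(1, "First post"), (2, "Second post"), (7, "Seventh post")]


def make_db():
    """In-memory database with an articles table, like the one in the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)", ARTICLES)
    return conn


def fetch_article_vulnerable(conn, article_id):
    """The 'SELECT * FROM articles WHERE id = $article_id' pattern: user input is
    pasted straight into the statement, so it is parsed as SQL."""
    sql = "SELECT id, title FROM articles WHERE id = " + str(article_id)
    return conn.execute(sql).fetchall()


def fetch_article_parameterized(conn, article_id):
    """Prepared statement: the driver is told the query shape first and receives
    the value separately, so the value can never change the statement."""
    sql = "SELECT id, title FROM articles WHERE id = ?"
    return conn.execute(sql, (article_id,)).fetchall()


def fetch_article_validated(conn, raw_input):
    """Type check first (an article id must be an integer), then bind it.
    Rejecting bad input early also gives a clear error to log."""
    try:
        article_id = int(raw_input)
    except (TypeError, ValueError):
        raise ValueError(f"invalid article id: {raw_input!r}")
    return fetch_article_parameterized(conn, article_id)


if __name__ == "__main__":
    conn = make_db()
    print("benign input, vulnerable:", fetch_article_vulnerable(conn, "7"))
    print("'7 OR 1=1', vulnerable:  ", fetch_article_vulnerable(conn, "7 OR 1=1"))
    print("'7 OR 1=1', prepared:    ", fetch_article_parameterized(conn, "7 OR 1=1"))
    try:
        fetch_article_validated(conn, "7 OR 1=1")
    except ValueError as err:
        print("'7 OR 1=1', validated:   rejected,", err)
```

Run stand-alone, the vulnerable function returns every row for "7 OR 1=1" while the prepared statement returns nothing (the whole string is compared against the integer column as one value) and the validating wrapper refuses the input before a query is ever built. The DBA, seeing only the final statement text in the first case, has no way to tell the injected OR from a legitimate one, which is the point made above.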
I assumed (incorrectly) that the person designing the database was also involved in selecting the "prepared statements" or "assembled queries", or was the same person.
Now I'm thinking the problem may be more with the people building the interfaces to these SQL databases, and the languages they are using to build them.
If that's true, then "SQL injection" seems like less of an SQL-specific problem and more of a popular label for a more general "sanitization of user input" in internet-facing programs problem. That problem is as old as the web. And now we encourage every program to be a web-facing application, hosted in "the cloud". Yikes.
Anyway, I think my original comment may indeed be valid: in 20xx, in too many cases, programmer knowledge of escaping and quoting (rules that, if I'm not mistaken, originated when more people were more familiar with terminals and shells) is inadequate.
To answer your second question, Standard Query Language is very, very complicated, and you would have to be a genius to make a proper input scrubber. That's why you are supposed to use things like parameterized queries and bypass the danger of sql injection entirely. However, security mistakes still happen, and you should code in such a way that database leaks are not catastrophic.
Blaming the existing systems instead of blaming the hackers is like being an astronomer in the Middle Ages. Deciders and business owners will scream and tell you their systems are fine, and that the ones who think differently and prove otherwise are at fault.
Suppose you went out and came home to find your window smashed and your most valuable possessions gone. Would you be happy to have received an unscheduled visit from a private security consultant who decided to pay himself a handsome fee in the form of your stuff? No, you'd call the police to report a burglary.
Just because these guys were using computers and you also use computers does not mean they're basically the same as you and would be your good friends if only those mean old suits would get out of the way and let you run everything.
I was answering to the question "why were those guys using their skills for criminal activity instead of working on protecting against those crimes ?".
The thing is, I doubt company deciders really care about real computer security at all, and even if they do, the security market is very slim. OSes are not really designed with security first in mind, while they should be the first ones to do research on it, and apply it steadily.
I can find many reasons why the computer security market is still weak: there are not that many crimes because we don't use computers for many important things (even if it's on the rise), intelligence agencies prefer to let those vulnerabilities in place so they can have the upper hand to investigate or spy other countries (not talking about PRISM), and programmers are still a rare supply, and I don't really see any open discussion in university about computer security theory, it's mostly black hats/white hats folks, it's not really productive.
If those guys committed those crimes, either they are not good enough, but that also means nasdaq systems were weak, or that they were actually good enough, but the computer security job market did not propose them enough money, which is why they risked 20 year prison sentences, because it paid more.
You could compare it with the drug market. Right now those substances are illegal, which allows criminals to make huge amounts of money, but the DEA people will also make money, and are often found to work with criminals. That's an example why most of the time, crime pays, while it would be wiser to make those substance legal, and try to help drug users instead. For computer security, it could be a good idea to stimulate the security market by asking universities to create degrees, and maybe make some government programs to work on computer security, instead of letting it rot like that.
This is truly dumbfounding to me. They had normalized, searchable access to millions of credit cards. They presumably had systematic ways of siphoning off money on high balance cards in a way that no one would've ever noticed. And yet, their grand scheme was to hock the numbers piecemeal for 50 a pop?
How are such smart people so bad at business.
That's like saying anyone who runs a SaaS that helps other businesses make money for $50/m is bad at business.
6 months from the first SQLi to "Nasdaq is owned".
Sometimes I've played Neo from a public connection with recycled hardware (not bought with my card number), but at most one week on the same target.
I wish I could have the skills of those people. Not that I want to make money stolen from unknown people... I just would like to have their skills.
Could you explain what you are saying here?
There I was saying that even when I have done some security research, from an internet connection not related to me, with hardware not related to me, I've never worked on it for more than 1 week. These people were 6 months against the same target (owning it) without being detected.
It's a weird issue of "I need it now because it's important" and "I need it working well because it's important". Good, fast, cheap. Pick two.
Thanks for supporting my confirmation bias.
I never understood how people can just magically "gain access" to servers.
Another seemingly common scenario (aside from a direct attack on the server) is to spear-phish someone else inside the company, not necessarily an admin or anyone technical, into clicking on some flash applet or trojan'd excel doc or something that owns their machine, then install keyloggers, proxies, etc., and work from there until you snag a credential that lets you into the server you actually want.
Here on HN we often say "security through obscurity is no security." Relying on the fact that it is "illegal" for someone to hack your system to prevent them from doing so is similarly flawed logic.
That path has dangers all around (though, financial regulations try somewhat, don't they?) but it's a different discussion than victim blaming.
This is a company charged with processing financial information that apparently didn't sufficiently protect the data.