“We cannot change our past. We cannot change the fact that people act in a certain way. We cannot change the inevitable. The only thing we can do is play on the one string we have, and that is our attitude.” -- Charles Swindoll
Getting into the mind of the 'hacker' is often difficult because they're so elusive and don't necessarily want to give interviews... unless you're a Wh1t3 Rabbit. So with you readers in mind, I decided to see if I could get a peek into the mind of the hacker who was selling pwn3d sites (here: http://www.srblche.com/index.html ) and hacking services.
There have been some good write-ups in the media already, but they're all making assumptions... I'd rather have the answers directly from the hacker him- or herself.
I don't think you can adequately protect yourself unless you understand your enemy - so with that in mind I fashioned some questions which the hacker would likely answer... so here you go. I hope we're able to learn something here... I will do a brief analysis of the answers after the Q&A.
The Q&A with hacker "srblche srblchez"
- Are you really making any money on this hack, now that it's public? - Yes, up to thousands of dollars. Depends on the value of the targets.
- Aren't you afraid of being caught, arrested, and prosecuted? - I didn't force the law. (Law does not protect fools.)
- Why target government-related websites? - Customers are dying to know edu/gov/mil's database information such as military actions/papers/docs, evidence of staff such as real names, phones, contact email, address, etc. for their special operations, such as spamming or private operations. CPA leaders.
- How long did it take you to gather this list of targets? - Couple of minutes. Thanks, Google, for making hacking easier.
- Did you write all your own scripts, exploits or code? - Yes, mostly Perl/Python.
- ...and then how long did it take to actually pop those sites? - Couple of seconds.
- Do you have a favorite exploit (XSS, SQLi, RFI, etc.)? - Remote exploits mostly, and SSH brute forcing.
- Do you think any particular framework or dev language (PHP, etc.) is any more vuln than others? - PHP, ASP, CFM are the most stupid code frameworks, and the most vulnerable.
- Do you think the admins of these sites would ever notice these sites were hacked if this didn't become public? - Well, honestly, I am not a defacer (the one who changes the whole database, removes the target files and makes a big NOTICE that even the stupid system administrators will notice). No, I just finish my goals, which are gathering the information, which is the most valuable in my case. Then I remove my logs and disappear like a ghost.
- Why are the prices so low? - Well, in marketing, the lower the prices, the more customers. It depends on your product quality, so I am providing good quality at a good price, and that brings more customers.
- Do you have any ethical problems with exploiting and then profiting from poor security on these sites? - Not at all. Each vulnerable site I face, I directly email the web admin. If I see no reply, I publish it.
- Do you think web site/application security is getting any better over the last 5 years? 3 years? - I've been into security since 1996. Simply, I SEE NO CHANGES and it's become worse than ever.
- Are you part of an organized group? Or do you work alone? - I used to be a member of the m00p crew, but all my friends have been arrested, or most of them. I used to be a member of the milw0rm organization, but no more since str0ke quit.
- Can you give any advice for people who build web sites? How to protect themselves from people like you? - There's a bunch of useful web site vulnerability scanners such as *******; it's good if you give your site a couple of seconds of checking for vulns.
Apparently, even at a maximum of $500 USD per site, selling hacked web sites is still lucrative. What this means is that there is an economy of scale that we in the general industry are probably not aware of.
If you can afford to sell something of value cheaply, then economic sense tells us that you must be selling a lot of it to make money... right?
Clearly our hacker isn't afraid of being caught and has no moral issues... so I'm going to make a leap and say that these won't be the only hacks he/she conducts - there were and will be more.
An independent attacker who writes their own scripts and hacks in 'a couple of seconds' is your worst nightmare as a security professional, mostly because the velocity of attack is so great and the likelihood of being caught by a detection system like an IPS is so low.
What I do find interesting is the method of penetration, which the attacker describes as 'remote exploits and SSH brute forcing'... in other words, a combination of attacks like SQL injection at the application layer and SSH brute force at the system level to achieve a complete compromise.
System admins thought they had things figured out and that the hackers were moving exclusively to the web layer... apparently that's not as true as we'd like to think. Passwords are still your weakness (SSH brute-forcing), and we all know that web applications are written just as poorly today as ever - so we've got serious issues out there.
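The SSH brute-forcing the hacker describes is loud on the target host even when it is fast: every failed password attempt lands in the sshd auth log. The following is an added example, not code from the original post or from anyone it discusses, showing the kind of rate-based detection a defender can run over those lines. The log lines are constructed samples in standard syslog/sshd format (hostnames, PIDs and the documentation IP addresses are made up), and the threshold and window are assumed values a defender would tune: it flags a source IP once it produces five failures within sixty seconds, and raises a higher-priority alert if that same IP then gets an "Accepted" login, which is the case the page is really worried about (a password guessed, then the attacker "disappearing like a ghost").

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd auth log (not taken from the page). Syslog format
# carries no year, so parse_line() takes one as a parameter.
SAMPLE_AUTH_LOG = """\
Jan 10 03:14:01 web01 sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Jan 10 03:14:03 web01 sshd[2213]: Failed password for root from 198.51.100.7 port 40123 ssh2
Jan 10 03:14:04 web01 sshd[2215]: Failed password for invalid user oracle from 198.51.100.7 port 40124 ssh2
Jan 10 03:14:06 web01 sshd[2217]: Failed password for invalid user test from 198.51.100.7 port 40125 ssh2
Jan 10 03:14:07 web01 sshd[2219]: Failed password for root from 198.51.100.7 port 40126 ssh2
Jan 10 03:14:09 web01 sshd[2221]: Failed password for root from 198.51.100.7 port 40127 ssh2
Jan 10 03:14:10 web01 sshd[2223]: Accepted password for root from 198.51.100.7 port 40128 ssh2
Jan 10 03:20:15 web01 sshd[2300]: Failed password for alice from 203.0.113.5 port 51000 ssh2
Jan 10 03:20:40 web01 sshd[2302]: Accepted publickey for alice from 203.0.113.5 port 51001 ssh2
"""

# Matches the two sshd outcomes we care about: "Failed <method> for [invalid user] <user>"
# and "Accepted <method> for <user>", both followed by the source IP and port.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2024):
    """Parse one sshd auth line into a dict; return None for lines we don't track."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Sliding-window detector (threshold/window are assumed tuning values).

    Emits one 'brute_force' alert per source IP when it reaches `threshold`
    failures inside `window_seconds`, and a 'success_after_brute_force' alert
    for any later Accepted login from an IP that was already flagged.
    """
    recent = defaultdict(deque)   # ip -> deque of (timestamp, username) failures in the window
    flagged = set()               # IPs already alerted on, so we alert once per source
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["result"] == "Failed":
            q = recent[ip]
            q.append((ts, ev["user"]))
            # Expire failures older than the window relative to this event.
            while q and (ts - q[0][0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "brute_force", "ip": ip, "failures": len(q),
                               "users": sorted({u for _, u in q}),
                               "at": ts.isoformat(sep=" ")})
        elif ip in flagged:
            # A successful login from a source we already flagged is the alert
            # that matters most: the guessing worked.
            alerts.append({"type": "success_after_brute_force", "ip": ip,
                           "user": ev["user"], "method": ev["method"],
                           "at": ts.isoformat(sep=" ")})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

On the sample, the 203.0.113.5 user who mistypes once and then logs in with a key is left alone, while 198.51.100.7 is flagged at its fifth failure and again when its `root` password login succeeds. The "flagged" set never expires here, which is fine for a batch run over one log file; a long-running version would age entries out. Note that the attacker's own claim about removing logs is exactly why this should run against logs shipped off the host (remote syslog), not the local file.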
What's perhaps most telling of all is that the hacker sees virtually no changes (maybe even things getting worse) since his/her entry into security in 1996. I suppose an "I told you so" is inappropriate at this point, but the industry is still not getting it.
So is there anything to be learned here? I think so.
- Web site (in)security is complex... take a few seconds to test your applications, otherwise they'll keep ending up pwn3d and for sale.
- Whether your site is written in PHP, Java, .Net or whatever... they can all be written insecurely (and likely are), but yes, some are worse than others.
- As the hacker points out, incident response (responding to being told your site has a vulnerability) is consistently missing from most organizations' SSA programs, and it shows.
- There have been some claims (as Steve Ragan points out in his article) that Srblche is just ripping off other hackers' hacked sites and trying to make a profit... I did pose the question, and it was 'dodged' rather than answered... you draw your own conclusions.
- I got a tip from a reader (Sandro @Suffert, CTO of TechBiz Forensics and friend of the blog) that the location of the 'hacker' appears to be a Kuwait-based IP address... perhaps a proxy?
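The application-layer half of the "remote exploits" the hacker mentions, and the "written insecurely" point in the list above, come down in the common case to how a query is built. This added example (mine, not code from the post or from any site it discusses) puts the defect and the fix side by side in Python with the standard-library sqlite3 module: a login check that concatenates user input into the SQL text, and the same check using a parameterized query. The table, the user `alice` and her password are constructed; SHA-256 stands in for a proper slow password hash only to keep the example short.

```python
import hashlib
import sqlite3


def make_db():
    """Constructed in-memory user table with a single account (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", pw_hash("correct horse")))
    conn.commit()
    return conn


def pw_hash(password):
    # Placeholder hash for the demo; a real system uses bcrypt/scrypt/argon2.
    return hashlib.sha256(password.encode()).hexdigest()


def login_vulnerable(conn, username, password):
    """String-built query: whatever the user typed becomes part of the SQL statement."""
    query = ("SELECT username FROM users WHERE username = '%s' AND pw_hash = '%s'"
             % (username, pw_hash(password)))
    return conn.execute(query).fetchone() is not None


def login_hardened(conn, username, password):
    """Parameterized query: the driver passes the values separately from the SQL text,
    so a quote or comment marker in the input is just data, never syntax."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash(password)),
    ).fetchone()
    return row is not None


# A username containing a quote and a SQL comment marker. Against the string-built
# query it closes the username literal and comments out the password condition.
TAMPERED_USERNAME = "alice' --"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, wrong password, plain username :", login_vulnerable(db, "alice", "wrong"))
    print("vulnerable, wrong password, tampered name  :", login_vulnerable(db, TAMPERED_USERNAME, "wrong"))
    print("hardened,   wrong password, tampered name  :", login_hardened(db, TAMPERED_USERNAME, "wrong"))
    print("hardened,   right password                 :", login_hardened(db, "alice", "correct horse"))
```

Running it shows the vulnerable function accepting the tampered username with a wrong password while the parameterized version rejects it and still accepts the real credentials. The point for the list above is that this is not a PHP-versus-Java question: every language the post names can build the query either way, and a scanner of the kind the hacker recommends will find the first form in seconds.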