How to Hack: Computer Security Experts Demonstrate Techniques Part 1

by Sarah Cortes

"It's pretty much the Wild West out there" for computer and internet hacking, warned Francis Brown of Stach & Liu, while casually demonstrating how to access thousands of administrator passwords with a few keystrokes. Brown and a number of "white hat" computer hacking experts spoke Saturday at the curiously named "Boston" Application Security Conference ("BASC"), held at the Microsoft NERD Center in Cambridge. BASC is sponsored by OWASP, the Open Web Application Security Project, a "worldwide charitable organization focused on improving the security of application software."

Brown demonstrated how poor programming techniques allow him to access secret keys and private keys of thousands of Amazon Web Services ("AWS") cloud computing accounts. AWS is widely used by commercial firms as well as individuals to host their computing services. The hacking technique is commonly known as "google hacking" because it makes use of search engines such as Google, Bing, and China's Baidu to facilitate finding and exploiting computer software vulnerabilities.

Many believe the widely publicized hacker groups Anonymous and LulzSec used similar techniques to carry out recent computer penetrations of firms such as MasterCard and Visa. Anonymous supported the release of classified US government files, including the video "Collateral Murder," by the WikiLeaks organization. It also supported the MasterCard/Visa hacks when PayPal and others attempted to cut off contributions to WikiLeaks as a reprisal for leaking classified information, which was viewed by many as embarrassing to the US military.

"White hat" computer hackers include security firms that help organizations locate their computer vulnerabilities so they can patch them. They contrast with "black hat" hackers, who hack maliciously. OWASP describes its mission as making "application security visible, so that people and organizations can make informed decisions about true application security risks."

Brown demonstrated a suite of "Diggity" tools that facilitate locating vulnerabilities using search engines. "Diggity" tools are available free of charge and were developed by Stach & Liu, a computer security consulting services firm located in Phoenix, Arizona. Stach & Liu describes itself as a "security consulting firm providing IT security services to the Fortune 500 and global financial institutions as well as U.S. and foreign governments."