I have been following the activities of the so-called ‘hacker group’ calling itself “Anonymous” for some time now, not because I support their activities but because I find the whole Anonymous, Lulzsec and Wikileaks debacle interesting.
While there is certainly a valid argument that Wikileaks is doing some good in the world, the same cannot be said for Anonymous and Lulzsec. Unlike Anonymous, though, at least Lulzsec is up front about why they attack other people’s systems. They admit to doing it for fun and entertainment, whereas Anonymous tries to justify themselves with hypocritical bullshit, such as claiming to defend free speech while simultaneously taking down the websites of perceived opponents.
Anonymous even tried to take this blog offline when I wrote the article titled “Anonymous Script Kiddies are not defending the internet.” At the time I didn’t recognise the traffic pattern as an attempted SQL Injection because I wasn’t expecting one, nor was I familiar with the tool they use to “hack” people’s websites. Needless to say, the attempted SQL Injection failed and I was able to remain online.
It turns out the method by which these groups infiltrate websites is remarkably unsophisticated. The tool being used by both Anonymous and Lulzsec to infiltrate websites is called Havij. It’s a GUI-based SQL Injection tool and is available for download here.
It is only after testing Havij against my own system that I recognised the signatures left in the server access logs by the Havij software. The most concerning thing about this is how easy it is to protect WordPress and a variety of other content management software from this type of vulnerability; yet these attacks keep on happening. In most cases securing your website is simply a matter of keeping the software up to date.
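As an added illustration (not the author's code, and not the Havij signatures, which this post does not list), the Python below scans access-log lines for generic SQL injection markers after undoing URL encoding. The log lines, addresses and pattern names are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Combined/common log format: client IP, request target, status code.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3})')

# Generic SQL injection markers (illustrative assumptions, not tool-specific).
SQLI_PATTERNS = {
    "union-select": re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I),
    "schema-enum": re.compile(r"\binformation_schema\b", re.I),
    "boolean-test": re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.I),
    "time-delay": re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
    "quote-break": re.compile(r"'\s*(?:--|#|\b(?:or|and)\b)", re.I),
}

def normalise(query):
    """Undo URL encoding (including double encoding) and inline SQL comments."""
    for _ in range(3):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    return re.sub(r"/\*.*?\*/", " ", query)

def scan(lines):
    """Return {client_ip: sorted names of the patterns seen from that client}."""
    hits = defaultdict(set)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not an access-log line we understand
        ip, target, _status = m.groups()
        query = normalise(target.partition("?")[2])
        for name, pattern in SQLI_PATTERNS.items():
            if pattern.search(query):
                hits[ip].add(name)
    return {ip: sorted(names) for ip, names in hits.items()}

# Constructed sample log lines (documentation-range addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jul/2011:10:00:01 +0000] "GET /?p=42 HTTP/1.1" 200 5120',
    '192.0.2.10 - - [01/Jul/2011:10:00:02 +0000] "GET /?s=credit+union+rates HTTP/1.1" 200 812',
    '198.51.100.7 - - [01/Jul/2011:10:00:05 +0000] "GET /?p=42%20and%201%3D1 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jul/2011:10:00:06 +0000] "GET /?p=-1+union/**/all+select+1,2,3 HTTP/1.1" 200 640',
    '203.0.113.5 - - [01/Jul/2011:10:01:00 +0000] "GET /?p=1%2527%2520or%25201%253D1 HTTP/1.1" 404 310',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Matching happens only after decoding, so double-encoded and comment-padded requests are caught while the benign "credit union" search is not flagged.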
While Lulzsec and Anonymous are using unsophisticated attacks, if they inject a vulnerable website that happens to contain sensitive information it can have dire consequences for the user, as we have seen with the recent Sony hacks in which millions of credit cards were stolen.
I believe the best way to defend yourself from the kids at Lulzsec and Anonymous is by understanding the threat. I don’t endorse trying an SQL Injection on someone’s website without their consent. Use your own system or create a honeypot.
Here are some resources I have found to get started with SQL Injections.
I do not condone any criminal activity, nor do I support the actions of either Anonymous or Lulzsec. I am only sharing what I have learned so far. Both screenshots were captured from legal penetration testing of my own systems, set up expressly for that purpose.