Could Terrorist Hackers Hijack Drones over the US?

The news wires were abuzz today over a Homeland Security Subcommittee meeting. Several committee members were alarmed over issues raised concerning drone use in US skies. The government plans to steeply increase the number of active drones in the US by 2015. But it wasn’t necessarily the increase of drones that was the issue. University of Texas Professor Todd Humphreys raised much more serious concerns.

Humphreys testified before the committee that US drones could be taken over and possibly used against American citizens. “I am worried that it could be a weapon in the arsenal of organized crime, or state actors, or organized terrorists,” he explained.

Last month, the Texas professor demonstrated that civilian GPS signals could be spoofed and a drone could, in effect, be hijacked and steered by the attacker. The threat is small today, but as the fleet grows it becomes an attractive target for terrorists. “In 5 or 10 years you have 30,000 drones in the airspace, each one of these could be a potential missile used against us”, Humphreys said to Fox News.

Drones may also be much larger in the next few years. There have been several mentions of delivery companies possibly using large drones in the future. And with the increased interest from local and federal law enforcement, there is also the possibility of armed drones in US skies. Terrorist hackers controlling either type of aircraft would be very concerning to the public.

Hopefully the politicians at the Homeland Security meeting got the point and understand the risks. Drones need to be hardened against subversion attacks before they become a common fixture over US cities.

Hacker Free Holiday Shopping

Oh, the joy of the Holidays. You may, like many, decide to buy some (or all) of your gifts online this year. And why not? Why go out in the cold, snow and slush, fight traffic, and have to walk a mile from the only available parking spot? Why push through aisles of crabby people only to find out that the person in front of you just bought the last Nerf N-Strike Stampede?

When you could have just stayed home in your jammies and fuzzy slippers and ordered it online…

Shopping online is fantastic. But unfortunately there are some modern day Grinches out there that try to ruin it for everyone. That latest e-mail you received from a “name brand” store that has the super Nerf Vulcan Automatic Heavy Blaster for half price just may not be legit. It could be a fake e-mail that leads you to a spoofed site.

Spoofed sites are a common technique that hackers use to collect personal & financial information from unsuspecting victims. A spoofed site is a site that is run by hackers, and is camouflaged to look like the website of a real store. Many times it is very hard to tell the difference between a spoofed site and a real one. Here are some browser screenshots comparing legit websites with sample spoofed sites.

See if you can tell them apart:

(Screenshots: the real Sears site above, the spoofed copy below.)

Wow, pretty much identical. The one on the top is the original site. The one on the bottom is fake. The only discernible difference is the address bar. If you look closely, the real site says “http://www.sears.com” while the fake site says “http://192.168.96.128”.

The address 192.168.96.128 is a private (RFC 1918) address that is not routable on the public internet, so it only works in this lab; a real spoofed site would be using a live, public IP address. Internet Explorer 8 tries to help you out against these types of attacks by highlighting the website (domain) name in the address bar. If you look at the address bar on the top, sears.com is in bold.

Here is another example:

(Screenshots: the real Amazon site above, the spoofed copy below.)

Okay, these aren’t quite identical, but this shows that spoofed sites can look and behave just like the real ones. The advertisements have dynamically updated on the spoofed site just as they would on the real one. So advertisements aside, the only real difference is the address bar.

If you look closely, the real site has “amazon.com” highlighted and again the fake site just lists an IP address. One other difference is the icon in the address bar: the real site has the Amazon icon and the fake one has the generic Internet Explorer icon. But this is not always the case, since a favicon is just another file the attacker can copy.

Using the IP address is just one tactic hackers use. For additional ways site names are spoofed check out my article, “Spoofing a Website Address: How to Obscure a URL”.

Please be careful this Holiday Season as you shop for your loved ones. Be wary of clicking links in e-mails, especially in unsolicited mail. You can always type the store’s address into the browser yourself and find any deals that are legit.

Have a happy and safe Holidays!


Backtrack 4: Social Engineering Toolkit (SET) – Introduction

By David Kennedy, the creator of SET. Probably the most impressive social engineering penetration tool that I have ever seen. Full set of instructional videos available at Kennedy’s website – SecManiac.

Spoofing a Website Address: How to Obscure a URL

I have been asked recently about the dangers of clicking on unknown links in e-mails. This led to a discussion on how hackers disguise website addresses, or URLs. There are actually several tactics that spammers and hackers use to disguise a website address. Today, I wanted to take a quick look at some of them.

Microsoft released a good article on how to recognize spoofed sites. Spammers will try to register website names that are close to the website they are trying to spoof. For example, misspellings like Micosoft or Mircosoft would be options for someone trying to spoof Microsoft. Another common tactic is to use the digit “0” in place of the letter “O” (or the digit “1” in place of a lowercase “l”). Adding extra words to the website name works as well, like security-microsoft.com, which is a completely separate domain that anyone can register. Internet Explorer 8 tries to help you recognize these tactics by always highlighting the domain name in bold so you can verify the spelling.

Also, spammers will use very long links to disguise the actual site that they are trying to send you to. The host name alone (the Fully Qualified Domain Name) can be up to 255 characters, and the path after it can be far longer, so when the address is displayed in an address bar, status bar or e-mail client it gets cut off and you cannot see the whole thing. They will add some official looking directories to the path to make it look more legit. For example:

http://www.malwarebadsite.com/up_to_no_good/exploited_machines/…lots_of_random_junk…/Official/Microsoft/Security/Updates/. When displayed, you will only see the “/Official/Microsoft/Security/Updates/” part of the address.

Okay, these ones you could catch if you scrutinize the address closely enough. But there are other ways to write a host name. For example, you can use the IP address instead of the name. If you open a command prompt and type “ping google.com” you will see something like “Pinging google.com [72.14.204.103]”. You can take that number, place it into the Internet Explorer address bar, and you will end up at Google.com. That one is well known, but how else can you write the address? Here are some less known ways to write the same internet address:

  1. DoubleWord (dword): the four octets packed into a single 32-bit number, written in decimal. Google.com in dword is 1208929383.
  2. Hexadecimal: Google.com in hex is 0X480ecc67 (convert the IP to hex and then add “0x” in front so IE knows that it is a hex number).
  3. Octal: Google.com in octal is 0110.016.0314.0147 (convert each octet of the IP address to octal, and then add a “0” in front of each number so IE knows that it is octal).

Go ahead, copy and paste any of the numbers above into your IE browser and you will end up at Google.com. Or you can “ping 1208929383” from a command prompt and you will get a response from 72.14.204.103, because the same parsing rules live in the operating system’s inet_aton routine, not just the browser. Firefox seemed much stricter than IE about these: pasting the numbers into Firefox did not seem to work, and I got a DNS error or BAD ADDRESS error message. Do not count on that, however; browsers that follow the current WHATWG URL Standard accept all of these forms. Hackers will use the numbered IP addresses instead of a domain name to further mask the malware site.

If you want to know more, an excellent article for converting IP addresses to other forms and full instructions on how to do so can be found at PCHelp.com. Two sites that are helpful in converting the IP address are IPAddressLocation and IPAddressConverter.

One last point to keep in mind. Address spoofing is not just used by vicious hackers. Sometimes your own users may be using this tactic as well. When you set up your firewall filter and block sites that you don’t want your users on, a filter that only matches the literal host name can be bypassed with the tricks listed above. So if you want to keep people off youtube.com, you may need to also block the actual IP address, and possibly the dword, hex and octal variants listed above, or better, have the filter canonicalize whatever the user typed to a real IP address before comparing it. I have seen SOHO setups where specific sites were blocked by name, allowing no access to the domain name, but you could still get to them by putting in the IP address.
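The conversions in the numbered list above and the filter problem just described both come down to the same parsing rules, so here is an added example (my own code, not from the Microsoft article or the converter sites mentioned) that produces the dword, hex and octal forms of an address and decodes any of those forms back to dotted-decimal, then uses that canonical form in a simple URL filter. It assumes the inet_aton rules (a “0x” prefix means hex, a leading “0” means octal, and the last of up to four dot-separated parts fills the remaining bytes); the blocklist entries and the address 72.14.204.103 are taken from this post and are not claims about what Google resolves to today.

```python
"""Encode an IPv4 address the ways IE accepts them (dword, hex, octal) and
decode any of those forms back to dotted-decimal, so a URL filter can compare
the canonical address instead of the literal host string."""
import ipaddress
import urllib.parse


def ip_to_dword(ip: str) -> str:
    """72.14.204.103 -> '1208929383' (the 32-bit value as one decimal number)."""
    return str(int(ipaddress.IPv4Address(ip)))


def ip_to_hex(ip: str) -> str:
    """72.14.204.103 -> '0x480ecc67' (the same 32-bit value in hex)."""
    return "0x%08x" % int(ipaddress.IPv4Address(ip))


def ip_to_octal(ip: str) -> str:
    """72.14.204.103 -> '0110.016.0314.0147' (each octet in octal, leading 0)."""
    return ".".join("0%o" % int(octet) for octet in ip.split("."))


def _parse_part(part: str) -> int:
    # Prefix rules assumed here are those of inet_aton(3) and the browsers:
    # "0x" means hex, a leading "0" means octal, anything else is decimal.
    if part[:2].lower() == "0x":
        digits, base = part[2:], 16
    elif len(part) > 1 and part[0] == "0":
        digits, base = part[1:], 8
    else:
        digits, base = part, 10
    if not digits or not digits.isalnum():   # rejects "", "0x", "1_0", "+5"
        raise ValueError(part)
    return int(digits, base)


def host_to_ipv4(host: str):
    """Return the dotted-decimal form of a numeric host written in any of the
    forms above (1 to 4 dot-separated parts), or None if it is not numeric."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    # Every part but the last is a single octet; the last part supplies
    # all of the remaining bytes (so one part alone is the whole dword).
    if any(n > 255 for n in nums[:-1]):
        return None
    remaining_bytes = 5 - len(nums)
    if nums[-1] >= 256 ** remaining_bytes:
        return None
    value = 0
    for n in nums[:-1]:
        value = (value << 8) | n
    value = (value << (8 * remaining_bytes)) | nums[-1]
    return str(ipaddress.IPv4Address(value))


# Constructed blocklist for the filter example. The IP is the one this post
# got from "ping google.com"; it is not an assertion about today's DNS.
BLOCKED_NAMES = {"youtube.com", "google.com"}
BLOCKED_IPS = {"72.14.204.103"}


def is_blocked(url: str) -> bool:
    """Block by name, and block the same address written in any numeric form.
    A name-only filter would let http://1208929383/ straight through."""
    host = urllib.parse.urlsplit(url).hostname or ""
    canonical = host_to_ipv4(host)
    if canonical is not None:
        return canonical in BLOCKED_IPS
    host = host.rstrip(".")
    return any(host == n or host.endswith("." + n) for n in BLOCKED_NAMES)


if __name__ == "__main__":
    ip = "72.14.204.103"
    for form in (ip_to_dword(ip), ip_to_hex(ip), ip_to_octal(ip)):
        print("%-22s -> %s" % (form, host_to_ipv4(form)))
    for url in ("http://www.youtube.com/", "http://1208929383/", "http://0X480ecc67/"):
        print("%-28s blocked=%s" % (url, is_blocked(url)))
```

Note that a name-based rule still cannot catch a user who types the IP address of a site you only listed by name; to close that hole the filter has to resolve the blocked names to addresses (a lookup this offline example deliberately skips) and add those addresses to the IP set, which is exactly the manual step suggested above.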