More Browser Hacking: What All This Means for Computer Security

Some Internet servers are protected by an Intrusion Detection System (IDS) that detects attempts to look in sensitive directories such as cgi-bin, /etc or /bin. An IDS will record the Internet address from which you accessed this directory. If the systems administrator using the IDS is paranoid, he or she might ask your online service to kick you off. Yes, your online service will be able to tell it was you who was doing this browser hacking.
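As an added example (not from the original Guide), here is the kind of check such an IDS performs: it scans constructed web server access log lines for requests into cgi-bin, /etc or /bin, normalizes the path so `..` tricks are still caught, and records which source address made them. The log lines and addresses are made up for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample of combined-format access log lines (not from the original page).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2013:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2013:14:02:19 +0000] "GET /cgi-bin/ HTTP/1.1" 403 199
198.51.100.23 - - [10/Mar/2013:14:03:02 +0000] "GET /about.html HTTP/1.1" 200 2048
203.0.113.7 - - [10/Mar/2013:14:03:40 +0000] "GET /../../etc/passwd HTTP/1.1" 404 210
192.0.2.88 - - [10/Mar/2013:14:04:05 +0000] "GET /images/logo.png HTTP/1.1" 200 9000
203.0.113.7 - - [10/Mar/2013:14:04:22 +0000] "GET /bin/sh HTTP/1.1" 404 210
"""

# Directories the Guide names as the kind an IDS watches.
SENSITIVE_PREFIXES = ("/cgi-bin", "/etc", "/bin")

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def normalize_path(path):
    """Drop the query string and collapse '.' / '..' so /a/../etc/passwd -> /etc/passwd."""
    path = path.split("?", 1)[0]
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)

def is_sensitive(path):
    """True when the normalized path is one of the watched directories or lies inside one."""
    norm = normalize_path(path)
    return any(norm == p or norm.startswith(p + "/") for p in SENSITIVE_PREFIXES)

def find_probes(log_text):
    """Return {source_ip: [(timestamp, normalized_path), ...]} for requests into watched directories."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_sensitive(m.group("path")):
            hits[m.group("ip")].append((m.group("ts"), normalize_path(m.group("path"))))
    return dict(hits)

if __name__ == "__main__":
    for ip, events in find_probes(SAMPLE_LOG).items():
        print(ip, "made", len(events), "probe(s):", [p for _, p in events])
```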

Your solution is to MAKE FRIENDS WITH TECH SUPPORT at your online service. If you use some giant company such as AOL, MSN or Earthlink, this is impossible because there are too many people and they usually work about a thousand miles from your home. Your best bet is to look in the Yellow Pages of your phone book for small local online services. If they are willing to make friends with you, and understand that you are purely interested in knowledge, sign up with them and your troubles are over. That's what I (Carolyn Meinel) do.

Why doesn't every web site let your browser see and download all sorts of goodies that aren't on the official web site? Stuff like passwords and administrative programs and documents? As you have surely seen, a bad attitude person can do a lot of harm with some of the things you have learned in this Guide.

The answer is, you can get away with these stunts whenever systems administrators haven't used decent Web server and file transfer protocol programs, or they may have configured them wrongly. While researching this Guide, I was amazed to discover that some organizations that pride themselves on being experts at computer security run misconfigured websites. Whoopsie!

That brings us to the best use of this Guide. You can use these techniques to test your web site for vulnerabilities. See if you can find any of these problems at Happyhacker.org -- I'll give you credit in our ezine if you can find something misconfigured.

When you find these problems at other web sites, you can make the Internet a better place by politely telling the webmasters or sysadmins about it.

Have a bad day way: "Dude, your web server's all f***ed up. You sure are a laymer!!!!"

Have a nice day way: "While using Google, a search I ran turned up a link to your customer database. Here's the exact link (insert here). You might consider installing the latest version of Apache, which I have found to be far easier to configure. Or perhaps get a BRICKServer web appliance, which I use for most of the web sites I administer. It's as easy to use as falling off a log."

Notice that in the "nice day way" I don't tell the administrator he or she is a dummy. Anyone can make a mistake, especially if they are stuck because of some management decision with running a web server that isn't very easy to configure, or that is inherently insecure. Apache has the advantage of being free from Apache.org. BRICKServer is, in my humble opinion, the most secure and easy to administer server for web, email and file transfers, but some outfits can't afford it.

Generally the best email address for sending warnings of insecurities is webmaster@victim.com (substitute the real web site name for victim.com). Or if you figured out who the sysadmins are by viewing the password file, you can amaze them by emailing them at their user name addresses.

I've made friends by alerting people to their security problems. Just be careful not to make them think you are looking for a job or consulting contract, because that can make a bad impression. If they discover that someone has broken in using a weakness you told them about, some people could jump to the conclusion that you did it in order to get money from them. So if you are careful to make it clear that you don't want money, you can avoid nastiness and make friends.

This is a Guide devoted to *legal* hacking! If anyone plans to use any information in this Guide to commit crime, check out http://happyhacker.org/crime/ to find out what happens to bad hacker girlz and boyz.

You are welcome to join our chat groups at http://happyhacker.org/jirc/ .

Clown Princess and author of this Guide to (mostly) Harmless Hacking: Carolyn Meinel, (505)281-0490

Happy Hacker is part of a 501 (c) (3) tax deductible organization

Why do we freely give out information that even the total beginner may use as a two-edged sword of cyberspace power? We do this "to turn over to mankind at large the greatest possible power to control the world and deal with it according to its lights and values." -- Robert J. Oppenheimer, head of the Manhattan Project, which created the world's first nuclear weapons.  


© 2013 Happy Hacker All rights reserved.