Formation | 2003 |
---|---|
Purpose | Hacking/media |
Location | |
Origin | Chicago, Illinois |
Founders | xec96, The_Anarchist, spiffomatic64, randomcola |
Products | HackThisZine e-zine |
Affiliations | Hackbloc |
Website | www |
HackThisSite.org (HTS) is an online hacking and security website founded by Jeremy Hammond. Since he left the organization, the site has been maintained by members of its community. [1] It aims to give users a way to learn and practice basic and advanced "hacking" skills through a series of challenges in a safe and legal environment. The organization has a user base of over a million, [2] though the number of active members is believed to be much lower. The most users online at the same time was 19,950, on February 5, 2018 at 2:46 a.m. CT. [2]
HackThisSite is run by a small, loose team of developers and moderators who maintain its website, IRC server, and related projects. It produces an e-zine, which it releases at various hacker conventions and through its Hackbloc portal; hard copies of the magazine are published by Microcosm and Quimbys. It also has a short news/blog section run by the developers.
HackThisSite is known for its IRC network, where many users converse on a wide range of topics, from current events to technical questions about programming and Unix-based operating systems. For the most part, the HackThisSite IRC network serves as a social gathering of like-minded people who discuss anything. Although the network has many channels, the main channel, #hackthissite, has the +R channel mode set, which requires users to register their nick (username) with services before they may join. This requirement helps keep bots out of the main channel, since an attacker would have to register a separate nick for every bot.
Following the split[citation needed] from its former sister site CriticalSecurity.Net, HackThisSite retained one main set of forums. Many HackThisSite users were also involved in the Hackbloc forums, but those were taken down. Before the split, most HTS discussion took place on the CriticalSecurity.net forums, in particular help with the challenges on the site and basic hacking questions, while the Hackbloc forums were used for more focused hacktivist discussion, news, and planning of future projects. The forums are sometimes criticized[who?] as too beginner-focused compared with IRC, most likely because many new users visit the forums to ask for help with the challenges. HackThisSite is taking steps to attract more qualified users to its forums.

Members contribute original texts to the articles area of the site, which is divided into sections on a range of topics, including Ethics, HTS Challenge Tutorials, and Political Activism. The articles vary widely in complexity, from walkthroughs of the missions provided by HackThisSite to discussions of advanced techniques in a variety of programming languages.
HackThisSite also hosts a series of "missions" intended to simulate real-world hacks. These range from basic missions, in which the user exploits relatively simple server-side scripting errors, to difficult programming and application-cracking missions. The missions use a points system in which users are awarded scores for the missions they complete. In general, the missions become steadily more difficult as the user advances through a particular mission category.
The Web hacking challenges include eleven Basic Web Challenges. Each challenge consists of an authentication page with a password entry box, plus other files that must be exploited or attacked in order to obtain the correct password. Successful authentication on the main challenge page advances the user to the next challenge. These challenges are generally considered simple and serve as an introduction to hacking. There are also sixteen Realistic Missions, which attempt to mimic moderately to highly difficult hacking in realistic situations. Each mission is a complete web site with multiple pages and scripts, and the user must successfully exploit one or more of the site's pages to gain access to the required data or to produce a specified change.
A Programming Challenges section also exists. It currently consists of twelve challenges that require the user to write a program which performs a specified function within a set number of seconds after the challenge is started. These range from simple tasks such as parsing provided content to reverse-engineering an encryption algorithm, and they help users develop and practice writing working code quickly under time pressure.
The goal of the application challenges is generally to extract a key from an application, which usually involves some form of reverse engineering. Other challenges involve manipulating the program's behaviour.
More recently, HTS introduced logic challenges, which moo, HTS's official bot, proclaimed were "not meant as a challenge to overcome like the rest of HTS challenges." Instead, they were intended to be solved by the participant unaided. In April 2009 they were disabled and all points earned from them were removed, partly out of concern that the answers could easily be found elsewhere on the internet. [3]
The "extended basic" missions are likewise a recent addition. They are designed as code review missions, in which participants learn to read code and search for flaws.
A set of 10 easter eggs hidden around HTS were known as the "HTS missions"; one of them, for example, was a fake Admin Panel. The developers later decided to remove the easter eggs, as some of them contained XSS and SQL injection flaws and many members submitted false bug reports as a result.
Steganography missions are also available on the website. The goal of these missions is to extract the hidden message from the media file provided; 17 steganography missions are available. [4]
There has been criticism that HackThisSite's self-description as a "hacker training ground" encourages people to break the law. Many people associated with the site state that although some of the skills taught can be used for illegal activities, HackThisSite neither participates in nor supports such activities. Nonetheless, several individual members have been arrested and convicted for illegal activity, most notably Jeremy Hammond, the founder of HackThisSite. [5]
In November 2004 the (now defunct) HackThisSite-based HowDark Security Group notified the phpBB Group, makers of the phpBB bulletin board software, of a serious vulnerability [6] [7] [8] in the product. The vulnerability was kept private while it was brought to the attention of the phpBB admins, who, after reviewing it, downplayed its risks. [9] Unhappy with the Group's failure to take action, HowDark then published the bug on the Bugtraq mailing list. Malicious users found and exploited the vulnerability, which led to the takedown of several phpBB-based bulletin boards and websites. Only then did the admins take notice [10] and release a fix. [11] [12] [13] Because end users were slow to apply the patch, the exploit was later incorporated into the Perl/Santy worm, which defaced upwards of 40,000 websites and bulletin boards within a few hours of its release.
On March 17, 2005, Jeremy Hammond, the founder of HackThisSite, was arrested following an FBI investigation into an alleged hacking of the conservative political activist group Protest Warrior. His apartment was raided by the Chicago FBI and all electronic equipment was seized. The federal government claimed that a select group of HackThisSite hackers had gained access to the Protest Warrior user database, obtained users' credit card information, and conspired to run scripts that would automatically transfer money to a number of non-profit organizations. The plot was uncovered when a participant, said to have been disgruntled with the progress of the operation, turned informant. [14] [15]
Administrators, developers, and moderators on HackThisSite are organized in a democratic but highly anarchic fashion. This structure works most of the time; when disputes arise, however, loyalties tend to become very confused. As a result, HackThisSite has a long history of administrators, developers, and moderators turning against the site and severely impairing or completely taking it down. [16] [17] In the last major attack, several blackhat dissidents gained root-level access to the web server and ran "rm -rf" over the entire site, after which HTS was down for months.
Defensive programming is a form of defensive design intended to produce programs that can detect potential security abnormalities and respond to them in predetermined ways. Its aim is to keep a piece of software functioning under unforeseen circumstances. Defensive programming practices are often used where high availability, safety, or security is required.
Drupal is a free and open-source web content management system (CMS) written in PHP and distributed under the GNU General Public License. Drupal provides an open-source back-end framework for at least 14% of the top 10,000 websites worldwide and 1.2% of the top 10 million websites—ranging from personal blogs to corporate, political, and government sites. Drupal can also be used for knowledge management and for business collaboration.
phpBB is an Internet forum package written in the PHP scripting language. The name "phpBB" is an abbreviation of PHP Bulletin Board. Available under the GNU General Public License, phpBB is free and open-source.
In computing, a crash, or system crash, occurs when a computer program such as a software application or an operating system stops functioning properly and exits. On some operating systems or individual applications, a crash reporting service will report the crash and any details relating to it, usually to the developer(s) of the application. If the program is a critical part of the operating system, the entire system may crash or hang, often resulting in a kernel panic or fatal system error.
A patch is data that is intended to be used to modify an existing software resource such as a program or a file, often to fix bugs and security vulnerabilities. A patch may be created to improve functionality, usability, or performance. A patch is typically provided by a vendor for updating the software that they provide. A patch may be created manually, but commonly it is created via a tool that compares two versions of the resource and generates data that can be used to transform one to the other.
In computing, SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution. SQL injection must exploit a security vulnerability in an application's software, for example when user input is incorrectly filtered for string literal escape characters embedded in SQL statements, or when user input is not strongly typed and is unexpectedly executed. SQL injection is best known as an attack vector against websites but can be used to attack any type of SQL database. The standard defense is to build queries with parameterized (prepared) statements, which keep user-supplied data separate from the query text, rather than by string concatenation.
Uncontrolled format string is a type of code injection vulnerability, discovered around 1989, that can be used in security exploits. Originally thought harmless, format string exploits can be used to crash a program or to execute harmful code. The problem stems from the use of unchecked user input as the format string parameter in certain C functions that perform formatting, such as printf. A malicious user may use the %s and %x format tokens, among others, to print data from the call stack or possibly other locations in memory. One may also write arbitrary data to arbitrary locations using the %n format token, which commands printf and similar functions to write the number of bytes formatted so far to an address stored on the stack.
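As an added illustration, not code from the original article or from HackThisSite, the following C program contrasts a logging call that uses caller-supplied text as its format string with the fixed form, and then shows the %n write primitive in isolation. The SECRET value and the echo_vulnerable, echo_safe, leaks_secret and write_with_n functions are constructed for this demonstration. In particular, the secret is passed as an explicit variadic argument so that the result is deterministic; in the real bug the developer passes no arguments at all, and the %s or %x directives consume whatever data happens to occupy the argument slots in registers and on the call stack.

```c
#include <stdio.h>
#include <string.h>

/* Constructed secret. In a real program this is whatever value happens to
 * sit in the next variadic-argument slot when the vulnerable call runs; it
 * is passed explicitly below only to keep the demonstration deterministic. */
static const char SECRET[] = "s3cr3t-token";

/* VULNERABLE: user-controlled text becomes the format string, so any
 * directive in `msg` pulls data the programmer never meant to format. */
int echo_vulnerable(char *out, size_t outsz, const char *msg)
{
    return snprintf(out, outsz, msg, SECRET);      /* bad: msg is the format */
}

/* FIXED: the format string is a constant and `msg` is only ever data. */
int echo_safe(char *out, size_t outsz, const char *msg)
{
    return snprintf(out, outsz, "%s", msg);        /* good */
}

/* Runs one variant on attacker-supplied text and reports whether the
 * secret ended up in the produced output (1 = leaked, 0 = not leaked). */
int leaks_secret(const char *msg, int use_vulnerable)
{
    char line[256];
    if (use_vulnerable)
        echo_vulnerable(line, sizeof line, msg);
    else
        echo_safe(line, sizeof line, msg);
    return strstr(line, SECRET) != NULL;
}

/* The %n primitive: printf stores the number of characters emitted so far
 * into the int pointed to by the matching argument. The field width of an
 * earlier directive controls that count, i.e. the value written. In an
 * exploit the pointer argument comes from attacker-placed bytes on the
 * stack, which is what turns %n into an arbitrary write. Returns the value
 * observed at *target, or -1 if the requested value does not fit. */
int write_with_n(int *target, int value)
{
    char scratch[600];
    if (value < 1 || value >= (int)sizeof scratch)
        return -1;
    /* "%*u" prints 0 padded to `value` columns; %n then stores `value`. */
    snprintf(scratch, sizeof scratch, "%*u%n", value, 0u, target);
    return *target;
}

int main(void)
{
    char buf[128];
    int t = 0;
    echo_vulnerable(buf, sizeof buf, "hello %s");
    printf("vulnerable: %s\n", buf);     /* hello s3cr3t-token */
    echo_safe(buf, sizeof buf, "hello %s");
    printf("safe:       %s\n", buf);     /* hello %s */
    write_with_n(&t, 0x41);
    printf("%%n wrote:   0x%x\n", t);    /* 0x41 */
    return 0;
}
```

Compiling with -Wall -Wformat=2 makes the compiler flag the vulnerable call, since -Wformat=2 includes -Wformat-nonliteral; with no variadic arguments at all, the default -Wformat-security warning fires as well. The practical rule is that a format string must be a literal chosen by the programmer, never data that arrived from outside the program.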
Privilege escalation is the act of exploiting a bug, a design flaw, or a configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application or user with more privileges than intended by the application developer or system administrator can perform unauthorized actions.
Database security concerns the use of a broad range of information security controls to protect databases against compromises of their confidentiality, integrity and availability. It involves various types or categories of controls, such as technical, procedural or administrative, and physical.
A file inclusion vulnerability is a type of web vulnerability most commonly found in web applications that rely on a scripting runtime. It arises when an application builds a path to executable code from an attacker-controlled variable in a way that lets the attacker choose which file is executed at run time. A file inclusion vulnerability is distinct from a generic directory traversal attack: directory traversal is a way of gaining unauthorized access to the file system, whereas file inclusion subverts how the application loads code for execution. Successful exploitation of a file inclusion vulnerability typically results in remote code execution on the web server that runs the affected application, which an attacker can use to plant a web shell and, for example, deface the site.
Kloxo was a free and open-source web hosting control panel for the Red Hat and CentOS Linux distributions. As of October 2017, the project has been unmaintained with a number of unresolved issues, and the project's website is offline.
Bugtraq was an electronic mailing list dedicated to issues about computer security. On-topic issues are new discussions about vulnerabilities, vendor security-related announcements, methods of exploitation, and how to fix them. It was a high-volume mailing list, with as many as 776 posts in a month, and almost all new security vulnerabilities were discussed on the list in its early days. The forum provided a vehicle for anyone to disclose and discuss computer vulnerabilities, including security researchers and product vendors. While the service has not been officially terminated, and its archives are still publicly accessible, no new posts have been made since January 2021.
The Anti Security Movement is a movement opposed to the computer security industry. Antisec is against the full disclosure of information relating to software vulnerabilities, exploits, exploitation techniques and hacking tools, and attacks public outlets and distribution points of that information. The thinking behind this is that the computer security industry uses full disclosure to profit and to develop scare tactics that convince people to buy its firewalls, anti-virus software and auditing services.
A vulnerability database (VDB) is a platform aimed at collecting, maintaining, and disseminating information about discovered computer security vulnerabilities. The database will customarily describe the identified vulnerability, assess the potential impact on affected systems, and any workarounds or updates to mitigate the issue. A VDB will assign a unique identifier to each vulnerability cataloged such as a number or alphanumeric designation. Information in the database can be made available via web pages, exports, or API. A VDB can provide the information for free, for pay, or a combination thereof.
H. D. Moore is an American network security expert, open source programmer, and hacker. He is the founder of the Metasploit Project and was the main developer of the Metasploit Framework, a penetration testing software suite.
TeaMp0isoN was a computer security research group consisting of three to five core members. The group gained notoriety in 2011 and 2012 for its blackhat hacking activities, which included attacks on the United Nations, NASA, NATO, Facebook, the Minecraft Pocket Edition Forums, and several other large corporations and government entities. TeaMp0isoN disbanded in 2012 following the arrests of some of its core members, "TriCk" and "MLT".
MyBB, formerly MyBBoard and originally MyBulletinBoard, is a free and open-source forum software developed by the MyBB Group. It is written in PHP, supports MariaDB, MySQL, PostgreSQL and SQLite as database systems and, in addition, has database failover support. It is available in multiple languages and is licensed under the LGPL. The software allows users to facilitate community driven interaction through a MyBB instance.
NullCrew was a hacktivist group founded in 2012 that took responsibility for multiple high-profile computer attacks against corporations, educational institutions, and government agencies.
The Java software platform provides a number of features designed for improving the security of Java applications. This includes enforcing runtime constraints through the use of the Java Virtual Machine (JVM), a security manager that sandboxes untrusted code from the rest of the operating system, and a suite of security APIs that Java developers can utilise. Despite this, criticism has been directed at the programming language, and Oracle, due to an increase in malicious programs that revealed security vulnerabilities in the JVM, which were subsequently not properly addressed by Oracle in a timely manner.
A bug bounty program is a deal offered by many websites, organizations, and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities.