
Saturday, 21 May 2016

Here are the top 10 hacking techniques discovered in 2015


Hacking is a term that originated in the 1990s and is associated with the unauthorized use of computer and network resources. By definition, hacking is the practice of altering the features of a system to accomplish a goal that is outside the scope of the purpose of its creation.

Hacking is most commonly used in the context of “computer hacking”, where a threat is posed to the security of the computer and other resources. In addition, hacking has a few other forms which are less known and talked about, e.g. brain hacking, phone hacking, etc.

“Hacker” was a term used to denote a skilled programmer who had competency in machine code and operating systems. Such individuals were proficient in solving unsatisfactory problems and often interpreted competitors’ code to work as intelligence agents for small software companies.

There are three types of hackers: white hat or ethical hackers, grey hat hackers and black hat hackers. You can read about the different types of hackers here. We don't usually have to worry about ethical hackers but need to keep an eye out for the grey hat and black hat hackers, who are usually cyber criminals.

In 2015, there were a dozen big time vulnerabilities discovered by researchers. However, a few of those were actually exploited in the wild.

Here are the top 10 hacking techniques discovered in 2015:

#1 FREAK Attack

The FREAK attack is an SSL/TLS vulnerability that would allow attackers to intercept HTTPS connections and force them to use weakened encryption. The vulnerability was first reported in May, 2015 and can be read about here.

Researchers: Karthikeyan Bhargavan at INRIA in Paris and the miTLS team. You can get further details about the FREAK attack research here.

#2 LOGJAM vulnerability

The Logjam vulnerability was discovered in October, 2015. It is another TLS vulnerability that allows man-in-the-middle attacks by downgrading vulnerable TLS connections to 512-bit encryption.

A research team of David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J. Alex Halderman, Nadia Heninger, Drew Springall, Emmanuel Thomé, Luke Valenta, Benjamin VanderSloot, Eric Wustrow, Santiago Zanella-Béguelin, and Paul Zimmermann discovered this vulnerability, and you can read additional information about it here.

#3 Web Timing Attacks

Web timing attacks were revealed many years ago, but this is the first time that researchers showed how they can be executed. A Black Hat talk covered how to tweak timing side-channel attacks to make it easier to perform remote timing attacks against modern web apps.

The lead researchers on the web timing attack are Timothy Morgan and Jason Morgan.

#4 Evading All* WAF XSS Filters

Security researcher Mazin Ahmed discovered that it is possible to evade the cross-site scripting filters of all popular web-application firewalls. Once exploited, the hackers can do pretty much anything they want.

The research paper can be read here.

#5 Abusing CDN’s with SSRF Flash and DNS

Nowadays almost all big websites use content delivery networks (CDNs). Research highlighted at Black Hat looked at a collection of attack patterns that can be used against content delivery networks to target a wide range of high-availability websites.

Two researchers, Mike Brooks and Matt Bryant, discovered this hacking technique.

#6 IllusoryTLS

IllusoryTLS is an attack pattern that can wreck the security assurances of the X.509 PKI security architecture by employing CA certificates that include a secretly embedded backdoor. The vulnerability was discovered by a security researcher, Alfonso De Gregorio.

You can get additional information about IllusoryTLS here.

#7 Exploiting XXE in File Parsing Functionality

Cyber criminals can exploit XXE in file parsing functionality. A Black Hat talk examined methods of exploiting XML Entity vulnerabilities in file parsing/upload functionality for XML-supported file formats such as DOCX, XLSX and PDF.
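A defensive pre-parse screen for the upload case described above, as an added example that is not from the original post or the Black Hat talk: it rejects DOCX/XLSX uploads whose XML parts declare a DTD, which these formats never need. The function names, the size cap and the sample archives are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# OOXML parts never need a DTD, so a DOCTYPE or ENTITY declaration in an
# uploaded DOCX/XLSX is grounds to reject it before any XML parser runs.
_DTD = re.compile(rb"<!(DOCTYPE|ENTITY)\b")
_XML_SUFFIXES = (".xml", ".rels", ".vml")
_MAX_PART = 20 * 1024 * 1024  # assumed per-part size cap


def dtd_parts(upload: bytes) -> list[str]:
    """Return names of XML parts in an OOXML upload that declare a DTD."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(upload)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(_XML_SUFFIXES):
                continue
            if info.file_size > _MAX_PART:
                flagged.append(info.filename)  # oversized: reject unparsed
                continue
            # Dropping NUL bytes makes ASCII markup contiguous in UTF-16/32
            # too, so re-encoding the part does not hide the declaration.
            if _DTD.search(zf.read(info).replace(b"\x00", b"")):
                flagged.append(info.filename)
    return flagged


def make_sample(parts: dict[str, bytes]) -> bytes:
    """Build a constructed in-memory OOXML-like archive for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples: the entity points at a placeholder URL.
CLEAN = make_sample({"word/document.xml": b"<w:document>hello</w:document>"})
DTD_XML = '<!DOCTYPE d [<!ENTITY x SYSTEM "http://placeholder.invalid/">]><d>&x;</d>'
SUSPECT = make_sample({
    "word/document.xml": b"<w:document>hello</w:document>",
    "docProps/app.xml": DTD_XML.encode("utf-16"),
    "word/media/image1.png": b"<!DOCTYPE not-xml>",
})

if __name__ == "__main__":
    print(dtd_parts(CLEAN), dtd_parts(SUSPECT))
```

This screen complements, and does not replace, disabling DTD and external-entity processing in the XML parser that later handles the file.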

The security researcher who discovered this vulnerabili