Alan Wlasuk, CEO of 403 Web Security, has compiled a list of the top six dumbest hacks of all time. While hackers can be dangerous, Alan shows that not every hacker is a brilliant mastermind. Think of the always amusing Darwin Awards pictured in our icon at left. In many of these exploits, the hacker left unintended clues behind that made him easy to find.
1. Late last year, Kelly Osbourne (of Dancing With the Stars fame, no further comment) had her email account hacked. The hacker, wanting to read not only all of her past emails but new ones as well, had Kelly’s emails forwarded to his own personal email account. This seemed like a pretty easy trail to follow.
2. Self-proclaimed hacktivist Shahee Mirza and several associates defaced a Bangladesh government military website, that of the Rapid Action Battalion, with the following message:
“GOVERNMENT DOES NOT TAKE ANY STEP FOR ICT DEVELOPMENT. BUT PASSED A LAW ABOUT ANTI-CYBER CRIME. YOU DO NOT KNOW WHAT IS THE CYBER SECURITY OR HOW TO PROTECT OWNSELF. LISTEN. HACKERS R NOT CRIMINAL. THEY R 10 TIME BETTER THAN YOUR EXPERT. WE ARE GINIOUS THAN YOU CAN’T THINK. DEFACED FROM BANGLADESH.”
Unfortunately, 21-year-old Mirza also left a banner that clearly stated, “HACKED BY SHAHEE_MIRZA.” Obviously not the “GINIOUS” claimed in his defacement, Mirza may end up with 10 years in a Bangladesh federal prison. One can only imagine what the prisons are like in one of the poorest countries in the world.
3. Famous for his Samy Worm, Samy Kamkar was responsible for a virus-like attack that infected over 1 million MySpace accounts in 2006. Among its other malicious effects was the ‘Samy is my hero’ line added to the MySpace homepage of each of the million victims. In an obvious display of ego, Samy went on to boast of his hacking feat in a blog post.
Unfortunately for Samy, the blog contained a picture of him with a license plate in the background, which was then used to track him down.
4. 20-year-old Sayaka Fukuda had her iPhone stolen on the streets of New York City. The thief, Daquan Mathis, while enjoying his new iPhone, took a picture of himself (dressed in the same clothes he wore during the mugging), which he then sent to his own email address. Unfortunately for Mathis, Fukuda’s iPhone email account could be accessed on the Internet (like almost every such account). Given his email address, it was a simple matter to track Mathis down, made even simpler by the fact that the police had his picture. There are many stories about people tracking down their own smartphones.
5. By all accounts, Eduard Lucian Mandru is a very clever hacker. His 2006 hack of the U.S. Department of Defense (DOD) computer system went undetected for years, with the authorities having only Mandru’s email address as their single clue. Mandru’s downfall and arrest in 2009, however, came about when he used that same email address on the résumé he posted on numerous job boards. Sometimes it pays to use different email addresses for different tasks, don’t you think?
6. Alan was not sure if this hack is dumb or just really fun. One clever hacker realized that modern speed traps use cameras that automatically register your speed, take a picture of your license plate, and then use character recognition to translate your license plate number into something they can use as a lookup key in the DMV database. With this in mind, he changed his license plate number to (‘ZU 0666’, 0, 0); Drop Database Table.
If the DMV pastes this string of characters straight into its database query, it has a good chance of deleting all of the database records containing his actual license plate number, ZU 0666. This has got to be 10 out of 10 on the creativity scale, and it once again shows the importance of knowing what SQL injection and Little Bobby Tables are all about.
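As an added illustration (not part of Alan's list or the original article), here is that plate lookup written two ways in Python against an in-memory SQLite table: once by gluing the OCR text into the SQL, once with the value bound as a parameter after a plate-format check. The table contents, owner names and plate pattern are constructed for the demo.

```python
import re
import sqlite3

# Constructed sample DMV table for the demo (not real registrations).
SAMPLE_PLATES = [("ZU 0666", "owner-A"), ("AB 1234", "owner-B")]

# The plate text as the article says the camera's OCR would read it.
INJECTED_PLATE = "('ZU 0666', 0, 0); Drop Database Table"

# A real plate is a short run of letters, digits and spaces; anything else is
# an OCR failure or smuggled SQL and should never reach a query.
# (The pattern is an assumption; adapt it to the local plate format.)
PLATE_RE = re.compile(r"^[A-Z0-9][A-Z0-9 ]{1,9}$")


def is_valid_plate(plate):
    return PLATE_RE.fullmatch(plate) is not None


def open_dmv_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE plates (plate TEXT PRIMARY KEY, owner TEXT)")
    conn.executemany("INSERT INTO plates VALUES (?, ?)", SAMPLE_PLATES)
    return conn


def vulnerable_lookup(conn, plate):
    # Concatenates the OCR text into the statement, so the quote and
    # semicolon inside INJECTED_PLATE are parsed as SQL, not as a plate value.
    query = "SELECT owner FROM plates WHERE plate = '" + plate + "'"
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.Error as exc:
        return ("sql-error", str(exc))  # the plate text hit the SQL parser as code
    return ("ok", row[0] if row else None)


def safe_lookup(conn, plate):
    # Reject anything that is not plate-shaped, then bind the value as a
    # parameter so the driver never lets it touch the SQL grammar.
    if not is_valid_plate(plate):
        return ("rejected", None)
    row = conn.execute("SELECT owner FROM plates WHERE plate = ?", (plate,)).fetchone()
    return ("ok", row[0] if row else None)


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM plates").fetchone()[0]


if __name__ == "__main__":
    db = open_dmv_db()
    print(vulnerable_lookup(db, INJECTED_PLATE))  # ('sql-error', 'near "ZU": syntax error')
    print(safe_lookup(db, INJECTED_PLATE))        # ('rejected', None)
    print(safe_lookup(db, "ZU 0666"))             # ('ok', 'owner-A')
```

The syntax error on the concatenated path is the tell: the camera's text was handed to the SQL parser as code, and a driver that allows stacked statements would have run whatever followed the semicolon. The parameterised path never gives it that chance.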