Network Hacking

Wrighter the Pessimist writes: "In this article on Yahoo, they report that computer hacking has become easier, partially because of devices that have built-in computers, like printers and playstations. However, it also lists a number of 'ordinary' (obsolete?) methods of 'hacking' - such as gaining physical access to a corporate computer, and social engineering. It would be interesting to see a study done on this, to see how many attacks are actually carried out from such devices." The article touches on the Dreamcast Attack mentioned the other day, but also some slightly less bulky approaches. Be on the lookout for dark-clad intruders slipping CD-Rs into machines at your workplace ...

Obsolete?

[BurritoWarrior]

They day social engineering is obsolete is the day there are no more humans and computers rule the world.

As long as there are people, social engineering will work wonderfully.

Re:Safeguarding Secrets 101

[susano_otter]

On my campus:

1) Buy people, rival firm has a product you need to sabotage... well hire their best brains so it turns out shit... and you get the product as well.

Our company is rated as one of the 50 best companies to work for by its own employees.

2) Have a clipboard, 99% of companies and people in those companies will not query a suit with a clipboard. This gives you the ability to walk into any areas saying you are doing a "Time and motion" study for the new Quality Iniative. Or do an "assets" audit and take away servers for "verification" that aren't on the "official register".

Our facility, though comprising over 300 people, functions as a closely knit team. Nobody unknown to us gets past the lobby, clipboard or not.

3) Buy the people

Our company is rated as one of the 50 best companies to work for by its own employees.

4) Have someone join as a graduate, or even as a more senior person. Sure it violates their contract, but just pay them the cash.

Our company is rated as one of the 50 best companies to work for by its own employees.

5) Supply the network upgrade at low low prices via a subsiduary, then ensure they can be "remotely administered as part of the outsourcing and support deal".

We manage all our networks internally. An "outsourcing and support deal" would be laughable.

6) Buy the people

Our company is rated as one of the 50 best companies to work for by its own employees.

7) Walk into PC support, ask for a backup of your server from date X put onto new server Y. Or even better just get the required files burnt onto CD. Sure you have to fake the paper work, but that isn't hard.

All of our change requests are managed electronically. To "fake the paperwork", you'd need access to a logged-in system, an acccount on the change management system, and you'd have to show up the next morning to represent your request at the daily change control meeting. Also, we manage our own backups. Nobody unkown to us would ever request one.

All of these will be more effective than hiring script kiddies.

None of these would be any more effective than hiring script kiddies. (Funny story: just this week a script kiddie was caught pounding one of our IPs. Security tracked him down and printed out a desist request on a printer on the kid's network. The attacks stopped a few minutes later.)