Slashdot Mirror
Network Hacking
Wrighter the Pessimist writes: "In this article on Yahoo, they report that computer hacking has become easier, partially because of devices that have built-in computers, like printers and playstations. However, it also lists a number of 'ordinary' (obsolete?) methods of 'hacking' - such as gaining physical access to a corporate computer, and social engineering. It would be interesting to see a study done on this, to see how many attacks are actually carried out from such devices." The article touches on the Dreamcast Attack mentioned the other day, but also some slightly less bulky approaches. Be on the lookout for dark-clad intruders slipping CD-Rs into machines at your workplace ...
They day social engineering is obsolete is the day there are no more humans and computers rule the world.
As long as there are people, social engineering will work wonderfully.
Comment removed based on user account deletion
If doing this for a living rather than being a sad muppet who thinks its "cool" (Snowboarding is cool, Skydiving is cool, hacking IIS is not cool).
1) Buy people, rival firm has a product you need to sabotage... well hire their best brains so it turns out shit... and you get the product as well.
2) Have a clipboard, 99% of companies and people in those companies will not query a suit with a clipboard. This gives you the ability to walk into any areas saying you are doing a "Time and motion" study for the new Quality Iniative. Or do an "assets" audit and take away servers for "verification" that aren't on the "official register".
3) Buy the people
4) Have someone join as a graduate, or even as a more senior person. Sure it violates their contract, but just pay them the cash.
5) Supply the network upgrade at low low prices via a subsiduary, then ensure they can be "remotely administered as part of the outsourcing and support deal".
6) Buy the people
7) Walk into PC support, ask for a backup of your server from date X put onto new server Y. Or even better just get the required files burnt onto CD. Sure you have to fake the paper work, but that isn't hard.
All of these will be more effective than hiring script kiddies.
WARNING: Do not try the above at a military base, unless you want to get shot, corporations will normally just have you prosecuted.
An Eye for an Eye will make the whole world blind - Gandhi
my PLAYSTATION has a built-in COMPUTER?
holy SHIT!
im taking it back to the shop before a fucking TERRORIST hacks into it
I wish I would have know you could have used a Dreamcast, CD, or iPAQ to get access to a network. They caught me when when I tried to sneak my main frame in.
At first I took the notion with apprehension. But then I recalled, there was a time when we told people "You can't get a virus in a document file", "You can't get a virus from your email message" But even back in the day, you could cause extensive damage to your dos machine just by typing a text file with malicious ansi codes. Microsoft and others who have opted for the "feature rich" approach to dynamic documents have created more security problems than convienences.
Postscript is a pretty powerful programming language, and most printers today have it embedded. While I don't think it has TCP/IP capability yet, it wouldn't surprise me if someone doesn't find a stupid reason to implement at feature into the printer language, or even something that allows more low level control of the printer hardware could be used to gain access to the network. Remember people, it doesn't have to be easy. Virus/Trojan writers pride themselves on invading the bold new frontier. Don't get complacent.
As more appliances get network connectivity and more flexible embedded processors and operating systems, they'll all be subject to the same concerns. I'm already addressing some of these issues with my simple home automation projects. The computer I use to control things is isolated from the rest of the network other than the single open port for commands. Despite the security I might have implemented on my network, I can't assume that the network is always safe. And while right now I only have lamps and sprinklers on this system, when more complex (and potentially dangerous) appliances get added, a comprised system becomes a serious liability.
-Restil
Play with my webcams and lights here
You mean outsourced sysadmins? Yeah them's a nasty lot.
There's another related article on Yahoo! that mentions that it's okay to hack back.
Things you think are in the Constitution, but are not.
Yeah it sucks. Every time I want to jaywalk or speed a little in the car, I have to put on my robber mask and black cape.
Who started this crap anyway? All bad guys must wear stereotypical clothing?
Why even bother with physical access? The number of people here at work who screw their machines up due to email viruses received through checking their Hotmail, Yahoo and AOL webmail accounts at work is frightening.
Those viruses and trojans slip neatly by all the elaborate MS Exchance server based virus scanners we have.
And since this is a non-technology sector corporation, they try to cut costs where ever they can, which means McAffee virus scan on the local computers, which has caused so many conflicts between the latest virus definitions and programs like Microsoft Word that most end users tend to turn automatic virus checking off without permission.
In the end, social engineering will never be "obsolete".
Um, no. Hacking is not a crime. Cracking is a crime. The term 'hacking' has been misused by government "experts", reporters who can't learn the difference, and idiots since damn near the dawn of the age of the Internet. I put you in the last category.
Kierthos
Mr. Hu is not a ninja.
I'd really like to see that ... I'm curious as to what kind of axe is used.
Did you know you can fertilize your lawn with used motor oil?
2) Have a clipboard, 99% of companies and people in those companies will not query a suit with a clipboard. This gives you the ability to walk into any areas saying you are doing a "Time and motion" study for the new Quality Iniative. Or do an "assets" audit and take away servers for "verification" that aren't on the "official register".
At my local Walmart, the store's network backbone is located 20 feet from the door leading to the backstock room. There are no obtrusions (except for the occasional six-wheelers with merchandise), and the door's always open. Three-quarters of the time, there's no one in the room, and even if there is, it's typically a low-end manager (the high-end managers like to stick with their own offices) who don't know about how computers work. There's only a "regional" administrator...Walmart feels it's more efficient to let the machines work on their own and pay someone only when the machines don't work.
All you need to do is look young, wear kahki's and a polo shirt, and carry your "geek-bag-o-goodies", and no one will question you being there. As long as you look like you know what you're doing, no one will think otherwise. In fact, there was even one time where I walked in there completely unanounced just to use the telephone (I work for a vendor, not for Walmart). A manager saw me as he walked on by outside the room, and had no problems with me being in that room.
Now, realize that the computer network at Walmart controls everything...the lights, heating, TV / Radio / Announcement systems, the ATM network, evertything. Every Walmart has a satellite hookup to the mainframe (no idea where that is).
My point is that people are way to afraid that someone's going to get them by hacking into the computer, while no one's worried at all about someone walking in and getting them from the inside. There are some wide-open doors when it comes to internal network security (or lack-thereof), and it doesn't take a Hollywood actor to pull off a slip into the server room of almost any company.
Personally, I'd say that if a programmer knowingly and willingly created/promulgated bugs and vulnerabilities, there should be some sort of legal response to that. If it's a bug/vulnerability that was not obvious or possible to be noticed until distribution, that should not carry anywhere near the amount of action against the programmer. (They should still fix it, mind you.)
Likewise, someone who publishes bugs and vulnerabilities with no actual interest in seeing those fixed should be hammered as well. I mean, if it's a cracker or a script kiddie who is publishing vulnerabilities so that other crackers and script kiddies can exploit them, well, that's just as bad as not fixing the vulnerability. If it's someone publishing them with the intended purpose of having them fixed, again, different circumstances.
Kierthos
Mr. Hu is not a ninja.
Where I work, if someone showed up with a Dreamcast and plugged it into our network, the poor sap would be fired before you can say "choo choo rockets".
Now I had thought that was a reflection of the mean streak in management.
Now I learn that its a security precaution. That's alright then.
Patrick
1000s Warcraft Gold while you sleep
Till this day, I have users who call and are handing over their username and password without me saying anything more than "Hello!".
There are users I call who hand over the same information without any thought. Most of the time, I am there busy telling users to please not give me that information. The comparison of the username/password being like an ATM card and pin just doesn't work.
Our abuse department (yes we have one) has a two strikes and you're out policy. That is to say, if anything happens from your account the first time, you are given a warning and forced to read the entire IT policy. The second time, you account is deactivated in effect terminating your employment/affiliation with the university. You pretty much need your account for everything.
This issue has been spoken about for years and things rarely improve, but I still believe educating users is the best way to eventually solve the problems here.
I am Lord Snowbeam. Heed my call!
Comment removed based on user account deletion
Go to a bar or something. Meet women.
Hey! I'm in a bar waiting for a woman to show up.
The guy a couple seats down is trying to hack me, so it's kinda fun.
I think NY is getting geeky.
Hmm.
You can get unauthorized access to a network easily by gaining physical access first.
As computers proliferate and approach ubiquity, security becomes a larger issue.
These are the central themes I identified. This is not news. It is hardly even analysis.
Actually, it struck me more as a kind of public service announcement designed to raise levels of awareness.
Blearf. Blearf, I say.
+1
and whats even worse is when they use the same password for lots of accounts. Just one accident with a keystroke recorder or social engineer and they've given someone else access to everything.
This comment does not represent the views or opinions of the user.
I mean it. I'm a consultant and its surprising how much I can get a sys admin to do for me over the phone, from across the country.
Recent example - we were converting 17 years of production data from a mainframe into a the replacement system. With the volume, we needed an uninterrupted 40 hour window, but the client performed a cold backup of the database nightly.
The process in place says we call the production DBA's (who know us, and are employees, not contractors like us) and they pass official word to the operators in the datacenter.
Well, after 9 hours of loading, the database goes down at 5:00am. We call the prod dba's, and the on-call guy doesn't answer. So I call the ops center. The story I get is that a contractor on another project requested a backup of some critial files stored on the db box. He did this directly with the operator at 11:00 the night before, and the operator didn't even remember his name.
If a simple phone call to ops is all it takes to take the system down, why bother with the standard exploits?
Spammers going after a network printer...
loop (1..1000)line.font = bold;
line.size = 18pt;
line.output = "Need more toner? Call us at ###-####"
line.pagebreak
endloop()
I would expect Slashdot, of all places, to avoid misusing the word "hacking".
Even if we were to give up the battle over the original meaning of the word (a concession I do not make), the meaning being propagated by the media seems deliberately designed to cause confusion. When the same word is used to refer to (a) exploring and/or modifying a system you own, (b) breaking or bypassing the security features of a system someone else owns, and (c) breaking into and vandalizing a system someone owns, it gives the impression that anyone who does any of these things is a criminal -- or, conversely, that anyone who vandalizes someone else's computer system is just having a little innocent fun.
If you want to talking about someone breaking into someone else's computer system, call it what it is -- trespassing. If you want to talking about someone deliberately modifying someone else's computer system without permission, call it what it is -- vandalism.
If There are still quite a lot of people who know the difference between a hacker and a cracker, then let us not talk as if we didn't. It's crackers or malicious hackers, plain and easy.
Some people avoid to call some contemporary music "Rhythm and Blues", because there was a different style of that name before.
I avoid to call malicious hackers just hackers, because hacking is fun, a healthy sport for both yourself and the society you live in.
If you think I am wrong, search the web for the Jargon File. It points to some good reading about the history of the term.
--
Years ago, I did desktop support for a large government installation. I would get assigned a handfull of cases per location at a time. Inevitably, one of those cases would be for someone who was away from their desk with their desktop locked via screensaver. It was good that they were following policy and used either a timed or manual lock - it was bad that normally I'd have to leave a "sorry we missed you" card and their case would go back in to the cue (and further delayed).
Then I burned an autorun CD that would kill their screensaver when popped in to their CDROM drive. I very rarely ran in to a workstation with autorun disabled. What I usually got was quick desktop access and often a customer comment card thanking me for the quick turn-around.
http://www.pugo.org:8080/
As it points out, you can't listen on any port you want, because PostSCript lacks the ability to open sockets, post listens, or accept connections.
On the other hand, a few modifications, and it can listen on the LPR port of an HP network printer (all it has to do is intecept new connections, not listen or accept by itself).
-- Terry
If you have unmonitored physical access to a machine, you can tell it what drive to boot from, which means you can root the machine by simply booting off a disk of your choice. The point is, don't expect a machine to be secure if untrusted parties have physical access to it.
First, the "crack-a-mac" contest a few years back led to a widely publicized crack, even though it was a mistake in configuration as I recall. (I don't remember what OS). Second there is no such thing as unhackable. If a mac hasn't been cracked yet it's because there are too many PCs for people to spend their time on macs. Third, MacOS 8 or 9 is easy to remotely administer if you gain enough access to install remote admin devices (there's one on http://securemac.com but I forget its name). Finally bugtraq has never called macs "unhackable" nor would they be so irresponsible as to call any machine that.
Well that last post got me looking for info on the crack a mac contest; here are some details.
On my campus:
1) Buy people, rival firm has a product you need to sabotage... well hire their best brains so it turns out shit... and you get the product as well.
Our company is rated as one of the 50 best companies to work for by its own employees.
2) Have a clipboard, 99% of companies and people in those companies will not query a suit with a clipboard. This gives you the ability to walk into any areas saying you are doing a "Time and motion" study for the new Quality Iniative. Or do an "assets" audit and take away servers for "verification" that aren't on the "official register".
Our facility, though comprising over 300 people, functions as a closely knit team. Nobody unknown to us gets past the lobby, clipboard or not.
3) Buy the people
Our company is rated as one of the 50 best companies to work for by its own employees.
4) Have someone join as a graduate, or even as a more senior person. Sure it violates their contract, but just pay them the cash.
Our company is rated as one of the 50 best companies to work for by its own employees.
5) Supply the network upgrade at low low prices via a subsiduary, then ensure they can be "remotely administered as part of the outsourcing and support deal".
We manage all our networks internally. An "outsourcing and support deal" would be laughable.
6) Buy the people
Our company is rated as one of the 50 best companies to work for by its own employees.
7) Walk into PC support, ask for a backup of your server from date X put onto new server Y. Or even better just get the required files burnt onto CD. Sure you have to fake the paper work, but that isn't hard.
All of our change requests are managed electronically. To "fake the paperwork", you'd need access to a logged-in system, an acccount on the change management system, and you'd have to show up the next morning to represent your request at the daily change control meeting. Also, we manage our own backups. Nobody unkown to us would ever request one.
All of these will be more effective than hiring script kiddies.
None of these would be any more effective than hiring script kiddies. (Funny story: just this week a script kiddie was caught pounding one of our IPs. Security tracked him down and printed out a desist request on a printer on the kid's network. The attacks stopped a few minutes later.)
Any sufficiently well-organized community is indistinguishable from Government.
Suppose, nothing! these guys do it all the time!
Any sufficiently well-organized community is indistinguishable from Government.
I assume you feel the same way about disseminating a catalog of cars that are easy to hotwire. How about books on explosives? A list of local speed traps? The names of companies that do business with South Africa (if you care about that sort of thing)? Where, exactly, do you draw the line?
Any sufficiently well-organized community is indistinguishable from Government.
I send this CD in order to have your advice.
Our company is rated as one of the 50 best companies to work for [fortune.com] by its own employees.
I fail to see your argument here. for a large sum of money I would have a very hard time doing the "right thing", even involving murder, theft, etc. Perhaps I'm cynical, but I feel everyone has a price and it's typically not much more than a few million.
Working for a great company is one thing, but making enough to never have to work again is, in a word, priceless.
or a script kiddie who is publishing vulnerabilities
By definition, a script kiddie is not publishing exploits.
Anyway, who's going to pay you "several million" to "never have to work again"? The whole reason that money's out there to begin with is they want you to work for them, instead of the competition.
Any sufficiently well-organized community is indistinguishable from Government.
I always thought it was ironic that the dumbest users (no offence) oh man, you're very retarded, no offense
--fetch daddy's blue fright wig, i must be handsome when i release my rage
an iPaq is a small form factor computer, as well as a handheld device. If you'd like, I can take a picture of one and email it to you, but they're the shittiest computers ever made
--fetch daddy's blue fright wig, i must be handsome when i release my rage
i've installed litestep on machines at kmart, walmart, and best buy, it's fun stuff!
--fetch daddy's blue fright wig, i must be handsome when i release my rage
He called it "Black Hat Linux". Them were crazy times; it was a wonder girls wouldn't talk to us.
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
Nobody noticed - or if they did, they realized they couldn't complain without tipping us off that they were installing games | stuff | whatever.
The whole reason that money's out there to begin with is they want you to work for them, instead of the competition.
I'm sorry,perhaps I misread the previous comments. My understanding what not that a company wanted to steal away employees as much a sabotage the competion. In the case of sabotage you most certainly would pay a large amount to never see a certain rival company's employee ever again.
I'm sorry to pick this up, but no, _you_ are very retarded. 'offence' is the British spelling, but since you are probably american (with a lowercase a) you have no knowledge of other cultures or societies outside your crapitalist dictatorship.
This comment does not represent the views or opinions of the user.