Stealing Data? A Sniffer Shows it's Easy
museumpeace writes "Though it's not exactly a How-To of cracking into financial institutions, a few intriguing details are mentioned in a New York Times article, "The Sniffer vs. the Cybercrooks" (it's worth the cookie). From the article: "'Tell me the things you most want to keep secret,' Mr. Seiden challenged a top executive at the bank a few years back. ... A week later, Mr. Seiden again sat in this man's office in Manhattan, in possession of both supposedly guarded secrets.""
http://www.bugmenot.com/
gets you past registration
I hate the one hundred and twenty character limit for signatures with an all-enveloping, all-destroying, incredible pass
Login and password for people who don't want to register ( from http://www.bugmenot.com/ ):
Username: tweedlesz
Password: tweedledum
Ethereal! Definitely the best free sniffer out there.
What?
I'm still looking for the part in the article that says "Too Many Secrets" or "Setec Astronomy", Mar... what did you say his name was again?
Slashdot: stuff for news, nerds that matter, matter for news, stuff that nerd
so I don't have to worry about this sniffing stuff because open source software has no security flaws.
just takes ya back to the saying "the most secure server is one that's offline" :)
I think that it's good that we see companies more involved and interested in tightening up their security. Most companies just buy expensive firewalls and other systems to protect their data, but ignore other obvious threats like someone just walking into their offices, sitting down at an unused workstation and browsing around the company's network. Security is multi-layered and a continuous process; that means even if they went through a security audit and everything was OK, they shouldn't stop improving their security. There's always a fast-paced race between those who protect and those who will try to get past that protection. Hope this story gives other companies which don't care about security a real reason to make an audit in the very near future.
Has anyone from /. / OSTG ever thought about asking NYT for system like the blogger registration-free linking thing?
Just a thought
paul reinheimer
The most secure server is first locked, then secured with a Kryptonite lock. After this, some real Kryptonite is attached to it (remember, it is never secure as long as Superman can bust into it). After this, it is encased in carbonite with a scarecrow wearing a Jar Jar Binks mask. The entire assembly is left in Jabba's palace. Don't worry, no one's gonna even be thinking of approaching the thing to rescue Jar Jar.
Just in case anyone does, we have an "I Love the Bee Gees" bumper sticker on the side. Also, we've moved it to a position standing right behind Jabba's toilet. I dare you to approach it.
Don't blame Durga. I voted for Centauri.
Well, I tried the park, but the cops didn't like it too much... [/feeding trolls]
What's cheaper in the mind of a shortsighted executive that can only see ahead to about a three to six month range?
Having you put in jail for threats of terrorism to shut you up about their secrets, or paying the IT guys overtime to fix the holes?
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
SATAN is a software package which can determine whether there are sniffers on your network. It finds some sniffers when the sniffer host looks up the same dns entries as other hosts.
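The DNS-based check described above, as an added example that is not part of the original comment or of the SATAN package: a host that is not a party to a conversation has no business reverse-resolving the addresses in it, so PTR lookups for addresses a host never exchanged traffic with, and especially for a decoy address that nothing was ever sent to, point at a machine reading packets that are not its own. The flow records, the resolver log format and the decoy address 10.9.8.7 below are all constructed for the example.

```python
"""Flag hosts whose reverse-DNS lookups betray a sniffer (added example).

Heuristic: compare each host's PTR lookups against the flows it actually
took part in. Lookups for addresses it never talked to are suspicious;
a lookup for the decoy address (traffic to which exists only as bait)
is a strong signal.
"""
import re
from collections import defaultdict

# Constructed flow records as (src, dst) pairs from a flow collector.
FLOWS = [
    ("10.0.0.5", "10.0.0.20"),
    ("10.0.0.20", "10.0.0.5"),
    ("10.0.0.7", "192.0.2.10"),
    ("10.0.0.5", "198.51.100.77"),
]

# Constructed resolver query log, one query per line: "ts client qtype qname".
DNS_LOG = """\
2005-07-31T09:00:01 10.0.0.5 PTR 20.0.0.10.in-addr.arpa
2005-07-31T09:00:02 10.0.0.7 PTR 10.2.0.192.in-addr.arpa
2005-07-31T09:00:03 10.0.0.9 PTR 20.0.0.10.in-addr.arpa
2005-07-31T09:00:04 10.0.0.9 PTR 77.100.51.198.in-addr.arpa
2005-07-31T09:00:05 10.0.0.9 PTR 7.8.9.10.in-addr.arpa
2005-07-31T09:00:06 10.0.0.5 A mail.example.com
"""

# Decoy address (assumption): packets to it were generated only as bait,
# so no legitimate host should ever need to resolve it.
DECOY = "10.9.8.7"

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def ptr_to_ip(qname):
    """Turn '20.0.0.10.in-addr.arpa' back into '10.0.0.20'; None if not IPv4 PTR."""
    suffix = ".in-addr.arpa"
    if not qname.endswith(suffix):
        return None
    octets = qname[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    return ".".join(reversed(octets))


def parse_ptr_lookups(log_text):
    """Return {client_ip: set of addresses it reverse-resolved}."""
    lookups = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the constructed format
        _ts, client, qtype, qname = m.groups()
        if qtype != "PTR":
            continue  # only reverse lookups matter for this heuristic
        ip = ptr_to_ip(qname)
        if ip:
            lookups[client].add(ip)
    return lookups


def peers_per_host(flows):
    """Return {host: set of hosts it exchanged traffic with}."""
    peers = defaultdict(set)
    for src, dst in flows:
        peers[src].add(dst)
        peers[dst].add(src)
    return peers


def find_suspect_hosts(flows, log_text, decoy):
    """Return {host: list of findings} for hosts whose lookups look like sniffing."""
    peers = peers_per_host(flows)
    findings = defaultdict(list)
    for client, ips in parse_ptr_lookups(log_text).items():
        for ip in sorted(ips):
            if ip == decoy:
                findings[client].append(f"resolved decoy {ip}")
            elif ip != client and ip not in peers.get(client, set()):
                findings[client].append(f"resolved {ip} without talking to it")
    return dict(findings)


if __name__ == "__main__":
    for host, notes in find_suspect_hosts(FLOWS, DNS_LOG, DECOY).items():
        print(host)
        for note in notes:
            print("  -", note)
```

Hosts that legitimately see other people's traffic (an IDS sensor, a log or flow collector, a resolver doing its own reverse lookups) will trip the "without talking to it" rule and need an allow-list; the decoy rule has far fewer false positives, which is why sending bait traffic and watching who resolves it is the more useful half of the check.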
People expect thieves to act like thieves. Act like you know what you're doing, and you can walk out with most data.
Another lesson -- put AP mines in your crawlspaces.
Paste this link into google and click through for a single page version
http://www.nytimes.com/2005/07/31/business/yourmoney/31hack.html?pagewanted=all
no reg required
Even people that believe in pre-destiny look both ways before crossing the street.
Your use of Gentoo affects you by turning you into a social outcast. People may make fun of you by calling you a "gentile."
Is mentioned again.
My prurient is definitely interested!
Interesting article.
"Most systems are like this Tootsie Roll Pop," Mr. Seiden said. "They have this hard, crunchy outside, but they're very gooey and soft inside."
So he'd be one of the fat geeks then.
Drag n' Drop DVD Recommendations
During my career, I have worked as a tech break/fix. I have worked for a university, federal govt, and private sector.
;-) "Oh, ok. You look honest." He actually told me I looked honest, so it was ok! From there I found the office I wanted, no one was there. I was to swap out a couple of hard disks, so I did. Many people poked their head in, joking along the way, "Hey! You don't look like XXXXXXXX! Unless he's shrunk! hahaha!" One even to see "what does a hard disk look like?" No one questioned me from there.
Due to the nature of the job it is difficult to get passes or keys to move around immediately, especially into secure areas. So you put on your charm and off you go.
It is very easy to take things. Just look like you know what you are doing and where you are going.
Be presentable and nice, be friendly with the receptionists/secretaries/admin, and you can go anywhere.
I have been let into computer rooms that are supposedly secure, I have been assisted by security guards in loading computer gear into my car, I have had secretaries hold doors on elevators so I could get stuff in. I'm talking thousands upon thousands of $$$ worth of stuff. All of them took my word for it, never questioning or phoning to find out. I have never had to show ID.
I have actually had one employee of a major oil corporation watch me follow him in through the doors, ask me, "Where are you going? Who are you?"
This was going into their engineering areas, from which I'm sure numerous other oil companies would love to see the data.
I replied that I am a computer tech and visiting XXXXXXX. "Who? Are they on this floor?" "Yeah, they are, around the corner." (I really only had an office number
Many, too many to count, I have just knocked on the door and asked for Mr. S.A.S. "Oh, I'm here to take a look at his computer, he said it wasn't working. Can I see it?" Then they lead me to the office, in which Mr. S.A.S. isn't there. "Well, I'll just start and he'll come back and I'll let him know. Thanks." Then they leave.
It doesn't matter how secure it is, like the article points out, being sociable gets you lots of open doors.
Crazy part is that I pride myself on this "talent." It's much simpler to talk your way through than to have to run all over getting ok's and escorts into areas.
That's copying data, not stealing it.
Interestingly, this time round it is "stealing data" - what else would you call walking out with a complete set of the company's backup tapes?
Geesh people... how hard can it be?
http://www.nytimes.com/2005/07/31/business/yourmoney/31hack.html?ex=1280462400&en=31158975e4a4090a&ei=5090&partner=rssuserland&emc=rss
...act as if you know what you're doing and you can walk out with the computers, too.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
The key to this is that knowing what he thinks is secret is half the battle to finding it out.
Once the executive told him where to target, that made it much easier. If you're talking about sniffing the entire network output of a company looking for important stuff... that's a much harder task.
Seems to me like they got their terminology a bit off. Shouldn't the guy be called a Pen-tester or part of a Tiger team. A sniffer is what the guy used, not what he is.
Irongeek's Hacking Videos / Security Videos and Articles
I would have been impressed if the CEO didn't tell him what data he thought was most important and he was able to both figure it out and acquire it.
There are sniffer detectors out there, but I'd not want to use SATAN for it.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Old tricks, fat dog too!
Social Engineering.
Enuf said.
First rule of holes; When in one, stop digging.
If you want ideas, just watch more movies and tv:
Keymaker: There's a building. Inside this building there's a level where no elevator can go, and no stair can reach. This level is filled with doors. These doors lead to many places, hidden places, but one door is special. One door leads to the Source. This building is protected by a very secure system. Every alarm triggers the bomb.(Matrix Reloaded)
ok, so maybe not "the bomb" but exploding bright blue/orange ink/itching powder (Lone Gunmen, Police Academy 7) packets might deter anyone trying to pick the lock of the server or records room and make them an easy sight for security. And enough UPSs and generators in the isolated area to have everything work even if someone cuts the power to 10 (Die Hard) or 27 (Matrix: RL) sq blocks, depending which movie you're watching, but you're still screwed if they use a pinch (Ocean's Eleven). And don't forget the Mission Impossible room with extra large vents.
Forget the ventilation shafts large enough for people to crawl through, just use more fans and small vents. And have one entrance into the room with a security desk outside; that should deter anyone from sitting there trying to pick the lock. And scanning photo ID cards with fingerprints and/or retina scan, just more things someone will have to fake, and it increases the chance of your armed security officer noticing that the person they've never seen before is taking a lot longer to enter the right codes.
F7 doesn't work, ignore spelling and grammar
Interestingly, this time round it is "stealing data" - what else would you call walking out with a complete set of the company's backup tapes?
Stealing tapes. The data was not stolen, as, being a backup, it was only a copy.
common men! The packet went thataway! Oh, no! A gateway! Wrong port! They've lost the route.. Men! Listen up OSPF isn't working; we'll have to RIP that packet a new one!!
I opened up my networks all the way. One day some guy comed on and he was all omg dud ur running teh mandriva! Can you teech me hacks? and I was all like 'cat foo.txt | grep foo' and he was like dude omgfwtbbqpdq that is some leet ass coding. I shwed him to use teh emacs (what real hackers use, i tried vi once and it tooks me three days to figure out how to quit it. what is that all about? piece of shit program si what! lol!) and also to use WinE so he can get on the internet explorer.
I heard the NAS (that's like the governemt hackser guys, dumbasses) was trying to make linux illegal because they were all like we need to see your porns+warez and some dude was like no way, man, I got linux and there's no way I'm letting you guys in. Teh NSA was all like hella pissed! They got the best hackers in the world (except me of course! LOL!) and they can't even break into the lnux.
http://slashdot.org/comments.pl?sid=157538&threshold=-1&commentsort=0&tid=153&mode=nested&cid=13203716
In practice, almost no organization is going to install all of the above. Even the US Government, which is not short of ready cash, is getting far poorer grades on their network security audits than they should.
However, if you define the "target" or "ideal" security schema, then you have something you can compare against. IMHO, the above description is the "ideal", in that it is unlikely that anyone would be able to break in using technological methods.
The remaining problem - social engineering - is not something you can program against. The description I outlined, if implemented in full, would provide enough checks and counter-checks to require someone using social engineering to get past several people, which raises the bar a little but does not make it hard enough.
("Hard Enough" is defined here as making it an impractical method for typical IT situations.)
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
One of the main reasons that approaches like social engineering work is because of the overwhelming emphasis a lot of companies put on "customer service".
I worked for several years in corporate security (good money/awful job), and it was the cardinal sin to piss someone off. On one occasion, a white guy showed up on a weekend with a pass card with a Vietnamese woman's name on it that wasn't cleared for access to the floor he wanted to get onto, which was the executive floor of a bank nonetheless.
The ten minutes it took to verify this guy's identity were the cause of a major spat between him (he turned out to be a VP of some sort) and my employer (the building management) that took days to blow over.
Some of my colleagues would simply give in if someone was pushy enough. No one wants to be the person who said "No" to the wrong person, no matter what the circumstances.
That's right: I'm gumby dammit.
Direct to the article here
thanks
You don't have to sniff to find his head lying outside San Francisco, even though it may help. Then it should be easy to steal him.
This had to be said,.
The New York Times
July 31, 2005
The Sniffer vs. the Cybercrooks
By GARY RIVLIN
THE investment bank, despite billions in annual revenue and the small squadron of former police, military and security officers on its payroll, was no match for Mark Seiden.
"Tell me the things you most want to keep secret," Mr. Seiden challenged a top executive at the bank a few years back. The executive listed two. One involved the true identities of clients negotiating deals so hush-hush that even people inside the bank referred to them by using a code name. The other was the financial details of those mergers and acquisitions.
A week later, Mr. Seiden again sat in this man's office in Manhattan, in possession of both supposedly guarded secrets. As a bonus, he also had in hand a pilfered batch of keys that would give him entry into this company's offices scattered around the globe, photocopies of the floor plans for each office and a suitcase stuffed with backup tapes that would have allowed him to replicate all the files on the bank's computer system.
"Basically, that all came from working nights over a single weekend," he said with a canary-eating smile that seemed equal parts mischief and pride.
Mr. Seiden is what some people inside the security industry call a "sniffer": someone who is paid to twist doorknobs for a living, to see which are safely locked and which are left dangerously unsecured. Clients sometimes hire Mr. Seiden, a former computer programmer, to buttress the security systems that protect their computers and other precious corporate assets. But primarily, large corporations turn to him to test the vulnerability of their networks.
"Mark is one of the more respected people out there doing this kind of work," said Bruce Schneier, a security expert and the author of "Beyond Fear: Thinking Sensibly About Security in an Uncertain World." Mr. Schneier called him "one of the good guys."
And for Mr. Seiden and others practicing the strange craft of intrusion detection, business has never been better. As data-security breaches at places like ChoicePoint and LexisNexis have made headlines, there has been a "tremendous surge in vulnerability assessments" in recent months, said Howard A. Schmidt, a former chief security officer at Microsoft who has also worked inside the White House on cybersecurity issues.
Indeed, purloined Social Security and credit card numbers are the new top prizes of the 21st-century cybercriminal. "In the early days of the Internet, breaking into systems was about bragging rights. It was about technical prowess. It was breaking into systems just to break in," said Mr. Schmidt, who is now working as an independent security consultant in Issaquah, Wash. "Now what we're seeing are economic crimes in a way we've never seen before."
That is why corporations and other large organizations are increasingly turning to people like Mr. Seiden to assess the soundness of their security systems. No one knows how many people make their living doing what people in the industry call penetration testing, though clearly their numbers are climbing. The most recent Computer Crime and Security Survey - released earlier this month by the F.B.I. and Computer Security Institute, an information security trade group - said that more than 87 percent of the organizations they polled conduct regular security audits, up from 82 percent a year earlier.
"Since the beginning of the calendar year we've seen a great increase in the number of calls from enterprises looking for someone to do security vulnerability testing for them," said Kelly M. Kavanagh, an analyst who tracks the security industry for Gartner Inc., a technology research group.
CORPORATIONS in North America spent more than $2 billion on outside security consultants in 2004, Mr. Kavanagh said. That was up 14 percent from the previous year.
As a result of all that spending, a large organization's data center - whether it holds a company's most precious trade secrets or the credit card numbe
That reminds me of the graphing calculator story:
http://www.pacifict.com/Story/
that says a lot about corporate security.
At any rate, the main point of the article is that there is a cost/benefit to security (security is expensive and can hamper productivity), but that most of the time people/corporations don't even bother looking for simple effective measures that would reduce the risk for little or no extra cost.
Forgot? Read parent: "After this, it is encased in carbonite". Maybe you thought I said corbomite, which would also be very secure!
Don't blame Durga. I voted for Centauri.
"Most systems are like this Tootsie Roll Pop," Mr. Seiden said. "They have this hard, crunchy outside, but they're very gooey and soft inside. And once you get past that crunchy outside and you're inside, you can do anything."
How many licks does it take to get to the center of this corporate server?
Here's a reg free link courtesy of New York Times Link Generator.
The data remains, therefore it is not really stolen. Its privacy is merely infringed :P
But seriously. If you're so adamant about "copyright infringement" != "theft", I think you should do the same for "data theft" and "identity theft". In all cases no physical property is taken, so it doesn't seem right to call two theft and the other something else. Oh, right. It's only "theft" when it affects "us".
Tell me the things you most want to keep secret
That, right there, was the single biggest security breach. By far, the amount of data that is out there is simply too much for a random hacker to grab some data and make a profit from it. He needs to know what data he can use. Professional data thieves already know what they want to steal, but they are not the types to simply be stopped by security measures of any kind. If worse comes to worst, he can always just get a job as a janitor, or better yet, a security guard at the place he wants to steal from and flout ALL security measures.
Anti-Gentilism!
Anti-Gentilism! Anti-Gentilism! Anti-Gentilism!
WE MUST combat antigentilism through improved monitoring, reporting, and law enforcement. A special representative to the UN should be named to address hate crimes.
Major public education campaigns must be initiated to promote awareness of antigentilism, racism and hate and to stress the importance of reporting these horrendous incidents.
http://kithrup.com/dkm/dkmnonfic/hacksec.html
Summary: Daniel Keys Moran is a SF writer, does day jobs. One job, he was interviewing to work on for them, and was told their security was top-notch - he didn't need to worry about it.
Someday I'll remember my password.
A computer with its own power supply in an electrically and visually isolated soundproof room - think 4 walls, a ceiling, a floor, soundproofing, and a Faraday cage - is about as secure as you can get. Be sure to add an "air lock" so people can get in and out without leaking anything.
The only way anything is getting in or out is by way of a human operator, and if you've got a mole in your environment you've got bigger problems than computer security.
Just for added security, have the thing self-destruct if it is moved or tampered with, and have an armed guard ready to "shoot the disk" if anyone unauthorized gets near.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
root@somebox# cat rename.patch
#!/bin/sh
# Idiots getting their panties in a bunch over a friggin' program name!
# Fine, here:
mv /usr/sbin/satan /usr/sbin/santa
echo "Happy now?!"
It's?
http://www.google.com/search?hl=en&q=The+Sniffer+vs.+the+Cybercrooks&btnG=Google+Search
roachfiend.com
Just right-click the login textbox, hit "BugMeNot" and it looks up and enters a login for you. I don't use it often, but it sure is nice to have it.
...or drink chicken blood as homage to the dark lord. In return he will protect your network.
In your case, a sniffer isn't easy. You'll have to get your use flags just right and then wait 8 hours for the emerge to finish. Your sniffer will be .5% faster though and you'll be 10% 1337er. Just kidding. I use gentoo too and like it - although everything i said is basically true, if a little exaggerated. oh well.
Here's a few stories from my consulting days.
Walked into this medium size firm at 7:00AM in the morning.
ME: Hi, I'm here from XYZ consulting. I'm working on the network for [insert name of director of IT].
RECPT: [The IT director] is not here.
ME: Well, can you let me into the room so I can do my tasks?
RECPT: sure, I'll have someone let you in.
ME: Left alone for 2 hours in their main server room all alone until everyone else came on shift.
------------
Story 2:
Large datacenter company.
1: Drive up to shipping dock of large datacenter wearing t-shirt of company hosted at facility.
me: I'm here to deliver this to my cage (point at t-shirt).
Shipping clerk: "ok"
me: Has unlimited access to datacenter. Never badged or signed in.
Now this will get you through some of the security at some datacenters, as you still need a final key or badge to get to the final layer (or you can try the old "pop the floor tile" trick).
Other option could be:
"This hardware on the shipping dock was misshipped and I'm here to move it back to (other datacenter | corporate office)."
Depending upon affability you can get away with various expensive boxes that the company has sitting in the shipping area. (Cisco/Sun/dell etc.) (still never having badged in/out).
You realize that all of this can be defeated with Tom Cruise lowering himself into the room on wires. Keeping a nice healthy population of large black widow spiders inside the room would greatly reduce the chance of success of such missions.
Don't blame Durga. I voted for Centauri.
Thank god; let's root out the hideous Judaeolaters and Bolsheviks.
A copy is still data, the fact that an "identical" set of data exists somewhere else does not suddenly make this set no longer data.
IT: "We have to stop employees from writing their passwords on post-it notes and sticking them to their monitors."
PHB: "That's gonna be tough. What can we buy to make this change unnecessary?"
IT: "Nothing. It's a fundamental thing, it's not related to any product. Any product is only as secure as its dumbest user. You can't have passwords stuck all over in public spaces and expect to remain secure."
PHB: "Well, everything seems to be working okay right now..."
IT: "But it won't continue to work okay if we don't stop this practice!"
PHB: "Why don't we watch things closely for a few weeks, make an evaluation about the state of things at that point, and then revisit the possibility of acquiring a solution to this problem at the next team meeting if we think it's necessary? Okay, gotta go. I've got a 3:30."
That's some wild stuff; it makes me rethink my security, but it has always been my belief that once a computer is online it is hackable. If you want to store secrets on computers, then do it with a computer with no internet connection.
Big Corps only bother about security if a major shareholder gets upset by a security breach. The chances of a major shareholder getting wind of a security breach are minimal, unless it gets in the media.
Hence most security in Big Corps is to prevent media people getting notice of security breaches.
HTH.
threadeds blog
http://ettercap.sourceforge.net/
A competitor, or actual spy, already knows what they are looking for: the company head just saved the cost of making this guy a subject matter expert (VP level) in what they did.
Consider this: "James, we suspect Dr. Badguy of creating a secret lab to destroy the earth. Check it out will you..." Or this "Powers, we have reports that GoldMember is out to make things very hard for everyone. Check it out will you?"
In both cases, the agent is given preliminary intelligence. In the corporate world, this is usually done by following analysts, or by competitive research.
If those backup tapes are encrypted, then hopefully you have the password too. Otherwise, all you have stolen is a bunch of white noise tapes.
Muahhhahaha.
But the real hack is to include a greasemonkey hack for nytimes.com called nytspoof .
This all goes to prove that you should never trust what the user's browser says.
Quidquid latine dictum sit, altum videtur
...Harold Shipman
Oh my God! Harold Shipman has come back from the dead and is breaking into my network!
"Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
He picked locks. He made phone calls. He wandered around the building, walking off with physical objects. This didn't involve breaking into any computers.
"Our interests are to see if we can't scale it up to something more exciting," he said.
I'm sick of these assholes submitting stories and not posting regfree NYT links.
Seriously, why NOT post a regfree link? You KNOW damn well they exist, so what the hell is the problem?
Instead of wasting our fucking time by either registering or logging in, you should spend an extra 2 minutes finding the regfree link.
Be a bit more courteous.
We have secretly replaced these Slashdot mods' sense of humor with a rusty nail. Let's see if they notice!!
I thought the guys on /. didn't like Bill gates.
For example, Kevin Mitnick wrote a book called "The Art of Intrusion" in which scenarios presented in the NYT article are laid out in much more detail.
When people think about network and data security they tend to focus only on computers and connections. They forget that physical security plays a part in it.