Examining Crackers Tricks


Examining Crackers’ Tricks

Crackers have hundreds, maybe even thousands, of tools at their fingertips. Most cracking tools are available online and are free to download and use. The crack that a cracker is attempting determines the type of software tool that cracker chooses to use.

Crackers don’t rely solely on software on other technological tools. They have many nontechnological techniques at their disposal. These techniques are often even more effective than software tools because companies are less prepared or aware of the threat. This section provides an overview of two effective nontechnical tools, social engineering and trashing.

Cross-Reference 

Learn more about technical tools and attacks against Wi-Fi in Chapters 4, 5, and 6.

Social engineering

Social engineering is the art of manipulating people to get passwords or other information. Crackers sometimes refer to it as “hacking the wetware” (wetware being the human brain, as opposed to computer hardware). P.T. Barnum once said, “There’s a sucker born every minute,” and unfortunately, he was right. Now many of those suckers have user accounts, and crackers know it. Sometimes people will give up the incredibly sensitive information to a sincere sounding stranger on the other end of a phone.

Cracker Kevin Mitnik was (and probably still is) an extremely skilled social engineer. Much of the cracking attributed to him involved a telephone, not a computer. People from Motorola, Nokia, AT&T, and Sun Microsystems gave him passwords, phone numbers, voice mailboxes, and even faxed him technical manuals and proprietary information.

A common social engineering trick is to pose as a member of the IT staff. In large companies, it is often easy to pose as staff because there are so many employees that no one knows everyone. To pose as a staff member it helps to have an actual employee name to lend some credibility. A cracker can get the names and extensions of employees from corporate phone books or lists. These also list the names of all other personnel, their departments, and their phone numbers.

A cracker can call Jim in accounting and claim to be Peter from the IT help desk. He can tell Jim that a problem with his system is affecting the whole network. Of course, Jim is now worried and wants to help. Peter asks what password Jim has been using so that he can see if that is the problem. Jim, being the concerned employee he is, gives up his password. The cracker then tells him that this doesn’t appear to the problem, and it must not be Jim’s system causing the trouble. Jim is relieved and goes about his business. The cracker now has access to Jim’s account and starts working from the inside of the network to escalate his privileges to administrator level.

Many popular social engineering tricks involve e-mail. The e-mail, which appears to be from the site administrator, instructs the recipient to run an attached test program. The program then prompts the user to type his password. After the user types his password, the program e-mails it to the hacker. The following is a sample of this type of message:

OmniCore is experimenting with an online-high-resolution graphics  display on Windows XP. But, we need you’re help in testing our new  product, Turbo-Tetris. So, if you are not too busy, please try out  the Tetris game attached to this email. Because of the graphics handling and screen re-initialization, you  will be prompted to log on to XP again. Please do so, and use your  real password. Thanks you for your support. You’ll be hearing from  us soon! OmniCore

Social engineering is an incredibly effective way of gathering information. The creativity of the cracker and the security awareness of the potential victim are its only limits. There is story after story of crackers gaining vital information with just a simple phone call or e-mail. While social engineering takes a smooth tongue and sharp mind, another technique, trashing, requires less glamorous skills.

Trashing

Trashing is the practice of going through trash to find information. This information can include account names, passwords, credit card numbers, and other security information. Although it is a risky, clandestine process, it can provide valuable information. It’s important to remember that what you put in the trash may not stay there. What you may consider innocuous documents or discarded packaging can give an edge to a cracker or a social engineer.

Discarded mail, manuals, or packaging from hardware can facilitate a number of attacks. Crackers can recover sensitive personal information from discarded mail. Manuals and packaging that you have thrown away might indicate exactly what type of Wi-Fi gear you have, assisting a cracker in attacking it.

You might also write down passwords, account numbers, or alarm codes because they are difficult to remember. If you throw these notes away, they can end up in the hands of a cracker. Figure 3-2 illustrates the loot a cracker can find in a trashcan.

click to expand
Figure 3-2: Trashing




Caution. Wireless Networking. Preventing a Data Disaster
Caution! Wireless Networking: Preventing a Data Disaster
ISBN: 076457213X
EAN: 2147483647
Year: 2003
Pages: 145

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net