Excerpt
Peeping into the hacker's mind
Hacking is more than just manipulating computers. As phone phreakers discovered in their
quest to control the telephone system, hacking can be performed on anything,
and as you'll soon see, people have been hacking in a variety of ways for
years. Hacking involves studying a system to see how it works, playing with
the system to see how to control it, and then manipulating the system to put
it under your control.
Social engineering: the art of hacking people
Perhaps the oldest form of hacking is social engineering,
which involves using people to get what you want. Unlike con games that steal
money, social engineering steals information. But since social engineering victims
are unaware that they have been tricked, they're often willing to help
the same person who fooled them again and again. (Politicians are probably the
ultimate social engineers.)
Say, for example, a hacker wants someone's password at a particular company.
Rather than ask that person directly (which would probably fail), he might try
a more easily manipulated source, such as a secretary. The hacker could deliberately
foul up a computer at that company, then call the secretary (while masquerading
as a technician) and ask if she has noticed any problems with the computer.
When the secretary says yes, the "technician" claims that fixing the
problem requires the (desired) password. More often than not, the secretary
will give out this password, and the "technician" will fix the very
problem that he created in the first place. The computer problem mysteriously
disappears and the secretary thinks that everything is now okay, not realising
that she has just given her boss's password to a hacker. The secretary
suffers no loss, and the password's owner is unaware that it's been
stolen.
Rather than go through another person, hackers might social engineer a target
directly. For example, a hacker might discover the phone number of a corporate
technical support line, then reroute those calls to herself. When the target
finds that his computer is suddenly not working, he calls technical support.
The hacker answers the line and asks for the target's password. Since the
target initiated the call, he will likely supply any information requested just
to get his computer working again. Once the target gives the hacker the password,
the hacker fixes the computer, and the problem once again mysteriously
disappears. The hacker has succeeded in obtaining the password, and the target
never realises that he gave it away.
Studying a target
Social engineering can be particularly effective for gathering
bits of information a little at a time. While hackers could social engineer
people without knowing anything about them, the company they work for, or the
type of job they do, studying a target before trying to social engineer anyone
will likely yield much more useful information.
One favourite tactic for researching a target is dumpster
diving. As the name implies, this activity involves digging through a company's
trash bins for valuable tidbits of information, such as out-of-date phone directories
(which can provide names, phone numbers, and department names), business cards
(which can match names with titles and departments), and handwritten notes (which
can reveal passwords or current project names).
Dumpster diving helps a hacker plan the best way to launch
an attack without the target ever being aware of the hacker's existence.
However, in some cases, dumpster diving may not yield enough information. In
those cases, hackers might take the riskier path of dressing up as janitors,
temporary workers, or new employees and physically wandering around the premises,
noting what they see and where equipment is located.
If this surveillance takes place after hours or during lunch, hackers can even
peek inside workers' desks and examine computers. With physical access,
hackers can try to access the network from a trusted computer, or install a keystroke
logging program to snare users' passwords as they type them in (see
Chapter 9 for more about these techniques).
Visiting a targeted company in person may be too risky or impractical
for some hackers (a 13-year-old is likely to have trouble masquerading as a
temporary employee). Instead, hackers might call certain people either to get information
from them or to discover the names of others who can provide the information.
When talking on the phone, hackers often disguise their voices and play different
characters. Thus, a hacker might use multiple voices to call the same worker
so the victim thinks she's providing information to a different person
each time. (Few workers will be suspicious of ten different people calling for
information, but the same person calling repeatedly would definitely arouse
suspicion.)
Armed with one bit of personal information about a target, a hacker can often
prowl the Internet and pick up additional bits of information about people,
from their personal web pages, to their posted resumes on job-hunting sites
like Monster.com, to their biography listed on a corporate web page. The
more information a hacker gathers about a target, the more likely he'll
appear credible and successfully social engineer the target out
of valuable information.
Gaining familiarity
The key to social engineering is to gain the trust of others. This is often
accomplished by acknowledging, rather than questioning, the targets position
or authority and developing a rapport with the target. For example, hassled
secretaries are unlikely to answer questions from a total stranger, but once
the hacker develops a rapport with him or her (perhaps by making fun of his
own boss in a way that the secretary might relate to), the hacker can erase
any suspicions. This works especially well if the hacker can toss out the names
of important people, projects, or procedures with the familiarity of someone
who has worked at or with the company for several years.
Having established a rapport, the social engineer next asks the victim for help.
Since helping others, especially someone perceived as trustworthy, can make
people feel important, most victims of social engineering will willingly give
the hacker the requested information. The victim doesn't feel like he or
she is really losing anything; the hacker has only asked for information, after
all, not something tangible like money.
Hackers rarely ask for information point blank. Instead, they obfuscate their
true purpose with casual requests for assistance and friendly small talk. For
example, a hacker might complain to a secretary about the company's working
conditions, casually mention that he's in building F (which anyone at the
company would know is isolated from the rest of the company's buildings),
then suddenly remark that he forgot his password back at his desk, which is
way across the parking lot in another building. He may ask the victim
if she knows another password that he could borrow for the moment. The victim
will volunteer someone else's password or, more likely, just give her own.
Either way, the hacker now has what he wanted.
At this point, the hacker could just hang up and yell, "SUCKER!!!!"
However, he doesn't want to arouse suspicion, so he might chat a little
more about the company and the people involved, and then complete whatever task
he needed the password for in the first place.
Social engineering victims rarely learn that they've been victimised. Even
if people later learn that someone broke into the computer network using a stolen
password, the social engineering victim usually believes that he or she gave
the password to help an employee rather than a hacker. As a result, the hacker
can often victimise the same target repeatedly.
If you can be fooled by a magician's sleight of hand, you can be fooled
by social engineering. In fact, chances are good that you have already fallen
victim to social engineering and don't even know it.
Excerpt from Steal This Computer Book 4.0: What They Won't Tell
You About the Internet by Wallace Wang. Price: Rs 400. Contact: Akbar Shroff.
Phone: +919867230571, 022-22070989. E-mail: cbs@vsnl.com. Website: cbs-india.com