Social Engineering and Other Low-Tech Hacking Methods
Over the past year, security has become a major issue in internet technology. Hackers, crackers, viruses, Trojan horses and other malevolent entities have sent scares through IT departments around the world.
In regard to the hackers, however, very often these high-tech marauders launch their attacks from a low-tech, mundane level. The truly criminal hackers have one personality trait in common: they all have an abundance of patience. They take the time to analyze your company’s network, and then, piece by piece, put together a method of attack that is a product of strategy, design and, of course, patience.
One reason they’re so patient is because they’re only going after big game: bank accounts, company plans, products, and any other forms of valuable military, industrial or government information. They’re not script kiddies, happy merely to leave a tasteless message on your monitor.
The software tools they use consist of sophisticated methods for port scanning, password cracking, denial of service, and so forth. However, these attacks often begin with traditional reconnaissance techniques.
For example, a temporary employee enters your server room under a false identity. He then locates the password file in the \SYSTEM32\CONFIG directory of the Windows 2000 server and copies it onto a floppy. When he gets home that night, he’ll run the encrypted passwords through a program like L0phtCrack, and within a day or so, he might be in full possession of your company’s passwords.
Here’s another example. Sheila is a subcontractor who has been hired to configure ten new HP printers onto the network of the XYZ company. In order to do this, she informs the systems administrator that she needs to install HP JetDirect software onto the print server. The systems administrator gives her access to the server room, which, of course, gives her the opportunity to install a customized version of a popular remote control application. When Sheila gets home that night, she’ll be able to log into the server with ease, and from there, explore the company’s network.
Had the company established a stricter policy regarding permissions to enter the server room, Sheila's installation of the remote control software might not have been possible. For example, the subcontractor would be required to give the system administrator the software to install.
Social Engineering
Social engineering is the hacker's method of manipulating you to do things under false pretenses in order to obtain information that you wouldn't give him otherwise. Typically, the hacker will call you at your company, saying he is a new employee in the field and asking if you would fax him a list of company phone numbers. Since there's no company policy against releasing that information, you fax him the numbers.
Or, maybe there's someone in upper management who has become dissatisfied over the years about the way the company has treated her. She calls the help desk asking them for a diagram of the building's network, including hub closets, servers and routers. Over the years, she's also met some shady characters in the computer underground who will pay her a high price for such information.
The defense against social engineering is simple in principle: all users should be trained not to give out sensitive information without going through proper channels. If your company is a financial institution, for example, procedures for the authorizing and signing-out of documents can be established.
The use of Windows’ and Novell’s network security policies is also a good deterrent, since they allow only applications and files that are specific to the user to be downloaded to the workstation. Thus, even if a hacker has network privileges, he or she has access to only a limited number of files.
Dumpster Diving
Simply put, dumpster-diving is the practice of searching through a company's trash bins to find any sensitive information that might have been discarded.
Here's an interesting scenario:
Sally is a bright and attractive young lady at Axle Manufacturing. With her soft country voice, and flirtatious way of getting favors, she has no problems calling the help desk and asking technical questions about workstations used by various employees. Sally’s boyfriend, Stan, was fired from Axle Manufacturing a year ago. Stan has an engineering degree and likes action movies. He likes dressing up in black ninja outfits. That’s why "dumpster diving" in the middle of the night is exciting for him. His two hacker buddies have cooked up a plan to bring down Axle’s entire network, using a series of denial-of-service attacks on the servers, but they need more information.
Their first step involves rifling through the company’s trash to find important items that have been discarded - floppy disks, tapes, hard drives, CDs. Perhaps someone has scribbled their username or password on a scrap of paper. Each little bit of information that can be scavenged can be used as a piece in the puzzle for cracking the company’s network. Some of this information appears trivial, because, by itself, it is. Your dog’s name or your street name aren’t important to hackers, are they? Well, if you use them for passwords they are, and that’s what a lot of people do!
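The point about pet names and street names doubling as passwords can be turned into a policy check at password-change time. The following is an added example, not part of the original article: it assumes a user profile with fields such as pet and street (constructed here) and rejects passwords that contain any of those words, forwards or reversed, even after the usual digit-for-letter substitutions.

```python
import re

# Common single-character substitutions people use to "disguise" a word
# (illustrative list, an assumption of this example).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(s: str) -> str:
    """Lower-case, undo common substitutions, then keep letters only."""
    return re.sub(r"[^a-z]", "", s.lower().translate(LEET))


def personal_info_in_password(password: str, profile: dict, min_len: int = 4) -> list:
    """Return the profile fields (e.g. 'pet', 'street') whose words appear in
    the password, forwards or reversed, after normalisation.

    Words shorter than min_len are skipped to avoid false positives on
    short fragments. An empty list means the password passes this check.
    """
    pw = normalize(password)
    hits = []
    for field, value in profile.items():
        for word in value.split():
            term = normalize(word)
            if len(term) < min_len:
                continue
            if term in pw or term[::-1] in pw:
                hits.append(field)
                break  # one hit per field is enough
    return hits


if __name__ == "__main__":
    # Constructed sample profile, the kind of detail a dumpster diver or a
    # chatty phone call can turn up.
    profile = {"pet": "Buster", "street": "Maple Drive"}
    for candidate in ("Bu5ter1!", "retsub99", "maple2019!", "Tr0ub4dor&3"):
        print(candidate, "->", personal_info_in_password(candidate, profile))
```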
If they find any phone numbers, well, those numbers will come in handy when they go searching for the company's modems. First, they learn the prefix of the company's phone numbers. Next they insert combinations of the last four digits into their war-dialing software. The software dials each number until it reaches a modem. If the modem links to a server then they can enter the series of user IDs and passwords that they copied to the floppy. It might take a few days or weeks but eventually they will be logging into that network.
Meanwhile, during the day, Sally is learning what web sites and user groups her fellow employees are using. She asks them things like: "Is there a web site where I can ask questions about Windows?"
"Well, sure," the sys admin tells her with a grin. "We always use the forums at such-and-such.com."
That night, Stan and the gang are hitting those same forums to see if any Axle employees are inadvertently giving away details about the company’s network.
So what are the defenses against such an attack as dumpster diving? Well, you might want to buy a paper shredder and then instruct all users to destroy documents containing sensitive information. Also, users should be made aware that unscrupulous individuals do scan company web sites as well as the discussion boards where employees might inadvertently post information regarding network configurations.
Searching the Company Web Site
Company web sites can be good sources of information for hackers. Very often, a company will leave employee names and phone numbers on their web site. Some companies also include links to the sites of their business associates and suppliers, as well as information like "This site operates from an Apache 2.0 server, running on a FreeBSD 4.6 operating system."
Chat sessions can be monitored as well. In fact, the moderator of a discussion group or chat session can casually ask session members what they do on their jobs.
In July of 2002, Yale University officials contacted the FBI to investigate claims that Princeton's admission staff had hacked into their web site to obtain information on recent Yale applicants. The Princeton staff was able to do this after obtaining the applicants' social security numbers and birth dates. This data was available because the students had applied to both schools.
Defenses against Web-based Reconnaissance
How do you defend against web-based reconnaissance? First of all, decide what kind of information should be on your web site and what should not. You probably want to explain your company's products and services, and how to contact sales representatives. However, you must exercise caution when explaining the company's future plans, products or network structure. Be careful when publishing "white papers" or other documentation that would give away information regarding server names, operating systems or network structure.
And, speaking of names, don’t name servers or other machines according to their function. For example, don’t name the firewall "firewall.company.com." Use a name like "heathcliff.company.com."
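Both the "Apache 2.0 on FreeBSD 4.6" disclosure mentioned earlier and the advice above about not naming machines after their function can be checked mechanically before a site or a DNS zone goes live. This added example (not from the original article) flags hostnames whose first label contains a role word and finds product-plus-version strings in published text; the role-word and product lists are illustrative assumptions to be adapted to your environment, and the sample hostnames and page text are constructed.

```python
import re

# Words that reveal a machine's role (illustrative; extend for your site).
ROLE_WORDS = {"firewall", "fw", "mail", "smtp", "dns", "vpn", "db", "sql",
              "proxy", "dc", "ldap", "backup", "router", "ids"}

# Product names followed by a dotted version number, e.g. "Apache 2.0",
# "FreeBSD 4.6" or "nginx/1.18.0" (illustrative product list).
VERSION_LEAK = re.compile(
    r"\b(apache|nginx|iis|freebsd|openbsd|linux|tomcat|php|openssl)\b"
    r"\s*/?\s*(\d+(?:\.\d+)+)",
    re.IGNORECASE,
)


def hostname_tokens(fqdn: str) -> list:
    """Alphabetic tokens of the leftmost label: 'mail-01.x.com' -> ['mail']."""
    label = fqdn.lower().split(".")[0]
    return [t for t in re.split(r"[^a-z]+", label) if t]


def flag_hostnames(fqdns) -> list:
    """Return hostnames whose first label contains a role-revealing word."""
    return [h for h in fqdns if set(hostname_tokens(h)) & ROLE_WORDS]


def find_version_leaks(text: str) -> list:
    """Return 'Product x.y' strings disclosed in published text."""
    return [f"{m.group(1)} {m.group(2)}" for m in VERSION_LEAK.finditer(text)]


if __name__ == "__main__":
    # Constructed sample zone entries and page text.
    hosts = ["firewall.company.com", "heathcliff.company.com",
             "mail-01.company.com", "sql2.company.com", "eleanor.company.com"]
    page = ("This site operates from an Apache 2.0 server, running on a "
            "FreeBSD 4.6 operating system.")
    print("role-revealing names:", flag_hostnames(hosts))
    print("version disclosures:", find_version_leaks(page))
```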
Social engineering, dumpster-diving and web site scanning: those are some basics of low-tech hacking. In future issues, we will discuss some of the more popular high-tech methods of the professional hacker.
By: Roy Troxel