Network Hacking 175
Wrighter the Pessimist writes: "In this article on Yahoo, they report that computer hacking has become easier, partially because of devices that have built-in computers, like printers and playstations. However, it also lists a number of 'ordinary' (obsolete?) methods of 'hacking' - such as gaining physical access to a corporate computer, and social engineering. It would be interesting to see a study done on this, to see how many attacks are actually carried out from such devices." The article touches on the Dreamcast Attack mentioned the other day, but also some slightly less bulky approaches. Be on the lookout for dark-clad intruders slipping CD-Rs into machines at your workplace ...
Obsolete? (Score:5, Informative)
As long as there are people, social engineering will work wonderfully.
Social Engineering is still the biggest threat (Score:2, Informative)
Recent example - we were converting 17 years of production data from a mainframe into a the replacement system. With the volume, we needed an uninterrupted 40 hour window, but the client performed a cold backup of the database nightly.
The process in place says we call the production DBA's (who know us, and are employees, not contractors like us) and they pass official word to the operators in the datacenter.
Well, after 9 hours of loading, the database goes down at 5:00am. We call the prod dba's, and the on-call guy doesn't answer. So I call the ops center. The story I get is that a contractor on another project requested a backup of some critial files stored on the db box. He did this directly with the operator at 11:00 the night before, and the operator didn't even remember his name.
If a simple phone call to ops is all it takes to take the system down, why bother with the standard exploits?
Re:Safeguarding Secrets 101 (Score:3, Informative)
1) Buy people, rival firm has a product you need to sabotage... well hire their best brains so it turns out shit... and you get the product as well.
Our company is rated as one of the 50 best companies to work for [fortune.com] by its own employees.
2) Have a clipboard, 99% of companies and people in those companies will not query a suit with a clipboard. This gives you the ability to walk into any areas saying you are doing a "Time and motion" study for the new Quality Iniative. Or do an "assets" audit and take away servers for "verification" that aren't on the "official register".
Our facility, though comprising over 300 people, functions as a closely knit team. Nobody unknown to us gets past the lobby, clipboard or not.
3) Buy the people
Our company is rated as one of the 50 best companies to work for [fortune.com] by its own employees.
4) Have someone join as a graduate, or even as a more senior person. Sure it violates their contract, but just pay them the cash.
Our company is rated as one of the 50 best companies to work for [fortune.com] by its own employees.
5) Supply the network upgrade at low low prices via a subsiduary, then ensure they can be "remotely administered as part of the outsourcing and support deal".
We manage all our networks internally. An "outsourcing and support deal" would be laughable.
6) Buy the people
Our company is rated as one of the 50 best companies to work for [fortune.com] by its own employees.
7) Walk into PC support, ask for a backup of your server from date X put onto new server Y. Or even better just get the required files burnt onto CD. Sure you have to fake the paper work, but that isn't hard.
All of our change requests are managed electronically. To "fake the paperwork", you'd need access to a logged-in system, an acccount on the change management system, and you'd have to show up the next morning to represent your request at the daily change control meeting. Also, we manage our own backups. Nobody unkown to us would ever request one.
All of these will be more effective than hiring script kiddies.
None of these would be any more effective than hiring script kiddies. (Funny story: just this week a script kiddie was caught pounding one of our IPs. Security tracked him down and printed out a desist request on a printer on the kid's network. The attacks stopped a few minutes later.)