Computer Security Books

Dr. K's Blog

Introduction

Sometimes crackers decide that there is no alternative but to take the direct approach to the systems they are interested in. The direct approach consists of three basic techniques for gathering information about the target system: trashing, to gather basic information; social engineering, to gather more advanced information; and infiltration hacking, where information is gained by actual physical entry into the target building. Of course, not all three techniques are always needed, but when all three are used together they form a set of powerful tools in the cracker's armory, tools that complement the technical abilities used to gain access to a computer or network. This "direct approach" stuff is extremely "black hat", but knowledge of these techniques is useful to white hats and systems administrators everywhere if they want to protect themselves from this type of attack. If you are interested in protecting your company's data, then you need to know how crackers use "the direct approach" before you can secure against it. Further information on protecting against these sorts of attacks is given in Chapter 13, "Maximizing Security", where proper countermeasures against this type of attack are given.



Trashing

"Trashing", "Dumpster Diving" or, as the English sometimes say, "skipping" (named after the UK garbage containers called "skips"), is the art of sorting through the detritus of a target office in the hope of finding something interesting. One of the attractions of trashing is that it is fun, although it can be a bit dirty and smelly at times, as sorting through printouts covered with coffee grounds and cigarette ends can be unpleasant. However, the dedicated trasher will be well rewarded, as they can find many of the following items, all of which are useful to a hacker or cracker. Many trashers will have found all of the items mentioned below when trashing, and much more besides.

  • Assorted office memos, giving names of employees and some sense of the office hierarchy, which a cracker finds useful for social engineering.
  • Notepads, "doodle pads" or "Post-It" notes with phone numbers, passwords and TCP/IP addresses.
  • Assorted computer manuals, office equipment manuals, books of procedures etc.
  • Billing information for customers, often including customer names and addresses, bank account or even credit card details.
  • Sacks of "shredded" material etc.
  • Bits and pieces of computers, keyboards, floppy disks, etc. Dumpsters are a source of obsolete and other equipment, and many people pull old, but perfectly functional computers, out of garbage piles including Apollo workstations, old IRIX machines, SPARC 1 workstations, numberless dumb terminals (vt100s), thick ethernet cabling, hubs, telephones, electronic components etc.
  • Office equipment including desks, swivel chairs, filing cabinets, tables, lamps etc.

Trashing is illegal because, strictly speaking, the garbage the trasher is sorting through belongs to somebody, and they could be prosecuted for theft. In the UK and US there have been several high-profile cases where journalists or private investigators have been prosecuted for stealing garbage from the homes of people they have targeted. Despite this, most trashers I know have never encountered difficulty with open sites. When the police have turned up it has been enough for them to explain that they were "recycling" old rubbish, and the police were happy enough to leave the trashers alone after warning them "not to leave a mess behind". Closed sites are a different matter. If trashers are climbing over walls or fences to get at the trash then they *are* trespassing, and they might find that the site security will be very unhappy to see them there. Security staff could mistake a trasher for a burglar and be jittery enough to have a "shoot first, ask questions later" policy, so would-be trashers should be aware that there could be very real danger and legal risks involved in a trashing run.

Selecting the target

Selecting the target for the trashing run depends on why the trasher is doing it. Broadly speaking there are three types of targets that present themselves for the trashing run.


  • "Targets of Opportunity", where trashers cruise around industrial and city areas taking any opportunity they can to dive into dumpsters and see what's there. These targets are often the best for hardware, as they only happen once and provide rich pickings. Trashers keep an eye out for companies changing location or going bankrupt when looking for hi-tech items and furniture. It is possible to build a decent LAN and office on junk that other people have thrown out.
  • "Regular Targets", where the trasher goes through the rubbish at every available chance, as the bins are refilled regularly. Telephone exchanges, computer companies that repair or build computers, and electronic companies that integrate boards or build from component up are targets that should be protected against regular trashing runs.
  • "Project Targets", where trashers target a single company site as part of a larger hacking project and where they are looking specifically for information about the corporate hierarchy, computer security procedures, passwords, network details, operating system details, phone network details, etc. Finding memos about LAN RAS dial-ups, for example, gives them something to hack on, and even the most useless memos can give an insight into office hierarchy, enabling fast and efficient social engineering. A few simple rules enable any systems administrator to block this type of attack by denying trashers access to any information that could compromise system security.

Gaining access

How trashers gain access depends on the site. Their favourite sites are the ones where they can walk off the street or even park a car right beside the dumpster. Least favourite sites are behind walls, fences and locked gates, or ones with guards or dogs. Most trashers would rather return to one of these sites many times in the hope of finding a gate unlocked or unoccupied than climb into a site like this, because of the added complication of the laws on trespass. Most trashers use their brains and don't leave themselves open to further criminal charges by breaking down fences or gates, cutting locks or chains, or smashing any obvious physical security apparatus such as cameras, lights or infra-red detectors. The art of trashing is only to take what is thrown away without engaging in any criminal activities to do so, and once a trasher starts causing damage to property in their attempts to get at the trash, they are nothing more than a vandal, a common criminal. When experienced trashers leave the scene of their trashing activities, they tidy up before they go. This is not only common courtesy; it also prevents the company becoming aware of trashing activities and enables "regular targets" to be revisited again and again. Many trashers forget this golden rule, and are dismayed to find large padlocks on dumpsters that could have produced high quality garbage for months.

Sorting the trash

How trashers sort the trash depends on what type of target and what type of trash they have found. Apart from obvious items like computer and electronic equipment with a possible resale value, 90% of what trashers find will be garbage. These are some of the items that a cracker will specifically look for if they are targeting a specific site with one eye on social engineering or infiltrating the target's computer systems. The disposal of all of these items should be monitored to prevent a trasher procuring them and possibly using them for an attack on the company's information systems.

  • Computer, network, and phone manuals. Finding any of these can tell crackers more about the technology inside the target.
  • Floppy disks, as even coffee soaked disks can be read with a little effort. Sometimes memos and documents that are shredded inside a target can be found on floppy disks that have gone "bad" and been thrown out.
  • Memos & internal office documents. These give an insight into the office hierarchy, the procedures and jargon used, project names and acronyms, all of which can be used to add a veneer of veracity to social engineering attempts.
  • Computer & IT procedures, especially security procedures. These are great for the cracker. Finding an IT procedure with a title like "Debugging the ISDN Router" that has been written in-house for operating staff to enable the fast fixing of problems will contain a large amount of target specific network and phone connection information.
  • Customer account or billing information, sometimes including credit details, bank accounts etc. About the only use for these is social engineering, as any fraudulent use of this information takes the cracker into the criminal domain. This information should be heavily protected, as companies and systems administrators have a legal responsibility to protect the privacy of customers or clients.
  • Backup tapes. It happens all too often that as backup media is cycled or goes bad, it just gets pitched into the bin, often without being wiped. Given the backup tape for a large system and a bit of work to read it, a cracker has an entire copy of the target's file system, possibly including UNIX passwords, Netware bindery information, NT registry information etc.
  • Shredded documents. They look like a mess but most crackers did jigsaws as a kid. Crackers start by sorting by color, thickness of paper and other possible clues, then isolate chunks bit by bit and work on them. It takes a while, but once finished they can tape them together and retrieve the information quite easily. In general, if a document is sensitive enough to shred, then it should also be worth disposing of by a security company specialising in destruction of company paperwork.

Protection

If you are interested in securing a site against this sort of attack, then you should work closely with the person responsible for the physical security of the site. The following tips are designed for security-minded systems administrators who want to be 100% sure that security cannot be compromised by information leaks via the trashing route.

  • Shred everything and dispose of it properly.
  • Secure your garbage area behind locked gates.
  • Use motion sensors to brightly light the garbage area.
  • Secure your dumpsters and other waste bins with padlocks.
  • Don't unlock dumpsters until disposal day is due.
  • Send sensitive paper waste to a security company which specialises in destroying sensitive information.
  • Wipe and then cut floppy disks into chunks before disposal.
  • Wipe and then cut old backup media into chunks before disposal.
  • Work with the person responsible for physical security.
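The "wipe" step in the list above is only worth anything if it is verified before the media leaves the building. The following Python script is an added example, not part of the original chapter or any vendor tool: it overwrites a file in place (random data, then zeros), syncs each pass to the device, reads the file back to confirm every byte is zero, and only then unlinks it. The scratch file, its made-up "billing record" contents and the 64 KiB chunk size are all constructed for the demonstration.

```python
import os
import secrets
import tempfile

CHUNK = 1 << 16  # 64 KiB write size (an arbitrary choice for the example)


def overwrite_file(path: str, random_passes: int = 1) -> int:
    """Overwrite every byte of `path` in place: random data first, then zeros.

    Returns the number of bytes overwritten per pass. The file is left on disk
    so that the caller can verify the result before deleting it."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        # None means "fill with random bytes"; otherwise repeat the given byte.
        patterns = [None] * random_passes + [b"\x00"]
        for pattern in patterns:
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(secrets.token_bytes(n) if pattern is None else pattern * n)
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # push this pass to the device, not just the page cache
    return size


def verify_zeroed(path: str) -> bool:
    """True only if every byte of the file now reads back as zero."""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                return True
            if block.count(b"\x00") != len(block):
                return False


def wipe_and_verify(path: str) -> bool:
    """Overwrite, verify, and unlink only on success. Returns the verification result."""
    overwrite_file(path)
    ok = verify_zeroed(path)
    if ok:
        os.remove(path)
    return ok


def demo() -> tuple:
    """Constructed input: a scratch file holding a made-up 'sensitive' billing record."""
    record = b"acct=12345678 sort=00-00-00 holder=J.Bloggs\n" * 2000
    fd, path = tempfile.mkstemp(prefix="wipe_demo_")
    with os.fdopen(fd, "wb") as fh:
        fh.write(record)
    size_before = os.path.getsize(path)
    ok = wipe_and_verify(path)
    # returns (bytes wiped, verification passed, file still exists)
    return size_before, ok, os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```

A file-level overwrite like this is only trustworthy on media that writes in place; journaling filesystems and flash with wear-levelling can leave old copies of the data behind, so for floppies, tapes and other removable media the whole device should be overwritten and read back, and the chapter's advice to cut the media into chunks afterwards still applies.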


Social Engineering

What is Social Engineering?

Social engineering is the term crackers give to any form of "con trick" designed to get information about computer systems from the people who use or run them. In its simplest form, social engineering exploits people's natural openness and helpfulness by employing knowledge of human psychology and of how people behave in situations where hierarchy, procedures and routine are part of day-to-day life. In the average business or university, the majority of people working there only know a small part of the picture, and can only respond to situations within that small picture. Effective social engineering uses this by allowing the social engineer to penetrate the situation by displaying knowledge of people and procedures, company and office jargon. This, along with the cracker appearing at ease in the situation, enables the target to feel that they "trust" them, because the cracker appears to be who they say they are. As I heard some hacker say on the Internet: "social engineering exploits bugs in human wetware to penetrate systems, just as crackers exploit bugs in physical software to penetrate systems".

Why use social engineering?

Sometimes social engineering is going to get a cracker further into a target system, and faster, than any other method. An example of this is the classic "support target" hack, where the cracker phones system support in a company or university and poses as a user who needs their password reset, or the number of the dial-up, or a VMB mailbox. Other times social engineering can be used for small, fun hacks designed to amuse rather than further any long-term aims, like engineering the password to all the screensavers in a local computer store, so that come the first Friday of the month everyone can go and play with their machines.

Whether a cracker uses social engineering or not depends very much on their acting abilities, their level of confidence and their prior research and preparation. Even the smallest piece of information recovered in trashing runs can be vital in establishing just that little extra measure of veracity that forms the bond of trust between a cracker and the target. That extra bond of trust determines the success or failure of attempts at social engineering, so crackers make an effort when information gathering, and never dismiss any information as worthless.

Basic Social Engineering.

Here are a handful of basic social engineering targets that have been abused successfully time and time again. All of them assume that the cracker has done some prior research into the target, either by trashing or some other means. The more information the cracker has about the target before starting, the better the chances of a successful social engineering session. The only protection against this type of attack is a clearly delineated security policy that sets procedures in place to cover possible situations where ordinary employees can be socially engineered. Thus, for example, helpdesk operatives should have clear procedures to follow that are specifically designed to foil a social engineering attack by demanding further proof of identity, or requiring them to ring the purported "user" back at a number known to and verified by the company.

  • The "Computer Support" target, where crackers pose as a user and claim to have forgotten their password, is a bit old hat but can still be successful in busy helpdesk environments where operators are so busy they can't, or won't, be bothered to check the ID. Asking for a change of password is a bit tricky, but as so many users forget their passwords as a matter of course, this still sometimes works for crackers.
  • The "Computer RAS/Dialup" target is an easy target, because the cracker can pose as an offsite user who has forgotten, or lost, the RAS dial-up number, and urgently needs to get some documents for a presentation the next day. Knowing the name of the boss of the exec or sales droid they are posing as will help heaps here, as will any names of support staff who normally assist them, as in "well when Keith installed the RAS client on my laptop he said ...".
  • The "Security Guard or Cleaner" target has both the advantage and the disadvantage that the target is not going to be computer savvy. If the cracker phones the target office after everyone has left and gets the security guard or cleaner on the line, they can then explain that they need access to some files for a presentation and talk the target through whatever the cracker needs, turning on file sharing, changing the registry, whatever they like.
  • The "Outside Supplier" target is a favourite of crackers, because they tend to be socially engineering people right in the IT/MIS department into giving access. Crackers ensure that the target has large software systems written by outside suppliers, and that the maintenance is done via modem from outside. These situations *do* exist, and once a cracker finds them it is possible to engineer access for themselves as a support specialist from the outside supplier, using tech-speak to convince the in-house team that they *really* do know about the systems there, and *really* do know about the problems that have been caused by their latest upgrade of their accounting or stock admin package or whatever.
  • The "Receptionist or Operator" target is a viable target for phone hacks and getting access to VMBs or dial-outs. Most small firms who have PBX systems normally entrust the operator role to a secretary or receptionist. They will eventually learn more about the phone system at the target building than anyone else. By phoning these people and mining for information while posing as an employee, crackers can get VMB account numbers and passwords, or in extreme cases dial-outs. Posing as an engineer for the phone company that maintains the system can also get results. Crackers try and learn the maintenance dial-in, or get the target to reprogram the PBX from the master phone, or just probe for more information to make later exploits easier.

There are so many possible uses for social engineering that any list is going to be incomplete. The main thing is that crackers get to know their target before starting, and make sure they do their homework so that they can pass themselves off in a realistic way as who they say they are. Protecting a company from this type of attack should be coordinated with the person in charge of building security. Where possible targets are identified within the company, employee awareness of security risks needs to be raised by training or some other means. It is also vitally important that staff members who could be targeted are given proper procedures to follow which have expressly been designed to foil the majority of social engineering attempts.




Infiltration Hacking

Infiltration hacking is the art of using any means necessary to procure access to a target building in order to obtain more information or, in some cases, access to a target computer. Why do crackers use the infiltration hacking approach? Well, it sometimes happens that the only way to learn more about a computer system they have targeted is to gain physical access to the building where the computer is housed, in order to acquire information about the type of computers, servers and network involved, and to pick up any other information at the same time. It is very uncommon for this to happen, but crackers who specialise in this approach are the rare breed of "infiltration hackers", capable of breaching normal security procedures in an attempt to gain physical access to computers normally locked away. Infiltration hacking is not really the remit of a systems administrator, as it involves the physical security of the building. A systems administrator should work with the company security officer or other designated individual to thrash out a set of procedures designed to foil physical access to a building. The systems administrator should also ensure that mission-critical computer systems are behind physically secure barriers, and that all staff are aware of any password policies designed to prevent passwords being written down in easily viewable areas, e.g. on "Post-Its" attached to a monitor.

The people entrusted with building security do not take it kindly when people are wandering around in secure areas, and in extreme cases might even call the police, who could decide that the cracker's actions constitute physical trespass, which is bad, or breaking and entering, which is even worse. It is this aspect of infiltration hacking that deters all but the most dedicated, or foolhardy, crackers from committing actions that could lead to legal problems. It must be stressed that the discussion of the techniques of infiltration hacking in this book is for informational purposes only, and this book is not recommending any of these actions. Systems administrators and security officers, however, might take note of the things said in this chapter, and act upon them, to ensure the security and integrity of their company data by guaranteeing that the techniques described in this chapter cannot be used against them.

Gaining access to the site.

Gaining access to a site will depend on the type of site and the nature of the physical security around the building. Many infiltration hacks happen in university settings, where security is relatively loose and infiltration is a matter of bypassing doors which are often locked with "keypad" entry systems or "swipe card" systems. However, there have been some infiltration hacks where the infiltration hackers used a variety of means to gain access to the target building, some of which include:

  • Applying for a job, or various jobs, at the target site. Normally used by older hackers, often with a forged CV to guarantee an interview. Once inside and equipped with a visitor's pass, excuses such as needing to go to the toilet or "getting lost" can get the cracker around the building.
  • Walking in with a basket of sandwiches and selling them to the office workers at lunch time in the target building. This has the advantage of allowing all the office workers to become used to seeing the cracker around, so that nobody notices when they are still hanging around after lunchtime is over.
  • Getting a job with the company that does the computer or office cleaning for the target building.

I have also heard about the following infiltration techniques, and have never heard of anyone successfully doing them, but they might well work for a dedicated cracker.

  • Going on a guided tour of the target building. How many companies will give a guided tour these days?
  • Asking for a guided tour as part of a school trip or "school project".
  • Walking in with a box of tools and overalls with documentation and claiming that they are there to service the air-conditioning, fix a phone fault or service a photocopier etc.

Getting access to a computer.

Once the cracker is inside the building they will have done enough prior research to know what they are doing, and why they are doing it. There are many things to be learned inside the average target building, and crackers know what to look out for, and how to bypass some of the more mundane obstacles to secure areas if they are going to get to that server or unsecured root console. Not only that, but once the cracker breaches any form of physical security it becomes *much* harder to talk their way out of discovery with excuses about "getting lost after leaving the toilets", so crackers understand the need for speed and stealth.

Most of the interesting computers are behind locked doors, but because access is needed right through the day, the physical locking device is often a push-button lock or swipe card. It is not for nothing that infiltration hackers have an interest in subjects as diverse as 5-button "Simplex" locks, 14 button "Digital" locks, lockpicking and how magnetic stripe encoding works, as all these techniques can be used to gain access to areas that should otherwise be off limits.

  • "Simplex" locks can be recognized by their circular five-button appearance. The algorithm for breaking the code for Simplex locks has been widely distributed on the Internet, but somehow I keep seeing them securing doors in office buildings. If your company has this type of lock securing your computer suite, then they might as well put the key under the mat.
  • "Digital" locks are rectangular in design with 14 buttons marked 0-9, X,Y,Z and C (clear). The combination code for these locks is always 5 digits long, but because the lock manufacturers allow the 5 digits to be entered in any order, there are only 1287 possible combinations to this lock. I leave the working of the 1287 combinations as an exercise in combinatorial mathematics to the reader, or they can consult the Winter 1993-94 issue of "2600" magazine for the full list. Once again, if you need to secure a computer area then these locks are not recommended for obvious reasons.
  • "Swipe Card" locks come in all types. The encoding of the magstripe varies according to the manufacturer of the system that is put in place. Most of these systems allow logging of all entries to a central computer, so a cracker's access will show up on the logs if you audit later. Swipe card locks are difficult to deal with unless the cracker can socially engineer an employee to let them through. Crackers could try turning up at the door with both hands full with a large cardboard box or PC case when another employee arrives, but otherwise doors locked by this method can present a problem. There should be security policies in place that expressly forbid "swiping through" for another employee or person, to prevent this type of infiltration. Company-wide swipe card systems are good security, but be aware that if a cracker gets their hands on a sample card they can use a mag-stripe reader/writer to reverse engineer the coding system and possibly gain access. The person involved with physical security should always ensure that when swipe cards are lost or stolen they are "locked out" from the system, and they should also monitor the swipe card system for unusual events, such as attempts to gain access via userids not on the system.
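The 1287 figure quoted for the "Digital" lock follows from a short count. This derivation is added here and is not part of the original chapter; it uses only what the bullet states: 13 usable buttons (0-9, X, Y, Z; C only clears) and a 5-button code accepted in any order.

Since order does not matter, a code is simply a 5-element subset of the 13 buttons:

$$\binom{13}{5} = \frac{13 \cdot 12 \cdot 11 \cdot 10 \cdot 9}{5 \cdot 4 \cdot 3 \cdot 2 \cdot 1} = \frac{154440}{120} = 1287$$

For comparison, the same lock with order enforced would have $13 \cdot 12 \cdot 11 \cdot 10 \cdot 9 = 154440$ codes, and a keypad accepting an ordered 5-digit PIN with repeated digits allowed has $10^5 = 100000$. The order-insensitive lock therefore offers roughly $1/78$ of the keyspace of an ordinary 5-digit PIN, which is why the chapter rejects it for computer-room doors.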

Once the cracker is inside the computer room, network room, comms room or other secure area, they may only have a few minutes to accomplish their goals. A cracker will look for any of the following:

  • The root console for a UNIX box, normally left logged in and connected by a serial line, as it is the systems admin's last way into the machine if the network crashes.
  • The screen for a Netware or NT server that is left on for the same reasons, but which might be passworded.
  • Any hubs, routers or other network communications equipment, often marked with TCP/IP or MAC addresses, and sometimes other information.
  • Any phone lines or phone equipment, including ISDN adapters marked with the ISDN line, leased line terminators marked with circuit numbers, modems plugged into phone sockets etc.
  • Manuals, network diagrams, books, sheets of procedures and checklists, or emergency passwords.

Now is the moment that the cracker's infiltration has been planned for. They quickly do what they need to do: create a new user with root privileges, change the routing table, reprogram the firewall, or just write down all the information they can, ready for an attempt to breach the computer system from the outside. Once the cracker has breached security and gathered information they will attempt to quit the secure area as soon as possible, making sure that they have an excuse ready to cover their tracks if they are stopped and questioned. For this reason it is a good idea to make sure that access to secure computer rooms is overlooked by one or more staff members, so that they can be aware of any unusual activity around the entrance to the area.
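The chapter says the swipe card system should be audited and monitored for unusual events, such as attempts to enter with userids not on the system, and that lost or stolen cards must be locked out. The following Python script is an added example, not part of the original chapter or any door-controller vendor's software: it parses constructed access-log lines and flags cards unknown to the directory, revoked (lost or stolen) cards still being presented, after-hours entry to the computer room, and bursts of denied attempts at one door. The log format, the card directory, the door names, the business hours and the denial threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; the line format is an assumption, not any vendor's.
SAMPLE_LOG = """\
2024-03-04T08:55:12 DOOR=CompRoom CARD=10442 RESULT=GRANTED
2024-03-04T09:02:41 DOOR=Lobby CARD=10518 RESULT=GRANTED
2024-03-04T12:17:05 DOOR=CompRoom CARD=10777 RESULT=GRANTED
2024-03-04T19:42:03 DOOR=CompRoom CARD=99901 RESULT=DENIED
2024-03-04T19:42:20 DOOR=CompRoom CARD=99901 RESULT=DENIED
2024-03-04T19:42:55 DOOR=CompRoom CARD=99901 RESULT=DENIED
2024-03-04T21:10:30 DOOR=CompRoom CARD=10442 RESULT=GRANTED
"""

# Constructed card directory: card id -> (holder, status). 10777 was reported lost,
# so any use of it means the lock-out the chapter calls for has not happened.
CARD_DIRECTORY = {
    "10442": ("alice", "active"),
    "10518": ("bob", "active"),
    "10777": ("carol", "revoked"),
}

SECURE_DOORS = {"CompRoom"}          # doors where after-hours entry is worth a look
BUSINESS_HOURS = (7, 19)             # 07:00 inclusive to 19:00 exclusive
DENIAL_THRESHOLD = 3                 # denials at one door within DENIAL_WINDOW
DENIAL_WINDOW = timedelta(minutes=5)

LINE_RE = re.compile(r"^(\S+) DOOR=(\S+) CARD=(\S+) RESULT=(GRANTED|DENIED)$")


def parse_line(line: str):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, door, card, result = m.groups()
    return {"ts": datetime.fromisoformat(ts), "door": door, "card": card, "result": result}


def analyse(log_text: str, directory=CARD_DIRECTORY) -> list:
    """Run the four checks over the log; each alert is (kind, card, door, timestamp)."""
    alerts = []
    recent_denials = defaultdict(list)  # (card, door) -> timestamps inside the window
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        holder = directory.get(ev["card"])
        if holder is None:
            alerts.append(("unknown_card", ev["card"], ev["door"], ev["ts"]))
        elif holder[1] == "revoked":
            alerts.append(("revoked_card", ev["card"], ev["door"], ev["ts"]))
        if ev["result"] == "GRANTED" and ev["door"] in SECURE_DOORS:
            if not (BUSINESS_HOURS[0] <= ev["ts"].hour < BUSINESS_HOURS[1]):
                alerts.append(("after_hours", ev["card"], ev["door"], ev["ts"]))
        if ev["result"] == "DENIED":
            window = recent_denials[(ev["card"], ev["door"])]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > DENIAL_WINDOW:
                window.pop(0)  # forget denials that have aged out of the window
            if len(window) == DENIAL_THRESHOLD:  # fire once when the threshold is reached
                alerts.append(("repeated_denials", ev["card"], ev["door"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, card, door, ts in analyse(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind:17} card={card} door={door}")
```

On the constructed log this raises six alerts: the revoked card 10777 being granted entry at midday, three attempts by the unknown card 99901, a repeated-denials alert when the third of those arrives within five minutes, and an after-hours entry to the computer room by card 10442. Each of those is exactly the kind of event a security officer would want cross-checked against the staff who are meant to be overlooking the door.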



Combining these approaches

The worst penetrations will often combine a mixture of all three skills, with the actual trashing run coming early in a project, social engineering later, and infiltration hacking nearer the end, if it appears at all. However, there are no hard and fast rules about this: if it suits the cracker's purpose to infiltrate before trashing, then they do it, and if they can social engineer without visiting the site, then so much the better.

  • Crackers look for information about who the company trades with, both suppliers of goods and of services. They pay special attention to suppliers of IT maintenance, large software systems and Internet access. Crackers gather information about these secondary targets so they can better understand who does what so that they can pose as a member of one of these companies and make it realistic. Knowing that the target upgraded XYZ system in 1998 and what problems they had with it makes their role much more convincing.
  • Crackers look for information about the internal structure of the target company: phone books, memos, post-its, etc. They try to build a picture of the company hierarchy in their head, and try to be familiar with the history of the company, who has left, who has been promoted, marriages and births. Knowledge of this kind is very convincing when social engineering as a "new" member of the company.
  • Crackers don't discount any information that they find. Even the humblest birthday card or memo for an office pool can give them that final bit of information needed to successfully socially engineer their target.
  • Crackers try to understand what IT systems are in use in the company, and how the IT department is perceived by the rest of the company. Phoning an executive pretending to be a member of the tech support team will get the cracker short shrift if relations between IT and the rest of the business are bad, but will work well if the IT team is perceived to be "on the ball" and has a degree of trust from senior managers.



Conclusion

Anybody who is targeting your computer systems can use these techniques to learn more and gather information about a company, its personnel, suppliers and computer systems. Indeed, any investigative journalist will be familiar with many of the techniques presented here, from "trashing", through "social engineering", right up to penetration of a company. The techniques presented here transcend mere computer security and fall directly into the remit of business security, and should be approached as such, as a partnership with your security officer. It is vital that the security-minded systems administrator enlists the aid of the head security officer and makes them understand the potential disruption that can be caused by these attacks. It is also vitally important that staff are aware of some of the more common types of social engineering attack, and of the importance of keeping and disposing of sensitive information that could lead to a compromise of the company IT systems. Anyone interested in stopping these kinds of attacks should look at the general recommendations in Chapter 13, "Maximizing Security", where counter-measures are discussed in more detail.


Creative Commons License This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 2.5 License.