[plug] Trade [flame alert]

Jeremy Malcolm Jeremy at Malcolm.wattle.id.au
Tue Feb 29 12:14:03 WST 2000


-----BEGIN PGP SIGNED MESSAGE-----

> First attack: ask administrator (who knows that you're testing out his
> security) to install some arbitrary program.  Chance of success?  None,
> I would hope!

Ah, but you wouldn't do it that way.  You would forge your mail
headers and send it as a trojan (eg. attaching it to one of those joke
email greeting files).  Admittedly this only works for Windows people,
and stupid ones at that.  (It has always struck me as bizarre how the
same people that get sucked into those virus hoax emails are the same
people who send around 2Mb binary attachments.)

> Second attack: ask someone to join webring (umm, ok!  system admins are
> known to be big fans of web rings... NOT.) and hope that they use the
> same password for this as they do for their Unix account (root/user).
> Chance of success?  Once again, hopefully, none.

The example is not important.  The idea behind it is.  I haven't done
much hacking-in-the-bad-sense (basically only to this one person, with
permission), but I found that what you call "social engineering"
attacks, and what I would call "lateral thinking", are much more
successful than focussing on application security holes (how many
years ago was the qpopper problem fixed, and how many skript-kiddies
are still trying it?).

A few more examples that I found useful were:

(a)	if they use a Web mail service (which this guy did), click "I have
lost my password", read the "password hint" question that it asks you,
and do some research to find the answer (eg. ring up a member of his
family to ask when his birthday is);

(b)	if you know the person's family (which I did) or workmates, make
an excuse to pay them a visit and gain physical access to his computer
(which didn't actually work for me on that occasion);

(c)	once you find out enough of his passwords, but if the server
itself only has SSH access and you don't have his private key, work
out what other systems he has an account on, and see if you have an
account on one of them yourself, or can access any of them via telnet.
Then once you've hacked that account, you can SSH to the server.

The critical element in all of this is finding out the person's
passwords and there are myriad ways of doing this, most of which are
reliant on a bit of imaginative thinking.  This is the reason why I
said that the first thing I would do when trying to hack a server is
to discover the person's passwords.

- -- 
JEREMY MALCOLM Jeremy at Malcolm.wattle.id.au http://malcolm.wattle.id.au
SIG of the day: [ ] Contact  [ ] Web  [ ] PGP  [ ] Taglines #1  [x] #2
"I'm a lawyer." "Honest?" "No, the usual kind." | Linux, the choice of
a GNU generation. | Are you the brain specialist? | "Could anyone pass
the sodium chloride, please?" - Adric (5W) | The Nanites have lawyers?

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.0.2i

iQB1AwUBOLrXCb/mBljD2JABAQE2zAL+K8tFpXbLC7Ivi0PFTN4614f6yTZtNn9M
XCkILtar53rAxIViDqu+0aIeLijPaqE+RZKr+M57dhpvBwKcpL2qP8UlFAra0B7D
rf9URu/P0f6uXVoSPBkPOz66aisijWir
=6vhu
-----END PGP SIGNATURE-----