20171231

Low Tech Hacking by Jack Wiles


  • Today we find ourselves in a position where our outdated defenses regularly fall prey to the simplest "Low Tech" hacking techniques.
  • Social engineering is what I believe could be the most effective and dangerous outsider-insider threat to any security plan.
  • A social engineer will continuously learn more clever ways to take advantage of how our minds work in order to perform the illusion or deception.
  • Any one of us, at any time, could easily become the victim of some form of social engineering. I personally believe that it is not possible to completely eliminate the risk.
  • Our minds work in very trusting and predictable ways, and that means that exaggerated deviations from the norm might not ever be considered.
  • I learned over the years that social engineering attacks work best when they were two-part attacks.
  • You will probably hear me say this many times throughout this book, but I continued to be amazed at how many great social engineering tools are available at your yard sales, flea markets, pawnshops, and thrift stores.
  • The only countermeasure for threats like social engineering is always being just a little bit more suspicious.
  • As an absolute minimum, it is very important for every employee to have some sort of chain of command for reporting potential security threats.
  • By far, the most effective keystroke loggers that we have used are the KeyGhost hardware loggers being sold as security devices.
  • Keep in mind that the key logger is only detecting keystrokes. It doesn't detect anything that was pointed to and clicked on with the mouse.
  • There couldn't be any better example of low tech hacking than simply sitting in a crowded restaurant on a typical day, in a typical city, and listening.
  • We are so dependent on telecommunications today that service technicians carrying tools and replacement equipment are as common as express delivery drivers. We are conditioned not to challenge these people especially if they are in a rush.
  • It's usually not a good idea to approach strangers first before knowing what they are up to.
  • If the information [login and password] isn't written on the admin terminal, it's more than likely under the keyboard or in a drawer close by.
  • There are lists of default passwords and user names delivered with new PBX and VOIP phone systems on a number of hacker sites. Many customers never change these defaults even though every manufacturer strongly recommends an immediate change.
  • The use of VOIP systems is growing; however, the majority of phone systems in use today rely on technology basically unchanged over the past 20 years.
  • The mining of data from social web sites like Facebook has become the number one tool in the arsenal of the bad guys.
  • All of our efforts are at the gateway and seem to involve preventing malware from being delivered in to our environments. [...] We need a game changer and I believe that the most viable game changer is to quit worrying about the delivery mechanisms of malware and apply or focus on not allowing any untrusted code to ever, under any circumstances, execute within our environments.
  • Who cares how they deliver their malicious code? If it cannot execute it simply no longer matters.
  • If you cannot control known good traffic you stand no chance at all of controlling any bad/malicious traffic.
  • The number one countermeasure for the threat of social engineering is to be just a little more suspicious than we normally are as good, friendly, trusting citizens.
  • It is truly amazing how our minds work and sometimes don't work the way that they should.
  • While things are constantly changing in the technical security world, in the physical security world, things don't seem to change quite as quickly.
  • We all need to at least be familiar with and understand our risks at home and at work.
  • It's always a good idea for the management team responsible for computer and information security to work closely with the management team responsible for overall building security.
  • On every one of my team's penetration tests, we found at least one lock (either interior or exterior) in the building that wasn't functioning properly. This provided us with easy access to buildings and rooms that we shouldn't have been able to get into so easily.
  • Slightly misaligned strikes on the door frames are the most common problem that we find. This is a serious problem, in that it defeats the purpose of the dead bolt feature of the lock.
  • I know these can be faked, but I still think it is much better to have some form of visible identification worn by every employee at all times.
  • Employees can be somewhat trained to even detect fake ID badges.
  • Awareness training works.
  • I believe that it is a good policy to shred everything that comes to your home with any family members name on it.
  • When conducting a physical penetration test, the company's phone books were the first things that we went for. Once we got our hands on a corporate directory, the social engineering began. Most corporate phone books are laid out in a way that conveniently shows the entire corporate structure as well as chain of command, building addresses, and department titles.
  • Employee awareness of the importance of a corporate directory will help ensure employees know how to safeguard this valuable corporate property.
  • Everything that you do to make it a little harder for the bad guys will make you a less likely target--they're looking for an easy mark.
  • Unsecured areas are targets for tailgating. This was one of our most successful entry techniques regardless of the security procedures at the building.
  • We found that many corporations had good security at their main entrance points but were lacking at other entry and exit points.
  • Tailgating, frequently called piggybacking, is simply following someone into a building after they open the door with an access card or by entering a door code.
  • By far, the least expensive and most effective countermeasure for the overall security of any organization is the employees of that organization.
  • I can't emphasize enough the need to train all of your second and third shift employees, and especially your janitorial services people, about the threats of social engineering.
  • The more difficult you make it for people who don't have a need to know about these critical rooms, the more secure you will be.
  • If you are going to have high-security locks on any doors in your building, then dedicated computer rooms and phone closets would be first on my list of rooms needing the most secure locking mechanisms.
  • That entire expensive surveillance system is worthless if whatever is captured on tape isn't ever seen by a human who can do something about it.
  • While most companies don't own the manhole covers (and what's under them) surrounding their building, it's still a good idea to check on their security.
  • The extent of the infrastructure that exists below the streets of most cities is incredible.
  • Old disk drives will be an area of concern for years to come.
  • Be certain to remove all disk drives from computers that you plan to donate, give away, or simply throw away.
  • I recommend that all companies have their building security maintenance teams perform a spot check above all suspended ceilings at least twice a year.
  • Security will always be a long-term team effort.
  • The biggest potential problem with technical security is a lack of proper physical security.
  • As with anything else in life, practice, practice, practice is the only way to stay good at just about anything.
  • Pin tumbler locks are also the most common type of lock that we see in homes and office buildings on doors. These locks can be picked with a little practice.
  • Mushroom pins are shaped somewhat like an hourglass. This shape can cause the pins to bind as someone attempts to pick them.
  • Very powerful battery-operated drills are now available everywhere. If I can get to that key-way and begin to drill out those pins, thereby creating what is known as a shear line, I will be able to retract that bolt and remove the lock.
  • Unless someone was caught inside your building, you may not know they were ever there.
  • What allows the door to open is the retraction of the bolt.
  • Just about all of our homes and most businesses still use pin tumbler locks for their primary perimeter defense.
  • It is very seldom a good idea to have one key that opens everything in the building.
  • Highly pick-resistant Medeco locks are some of the most effective.
  • The main reason we always tried to befriend the people on the janitorial team is that they usually had those important keys that we were trying to get our hands on.
  • If your lock looks different from everybody else's, and functions somewhat differently from everybody else's, you will automatically become a tougher target.
  • Being a little bit more difficult to compromise than the next guy, is really the name of the game with security.
  • Always be careful who has access to your keys.
  • Throughout my years working in various aspects of technology and security, I've come to realize one simple concept; out of sight is out of mind. Organizations habitually overlook security of wireless communications because they can't see it.
  • The simplest and most fun thing you can do to disrupt a wireless system is muck around with the antennas.
  • Even the slightest changes in a directional antenna can wreak havoc on the wireless system.
  • Organizations with external APs or antennas should carefully select their mounting locations and ensure there's appropriate physical security protection for the devices.
  • Aside from tampering with the antennas, forced reflection is probably the simplest and most effective wireless disturbance.
  • Unlicensed wireless will draw attention from the FCC if it's operating in the wrong band or is too high powered.
  • Jammers can be easily built from homemade electronic components or by re-purposing another device that's designed to transmit on the frequency you're attacking.
  • More often than not, rogue devices are introduced into a network by authorized users such as employees and contractors.
  • A rogue device is any device--client or infrastructure--that attaches to your infrastructure without knowledge or consent by the organization. Rogue devices are a huge security risk in an enterprise.
  • Regardless of the specific vulnerability, nine times out of ten, there's some way to access the management interface of a switch or access point.
  • Good 'ol fashioned MAC spoofing is a great way to get around a variety of security controls in place. MAC (media access control) addresses are unique identifiers for each network interface on a device.
  • Although the MAC address is coded on the machine, it can be changed in the software, making it possible for a user to change a MAC address on his device.
  • If someone is going to surveil you, the most obvious and easiest place to start is with your name.
  • The truth is, you really cannot get any of your information actually removed from the internet. [...] Just be warned that, once it is out there, it will live and it can be found.
  • The first place to start collecting information on the patterns of your behavior is to target social media and social networking sites.
  • Always remember, nothing really disappears or can be deleted from the internet.
  • Personal bank account amounts and line items are very difficult to attain online, unless you, the bank, or a third party has somehow exposed otherwise secure information.
  • It does not take a lot of hacking technical skill to spoof an email address and make it appear that the email is coming from a legitimate source.
  • Many people don't secure their wireless networks.
  • One of the most important aspects of targeting and surveillance is to put all of the collected intelligence together. This is perhaps the more artful step in the process.
  • But at the end of the day, a quote from Jane Austen made over 200 years ago still stands the test of time, "Every man is surrounded by a neighborhood of voluntary spies."
  • Penetration testers tend to agree that the end user is the weakest link in any information security chain.
  • Humans are social animals, and we've trained ourselves over the generations to help people and to trust people. It's always been a mechanism for the survival of our race. Most individuals prefer to believe the best in others and their intentions. At the very least, we don't want to be the person who slows down the organization or stops progress altogether. But that aspect of being human also makes our employees vulnerable to compromise by creative and enterprising attackers.
  • A great penetration tester can achieve high success rates by introducing slight variations in a target's environment without arousing suspicion.
  • In reality, selective attention is a great way to engineer people's reactions and motivations.
  • If I can draw your attention to one thing, it means you're not paying attention to something else. This can be referred to as distraction.
  • One of the core concepts of magic is to distract your audience so you can do something else while they're not paying attention.
  • Mr. Cialdini states, "Six basic tendencies of human behavior come into play in generating a positive response: reciprocation, consistency, social validation, liking, authority, and scarcity." So, from our perspective, in order to best penetrate an organization, we'll want to utilize these human tendencies when interacting with the employees of an organization in ways they'll understand instinctually.
  • Our goal is to keep this process as simple as possible and use suitable tactics for the job.
  • Another consideration for your penetration team is the culture of the target organization.
  • People naturally want and need to trust other individuals. All you have to do is fit into the confines of their expectations.
  • The right clothing and accessories can create a sense of trust within your target because you blend in with their expectations.
  • Users tend to be more relaxed and less on their guard when they're off-site than when they're at work. [...] So the best location to target users will normally be outside their normal working environment.
  • The strategy is our game plan. It's how we'll approach the users, gain their trust, and get our software installed on their computers. The strategy has to take the location and the mood of the users into account.
  • The strategy we choose needs to fit with the location, target audience, time, and wariness of our targets.
  • Since our penetration projects will be different, each of our approaches will be customized to the organization we're targeting. Your team will need to be flexible and creative. Consider all possible alternatives, because you can be fairly certain the target organization hasn't.
  • It's incredibly important to be relaxed in your interactions. Most people haven't studied body language, but they do have instincts that react to body language and can alert them to situations that could be dangerous or misleading.
  • A wrapper is used by many hackers to obfuscate the code signature of a piece of malware so that it won't be detected by antivirus software once it's been installed on a user's computer.
  • Conducting penetration tests doesn't always have to rely on a great deal of technology.
  • Off-the-shelf software products, including some highly regarded free products, can often provide all the tools you need (along with your imagination) to do some low tech penetration testing.
  • Skillful communication most often results in gaining pieces of information that are key to success in whatever line of business or social environment that we humans engage in. So it comes as no surprise that skilled criminals use these same skills of social engineering to advance their schemes.
  • The strength of any network, including our social networks, is only as strong as the weakest lock.
  • Malicious executable attachments to email continue to be the most prevalent low tech hacking threat.
  • Generally speaking, the individual user is the most vulnerable and most targeted for compromise by the low tech hacker.
  • The world has become so reliant on the internet that it has become its own worst nightmare.
  • If your program is going to be successful, you will need the support of the CEO.
  • I think the most important thing about an information security awareness program is that people know how to contact information security when they have a question or concern.
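The book's point that spoofing an email's visible sender takes no real technical skill comes down to one fact: the From: header is whatever the sending software writes into it. What a receiver can check instead is whether that header lines up with the SMTP envelope sender (recorded by the receiving mail server as Return-Path) and with the SPF verdict the same server wrote into Authentication-Results. The following is an added example, not code from the book; the two raw messages, the domains bank.example.com and mail-blast.example.net, and the receiving host mx.example.com are all constructed for illustration.

```python
"""Detect a forged From: header by checking envelope/SPF alignment.

Added example (not from the book). Both raw messages below are constructed:
the first impersonates a bank in the From: header while the envelope sender
and SPF-checked domain belong to an unrelated bulk mailer; the second is the
bank's own mail, where all three agree.
"""
import email
from email import policy
from email.utils import parseaddr
from typing import Optional

SPOOFED_RAW = b"""Return-Path: <bounce@mail-blast.example.net>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mail-blast.example.net
From: "Customer Service" <alerts@bank.example.com>
To: victim@example.com
Subject: Verify your account
Content-Type: text/plain

Please log in at the link below.
"""

LEGIT_RAW = b"""Return-Path: <alerts@bank.example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bank.example.com
From: "Customer Service" <alerts@bank.example.com>
To: victim@example.com
Subject: Your statement is ready
Content-Type: text/plain

Your statement is available.
"""


def domain_of(addr) -> str:
    """Return the lowercased domain part of an address header value.

    parseaddr() strips display names and angle brackets, so
    '"Customer Service" <alerts@bank.example.com>' and
    '<bounce@mail-blast.example.net>' both reduce to a bare address first.
    """
    _, address = parseaddr(str(addr or ""))
    return address.rpartition("@")[2].lower()


def spf_mailfrom_domain(auth_results) -> Optional[str]:
    """Extract smtp.mailfrom=<domain> from an Authentication-Results header.

    Only the smtp.mailfrom property is read; a missing header yields None so
    the caller can treat 'no SPF evaluation' separately from a mismatch.
    """
    if not auth_results:
        return None
    for token in str(auth_results).replace(";", " ").split():
        if token.lower().startswith("smtp.mailfrom="):
            return token.split("=", 1)[1].lower()
    return None


def check_from_alignment(raw: bytes) -> dict:
    """Compare the visible From: domain with the envelope and SPF domains.

    'aligned' is True only when the From: domain equals the Return-Path
    domain and, if SPF was evaluated, the domain SPF checked. This mirrors
    the strict SPF alignment idea from DMARC, stated here in the simplest
    form; it does not replace a full DMARC evaluation.

    Caveat: Authentication-Results is only trustworthy if the receiving MX
    strips any copy of that header arriving from the outside before adding
    its own. Otherwise an attacker can forge that header too.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    header_from = domain_of(msg["From"])
    envelope_from = domain_of(msg["Return-Path"])
    spf_domain = spf_mailfrom_domain(msg["Authentication-Results"])

    aligned = header_from == envelope_from and spf_domain in (None, header_from)
    return {
        "header_from": header_from,
        "envelope_from": envelope_from,
        "spf_domain": spf_domain,
        "aligned": aligned,
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_RAW), ("legit", LEGIT_RAW)):
        print(label, check_from_alignment(raw))
```

Run it as a script and the constructed spoofed message reports header_from bank.example.com against envelope_from mail-blast.example.net, so aligned is False, while the bank's own message aligns. In practice the same comparison is what a DMARC policy asks receivers to enforce; the point of the example is that the From: line on its own proves nothing.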
