×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Network Hacking

timothy posted more than 11 years ago | from the prepare-for-cranky-anecdotes dept.

Security 175

Wrighter the Pessimist writes: "In this article on Yahoo, they report that computer hacking has become easier, partially because of devices that have built-in computers, like printers and playstations. However, it also lists a number of 'ordinary' (obsolete?) methods of 'hacking' - such as gaining physical access to a corporate computer, and social engineering. It would be interesting to see a study done on this, to see how many attacks are actually carried out from such devices." The article touches on the Dreamcast Attack mentioned the other day, but also some slightly less bulky approaches. Be on the lookout for dark-clad intruders slipping CD-Rs into machines at your workplace ...

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

175 comments

FP (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4008640)

FP?

Re:FP (-1)

neal n bob (531011) | more than 11 years ago | (#4008651)

This worthless fp was posted by CLOT, claimed by CLIT.

Sorry (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4008891)

but the CLIT is no more.
The CUNT had been circumcized according to fundamentalist islamic traditions.
So the CLIT is gone for ever.

text of the article, to save you clicking (-1, Redundant)

Anonymous Coward | more than 11 years ago | (#4008745)

Experts Say Computer Hacking Becoming Easier
Fri Aug 2, 8:36 PM ET

By Elinor Mills Abreu

LAS VEGAS (Reuters) - Computer vandals toting nothing more than a Sega game device, handheld computer, or even a compact disc can slip into offices and launch "phone home" attacks via remote computers under their control, speakers at a U.S. hackers convention said on Friday.

Lonely office printers aren't any safer, and can be hacked into through an Interment connection via a corporate network, one speaker said as the annual Defcon conference of computer security enthusiasts and mischievous network tinkerers.

The defcon attendees explained how any device running microsofts infamous range of Windows window operating systems were at risk, due partly to the poor coding practises employed by microsoft programmers. The superior "UNIX" and its variants, including NetBSD, Linux and many more were nearly always invulnerable to attacks of this nature.

More than 5,000 people are expected for the three-day meeting, which started on Friday and is held in an out-of-the-way Las Vegas hotel at the edge of the Nevada desert. The decade-old event has become the biggest annual gathering of the computer counterculture.

Basically, any device that sits on a network running windows "is capable of running malicious code, and can be made to do attacks and can do anything you want them to do," said Chris Davis, a security consultant at RedSiren, a computer security firm in Reston, Virginia.

"The idea is any computer running a microsoft os can pose a potential threat, we must encourage users and business to upgrade to Free software, Linux is a fine example." he said.

"More and more things are embedded in computers. We could put the same code on a TiVo (a subsidiary of microsoft's MSN) if we wanted to," Aaron Higbee, a security consultant at Foundstone of Mission Viejo, California. TiVo allows people to record TV programs while away or while watching other programs at the same time.

Firewalls -- the computer security barriers that organizations depend on to defend against outside intrusions -- are worthless against such attacks, Higbee said. While they are configured to block suspicious traffic from getting into the network, they also permit any type of traffic to get out, he explains, "of course, if these machines were running unix variants we would all be safe, but the harsh reality is 92% of them are running some form of Windows...this isnt good enough"

To create a tunnel to a remote computer, an attacker must first get physical access to devices or network connections in the building, unless its running a default install of Windows.

FIVE MINUTES TO CREATE HAVOC

Sometimes they can rely on unsuspecting souls inside the company to do their dirty work for them by sending them an innocent-looking compact disc that contains tunneling software. of course, these cd's invariably rely on the fact that they are going to be run on a microsoft machine, all non-microsoft machines would be safe.

A disc containing a special program to activate itself can find the network and reach the Internet on its own, creating the opening for a hacker to wreak havoc inside the company's network, Davis said.

Another method of unlocking the network door and opening the tunnel is for the hacker to gain physical access to an office building and plug simple devices onto the network.

"Five minutes on the inside is all you need," said Davis, who does penetration testing for companies to see how easy it is to compromise their windows systems.

The speakers demonstrated for the crowd how an attacker can slip a tunneling CD into a CD-ROM drive, a Sega Dreamcast ( news - web sites) gaming console, or a Compaq iPaq, and connect to the network.

Once a connection is established, devices such as the Sega game player can analyze the network for routes data can travel to the Internet and establish a secret tunnel to an outside computer controlled by the hacker.

Stop worrying so much about viruses in windows computers. It's midnight, and do you know what your networked office printer is up to? if its running embedded windows - start panicing.

With printers, attackers don't even have to enter the building, said Dennis Mattison, a computer scientist at Science Applications International Corp., a top military contractor in the communications research arena based in San Diego.

Printers are increasingly becoming more complex, with more sophisticated software and functions, making them easy and unsuspecting targets, he said.

Still, there is little evidence such attacks have become widespread the experts said. But with more and more devices every day being connected to computer networks, the exposure to such threats makes such attacks inevitable one day.

"These are not theoretical attacks," he said. "There are many known attacks out there against these windows machines. All businesses should be re-evaluating why they arent running a unix variant."

MOD PARENT UP +5 FUNNY!!! (0)

Anonymous Coward | more than 11 years ago | (#4009016)

let me invite you (-1)

neal n bob (531011) | more than 11 years ago | (#4008644)

to eat my ass.

I love this site for so many reasons - all the fruity hippies, the idiotic posts, the informative stories, all listed with the highest editorial quality.

Dark clad? (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4008649)

That's an easy tip-off. Best way to blend in is to... BLEND IN. These aren't Ninjas in the shadows.

175. (0)

Anonymous Coward | more than 11 years ago | (#4008650)

The number of outraged responses saying it is cracking, not hacking.

Obsolete? (5, Informative)

BurritoWarrior (90481) | more than 11 years ago | (#4008657)

They day social engineering is obsolete is the day there are no more humans and computers rule the world.

As long as there are people, social engineering will work wonderfully.

Re:Obsolete? (2, Insightful)

Cyno01 (573917) | more than 11 years ago | (#4008777)

you cant social engineer a voice mail system, to truly social engineer you have to get a live person, which is becoming harder and harder to do over the fone these days

Re:Obsolete? (1)

liquidflare (463694) | more than 11 years ago | (#4008789)

That's not completly true, people know a lot more about computers now then they did in the early 90s. Social enginnering isn't as easy as it use to be, and may in some instances be impossible.

quit it. go outside. (-1)

SweetAndSourJesus (555410) | more than 11 years ago | (#4008796)

Quit reading slashdot. It's saturday. Ever wonder why the ladies aren't exactly flocking to you? It's because you're the kind of guy that posts to slashdot on saturday.

Why not hop up off your fat, sweaty ass and see what's going on outdoors? Go to a bar or something. Meet women. Live a little, you fucking loser.

Re:quit it. go outside. (2)

zenyu (248067) | more than 11 years ago | (#4008890)

Go to a bar or something. Meet women.

Hey! I'm in a bar waiting for a woman to show up.

The guy a couple seats down is trying to hack me, so it's kinda fun.

I think NY is getting geeky.

Re:quit it. go outside. (0, Flamebait)

zapfie (560589) | more than 11 years ago | (#4008950)

Quit reading slashdot. It's saturday. Ever wonder why the ladies aren't exactly flocking to you? It's because you're the kind of guy that posts to slashdot on saturday. Why not hop up off your fat, sweaty ass and see what's going on outdoors? Go to a bar or something. Meet women. Live a little, you fucking loser.

Re:quit it. go outside. (1)

arkane1234 (457605) | more than 11 years ago | (#4009301)

Hey now, that hits a little too close to home there.
I'm married, I have a reason to be on slashdot on saturday =)

Kimberly Clark to Purchase VA Software (-1, Troll)

Anonymous Coward | more than 11 years ago | (#4008662)


Wednesday 29th May 2002

REUTERS - NASDAQ traders revealed today that there has been a massive surge in the purchase of VA Software (LNUX) shares. The company, which has been in financial difficulty for some time, has had 57% of its shares purchased by the Kimberly-Clark Corporation (KMB).

Jonathan Mason, a spokesman for the Kimberly-Clark Corporation, confirmed the purchase to Reuters reporters earlier today. "We're very pleased with the acquisition of the VA stock. We now have a cheap alternative for acquiring raw materials for our products. VA shares are less than worthless, and we plan on using the share ceritifcates to make all of our toilet paper for the North American market."

Analysts predict that the use of the share certificates will enable KMB to greatly increase the output of bog roll for the financial year 2002/3. The remaining materials will be used to create bandages for hospital patients who have gangrenous infections.

Kimberly-Clark also has the option to take up the remaining 43% of VA Stock in December 2002. Inside sources reveal that if this is taken, the assets of the company will be removed and its staff made redundant. IT specialists at KMB tell us that they plan to reformat Slashdot servers as Microsoft .NET platforms, which will deliver a new proprietary application. The software will help tourism firms provide penguin hunting expeditions all year round by targetting large populations of the species.

(c) Reuters Corporation 2002

ReluctantBadger 2002

Re:Kimberly Clark to Purchase VA Software (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4008919)

That was beautiful. Except now my abs hurt from laughing.

~~~

Article slashdotted (-1, Troll)

Anonymous Coward | more than 11 years ago | (#4008670)

(Here's the text, posted AC to avoid k-whore)

Experts Say Computer Hacking Becoming Easier
Fri Aug 2, 8:36 PM ET

By Elinor Mills Abreu

LAS VEGAS (Reuters) - Computer vandals toting nothing more than a Sega game device, handheld computer, or even a compact disc can slip into offices and launch "phone home" attacks via remote computers under their control, speakers at a U.S. hackers convention said on Friday.

Lonely office printers aren't any safer, and can be hacked into through an Interment connection via a corporate network, one speaker said as the annual Defcon conference of computer security enthusiasts and mischievous network tinkerers.

More than 5,000 people are expected for the three-day meeting, which started on Friday and is held in an out-of-the-way Las Vegas hotel at the edge of the Nevada desert. The decade-old event has become the biggest annual gathering of the computer counterculture. Jason Conrad was quoted as saying "I can suck my own dick with no teeth."

Basically, any device that sits on a network "can run malicious code, can be made to do attacks and can do anything you want them to do," said Chris Davis, a security consultant at RedSiren, a computer security firm in Reston, Virginia.

"The idea is any computer can pose a potential threat," he said. Jason Conrad was quoted as saying "I can suck my own dick with no teeth."

"More and more things are embedded in computers. We could put the same code on a TiVo ( news - web sites) if we wanted to," Aaron Higbee, a security consultant at Foundstone of Mission Viejo, California. TiVo allows people to record TV programs while away or while watching other programs at the same time.

Firewalls -- the computer security barriers that organizations depend on to defend against outside intrusions -- are worthless against such attacks, Higbee said. While they are configured to block suspicious traffic from getting into the network, they also permit any type of traffic to get out, he said.

To create a tunnel to a remote computer, an attacker must first get physical access to devices or network connections in the building. Jason Conrad was quoted as saying "I can suck my own dick with no teeth."

FIVE MINUTES TO CREATE HAVOC

Sometimes they can rely on unsuspecting souls inside the company to do their dirty work for them by sending them an innocent-looking compact disc that contains tunneling software.

A disc containing a special program to activate itself can find the network and reach the Internet on its own, creating the opening for a hacker to wreak havoc inside the company's network, Davis said.

Another method of unlocking the network door and opening the tunnel is for the hacker to gain physical access to an office building and plug simple devices onto the network.

"Five minutes on the inside is all you need," said Davis, who does penetration testing for companies to see how easy it is to compromise their systems.

The speakers demonstrated for the crowd how an attacker can slip a tunneling CD into a CD-ROM drive, a Sega Dreamcast ( news - web sites) gaming console, or a Compaq iPaq, and connect to the network.

Once a connection is established, devices such as the Sega game player can analyze the network for routes data can travel to the Internet and establish a secret tunnel to an outside computer controlled by the hacker.

Stop worrying so much about viruses in desktop computers. It's midnight, and do you know what your networked office printer is up to? Jason Conrad was quoted as saying "I can suck my own dick with no teeth."

With printers, attackers don't even have to enter the building, said Dennis Mattison, a computer scientist at Science Applications International Corp., a top military contractor in the communications research arena based in San Diego.

Printers are increasingly becoming more complex, with more sophisticated software and functions, making them easy and unsuspecting targets, he said.

Still, there is little evidence such attacks have become widespread the experts said. But with more and more devices every day being connected to computer networks, the exposure to such threats makes such attacks inevitable one day.

"These are theoretical attacks," he said. "There are not many known attacks out there."

hmmm (4, Insightful)

kormoc (122955) | more than 11 years ago | (#4008672)

Puting a autorun cd into a drive that installs and puts itself into the startup folder would be very easy and very hard to stop. You could slip this into a dozen or more pcs over one lunch hour. You can't stop this from happening without the help of the people who work on the pcs.

Other avenues of attack . . . (3, Interesting)

SimplyCosmic (15296) | more than 11 years ago | (#4008726)

Why even bother with physical access? The number of people here at work who screw their machines up due to email viruses received through checking their Hotmail, Yahoo and AOL webmail accounts at work is frightening.

Those viruses and trojans slip neatly by all the elaborate MS Exchance server based virus scanners we have.

And since this is a non-technology sector corporation, they try to cut costs where ever they can, which means McAffee virus scan on the local computers, which has caused so many conflicts between the latest virus definitions and programs like Microsoft Word that most end users tend to turn automatic virus checking off without permission.

In the end, social engineering will never be "obsolete".

Re:Other avenues of attack . . . (1)

jaavaaguru (261551) | more than 11 years ago | (#4008850)

Yet another reason why people should be given real computers with proper e-mail software and web browsers. I highly doubt anyone is going to cause any such problems on the Sun Blade workstation on my desk at work with KMail and Konqueror. And before someone complains about it not being "standard" or not being "easy to use" by normal office people: Star Office and KDE.

Re:Other avenues of attack . . . (0, Offtopic)

B3ryllium (571199) | more than 11 years ago | (#4008857)

Linux : Windows :: Manual : Automatic Transmission
Linux : Windows :: Kit Car : Ford Focus

(And when I say Kit Car, I'm not referring to Knight Rider. I mean, a build-it-yourself car.)

Re:Other avenues of attack . . . (1)

idontneedanickname (570477) | more than 11 years ago | (#4008892)

"Why even bother with physical access? "

How true. It need not even be hotmail or some such. Just send in something that looks like a resumé that does the job.

Re:Other avenues of attack . . . (2)

BurritoWarrior (90481) | more than 11 years ago | (#4009012)

Block webmail sites at your firewall. This can be tedious to do manually, as there are many (and more each day), so try a product like Websense [websense.com] which allows you to block them and get updated "signatures" from the vendor to keep them blocked.

No, I don't work for them. Yes, we are a customer.

Re:hmmm (1)

vofka (572268) | more than 11 years ago | (#4008788)

You've never used System Policies, or an 'Approved Applications' listing then? Sure, neither is a panacea, but they would prevent stuff like that happening quite so easily.

Breaking a Network's security Restrictions can be made difficult, it's just not easy to put the proper restrictions in place on an M$ Product like 2K or XP.

Re:hmmm (1)

Com2Kid (142006) | more than 11 years ago | (#4008823)

'Approved Applications' listing then?

Which under Windows is an immensly fun system that checks to make sure the file name is the same.

Heh.

Amazing how many programs still work after being renamed to calc.exe :) (some do break though, ugh)

Re:hmmm (2)

danheskett (178529) | more than 11 years ago | (#4008887)

This is an intersting point. I've noticed funny behaviour about this.

When some compilers compile, they store the "original" name somewhere in the binary - MS compilers do this for sure.

This is what AD/GPO looks for. In some apps though, depenbding how it was built, their is no data with the original name in it. Windows then falls back on what the file is actually named.

Interestingly, this is one of the many things Palladium would improve (not to say overall Palladium is a good idea).

Re:hmmm (1)

Com2Kid (142006) | more than 11 years ago | (#4008912)


When some compilers compile, they store the "original" name somewhere in the binary - MS compilers do this for sure.


Of course there is always the most extreme case scenario of a person making a custom tool to break into your system, allowing them to compile it with whatever name they want to.

CRCs or such would help, but even those can be worked around, though with an immense amount of difficulty.

I remember an article on slashdot quite a while back about a mathematical proof showing that once physical access was gained to the machine, nothing could stop security from being broken down eventually. Though in the most extreme of cases it may take many years and many millions of dollars worth of equipment. ^_^

Re:hmmm (0)

Anonymous Coward | more than 11 years ago | (#4008818)

autorun CD? Just run your trojan off the Internet; it leaves less evidence.

Re:hmmm (1)

B3ryllium (571199) | more than 11 years ago | (#4008863)

Says who? I'm sure there would be dozens of pieces of evidence left on a typical intranet.

Firewall logs, histories, all sorts of junk.

Re:hmmm (1)

Biedermann (70142) | more than 11 years ago | (#4008923)

Puting a autorun cd into a drive that installs and puts itself into the startup folder would be very easy and very hard to stop

It's hard to stop someone putting that disc in, but it's very easy to disable autorun for data discs. (Music can still start automatically, if you want that) It can probably be done by the admin via a policy file, so no user needs to be trusted. No problem there.

Re:hmmm (1)

boomer_rehfield (579777) | more than 11 years ago | (#4009069)

I'm not sure autorun's going to kick in if the person's not logged on.... and if they are still logged on then the attacker can just run it himself or enable autorun (if he really is that lazy he could keep a script to to it for him when a machine doesn't autorun....)

Re:hmmm (1)

boomer_rehfield (579777) | more than 11 years ago | (#4009033)

You know, the last place I worked, they never ordered CDRoms for any of the machines. Strikes me as smart in a way now even if it was a royal pita then. Combine this with losing the floppy drive and you'd be doing very well I'd think. Less amount of viruses brought in from the outside as well.

Stealing Secrets 101 (5, Insightful)

MosesJones (55544) | more than 11 years ago | (#4008675)


If doing this for a living rather than being a sad muppet who thinks its "cool" (Snowboarding is cool, Skydiving is cool, hacking IIS is not cool).

1) Buy people, rival firm has a product you need to sabotage... well hire their best brains so it turns out shit... and you get the product as well.

2) Have a clipboard, 99% of companies and people in those companies will not query a suit with a clipboard. This gives you the ability to walk into any areas saying you are doing a "Time and motion" study for the new Quality Iniative. Or do an "assets" audit and take away servers for "verification" that aren't on the "official register".

3) Buy the people

4) Have someone join as a graduate, or even as a more senior person. Sure it violates their contract, but just pay them the cash.

5) Supply the network upgrade at low low prices via a subsiduary, then ensure they can be "remotely administered as part of the outsourcing and support deal".

6) Buy the people

7) Walk into PC support, ask for a backup of your server from date X put onto new server Y. Or even better just get the required files burnt onto CD. Sure you have to fake the paper work, but that isn't hard.

All of these will be more effective than hiring script kiddies.

WARNING: Do not try the above at a military base, unless you want to get shot, corporations will normally just have you prosecuted.

Re:Stealing Secrets 101 (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4008719)

grate u r very good at telling me how 2 get shot

slow down cowboy geez whatever i am very good at post!!!!

stealing underoos (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4008775)

oh moses, lordamercy we's a comin for yoo

Strangers accessing the network... (4, Interesting)

Pollux (102520) | more than 11 years ago | (#4008815)

2) Have a clipboard, 99% of companies and people in those companies will not query a suit with a clipboard. This gives you the ability to walk into any areas saying you are doing a "Time and motion" study for the new Quality Iniative. Or do an "assets" audit and take away servers for "verification" that aren't on the "official register".

At my local Walmart, the store's network backbone is located 20 feet from the door leading to the backstock room. There are no obtrusions (except for the occasional six-wheelers with merchandise), and the door's always open. Three-quarters of the time, there's no one in the room, and even if there is, it's typically a low-end manager (the high-end managers like to stick with their own offices) who don't know about how computers work. There's only a "regional" administrator...Walmart feels it's more efficient to let the machines work on their own and pay someone only when the machines don't work.

All you need to do is look young, wear kahki's and a polo shirt, and carry your "geek-bag-o-goodies", and no one will question you being there. As long as you look like you know what you're doing, no one will think otherwise. In fact, there was even one time where I walked in there completely unanounced just to use the telephone (I work for a vendor, not for Walmart). A manager saw me as he walked on by outside the room, and had no problems with me being in that room.

Now, realize that the computer network at Walmart controls everything...the lights, heating, TV / Radio / Announcement systems, the ATM network, evertything. Every Walmart has a satellite hookup to the mainframe (no idea where that is).

My point is that people are way to afraid that someone's going to get them by hacking into the computer, while no one's worried at all about someone walking in and getting them from the inside. There are some wide-open doors when it comes to internal network security (or lack-thereof), and it doesn't take a Hollywood actor to pull off a slip into the server room of almost any company.

And therefore... (0)

SlashdotTroll (581611) | more than 11 years ago | (#4008677)

I am a cracker because a hacker is defined in US and Federal laws to not be allowed around a computer.

I am a cracker because a hacker would be thrown in jail for modifying an XBox to have split-screen, dual game-playing processes at the same time, while a hacker would've been thrown in jail immediatly for such an offense.

I am a cracker because a hacker is who made the software insecure in the first place.

I am a cracker...ok just pass the grey poupon...ney nice insecure port 21 on slashdot.org, exploited...

what!!? (2, Funny)

Anonymous Coward | more than 11 years ago | (#4008681)

my PLAYSTATION has a built-in COMPUTER?

holy SHIT!

im taking it back to the shop before a fucking TERRORIST hacks into it

Linksys Vulnerabilities? (1, Interesting)

Anonymous Coward | more than 11 years ago | (#4008685)


Serious question [I thought about submitting to Ask Slashdot, but this thread should be just as good]: We've been using a LOT of Linksys devices (NAT routers, wireless access points, etc.). Does anyone have any info [preferably with URLs] about Linksys security vulnerabilities? Thanks.

Re:Linksys Vulnerabilities? (1, Funny)

Anonymous Coward | more than 11 years ago | (#4008722)

Wow. I use a lot of Linksys devices, Want to give me your ip addy and a list of security valnerabilities so I can see if I have any of them? :)

The article's a bit late (5, Funny)

bsharitt (580506) | more than 11 years ago | (#4008686)

I wish I would have know you could have used a Dreamcast, CD, or iPAQ to get access to a network. They caught me when when I tried to sneak my main frame in.

Re:The article's a bit late (0)

Anonymous Coward | more than 11 years ago | (#4008725)

You also forgot to wear a black eye mask like a true burglar do.

-- MMMMMMMMMMMMMMMMMMMM

news? (-1, Troll)

Anonymous Coward | more than 11 years ago | (#4008689)

This sounds more like aiding and abetting criminals to me. Hacking is a crime and you shouldn't be discussing it or comitting felonies by telling others how to do it. The DMCA was created for this purpose and it is law and you must obey it or else be sentenced to prison.

News? No, this is article is not news, it's *CRIMINAL*. Folks, knock off this 'rebellion' and obey and support the law. In this time of our great free nation's grave threat from terrorists we need to learn to obey and support the law and not go against it by advocating piracy, hacking, the second amendment, opposing drug laws, and violating the DMCA. Grow up. Non-terroristic Americans always obey and support the law 100%.

Re:news? (2, Troll)

Kierthos (225954) | more than 11 years ago | (#4008764)

Um, no. Hacking is not a crime. Cracking is a crime. The term 'hacking' has been misused by government "experts", reporters who can't learn the difference, and idiots since damn near the dawn of the age of the Internet. I put you in the last category.

Kierthos

Re:news? (1)

nomadic (141991) | more than 11 years ago | (#4008833)

Society as a whole sets the usage. If everyone calls cracking hacking, then the correct word is hacking.

Re:news? (1)

Kierthos (225954) | more than 11 years ago | (#4008842)

The problem is, society as a whole did not set the usage. There are still quite a lot of people who know the difference between a hacker and a cracker. The news media and the government sound-bites have tried to set the usage, but that doesn't stop people from trying to correct them.

Kierthos

Re:news? (2, Insightful)

fr2ty (557571) | more than 11 years ago | (#4009198)

If There are still quite a lot of people who know the difference between a hacker and a cracker, then let us not talk as if we didn't. It's crackers or malicious hackers, plain and easy.

Some people avoid to call some contemporary music "Rhythm and Blues", because there was a different style of that name before.
I avoid to call malicious hackers just hackers, because hacking is fun, a healthy sport for both yourself and the society you live in.

If you think I am wrong, search the web for the Jargon File. It points to some good reading about the history of the term.
--

Re:news? (-1, Offtopic)

jedie (546466) | more than 11 years ago | (#4008864)

"Yeah, my 'ole man who works in a nucular plant sez so too."

That's a correct sentence, right?

Re:news? (1)

RyuuzakiTetsuya (195424) | more than 11 years ago | (#4008781)

I hope i read you right.

Knowing where bugs and vulnerabilities exist and publishing them to the general public as to what's going on with a particular IT vendor is aiding and abedding criminal activity?

Shouldn't it be creating software/hardware with bugs and vulernabilities be illegal?

Re:news? (2, Insightful)

Kierthos (225954) | more than 11 years ago | (#4008825)

Personally, I'd say that if a programmer knowingly and willingly created/promulgated bugs and vulnerabilities, there should be some sort of legal response to that. If it's a bug/vulnerability that was not obvious or possible to be noticed until distribution, that should not carry anywhere near the amount of action against the programmer. (They should still fix it, mind you.)

Likewise, someone who publishes bugs and vulnerabilities with no actual interest in seeing those fixed should be hammered as well. I mean, if it's a cracker or a script kiddie who is publishing vulnerabilities so that other crackers and script kiddies can exploit them, well, that's just as bad as not fixing the vulnerability. If it's someone publishing them with the intended purpose of having them fixed, again, different circumstances.

Kierthos

Re:news? (1)

ericman31 (596268) | more than 11 years ago | (#4008782)

Non-terroristic Americans always obey and support the law 100%.

Civil disobedience is often necessary. Or do you think that Martin Luther King, Jr. and all the other people in the Civil Rights movement during the last half of the past century are terrorists? When a law is wrong you have to speak up and say so. When speaking up gets you in trouble with the law, then civil disobedience and protest is the next avenue. If that doesn't work, actual revolution may be needed.

This is embedded in our political tradition. If you don't think so, here's what the Declaration of Independence says:

When in the Course of human events, it becomes necessary for one people to dissolve the political bands which have connected them with another, and to assume among the powers of the earth, the separate and equal station to which the Laws of Nature and of Nature's God entitle them, a decent respect to the opinions of mankind requires that they should declare the causes which impel them to the separation.

In other words, if there is just cause it is okay to do things that the American Colonists did, the protests (Colonists went to England to plead the case with the King and Parliament), the civil disobedience (The Boston Tea Party), and finally to revolt, if need be.

When we see our civil liberties and privacy removed by our government and large corporations we have a civic responsibility to stop it, as do all like minded people.

Changing passwords often (1, Insightful)

Anonymous Coward | more than 11 years ago | (#4008694)

My place of work is so secure it changes ALL the passwords almost every 3 days. And just as you would expect, 1 in every 2 or 3 workstations has every single user/pass combo on a Post-It(tm) stuck right to the monitor.

Printer trojans (5, Interesting)

Restil (31903) | more than 11 years ago | (#4008704)

At first I took the notion with apprehension. But then I recalled, there was a time when we told people "You can't get a virus in a document file", "You can't get a virus from your email message" But even back in the day, you could cause extensive damage to your dos machine just by typing a text file with malicious ansi codes. Microsoft and others who have opted for the "feature rich" approach to dynamic documents have created more security problems than convienences.

Postscript is a pretty powerful programming language, and most printers today have it embedded. While I don't think it has TCP/IP capability yet, it wouldn't surprise me if someone doesn't find a stupid reason to implement at feature into the printer language, or even something that allows more low level control of the printer hardware could be used to gain access to the network. Remember people, it doesn't have to be easy. Virus/Trojan writers pride themselves on invading the bold new frontier. Don't get complacent.

As more appliances get network connectivity and more flexible embedded processors and operating systems, they'll all be subject to the same concerns. I'm already addressing some of these issues with my simple home automation projects. The computer I use to control things is isolated from the rest of the network other than the single open port for commands. Despite the security I might have implemented on my network, I can't assume that the network is always safe. And while right now I only have lamps and sprinklers on this system, when more complex (and potentially dangerous) appliances get added, a comprised system becomes a serious liability.

-Restil

Re:Printer trojans (1)

Scooter (8281) | more than 11 years ago | (#4008794)

I see your point - and just to add some other examples - most larger printers have some form of web server in them too, plus telnet and ftp in the case of a Xerox DC for example. I've not done any digging on whats actually running in those things, but I'd be willing to bet it's a general purpose OS and that there are other capabilities lurking in there..

Re:Printer trojans (2)

CoolVibe (11466) | more than 11 years ago | (#4008819)

But even back in the day, you could cause extensive damage to your dos machine just by typing a text file with malicious ansi codes.

for those that can't remember the venerable ANSI.SYS: you could remap keys to do something completely different. i.e. map the enter key to do 'echo y | deltree c:\*.*', or the obvious format c: equivalent.

I used ANSI.SYS for my ueber kewl customized prompts of course :)

Re:Printer trojans (1)

bugg (65930) | more than 11 years ago | (#4009238)

I don't see how creating new filesystem is equivilent to deleting all of the files in it. They're really not the same.

Security History 101 (1)

xxxJonBoyxxx (565205) | more than 11 years ago | (#4008707)

...hmmm...based on my experience I'd have to say network hacking reached its "easiest" level right after the year 2000 turned over. There were just so many holes in the software, so packages to choose from, so many unprotected systems, etc. As people have gained wisdom (still without the +1 modifier) about security, I'd have to say systems have been getting steadily harder to hack. (This will probably change if .NET gets widely accepted however.) Of course, this article relies heavily on physical security risks, but I think orgs have greatly tightened these up too since 9/11.

Re:Security History 101 (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#4009172)

Hisstory lesson for you....

No mac in history has ever been hacked into ever over the internet running MacOS8.x or 9.x

Latest is 9.2.2.

All unhackable.... at least according to BugTraq and WWW consortium.

Dark-clad intruders? (4, Funny)

CoolVibe (11466) | more than 11 years ago | (#4008708)

Be on the lookout for dark-clad intruders slipping CD-Rs into machines at your workplace ...

You mean outsourced sysadmins? Yeah them's a nasty lot.

;-)

Dark clothes (3, Funny)

Anonymous Coward | more than 11 years ago | (#4008721)

Yeah it sucks. Every time I want to jaywalk or speed a little in the car, I have to put on my robber mask and black cape.

Who started this crap anyway? All bad guys must wear stereotypical clothing?

Re:Dark clothes (2)

Anonymous DWord (466154) | more than 11 years ago | (#4008840)

Good point though. Live social engineering is so much easier if you're wearing a suit. People really are affected if you dress the part. What's even better (if you're looking to get into restricted elevators, say), is wear a tux, and look frantically around for the "wedding" you're missing. Somebody with a key will be glad to help you out.

hard access? Hmm... (1)

dacarr (562277) | more than 11 years ago | (#4008738)

Just think, all those computers on the corporate networks out there, and I without an install CD for the setiathome client.

Social Hacking (1)

Hott of the World (537284) | more than 11 years ago | (#4008761)

Me and about ten close college buddies are thinking about hacking thermostats with wireless connectivity and connecting them directly into target servers. The hard part is sneaking them into the server rooms without getting noticed. I figure a problem with the printer or air-conditioning would be easy enough to cause, but it's risky.
Any Ideas?

Re:Social Hacking (0)

Anonymous Coward | more than 11 years ago | (#4008797)

I suggest you gain some social skills first. A good start is to go outside and meet "normal" people, or dating girls. Hope this help!

-- MMMMMMMMMMMMMMMMMMMM

Re:Social Hacking (1)

Com2Kid (142006) | more than 11 years ago | (#4008838)


I suggest you gain some social skills first. A good start is to go outside and meet "normal" people, or dating girls. Hope this help!


Then he would not blend into the server room, duh.

Just another Nerd, not out of place, but a normal person in a server room? Woooh now, hoooold on!

Re:Social Hacking (0)

Anonymous Coward | more than 11 years ago | (#4008876)

Pot: Hey, Kettle!
Kettle: What, POT?
Pot: YOU'RE BLACK!
Kettle: Thanks POT! :)

Gee, hacking is dangerous (1, Troll)

epseps (39675) | more than 11 years ago | (#4008780)

Better give security guys more cash.

All these "what if" scenarios and "theoretical" hacks, and very little in the way of real world demonstration.

Now Printers are vulnerable....but I didn't see or read about any demonstrations that showed how to determine what printer was on a network, how to get into that network and how to "own" a printer, and what could be done after the printer was compromised. Did anyone do an nmap -sS -O on an IP of a Lexmark 1200 to see what processor and OS came up?....doubtful. Anyone demonstrate how to connect and get a banner and prompt with netcat? (if they did, what would they do, print with only magenta or screw around with the queue?)

I'd worry more about the fact that they got on the network in the firt place than the fact that they could take over the printer.

And the CDROM attack...A Hacker could mail a CDROM and get it to install on a PC because some luser is curious? Yah, I suppose. Or the sysadmin could make accounts in NT and W2k that doesn't allow programs to be installed...hell, they don't even have to allow CDROM access.

Maybe they should testify before congress and claim that they can bring down the internet in 30 minutes from a HP Plotter, or that Osama Bin Laden will now mail CD's promising free "Click Art" to unsuspecting secretaries around the US with a thing for "Precious Moments" themes. Because Congress will shovel any amount of money to greedy bastards wearing a propeller beanie, and talking about things they know nothing about.

Ironic that these guys often start out by breaking into places, then demanding alot of money to protect the world from people like them, and then advocating jail time for future business competitors down the road.

That's a 1337 hack (3, Funny)

Rolo Tomasi (538414) | more than 11 years ago | (#4008783)

The speakers demonstrated for the crowd how an attacker can slip a tunneling CD into a [...] Compaq iPaq, and connect to the network.

I'd really like to see that ... I'm curious as to what kind of axe is used.

"With printers, attackers dont even have to enter" (0)

Anonymous Coward | more than 11 years ago | (#4008808)

Any idea what he's talking about here? I can imagine that sending dozens of 100% black pages to a public fax number could grind down the machine - but a printer? If it's networked and subject to the same IP filtering as everything else, I don't see the big deal.

On an unrelated note there was a TV segment here a few nights ago showing a neat trick with those Logitech wireless keyboards. They all use the same frequency, and people type their passwords with them. Use your imagination.

Re:"With printers, attackers dont even have to ent (0)

Anonymous Coward | more than 11 years ago | (#4008843)

Ironically I have no more imagination left due to watching too much TV.

-- MMMMMMMMMMMMMMMMMMMM

Re:"With printers, attackers dont even have to ent (1)

Com2Kid (142006) | more than 11 years ago | (#4008846)

  • On an unrelated note there was a TV segment here a few nights ago showing a neat trick with those Logitech wireless keyboards. They all use the same frequency, and people type their passwords with them. Use your imagination.
My computer room has so much EM noise that a POTS modem connection cannot even be established from here. The /wired/ phone lines have heavily audiable noise over them at times.

My radio signals aren't going anywheres. :)

Not panicing... (2, Funny)

Captain Kirk (148843) | more than 11 years ago | (#4008834)

Where I work, if someone showed up with a Dreamcast and plugged it into our network, the poor sap would be fired before you can say "choo choo rockets".

Now I had thought that was a reflection of the mean streak in management.

Now I learn that its a security precaution. That's alright then.

Patrick

famous quotes (1, Funny)

Anonymous Coward | more than 11 years ago | (#4008837)

640k is all you will need.

There's a market for 3, maybe 4, computers in the world.

DMCA will foster innovation.

Social engineering is obsolete.

Uh oh, possible future FUD avenue... (1, Interesting)

Anonymous Coward | more than 11 years ago | (#4008847)

So, you can burn a bootable CD, feed it to a machine for a few seconds, then walk away and have it become your zombie slave.

How long until our favorite company (ahem) uses this to spin some tale about how the "signed OS" BIOS replacement is the right way to go? "Get this, and you don't have to worry about rogue hax0rs".

Unfortunately it also lets them tighten their grip like with the DRM stuff that keeps coming up. Blah.

Social engineering? (1)

Critical_ (25211) | more than 11 years ago | (#4008867)

I find it so funny that in this day and age, getting a password is so easy. I've had friends posing as campus computer specialists get passwords into the most "holy grail" of computer systems. I can't get into much detail here but what people don't understand is that your password is more than your house key. It has your life behind it. Especially when these days people use online stock trading, medical record databases, personal e-mail, financial accounts, bills, etc. I routinely have to go to my parents house to make sure that they aren't saving passwords on their home computer to extremely sensitive sites. I have to make sure there system's drives are encrypted for that just-in-case scenerio. People I guess just don't understand.

As for these small devices that people use to "hack", I largely doubt there is much to worry about.

Re:Social engineering? (2)

t_allardyce (48447) | more than 11 years ago | (#4008904)

+1

and whats even worse is when they use the same password for lots of accounts. Just one accident with a keystroke recorder or social engineer and they've given someone else access to everything.

Re:Social engineering? (0)

Anonymous Coward | more than 11 years ago | (#4009119)

It works because so many organizations do it. I work for my former college's desktop support department, and I regualarly call users for passwords (Novell and NT) when setting up or redoing computers. I almost never have a problem getting them, and I regularly have people volunteering email and mainframe passwords as well. Not to metntion that when we can't get a password, we regularly reset it to the name of the school... I would estimate that probably 1/3 of our computers have the name of the school as the password.

uneducated users (4, Interesting)

Snowbeam (96416) | more than 11 years ago | (#4008880)

Till this day, I have users who call and are handing over their username and password without me saying anything more than "Hello!".

There are users I call who hand over the same information without any thought. Most of the time, I am there busy telling users to please not give me that information. The comparison of the username/password being like an ATM card and pin just doesn't work.

Our abuse department (yes we have one) has a two strikes and you're out policy. That is to say, if anything happens from your account the first time, you are given a warning and forced to read the entire IT policy. The second time, you account is deactivated in effect terminating your employment/affiliation with the university. You pretty much need your account for everything.

This issue has been spoken about for years and things rarely improve, but I still believe educating users is the best way to eventually solve the problems here.

What is the point of the news story? (2)

MadFarmAnimalz (460972) | more than 11 years ago | (#4008895)

Hmm.

You can get unauthorized access to a network easily by gaining physical access first.

As computers proliferate and approach ubiquity, security becomes a larger issue.

These are the central themes I identified. This is not news. It is hardly even analysis.

Actually, it struck me more as a kind of public service announcement designed to raise levels of awareness.

Social Engineering is still the biggest threat (2, Informative)

rfreynol (169522) | more than 11 years ago | (#4008911)

I mean it. I'm a consultant and its surprising how much I can get a sys admin to do for me over the phone, from across the country.

Recent example - we were converting 17 years of production data from a mainframe into a the replacement system. With the volume, we needed an uninterrupted 40 hour window, but the client performed a cold backup of the database nightly.

The process in place says we call the production DBA's (who know us, and are employees, not contractors like us) and they pass official word to the operators in the datacenter.

Well, after 9 hours of loading, the database goes down at 5:00am. We call the prod dba's, and the on-call guy doesn't answer. So I call the ops center. The story I get is that a contractor on another project requested a backup of some critial files stored on the db box. He did this directly with the operator at 11:00 the night before, and the operator didn't even remember his name.

If a simple phone call to ops is all it takes to take the system down, why bother with the standard exploits?

Password Rememberers/Managers etc. (0, Troll)

t_allardyce (48447) | more than 11 years ago | (#4008922)

I always thought it was ironic that the dumbest users (no offence) had to use a password-managing program to keep track of all their passwords. What they don't realise is that all (closed source) password-managing programs send the user's passwords back to the programs author. Either through a direct connection to some computer, or by emailing them to a hotmail account :) lol. These are the same kind of people that use Microsoft Outlook, or have no firewalls setup to block that kind of thing.. making it all the easier.

Re:Password Rememberers/Managers etc. (1)

kst (168867) | more than 11 years ago | (#4008954)

I always thought it was ironic that the dumbest users (no offence) had to use a password-managing program to keep track of all their passwords. What they don't realise is that all (closed source) password-managing programs send the user's passwords back to the programs author. Either through a direct connection to some computer, or by emailing them to a hotmail account :) lol.

Do you have some evidence of this, or is it just a joke? Since you said all closed source password-managing programs do this, I presume you have a great deal of evidence.

I can just see (3, Funny)

Herkum01 (592704) | more than 11 years ago | (#4008943)

Spammers going after a network printer...

loop (1..1000)
line.font = bold;
line.size = 18pt;
line.output = "Need more toner? Call us at ###-####"
line.pagebreak
endloop()

Bear and the Dragon? (0)

Anonymous Coward | more than 11 years ago | (#4008945)

A bit offtopic, so i guess i should post anon, just incase. Shame. Oh well. :( Has anyone read this book? I would guess so. Sounds a lot like the cd put in the Chinawomen's computer...... Very stealthy, and effective....

When *was* it hard? (1)

krich (161944) | more than 11 years ago | (#4008946)

I've never known a time period when "hacking" was particularly difficult, especially if one wasn't targeting a specific machine or network. The sad truth that has always been, and shows little evidence of changing anytime soon is... most people don't plug obvious, well-known, long-discovered vulnerabilities. Most "hacking" could be cleared up overnight by simply applying the knowledge and fixes that are readily available.

Microsoft ads (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4008953)

Hahaha there was just an ad on this shithole for Microsoft Visual Studio .NET!

Cant hack into a Mac OS! NEVER done once (BugTraq) (1, Interesting)

Anonymous Coward | more than 11 years ago | (#4009006)

The MacOS running WebStar and other webservers as has never been exploited or defaced.

I know some indication of that particular news piece is regarding cheap local machine packet grabbing, not WAN exploits, but the fact is still the same, no Mac OS 8x or 9x have EVER once been rooted.

In fact in the entire securityfocus (bugtraq) database history there has never been a Mac exploited over the internet remotely.

That is why the US Army gave up on MS IIS and got a Mac for a web server.

I am not talking about BSD derived MacOS X (which already had a couple of exploits) I am talking about current Mac OS 9.x and earlier.

Why is is hack proof? These reasons :

1> No command shell. No shell means no way to hook or intercept the flow of control with many various shell oriented tricks found in Unix or NT

2> No Root user. All mac developers know their code is always running at root. Nothing is higher (except undocumented microkernel stufff where you pass Gary Davidians birthday into certain registers and make a special call). By always being root their is no false sense of security.

3> Pascal strings. ANSI C Strings are the number one way people exploit Linux and Wintel boxes. The mac avoids C strings historically in most of all of its OS. In fact even its roms originally used Pascal strings. As you know pascal strings are faster than C (because they have the length delimiter in the front and do not have to endlessly hunt for NULL), but the side effect is less buffer exploits. Individual 3rd party products may use C stings and bind to ANSI libraries, but many do not.

4>: Macs running Webstar have ability to only run CGI placed in correct directory location and correctly file "typed" (not file name extension).

5> Macs never run code ever merely based on how a file is named. ".exe" suffixes mean nothing. For example the file type is 4 characters of user-invisible attributes, along with many other invisible attributes, but these 4 bytes cannot be set by most tool oriented utilities that work with data files. For example file copy utilities preserve launchable file-types, but JPEG MPEG HTML TXT etc oriented tools are physically incapable by designof creating an executable file. The file type is not set to executable for hte hackers needs. In fact its even more secure than that. A mac cannot run a program unless it has TWO files. The second file is an invisible file associated with the data fork file and is called a resource fork. EVERY mac program has a resource fork file containing launch information. It needs to be present. Typically JPEG, HTML, MPEG, TXT, ZIP, C, etc are merely data files and lack resource fork files, and even if the y had them they would lack launch information. but the best part is that mac web programs and server tools do not create files with resource forks usually. TOTAL security.

4> Stack return address positioned in safer location than some intel osses. Buffer exploits take advantage of loser programmers lack of string length checking and clobber the return address to run thier exploit code instead. The Mac places return address infornt of where the buffer would overrun. Much safer.

7> There are less macs, though there are huge cash prizes for cracking into a MacOS based WebStar server. Less macs means less hacker interest, but there are millions of macs sold, and some of the most skilled programmers are well versed in systems level mac engineering and know of the cash prizes, so its a moot point, but perhaps macs are never kracked because there appear to be less of them. (many macs pretend they are unix and give false headers to requests to keep up the illusion, ftp http, finger, etc). But some huge high performance sites use load-balancing webstar

8> MacOS source not available traditionally, except within apple, similar to Microsoft source availability to its summer interns and engineers, source is rare to MacOS. This makes it hard to look for programming mistakes, but I feel the restricted source access is not the main reasons the MacOS has never been remotely broken into and exploited.

Sure a fool can install freeware and shareware server tools and unsecure 3rd party addon tools for e-commerce, but a mac (MacOS 9) running WebStar is the most secure web server possible and webstar offers many services as is.

One 3rd party tool created the only known exploit backdoor in mac history and that was back in 1995 and is not, nor was, a widely used tool. I do not even know its name. From 1995 to 2002 not one macintosh web server on the internet has been broken into or defaced EVER. Other than that event ages ago in 1995, no mac web server has ever been rooted,defaced,owned,scanned,exploited, etc.

I think its quite amusing that there are over 200 or 300 known vulenerabilities in RedHat over the years and not one MacOS 9.x or older remote exploit hack. There are even vulnerabilities a month ago in OpenBSD.

Not one exploit. And that includes Webstar and other web servers on the Mac.

--- too bad the linux community is so stubborn that they refuse to understand that the Mac has always been the most secure OS.

BugTraq concurs.

Re:Cant hack into a Mac OS! NEVER done once (BugTr (1)

optikron (594031) | more than 11 years ago | (#4009225)

hummm, not sure RedHat is the best exemple in linux security :-)
The big problem with RedHat is that by default, the box is HIGHLY unsecure. Lots of stuff running and possibly hackable.

And even if all you say is surely true, you are wrong, the most secure server is not a MAC.....It's simply the system that is managed by a good admin. I'm pretty sure 95% of the hacks were made possible because the admins didn't do their work( like updating the packages ).

Hacking? You mean vandalism? (2, Insightful)

kst (168867) | more than 11 years ago | (#4009028)

I would expect Slashdot, of all places, to avoid misusing the word "hacking".

Even if we were to give up the battle over the original meaning of the word (a concession I do not make), the meaning being propagated by the media seems deliberately designed to cause confusion. When the same word is used to refer to (a) exploring and/or modifying a system you own, (b) breaking or bypassing the security features of a system someone else owns, and (c) breaking into and vandalizing a system someone owns, it gives the impression that anyone who does any of these things is a criminal -- or, conversely, that anyone who vandalizes someone else's computer system is just having a little innocent fun.

If you want to talking about someone breaking into someone else's computer system, call it what it is -- trespassing. If you want to talking about someone deliberately modifying someone else's computer system without permission, call it what it is -- vandalism.

Sega at work. (1)

bryanp (160522) | more than 11 years ago | (#4009167)

Gee, I know not a day goes by that I don't walk through and see people plugging their Dreamcast into my network. Nope, nothing unusual about that. Carry on.

gaining physical access for DOS attacks (1)

xdrone (597762) | more than 11 years ago | (#4009226)

gaining physical access for DOS attacks:
this hi-tek method consists of unpluging a server or network cable.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...