• Choose a category
• All
• Classic-Fiction

A hybrid attack is the next level of attack a hacker attempts if the password can't be found using a dictionary attack. The hybrid attack starts with a dictionary file and substitutes numbers and symbols for characters in the password. For example, many users add the number 1 to the end of their password to meet strong password requirements. A hybrid attack is designed to find those types of anomalies in passwords.

The most time-consuming type of attack is a brute-force attack, which tries every possible combination of uppercase and lowercase letters, numbers, and symbols. A brute-force attack is the slowest of the three types of attacks because of the many possible combinations of characters in the password. However, brute force is effective; given enough time and processing power, all passwords can eventually be identified.

Nonelectronic Attacks

Nonelectronic-or nontechnical attacks-are attacks that do not employ any technical knowledge. This kind of attack can include social engineering, shoulder surfing, keyboard sniffing and dumpster diving.

Social engineering is the art of interacting with people either face to face or over the telephone and getting them to give out valuable information such as passwords. Social engineering relies on people's good nature and desire to help others. Many times, a help desk is the target of a social-engineering attack because their job is to help people-and recovering or resetting passwords is a common function of the help desk. The best defense against socialengineering attacks is security-awareness training for all employees and security procedures for resetting passwords.

Shoulder surfing involves looking over someone's shoulder as they type a password. This can be effective when the hacker is in close proximity to the user and the system. Special screens that make it difficult to see the computer screen from an angle can cut down on shoulder surfing. In addition, employee awareness and training can virtually eliminate this type of attack.

Dumpster diving hackers look through the trash for information such as passwords, which may be written down on a piece of paper. Again, security awareness training on shredding important documents can prevent a hacker from gathering passwords by dumpster diving.

Understanding Keyloggers and

Other Spyware Technologies

If all other attempts to gather passwords fail, then a keystroke logger is the tool of choice for hackers. Keystroke loggers (keyloggers) can be implemented either using hardware or software. Hardware keyloggers are small hardware devices that connect the keyboard to the PC and save every keystroke into a file or in the memory of the hardware device. In order to install a hardware keylogger, a hacker must have physical access to the system.

Software keyloggers are pieces of stealth software that sit between the keyboard hardware and the operating system, so that they can record every keystroke. Software keyloggers can be deployed on a system by Trojans or viruses.

Social engineering was covered in more detail in Chapter 2, "Footprinting and Social Engineering."

Using Trojans and viruses will be discussed in Chapter 5, "Trojans, Backdoors, Viruses, and Worms."

Hacking Tools

Spector is spyware that records everything a system does on the Internet, much like a surveillance camera. Spector automatically takes hundreds of snapshots every hour of whatever is on the computer screen and saves these snapshots in a hidden location on the system's hard drive. Spector can be detected and removed with Anti-spector.

eBlaster is Internet spy software that captures incoming and outgoing e-mails and immediately forwards them to another e-mail address. eBlaster can also capture both sides of an Instant Messenger conversation, perform keystroke logging, and record websites visited.

SpyAnywhere is a tool that allows you to view system activity and user actions, shut down/ restart, lock down/freeze, and even browse