
The Art of Deception_ Controlling the Human Element of Security - Kevin D. Mitnick [98]

and if the system administrator has configured the Windows operating system properly (disabling the use of LANMAN hashes), breaking a password can still take an excessive amount of time.

LINGO

BRUTE FORCE ATTACK A password detection strategy that tries every possible combination of alphanumeric characters and special symbols.

For that reason the attacker often downloads the hashes and runs the attack on his or another machine, rather than staying online on the target company’s network and risking detection.

For Ivan, the wait was not that long. Several hours later the program presented him with passwords for every one of the development team members. But these were the passwords for users on the ATM6 machine, and he already knew the game source code he was after was not on this server.

What now? He still had not been able to get a password for an account on the ATM5 machine. Using his hacker mindset, understanding the poor security habits of typical users, he figured one of the team members might have chosen the same password for both machines.

In fact, that’s exactly what he found. One of the team members was using the password “gamers” on both ATM5 and ATM6.

The door had swung wide open for Ivan to hunt around until he found the programs he was after. Once he located the source-code tree and gleefully downloaded it, he took one further step typical of system crackers: He changed the password of a dormant account that had administrator rights, just in case he wanted to get an updated version of the software at some time in the future.

Analyzing the Con

In this attack that called on both technical and people-based vulnerabilities, the attacker began with a pretext telephone call to obtain the location and host names of the development servers that held the proprietary information.

He then used a software utility to identify valid account user names for everyone who had an account on the development server. Next he ran two successive password attacks, including a dictionary attack, which searches for commonly used passwords by trying all of the words in an English dictionary, sometimes augmented by several word lists containing names, places, and items of special interest.

Because both commercial and public-domain hacking tools can be obtained by anyone for whatever purpose they have in mind, it’s all the more important that you be vigilant in protecting enterprise computer systems and your network infrastructure.

The magnitude of this threat cannot be overestimated. According to Computer World magazine, an analysis at New York-based Oppenheimer Funds led to a startling discovery. The firm’s Vice President of Network Security and Disaster Recovery ran a password attack against the employees of his firm using one of the standard software packages. The magazine reported that within three minutes he managed to crack the passwords of 800 employees.

MITNICK MESSAGE

In the terminology of the game Monopoly, if you use a dictionary word for your password—Go directly to Jail. Do not pass Go, do not collect $200. You have to teach your employees how to choose passwords that truly protect your assets.
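The dictionary attack described above succeeds because "gamers", "Dr4g0n!" and similar choices reduce to a wordlist entry once simple mangling rules (case folding, leet substitutions, trailing digits, reversal) are undone. The following policy check, an added example that is not from the book, rejects a proposed password when any such base form appears in a dictionary or in a list of terms of special interest; the wordlists and the 12-character minimum are constructed placeholders, and a real deployment would load full wordlists plus company-specific terms.

```python
import re

# Constructed miniature wordlists; a production check would load a full
# cracking dictionary and a list of names, places and company-specific terms.
DICTIONARY = {"gamers", "password", "welcome", "summer", "dragon", "secret"}
SPECIAL_INTEREST = {"oppenheimer", "monopoly"}

# Common leet substitutions that cracking tools undo (or apply) automatically.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})


def candidate_bases(password):
    """Return the base words a mangling-rule dictionary attack would recover
    from this password: lower-cased, stripped of leading/trailing digits and
    symbols, leet-decoded, and each of those reversed."""
    p = password.lower()
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", p)
    variants = {p, stripped, stripped.translate(LEET), p.translate(LEET)}
    variants |= {v[::-1] for v in variants}
    return {v for v in variants if v}


def check_password(password, dictionary=DICTIONARY,
                   special=SPECIAL_INTEREST, min_len=12):
    """Return (ok, reason). ok is False when the password reduces to a
    wordlist entry under simple mangling rules, or is below min_len."""
    for base in candidate_bases(password):
        if base in dictionary:
            return False, f"based on dictionary word '{base}'"
        if base in special:
            return False, f"based on a term of special interest '{base}'"
    if len(password) < min_len:
        return False, f"shorter than {min_len} characters"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["gamers", "G@mers2001", "Dr4g0n!", "sremag",
                      "Oppenheimer1", "blue-kettle-rides-north"]:
        print(candidate, "->", check_password(candidate))
```

A password that passes this filter can still be reused across hosts, as the team member in the story did, so the check belongs alongside a rule against reuse, not in place of one.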

PREVENTING THE CON

Social engineering attacks may become even more destructive when the attacker adds a technology element. Preventing this kind of attack typically involves taking steps on both human and technical levels.

Just Say No

In the first story of the chapter, the telephone company RCMAC clerk should not have removed the deny terminate status from the ten phone lines when no service order existed authorizing the change. It’s not enough for employees to know the security policies and procedures; employees must understand how important these policies are to the company in preventing damage.

Security policies should discourage deviation from procedure through a system of rewards and consequences. Naturally, the policies must be realistic, not calling on employees to carry out steps so burdensome that they are likely to be ignored. Also, a security awareness program needs to convince
