Wednesday 30 November 2011

Trouble In Paradise?

Impersonating a huge corporation, or inducing people to mail you their passwords under false pretenses, can get you into big trouble. The Post Office considers such activity postal fraud, even if you're just doing it for laughs. These ideas are provided to stimulate your imagination - not to encourage you to do anything illegal.
Before you go and do something stupid, you might want to read Chapter Fourteen.

When you social engineer there are many factors that inhibit the person you speak with from giving out security data. Consider, when you social engineer someone, that person
• may have been warned about security leaks
• may be knowledgeable about social engineering tactics
• can not verify your claimed identity
• might know you are not who you claim to be
• has no reason to assist you, and can give you wrong or misleading information
• can report your call to a security manager.

For all these reasons, a person you try to social engineer may not want to or may not be able to tell you passwords and other information that you request.

Considering the above list, would you divulge confidential information to someone asking you for it over the telephone?
That's the problem.
The solution?
See you in the next chapter!

Message From God

Dear User:
This is most embarrassing.
As the director of PinkyLink, America's largest on-line information service, I was shocked to discover that a theft of several backup tapes took place over the July 6th weekend.

Contained on one of those tapes was, among other things, the personal security data on a small percentage of our customers.

While your name was, luckily, not on that stolen tape, there is still some threat to you. As of now we are uncertain whether any users with programmer-level computer access were backed up on the stolen tape. Therefore, we request you fill out this application and mail it back immediately in the postage paid envelope provided.

Fill out the form and return it to us as soon as possible. Once received, we will update you to this new, secure ID.

Thank you for your cooperation, and to offset any trouble this may cause you, we will be subtracting 75% off your August bill.
Name:
Address:
Zip:
Day Phone: (___) ___-____
Night Phone: (___) ___-____
Old (Invalid) Password:
New (Updated) Password:

PinkyLink, America's Largest On-Line Information Service, guarantees that the above personal data will be inputted no later than September 1, 19--, (following verification), and will be kept confidential before and after such time.

Please keep a copy of this for your records.
Imagine Joe User gets this letter in the mail. It looks authentic, having the logo and letterhead of the service, and arriving in a metered, typed envelope. But will Joe believe that PinkyLink actually sent this to him?
The whole situation is preposterous! Any real life computer service with a password problem would require that all password updating occur on-line. It's simply the cheapest and easiest way to update hundreds or thousands of pieces of user information. Still, when Joe User looks at this letter, he will notice that he isn't in immediate danger as some other users of the system are; unlike those other poor losers who got their passwords stolen, Joe doesn't have to be concerned that he'll start getting huge bills in the mail from the criminal charging system usage to Joe's account.

And what about that 75% deal at the bottom? That makes Joe twice as likely to respond to the letter. Not only does he have a responsibility to himself to make his account secure again, he has a responsibility to the database: if they were nice enough to warn him of this and pay him for it, the least he can do is comply with them. And the return envelope is postage paid!

Of course, PinkyLink probably has an on-line way for users to change their password, but you don't have to mention that when you write a letter like this. Remember, the style is more important than the wording of the letter. Before you send out something like this, be sure to look at real examples of PinkyLink's correspondence, to get an idea of the kind of paper and printing used, sizes of fonts, coloring, etc.

You should expect high returns from this swindle, especially if the people you send the letters to are absolute rookies. Later we'll talk more about how monitoring BBS activity can pay off.

Request For Information

And now, back to some pure social engineering through the mails... Scan all the computer mags and journals furiously, even the bad ones, for warnings about product failures and security loopholes. Journalistic morality generally prevents dangerous secrets from making their way to the mass media, so the exact details of system security failings won't make it to print. You'll see things like, "Four hackers were caught yesterday, after exploiting a loophole in the V software on the W machine at X Military Base." Or you'll see things like, "Company Y has released a warning about its Component Z, which is supposed to keep unauthorized users from penetrating a system..." What you do is, go print yourself up some official looking stationery, mail a concerned letter to the folks at the company, and wait for their speedy reply. You can try the annoyed approach:
Dear Mr. Abel Jones:
It has come to my attention that there are serious shortcomings in your product, Component Z.
My business operates under the assumption that our data is secure because of Component Z.
Seeing as how we have been misled for six years, I expect either: details on the flaws which inhibit Component Z, or reimbursement for six years of twelve nonfunctioning Component Zs, the cost of which amounts to $14,000. I expect a quick reply.
Or the "Let's work together to make this world a better place to live in," approach:

Dear Mr. Abel Jones:
I was dismayed to read in Friday's edition of Computer Magazine that your Component Z is defective.
My business uses twelve of these devices, and I would regret very much if we experienced a data loss due to their not working.
Please send an explanation of the problem in the enclosed envelope, so that my technicians may remedy the problem as soon as possible.

Thank you for your help.

Sincerely,

I'm divided as to whether or not you should mention specific threats in your letter to the company or organization. On one hand, you don't want them to suspect your letter is phony. But on the other hand, they're going to be receiving many letters similar to yours, most of which are legitimate. You shouldn't have any problem as long as you type the letter on good quality paper, with either a real or imagined letterhead on top. For added effect, type the address on the envelope, and instead of stamping it, run it through a postage meter. You may also slip in a business card of your own design; they are cheap to obtain.

If the company refuses to help you without proof of purchase, well then, you're on your own. You can always try to social engineer the company technicians into revealing the security flaws. There are also plenty of computer security associations, organizations and other groups which will have the particulars of the loophole. You might also make an attempt to get the juicy details by calling the publication in which you read about the security failing. Try to speak to the person who reported the story. People at magazines and newspapers are surprisingly easy to reach on the phone, but getting them to talk is a different matter!

Written Engineering

Social engineering may be done through the mail or through other forms of written contact with users of a system. For example, the survey method can be altered such that the human element is eliminated. If you don't want to wait around in a lobby all day, just leave out stacks of the forms with either a drop-box or an address to mail them to. Expect minimal response.

Other written ruses take the form of advertisements. Put up a notice in a computer room, saying that paid volunteers are needed for a special project. "Become a System Manager! Great Experience!" Have interested folks mail you a post card with their name, address, desired password, and possibly the machines they currently have access to on the net. While making the ads you'll say to yourself, "Sheesh! This is so obvious!" But you won't believe how many people fall for it. Have them address the postcards to something like "X University, Computer Science Department, Roger Hamm's Office" followed by your address. If your address is thirty miles away from the university, forget about it.

Two Manhattan hackers tried this stunt. They noticed there was a blank space at the bottom of a particular magazine advertisement for one of the popular pay-for-play information systems. They went to local area libraries and borrowed all the magazines they could find that had this ad in it. Using a "sideways printing" utility, they fed the pages into their printer, which printed out, "Manhattan Area Residents, Call [phone number] For Free Six Month Membership." Then they returned the magazines to the library.

When people called them up, they would begin by playing a corny recorded message: "Welcome to X-Net's Free Six Month Membership Program! Listen to all these great things you can do with X-Net ... !" When that was done, one of the hackers would come on and ask the caller a few questions: "Where did you hear about this program?" "Have you ever subscribed to X-Net in the past?" "What other fee-based bulletin boards, or other computer networks do you belong to?" "When you call up X-Net, what would you like your sign-in name to be?" "And your secret password?" "Are you sure you're going to remember that password? Perhaps you'd like to choose something else?"

In this way, they ended up with a dozen names, computers they visited, and one or two passwords to try out. You won't get as big a response if you don't live in a big city, but it's worth a shot. Advertising can also be done by slipping a printed card into the magazine, or by advertising on BBSs.

A similar ruse is to advertise your phone number as a local call switcher, especially in places where there isn't already a Telenet or Tymnet link. When users log on they will see what appears to be the usual opening screen, but is in reality a simulation which you programmed. From hacking, you should be familiar with which networks have which addresses, so your program can simulate appropriate login screens for each of them that a caller might try. (Otherwise, respond with a message like, "Line is busy" or "Connection can not be established." Look at actual call switchers, to see not only what messages are displayed, but to get the timing down right.)

After "connecting" to a computer or network, the program continues its simulation, collects the user's name and password, then aborts due to erratic line noise or some other ghastly problem. If the user tries calling back immediately, a message can be put up that warns certain transmission routes are undergoing maintenance, or similar baloney.
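The fake call switcher described in the last three paragraphs, written out as an added example; this is not code from the original text. The network name, the host address table, the banners and the five-minute "immediately" window are assumptions in the style of old X.25 switches; nothing here touches a modem or a line, it only scripts the exchange. The same state machine is what a defender's login honeypot or a phishing-awareness drill looks like from the inside, and the tells the text relies on are visible in it: the call drops the moment a password is typed, and an immediate redial gets a canned maintenance notice.

```python
import time

# Assumed address -> login banner table.  The text says to copy the real
# systems' screens; these are stand-ins for the example.
KNOWN_HOSTS = {
    "202118": "VAX/VMS V5.4 - system ALPHA\nUsername: ",
    "617300": "UNIX System V Release 3\nlogin: ",
}
RETRY_WINDOW_SECS = 300  # assumption: "calling back immediately" = within 5 minutes


class FakeSwitcher:
    """Scripted decoy for a dial-up call switcher.

    States: PAD (at the network prompt) -> USER -> PASS -> DROPPED.
    The clock is injectable so the retry logic can be exercised without sleeping.
    """

    def __init__(self, clock=time.time):
        self.clock = clock
        self.captured = []       # (host, username, password) triples
        self.last_drop = None    # when the last "line noise" disconnect happened
        self.state = "DROPPED"
        self.host = self.user = None

    def connect(self):
        """Caller dials in; returns the opening screen."""
        self.state, self.host, self.user = "PAD", None, None
        if self.last_drop is not None and self.clock() - self.last_drop < RETRY_WINDOW_SECS:
            # the "certain transmission routes are undergoing maintenance" excuse
            return ("NOTICE: SELECTED TRANSMISSION ROUTES ARE UNDER MAINTENANCE.\n"
                    "PLEASE TRY YOUR CALL AGAIN LATER.\n@")
        return "TELENET\n@"

    def feed(self, line):
        """Caller types one line; returns what appears on the screen next."""
        line = line.strip()
        if self.state == "PAD":
            # Telenet-style connect request: "C <address>"
            if not line.upper().startswith("C "):
                return "?\n@"
            addr = line[2:].strip()
            if addr not in KNOWN_HOSTS:
                # unknown address: mimic a failed call rather than guess a banner
                return f"{addr} CONNECTION CAN NOT BE ESTABLISHED\n@"
            self.host, self.state = addr, "USER"
            return f"{addr} CONNECTED\n\n" + KNOWN_HOSTS[addr]
        if self.state == "USER":
            self.user, self.state = line, "PASS"
            return "Password: "
        if self.state == "PASS":
            self.captured.append((self.host, self.user, line))
            self.state = "DROPPED"
            self.last_drop = self.clock()
            # the "ghastly problem": a burst of line noise, then the call drops
            return f"#%$!@~^&\n{self.host} DISCONNECTED 00 00\n@"
        return "NO CARRIER"


def run_session(switch, typed_lines):
    """Dial in and type each line in turn; returns the list of screens shown."""
    screens = [switch.connect()]
    for line in typed_lines:
        screens.append(switch.feed(line))
    return screens


if __name__ == "__main__":
    sw = FakeSwitcher()
    for screen in run_session(sw, ["c 202118", "jsmith", "Rex123"]):
        print(screen)
    print("captured:", sw.captured)
```

The timing the text warns about lives in `connect()`: a second call inside the window sees the maintenance notice, a later one sees the normal prompt again.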

In-Person Engineering

Any instance of impersonation is a form of social engineering. The impersonation may be of an individual person (the president of a company who demands to know why his password isn't working) or of a generic person (Gil Technician, calling to ask if any computer problems have come up). The telephone is normally used because it enables a hacker to reach distant businesses without travel, as well as creating a defensive barrier between the hacker and the people he or she calls. If the conversation starts to go sour, a telephone can be hung up; if a face-to-face talk gets out of hand, it could be difficult to get out of the building.

A good rule of thumb when doing in-person social engineering is to always wear a suit - a good suit, one that fits properly. Make yourself look like you just stepped out of a fashion magazine. At the very least, wear a shirt and tie. Females, wear suitable business attire.

Many kinds of SE that work over the phone won't work in person. You can't pretend to have an office, or pretend to have a computer terminal. Because of this the information you get from bullshitting in person may be minimal or only peripheral. You will probably end up with more background material than immediately useful information. Pretending to be interested in a job at the firm, going on a tour of the place, or simply squeezing in and wandering around on your own, provides lots of good data on how employees interact among themselves. Hackers and crackers have also impersonated maintenance workers, painters, and other workers to get inside a company. Being a security guard is also a nice ruse.

The prototypical in-person social engineer is the survey taker. You make up a survey, and stand in the lobby of the building with a pen and clipboard, and get people passing by to fill one out for you. The survey asks for name, spouse's name, hobbies, pets and pets' names, and similar info. Then you go home and try all that stuff as passwords. You might want to say there's some prize involved. For example, that completely filled out forms will be entered in a raffle; winners get tickets to a local show, or a free meal at a nearby restaurant. (Hint: Don't ask people to fill out surveys in the morning when they're late getting to work.)
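The "try all that stuff as passwords" step, written out as an added example; this is not code from the original text. The profile fields, the suffix list and the letter substitutions are assumptions about how people mangle a pet's name into a password, and the sample profiles and passwords are constructed. The same generator, run by a defender over the user directory and a password audit, shows which accounts would fall to exactly this survey.

```python
from itertools import permutations

# Assumptions: the suffixes and substitutions people commonly bolt onto a word
# when a system insists on "something more" than a bare name.
SUFFIXES = ["", "1", "12", "123", "!", "1!", "2011"]
LEET = str.maketrans({"a": "@", "e": "3", "o": "0", "i": "1", "s": "$"})
FIELDS = ("name", "spouse", "kids", "pets", "hobbies")


def tokens(profile):
    """Flatten every survey answer into unique lowercase word tokens, in order."""
    words = []
    for field in FIELDS:
        values = profile.get(field, [])
        if isinstance(values, str):
            values = [values]
        for value in values:
            for word in value.replace("-", " ").split():
                if word.isalpha() and len(word) >= 2:
                    words.append(word.lower())
    return list(dict.fromkeys(words))


def variants(word):
    """Case, reversal and leet forms of one token."""
    yield word
    yield word.capitalize()
    yield word.upper()
    yield word[::-1]
    yield word.translate(LEET)


def build_candidates(profile, min_len=3):
    """Every password guess the survey answers support, duplicates removed."""
    base = tokens(profile)
    seen, out = set(), []

    def add(candidate):
        if len(candidate) >= min_len and candidate not in seen:
            seen.add(candidate)
            out.append(candidate)

    for word in base:
        for form in variants(word):
            for suffix in SUFFIXES:
                add(form + suffix)
    # two-token combinations: spouse+pet, name+hobby, and so on
    for a, b in permutations(base, 2):
        add(a + b)
        add(a.capitalize() + b.capitalize())
        add(a + b + "1")
    return out


def exposed_accounts(profiles, passwords):
    """Defender's view: which users picked a password derivable from their own
    survey answers?  Plaintext passwords keep the example self-contained; a real
    audit would hash each candidate and compare against the stored hash."""
    hits = {}
    for user, profile in profiles.items():
        if passwords.get(user) in set(build_candidates(profile)):
            hits[user] = passwords[user]
    return hits


# Constructed sample data standing in for a lobby survey and a password audit.
SAMPLE_PROFILES = {
    "jsmith": {"name": "Joe Smith", "spouse": "Mary", "pets": ["Rex"], "hobbies": ["golf"]},
    "lulu":   {"name": "Lulu Green", "pets": ["Muffin", "Ginger"], "hobbies": ["model trains"]},
}
SAMPLE_PASSWORDS = {"jsmith": "Rex123", "lulu": "Tr0ub4dor&3"}

if __name__ == "__main__":
    for user, pw in exposed_accounts(SAMPLE_PROFILES, SAMPLE_PASSWORDS).items():
        print(f"{user}: password {pw!r} is derivable from their survey answers")
```

A handful of survey fields expands to a few hundred guesses per person, which is why a lockout threshold and a minimum length matter more than the survey taker's acting.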

Other Roles

Social engineering in its most important sense refers to the obtaining of personal or group passwords by making up a story about yourself and role playing it, hoping that whoever you end up speaking to will play along. But the goal of social engineering doesn't just have to be passwords. And the method of engineering doesn't just have to be over the telephone. Conversations may take place in person or through the mail. The first requires strong nerves and greater acting ability. The second is more suited to those who find it difficult to ad lib telephone SE conversations.

Miscellaneous Social Engineering Tips

To improve your chances of getting in with social engineering, here are some tips. Notice how the person you speak to reacts to your questions. If you speak to a receptionist or other worker on the bottom of the pay ladder, he or she may not want to chit chat or fool around with computers if he or she's being monitored, or if calls are being screened by the boss.

Go to some public place where they have terminals hooked up, and look at the wall where the terminal is connected to the phone box. Write down the four digits that appear on the box (these are the last four digits of the phone line that the terminal is hooked to). Guess the first three digits of the number by looking at a directory for the "public place" in question. Call a couple times at different times of day to make sure the line is always busy. Keep some of these "leased line" phone numbers handy when you social engineer to give to people who want to call you back. This is especially true of sysops who suspect you're a hacker and want to see if you're brave enough to give them personal identification information about yourself. This is better than just making up a phone number out of thin air, because if they do call up, the busy signal will at least create some reassurance in their mind that you weren't a complete fake.

Just giving them a number will usually relax them enough so they feel you are one to be trusted.

Confront people in a lighthearted way when they give you a password. Say, "Are you sure that's really the one you use?" Secretaries may have two passwords. One is their own, which grants them access to a low-level group account. The other is their boss's password, a higher level one that they know about because, frankly, secretaries know everything about an organization.

Challenging someone in a non-accusatory way about the password you are given may also cause them to fess up if they had indeed given you an invalid password to get you off their backs. Second guessing them shows that you already knew the correct password, and that you caught them in a lie.

If they are bewildered when you ask for a higher password, just say, "Didn't they upgrade your access yet? They just bought this whole new system that's supposed to work fifty times faster and everyone's saying how wonderful it is..." Then quickly change the subject.

Have a background tape playing with office sounds or whatever is appropriate for the number you call. Before using this tape, try to take a tour of the company and listen to the real sounds made during the work day. Also, play the tape for a friend over the telephone, and similarly have a friend play the tape while you listen over the phone - trying to adjust the tape to a realistic sound level. Remember that if you're the "first one in the office" as with our naive user example, you don't want the tape to include background chatter or typing!

When you're talking to people, even if it's just over the telephone, keep a smile on your face and act in a jovial, friendly manner. Pretend you're that person's best friend. If the person picks up the phone with a, "Hello, General Widgit Corporation, Lulu speaking," you respond with, "Hi Lulu! This is..." and go on with your spiel.

Now Lulu doesn't know if you two have met before, and as you continue with your friendly attitude, she will begin to treat you more like a friend. Try looking through some books on voice marketing, telephone selling, etc., to get more ideas.

The way in which your phone call is received can also affect your credibility. Often a company telephone will make a different sort of ring, depending on whether the caller is on an inside or outside line. Since you are pretending to be an inside caller, you will want your telephone ring to reflect that. To fix that, call a wrong office or department in the company, and have them transfer you to the number you're after. For instance:
PERSON ON OTHER END: "Advertising. May I help you?"
YOU: "I'm sorry, I guess I dialed wrong. Would you mind transferring me to extension 4358?"
Now you'll get that in-house ring, and with it, an air of authority (and maybe even a special inside caller light will flash on the telephone, too).

Another way to get that desirable inside caller ring/light is to dial, not the listed number, but one next to it. Any organization with more than one phone line almost certainly owns a block of phone numbers. So if the listed number to call is 123-4567, try calling 123-4568, or something a few digits higher or lower. Your call will usually go through, and it will take on the clout of having been placed by someone who is apparently a company insider - anyone else would have dialed the listed number.

Another thing to consider is if you're trying to reach a higher-up in the corporation, you may only end up contacting secretaries, receptionists and/or other underlings. A good trick is to call an office of higher or similar prestige as your goal office, and let the secretary transfer you over. For example, suppose I want to try social engineering Mr. Palooka - a middle manager who runs the shoe division. But I can't get through to speak with him personally. What I do is, I call up Mrs. Colt, who is either a same-level, or higher-level manager, and I ask her secretary to connect me with Colt personally. Colt's secretary asks what I wish to speak to Colt in reference to, and I say, "Shoes!" But Mrs. Colt handles only the rubber band accounts, not shoes. So Colt's secretary says, "Well, you'll have to speak to Mr. Palooka about that one; would you like me to connect you?" She will then transfer your call to Mr. Palooka's secretary. Palooka's secretary comes on the line, and you say to her, "Hello. This is so-and-so. Mrs. Colt's office suggested I speak with Mr. Palooka about shoes." Here you have a recommendation from another company member! You're now much more likely to get in to bullshit Mr. Palooka. Happy engineering!

Sample Social Engineering Situations

It's easy to get yourself into awkward situations, especially at the beginning of your social engineering career. You will speak to receptionists and other company insiders who know the lingo, know policies and screen setups, and know how to spot a fake. Whether intentional or not, you will be asked questions to which the answers are not readily apparent, due to the fact you are an impostor. Here are some samples and possible solutions.

RECEPTIONIST: "You're Charles Green? But there is no Mr. Green in our computing department."
YOUR RESPONSE: "I've just been here a few days..."
RECEPTIONIST: "That's funny, I didn't see your picture hanging up on the New Staff bulletin board."
YOUR RESPONSE: "Yes, I know. What's-her-name hasn't had a chance to take my picture yet. Maybe later today."
RECEPTIONIST: "What do you mean, 'What's-HER-name'? Jack's the one who takes staff pictures."
YOUR RESPONSE: "Oh yeah, Jack - right!"
RECEPTIONIST: "I won't be able to help you until I have your staff ID. What is your employee ID number, please?"
YOUR RESPONSE: "Oh, I don't have one. I'm just a temp. I'm filling in for someone who went off to have a baby."
RECEPTIONIST: "Just read the number off your ID badge."
YOUR RESPONSE: "I didn't get my badge yet - there was some mix-up or something. My supervisor said she would give it to me tomorrow, maybe. You know how it is, no one knows what they're doing, and all that..."
RECEPTIONIST: "Who's your boss/supervisor/manager?"
YOUR RESPONSE: "M______. Do you know anything about him/her?"
(You should've done your research, so you should know the answer to this sort of question. If you don't know and it's a large company, or a large building, you can try either answering with a false but common name, or try the old, "Uhm.... Something with an 'S' - Schindler? Schindling? Schiffer? Schifrin?")

Here's a different situation:
RECEPTIONIST: "But I don't have a computer!"
YOUR RESPONSE: "I'm sorry. I must've dialed wrong. Is M______ available?"
(M______ is the name of the receptionist's boss.)

If you can manage to work in some company news or personal tidbits in an unobtrusive way, then do so - if the person you're speaking to seems friendly. This is just another way of gaining credibility points.

YOU: "Sorry, I didn't hear that last thing you said. It's really loud here with that construction they're doing next door."

YOU:"By the way, does M have a kid in the Little League? My son has a friend named

Note that for maximum benefit, credibility questions should be worked in before asking about login procedures.

Tuesday 29 November 2011

Other Hints

If it's possible to research the place, do so beforehand. Do as much as you can to find out about busy hours and what kinds of problems they might experience with the system. If it's a public place like a library, for example, then try to figure out which people working there know nothing about computers. Try to get those people on the phone. Also, make sure you identify yourself as so-and-so from the computer department (or computer division, or section; if the person answers the phone, "Hello, registration office," then use the same terminology - computer office). And when you do so, use a common, everyday first name, and also a familiar last name. If you can't get the login information the first time, try again at a different time, on a different day. Don't speak to the same person, however.

A friend of mine, Bill, told me this story. One summer day he called up a mail order place to buy some electronics equipment. As the woman was taking his order, she casually mentioned that she was doing everything by hand because the computers were down. Bill asked if she knew why they were down. She said she didn't know, but she was pissed about it because computers in other parts of the building were working fine. Well, as soon as Bill got off the phone, he called back and, hearing a different operator on the line, proceeded to have this conversation:

OPERATOR: "Shark's Radio Supplies, Pam speaking. May I help you?"
BILL: "Yes, but actually I called to help you. This is Bill Robinson, in the computer department. Are you still having problems with the computers?"
OPERATOR: "We sure are!"
BILL: "Oh, okay. What's the computer showing right now?"
OPERATOR: "Nothing, we have them all turned off."
BILL: "Oh, I see. I thought you were having problems with it, but I guess you're in the part of the building where they're not working at all."
OPERATOR: "Yeah."
BILL: "Well, have you tried turning them on lately?"
OPERATOR: "No - oh, are they back on again?"
BILL: "I think they might be. Now would be a good time to try."
OPERATOR: "Okay.... Nothing came on the screen."
BILL: "Can you type in anything?"
OPERATOR: "Lemme see.... No."
BILL: "Sometimes, even if it doesn't look like the letters are going to the screen, they still go there. Try typing in all the stuff you usually type in when you first turn on the computer."
OPERATOR: "Okay."

The operator went on to give Bill all the information he needed to know. When the operator was finished "logging on," Bill gave a resigned sigh and said, "Oh well, it was worth a shot. I'll go back and tinker around some more. Thanks anyway." Of course, he still didn't have a phone number to call. He didn't even know if the computer system was connected to outside lines - after all, this all happened on account of a freak accident, his finding out about the downed computers. But now he knew how to go about logging in to Shark's Radio Supplies' computer system, and he had made a friend on the inside. The login information was important in case he did find a phone number, or if another hacker needed the information.

Having an inside friend was important because now Bill could use her as a further information source, if the need ever arose.

Peak Hours

Don't use the above mentioned sort of ploy around lunch time or early in the morning. It'll be harder to work effectively. Let the pressures of the work day start to pile up before you call.

If the system you're breaking into is a place you have access to, such as a library, dentist's office, bank or school, you should do a little research and figure out when the best time is to make your call.

At one of the libraries I belong to, the computer system has a "3 o'clock slow down." At around 3 o'clock every afternoon, the computers suddenly slow down to half their usual speed. This leads to various other computer problems and, ultimately, very frustrated library workers. I don't know why the computers slow down; maybe the system gets the most use at 3 o'clock, or maybe at that time information is forced to travel through an alternate route to get from the library's terminals to the mainframe located at a college on the other side of town. If I were to try some social engineering on the library, I would do it during the 3 o'clock slow down, when most problems occur.

I've noticed another thing: The library patrons who don't realize that there's nothing wrong with the computers (who don't know that they always slow down around that time) call up the "computer room" at the college and ask why their computers are down. Don't you think it would be a pleasant surprise if one day they got a call from the "computer room" (i.e., me or you), asking if there's anything we could do to help? Surely they'd be more than willing to tell you the logon procedures they use, if only you'd speed up the system for them!

Computers tend to be at their slowest toward the middle to end of the day, when the most people are on the network. This is especially true in university settings. Frequently students and faculty will log on in the morning, then stay connected throughout the day, regardless of whether they're using the system. On the other hand, some systems will actually get faster as the day proceeds, so research is always a must. For example, the Prodigy service is proud of the fact that toward the end of the day and into the night, as usage increases, system speed also increases. This is because data is stored on a dual-tier basis. There are the mainframes situated in Prodigy headquarters somewhere on the globe, and various minicomputers scattered about the country. Users connect to the semi-local minicomputers, called Local Site Controllers, and as they use the system, data is copied from the far away mainframes to the local minis. By the end of the day, most of the data a user would request to view will have already been transferred to the closer computer, making for less waiting time.

It's good to be aware of pace trends in the places you intend to social engineer. If you can find a noticeable difference in pace (like a 3 o'clock slow down) naturally you will want to work your magic around that time. Good times don't have to just be when the computer changes pace; if the workload, noise-level, number of customers, or some other aggravating condition worsens during a particular time, that is generally a nice time to social engineer. To find these times, try to visit your target's office at various times throughout the day. Find out when the office is busiest. If it's something like a library or travel agency, go visit the building or make some phone calls. Ask a question about something, and if they seem to be having trouble when they look it up in the computer, call back as the guy from the computer department. Remember, offices will be at their most hectic after being closed one or two days, so Monday morning is always a good shot. Just make sure they're not so busy that they don't have time to schmooze on the phone with you.

Social engineering will work with any computer system, of course, but you will naturally find it a lot more difficult to fool a system administrator at the community college than a teenage bank teller. Social engineering has been successfully used to gain access to corporate networks, schools, government offices, and other systems. Social engineering is a powerful tool, but you have to be a good actor to use it properly.

Hacker As Helper

This type of role playing is like reverse social engineering without the sabotage (see next chapter). Here you pretend that something has gone wrong with a place's computers, and you are the technician who is calling to fix it.

Let's say you want to break into the computers at the mayor's office. You call up his secretary, and you say something like this:
"Hello, this is Jake McConnel from Computers. We were wondering, have you been having any problems with the computer system? "
Of course she's been having some sort of problem with it - there's always some problem with computers!
The secretary answers: 'Why yes! First this was happening, then blah blah blah...'
You say, "Yes! That's exactly it! That wasn't your fault - there's something wrong with the computers, and we're having trouble fixing it. When you first turn on the computer, what do you type in to get it started? One of the other guys here was screwing things around last night and we think that has something to do with it."
The secretary will not be suspicious; after all, you've identified yourself. Even if you hadn't, what harm could possibly come from telling someone a password over the phone? You see, the secretary, or any other underpaid, overworked, menial user of the system, is a very weak link in the chain of security. The secretary doesn't understand computers and doesn't want to. All she knows is something's going wrong and you're going to fix it for her. This is a very effective ploy.

Hacker In Power

If appealing to a technician's sense of godliness won't work in your situation, perhaps it's time to become a god. In a military setting, pretending to be a high ranking officer can put fear into the hearts of any lowly receptionist. Just call up, saying either that you are the general, or you're the general's personal secretary. In either case, both of you are pissed off that your computer isn't starting up the way it should. Demand to know why your account isn't being accepted as valid.

Don't whine or complain, just make angry demands. You will get results. In a corporate milieu, pretend to be the CEO or the president, or secretary of a CEO or president, especially in organizations where it is well known that the leader is a hothead. No one wants to get fired or demoted. The anger routine is useful because the person who picks up will want to be rid of you as fast as possible, and will do anything to get you off his or her back.

Presidents, leaders, military officers, CEOs and the like don't have to be angry, however. Just the mention that you are whoever you say you are will work wonders for your credibility (who else would possibly dare to proclaim themselves General So-And-So?). But if you act as a high-up without being angry, make sure you've done your research beforehand and know what your name is.

This is a sample encounter:
PERSON ON OTHER END: "Good afternoo -"
YOU: "THIS IS GENERAL FROBBS. I AM APPALLED BY THE CAVALIER WAY IN WHICH THIS PLACE IS BEING RUN! I WENT AWAY FOR TWO DAYS AND WHEN I RETURN I FIND I HAVE BEEN ERASED FROM THE COMPUTER! WHO'S IN CHARGE OF THESE COMPUTERS? I'M APPALLED! I DEMAND YOU RESTORE MY ACCOUNT. I HAD MANY IMPORTANT DOCUMENTS SAVED THERE!"

PERSON ON OTHER END: "Did you try typing 'GROUP-1,' 'SEC'? That still works."
YOU: "THAT'S THE DAMNED GROUP CODES! I NEED MY OWN PERSONAL ACCOUNT BACK! I AM APPALLED!"
PERSON ON OTHER END: "I'm sorry, I can't help you with your own codes. Would you like me to find someone who can?"

Notice in this example conversation you have managed to procure a username/password combination which, while not too powerful, at least will gain you access. Even if the person on the other end never does manage to find the general's password, at least you've ended up with not just one, but several accesses to the system. After all, if there's a GROUP-1, there must be a GROUP-2, right?

Hacker As Neophyte

Here you play the role of a new user. Let's say you're trying to get into a company's computer system. The time is 8:55 in the morning. You call up the computer department (from your home or wherever) and this is the conversation that follows:

PERSON ON OTHER END: "Hello; Jack Chipper, Computing Department."
YOU: "Hello, Jack, this is Gary Harris from the Researching Department. Maybe you could help me with a problem?"
JACK: "Maybe... What is it?"
YOU: "Well I'm the first one here, and I can't seem to get things started up. Will you talk me through it?"
JACK: "Sure. You by your computer?"
YOU: "Yes."
JACK: "Okay. Turn on the red switch on the floor. You see it there?"
YOU: "Yes, okay. I see it... Okay."
JACK: "It'll take a few minutes for everything to boot up."
YOU: "To what?"
JACK: "Uh, boot up. I mean, it'll take a minute or two for the computer to set itself, to get ready to use."
YOU: "Okay, it stopped."
JACK: "What do you see?"
YOU: "Just what you always see. It worked up to here fine before, but after this, it didn't work. What do I do when it doesn't work here?"
JACK: "What do you usually type?"
YOU: "I don't know. This is my first day here. I'm just a temp - they said someone would tell me!"
JACK: "Okay, press Enter."
YOU: "Enter... Okay."
JACK: "Now type 'TEMP' spacebar 'PUPPY.'"
YOU: "Okay... Oh!"
JACK: "See?"
YOU: "Thank you, Jack - I don't know what went wrong before!"

Now I want to run through this conversation again, this time pointing out some of the essential components of all successful social engineers.

PERSON ON OTHER END: "Hello; Jack Chipper, Computing Department."
YOU: "Hello, Jack, this is Gary Harris from the Researching Department."

Notice here how you begin your conversation by mimicking the technician's words, introducing yourself in a way similar to the way the technician introduced him or herself. This is done to make the person on the other end feel more comfortable talking to you, and to show that you're not afraid to reveal who you are or what business you do for the company. If Jack had said he was from the Computer Room, then you would say you were from the Research Room. Unless you have a company directory as reference, you won't know the exact names insiders use for each of the various segments of the corporation. Thus, it's usually a safe bet to talk like the insider, in this case the technician. Even if you say "department" when you should have said "committee" or "room," the fact that the technician used that term will make you sound, in his ears, like an employee.

YOU: "Maybe you could help me with a problem?"

This appeals to the technician's sense of computer godliness. It also piques his curiosity as to what could be wrong with his system, or your use of his system. Saying "maybe" will get the technician somewhat flustered - you should know better than to question his ability to handle computers. He will then go overboard to show you how smart he is. Knowledgeable users love to show off their computing skills (I know I do, don't you?), especially technicians whose job it is to help the multitude of non-experts get through the day.

Also, notice the mention of the word "problem." Computer people love solving problems. Mention in a vague way that there's a problem with his system, and he'll go crazy: just open your ears and let the passwords roll right in!

YOU: "Well I'm the first one here..."

Notice at the beginning I mentioned that the time was 8:55 in the morning. It won't always be possible to call before the workday begins, but it sure does help if you can. Doing so gives you a valid excuse to call a technician for help; after all, if you're the first one there, there's nobody else to ask. But technicians won't always be available before anyone else at the office, so this won't always work.

Consequently, you may want to try making a phone call at the end of the workday. Then you'll be able to say that the other people in the office shut off the computers and went home before you had a chance to finish your work.

YOU: "...and I can't seem to get things started up. Will you talk me through it?"

Now that he knows he's the superhero, you immediately identify the problem, while still being vague enough to not alert suspicion if your assumptions about the login procedures are wrong. After all, dialing into the company's computer system from your house could look very different from actually being there, using it in person.

You're better off staying with general questions, and allowing the technician to mentally picture the specifics of your trouble. The "will you talk me through it?" request begs him to do something he does by rote every day.

Again, it is important to request that he do something specific (such as talk you through the setup procedures) but not so specific that you blow your cover by making yourself seem suspiciously knowledgeable. For example, if you had simply said, "Can you help me?" he might want to walk over to your office to help you out.

Since you are not actually in an office, this will definitely tip him off to your deceit.

JACK: "Okay. Turn on the red switch on the floor. You see it there?"
YOU: "Yes, okay. I see it... Okay."

You have to pretend to be doing what the technician asks you to do, because remember you're not actually in the office, and perhaps the reason you are social engineering is because you don't even have a dial-in number. It's good to have an actual computer next to you, so he or she can hear the power being turned on and you clicking away at the keyboard.

JACK: "It'll take a few minutes for everything to boot up."
YOU: "To what?"
JACK: "Uh, boot up. I mean, it'll take a minute or two for the computer to set itself, to get ready to use."
YOU: "Okay, it stopped."

"To what?" shows your complete helplessness when it comes to computers. You don't want to pretend you've been living in a cave the last three decades, however. Saying, "What's a keyboard?" will only provoke utter disbelief, not sympathy for your naiveté.

Don't forget that the conversation has a plan to it - you're trying to steer the conversation to your benefit, so make sure you stay in control of where it's heading. "Okay, it stopped," reassures the technician that the computer is working fine, and that his or her ability to give instructions over the phone has not faltered. But above all, it keeps you on track so the conversation can continue toward its ultimate reward.

JACK: "What do you see?"
YOU: "Just what you always see. It worked up to here fine before, but after this, it didn't work. What do I do when it doesn't work here?"
JACK: "What do you usually type?"
YOU: "I don't know. This is my first day here. I'm just a temp - they said someone would tell me!"

Boy! This guy isn't letting up! You can try for another generic answer ("Usually I type my password here..."), but what if you guess wrong? What if at this point an office worker is placed at the DOS prompt or Macintosh Desktop? You see, it could be that dial-in lines are password protected while in-house computers are not. In-house computers might be protected by trust, physical keys, or biometric devices.

In this instance, you've used the "new person" ploy. It's usually a good bet to pretend you're a new person, unless it's widely known that the company is actively firing employees, or is ready to go bankrupt. Saying you're from a temporary agency may or may not be a good idea. Temps will generally have a site contact or local supervisor to whom they report and ask questions. The technician might not know that, however, and in any case you can always say that your supervisor is in a meeting and told you to call the computer department for advice.

JACK: "Okay, press Enter."
YOU: "Enter... Okay."
JACK: "Now type 'TEMP' spacebar 'PUPPY.'"
YOU: "Okay... Oh!"
JACK: "See?"
YOU: "Thank you, Jack - I don't know what went wrong before!"

The "Okay..." is said as if you've tried this same thing a million times, but it's never worked. Thank the technician profusely for his help, and reassure him that you are a genuinely naive but responsible member of the company (in this case, by saying you don't understand what went wrong before).

I based this sample script on hundreds of real-life conversations that technicians have with legitimate users who have similar problems. I can recall dozens of times when I personally have been asked how to do something that the user has already done before, without getting it to work. Usually all it takes is a run-through and everything works fine. My experience has been that these calls usually end with the person who has been helped grouchily saying, "But I tried that before! It didn't work before!" So make sure that you are nice to your technician - you may be needing help from him or her again and it will certainly boost his or her ego to know you appreciate the help you have received.

Here's another example of how a hacker can pretend to be helpless when it comes to computers, but still make off with vital information. When a new computer system has been installed in an office, there will often be business cards or phone numbers taped near the terminals which are used to contact someone from the technical department of the company which supplied the computers, to deal with bugs that haven't yet been worked out.

The business cards (or you may just find a phone number on a slip of paper) may also be taped to a section of wall devoted to important messages, or they may also be hidden someplace behind a clerk's desk or counter. Crane your neck if you must to get the name and number off the card (or simply ask the person, we don't always have to do everything on the sly!).

Let's say you managed to get Frank Smith's number at Corny Computing while you were doing some business at a branch of an insurance company. Call the number and say, "Hi, this is Lauren from Booboo Insurance. There was some weird stuff going on with the computers and I had to shut them off, and now I'm stuck..." And let them lead the way.

One time I saw such a business card taped to a public access terminal at a library. I copied off the information, then called up, saying, "This is Jack [a guy named Jack really worked at the library] from Whoopie Library. I'm having trouble getting into the circulation system from public access mode. The computer's behind the counter, so I don't know what it was doing in PA mode to begin with, but..."

The Noble Form

To those hackers whose sense of ethics does not allow them to use trickery in an attempt to ascertain passwords, one form of social engineering still might be used without straying from one's sense of morality: the gentle art of asking, "Please ... ?" I think I've never heard of a verifiable instance where this has worked, though there are rumors that hackers have simply requested - and received - passwords from system users. Usually, the story goes, the system operator is either asked over the telephone, or e-mailed a letter which says something like: "I am a hacker. Give me a low access account and I will use my skills to show you what your system's weaknesses are. That way you can correct them and won't be troubled by malicious crackers in the future."

The other way to do this is to call up someone - anyone - a secretary in an office for instance - and just ask, "What do you type in to start the computer in the morning?" Will this work? Well, you would have to be lucky enough to call someone who's fed up with his or her job, and who doesn't know any better about security procedures.

Social engineering minus the deceit is not likely to work, and could make it harder for you to get in, in the future. More likely you will want to bone up on your acting skills and try some telephone shenanigans.

Social Engineering

It is somehow shocking the first time one hears about "social engineering." At least it was shocking for me. Hacking is thought of as an activity pursued solely, nocturnally, relentlessly, for hour after midnight hour, by some dazed and nerdish character banging away at a computer keyboard in feverish pursuit of that single golden word which will grant access to the technological secrets of the universe.

That is how it was at some point in the past, until it became impractical. Those brute force methods are certainly valid, and they are the bread and butter of any well-stocked hacker's arsenal. But there are other ways to learn pass-words; social engineering is one of them.

"Social engineering" is the attempt to talk a lawful user of the system into revealing all that is necessary to break through the security barriers. The alternate term for this is "bullshitting the operator."

Social Engineering (SE) appears in a variety of forms and disguises. Here I will list many of them. As you will surely discover for yourself, there is a cornucopia of clever twists and variations to be made on each of these examples. Some twists I will examine, others will be left for you to creatively imagine.

Conclusion

Much of this chapter has focused on different "likely" passwords to try when initializing an educated brute force attack. We can go on forever listing common passwords - names of pets, historical dates, room numbers, book titles - not to mention all of the above with vowels removed, backwards, and in various anagram forms. There comes a time when you have to forget about trying to limit the number of possible passwords to a select few, because your "limited" number will be as infinite as before you put the restrictions in place. Besides, a password may be "easily guessable" and yet be secure enough to thwart your attempts to guess it.

The password "Smith" is not secure, and "Jones" is not secure, but "Smith@#Jones" is as obscure as anything. Outsiders see password guessing as a valiant pastime for the hacker, but in essence it is only the beginning of the hack. Brute force is best carried out by computers, and should really only be used when a computer is necessary to gain access (I'm thinking about Robert Morris Jr.'s worm program as an example). The thing is, the whole business of hacking has to do with skill and knowledge. Brute forcing passwords requires little of either. But no one's going to look down on a hacker who does some educated brute force work, especially if that hacker has a good reason for doing so. But don't rely on the computer's brawn to do your dirty work: Use the ingenious computing power of your brain. And that is the topic of the following two chapters.

"Computer crimes deal with people to a far greater degree than they deal with technology."

Foiling The Brute Force Assault

As a youngster I remember going out to dinner with my family one night, where they had an all-you-can-eat special. Naturally I decided to do my part to see that I ate my fair share, but by the third reorder, we were getting increasingly frustrated with the long waits and smaller portions. My dad explained it: "You see, that's what they do so you won't eat as much. They keep taking longer and longer to come out with the food, and they give you less of it." I don't know how true that was, but after a while it certainly was not worth waiting around forty minutes just to shovel down another plateful of food.

The techniques used to thwart brute force attacks work on the same principle as that all-you-can-eat restaurant. As mentioned earlier, if one is persistent enough then it is really only a matter of time before a legal username/password is hacked by guesswork or by chance. Therefore, the way to prevent such an attack from succeeding is to structure the system prompts to frustrate the hacker into quitting early.

The most common defense is allowing only a few login attempts before disconnecting. The computer may then refuse to allow a reconnection within a certain period of time. The drawback to this is that a legitimate user might be inconvenienced - though having to wait a few minutes is much less of an inconvenience than logging on to find one's files have been tampered with by some cracker.

Another method is to increasingly slow the response time to each successive login attempt. A prospective hacker might find himself waiting thirty seconds for a response from the remote computer... Then a minute... Then two minutes... The long waiting periods wouldn't start until the first three or four login attempts were tried and found unsuccessful. Then the computer would say to itself, "Gosh, no real user would spell his name wrong that many times. Must be a hacker!"

Another trick is the dummy login prompt. After a certain number of unsuccessful login attempts the system continues asking for login information, but returns an error message no matter what the input is.

The moral of this story is, if you write a password-cracking program, be sure you monitor its progress. Don't just set it to run overnight and leave it unless you've first determined that such security measures are not in place. When you wake up the next morning you may find it's been taking forty minutes for the computer to respond to your inputs. Or you may find that every possible combination has been tried to no avail, and so you know that you've been wasting time responding to dummy login prompts.
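As an added illustration from the defender's side (not code from the book), here is a small Python model of the three defences just described: disconnect and refuse reconnection after a few failures, a progressive delay that only starts after the first three failures, and a dummy prompt that keeps asking but never succeeds. The clock is injected so the behaviour can be exercised without real waiting; the user table, thresholds and origin names are constructed for the example.

```python
"""Added example (not from the book): a login gate modelling the three
defences described above, with an injectable clock so the behaviour can be
exercised without real waiting. User table and thresholds are constructed."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed demo user table: username -> sha256 of the password.
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}

MAX_ATTEMPTS_PER_SESSION = 3   # disconnect after this many failures in one session
LOCKOUT_SECONDS = 300          # refuse reconnection for this long after a disconnect
FREE_FAILURES = 3              # delays only start after this many total failures
DUMMY_PROMPT_AFTER = 8         # beyond this, keep prompting but never succeed


def progressive_delay(total_failures: int) -> int:
    """Seconds to stall before answering the next attempt: nothing for the
    first FREE_FAILURES, then 30 s, 60 s, 120 s, ... doubling each time."""
    extra = total_failures - FREE_FAILURES
    return 0 if extra <= 0 else 30 * 2 ** (extra - 1)


@dataclass
class Origin:
    """Per-caller state; a real system keys this by line, address or account."""
    session_failures: int = 0
    total_failures: int = 0
    locked_until: float = 0.0
    delayed_until: float = 0.0


@dataclass
class LoginGate:
    clock: Callable[[], float]
    origins: Dict[str, Origin] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)   # what an operator would see

    def attempt(self, origin: str, username: str, password: str) -> str:
        now = self.clock()
        o = self.origins.setdefault(origin, Origin())
        if now < o.locked_until:
            return "refused: reconnect too soon"
        if now < o.delayed_until:
            return "delayed"            # the prompt simply has not come back yet
        if o.total_failures >= DUMMY_PROMPT_AFTER:
            return "login incorrect"    # dummy prompt: even the right password fails
        digest = hashlib.sha256(password.encode()).hexdigest()
        if username in USERS and hmac.compare_digest(USERS[username], digest):
            o.session_failures = o.total_failures = 0
            return "ok"
        o.session_failures += 1
        o.total_failures += 1
        o.delayed_until = now + progressive_delay(o.total_failures)
        if o.total_failures == DUMMY_PROMPT_AFTER:
            self.alerts.append(f"{origin}: {o.total_failures} failures, switched to dummy prompt")
        if o.session_failures >= MAX_ATTEMPTS_PER_SESSION:
            o.session_failures = 0
            o.locked_until = now + LOCKOUT_SECONDS
            return "disconnected"
        return "login incorrect"
```

Because the dummy prompt returns the same "login incorrect" as a genuine failure, the caller cannot tell from the responses alone that guessing has become pointless; the operator, however, gets an alert the moment the switch happens.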

Brute Force Methods

Brute force means manual labor for your computer and, usually, lots of it. It isn't too difficult to do, but it is time consuming. What brute force methods entail is the inputting of one password after another until finally - maybe - something hopefully works. Or just until you give up and move on to a better method.

Brute force methods are usually the first and last thing a hacker does when trying to break into a system. The first time he does it, it's a half-hearted attempt. If he can guess the password right away, or after the first seventy-five or hundred attempts or so, then that's fine. After that fails it's on to trying out other angles for
a while. If none of those more sophisticated ways work, then it's back to brute force for the big finish.

Brute force, after all, must work eventually. The "must" is what draws hackers to it; the "eventually" is what drives them crazy. Brute force takes a lot of time, but not much else. That time is spent in research, trial and error, and in writing special programs to hurl one password after another at the system.

Brute force is the least graceful way to fly, but since it eventually must be effective, eventually all hackers will resort to using it at one time or another. You may find yourself in a situation where you know nothing about the people who use a particular system; where common names and passwords have failed; and where no trick seems to work. In these cases, you will have to try the most brutal of all brute force approaches: you will have to write a little program that will repeatedly dial the computer system, enter a new name/password combination, and keep repeating this until something works. This could take forever.

Some hackers use a dictionary file they get from their word processing programs or off a bulletin board. This is a good idea, but only if you use it properly. Edit the dictionary file so it includes common names, each letter of the alphabet, musicians, names of cars and presidents, numbers, celebrity nicknames and other common password material. Get rid of the words like "perspectives" that just seem too weird for anyone to use as passwords.

Speaking of making things go faster for yourself, the same holds true when brute forcing non-language passwords. If you live in New York, you should begin your attack by brute forcing New York SSNs only. There are many ways to bring down the number of potential codes you have to check. The military uses what is called the TAC Access Control System (TACACS) to ensure legitimacy of usership of its network computers. The access codes that TACACS looks at are strings of alphanumeric characters - but the strings will never contain the numerals zero and one, nor the letters Q and Z. The theory behind this decision is that a user reading his or her access code off a code card can easily confuse 1s, 0s, Qs and Zs with other letters or numbers.

Once you have edited your dictionary of possible passwords to best suit your needs, or once you have determined which codes are the ones most likely to occur, you write yourself a little program in whatever language you know, to dial the modem, enter one word at a time as a password, and try, try again. And again. And again. This is a simple program to write, but if you don't have the expertise to do so, plenty of programs like this are available on BBSs.

There are some things to consider when writing the program. How many times will the computer system allow you to enter bad name/password combinations before it logs you off? Three? Eight? If it gives you three chances before saying bye-bye, make sure your program outputs exactly three name/password combos before redialing the number.

Often remote computers will accept characters as input even before the input prompt is put on the screen.

If this isn't the case with the system you're trying to get into, you'll have to put a delay loop in your program to make sure passwords are not being entered before the cursor is on the screen.

Finally, what happens when your program does manage to ferret out a workable username and password? Unless you're sitting there, monitoring the computer as it does its thing, you need some way of knowing when a brute force attempt has been successful. Otherwise your program will continue to spit out passwords, and the system operators - who by now almost certainly have noticed what is going on - will be absolutely furious! Have the program monitor text as it is sent from the remote computer. When something other than the login prompts is received, have the program flash the screen and ring the loud bell on your printer. Either that, or have it input the logoff command, and print the usable username/password on the screen for you to see when you wake up the next morning.

If you know Joe User works for Company X, then you can have the program run through every combination of password with usernames Joe, User, JUser, and Joe User - not to mention other varieties like joe, JOE, and joeuse. (But from your research and experimenting you should have some idea what format the username will be in, so you shouldn't have to try too many variations.) If, on the other hand, you don't know the name of anyone who works there, you'll have to either find out (i.e., look in company directories, call up and ask, look in annual reports, newspaper articles, or any of a hundred other places to find names) or try every combination of possible first names. If you must resort to trying every first name, make sure you try female and foreign names. You might want to take a trip to the library and find out what the most popular first and last names are. But remember, you don't need the current popular names - you need names that were popular and common twenty or thirty years ago, when parents were naming the people who work in the company you're trying to break into.

Certainly, it is not absolutely essential to write a program to spit out passwords. If you have the time and patience, you can sit down and enter passwords yourself. But remember that this will take even longer than the already immense amount of time it takes a computer to brute force its way in. I must emphasize that no matter how many precautions you take to eliminate excess work, brute force will almost always take an extremely long time to bring results. Therefore, it's important to do what you can to speed up the entry of passwords. If you have to redial the modem after every three passwords, make sure you're running your attack off a phone line with Touch Tone capabilities.

Also, before you begin a brute force approach, set yourself up with the highest baud modem you can possibly acquire, even if you need to borrow one from a friend. Moving just a few notches up the baud ladder makes a big difference in speed.

Programs Are People Too

Sometimes computer systems are set up with programs that have usernames and passwords, just like any other user of the system. Thus if you login as that program, the program is executed. Programs might be a tutorial on how to use the network, information system, database, messaging system or just about any sort of application program. Some sites also have accounts whose username is that of an elementary command, such as "time," "date" or "who" (which tells you who is logged on). This allows people to carry out certain quickie functions without having to go through the hassle of logging on to the machine. Often these command accounts don't have passwords associated with them, which is ironic since many are given superuser access permissions.

It's possible that you may get in to one of these program users with a name/password combination chosen from words such as these:

guest       demo        help
info        tutorial    tut
menu        data        base
intro       anonymous   database
visit       welcome     hello

"Visit" or "visitor" might be the username, and "tut" the password, for example. Other possibilities are trying to get in with usernames "calendar," "cal," "sched," "schedule," "whois," "ftp," "who," "lpq," "archie," or other common command names. Many installations will have a general-usage or even public information system set up. Access may be gotten by logging in as "info," as suggested above, but other variations are possible. The fictional Wakka Doo University may require logging in as "wdu," "wduinfo," "hellowdu," "wdunews," "wdumail," "welcomewdu," or some other variation on the University's initials. If you do manage to get in this way, first of all you are to be congratulated for a very successful hack - but then what? If you are interested in gaining higher access levels or in escaping out of the program entirely, you could have a lot of difficulty ahead of you. An upcoming section will offer suggestions for getting beyond limited access restrictions.

Non-Random Machine-Generated Passwords

Finally, let's consider non-random machine-made passwords. Often users are entered into a computer system before their first logon. Then, unless the sysops can relay information to users off-line, the password must temporarily be something that the user already knows, such as their Social Security number (SSN), date of birth, or other personal data. Users are supposed to change this easy-to-guess password to a more secure one, but unless they're specifically shown how or required to do so, it is unlikely they will follow through.

Here's a non-computer example which demonstrates this weakness. In April of 1992, students at a New Jersey university received a memo, informing them of new over-the-telephone class registration procedures. The memo stated that the Personal Access Code (PAC) assigned to authenticate one's registration was the first four digits of one's birthdate (month and day), entered in conjunction with one's nine digit student ID number (essentially, one's social security number).

What got me was that first of all, they told students that their top secret PAC was their birth date. This violates all the security precautions they're trying to maintain. After all, how difficult is it to find out someone's birthday? But the PAC is only half of the "password" - the other part is a student ID.

Again, it's a piece of cake to find out someone's ID. IDs are publicly or semi-publicly available at the student health centers, on computer room sign-up sheets, on identification cards, class rosters, housing lists and elsewhere! The memo does say that those concerned with security can come into the registrar's office to change their PAC, but who's going to go out of their way to do that?

Anyway, changing just those four numbers doesn't do much to stymie the determined hacker. Following a change of PAC there are 10,000 minus one possibilities to try. This is as opposed to the mere 366 possible PACs before that security-aware person changed his or her number. Sure, ten thousand is a lot of numbers to try, but it's certainly not impossible. A touch-tone auto-dialer can phone through all of those in about seven minutes, given unlimited PAC-entry retries per phone call. In any case, I'm using this story to illustrate the principle of least resistance: Users are not going to go out of their way to change access codes if they don't have to. And even if they do, it doesn't matter much. After all, we are hackers.

Let's move back to our discussion of non-random passwords which are generated by computer; or rather, passwords decided upon by the programmer or administrator and selected from data files by the computer.

Computers will select passwords any time a large number of passwords must be assigned at once. During the first week of a college semester, thousands of new accounts must be created for students enrolled in computer classes. For the most part, these accounts are going to be set up with username equal to some truncation or bastardized form of one's real name, and the password will be either one's Social Security number (SSN) or student ID number.

So if you want to hack a college system, start early in the semester - before those passwords get changed by the user to something more secure. Social Security numbers may be easily hacked by brute force, especially when you know how they are distributed.

Social Security (or other ID numbers) may also be obtained through social means (see the chapter on Social Engineering) or by other forms of chicanery. I've sat in on college classes where the instructor hands around a sheet of paper, on which the students are asked to write their name and ID number. This sheet is then handed to the teaching assistant, who enters this information as accounts into the computer system. If you happen to find some classes that operate like this, make sure you sit in the back of the class, where nobody will notice you copying other people's private data. A hand-held scanner/copier makes life easier at times like these.

You can also get names and SSNs from attendance sheets, or class rosters, which usually list both pieces of information for every individual in the class. If the professor doesn't make the roster available for student perusal, make up some excuse to swipe a look at it. For instance, say the registrar had your name incorrectly spelled on your last transcript, and you want to make sure they've corrected the problem. Professors will love any excuse that points out slip-ups in the bureaucracy of the school system. Use their mindset against them!
Several court battles have ruled that use of one's Social Security number in conjunction with one's name in a public environment is unconstitutional, as it is an invasion of personal privacy. Therefore, we may see a trend starting, with SSNs getting used less and less for identification purposes, and an organization-defined
ID number being used in its place. If that's the case, you will have to rely more on brute force to access the array of ID numbers assigned to a person.

Pre-usage passwords won't always be Social Security numbers or other ID numbers. If some non-computer communication is possible between the sysadmin and the user, other words may be assigned as temporary passwords (to be changed when the user logs on).

There might be a generic "new user" password which is given to all accounts, which shouldn't be very hard to crack. Or the password might be something very obscure and security-conscious, like some long string of random characters. It may be necessary to intercept the new user's physical mailbox for that envelope which contains the assigned password.

Password Restraints

Most operating systems weren't developed with security as top priority. Indeed, password-based accounts should be all the security required on a time sharing system. As we have seen, however, too frequently passwords are chosen that are easy to guess. The UNIX operating system does restrain password selection by suggesting that passwords contain no less than five lower case characters, or only four characters if at least one of those is nonalphabetic or uppercase. However, if a user insists on a shorter password, disregarding the plea that security be maintained, that shorter password will be allowed.

Sysops know that most passwords aren't secure, so many have installed programs which disallow obvious passwords from being generated. Passwords are then forced to conform to certain characteristics, such as:
• Passwords must be of a certain length.
• Passwords must include a mixture of upper and lower cases.
• Passwords must include one or more numerals.
• Passwords must include a non-alphanumeric symbol.

One or more of these constraints might be enforced. The program may also test the user's password against a list of known "bad" passwords, which are not allowed to be used.

Not allowing single-case passwords or strictly alphabetical passwords does add some difficulty to a guess-attack, but not much. One time I had someone in mind who I felt certain had "popeye" for a password, due to his large collection of classic comic books and the big deal he always made about Popeye. The system software required a mixture of cases (which helpfully informs you, by the way, that upper and lower case are distinguished by the system), so instead of just trying "popeye", I tried:

Popeye     PoPeYe     popeyE
PopEye     popEYE     popEyE
PopeyE     PopEYE     PoPeye

and also tried each of these with cases reversed, such that PopeyE became pOPEYe (in case the user thought of capital letters as normal for computer keyboards, and lower case the exception). It was highly unlikely that this particular Popeye lover would try anything so bizarre as capitalizing in the middle of a syllable, or without some pattern to it. Indeed, when forced to capitalize, who in their right mind would?

As it turned out, his password was "OliveOyl."

If not capital letters, numbers might be forced into one's password upon first login. Again, you can hardly expect Joe User to break up syllables with a number, and the numbers that are used you should expect to be not more than one or two digits. After all, the user thinks of it as a password. The number will generally be slapped on as a necessary afterthought.

Thus, what you will normally find are passwords in the following forms:

password #
pass # word
# password

Numbers will be those which are easy to remember, or easy to type, like 1 or 0. Numbers from one through 31 should be most common, along with numbers either repeating, ending in zero or nine, such as "888," "500" or "1999." It is reasonable to expect typists to use the numeral "1" substituted in for the letter "l" (lowercase "L"), in passwords which contain that letter. Cyberspace devotees might do likewise, as well as using zero for their required number, putting it in place of the letter "O." This means that if you ever suspect a word that contains the letters "L" or "O," instead of finding something like "cool," "computer," "lucifer," "lemon," or "colts," you may find "c001," "c0mputer," "1ucifer," "1em0n," and "c01ts," where the digits 1 and 0 have replaced the appropriate letters. (Actually, "c001" is usually spelled "k001.")
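A password-acceptance check that accounts for the mangling just described: case mixing, a digit run tacked on the front, back or middle, and 1 and 0 standing in for l and o. This is example Python added here, not a program from the book; the wordlist is a constructed stand-in for /usr/dict/words or a site's "bad password" file.

```python
import re

# Constructed toy wordlist standing in for /usr/dict/words or a site's "bad password" file.
WORDLIST = {"popeye", "computer", "cool", "lemon", "colts", "lucifer",
            "password", "crazy", "surfboard", "subway", "chocolate"}

# Undo the digit-for-letter swaps described in the text: 1 for l, 0 for o.
LEET_UNDO = str.maketrans({"1": "l", "0": "o"})


def base_forms(pw):
    """Return the plain words a mangled password could have been built from.

    Covers the shapes the text lists: "password #", "# password", "pass # word",
    and 1/0 substituted for l/o, with the case folded away.
    """
    low = pw.lower()
    stripped = {low}
    core = low.strip("0123456789")            # leading/trailing digit run dropped
    stripped.add(core)
    for m in re.finditer(r"\d+", core):       # one interior digit run dropped
        stripped.add(core[:m.start()] + core[m.end():])
    forms = set()
    for s in stripped:
        forms.add(s)
        forms.add(s.translate(LEET_UNDO))     # c001 -> cool, 1em0n -> lemon
    return {f for f in forms if f}


def check_password(pw, min_length=6, require_mixed_case=True,
                   require_digit=False, require_symbol=False):
    """Apply the composition rules plus the dictionary check; return the failures."""
    reasons = []
    if len(pw) < min_length:
        reasons.append("too short")
    if require_mixed_case and not (any(c.islower() for c in pw)
                                   and any(c.isupper() for c in pw)):
        reasons.append("single case")
    if require_digit and not any(c.isdigit() for c in pw):
        reasons.append("no digit")
    if require_symbol and not any(not c.isalnum() for c in pw):
        reasons.append("no symbol")
    hits = sorted(base_forms(pw) & WORDLIST)
    if hits:
        reasons.append("mangled dictionary word: " + hits[0])
    return reasons


if __name__ == "__main__":
    for pw in ["PopEye", "Popeye1999", "c001", "pass12word", "OliveOyl", "fMm6Pe#"]:
        print(pw, "->", check_password(pw) or ["ok"])
```

Note that "OliveOyl" and "fMm6Pe#" pass while every case-mixed or digit-padded form of "popeye" is refused, which is the gap the composition rules alone leave open.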


Computer Generated Passwords: Fakery and Analysis of Machine-Generated Passwords

Many passwords that the computer generates on its own will have some flavor of randomness to them. For instance, look at this bit of imaginary program segment:

5 Randomize Timer

100 For i = 1 To 6
110 Char = Int(Rnd * 91)
120 If Char < 65 Then GoTo 110          ' keep only 65..90, the ASCII codes of A..Z
130 Password$ = Password$ + Chr$(Char)  ' string variable, so the $ suffix is needed
140 Next i
200 Print "Your new password is: "; Password$

Here, six uppercase letters are selected independently and concatenated to form the password. The way the letters are selected is that a random number between 65 and 90 is chosen - this correlates with the ASCII code for the letters of the uppercase alphabet. The randomness of the numbers chosen is based upon the randomizer function being used. In this case, pseudo-random numbers are generated based upon the exact time of the computer's internal clock, although randomization could also have been based on a practically infinite, hardware-dependent range of inputs. I said "pseudo" random numbers because no matter how random these numbers may appear to us, to the computer they are just values plugged into a formula.

If the password-making program could be altered in the right way, then all randomly-generated passwords after the time of alteration may be yours for the taking (or deducing). If you have the ability to change the program and save the changes to disk, or the ability to reroute the password-making subroutine, then here are some further items to consider.

The easiest thing to do would be to change the program by getting rid of the randomization factor entirely and simply inserting a `Let Password$ = "EVBIDCL8"` statement. Then every new user would be given the same seemingly random password. The problem is this is not going to go unnoticed by the system administrators (although you might be able to restore the original program before your change is noticed).

A more logical choice is to have the program generate a random-looking password based on some information about the user that you can easily determine from publicly available sources, such as the user's birth date or Social Security number.

Then you can simply plug that piece of information into your copy of the code on your home computer and reproduce the new user's password. One encoding algorithm that works well is to take the sine of the ASCII value of the first six or eight characters of the user's name, then take the second-to-last two values of the sine, convert them to fall within a suitable range, then concatenate the corresponding ASCII characters to form a "word." Thus you have a random-seeming password that can be easily constructed, even by hand. If the username is less than six characters, the remainder could be filled in by a predetermined set.


Figure: A sample username is encoded into an obscure password using the method outlined in the text. On inspection the password seems random and secure, but a hacker can determine a user's password using publicly available information about that user (in this case, the user's last name).


This is just a simple example; your password would have to comply with case mingling, length, or digit sprinkling requirements where appropriate. Forcing a password in this way can help if you run an electronic messaging or bulletin board system: users may get so comfortable with their new, secure passwords (wouldn't you think "rueavz" was secure?) that they transfer them over to other accounts elsewhere.

Another possibility, again requiring the ability to covertly change the password generator, is to alter the randomizer's seed to a constant value, thus causing the program to produce the same series of random numbers each time it is run (as long as the computer stays on and the program is not reset). This is risky though, and unwanted side effects may result.

One method utilizing the flaws in pseudo-random number generators was actually accomplished, and reported on by UNIX co-creator Dennis M. Ritchie in a 1986 security bulletin entitled "On the Security of UNIX." To increase security at a computer installation, the administrators decided to provide safe, computer generated passwords. Each password would be a string of lower case letters and digits, eight characters long. This calculates to 2,821,109,900,000 passwords which, according to Ritchie, on a PDP-11/70 would take 112 years to brute force through all those combinations. But the hacker knew that the random number generator could only take 32,768 seeds, and so only that many possible outcomes needed to be looked at. "The bad guy did, in fact, generate and test each of these strings and found every one of the system-generated passwords using a total of only about one minute of machine time." [Emphasis added.]

Clearly, sixty seconds plus some programming time is worth spending to have access to every account on a system!
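The BASIC segment above and the PDP-11 episode Ritchie described turn on the same fact: a generator's password space is the number of seeds it can start from, not the number of strings its alphabet and length allow. The Python below is an example added here, not code from the book or from any real system; it builds a constructed toy generator with a 15-bit seed (the 32,768 possibilities of Ritchie's account), audits it by enumerating every seed, and shows the hardened form, which draws each symbol from the operating system's entropy source.

```python
import math
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits   # 36 symbols, as in Ritchie's account
LENGTH = 8                                          # eight characters, as in the account


class WeakRng:
    """Constructed toy generator: a linear congruential step whose whole
    future is fixed by a 15-bit seed (32,768 possibilities), mirroring the
    seed limit described in the text. Not any real system's generator."""

    SEED_BITS = 15

    def __init__(self, seed):
        self.state = seed & ((1 << self.SEED_BITS) - 1)

    def next(self):
        # multiplier and increment are the textbook ANSI C example values
        self.state = (1103515245 * self.state + 12345) & 0x7FFFFFFF
        return self.state >> 16


def weak_password(seed, length=LENGTH):
    """Password the toy generator emits for a given seed (e.g. a clock value)."""
    rng = WeakRng(seed)
    return "".join(ALPHABET[rng.next() % len(ALPHABET)] for _ in range(length))


def strong_password(length=LENGTH):
    """Hardened form: draw each symbol from the OS entropy source instead."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def nominal_bits(alphabet=ALPHABET, length=LENGTH):
    """Entropy an administrator would assume from alphabet and length alone."""
    return length * math.log2(len(alphabet))


def effective_space(generator, seed_bits):
    """Enumerate every seed and count the distinct passwords the generator
    can ever produce; that count, not the nominal space, is what matters."""
    outputs = {generator(seed) for seed in range(1 << seed_bits)}
    return len(outputs), math.log2(len(outputs))


if __name__ == "__main__":
    count, bits = effective_space(weak_password, WeakRng.SEED_BITS)
    print(f"nominal space: 36^8 = {36 ** 8:,} ({nominal_bits():.1f} bits)")
    print(f"weak generator actually emits {count:,} passwords ({bits:.1f} bits)")
    print("sample strong password:", strong_password())
```

The audit is the check worth running against any "computer generated" password scheme: if the count of distinct outputs over all seeds is far below the nominal space, the generator needs reseeding from real entropy, not a longer alphabet.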

If you can't insert code to generate machine-made passwords, you might be able to analyze them after they've been produced. This requires having access to a minimum of one password, preferably two or more, from a given system. If you have a legitimate account, there's your first password. If it's a local BBS you're hacking, or some other sort of system where multiple anonymous logons are possible, try calling back a few more times and collect new passwords under different names. Or get ahold of the BBS software or the password-generating routine, and work that to collect various passwords.

Once I was going through some new BBSs that had started up and I came across an ad for a system that was a couple states over but still seemed worth a try. I called up, logged in as a new user, and found it wasn't all that interesting after all - run by a factory supervisor mainly to let site agents order inventory stock. I used the made-up name and address Roger Eichner, 13 Stem Court, North Coast, WA 64203 to log on. The password that was generated was "roghner24." I was astounded! Obviously the program had simply taken the first three letters from my first name, the last four letters of my last name, and stuck a number at the end!

Or had it? I called back a second time, logging in as a new user with a different name. This time there seemed to be no correlation at all with any of the personal information I had given. Now I was not only astounded, but confused as well! Had the first password been simply a fluke? Was the second a fluke? Was it programmed to only sometimes use parts of the username? I called back a third time and again logged on as a new user. Again the password was unrelated to anything I had entered. Now I was pretty positive the first password had just been an unbelievable coincidence. I wrote a message to the system operator, saying he could delete these three new users of his (I supplied their personal info so he would not think I was playing a joke) and I didn't call back until a few weeks later.

Even though my second two passwords were unrelated to both each other and my personal data, I thought that perhaps I had missed something that first encounter, since some of the characters were repeated from one password to the next. Could these characters refer to my baud rate or computer type, or some other parameter that had stayed the same from one login to the next? Or was it possible that what was random about the passwords was which pieces of data it selected to insert into the password? This would account for my name in the first case, and one of the items (which I didn't recognize as relating to me) being repeated in the third call password.

Logging on with the same name, address, terminal characteristics and everything else as I had originally done, I received, to my disappointment, not a computer-generated password but the following astonishing message:
Dear Member:
Sorry about having to go through this again but we've had a problem the last few days. I will have to ask that you be patient with the low access level you will receive until I get a chance to validate you. Please note, when asked to supply a password do not give the one you were previously assigned. Make up a new and totally unconnected password.

See General Posting #1 for explanation.

StRaPmAsTeR === wllLiE ===> (sysop)
Input Password ==>?

General Posting #1 said that a certain (relatively new) user of the BBS, whose handle was Mr. Joke, had kicked into action a "feature" of the BBS software that produced less-than-secure passwords. The previous year the system had "crashed, apparently as a result of a rogue program that was uploaded to file section by Mr. Joke." No further details were given on the cause or nature of the crash, because apparently regular callers of the system already knew the story.

Anyway, you can see how it's possible to occasionally get some good information by analyzing "random" passwords. Even if there doesn't seem to be any discernible pattern, that doesn't mean there isn't one hidden somewhere. There might be some subtlety to the pattern or, if not a pattern, a bug or strangeness that you might be able to spot. For example, in the first version of one BBS program - a program that was so godawful the board folded after about a month - the random password generator would never produce a password with the letter A or the digit 0 in it. Knowing this does help a little: for a seven character password of the form WXYZ123, where WXYZ are letters of one case and 123 are numbers, there are only 284,765,630 possible combinations of letters and numbers, instead of 456,976,000 - a difference of 172,210,370 passwords! This software was riddled with bugs, many of which have become famous as the worst blunders in the history of horrible programming.

Monday 28 November 2011

Password Studies

If you think all of this talk about easily guessed passwords is balderdash, think again. A good number of formal and informal studies have been done to see just how good people are at picking safe passwords.
One such experiment found that out of 3,289 passwords
• 15 were a single ASCII character,
• 72 were two characters,
• 464 were three characters,
• 477 were four characters long,
• 706 were five letters, all of the same case, and
• 605 were six letters, all lower case.

The point being this: That hackers can simply sit down and guess passwords is FACT not FICTION. It can be done, and sometimes quite easily.

Another example of the ease with which passwords can be hacked is the Internet worm which squirmed through the net, disabling much of it, in 1988. The worm had two tactics it used to spread itself, one of which was attempting to crack user passwords. It would first try inputting the typical passwords, like login name, a
user's first and/or last names, and other variations of these. If that didn't work, the worm had an internal dictionary of 432 common passwords to try. Finally, both of these methods failing, the worm went to the UNIX system dictionary, attempting each word in turn, until something hopefully worked. As we know, the worm's method worked superbly.

By the way, if you're ever on a UNIX system and need to do a brute force attack to gain higher access, the system dictionary is very helpful. You can find it in a subdirectory called "/usr/dict." The file is called "words." You can also download this file or capture it to another computer, if you need a plaintext dictionary file for use on other machines. (One problem with using the UNIX dictionary "straight from the box" is that the words it contains do not genuinely reflect words in common English usage. There is a high preponderance of scientific words, due to the manner in which the dictionary was constructed.)

Possible Password Investigation

One of the sources I used to research this book was an unofficial manual for a popular fee-based information service. Throughout that book, the author continuously made references to her pet cat, her love of Philadelphia soft pretzels, her favorite football team, her husband and children, and her newly acquired interest in computers. Not only did references to these aspects of her life abound in the text, they also appeared in illustrations of the service's "Find" command, sample messages and sample letters.

I knew the author's name, of course. I knew she had a membership on this system, and I knew about her life. It was insanely simple to get her personal ID number on the system and, yes, within two dozen password guesses, to access the service under her account. She has since taken my advice and changed her password.

This isn't an isolated example! Every day you and I read newspaper articles, magazine columns, and books - in which the authors give away their computer addresses so readers can respond. Yesterday I heard a radio talk show host give out his CompuServe address for the large listening audience who didn't get the chance to speak out on the air! We know enough about many of these authors and others to be able to make educated guesses of their passwords. Even if an author doesn't mention personal details in the book, there's usually an "About the Author" section to turn to for facts. Many computer books are written by college professors; naturally you'll know what college they're at, and so you have a lead to an account. If the sample program segments they list entail baseball trivia, you've got a good idea where to begin a brute force siege.

With all of this said, I want you to realize this is for informational purposes only. I made the above remarks only to point out some of the lax security around anyone in the public eye. Don't get any funny ideas about breaking my passwords!

Another trick is to look in Who's Who books. Almost all industries have a yearly Who's Who published. Many of these are vanity affairs: people pay to get a writeup about themselves listed. You can get good data from these, and if you can't get enough good data, print up your own official-looking Who's Who form and mail it to the person you have in mind at the company. Make sure the accompanying letter states that once they fill out the form, their entry will be included free of charge in the eventual book, and they will receive one copy of the book, free. This will help ensure that they mail you back the form. It also ensures you get good data to help you crack their passwords.

One more helpful subterfuge, this one involving socializing with cronies at the company. Call up an office and talk to a receptionist or anyone who knows everyone's gossip. Say you're from a new trade magazine specializing in that business's field of endeavor. Ask for the names of all the major department heads, and their secretaries, so you can send them a free trial subscription. Then call back and talk to each of their secretaries. Have them fill out "market research" cards, again for some prize, like a free subscription or a clock radio or something. Typical marketing questions for trade magazine subscribers include inquiries about schooling, degrees held, industry awards, trade association memberships, military service, salary range, and length of service at the company. As the conversation continues, start asking about hobbies and outside interests, favorite sports, names of kids and spouse, and home address. These too are acceptable questions for a market research surveyor to ask; they are also valuable possible password leads.

The short version of this is to call up, say you're one of the assistant editors for a trade magazine, and you're trying to find interesting people in the field. "Do you know of anyone there who has done anything at all spectacular, or has any particularly unusual hobbies?" You might get a "no," but keep pressing: "Anyone with special talent? Musical talent, for instance?" Keep going like this; eventually you'll hit upon something, and you can use the above tricks to find out more about that person than you ever thought you could.

Uncovering a subject's interests is called making up a personality profile or, for hackers, a password profile. The technique is done whenever the hacker has a specific individual in mind, whose computers the hacker wants to crack. If you wanted to read the e-mail and other private files of some head honcho at a corporation, you would go find reports of said honcho in the media, see what he or she likes, and go from there. One popular stratagem, mentioned by Hugo Cornwall in his Hacker's Handbook, recognizes the fact that often a chief person in an organization is given an account to demonstrate the new computer system, under the assumption that setting up a new account is too difficult or time consuming for the busy leader to do on his or her own. This account will of course have a natural English password, something of either the easily-guessed variety, or something from the boss's list of interests. ("Say, Mr. Larsen likes fishing, doesn't he? Put in 'FISH' as the password!") So let's suppose you know a person's hobbies or interests: From there, how do you proceed?

To start, you could go to a library and get all the books you can on that subject. Then make up word banks from the glossaries and indices. People like to use big and (they think) obscure names/words from their coveted subject which they think no one else would ever think of. So you get students of literature using names for passwords, like "Euripides," "Aeschylus," and in general, a mess of lengthy technical terms.

Make up word lists, try them out, and if all else fails you can go on to a new password type. Just because someone's a doctor doesn't mean his password will be "pericardiocentesis." People's lives are composed of many subjects, their occupation being just one.

Passwords Supplied By The User

Most passwords are of the choose-it-yourself variety, and due to security awareness most contemporary programs which ask for a password to be supplied will not accept words of a certain short length which the program deems to be too easily "hackable." Most passwords will be more than four or five characters long. Other measures to protect users from their own lack of password creativity might be taken as well. For example, systems may force passwords to contain a mixture of upper and lower case, numbers, and perhaps disallow obvious passwords (such as "computer").

Software is available for most operating systems which looks through the computer's password files, analyzes user passwords and decides how secure they are. Insecure passwords will be changed, or prevented in the first place. This is one area where your prior research should help you. Generally you will know which of these programs your target has installed, and what passwords the software will not allow.

Regardless of how clumsy-brained or brilliant a person is, all people tend to think alike. It is only through learning that they begin to think in creative ways. Even then, initial assumptions and first conclusions are similar for a given peer group. What this means is that when a person logs onto a computer for the first time, and is prompted for a password - especially if that person is under stress of time or place - that password is likely going to be a variation on some common themes. Imagine some of the situations people are in when they are asked to create a secret password for themselves. They may be calling a remote computer over a long distance phone line, or surrounded by a group of technicians who are there to teach them to use the system. In any case, the prompt is there on the screen and with it, a sense of urgency is brought to mind.

People type the first thing they think of, the first thing they see, or hear, or are hoping to do once they get past the login procedure. The password is entered quickly, and rarely is it changed to a better, more secure one.

Thus, many passwords relate to top-of-the-mind thoughts, such as job, family, possibly current events, possessions, environment, hobbies or interests. If you can either find out or guess any of these traits of a valid system user, the number of potential passwords you will have to guess will decrease significantly. Get catalogs from the companies that make wall posters, humorous mugs and other novelty items one finds around offices. How many times have you seen that tired phrase, "You don't have to be crazy to work here... But it helps!"? I guarantee the word "crazy" gets picked off that mug every day as a password. Think about the age and life-styles of the average user whose account you are attempting to breach. An office in a corporate setting probably wouldn't have a nudie poster hanging up - but a college dorm would, and so you may get passwords such as "playmate," "victoria," "body," or "month."

The easiest way to get a password is to enter it yourself for the user, or to supply the password to the user who is logging on for the first time. You might be acting the role of computer tutor to a novice, and while showing him or her the ropes, downplay the security aspects and allow him or her to tell you the password as they type it, either because they spell it out loud, or because you watch the person's eyes light up as his or her gaze falls upon the wall poster with the word "surfboard" written across the top. (Or they say, "Gee, what's a good secret password? Oh, I know - " and proceed to spell it out to you as they hunt and peck at the keyboard.) Most often you will be hacking away at user accounts that have been long-established. On these you will have to use some kind of either brute force method, observation, social or technical method of password retrieval. Most passwords are dictionary words, like "subway," "table," "chocolate" or "hotdog." Honestly, can you imagine any computer novice sitting down and entering "fMm6Pe#" as a password? Of course not!

Scrabble rules do not apply here: proper names are allowed in password creation, as are misspellings, abbreviations, non-words and foreign terms. Thus a person who likes watching Star Trek may have the password "enterprize" instead of the correct "Enterprise." Whether that's due to bad spelling habits or because he or she simply likes it better that way is unimportant. What is important is that you have to be aware that misspelled words exist in passwordland. You are going to find the letter "k" used in place of hard "c," as in "koka kola." You will find "x" for "ks" (thanx), and other phonetic substitutions, like "lether," "fone" and "stryker." Some hackers will go through every word in the English language until they find something that works as a password. If the password they seek is a real word, but isn't spelled correctly, they are going to be wasting vast amounts of time. Complete brute force dictionary attacks are often fruitless, useless, adolescent ways of doing things.

Many words recur frequently as passwords, and examples are given in the appendices. However, there are many words that you would almost never expect to find as a password on a system. Is it reasonable to suspect a person will enter an adverb for a password? Words of this sort would be the last ones to try. Real-word passwords will generally be nouns ("eyeball," "drums," "kitchen"), verbs (usually obscene ones), and perhaps adjectives ("purple," "great," "happy").

Girl friends, boy friends, and the cute pet names they give each other are popular passwords; these you would have found out from prior research. Also semipopular are passwords with the word "sure" embedded inside them, as in "forsure" or "fursure," "surething" or "asb" (short for "a sure bet"). Besides dictionary words, you can expect to find names of relations, streets, pets, sports teams and foods; important dates and ID numbers, such as social security numbers, anniversaries, or birthdays; and keyboard patterns. Examples of keyboard patterns include "kjkjk," "700u," "WXYZ," "ccccccc," "0987654321," "asdfgh" or "qazwsx." Look at the location of these letters on a keyboard if you are confused about these last two examples. Keyboard patterns will usually be simple repetitions of characters, portions of columns or rows or every-other-letter designs. Keyboard patterns may be wholly unguessable and yet fully logical when you know what's going on at the other end of the phone line. For example, "05AF" may seem a funny thing to pick up from a keyboard, but when you know the computer in question has a special hexadecimal keypad attached, the whole thing starts to make sense.






Figure: A hexadecimal keypad, used by some computer programmers to allow fast entry of numbers in base 16. The keypad illustrates a principle smart hackers will follow: that what you see on your side may be different from what they see on theirs.


Some keyboard patterns I've actually seen being used on systems: "abcdef," "qwerty," "12345," "xxxxxxx," "opopopopp." If you know the minimum password length is six characters, don't expect patterned passwords to go much beyond that minimum.

On the other hand, you can't reasonably try out every possible pattern: there's an infinite number. Beyond a certain point, guessing keyboard patterns is strictly reserved for amateur hour.
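A filter that names the keyboard patterns discussed in this section before a password is accepted: repeats such as "xxxxxxx" and "kjkjk," rows such as "qwerty" and "asdfgh," column runs such as "qazwsx," plus reversed and every-other-key designs. This is example Python added here, not from the book; the QWERTY geometry is constructed, and a hexadecimal keypad like the one in the figure would need its own sequences added to the list.

```python
# Constructed QWERTY geometry; extend the lists for other layouts or keypads.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
COLUMN_WALK = "qazwsxedcrfvtgbyhnujm"     # the key columns, read left to right
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def walk_sequences():
    """Every sequence a 'walk' could follow: rows, columns and the alphabet,
    each also reversed and as every-other-key designs."""
    for seq in ROWS + [COLUMN_WALK, ALPHABET]:
        for s in (seq, seq[::-1]):
            yield s
            yield s[::2]
            yield s[1::2]


def repeated_unit(p, max_unit=3):
    """Return the short unit a password is built by repeating, if any."""
    for u in range(1, max_unit + 1):
        if len(p) >= 2 * u and p == (p[:u] * (len(p) // u + 1))[:len(p)]:
            return p[:u]
    return None


def classify_pattern(pw, min_run=4):
    """Name the keyboard pattern a password follows, or None.

    'repeat:<unit>' for the xxxxxxx / kjkjk style; 'walk:<seq>' when a run
    of min_run or more characters sits inside a row, column or alphabet
    sequence (forward, reversed, or every other key)."""
    p = pw.lower()
    unit = repeated_unit(p)
    if unit:
        return "repeat:" + unit
    for seq in walk_sequences():
        if len(seq) < min_run:
            continue
        for i in range(len(p) - min_run + 1):
            if p[i:i + min_run] in seq:
                return "walk:" + seq
    return None


if __name__ == "__main__":
    for pw in ["qwerty", "qazwsx", "0987654321", "asdfgh", "12345",
               "xxxxxxx", "kjkjk", "opopopop", "abcdef", "OliveOyl"]:
        print(pw, "->", classify_pattern(pw))
```

The walk check deliberately stops at runs of four keys, which is why an ordinary word such as "OliveOyl" passes while every pattern the section quotes is caught.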