Thursday, 15 December 2011

Borderline Hacking

I want to talk about some non-hackerish ways of dealing with hacking problems. There are times when some need forces a hack to be accomplished under time constraints. When that is so, the usual time consuming methods may fail us, and so one must resort to desperate measures. For the most part this is a topic related
to doing hacking as a job, which I feel is important to bring up because lately being a hacker-for-hire has become an issue in the hacking world.


Hacking For Ca$h

There are hackers who have "made good," be-coming security consultants for corporations and governments. These turncoats have received criti-cism from two directions. From the hackers: "How dare you do this to us!" (Rebuttal: "Obviously you are not a real hacker. A True Hacker would delight in trying to outwit another
hacker's attempts to beef up security.") From the law-abiding citizens: "We couldn't trust him before, why should we trust him now?" and "Just because you know how to break into systems doesn't mean you know how to prevent them from being broken into." These are all valid points.

If you wish to enter this line of businessf you are not alone. Companies have paid as much as $20,000 - possibly more - to have a hacker at-tempt to gain access to their computers. "Tiger teams" is the term for groups of hackers or some-times lone hackers who are hired by an organiza-tion to put their security to the test. If you decide to pursue such a path, you will want to project an air of professionalism and sincerity. You have to prove to them you are a competent hacker, but you can't let them know that there is a rebellious spirit inyour heart.

Remember that computers are vulnerable not only to crackers. There are also viruses, improper computing environments, loose-lipped employees and other hazards that can make even a tightly sealed ship sink. Preparing the owners for any catastrophe will earn you extra respect and recommendations for other jobs.
To touch on the second criticism of the "law-abiders," it is important to offer solutions to any se-curity loopholes you uncover in your investigation. You are a hacker, so you know how hackers think. You know their minds and their methods, and so, yes, you have the expertise to recommend action that will prevent invasion of their system. Explain to your employer why it is important that each of your suggestions be followed. Tell them what you did to get in, the weaknesses you saw, and the po-tential trouble spots for
the future.

Other suitable clients are private individuals who are concerned with the information being stored on them in databases. Hackers have been hired to alter phone numbers, find unlisted num-bers and addresses, remove fines, look up license plate data and change school grades, among other jobs. Hacking a business's computers under con-tract for that business is a perfectly legal occupation, but when you start helping people access and perhaps change their data files, you have stepped into the unlawful zone. Therefore, you should be very careful about who you deal with and how much you let those people find out about yourself.

Hacking is a hobby. Once you start getting paid for it you run into a problem: What happens if you can't complete a job?

True, nothing should be too tough for the Super Hacker like you, but occasionally you might have a deadline or unexpected difficulties and the system that looked so fragile when you began now looms as a large and impenetrable monster that is beyond your capabilities. That's where foul play comes in. Hopefully you won't
have to resort to anything less than hacker's methods. On the other hand, if you have reached a point where you must choose be-tween balking the job or finishing it in an untradi-tional way, you might decide to do the latter to keep your good reputation intact.

Besides, there's no sense in restricting yourself to hacker techniques when the bulk of penetrators are going to use these uncouth methods anyway. If a company is paying you to stop intruders, you'll want to make certain that there really is no way that these blunt methods, commonly used by non-hackers to gain access, will be
viable. Therefore, you might have to try them out on the system you are being paid to protect.


Filthy Tricks

These tricks are filthy because they are the kinds of things a rank amateur would do. These "techniques" are strictly for non-hackers. I'd go so far as to say these are the kinds of things a non-computer-user would do! When I say 10computer user," I mean someone who uses a com-puter because they want to, as opposed to someone who does so from necessity.

Often these tricks are used as a precursor to some sort of theft, or espionage - topics which lay on the fringe of true hacking only because they in-volve computers. A true hacker must know these tricks exist, but would use them only as a last resort - and then only with severe motivation to break in.


Bribery

You might not want to bribe the system admin-istrator, but there will probably be some underlings who also have "God access," who may be willing to lend same to you, for a price. I would suggest you use bribes to pay for access to the system, rather than bribing the person to carry out computer work for you. After all, you
want him to remain unin-volved in your affairs; if you're spying by com-puter, the last thing you need is a company insider knowing that you're doing so. Have the bribe pay for either access to that per-son's account, or to a newly created superuser ac-count. If the latter, only log on when the bribee is not on duty, so that he or she won't get curious and look to see what you're up to. Offering money in exchange for a specific serv-ice to be performed (like offering $500 to change a grade from an F to an A) is even tackier, and more dangerous, than just paying for system access. For Instance, in 1973 a computer operator employed by the Illinois Driver Registration Bureau was given a $10,000 bribe to steal a tape reel which contained personal information about drivers registered in that state. Considering that Departments of Motor Vehicles are some of the easiest and safest of,corn-puter systems to hack into using social engineering, it was both foolhardy and expensive to pay that much. My source of information on this case does not mention whether or not the people who offered the bribe were apprehended, but just the fact that we know about the bribe implies they were not successful. (Or at the very least, that future at-tempts would be less likely to succeed.) This is why you should hack if you can hack, and use other methods ("filthy tricks") only as a last resort - and then only to get into the computer, not as payment for the information you seek.

Besides, with system access 'you can try-before-you-buy, and you will be sure to get your money's worth, especially since once you have logged on, you can create your own superuser ac-count that the person you bribed doesn't know about.


Booze And Broads

Yes! It sounds like science fiction but it's true! There have been reported cases of crackersgaining access to computers by supplying alcohol,drugs and even prostitutes to the security person-nel at a company. An article
by Douglas Waller inthe May 4, 1992, issue of Newsweek reported that a Japanese competitor to a "Midwestern heavy manufacturer" had outbid them one too many times. Upon investigating, it was found "that theJapanese firm had recruited one of the manufacturer's midlevel managers with a drug habit to passalong confidential bidding information." This sortof dealing sounds risky to me, because who knowswhat someone's liable to do once you've gottenthem drunk or high? But that's why I'm sayingthese are the "techniques" used by the computer illiterate.


Bad Feelings

This isn't exactly a dirty trick, but it feels like one. If you can manage to find yourself a worker who feels maligned by the company, possibly one who is about to leave, especially one with pro-gramming ability - then you've got it made. Play up his or her bad feelings toward the company. Remind them how the company
screwed them, didn't recognize their good work, and continuously passed them over. Without being specific, say you want to help them get revenge on the company. Of course, a hacker does no such thing, but if you can incite the disgruntled employee into action, he will get the blame for your own hackerish misconduct. (I know, I'm cruel sometimes.) In any case, employees who are moving on to greener pastures, or those who are disgusted with their bosses, are a great source of inside informa-tion, including company lingo, phone directories procedures and policies and, of course, passwords. If your goal is to penetrate a system run under top notch security, getting a friend on the inside may be your only hope. But an ex-employee doesn't have to leave angry to be of use. Anytime you hear of an employee either quitting or being fired there is the opportunity to find out that blessed data. Af-ter all, computer accounts live on long after an employee has left a company. Once someone has left the company, what does he care whether you use his password or not?