Cybercrime

Hackers had a big year in 2011. A phone hacker gave us naked pictures of Scarlett Johansson. News Of The World gave us shame. The “hacktivist” group Anonymous gave us the personal information of a police officer who pepper sprayed non-violent protestors at UC Davis. RSA Security was hacked, probably by a foreign government. My girlfriend looked at my text messages.

The funny thing about all of this hacking is that even as the malware taking control of machines becomes more complex, the way scammers deliver it doesn’t require much technological expertise at all — only a little charisma and an understanding of psychology. It’s called social engineering, and, for an example, look no further than Facebook, where users who are looking for a way to deactivate the Timeline feature on their profiles (which isn’t possible) are being duped into “liking” an app that ultimately gives spammers access to their profiles.

To find out why the old tricks still work, we consulted a panel of tech experts:

- Kevin Mitnick, author of The New York Times bestseller Ghost In The Wires, and at one time the most wanted computer criminal in the United States.
- Kevin Mahaffey, founder and CTO of Lookout Mobile Security.
- Tim Armstrong, malware researcher at Kaspersky Lab, a Russian internet security firm.

What Is Social Engineering?

In the opening scene of the classic film The Sting, the characters Luther Coleman and Johnny Hooker rip off a numbers racket courier by pretending to trust him with a bundle of money and an errand. The courier takes it and goes his own way, thinking he’s made an easy $5K; in fact, he’s the one who’s been duped.

In computer-security parlance, this is called social engineering. Instead of using software or tools to steal passwords or other sensitive information, the hacker tricks the victim into volunteering it up, preying on his trust, carelessness, ignorance, greed, or any other human trait that makes him let down his guard. The attack is a hybrid: Once the hacker breaks down the trust barrier, he can deliver malware, steal information or otherwise exploit the victim’s computer.

“The toughest part is creating the con where people will comply with what’s requested,” Mitnick said. “In social psych it’s been studied that people will do more to avoid a loss than to realize a gain. So you set up a situation in which people will lose something if they don’t comply with your request.”

How It Works: Phone Hacking

Let’s start with phone hacking because it’s been the source of much consternation, especially in the News Of The World scandal. The easiest way to gain access to a voicemail is just to guess the password. “From what I understand from the media, people were really bad at choosing passwords for their voicemail,” Mitnick said. “So the information brokers would just do brute-force voicemail-pin hacking and guess the password — something a schoolboy could do.” If brute force wasn’t their style, the hacker could be a little more clever about it.

Mitnick demonstrated for me the free, open-source software called Asterisk, which turns your computer into a communication server. Using this, the hacker can set up an automated voice prompt system that claims to be the phone company (or credit card company, etc.), spoofs the caller ID so the number looks reliable, pretends to be solving a problem, asks for the pin, and records all of the information entered by touch tone. “It’ll probably take a day and a couple hundred bucks [to hire a professional voice] to set it up perfectly as your bank or cellular phone provider,” he said. “95%-99% of people will do it in a heartbeat.”

Even more unsettling, most phone companies won’t require a pin if a caller is using his own number. Mitnick said a hacker could simply use the caller-ID-spoofing technology to fool the system into believing he was calling from the victim’s handset.
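The two weaknesses described above, guessable PINs and trust in caller ID, can be closed on the mailbox side. The following is an added example, not code from the article or from any phone company: a sketch of a voicemail access policy that rejects easy PINs, never treats the caller's number as proof of identity, and locks after repeated failures. The phone number, the lockout threshold and all names are assumptions made for illustration.

```python
import hmac
import re

PHONE = "2025550147"   # constructed sample subscriber number
MAX_FAILURES = 3       # assumed lockout threshold

def weak_pin_reason(pin, phone_number):
    """Return why a PIN is easy to guess, or None if it passes these checks."""
    if not re.fullmatch(r"\d{4,10}", pin):
        return "must be 4-10 digits"
    if len(set(pin)) == 1:
        return "single repeated digit"
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {9}):
        return "ascending or descending run"
    half = len(pin) // 2
    if len(pin) % 2 == 0 and pin[:half] == pin[half:]:
        return "repeated pair"
    if phone_number.endswith(pin):
        return "matches the end of the phone number"
    return None

class Mailbox:
    def __init__(self, phone_number, pin):
        reason = weak_pin_reason(pin, phone_number)
        if reason:
            raise ValueError(f"PIN rejected: {reason}")
        self.phone_number, self._pin, self.failures = phone_number, pin, 0

    def authenticate(self, caller_id, entered_pin):
        """caller_id is ignored on purpose: the caller controls it."""
        if self.failures >= MAX_FAILURES:
            return "locked"
        if entered_pin and hmac.compare_digest(entered_pin.encode(), self._pin.encode()):
            self.failures = 0
            return "granted"
        self.failures += 1
        return "locked" if self.failures >= MAX_FAILURES else "denied"

if __name__ == "__main__":
    for pin in ("1111", "4321", "1212", "0147", "7396"):
        print(pin, "->", weak_pin_reason(pin, PHONE) or "accepted")
    box = Mailbox(PHONE, "7396")
    print(box.authenticate(PHONE, None))      # own number, no PIN: denied
    print(box.authenticate(PHONE, "7396"))    # correct PIN: granted
```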

How It Works: With Malware

Similar principles apply when hackers try to infect a computer with malware. They often use social networks like Facebook to gain trust and mention a newsworthy topic to capitalize on the average person’s desire for breaking news. “High-profile events are often used to entice users to click on bad links,” Mahaffey said. “For instance, the ‘Shocking New Video of Osama Bin Laden’s Death’ went viral when people clicked this link and shared with friends before realizing that no video existed and that they had fallen victim to a scam.”

Another way people are tricked into installing malware (the most prevalent type of social-engineering attack used by Android malware writers in the first half of 2011, according to Mahaffey) is called repackaging. “A malware writer takes a legitimate application, modifies it to include malicious code, then republishes it to an app market or download site,” he said. “The repackaging technique is highly effective because it is often difficult for users to tell the difference between a legitimate app and its repackaged look-alike.”
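A repackaged app can copy the original's name and look, but it cannot be signed with the original developer's private key, so the signing certificate is the thing a market or a device-management tool can check. The following is an added example, not code from the article or from Lookout: it screens constructed market listings against a pinned signer digest and reports which permissions a look-alike added. Package names, digests and the similarity threshold are all assumptions.

```python
from difflib import SequenceMatcher

# Constructed data: a known-good app pinned to its publisher's signing-cert digest.
KNOWN = {"com.example.notes": {"label": "Quick Notes", "signer": "aa11",
                               "perms": {"INTERNET"}}}
# Constructed market listings to screen (digests are placeholders, not real hashes).
LISTINGS = [
    {"id": 1, "package": "com.example.notes", "label": "Quick Notes",
     "signer": "aa11", "perms": {"INTERNET"}},
    {"id": 2, "package": "com.example.notes", "label": "Quick Notes",
     "signer": "ff99", "perms": {"INTERNET", "SEND_SMS", "READ_CONTACTS"}},
    {"id": 3, "package": "com.exampie.notes", "label": "Quick Notes!",
     "signer": "ff99", "perms": {"INTERNET", "SEND_SMS"}},
    {"id": 4, "package": "org.sample.weather", "label": "Sky Weather",
     "signer": "bb22", "perms": {"INTERNET"}},
]

def similar(a, b, threshold=0.85):
    """True when two strings are near-identical (case-insensitive)."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio() >= threshold

def screen(listing, known=KNOWN):
    """Return a finding if the listing imitates a known app under another signer."""
    for package, ref in known.items():
        same_pkg = listing["package"] == package
        lookalike = (similar(listing["label"], ref["label"])
                     or similar(listing["package"], package))
        if not (same_pkg or lookalike):
            continue
        if listing["signer"] == ref["signer"]:
            return None  # signed by the pinned publisher: genuine
        reason = "same package" if same_pkg else "look-alike name"
        return {"id": listing["id"], "imitates": package,
                "reason": reason + ", different signer",
                "added_perms": sorted(listing["perms"] - ref["perms"])}
    return None

def screen_all(listings=LISTINGS):
    """Screen every listing and keep only the findings."""
    return [f for f in map(screen, listings) if f]

if __name__ == "__main__":
    for finding in screen_all():
        print(finding)
```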

All of these techniques come together in an advanced version of phishing that combines social engineering and actual hacking: spear-phishing.

How It Works: Targeted Attacks & Spear-Phishing

Instead of targeting groups of people with spam or baiting consumers of apps, hackers use spear-phishing to collect information about a specific person within a company and eventually target him with a malware attack. “This could be used to gain access to a particular company for the purposes of espionage or other anti-competitive tactics,” Armstrong said. Google and RSA Security were both attacked using spear-phishing.

It starts with what Mitnick calls information reconnaissance, which can be as simple as using LinkedIn to determine the best target at a company. Then the hacker can probe social networks like Facebook and Twitter to figure out the relationships the person has inside the workplace.

“If you can identify that there’s a relationship with a vendor or supplier or customer, then it puts the hacker in a position to be able to impersonate somebody from that organization,” he said. “And then the whole idea is to build trust and credibility to send a document through email. Once they open the document, it exploits a technical flaw in software on the computer. The social-engineering side is getting them to click that link or open that attachment.”

Unlike voicemail hacking, the network breaches at Google and RSA were extremely sophisticated; but in both cases, social engineering played an important role. Some cons are timeless.

“I just recently did a security test, and how we were able to compromise the entire company — a huge financial software developing company — was through lock picking,” Mitnick said. “Actually breaking into a facility where they had some of their servers.”