Stealing Data? A Sniffer Shows it's Easy
museumpeace writes "Though it's not exactly a How-To of cracking into financial institutions, a few intriguing details are mentioned in a New York Times article "the Sniffer vs the Cybercrooks" (it's worth the cookie). From the article: ""Tell me the things you most want to keep secret," Mr. Seiden challenged a top executive at the bank a few years back.....A week later, Mr. Seiden again sat in this man's office in Manhattan, in possession of both supposedly guarded secrets....""
BugMeNot (Score:4, Informative)
gets you past registration
Re:BugMeNot (Score:1, Redundant)
username AnonymousCoward
password password
Re:BugMeNot (Score:5, Informative)
No, actually, you can't. The NYT routinely removes accounts that are being used by more than one IP.
That's why you need to use the bugmenot.com [bugmenot.com] site mentioned above (i.e. logins that no longer work are removed from bugmenot's database). Furthermore, bugmenot works with other sites besides the NYT.
Also, for Firefox users, you can try the extension [roachfiend.com].
Re:BugMeNot (Score:2)
>> No, actually, you can't. The NYT routinely removes accounts that are being used by more than one IP.
As opposed to somebody that just decides to hijack the account and change the password?
Re:BugMeNot (Score:2)
Yes it is. Why do you think BugMeNot has a "This login didn't work" button?
I've had multiple accounts get deleted while I've been using them and been forced to log in with a new ID.
I have been using the same anonymous registration to access nytimes.com from multiple IP addresses simultaneously for nearly a decade.
I'm not talking about using the same account at both work and home. I'm talking about hundreds of addresses actively using the same account at the same t
Re:BugMeNot (Score:2)
There's a FireFox plugin to integrate this... (Score:2)
Just right-click the login textbox, hit "BugMeNot" and it looks up and enters a login for you. I don't use it often, but it sure is nice to have it.
Re:BugMeNot (Score:2)
well (Score:5, Funny)
Re:well (Score:2, Funny)
The most secure server (Score:5, Funny)
The most secure server is first locked, then secured with a Kryptonite lock. After this, some real Kryptonite is attached to it (remember, it is never secure as long as Superman can bust into it). After this, it is encased in carbonite with a scarecrow wearing a Jar Jar Binks mask. The entire assembly is left in Jabba's palace. Don't worry, no one's gonna even be thinking of approaching the thing to rescue Jar Jar.
Just in case anyone does, we have an "I Love the Bee Gees" bumper sticker on the side. Also, we've moved it to a position standing right behind Jabba's toilet. I dare you to approach it.
Re:The most secure server (Score:5, Funny)
You mean the ones you can unlock with a Bic pen?
we have an "I Love the Bee Gees" bumper sticker on the side.
Thereby guaranteeing it will be blown up by an anti-disco activist---as in "If we don't blow up this server, the disco Taliban will have won."
Clearly, the best way to protect the server is to put it in a large bucket, then to pour molten titanium into the bucket. Then encase it in carbonite.
Re:The most secure server (Score:1)
oh, logic- where are you in my time of need?
Re:The most secure server (Score:2)
And yeah, the pen trick works on them.
Re:The most secure server (Score:2)
Re:The most secure server (Score:2)
Sounds like a hint for an alternative reality game [ilovebees.com] starring the brothers Gibb [beegeesonline.com].
It's way too late for puns...
Re:The most secure server (Score:2)
Forgot? (Score:2)
Don't forget the black widows (Score:2)
You realize that all of this can be defeated with Tom Cruise lowering himself into the room on wires. Keeping a nice healthy population of large black widow spiders inside the room would greatly reduce the chance of success of such missions.
Re:well (Score:2)
Re:well (Score:3, Funny)
Insecure servers are ones that felt unloved and neglected, and often engage in needy or self-destructive behaviors to compensate, leaving unnecessary services active and ports open to get the attention it never had as a child... (process)...
Re:well (Score:2)
Re:well (Score:2, Insightful)
Good thing...but far from perfect? (Score:5, Interesting)
Re:Good thing...but far from perfect? (Score:5, Interesting)
Of course when I went to work on their machines, they would have their passwords on post-it notes on the keyboard.
On more than one occasion, somebody would yell "hey Cindy, I need to use the blah blah system; what's the password". Cindy would yell it back to them - during business hours with lots of extra people in the room.
Lock your network all you want, but if you hire idiots or people who don't care, it's an easy way to lose.
Re:Good thing...but far from perfect? (Score:3, Funny)
Re:Good thing...but far from perfect? (Score:2)
Re:Good thing...but far from perfect? (Score:2, Interesting)
Re:Good thing...but far from perfect? (Score:2, Interesting)
Re:Good thing...but far from perfect? (Score:2, Funny)
Re:Good thing...but far from perfect? (Score:2)
Good points (Score:5, Interesting)
In practice, almost no organization is going to install all of the above. Even the US Government, which is not short of ready cash, is getting far poorer grades on their network security audits than they should.
However, if you define the "target" or "ideal" security schema, then you have something you can compare against. IMHO, the above description is the "ideal", in that it is unlikely that anyone would be able to break in using technological methods.
The remaining problem - social engineering - is not something you can program against. The description I outlined, if implemented in full, would provide enough checks and counter-checks to require someone using social engineering to get past several people, which raises the bar a little but does not make it hard enough.
("Hard Enough" is defined here as making it an impractical method for typical IT situations.)
Re:Good points (Score:5, Insightful)
1. Education
2. Education
and
3. Education
Without education, a junior sysadmin can open ports on your firewall, or run up their own harmless little p2p box in the DMZ.
Users will share their credentials, or choose weak ones.
Someone will find the false positives from the NIDS to be annoying, and route the output to /dev/nul
Removed code will be reinstalled. And so on...
All is in vain without education.
Re:Good points (Score:2, Insightful)
Re:Good points (Score:3, Insightful)
I don't understand this obsession with open ports. The firewall is a kludge to make up for insecure services that you haven't managed to turn off on machines behind it - if there are no insecure services running, there's no security issue.
Now, I'm not going to argue that you shouldn't have firewalls, because they protect against random idiots turning on services that should be turned off as well as against some OS network stack vulnerabilities, but I can *assure* you that if a competent JR System administ
Re:Good points (Score:2, Interesting)
-web traffic from the outside
-management traffic from the inside
This is where the firewall comes in. I especially don't want people trying to get into management on the server even though the passwords are solid.
And no, you don't want to solve this with a management interface on the server, then anybody that gets into the server can get to the management of all the servers.
I agree that the server itself should be secured as well, but s
Re:Good points (Score:2)
Normally, a webserver has a public IP and needs to be able to accept and respond to incoming HTTP requests on port 80 from any internet address.
Additionally, people need to be able to manage the server - a simple UNIX setup would give the entire internet access to SSH on port 23.
A more paranoid UNIX setup would restrict SSH access to a specific range of IP addresses through the SSH configuration. (Note that it doesn't matter if the allowed IP range is "inside the firewall" or not.)
In either case, a fire
Re:Good points (Score:2)
Doing everything in your list to perfection still is pretty useless if you haven't got at least basic physical security.
Re:Good thing...but far from perfect? (Score:5, Insightful)
Most people in most companies have a fundamental lack of understanding of what the security risks are and what their nature is, even after you explain it to them.
For any given security risk, high- and mid-level management expect to simply be able to buy one expensive product to fix it (not really even understanding what it means to "buy" a security product in the first place--that's IT's job). They don't even understand that there could possibly be anything more that needs to be done, and it's very difficult to get them to understand this.
And if there is no commercial product that advertises itself specifically as "the fix" to a given security risk, management often refuses to even conceive that the risk might exist, so trapped are they in the worldview that "if there's really a problem, someone will have made a product to fix it; if no-one sells a product to fix it, then it must not actually be a problem."
Things like changing the settings of a product or altering behaviors of employees or the topologies of network are simply beyond their understanding because they just don't have that deep a view of the technology-- the entire corporate network is just a pile of magic products to them and any product will either fix a problem, in which case it's a good product, or it won't, in which case (they believe) they bought the wrong product.
As far as they are capable of understanding, throw some IBM, some Cisco, and some Microsoft all into a cement mixer and stir, and *boom*, corporate network and you have "instant 21st century!"
NYT Registration (Score:4, Insightful)
Just a thought
Re:NYT Registration (Score:2)
nice (Score:5, Insightful)
Having you put in jail for threats of terrorism to shut you up about their secrets, or paying the IT guys overtime to fix the holes?
protect yourself using SATAN (Score:1, Informative)
Re:protect yourself using SATAN (Score:1)
Re:protect yourself using SATAN (Score:1, Insightful)
Re:protect yourself using SATAN (Score:1)
IANAHacker, but wouldn't the obvious thing be to use the DNS responses to the other computers, seeing as you're sniffing their data anyway? I'm sure a completely passive sniffer is possible...
Uhhh... (Score:3, Insightful)
There are sniffer detectors out there, but I'd not want to use SATAN for it.
Re:Uhhh... (Score:3, Informative)
copy of said patch (Score:4, Funny)
#!/bin/sh
# Idiots getting their panties in a bunch of a friggin' program name!
# Fine, here:
mv
echo "Happy now?!"
Re:copy of said patch (Score:2)
You can also sacrifice a virgin... (Score:2)
Re:protect yourself using SATAN (Score:2)
Wouldn't work at range, but at least it wouldn't show up as a physical connection to the network...
Re:protect yourself using SATAN (Score:2)
1. Basically you take 2 audio matching transformers that are center tapped on the primary, and not center tapped on the secondary.
2. Connect the outputs of each transformer's secondary side to the copper pair as is normal in telephone applications.
3. To the outer taps on each transformer's primary, inject a known and different signal.
4. on
Basic Security Lesson: (Score:5, Insightful)
Another lesson -- put AP mines in your crawlspaces.
According to an earlier story... (Score:3, Interesting)
Re:According to an earlier story... (Score:2)
That's exactly what happened where I work, some months ago. A guy entered the building (an endless string of repairs and re-repairs means there are always lots of construction workers and the like), went to the last floor (where management sits :), harvested three or four top-of-the-line laptops, and went away unmolested.
That was at lunchtime. When the bosses came back, you could hear the cursing from three floors below!
Thank God someone had been thinking for once an
Re:Basic Security Lesson: (Score:3, Interesting)
Re:Basic Security Lesson: (Score:3, Interesting)
One time I was working as a temporary IT monkey at the company which had decided to change something to do with its email (I forget what exactly). It involved basically going around every computer on the site (which was big) and manually changing the settings on Outlook for each one. I was a temp and hadn't been there long so I didn't have an ID card or a door swipe card. Also, it was dress-down Friday so I wasn't wearing a smart shirt or tie - just jeans and a t-shirt. Eventually we got to the marketing de
Re:Basic Security Lesson: (Score:2, Interesting)
Using anti-personnel mines in the crawlspaces would make working down there rather risky, would probably be illegal in most civilised countries and would do a lot of damage to your network infrastructure if an intruder or employee set them off.
Re:Basic Security Lesson: (Score:2)
Re:Basic Security Lesson: (Score:2)
Dan Quale?!? Is that you?
(I jest, no offence intended)
Mycroft
Re:Basic Security Lesson: (Score:2)
Not so hard to do, when you're a hired security consultant. I'll bet it's much harder not to act like a thief when you are a thief, with real consequences for getting caught.
Assume pure chutzpah works 90% of the time - that would be a good record for a penetration tester, but a professional thief wouldn't last long with those odds.
It might be easy to waltz out with some computers, just bring a dolly and look like you know what
Re:Basic Security Lesson: (Score:2, Insightful)
Reg Free (Score:5, Informative)
http://www.nytimes.com/2005/07/31/business/yourmo
no reg required
Re:Reg Free (Score:2, Informative)
http://nytimes.blogspace.com/genlink [blogspace.com]
The reg free url is
http://www.nytimes.com/2005/07/31/business/yourmoney/31hack.html?ex=1280462400&en=31158975e4a4090a&ei=5090&partner=rssuserland&emc=rss [nytimes.com]
The first page of the article was semi interesting. I didn't read the rest.
Re:Reg Free (Score:3, Informative)
-volve
Re:Reg Free (Score:2)
Or use Ref spoof for FireFox :) (Score:2)
But the real hack is to include a greasemonkey hack for nytimes.com called nytspoof [shiwej.com] .
This all goes to prove that never trust what the user's browser says :)
Penetration testing (Score:1)
My prurient is definitely interested!
Interesting article.
yummy! (Score:2)
So he'd be one of the fat geeks then.
Re:yummy! (Score:2)
Bingo!
It is very easy (Score:5, Interesting)
Due to the nature of the job it is difficult to get passes or keys to move around immediately, especially into secure areas. So you put on your charm and off you go.
It is very easy to take things. Just look like you know what you are doing and where you are going.
Be presentable and nice, be friendly with the receptionists/secretaries/admin, and you can go anywhere.
I have been let into computer rooms that are supposedly secure, I have been assisted by security guards in loading computer gear into my car, I have had secretaries hold doors on elevators so I could get stuff in. I'm talking thousands upon thousands of $$$ worth of stuff. All of them took my word for it, never questioning or phoning to find out. I have never had to show ID.
I have actually had one employee of a major oil corporation watch me follow him in through the doors, ask me, "Where are you going? Who are you?"
This was going into their engineering areas, from which I'm sure numerous other oil companies would love to see the data.
I replied that I am a computer tech and visiting XXXXXXX. "Who? Are they on this floor?" "Yeah, they are, around the corner." (I really only had an office number
Many, too many to count, I have just knocked on the door and asked for Mr. S.A.S. "Oh, I'm here to take a look at his computer, he said it wasn't working. Can I see it?" Then they lead me to the office, in which Mr. S.A.S. isn't there. "Well, I'll just start and he'll come back and I'll let him know. Thanks." Then they leave.
It doesn't matter how secure it is, like the article points out, being sociable gets you lots of open doors.
Crazy part is that I pride myself on this "talent." It's much simpler to talk your way through than to have to run all over getting ok's and escorts into areas.
Re:It is very easy (Score:2, Funny)
I wouldn't want to see him, heard he's always bent out of shape.
Mod lame.
Re:It is very easy (Score:2, Informative)
However my experience is that organisations where security really(!) matters, or handling very big money, you just don't get in the door unescorted.
And in one case, by appointment only, no electro-magnetic media, no electronic devices, physical search, photographic id, and they took a photo as you enter (just for the record).
Most of these also had serious network
Re:It is very easy (Score:2)
"Security by obscurity" has gotten such a bad rap because so many people have repeated it so often, but it isn't that bad. It's bad when it is relied upon instead of using it as a layer in defense in depth. Using it in conjunction with other security methods is not bad.
(Maybe you were saying it was the only method used, but my English parser broke trying to understand your pa
Re:It is very easy (Score:2)
Reg free link (Score:1, Informative)
http://www.nytimes.com/2005/07/31/business/yourmo
Knowing is half the battle. (Score:3, Insightful)
Once the executive told him where to target, that made it much easier. If you're talking about sniffing the entire network output of a company looking for important stuff... that's a much harder task.
Security through obscurity (Score:3, Insightful)
New Article, (Score:2)
Social Engineering.
Enuf said.
Customer service (Score:3, Interesting)
I worked for several years in corporate security (good money/awful job), and it was the cardinal sin to piss someone off. On one occasion, a white guy showed up on a weekend with a pass card with a Vietnamese woman's name on it that wasn't cleared for access to the floor he wanted to get onto, which was the executive floor of a bank nonetheless.
The ten minutes it took to verify this guy's identity were the cause of a major spat between him (he turned out to be a VP of some sort) and my employer (the building management) that took days to blow over.
Some of my colleagues would simply give in if someone was pushy enough. No one wants to be the person who said "No" to the wrong person, no matter what the circumstances.
Re:Customer service (Score:2)
Re:Customer service (Score:2)
Re:Customer service (Score:2)
Yeah, there are tellers. There is also one president. Big banks have a few Cxx titles. For the most part though, it is teller or Vice president.
Obligatory Trek reference (Score:2)
Re:Obligatory Trek reference (Score:2)
d'objet direct (Score:2, Interesting)
http://www.pacifict.com/Story/ [pacifict.com]
that says a lot about corporate security.
At any rate, the main point of the article is that there is a cost/benefit to security (security is expensive and can hamper productivity), but that most of the time people/corporations don't even bother looking for simple effective measures that would reduce the risk for little or no extra cost.
The reality of the situation... (Score:4, Insightful)
That, right there, was the single biggest security breach. By far, the amount of data that is out there is simply too much for a random hacker to grab some data and make a profit from it. He needs to know what data he can use. Professional data thieves already know what they want to steal, but they are not the types to simply be stopped by security measures of any kind. If worse comes to worse, he can always just get a job as a janitor, or better yet, a security guard at the place he wants to steal from and flout ALL security measures.
Security and Big Corps (Score:3, Insightful)
Hence most security in Big Corps is to prevent media people getting notice of security breaches.
HTH.
Guy in the photo looks like.... (Score:2)
Oh my God! Harold Shipman has come back from the dead and is breaking into my network!
Why? (Score:3, Insightful)
Seriously, why NOT post a regfree link? You KNOW damn well they exist, so what the hell is the problem?
Instead of wasting our fucking time by either registering or logging in, you should spend an extra 2 minutes finding the regfree link.
Be a bit more courteous.
Re:Ahem. (Score:1)
Interestingly, this time round it is "stealing data" - what else would you call walking out with a complete set of the company's backup tapes?
Re:Terminology (Score:2)
Much like a "computer" was a person who computes, long before there were machines of that name, you could call a "sniffer" one who seeks out information, without the need for a computer.
Funny though, the stuff he describes is basically the same stuff that Kevin Mitnick described as to how he could acquire his own information. Given that, as f
Re:Terminology (Score:2)
I could be wrong, but I think the restriction on Mitnick not being able to touch a computer has expired. Also, he's now written his seco
Re:Tootsie Roll? (Score:2)
Re:Tootsie Roll? (Score:2)
Re:Stealing? (Score:2)
did you pay attention? (Score:2)
Re:a couple of stories (Score:2)
I used to visit our company's cage at an Exodus data center to install my server code and it seemed like Fort Knox:
Re:yep (Score:2)