Stealing Data? A Sniffer Shows it's Easy

museumpeace writes "Though it's not exactly a How-To of cracking into financial institutions, a few intriguing details are mentioned in a New York Times article, "the Sniffer vs the Cybercrooks" (it's worth the cookie). From the article: "'Tell me the things you most want to keep secret,' Mr. Seiden challenged a top executive at the bank a few years back... A week later, Mr. Seiden again sat in this man's office in Manhattan, in possession of both supposedly guarded secrets.""
  • BugMeNot (Score:4, Informative)

    by Fermatprime ( 883412 ) on Sunday July 31, 2005 @03:48PM (#13209600)
    http://www.bugmenot.com/ [bugmenot.com]

    gets you past registration
    • Re:BugMeNot (Score:1, Redundant)

      by Romancer ( 19668 )
      or we can all use this from now on:

      username AnonymousCoward
      password password
      • Re:BugMeNot (Score:5, Informative)

        by pyrrhonist ( 701154 ) on Sunday July 31, 2005 @04:57PM (#13209878)
        or we can all use this from now on: username AnonymousCoward password password

        No, actually, you can't. The NYT routinely removes accounts that are being used by more than one IP.

        That's why you need to use the bugmenot.com [bugmenot.com] site mentioned above (i.e. logins that no longer work are removed from bugmenot's database). Furthermore, bugmenot works with other sites besides the NYT.

        Also, for Firefox users, you can try the extension [roachfiend.com].

        • > or we can all use this from now on: username AnonymousCoward password password

          >> No, actually, you can't. The NYT routinely removes accounts that are being used by more than one IP.

          As opposed to somebody that just decides to hijack the account and change the password?
    • roachfiend.com

      Just right-click the login textbox, hit "BugMeNot" and it looks up and enters a login for you. I don't use it often, but it sure is nice to have it.
    • http://www.wilmingtonstar.com/apps/pbcs.dll/article?AID=/20050731/ZNYT05/507310389/1002/Business [wilmingtonstar.com] or you can go to the local paper reprints [not local here, but it must be somewhere]...
  • well (Score:5, Funny)

    by chrisxkelley ( 879631 ) <chrisxkelley@@@gmail...com> on Sunday July 31, 2005 @03:54PM (#13209642) Journal
    just takes ya back to the saying "the most secure server is one that's offline" :)
    • Re:well (Score:2, Funny)

      by Anonymous Coward
      Essentially, you're claiming that the most secure server is the one linked from Slashdot?
    • by AtariAmarok ( 451306 ) on Sunday July 31, 2005 @04:00PM (#13209667)
      "just takes ya back to the saying "the most secure server is one that's offline" :)"

      The most secure server is first locked, then secured with a Kryptonite lock. After this, some real Kryptonite is attached to it (remember, it is never secure as long as Superman can bust into it). After this, it is encased in carbonite with a scarecrow wearing a Jar Jar Binks mask. The entire assembly is left in Jabba's palace. Don't worry, no one's gonna even be thinking of approaching the thing to rescue Jar Jar.

      Just in case anyone does, we have an "I Love the Bee Gees" bumper sticker on the side. Also, we've moved it to a position standing right behind Jabba's toilet. I dare you to approach it.

      • by theonetruekeebler ( 60888 ) on Sunday July 31, 2005 @04:10PM (#13209713) Homepage Journal
        first locked, then secured with a Kryptonite lock

        You mean the ones you can unlock with a Bic pen?

        we have an "I Love the Bee Gees" bumper sticker on the side.

        Thereby guaranteeing it will be blown up by an anti-disco activist---as in "If we don't blow up this server, the disco Taliban will have won."

        Clearly, the best way to protect the server is to put it in a large bucket, then to pour molten titanium into the bucket. Then encase it in carbonite.

        • "Clearly, the best way to protect the server is to put it in a large bucket, then to pour molten titanium into the bucket. Then encase it in carbonite."
          oh, logic- where are you in my time of need?
        • The good Kryptonite locks use regular keys and are not the crap circular-key locks you're referring to. Not too many places still carry those locks after all the publicity, but you still see them on a lot of coin-op washers and driers.

          And yeah, the pen trick works on them.
        • Actually, the most secure vault ever, at least among those someone with non-trivial firepower has tried to break into, was the one at the Afghanistan Central Bank. It contained 20,000 pieces of ancient gold coins and relics and the country's gold reserves. The Taliban tried to break into it, even shooting it with rockets from an attack helicopter, but they couldn't break in. They wanted to dynamite it but decided against it as they figured out that would have collapsed the whole building on top of the vault.
      • Just in case anyone does, we have an "I Love the Bee Gees"

        Sounds like a hint for an alternative reality game [ilovebees.com] starring the brothers Gibb [beegeesonline.com].

        It's way too late for puns...

    • I remember a very famous company operating an important web site a while back that claimed they had iron-clad security when it came to the way they stored and protected their data from intruders. One day they came to work only to find out that someone had broken in to their company and had loaded all their servers into a truck and left. (--As heard on DSLReports)
    • Re:well (Score:3, Funny)

      by Lemmy Caution ( 8378 )
      The most secure server is one that was raised in a supportive environment with lots of positive reinforcement. "You're a very good server! Everyone likes you, server!"

      Insecure servers are ones that felt unloved and neglected, and often engage in needy or self-destructive behaviors to compensate, leaving unnecessary services active and ports open to get the attention it never had as a child... (process)...
    • Re:well (Score:2, Insightful)

      Don't forget, the cost of hacking a network is a function of the sysadmin's salary and his loyalty to the company.
  • by deathgeneral ( 904011 ) on Sunday July 31, 2005 @03:56PM (#13209650)
    I think that it's good that we see companies more involved and interested in tightening up their security. Most companies just buy expensive firewalls and other systems to protect their data, but ignore other obvious threats like someone just walking into their offices and sitting down at an unused workstation and browsing around the company's network. Security is multi-layered and a continuous process; that means even if they went through a security audit and everything was OK, they shouldn't stop improving their security. There's always a fast-paced race between those who protect and those who will try to pass that protection. Hope this story gives other companies which don't care about security a real reason to make an audit in the very near future.
    • by Skynyrd ( 25155 ) on Sunday July 31, 2005 @04:15PM (#13209731) Homepage
      I used to work for a school district as an IT guy. The ignorant trolls in the personnel department demanded their own locks on the doors (my master wouldn't work) and all sorts of other "special" security.

      Of course when I went to work on their machines, they would have their passwords on post-it notes on the keyboard.

      On more than one occasion, somebody would yell "hey Cindy, I need to use the blah blah system; what's the password". Cindy would yell it back to them - during business hours with lots of extra people in the room.

      Lock your network all you want, but if you hire idiots or people who don't care, it's an easy way to lose.
    • Good points (Score:5, Interesting)

      by jd ( 1658 ) <imipakNO@SPAMyahoo.com> on Sunday July 31, 2005 @04:59PM (#13209886) Homepage Journal
      I'd consider security as being essentially split into the following layers:

      • Stopping intruders getting onto the network in the first place (firewall, limited use of public IP addresses, etc)
      • Stopping users on the network from accessing machines they shouldn't (ie: strong user authentication, eg: Kerberos)
      • Stopping machines on the network from accessing other machines they shouldn't (ie: strong host authentication)
      • Stopping sniffers and vulnerability scanners by using encrypted network traffic (eg: IPSec, Sun SKIP, or something similar)
      • Removing code that has known exploits, to prevent the bypassing of any of the above
      • Using Active NIDS to detect attempts to break the security

      In practice, almost no organization is going to install all of the above. Even the US Government, which is not short of ready cash, is getting far poorer grades on their network security audits than they should.

      However, if you define the "target" or "ideal" security schema, then you have something you can compare against. IMHO, the above description is the "ideal", in that it is unlikely that anyone would be able to break in using technological methods.

      The remaining problem - social engineering - is not something you can program against. The description I outlined, if implemented in full, would provide enough checks and counter-checks to require someone using social engineering to get past several people, which raises the bar a little but does not make it hard enough.

      ("Hard Enough" is defined here as making it an impractical method for typical IT situations.)

      • Re:Good points (Score:5, Insightful)

        by Hal9000_sn3 ( 707590 ) on Sunday July 31, 2005 @05:09PM (#13209913)
        You seem to have left out the three most important things.

        1. Education

        2. Education

        and

        3. Education

        Without education, a junior sysadmin can open ports on your firewall, or run up their own harmless little p2p box in the DMZ.

        Users will share their credentials, or choose weak ones.

        Someone will find the false positives from the NIDS to be annoying, and route the output to /dev/null

        Removed code will be reinstalled. And so on...

        All is in vain without education.

        • Re:Good points (Score:2, Insightful)

          by timmarhy ( 659436 )
          I tend to agree with education being important, apart from letting them choose their own passwords, since people will always choose crap passwords. I have found the most helpful thing you can do to enforce security policies is to get the staff on your side. A fun demonstration or something to keep them involved and not feeling like the enemy. Often when people instigate security policies staff end up in a them vs you situation. And in that case you're going to lose, because insiders will always find a way to thw
        • Re:Good points (Score:3, Insightful)

          I don't understand this obsession with open ports. The firewall is a kludge to make up for insecure services that you haven't managed to turn off on machines behind it - if there are no insecure services running, there's no security issue.

          Now, I'm not going to argue that you shouldn't have firewalls, because they protect against random idiots turning on services that should be turned off as well as against some OS network stack vulnerabilities, but I can *assure* you that if a competent JR System administ

          • Re:Good points (Score:2, Interesting)

            by ysachlandil ( 220615 )
            When I manage a webserver there are two different types of access needed:

            -web traffic from the outside
            -management traffic from the inside

            This is where the firewall comes in. I especially don't want people trying to get into management on the server even though the passwords are solid.

            And no, you don't want to solve this with a management interface on the server, then anybody that gets into the server can get to the management of all the servers.

            I agree that the server itself should be secured as well, but s
            • Normally, a webserver has a public IP and needs to be able to accept and respond to incoming HTTP requests on port 80 from any internet address.

              Additionally, people need to be able to manage the server - a simple UNIX setup would give the entire internet access to SSH on port 23.

              A more paranoid UNIX setup would restrict SSH access to a specific range of IP addresses through the SSH configuration. (Note that it doesn't matter if the allowed IP range is "inside the firewall" or not.)

              In either case, a fire

      • You forgot the simplest, most basic thing to protect: physical security.

        Doing everything in your list to perfection still is pretty useless if you haven't got at least basic physical security.

    • by aussersterne ( 212916 ) on Sunday July 31, 2005 @06:10PM (#13210115) Homepage
      The problem is that companies are run by people, and unless they are technology companies, they don't employ technology-savvy people.

      Most people in most companies have a fundamental lack of understanding of what the security risks are and what their nature is, even after you explain it to them.

      For any given security risk, high- and mid-level management expect to simply be able to buy one expensive product to fix it (not really even understanding what it means to "buy" a security product in the first place--that's IT's job). They don't even understand that there could possibly be anything more that needs to be done, and it's very difficult to get them to understand this.

      And if there is no commercial product that advertises itself specifically as "the fix" to a given security risk, management often refuses to even conceive that the risk might exist, so trapped are they in the worldview that "if there's really a problem, someone will have made a product to fix it; if no-one sells a product to fix it, then it must not actually be a problem."

      Things like changing the settings of a product or altering behaviors of employees or the topologies of network are simply beyond their understanding because they just don't have that deep a view of the technology-- the entire corporate network is just a pile of magic products to them and any product will either fix a problem, in which case it's a good product, or it won't, in which case (they believe) they bought the wrong product.

      As far as they are capable of understanding, throw some IBM, some Cisco, and some Microsoft all into a cement mixer and stir, and *boom*, corporate network and you have "instant 21st century!"
  • NYT Registration (Score:4, Insightful)

    by PktLoss ( 647983 ) on Sunday July 31, 2005 @03:59PM (#13209663) Homepage Journal
    Has anyone from /. / OSTG ever thought about asking NYT for system like the blogger registration-free linking thing?

    Just a thought
  • nice (Score:5, Insightful)

    by Renraku ( 518261 ) on Sunday July 31, 2005 @04:01PM (#13209676) Homepage
    What's cheaper in the mind of a shortsighted executive that can only see ahead to about a three to six month range?

    Having you put in jail for threats of terrorism to shut you up about their secrets, or paying the IT guys overtime to fix the holes?
  • by Anonymous Coward
    SATAN is a software package which can determine whether there are sniffers on your network. It finds some sniffers when the sniffer host looks up the same dns entries as other hosts.
    • Probably better using AntiSniff from l0pht
    • by Anonymous Coward
      Competent people don't get caught.
    • It finds some sniffers when the sniffer host looks up the same dns entries as other hosts.

      IANAHacker, but wouldn't the obvious thing be to use the DNS responses to the other computers, seeing as you're sniffing their data anyway? I'm sure a completely passive sniffer is possible...
    • Uhhh... (Score:3, Insightful)

      by jd ( 1658 )
      SATAN is a vulnerability scanner. It was actually the first Open Source vulnerability scanner out there and reputedly got the author kicked out of SGI. It had a patch to rename it SANTA, because some people objected to the name. A revamped, commercial version was called SAINT.


      There are sniffer detectors out there, but I'd not want to use SATAN for it.

      • Re:Uhhh... (Score:3, Informative)

        SATAN is a vulnerability scanner. It was actually the first Open Source vulnerability scanner out there and reputedly got the author kicked out of SGI. It had a patch to rename it SANTA,
        SATAN was by Wietse Venema and Dan Farmer. Farmer worked for SGI as "Security Czar" at one point. However, the patch you refer to was, I think, unnecessary - the name change ability was part of the distributed software.
      • by gr8fulnded ( 254977 ) on Sunday July 31, 2005 @07:19PM (#13210411)
        root@somebox# cat rename.patch

        #!/bin/sh
        # Idiots getting their panties in a bunch of a friggin' program name!

        # Fine, here:
        mv /usr/sbin/satan /usr/sbin/santa

        echo "Happy now?!"
    • ...or drink chicken blood as homage to the dark lord. In return he will protect your network.
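The DNS-lookup tell described in the post above, together with the passive-sniffer caveat raised in the reply, as an added example that is not from the thread, from SATAN or from AntiSniff: a small Python detector that correlates reverse (PTR) lookups seen at the resolver with the traffic flows actually observed, and flags hosts that resolve addresses they never exchanged packets with. The flow records and DNS log lines are constructed for the example, and the "foreign lookup" threshold is an assumption.

```python
"""
Toy sniffer-tell detector (added example, not from the thread or any tool
named in it).  A host running a promiscuous sniffer that reverse-resolves
the addresses it sees (many do, for readable output) issues PTR queries for
IPs it never talked to.  We correlate a resolver's query log with observed
flows and report hosts whose PTR lookups are mostly "foreign".
"""
from collections import defaultdict
import ipaddress

# Constructed sample flow summary, as a tap or NetFlow export would give it:
# "src dst proto/port"
FLOWS = """
10.0.0.5 10.0.0.9 tcp/80
10.0.0.9 10.0.0.5 tcp/80
10.0.0.7 10.0.0.9 tcp/22
10.0.0.5 198.51.100.20 tcp/443
"""

# Constructed sample resolver log: "client qtype qname"
DNS_QUERIES = """
10.0.0.5 A www.example.com
10.0.0.42 PTR 9.0.0.10.in-addr.arpa
10.0.0.42 PTR 5.0.0.10.in-addr.arpa
10.0.0.42 PTR 20.100.51.198.in-addr.arpa
10.0.0.7 PTR 9.0.0.10.in-addr.arpa
10.0.0.9 A ntp.example.com
"""


def parse_flows(text):
    """Return {host: set(peers)} from 'src dst proto/port' lines."""
    peers = defaultdict(set)
    for line in text.strip().splitlines():
        src, dst, _proto = line.split()
        peers[src].add(dst)
        peers[dst].add(src)
    return peers


def ptr_to_ip(qname):
    """Turn '9.0.0.10.in-addr.arpa' into '10.0.0.9'; None if not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not qname.endswith(suffix):
        return None
    octets = qname[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def parse_ptr_queries(text):
    """Return [(client, looked_up_ip)] for every valid PTR query in the log."""
    out = []
    for line in text.strip().splitlines():
        client, qtype, qname = line.split()
        if qtype != "PTR":
            continue
        ip = ptr_to_ip(qname)
        if ip is not None:
            out.append((client, ip))
    return out


def suspicious_resolvers(flows_text, dns_text, threshold=2):
    """
    Flag clients that reverse-resolve addresses they never exchanged traffic
    with.  Returns {client: sorted foreign IPs} for clients at or above the
    (assumed) threshold.  A host that only resolves its own peers is normal.
    """
    peers = parse_flows(flows_text)
    foreign = defaultdict(set)
    for client, ip in parse_ptr_queries(dns_text):
        if ip != client and ip not in peers.get(client, set()):
            foreign[client].add(ip)
    return {c: sorted(ips) for c, ips in foreign.items() if len(ips) >= threshold}


if __name__ == "__main__":
    for host, ips in suspicious_resolvers(FLOWS, DNS_QUERIES).items():
        print(f"{host} reverse-resolved {len(ips)} addresses it never spoke to: {ips}")
```

As the reply points out, a sniffer that never resolves anything issues no PTR queries and is invisible to this check, so a hit is a lead to investigate and a quiet host is not thereby cleared.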
  • by DingerX ( 847589 ) on Sunday July 31, 2005 @04:02PM (#13209681) Journal
    People expect thieves to act like thieves. Act like you know what you're doing, and you can walk out with most data.

    Another lesson -- put AP mines in your crawlspaces.
    • ...act as if you know what you're doing and you can walk out with the computers, too.
      • you can walk out with the computers, too

        That's exactly what happened where I work, some months ago. A guy entered the building (an endless string of repairs and re-repairs means there are always lots of construction workers and the like), went to the last floor (where management sits :), harvested three or four top-of-the-line laptops, and went away unmolested.
        That was at lunchtime. When the bosses came back, you could hear the cursing from three floors below!

        Thanks God someone had been thinking for once an

    • by towaz ( 445789 ) *
      Just walk around the company with a clipboard.. anyone confronts you ask for the name.. look pissed off and scribble on the clipboard ;)
    • One time I was working as a temporary IT monkey at the company which had decided to change something to do with its email (I forget what exactly). It involved basically going around every computer on the site (which was big) and manually changing the settings on Outlook for each one. I was a temp and hadn't been there long so I didn't have an ID card or a door swipe card. Also, it was dress-down Friday so I wasn't wearing a smart shirt or tie - just jeans and a t-shirt. Eventually we got to the marketing de

    • i hope that last line was a joke

      Using anti-personnel mines in the crawlspaces would make working down there rather risky, would probably be illegal in most civilised countries and would do a lot of damage to your network infrastructure if an intruder or employee set them off.
      • You know you've spent too much time on Slashdot (or in front of your computer in general)... ...if you read that line about "AP" mines and "crawlspaces" and immediately thought about Associated Press and webcrawlers, without even realizing that that may not be what the poster meant until a reply made it clear.
    • Act like you know what you're doing, and you can walk out with most data.

      Not so hard to do, when you're a hired security consultant. I'll bet it's much harder not to act like a thief when you are a thief, with real consequences for getting caught.

      Assume pure chutzpah works 90% of the time - that would be a good record for a penetration tester, but a professional thief wouldn't last long with those odds.

      It might be easy to waltz out with some computers, just bring a dolly and look like you know what

    • Lesson learned from playing too many video games: AP mines = guaranteed TK. Problem is in real life there is no respawning...
  • Reg Free (Score:5, Informative)

    by Anti_Climax ( 447121 ) on Sunday July 31, 2005 @04:03PM (#13209686)
    Paste this link into google and click through for a single page version

    http://www.nytimes.com/2005/07/31/business/yourmoney/31hack.html?pagewanted=all [nytimes.com]

    no reg required
  • Is mentioned again.

    My prurient is definitely interested!

    Interesting article.
  • "Most systems are like this Tootsie Roll Pop," Mr. Seiden said. "They have this hard, crunchy outside, but they're very gooey and soft inside.
    So he'd be one of the fat geeks then.
  • It is very easy (Score:5, Interesting)

    by Anonymous Coward on Sunday July 31, 2005 @04:13PM (#13209727)
    During my career, I have worked as a tech break/fix. I have worked for a university, federal govt, and private sector.

    Due to the nature of the job it is difficult to get passes or keys to move around immediately, especially into secure areas. So you put on your charm and off you go.

    It is very easy to take things. Just look like you know what you are doing and where you are going.

    Be presentable and nice, be friendly with the receptionists/secretaries/admin, and you can go anywhere.

    I have been let into computer rooms that are supposedly secure, I have been assisted by security guards in loading computer gear into my car, I have had secretaries hold doors on elevators so I could get stuff in. I'm talking thousands upon thousands of $$$ worth of stuff. All of them took my word for it, never questioning or phoning to find out. I have never had to show ID.

    I have actually had one employee of a major oil corporation watch me follow him in through the doors, ask me, "Where are you going? Who are you?"
    This was going into their engineering areas, from which I'm sure numerous other oil companies would love to see the data.

    I replied that I am a computer tech and visiting XXXXXXX. "Who? Are they on this floor?" "Yeah, they are, around the corner." (I really only had an office number ;-) "Oh, ok. You look honest." He actually told me I looked honest, so it was ok! From there I found the office I wanted, no one was there. I was to swap out a couple of hard disks, so I did. Many people poked their head in, joking along the way, "Hey! You don't look like XXXXXXXX! Unless he's shrunk! hahaha!" One even to see "what does a hard disk look like?" No one questioned me from there.

    Many, too many to count, I have just knocked on the door and asked for Mr. S.A.S. "Oh, I'm here to take a look at his computer, he said it wasn't working. Can I see it?" Then they lead me to the office, in which Mr. S.A.S. isn't there. "Well, I'll just start and he'll come back and I'll let him know. Thanks." Then they leave.

    It doesn't matter how secure it is, like the article points out, being sociable gets you lots of open doors.

    Crazy part is that I pride myself on this "talent." It's much simpler to talk your way through than to have to run all over getting ok's and escorts into areas.
    • Mr. S.A.S.? Mister Side Angle Side?

      I wouldn't want to see him, heard he's always bent out of shape. :P

      Mod lame.
    • Re:It is very easy (Score:2, Informative)

      by Anonymous Coward
      Whilst I recognise this, as a techie I've seen plenty of weak security, and been left unattended with computer systems that handle a LOT of money.

      However my experience is that organisations where security really(!) matters, or handling very big money, you just don't get in the door unescorted.

      And in one case, by appointment only, no electro-magnetic media, no electronic devices, physical search, photographic ID, and they took a photo as you enter (just for the record).

      Most of these also had serious network
      • Technically this is security by obscurity, but it worked surprisingly well. Guess, as they say, it comes down to the people.

        "Security by obscurity" has gotten such a bad rap because so many people have repeated it so often, but it isn't that bad. It's bad when it is relied upon instead of used as a layer in defense in depth. Using it in conjunction with other security methods is not bad.

        (Maybe you were saying it was the only method used, but my english parser broke trying to understand your pa
    • Like most of the other posters have stated, social engineering works only when you've got a sufficiently lax attitude in employees and a large enough population to offer general anonymity. Having worked at a facility with a secure area, I can say that nobody was getting into the secure area to anything useful without proper ID. (I decided that getting out with data, should you be an insider, wasn't very hard though, as they put the receptionist in the wrong place)
  • by Baddas ( 243852 ) on Sunday July 31, 2005 @04:27PM (#13209774) Homepage
    The key to this is that knowing what he thinks is secret is half the battle to finding it out.

    Once the executive told him where to target, that made it much easier. If you're talking about sniffing the entire network output of a company looking for important stuff... that's a much harder task.
  • by lgordon ( 103004 ) <`moc.liamg' `ta' `nodrog.yrral'> on Sunday July 31, 2005 @04:30PM (#13209785) Journal
    I would have been impressed if the CEO didn't tell him what data he thought was most important and he was able to both figure it out and acquire it.
  • Old tricks, fat dog too!

    Social Engineering.

    Enuf said.
  • Customer service (Score:3, Interesting)

    by imgumbydammit ( 879859 ) on Sunday July 31, 2005 @05:14PM (#13209923)
    One of the main reasons that approaches like social engineering work is because of the overwhelming emphasis a lot of companies put on "customer service".
    I worked for several years in corporate security (good money/awful job), and it was the cardinal sin to piss someone off. On one occasion, a white guy showed up on a weekend with a pass card with a Vietnamese woman's name on it that wasn't cleared for access to the floor he wanted to get onto, which was the executive floor of a bank nonetheless.
    The ten minutes it took to verify this guy's identity were the cause of a major spat between him (he turned out to be a VP of some sort) and my employer (the building management) that took days to blow over.
    Some of my colleagues would simply give in if someone was pushy enough. No one wants to be the person who said "No" to the wrong person, no matter what the circumstances.
    • No, pushy usually pisses them off. You just say when I leave I'll just have to tell them (take person's name) wouldn't let me in and was an asshole as well. With the emphasis on "being nice" these days I bet they let you pass. Another trick is to be a very pretty/sexy female (big tits, low cut dress, short skirt, etc.), or to use one to decoy the guard while someone else slips by. Of course if the guard is female you are sunk unless you happen to be Joe Handsome :)
    • Everyone who I've ever met who works for a US financial institution has been a VP. Is there actually any lower job title?
      • Yeah, there are tellers. There is also one president. Big banks have a few Cxx titles. For the most part though, it is teller or Vice president.

  • You don't have to sniff to find his head lying outside San Francisco, even though it may help. Then it should be easy to steal him.
  • d'objet direct (Score:2, Interesting)

    by Anonymous Coward
    That reminds me of the graphing calculator story:
    http://www.pacifict.com/Story/ [pacifict.com]
    that says a lot about corporate security.

    At any rate, the main point of the article is that there is a cost/benefit to security (security is expensive and can hamper productivity), but that most of the time people/corporations don't even bother looking for simple effective measures that would reduce the risk for little or no extra cost.
  • by clambake ( 37702 ) on Sunday July 31, 2005 @06:40PM (#13210221) Homepage
    Tell me the things you most want to keep secret

    That, right there, was the single biggest security breach. By far, the amount of data that is out there is simply too much for a random hacker to grab some data and make a profit from it. He needs to know what data he can use. Professional data thieves already know what they want to steal, but they are not the types to simply be stopped by security measures of any kind. If worst comes to worst, he can always just get a job as a janitor, or better yet, a security guard at the place he wants to steal from and flout ALL security measures.
  • by threaded ( 89367 ) on Sunday July 31, 2005 @11:19PM (#13211342) Homepage
    Big Corps only bother about security if a major shareholder gets upset by a security breach. The chances of a major shareholder getting wind of a security breach are minimal, unless it gets in the media.

    Hence most security in Big Corps is to prevent media people getting notice of security breaches.

    HTH.
  • ...Harold Shipman [google.co.uk]

    Oh my God! Harold Shipman has come back from the dead and is breaking into my network!
  • Why? (Score:3, Insightful)

    by DroopyStonx ( 683090 ) on Monday August 01, 2005 @08:48AM (#13213434)
    I'm sick of these assholes submitting stories and not posting regfree NYT links.

    Seriously, why NOT post a regfree link? You KNOW damn well they exist, so what the hell is the problem?

    Instead of wasting our fucking time by either registering or logging in, you should spend an extra 2 minutes finding the regfree link.

    Be a bit more courteous.
