Tuesday, January 30, 2007

Well, That's dropped my confidence in them a bit...

During one of my bored moments, I was websurfing and stumbled across a bunch of hacking stories.

This is something that’s always interested me. It’s like the old confidence tricksters, they do something that is so intelligent, intricate and requires so much balls, it almost stops being a crime…and just becomes a genius way of making money.

One of my favorite stories was the group of computer technicians who went on a junket to Las Vegas. While there, after losing a lot of money at video poker, one guy’s wife said, jokingly: “You’re meant to be good at computers, this is essentially a big computer. Can’t you fix it so we win more?”

Well, I won’t bore you with all the very technical details, but they bought a copy of the poker machine, and reverse engineered the programming to look for a weakness, which they found. They wrote a program that they used to sync their computer with the poker machine’s random number generator, meaning they could input on the computer what cards where on the game’s screen, and it would tell them exactly when to press the “deal” button to get a royal flush….the highest scoring hand in video poker.

They later created a wearable computer that would signal to them (using the vibrate motors cannibalized from mobile phones) which cards to discard in order to get the highest winning hand.

Essentially, they discovered that the random number generator that picks which cards to display couldn’t be truly random, because the casino needs a way to set the odds of winning.

The other, quite scary, thing I discovered was I was being far too lax with my own computer security. Until very recently, I prided myself on “unbreakable” passwords. Basically, when I needed a password, I used a sequence of 10 truly random numbers. These where truly random, meaning not my phone number, my phone number written backwards, my birthday, a loved ones birthday etc.

In other words, I figured they were unguessable. I also never wrote them down

Then, through my reading, I discovered brute force hackers often try sequences of numbers first. My password was 10 digits, which means a hacker would have to start at zero, and basically count all the way up to 9,999,999,999 in order to guess it. Nearly 10 billion combinations.

Secure, right? Wrong!

A brute force hacking program is easily capable of trying well over 2 million combinations a second. In other words, it could crack my password in under a minute and a half. Probably MUCH less time, because a minute and a half assumes the last combination it tries is the correct one.

Let’s just say I changed my passwords.

However, the one thing that truly astounds me is how lax people are with their security. People who should be a lot more careful.

I did a lot of fraud and security training at my last job, and I also learned that it’s the little pieces of information that don’t sound very important that can lead to big trouble.

Take social engineering.

Say I want to steal your identity.

First thing I do is a little dumpster diving. Forget hi-tech, forget your impeneterable firewall. I go through your trash. All I need is your name and address. I find a piece of junkmail, and I’ve taken the first step on the trail.

Then I find out where you work. Either from your trash, or simply following you to work one day.

Then I call your house:

“Hey!” I say. “This is Joe from Human resources. We had a bit of a mishap with the computers, and we’re having to use a backup, and some of your info is missing.”

“Ok.” You say.

“First things first, I’m going to have to share some sensitive data with you, so can you give me your employee number and your mother’s maiden name for security?”

Of course, you rattle it off. You put your employee number on a few hundred documents a day, it’s on your pay stub, it’s no ‘secret’, and of course, you understand the need for security.

“Right, let me check, what was the last training course you took?”

Completely and totally innocuous question. Who cares? I don’t need it, but it helps allay your suspicions. I ask a few more general questions then say:

“Ok, all done, but can you confirm your social security number for me?”

You tell me, why wouldn’t you? You’re convinced you’re talking to the HR dept at your job. They already have it, so what’s the harm?

Then, I ask a few more questions and make some light chit chat with your before hanging up. How the main server went down and we discovered the backup was a couple months old, how management won’t pull their heads out of their backsides and upgrade it etc. Why? People tend to remember that last few questions in a conversation, and getting just the info I need and leaving is highly suspicious.

So what have I got now? Your name, address, mother’s maiden name, and social security number. If I wanted to, I could have “confirmed” your log in and password at work.

Then, I can do whatever I want. I can call your real work’s HR department, pretend to be you, to “confirm” or change your banking details.

So what led me to write this today?

Well, one was me reading about this, but the other was the trip we took today to get our taxes done. That place was so wide open, anyone with a few minutes could leave with anything they wanted.

First thing I noticed was the wireless router out in plain sight. This isn’t such a big deal, as long as they had the brains to encrypt the connection…but it turned out it wouldn’t have made any difference.

Why? Because the guy doing our taxes had his login and password on a sticker on the front of his folder that was sitting on his desk in plain sight. Think about that. You could go home, grab your laptop, park your car outside the building, and go in and not only change your own tax information (and who cares if you get audited, you have the forms you gave to the guy, and it was him who prepared them…it was his login and password that was used after all!), but you could also have access to everyone else’s sensitive information.

This would be bad enough, but sitting across from him at his desk, I looked down.

Under his desk, at my feet was huge box of papers waiting to be shredded. On the top I could see photocopies of at least 50 Social Security cards and ID’s. All I’d have had to do was lean forward to “tie my laces”, and helped myself to whatever I wanted. Thanks to the desk and the cubicle walls, no one would have seen me.

Unfortunately this kind of thing happens a lot. The weakest link in any security system is always the people, and the business owners usually consider themselves nice and secure. The point is, it doesn’t matter how good your firewall is, or if your computers have 256bit encryption on data transfers and passwords, if the employees leave their passwords in plain sight.

…and like I pointed out, I didn’t need to break into the computers to get sensitive information. It was as difficult as leaning forward and grabbing a handful of paper.

1 comment:

topcat said...

Too true Paulius!
Case in point, the recent sale of computers by the Greenville school system with all kinds of sensitive information about teachers and students!