As the old saying goes, “One man’s junk is another man’s treasure”. One favorite technique of hackers is to “Dumpster Dive”. Yes, this literally means to dig through your trash.
You would not believe what has been recovered from dumpsters by professional security teams who, while performing a test of a company’s security, dug through the trash.
Trash from banks and health care facilities in particular provides a plethora of the sensitive information hackers look for. Names, addresses, phone numbers, social security numbers, and financial information are the most obvious targets, but what are some of the less obvious? Old software disks from system updates tell the hacker what software you are using. A bill from your utilities or even your computer support company can give away vital information to a hacker who is willing to disguise himself to gain physical access to your building. Though most hackers will not want to risk physical entry to your system, trash recovered during security tests has provided everything from administrator-level passwords to layouts of your internal network.
Discarded physical machines also often offer a wealth of information. The most obvious source is hard drives left intact inside the machines, but the outside of the system can provide information too. Corporate asset tags tell exactly which company owned the machine. Corporate network ID tags sometimes list the network name and internal IP address, and this information could also be used. Some people even tape passwords to machines and monitors.
Just a side note, many large companies use network ID tags. Great idea, but could you make them smaller, or place them on the back or bottom of the machines? Or, just limit the information on them. They stick out like a sore thumb to any visitor walking through the building.
Just a quick break from computer security. This was going around Twitter and I thought I would share it. If you have ever worked for a large company, this guy nails a skit of every conference call you have ever been on.
ATM and Cell Phone Hacking, Elite US Cyber Team
Some interesting topics at the Black Hat and Defcon conferences recently. Let’s start this report off with a video. Security Week has a few videos of the “Jackpotting Automated Teller Machines” presentation by Barnaby Jack:
At Defcon, Chris Paget demonstrated intercepting mobile phone calls. “As far as your cell phones are concerned I am now indistinguishable from AT&T,” he said. He had 30 cell phones connected to his system. But aren’t cell phone communications encrypted, you say? “If I decide not to enable encryption I just disable it, it’s that simple,” Chris said. That simple, huh? Well, I guess when your phone thinks your system is a cell phone tower, you can change some of the rules. Kind of makes you feel warm and fuzzy inside, doesn’t it?
Okay, so all the latest cyber geek goodness is not your thing, you say. What other reasons are there to attend a top security conference? How about the cool ninja badge? Or instructions on how it was hacked?
Still not piqued your interest? Okay, how about the chance to be recruited for an elite US cyber team? According to an AFP article, “Vigilant” was present and recruiting at Defcon:
An elite US cyber team that has stealthily tracked Internet villains for more than a decade pulled back its cloak of secrecy to recruit hackers at a DefCon gathering. Vigilant was described by its chief Chet Uber as a sort of cyber “A-Team” taking on terrorists, drug cartels, mobsters and other enemies on the Internet. “We do things the government can’t,” Uber said on Sunday. “This was never supposed to have been a public thing.”
According to the article, Vigilant has more than 600 volunteers, including former high-ranking US spies and executives of top technology companies, and they are looking to add 1750 people this year. They have had their hands in several different hot-topic events, including uncovering fraud in the Iran election, and they also provide a way for people to slip information out of countries with controlling regimes.
The intelligence they recover is reported to the federal government. Very interesting indeed.