[ISN] The No-Tech Hacker

From: InfoSec News (alerts@private)
Date: Sun Mar 02 2008 - 22:04:43 PST


http://www.forbes.com/technology/2008/02/28/long-hacker-csc-tech-security-cx_ag_0229hacker.html

By Andy Greenberg 
Forbes.com
02.29.08

Hackers have a lot of fancy names for the technical exploits they use to 
gain access to a company's networks: cross-site scripting, buffer 
overflows or the particularly evil-sounding SQL injection, to name a 
few. But Johnny Long prefers a simpler entry point for data theft: the 
emergency exit door.

"By law, employees have to be able to leave a building without showing 
credentials," Long says. "So the way out is often the easiest way in."

Case in point: Tasked with stealing data from an ultra-secure building 
outfitted with proximity card readers, Long opted for an old-fashioned 
approach. Instead of looking for vulnerabilities in the company's 
networks or trying to hack the card readers at the building's entrances, 
he and another hacker shimmied a wet washcloth on a hanger through a 
thin gap in one of its exits. Flopping the washcloth around, they 
triggered a touch-sensitive metal plate that opened the door and gave 
them free roam of the building. "We defeated millions of dollars of 
security with a piece of wire and a washcloth," Long recalls, gleefully.

In other instances, Long has joined employees on a smoke break, chatted 
with them casually, and then followed them into the building. Sometimes 
stealing data is as simple as wearing a convincing hard hat or walking 
onto a loading dock, before accessing an unsecured computer or 
photocopying a few sensitive documents and strolling out the front door.

Fortunately for his victims, the companies that Long invades are also 
his customers. As a penetration tester for Computer Sciences Corporation's 
security team, Long is paid to probe weak points in a company's 
information security. His job as a "white-hat" hacker is to think like 
the bad guys--the more evil genius he can summon up, the better.

And if tactics like tailgating an employee through a backdoor or picking 
a lock with a washcloth don't seem like real hacking, Long would suggest 
fine-tuning the word's definition. To bring that other side of hacking 
to the public's attention, he wrote a manual cum manifesto titled No 
Tech Hacking [1], which was published this week. The book's goal, aside 
from pumping Long's already significant notoriety in the world of 
cyberpunks and script kiddies, is to show that hacking isn't always the 
realm of high technology.

Instead, he argues, it's still rooted in old-fashioned observation and 
resourcefulness. To obtain a corporate password, for instance, a hacker 
can pose as an employee and call a company's help desk or simply look 
over an employee's shoulder while he's on his laptop at a local cafe. To 
access a network, Long will photograph an employee, fake his badge or 
even his uniform, and slip past the front door security to find an 
unguarded terminal.

That kind of no-tech hacking isn't a new idea, but it's one worth 
remembering, says Jeff Moss, the organizer of cyber-security conferences 
Black Hat and Defcon. "There's a tendency in our industry to focus on 
the latest and most interesting attack," he says. "But Johnny is trying 
to show that the simple security problems that were spotted a long time 
ago haven't gone away, and the bad guys will use whatever's available."

That's a lesson that the security industry should heed: The average cost 
of a data breach rose to more than $6.3 million last year, up from $4.8 
million in 2006, according to research by the Ponemon Institute. And 
physical security played a growing role: Lost or stolen equipment 
accounted for about half of those breaches last year.

With those kinds of costs at stake, hiring hackers like Long isn't 
cheap: For basic vulnerability assessment, CSC, which is based in El 
Segundo, Calif., charges a minimum of $35,000. For complete penetration 
testing, which often involves obtaining specific files to demonstrate a 
firm's security flaws, the team can charge as much as $90,000.

But for the most in-depth hacking missions against well-protected 
companies, Long and the rest of CSC's security team are also rewarded 
with the illicit thrill of intrusion. "When you get that James Bond 
feeling of espionage, it's a huge adrenaline rush," he says. Long admits 
that the night before a major case, his team often watches the geek 
thriller Sneakers. "Penetration tests that involve a human element are 
so much more exciting than sitting in front of a computer screen, poking 
through a company's firewall."

As a kid in suburban Maryland during the 1980s, Long's hacking career 
began under less sensational circumstances. Surfing the pre-Web 
Internet, he browsed bulletin boards looking for pirated copies of video 
games. To pay for the growing long distance bills from his modem, he 
started charging his Web surfing to calling card numbers that he found 
on semi-legal sites. And when those phone-card sites started forcing 
users to pay for access, he found ways to circumvent the sites' security 
measures.

Soon, the challenge of bypassing firewalls and accessing distant 
networks was more interesting than any video game. "I would be on my 
Commodore 64, talking to a Unix system somewhere far away," Long says. 
"It was like traveling--the fascination of being in a place with a 
different culture and speaking a different language."

When he graduated from high school, Long skipped college and got a job 
at a local university as a systems administrator. Before he was 20, he 
moved on to a major health insurance provider that was in the midst of 
bringing its systems onto the Internet. Long wrote up a report detailing 
all the company's security vulnerabilities. It was ignored by his 
superiors. Feeling demoralized, he eventually left the company and 
landed at CSC's offices in Falls Church, Va.

At CSC, Long found his niche. In 1998, for instance, he suggested a 
simple social engineering method to gain access to a company's server 
that wasn't attached to the Internet. Long tracked down the name of the 
company's technical contact person on the Web, and made a phone call to 
its help desk pretending to be that person. The help desk's staff 
switched on the server's modem, and CSC's team was inside. "Once I 
connected with the security team, I brought some of the perspective that 
the security community was just starting to get then, a street-level 
hacker mentality," Long says.

From there, CSC began to experiment with the physical security hacks it 
now uses today, and Long began developing a set of techniques he calls 
"Google Hacking": using simple search engine queries to find hackable 
vulnerabilities in Web sites. (See: "Google: A Hacker's Best Friend" 
[2]) Today CSC has one of the security industry's better-known 
penetration testing teams, and Long is a celebrity in hacker circles.

Since he first became a professional penetration tester, cyber-security 
has evolved dramatically, Long says. No Tech Hacking is partly about the 
latest social engineering methods used by a new generation of 
cyber-criminals. Instead of searching for holes in companies' 
increasingly tight security perimeters, their attacks are about drawing 
the target out, bringing employees to a compromised Web site that 
infects their network, or convincing an administrator to give up his or 
her password in an e-mail.

But the other lesson of the book, Long says, is that some things haven't 
changed. "No matter how savvy we think we are, the oldest attacks are 
still possible, and they're still prevalent," he says. "The smartest 
systems are still falling for simple tricks, and that's what keeps us in 
business."

[1] http://www.amazon.com/exec/obidos/ASIN/1597492159/c4iorg
    http://www.shopinfosecnews.org
[2] http://www.forbes.com/2007/06/25/google-hack-hacking-tech-security-cx_ag_0625googlehack.html

