This in-depth article takes a look at hacking on the Internet. Covering hacker motivation, computer viruses, security, personal firewalls and how to track a hacker!
3. Infiltration and trashing
3.1 Gaining access
For many dedicated hackers,
gaining physical access to a system server is a viable alternate to
remote hacking. Hackers are aware of the lax security of many firms,
including Internet Service Providers (ISP's), towards the physical security
of their computers. A server may be stored in an office, for example,
that office may be unlocked, that building may have new people passing
through every day unnoticed.
They are many techniques
that may be employed by a hacker to gain access to a site, some of which
- Applying for
a job at the targeted site, using a bogus identity and CV. Once inside
and issued with a visitors pass, reasons such as going to the toilet
or getting lost can get the hacker around the building.
- Selling sandwiches
to the office workers at lunchtime. In this way, the hacker becomes
familiar to the workers and nobody pays him/her to much attention.
- Getting a job
with a company that provides a service to the targeted site, such
as cleaning, computer installation or maintenance work.
All of these methods are,
of course, very 'black-hat' and liable to get the hacker into real trouble.
The rewards to the hacker may outweigh the risks involved, however,
so site security should never be overlooked where sensitive information
3.2 Social engineering
Social engineering is a term
that is given by hackers to any kind of con trick that is used to get
information from a worker of a targeted firm. At its basic level, social
engineering exploits an understanding of human nature and people's natural
openness and helpfulness when they are asked for help and advice.
In a large business or university,
any given worker will only possess a small piece of the overall picture,
and therefore they can only respond to requests based on their existing
knowledge of events. For example, if a hacker rings an internal number
to an office worker to ask for information, the hacker may build 'trust'
in the worker by displaying knowledge of office jargon, procedures or
other office co-workers, and then use this trust to gain valuable information
from the unsuspecting target.
Another valuable source of
information to the dedicated hacker comes from an unlikely place, your
trash! Hackers may gain access to a targeted site's dumpsters or even
office waste paper baskets, where they would hope to find all or any
of the following items:
- Computer, network
or phone manuals. Any of these can tell the hacker about the kind
of hardware and software that is being used at the targeted site,
so that they can better tailor their future attacks.
- Floppy disks,
old PC's containing hard drives, CD-ROM's etc. Even apparently damaged
storage devices can still yield recovered information.
- Memos, reports
and other office documents. These will help to build familiarity into
the hacker's future social engineering attempts.
- Computer and
IT procedures and protocols, especially those that have been written
in-house for operating staff to enable them to fix network or phone
- Customer information
(invoices, contact details etc.). These can also be used for social
engineering purpose, as the hacker can show familiarity with customer
- Shredded documents.
They may look like a mess, but to the most dedicated of hackers, patience
is a genuine virtue. If a document is sensitive enough to shred, then
it should really be disposed of by a company that specializes in the
destruction of such documents.
Something such as trash that
the average office worker may never consider, can become an information
goldmine to the creatively thinking hacker. The security of sensitive
information, especially client information, is the responsibility of
the company involved, so they should never dispose of sensitive information
in such a care-free way.
The physical security and
location of the dumpsters should be discussed with the person in charge
of site security, and the necessary precautions put in place.