Computer crime: then and now
I have already described my short youthful pampering with the illegal side of computer science in its form at the end of the 1980s. But was it a crime? Was I a real criminal? I do not think. Speaking frankly, I was not talented enough to present at least some threat, and even now I cannot imagine.
There are two classic books describing the activities of hackers who possessed a unique talent in the late 80s, a talent that raised their danger before being recognized as a criminal threat.
Cuckoo Egg: Spy Tracking Through Computer Intelligence Maze
Ghost in the wires: my adventures as the most wanted hacker in the world
')
Cuckoo (circa 1986) is probably the first hacking case, which was regarded as an obviously intentional crime, and, of course, the first known computer hacking case as international espionage. I read the book in the original edition of 1989, but the story is still fascinating and informative. Cliff Stoll's wittyness helped him to foresee how trust in computers and the nascent Internet may be vulnerable to real, real, and material criminals.
I don’t know if Kevin Mitnick did something completely illegal, but there is no doubt that he was the first known computer criminal in the world.
By 1994, he was on the FBI's list of the ten most wanted criminals, and articles about his court case went to the front pages of the New York Times . If the moment when the concepts of “computer crime” and “hacking” entered into the consciousness of society, it existed, then it was him.
Kevin in "The Ghost in the wires, " in great detail tells the whole course of events. In the Wiziwig comic, everything is retold in a shortened form, but taken directly from the source, so it is worth reading. I would not say that it is worse. For many years, Kevin has not been hacking; He has written several books describing his techniques, and now he advises companies on how to improve their computer security.
These two books cover the beginning of computer crime in a form in which we know it. Of course, now the problem has become more acute than in the mid-80s: take at least a much larger number of computers connected to each other than anyone could imagine at the dawn of an era. But what really surprises is how small the changes that have occurred in cybercrime techniques since 1985.
The best example of the modern - and by modern I understand 2000 and later - of computer crime is “ Leader: how one hacker captured the billion-dollar cybercriminal underground ”. Modern cybercrimes resemble the classics of black and white cinema: everything is tied to the theft of large sums of money. But together with robbing bank vaults in the style of a pair of Bonnie and Clyde, the process is performed electronically, mostly through ATMs and credit card exploits.
Written by Kevin Poulsen , another well-known retired hacker , is also an intriguing reading. I have already read it twice and found the most informative passage written by the protagonist after his release from prison in 2002:
That's right; today, no hacker would spend time on a frontal attack. The chance of success is negligible. Instead, they tag into the soft, thick underbelly of each company: the users inside. Max, the hacker, described in the “Leader”, boasts: “From that moment on, I did not doubt one hundred percent success.” Here it is, the new face of hacking. Is it so?
One of the most amazing details from what was told in “ Ghost in wires ” is not how experienced a hacker is Kevin Mitnick (although he is undoubtedly great), but how terribly effective he can lure out critical information from people in everyday conversations . Again and again, in hundreds of subtle and clever ways. It doesn't matter what year is the year 1985 or 2005, the number of military-level security levels in computer infrastructure will not help if someone behind these computers clicks on links with dancing rabbits . Social engineering is the most reliable and up-to-date hacking technique invented. The method will outlast us all.
For an example of the 2012 era, consider the case of Mat Honan . It is not unique.
I learned about the hacking from Twitter, when the situation was not clear yet, and immediately took a hunch skeptical: hardly anyone would even suffer with brute force, because brute force is for fools. Try to guess what was really there. Go ahead, guess!
You probably made social engineering ... when you reset your account password ? Bingo.
Phobia, the hacker described by Mat Honan, is a minor who did all this for fun. One of his friends, a 15-year-old hacker, known under the nickname Cosmo , and discovered a reception with Amazon and bank cards, described above. What are teenage hackers doing today?
Receptions are frighteningly the same . The only difference between Cosmo and Kevin Mitnick is the birth in different decades. Today computer crimes are a whole new world, but the methods used today are almost identical to those from the 80s. If you want to connect with cybercrime, don’t waste time developing ninja hacking skills because the weak point is not computers.
These are people.
There are two classic books describing the activities of hackers who possessed a unique talent in the late 80s, a talent that raised their danger before being recognized as a criminal threat.
Cuckoo Egg: Spy Tracking Through Computer Intelligence Maze
Ghost in the wires: my adventures as the most wanted hacker in the world
')
Cuckoo (circa 1986) is probably the first hacking case, which was regarded as an obviously intentional crime, and, of course, the first known computer hacking case as international espionage. I read the book in the original edition of 1989, but the story is still fascinating and informative. Cliff Stoll's wittyness helped him to foresee how trust in computers and the nascent Internet may be vulnerable to real, real, and material criminals.
I don’t know if Kevin Mitnick did something completely illegal, but there is no doubt that he was the first known computer criminal in the world.
By 1994, he was on the FBI's list of the ten most wanted criminals, and articles about his court case went to the front pages of the New York Times . If the moment when the concepts of “computer crime” and “hacking” entered into the consciousness of society, it existed, then it was him.
Kevin in "The Ghost in the wires, " in great detail tells the whole course of events. In the Wiziwig comic, everything is retold in a shortened form, but taken directly from the source, so it is worth reading. I would not say that it is worse. For many years, Kevin has not been hacking; He has written several books describing his techniques, and now he advises companies on how to improve their computer security.
These two books cover the beginning of computer crime in a form in which we know it. Of course, now the problem has become more acute than in the mid-80s: take at least a much larger number of computers connected to each other than anyone could imagine at the dawn of an era. But what really surprises is how small the changes that have occurred in cybercrime techniques since 1985.
The best example of the modern - and by modern I understand 2000 and later - of computer crime is “ Leader: how one hacker captured the billion-dollar cybercriminal underground ”. Modern cybercrimes resemble the classics of black and white cinema: everything is tied to the theft of large sums of money. But together with robbing bank vaults in the style of a pair of Bonnie and Clyde, the process is performed electronically, mostly through ATMs and credit card exploits.
Written by Kevin Poulsen , another well-known retired hacker , is also an intriguing reading. I have already read it twice and found the most informative passage written by the protagonist after his release from prison in 2002:
One of the former clients of Max from Silicon Valley tried to help and gave Max a contract for $ 5,000. The task was to test the penetration of the company's network, and the management was not particularly worried about the presence or absence of a report from it. However, the hacker took the work seriously. He had stormed the network screen for months, counting on one of those simple victories to which he was accustomed, being an ethical burglar. But he was going to be surprised: the state of corporate security improved as he sat. He could not do anything with the network of his only client. His 100% successful record of service has cracked.
Max tried harder, only more and more disappointed because of his own powerlessness. Finally, he decided to try something new. Instead of looking for vulnerabilities in hardened servers of the company, he chose several employees as his target.
These attacks on the client side are the malicious actions of most people: spam email in a mailbox with a link to something like a greeting card or a funny picture. In fact, the launched file is downloaded, and if you ignore the warning ...
That's right; today, no hacker would spend time on a frontal attack. The chance of success is negligible. Instead, they tag into the soft, thick underbelly of each company: the users inside. Max, the hacker, described in the “Leader”, boasts: “From that moment on, I did not doubt one hundred percent success.” Here it is, the new face of hacking. Is it so?
One of the most amazing details from what was told in “ Ghost in wires ” is not how experienced a hacker is Kevin Mitnick (although he is undoubtedly great), but how terribly effective he can lure out critical information from people in everyday conversations . Again and again, in hundreds of subtle and clever ways. It doesn't matter what year is the year 1985 or 2005, the number of military-level security levels in computer infrastructure will not help if someone behind these computers clicks on links with dancing rabbits . Social engineering is the most reliable and up-to-date hacking technique invented. The method will outlast us all.
For an example of the 2012 era, consider the case of Mat Honan . It is not unique.
At 4:50 pm, someone climbed into my iCloud account, reset the password, and removed the confirmation message to the trash. My alphanumeric password consisted of 7 characters, and I did not use it anywhere else. Years ago, when I set it up, the password seemed secure to me. But he was not safe. Especially when you consider that I have used it for several years. I guess they picked up the password brutforsom, and then reset it to cause damage to my devices.
I learned about the hacking from Twitter, when the situation was not clear yet, and immediately took a hunch skeptical: hardly anyone would even suffer with brute force, because brute force is for fools. Try to guess what was really there. Go ahead, guess!
You probably made social engineering ... when you reset your account password ? Bingo.
After they stumbled upon my account [on Twitter], the hackers did a preliminary investigation. My Twitter account refers to my personal website, where they found my Gmail address. Assuming that it was the same email that I had for Twitter, Phobia visited the Google Account Recovery page. Actually, he did not have to carry out the restoration, it was just intelligence.
Since the two-factor authorization was disabled for me when Phobia entered my address, he could see an alternative mailbox set by me for account recovery. Google partially closes this address, replacing many letters with asterisks, but the hacker is open enough: m••••n@me.com. Here it is.
Since he already had my email address, all that was left to get the keys to my account from Apple tech support was the billing address and the last four digits of my credit card.
So how did he get this necessary information? He went the easy way. He took the billing address from whois of my domain. If a person does not have a domain, you can find him or her in Spokeo, WhitePages or PeopleSmart.
Getting a credit card number is more complicated, but also based on using the advantages of the backend systems of companies. ... First you need to call Amazon and say that you are the account owner and would like to add a credit card number to your account. All you need is an account name, a linked email address and a billing address. Then Amazon allows you to add a new credit card. (In Wired, for this purpose, they used a site-generator of bank card numbers that pass all known self-checking algorithms.) The handset is put.
Following this, you need to call back at Amazon and declare that access to your account has been lost. After providing the name, billing address and credit card number, which was just added during the previous call, technical support will provide an opportunity to add a new e-mail address to the account. Then you need to go to the Amazon site and reset your password using the new box. As a result, access to the list of all bank cards assigned to your account will be obtained - not the full numbers, but only the last four digits. But, as we know, these four numbers are needed by Apple.
Phobia, the hacker described by Mat Honan, is a minor who did all this for fun. One of his friends, a 15-year-old hacker, known under the nickname Cosmo , and discovered a reception with Amazon and bank cards, described above. What are teenage hackers doing today?
Xbox players distinguish each other by gamertags. And among young players it is much cooler to have a simple gamertag of the form Fred, than, say, Fred1988Ohio. Before Microsoft secured security, in order to get a password reset form in Windows Live (and thus capture a gamer tag), all that was required was the name of the account, the last four digits, and the expiration date of the account bank card. Derek discovered that the owner of the Cosmo tag has a Netflix account. And so he became Cosmo.
“I called Netflix, and it was easy,” he giggles. “They said,“ Your name? ”I replied,“ Todd [Cut out], ”and called his email address, and they said,“ OK, your password is 12345, ”and I logged into my account. I saw the last four digits of his credit card. And then I filled out the Windows Live password reset form, which required the cardholder's first and last name, the last four digits of the number, and the expiration date. ”
This method still works. When we called Netflix at Wired, all that was asked to provide was the name and email address of the account, and we were given the same reset.
Receptions are frighteningly the same . The only difference between Cosmo and Kevin Mitnick is the birth in different decades. Today computer crimes are a whole new world, but the methods used today are almost identical to those from the 80s. If you want to connect with cybercrime, don’t waste time developing ninja hacking skills because the weak point is not computers.
These are people.
Source: https://habr.com/ru/post/161051/
All Articles