security hacking question

[hconnor2]

okay, this is a bit far-fetched, but here goes.

i'm looking for a way, in theory, to hack into a secure system to steal industrial secrets.

no, no this is not in the real world, its for a story.

i thought, maybe a scientific formula is in a secure area of a server and a high level employee gets into the CTO's office and uses his computer to obtain access. the employee somehow discovered the CTO's password.

What's the most credible way the hacker would do this to look professional?

Also, how do i eventually trace the security breach and track the hacker down.

all help gratefully appreciated.

 

[Matthias99]

see how a real hacker did it

I recommend getting some books on network security and hacking and reading them. You should have plenty of ideas. Also, if this is fiction, technical accuracy is not super-important (although it will keep you from getting torn to shreds by any geeks that read it).

 

[cquark]

Password security is often quite lax in management, so obtaining the password could simply be a matter of it being something obvious or finding it written down in the office. Even if it's not terribly obvious, a smart dictionary cracker like John the Ripper or L0phtcrack can crack a fair percentage passwords in a matter of hours. Social engineering ("Hi, I'm from InfoSec, and we need you to change your password right now for security reasons...") attacks are another low tech means.

A surprising number of organizations still send passwords across the network in clear text, allowing packet sniffers like dsniff to grab them, so that's another possibility. Keystroke monitors can grab passwords before they're encrypted. Of course, smart crackers will bypass the front door if it's well protected and find another network service that can be subverted to gain access. Most internet worms exploit buffer overflows in applications to gain access.

You might find Hacking Exposed a good read if you want to go deeper but don't want to get extremely technical.

 

[warhorse]

I'd go with social engineering. Call up the IT staff, address said person by name, claim to be The Boss. Say you messed up your password and need it reset. Threaten to fire peon.

 

[Description]

Social engineering is the best. Least amount of work, greatest feeling of accomplishment.

Fun stuff.

Also, how do i eventually trace the security breach and track the hacker down.

Any system should have logs of file accesses. Trace the IP address to an ISP, customer, and location. Else, with such an important piece of data, someone has to know something.

If they had enough information about the system and executed it properly, you would never find them. It's all digital.
Any ultra secure system should be inaccessible to the outside and backed up by several security measures including a few analog (security camera, guard dog?)

 

[CTho9305]

Originally posted by: Description
Social engineering is the best. Least amount of work, greatest feeling of accomplishment.

Fun stuff.

Also, how do i eventually trace the security breach and track the hacker down.

Any system should have logs of file accesses. Trace the IP address to an ISP, customer, and location. Else, with such an important piece of data, someone has to know something.

If they had enough information about the system and executed it properly, you would never find them. It's all digital.
Any ultra secure system should be inaccessible to the outside and backed up by several security measures including a few analog (security camera, guard dog?)

The place I used to work had a printer constantly printing various logs. Those aren't as easily erased .

 

[Description]

But they can be burned.

Analog security is harder to break, yeah.

 

[eigen]

A good book to read would be Mitnick's "ART OF DECEPTION"

If you don't know who mitnick is, find out before you right a book on hacking...

 

[cquark]

Any system should have logs of file accesses. Trace the IP address to an ISP, customer, and location. Else, with such an important piece of data, someone has to know something.

IP addresses can be spoofed. While you need source routed packets to get your data back to you, they're often only disabled at the firewall and the attack in question is from an insider. Even if you can't get data back, you can write data and thus often can overwrite some security record to allow yourself access.

If they had enough information about the system and executed it properly, you would never find them.

True. The current generation of kernel level rootkits are extremely difficult to detect. They modify OS calls to hide the existence of the attacker's processes and files, modify the network driver to sniff passwords off the network without needing to run an external network browser, and are small enough to hide in the flash memory BIOS of your motherboard or ethernet card.

Check out some of the rootkits and flash tools (like the VideoCard Kit) at www.rootkit.com.

 

[kevinthenerd]

sniffing the LAN

(sniffing the password while the boss is logging in)


(Edited to remove juicy hacking details for the sake of global security.)

 

[lowpost]

I'd say you've already broken the first rule... Don't tell anyone what you've done. It'll get you busted fast. Be careful to read literature in secret, and never really let anyone know how much you know.

 

[kevinthenerd]

Originally posted by: lowpost
I'd say you've already broken the first rule... Don't tell anyone what you've done. It'll get you busted fast. Be careful to read literature in secret, and never really let anyone know how much you know.

Oh, but bragging is so much more fun than keeping it a secret, especially when you've hacked into your friend's computer after he doubted your ability to do so (and he was expecting you to try)

 

[lowpost]

He's talking about a corporate environment... which translates to money.

Playing with company property is a no-no.

 

[Falloutboy]

I full on agree that "social enginering" is much more powerful than people think. not that I would know or anything

 

[Description]

Oh, but bragging is so much more fun than keeping it a secret, especially when you've hacked into your friend's computer after he doubted your ability to do so (and he was expecting you to try)

So you do this at parties now?

 

[DrPizza]

Actually, most of you are concentrating on hacking from the outside in... Get a temporary job delivering for Dominoes, even if only for 1 night - long enough to get a uniform, unless you have another way of getting a pizza shop uniform. Grab a large pizza, and deliver it at lunch time. (when people are most likely to be away from their desks.) Bring a CD with you that'll install a key logger or whatever useful software you want onto someone's PC, preferably a higher level management person.

Incidentally, it seems the higher up you go, the more lax security is on the computers - management demands that the lower level employees have password protected screensavers, but the upper level management rarely follows their own rules. It'd be a piece of cake to find an unattended computer.

 

[Rainsford]

Phishing with many people could also play a roll. You know, get a little information from a secretary who answers the phone or something, use that to get more information and so on. Most people don't notice this when it is happening and most people don't think about the effect of all that information together. They simply see themselves as giving you harmless information, so that kind of approach works much better than trying to get everything from just one person.

 

[loic2003]

what you need to hack is a computer that bleeps with every keystroke and has weird graphics on screen where you see the 'hacking program' fly into the company's servers. You never need to use a mouse to hack, simply type furiously on the keyboard and you'll be in in about 20 seconds. Encription means you have to type furiously for a little longer.

Hollywood has captured the process of hacking in its movies perfectly....

 

[joinT]

I suggest the "Hackers Challenge" series of books.

 

[scottypop]

Here's my suggestion:

Hacker goes into corporate office dressed in a 3 piece suit and tells the (preferably hot...and female) receptionsit that he is there for the 10:00 meeting but he is early and can he please use the conference room to work on the pricing quote he has on his laptop. She walks him down the hall as he takes a pic of her booty to share with the people on Genmay.com with his cell phone camera

Anywho, when he gets into the conference room and declines a cup of coffee he plugs directly into the network (behind the outside firewalls) and he runs his customized packet sniffer/security exploit tools/key logger/whatever and gets the password he was looking for.

When he has what he needs (or has implanted what he needed to use to get it) he opens his cell phone starts talking to no one about really boring business details like shipping problems and slips out the front door in a hurry promising he will call whomever and reschedule the meeting himself.

 

[imported_Phil]

Originally posted by: scottypop
Here's my suggestion:

Hacker goes into corporate office dressed in a 3 piece suit and tells the (preferably hot...and female) receptionsit that he is there for the 10:00 meeting but he is early and can he please use the conference room to work on the pricing quote he has on his laptop. She walks him down the hall as he takes a pic of her booty to share with the people on Genmay.com with his cell phone camera

And we snip that plot right there, in favour of the XXX Throwdown Gang-Bang Love Slave Action. Seriously, it's a much better idea if you're making a geeky movie.

Oh, and she could give him some info afterwards, or whatever.

 

[Basse]

Rent Swordfish and then down a bottle of whine and drop a hydra...

 

[rosonowski]

Originally posted by: loic2003
what you need to hack is a computer that bleeps with every keystroke and has weird graphics on screen where you see the 'hacking program' fly into the company's servers. You never need to use a mouse to hack, simply type furiously on the keyboard and you'll be in in about 20 seconds. Encription means you have to type furiously for a little longer.



Hollywood has captured the process of hacking in its movies perfectly....

Hey, when you're at a command line, that's all it takes. I actually run Linux on my laptop becuase the trackpoint died. Never need to be in a GUI for what I use it for anyways (writing a novel)

 

[Description]

You never need to use a mouse to hack, simply type furiously on the keyboard and you'll be in in about 20 seconds. Encription means you have to type furiously for a little longer.

Don't be silly, my machine has a large button that says "UPLOAD VIRUS NOW" to automate the drawn out hacking process.

On a Unix, Mac OS, or Linux box, there's no necessity to use the mouse at all, except perhaps for file manipulation. And many of the tools used are written by hackers and wouldn't have the fancy GUI implemented as seen in commercial software.

 

[guitarizt]

Definately go the social engineering route.