How To Hack Into The Music Industry

It is a doctrine of war that we must not rely on the likelihood of the enemy not coming, but on our own readiness to meet him: not on the chance of his not attacking, but on the fact that we have made our position invincible. -Sun Tzu

Part 1: Targeting Artists & Fans using social-engineering tactics
Sample site:
Tools: Social-Engineering Toolkit & The Harvester

When it comes to the vulnerabilities presented by the online aspects of the music industry, the opportunities for penetration testers to employ their skills are far and wide. However, as numerous as these opportunities may be, they are still for the most part overlooked. And at great peril.
Think about something for a moment. When’s the last time that you or anyone that you know has gone into a brick and mortar record store and purchased the music that you felt like listening to? Why would you when you can just as well go online and obtain whatever type of music suits your taste for free or at a far lesser price than what you’d pay at the record store? Sometimes what you pay for that music may be as simple as registering on a site and creating an account. Ta’Dah! Unlimited music. It cost you nothing. Or did it?
We’re all aware that there are computer systems floating around in cyber-space minding their own business without any human interaction. However, I personally stand on the belief that behind every active operating system online there is a human being at the other end of it. And humans, my friend, are vulnerable. Human beings can be hacked. And so the story begins… If I were an attacker.

If I were an attacker and I decided to go phishing into this gigantic ocean called the music industry, here’s an example of how I could very easily put together a social-engineering scheme. We’ll take this website as our target, mainly because I am personally okay with one of the writers over there. I am a die-hard fan of the Gazzmic Revolution. But more so, the entire theme of this site was to me a perfect model for showing how easily an attacker could take just the content of the site alone and use it against itself to craft a social-engineering scheme. (Note: In this example the actual web site was never even tampered with by the attacker. All information gathering was passive in nature.)

The attacker would be making use of only two tabs within the entire site to construct his scheme around, namely The Gazzmic Manifesto tab and The Invite Code tab.

Now, whoever wrote The Gazzmic Manifesto did one hell of a good job. That Manifesto reads brilliantly. However, an imaginative social engineer could very easily fire up SET in conjunction with The Harvester and have a mighty fun field day with the content and theme of this site by making use of the mass mailer attack. Here’s how the original Manifesto reads:

Now imagine an astronomical number of artists and fans being targeted with an email containing the original manifesto with the last line reconstructed to read:

Join The Gazzmic Revolution!

Gazzmic is your revolution. We believe that we are on the cusp of a new Renaissance in music, made possible by web technology. Fear not the future! Join the grass-roots movement that will take on the corporate giants head-on. With your help, we can take back music for the artists and fans. That’s why we’ve exclusively chosen you as one of our artists/fans to be featured in our upcoming SKYPE interviews where you’ll have the opportunity to introduce the world to the new revolution. Remember, this is your revolution!

To assist our artists/fans with claiming their exclusive spot in the revolution, we’ve created a members only access page on [NAME OF SOCIAL MEDIA SITE]. This link will direct you to a custom page that we’ve created for security purposes to protect the privacy and integrity of our members. By signing into this page you will be directed to the official public page. At this point there’s nothing more to do. Your account will be automatically created. You will receive a follow-up email asking you to confirm your account. Click here [link with attacker’s IP address] to begin the revolution.

(Of course, given that the victim fell for the attack, if you were an attacker the results are apparent right there inside your command terminal. If, on the other hand, you were a penetration tester, depending on the scope of the penetration test, you could send follow-up emails to all of the victims containing their usernames and passwords, revealing to them that their accounts have been compromised. You could even outline the details of the attack and offer tips and recommendations on how they could defend themselves from future attacks. Imagine how valuable these types of findings would be to a music industry executive?)

Now the other part of the site that we’ll make use of is the Index Tab. I thought this was ideal because it hints at exclusivity. It plays on the psychology of the victim in such a way that it makes them feel “chosen”.

Here’s the original invite code presented along with the same message reconstructed by the attacker. Look here to see how the page looks on the actual site.

Now here’s the attacker’s message, mind you, presented to the victims in the form of an email:

“Invitation codes were provided in the past to select bands for testing purposes. We are no longer accepting nor using invitation codes. Instead, we have set up an exclusive screening process for all artists/bands. We will now send you an email containing the link to an exclusive page that we have created for all artists and bands located here on this [NAME OF SOCIAL MEDIA SITE]. Follow the link inside of the email and sign into the site using your current credentials. (Note: we’ve created an exclusive page to ensure the privacy and integrity of our members’ accounts. Once you log in you’ll be directed to the official public page of this social media site. At this point, there’s nothing more that you need to do. Your account will have been automatically created for you.) You will receive an email asking you to confirm your account. Music Will Never Be The Same! Click on this link [the attacker’s IP address] to be invited into the revolution.”

Now this is just a very basic case study. It is in no way intended to point out a vulnerability in the Gazzmic Movement and what they have going over there. Nor was it meant to instruct one in the use of tools like the Social-Engineering Toolkit. If you wish to learn more about the tool and its usage you can either visit the link provided at the top of this post or just Google it on your own. There’s tons of information covering it. This was just an example pointing out one of the ways an attacker could carry out a social-engineering attack in the arena of the online music industry. People love music. People love having a shot at being the star. But people are vulnerable, my friend. Humans…can be hacked!
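Seen from the defender's side, both lure emails above share three traits: a link whose host is a bare IP address, a request to sign in with existing credentials, and exclusivity wording. The following Python triage sketch is an added example, not part of the original post; the phrase lists, weights, thresholds and sample messages are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed phrase lists, taken from the wording of the two lures in this post.
CREDENTIAL_PHRASES = ("sign into", "signing into", "current credentials",
                      "log in", "confirm your account")
EXCLUSIVITY_PHRASES = ("exclusive", "members only", "chosen you", "be invited")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def ip_literal_links(body):
    """Return every URL in body whose host is a bare IPv4/IPv6 address."""
    hits = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;)")           # drop trailing sentence punctuation
        try:
            host = urlsplit(url).hostname
            ipaddress.ip_address(host or "")
        except ValueError:                 # a DNS name or malformed URL
            continue
        hits.append(url)
    return hits


def score_message(body):
    """Score a message body; weights and thresholds are illustrative."""
    text = body.lower()
    findings = []
    links = ip_literal_links(body)
    if links:
        findings.append(("ip_literal_link", 3, links))
    cred = [p for p in CREDENTIAL_PHRASES if p in text]
    if cred:
        findings.append(("credential_request", 2, cred))
    excl = [p for p in EXCLUSIVITY_PHRASES if p in text]
    if excl:
        findings.append(("exclusivity_lure", 1, excl))
    score = sum(weight for _, weight, _ in findings)
    verdict = "quarantine" if score >= 5 else "review" if score >= 3 else "deliver"
    return {"score": score, "verdict": verdict, "findings": findings}


# Constructed samples; the addresses are from the RFC 5737 documentation ranges.
LURE = ("We've created a members only access page. By signing into this page "
        "you will be directed to the official public page. You will receive a "
        "follow-up email asking you to confirm your account. "
        "Click here http://203.0.113.7/members to begin the revolution.")
BENIGN = ("New tour dates are up at https://www.example.org/tour. "
          "Log in on the site to see presale times.")
LAN_NOTE = "Router admin page is at http://192.0.2.10/ for the studio LAN."

if __name__ == "__main__":
    for name, msg in (("lure", LURE), ("benign", BENIGN), ("lan", LAN_NOTE)):
        print(name, score_message(msg))
```

No single signal decides the verdict here: a login reminder or an internal IP link on its own stays below the quarantine threshold, while the combination seen in the lures crosses it.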

Find more interesting topics like this one covered at The Hacker High School.

Just One Of The Reasons Why I Love Anonymous

Generally, in battle, use the normal force to engage and use the extraordinary to win. Now, to a commander adept at the use of extraordinary forces, his resources are as infinite as the heaven and earth, as inexhaustible as the flow of the running rivers. They end and begin again like the motions of the sun and moon. They die away and then are reborn like the changing of the four seasons. -Sun Tzu

In the world of cyber-security things transform at the speed of light, from exploits to methods. What worked yesterday is not promised to be the solution tomorrow. Given that a vast majority of everyone’s lives are being conducted online, ethical problem-solving students would do themselves as well as their dependents a huge favor by studying the ways of the infamous idea known to us as Anonymous. And before you make the claim that you do not shine the ethical light upon the activities of “the idea”, I’d propose that you examine the definition of ethical hacking through the context of intention to weigh whether or not an attack/hack is ethical. Now….

I have not searched the actual statistics on missing children, teens, and adults who’ve vanished in recent times vs. a few years prior, give or take, so I don’t have actual numbers to go by. However, just going by the news and the increase of missing-people posters around…it’s safe to say that either those numbers have increased or the notification system(s) that we have in place these days have evolved to the point of more people having access to these numbers. Or a combination of both. What can’t be denied is that communication devices of some sort, being a must-have for everyone, have played a major role in society having access to real-time information. And social media is by far the most successful and reliable means of getting information delivered to a massive number of people in a very short amount of time if the channel is correctly exploited. Which brings me to this….

Kids come up missing every day that society doesn’t even know about or hasn’t been made aware of until it becomes too late. Sure, we have the Amber Alert (and have had the Amber Alert for quite some time now), but if we were to compare the results of the Amber Alert with Twitter or everyone’s favorite, Facebook, when it comes to getting important information noticed, the Amber Alert pales in comparison. Take the example of the cool kid who makes a video with a smartphone, uploads it to YouTube, then shares it on Facebook = Viral. Some entertainer or athlete does something out of the ordinary and Tweets about it = Trending Topic. On the other hand, baby Kyron comes up missing and we’re still waiting to hear back from him. An unfortunate dilemma indeed. When I look at these situations through the eyes of an ethical problem solver I think to myself: what if there was an application that worked across platforms and blogs in such a way that anytime someone’s child came up missing, the use of this application would ping everyone’s account on all social media channels, updating their status to display the news of the missing person? Although we do have applications capable of delivering such a result (in theory it would be relatively simple to pull off), we also have tons of policies and security mechanisms in place to prevent those applications from performing as such. Not that the service wouldn’t be noble and ethical. Far from that. It’s just that within such an application lies the potential for abuse by not so ethical individuals who harbor a habit to tinker. So on a grand scale, ideas like these, if implemented then abused, produce their own devastation, which actually hinders the situation as opposed to helping it.

So the idea is fine. But such an idea is still just…“an idea”. The idea alone doesn’t do justice should the situation arise where it could be of immediate benefit to one of your missing family members and you need this message spread far and wide….while in the meantime…. Tom, Dick, and Harry are Trending on Twitter. What do you as a parent do in such a situation? How about trying a variation on something that I did when I was faced with such a dilemma?

The scenario: Your teenager gets into a verbal disagreement with the grandparents (whom she’s living with at the time) and it spirals out of control to the point of the kid leaving the house. Cool. It happens. (We’re teens, they’re old and not hip to our lives so we’re leaving.) No big deal. It’s called growing up…it happens. But it’s happened and your teen does not come back to the house! Not only has your teen not returned to the house, but your teen has not even made a phone call back to the house. Enough time has passed to where your family now has a situation on their hands. Your teen is officially M.I.A. She hasn’t called and now you have family members spread across the entire United States starving themselves and not sleeping.

The solution: Approach the situation as if it were a penetration test. Define your immediate objectives. And proceed with the Information Gathering phase. We are all aware of the massive number of reliable tools at our disposal to perform this phase of the test. The overall objective is to initiate contact with the missing person, if for no other primary reason than just to know that person is alive and safe = everyone in the family can now eat and go to sleep. :) Here’s what you do:

  1. Footprint the missing person’s social network (for best known working results: Facebook).
  2. Identify all potential targets associated with your victim = missing person. Initially you want to look at those closely associated and involved with the person’s life on a day to day basis, but in the end you want the exploit executed in such a way that everyone’s account will either directly or indirectly be pinged by your delivered payload = message to get the teen to contact someone and let them know that they are still alive. (In order to up the possibility of your exploit being a success, the content of your message is important here. The more graphic and emotional the better. Get creative, i.e. make a home video expressing your concerns etc.)
  3. Ping the social network for all alive targets on the network. Remember…timing is everything.
  4. Flood the wall and the message box of your victim and all alive targets that you discovered in your foot-printing phase with your payload. (Flooding in most social networks is considered an act of spamming. However, at this point I doubt that either you as the parent or the recipients of the payload who claim to love this person would be too upset given the circumstances. Regardless…you have an objective. By design, the flood will get some reaction triggered, and no matter what the reaction of the recipient of the payload is, that reaction will accomplish that objective = the contact with the missing person. Quick note to the parents here: be prepared for another argument with your teen over how their friends think that they’re a loser because of what you did to their accounts. This is the time that you can kindly remind them to blame no one but themselves and that it’s all a result of their initial actions in the first place. Hence…the other argument.)

The result: Not even ten minutes after delivering the payload = Contact was initiated. :)

With that being said, this is just one of the reasons why I love the “idea” that we’ve come to know and love as Anonymous. At a time when everyone around me has exhausted all other options (oh…did I forget to mention that those who protect and serve us were notified = nothing that we can do…she’s 17) and I’m faced with being a parent asking myself what is it that I can do? It’s one of those times when you draw upon all of your knowledge of hacking and ask yourself…“Hmm, I wonder what Anonymous would do?”

Although the aim of this post was not to arm one with the skills to protect themselves and their loved ones, tactics like the one used above plus a multitude of others can be acquired and further explained at The Hackers High School.

How To Crack The Code And Think Like The Enemy

Now, the reason that the enlightened sovereign and the wise general conquer the enemy whenever they move and their achievements surpass those of ordinary men is that they have foreknowledge. This “foreknowledge” cannot be elicited from spirits, nor from gods, nor by analogy with the past events, nor by any deductive calculations. It must be obtained from the men who know the enemy situation. -Sun Tzu

If you’ve ever experienced this then you’ll know exactly where I’m coming from. If not, let me be the first to wish it upon the entire human population. It’s called: One Of Those Moments!

So I’m at the local bowling alley and there’s this guy we’ll call Diablo, to protect the innocent. Remember: We never snitch.

Out of nowhere, the guy starts rattling off pieces of my blog. VERBATIM. Telling me how much he reads and looks forward to my posts.

So like I said…if you’ve experienced that…then you know where I’m coming from. However….

This is…Not A Game; This is…Not why we Came!

On behalf of all ethical hacking students, here’s a lesson that hasn’t been stressed enough in our training, guys:

  1. What they are not teaching you. “The enemy is not homogenous. Just like there is not just one foreign language, there is not one type of enemy. And among those enemy attackers, not all think alike. Even those joined together under a common mission or goal, there is often division in how to accomplish that goal.

    So which type of enemy are you learning to think like? The fanatic? The prankster? The desperate? The lonely? The zealous? The frustrated? The crazy? The poor? And even then, can you really think like them when they embody a mindset built from years of thinking and living a certain way? Can you really understand the motives of an attacker when your large take-out coffee might equal a day of their wages? We like to think we can because movies tell us it’s possible. But it’s not. For a little perspective, consider how many times have you heard from a friend/neighbor that they don’t worry about intruders because they have a dog? And criminals don’t have dogs? Some types of criminals have dog rings where the meanest dogs fight each other and these criminals have no problem handling those dogs. Just because you or your neighbors find a big, barking dog alarming or intimidating doesn’t mean the attacker will. To not understand that is to already admit you might not be in their mindset. But if you can, let’s try something harder: now try to think in the mindset that it’s a morally correct and civilized thing to blow up a crowded market or a federal building. I can get even harsher, but it’ll likely get censored here… so catch me at a seminar to discuss this further.”

So what’s the code and how do we crack it? The code is the Omertà, the code of silence:

Omertà is a code of silence, according to one of the first Mafia researchers Antonio Cutrera, a former officer of public security, that seals lips of men even in their own defense and even when the accused is innocent of charged crimes. Cutrera quoted a native saying first uttered (so goes the legend) by a wounded man to his assailant: “If I live, I’ll kill you. If I die, I forgive you.”

So…being an ethical problem-solving student myself, I see the Omertà code from a scientific point of view. Why not, as programmers, creators, problem solvers, protectors, write an Omertà code for security? Don’t know how to program? How could you even dream of being a security professional? Here’s one place to start. Hmm…let’s see. There’s another. But the list goes on. And so do security breaches!

It’s very likely you trust way too much for far too little reason. And you likely trust in the wrong way. People generally don’t discriminate what they trust where so that they will take financial advice from their dentist and dental advice from a close friend. Just because they trust them. Some people will trust corporations with their private lives and private info. Others even trust their politicians to actually represent them and have their best interests at heart. But in reality we need to have reasons to trust someone or something and having these reasons makes it very hard to be duped. In an ISECOM research project, 10 criteria were classified for trusting someone or something. And we find in practice most people are satisfied with just one of those criteria being met. Usually it’s consistency, the trust criterion that shows this has happened to us before. Even the truly cynical however are still often satisfied with just 3 of the 10. We can blame society!

Generally, whether it be armies that you wish to strike, cities that you wish to attack, or individuals whom you wish to assassinate, it is necessary to find out the names of the garrison commander, the aides-de-camp, the ushers, the gatekeepers, and the bodyguards. You must instruct your spies to ascertain these matters in minute detail. – Sun Tzu
