- He who hacks for blood soon finds it dripping from his own terminal.
- He who hacks for fame and glory never stays free long enough to hear his songs of victory sung.
- He who hacks for gold is already blinded by the glitter and glare of his own greed, all too soon led astray by all things shiny.
- He who hacks for sport seldom finds the network administrators in a sporting mood.
- He who hacks for the love of it must leave what he loves the most behind so he can dance with the one he hates the most.— The Federal Correctional System
- But he who hacks for security cannot be led astray.
(The above is what I call “The Hackers Six Movers”.)
First of all, it must be borne in mind that training for Kung-Fu Hacking is very demanding, calling for great discipline; and discipline in this field is defined more by what you do not do than by what you do. This art calls for great endurance, perseverance, determination, as well as time and effort. Patience must be your greatest effort. Master Kung-Fu Hackers are not born overnight. As a matter of fact, some of the greatest hackers to date have been quoted as saying that it takes a minimum of 10 years before one becomes adept in the art. But the result is very rewarding, and the extent of your reward depends mainly on how much “purposeful practice and training” you have put in. Aimless training and practice, as was stated in part one of Kung-Fu Hacking, is a huge waste of time. It is therefore helpful to have some idea of your aims and objectives.
Aims are general in nature and long-term in perspective, whereas objectives are specific and immediate. How well we have achieved our aims calls for some subjective judgement, whereas the attainment of our objectives can be determined categorically.
A major aim of Kung-Fu Hacking training, for instance, is System Security, or more so being able to secure your own systems. This ability to defend ourselves is a general asset, and has long-term benefits as more and more vulnerabilities become exploitable by the general public. Generally we do not set a specific time frame for acquiring this aim; we adopt the attitude that as long as we keep on learning, practicing, and training, we will enhance our ability to defend ourselves. As the old adage goes: “before one can protect others he must first be able to protect himself”. We are clear that if we fail to defend ourselves effectively in cyber-warfare, it means that we have failed in our aim. Sometimes we may set a time frame for our aim, but the period is usually reckoned in years rather than months, all the while waiting for someone to try to successfully attack our systems. (Unless of course we hire a professional penetration team to exploit our systems in order to see where we really stand overall in the realm of security.) Otherwise it may not be easy for us to measure objectively how well we have achieved our aim. For example, we can say that we have achieved our aim of self-defense if we can effectively defend ourselves against a single attacker; but when we are faced with a group of attackers, let’s say a Hacktivist Group that targets our organization for “whatever reason”, we may falter.
On the other hand, we may set an objective to acquire the knowledge and skills to defend ourselves against web application attacks within six months. Or from an offensive security point of view we set the objective to acquire the skills to launch successful attacks against web applications in a six month time frame. Hence, our objective is specific: for the time being we limit ourselves to defending against these types of attacks or learning how to carry out these types of attacks…leaving other types of attacks to be covered by later objectives. We can go a step further and be more specific by deciding on the types of web application attacks we want to defend against or learn to carry out. As we have set a time frame of six months, our objective is also immediate: we are not pursuing this objective indefinitely. We can easily decide whether we have achieved our objective within our set time. For example, after six months of training we can ask a few fellow hacking buddies to try to exploit our web applications using the types of attacks we have defined; or we can conversely set up a vulnerable system of our own in a virtual lab and try out these attacks ourselves.
Above all, even though aims and objectives are closely related, an appreciation of the distinction contributes to our monitoring of our Kung-Fu Hacking practice and training. Aims and objectives provide us with direction and purpose in our Kung-Fu Hacking training, thus enabling us to achieve better results more quickly.
“Test your systems with fire and ice, sand and sea, bile and blood….before your attackers do!”
Conquest is easy. Control is not.—Khan Noonian Singh
Stay on the lookout for the terrorist Mr. L-O-C, all I need is some dip, and a couple o’ sticks of T.N.T. To bring this mutha fucker down like four flat tires, 86ing is my mission….dismissing tricks for hire. No mercy on the lives that got took off in that quake, diesel fuel and fertilizer, will make ah’ nigga block shake. Starting playing with nines, them moved to something bigger, now I’m working through the miz-ail…bombing on deliver.
Slightly seal the package, then I set the timer…I’m the SA-Town Assassin, worldwide Unabomber. Just a little off my rocker, conceived as a menace, I’m a loc until I die, til’ that day I’m never finished. Take my work to College Hills, perform it on your daughter..when I fall up out ya hood it’s gon’ look like Pearl Harbor. Bentwood and Pinehurst…you ho’s better run; C & C Estates, Southwest here I come!
Niggaz struggle in my hood, but y’all don’t give a fuck, so the whole Concho Valley…Tom Green better duck. Everybody with authority, get out my way- City Hall’s coming down when I have a bad day. The county jail and the courthouse is getting is done, when I get the extra time, I’m gon’ turn that bitch to crumbs.
I hooked up with this nigga straight out of the military, who gave me what I needed, to start me an obituary. Killer, killer, killer- killing on the cool…Westside lunatic, with the mind of a Damn Fool! I’m the one that told Koresh ( David Koresh ) to go out like a scout, had em’ all in that fort yelling, “ We Ain’t Coming Out ” ! [Waco.]
F.B.I. tried to fade us, we put em’ on a freeze…left you pigs full of holes like a block of cottage cheese. You tried to burn us up, and thought you killed Koresh, but you didn’t cause he’s living deeply planted in my flesh. Schizophrenically insane, a
Charles Manson figure, the only difference is he’s a whacker…and I’m a real nigga! Daily chances for survival, is getting kinda slim, I’m the nation’s most wanted; BKA- double M. That lic that happened in that Luby’s in Killeen wasn’t it, but that Oklahoma bombing was the mutha fucking SHIT! When it comes to pulling murders, I’ll always hold the title, Jeffrey Dahmer
is my nigga,
Jim Jones is my idol. In the body form I’m one, personality I’m two, they tried to lock me up in Rush, they tried to lock me up in Skyview. But they couldn’t hold me, cause I was bringing noise…let my conscience get me crunk like the
John Gotti Boys.
I’m hungry for destruction, that’s the reason why I’m agg, every prison in this country’s getting dropped to the slab. Hold a grudge against society, that’s how I am….a Young Nigga with a complex that doesn’t give a damn. Schizophrenically insane. Stay out of my path…I reach a natural high when I hear the devils laugh. If you living then you dying, there ain’t no pity…and don’t let it slip your mind what I done in New York City to the World Trade Center! I’m the SA-Town Assassin….bitch.
Reward all those wise enough to join you, utterly crush all who oppose you and do so in so savage a manner as to completely cower any others who might dream of resisting your will.
“With the right information, you can attain in six months what uninformed students would not attain in many years”
In this post the term “Hacking-Kung Fu” is being used to point out the similarities between Hacking and Kung Fu. Thus, one should read the term Hacking-Kung Fu with the understanding that the two words, Hacking and Kung Fu, are being used interchangeably across the two respective disciplines.
Getting Better Results in a Shorter Time
Kung Fu, like Hacking (or any other art for that matter), is a practical affair, not just a question of gathering knowledge. In other words, one becomes proficient in both disciplines through hard, regular practice, not by reading about it. Nevertheless, some background information is not only useful but necessary; otherwise the student may waste a lot of time groping about in the dark.
While many people spend years practicing Kung Fu and achieve little, some spend only a third of the time and achieve a great deal. The main reason is that while the first group learn aimlessly, usually by acquiring more and more sets or exploits without improving their force or practical Hacking-Kung Fu skills, the second group know exactly what they want to get from Hacking-Kung Fu and pursue their objectives accordingly.
To be able to set the appropriate objectives for getting the most from your training, it is necessary to have a clear understanding of the scope and depth of Hacking-Kung Fu, including its history, philosophy and various styles. See here for a historical perspective of hacking and its philosophy: http://www.catb.org/~esr/faqs/hacker-howto.html. For example, if you are unaware of the four dimensions of Kung Fu (form, force, application and philosophy) you may carry on learning sets for many years, and perhaps also teach them, but your training will be incomplete. Likewise, if you are unaware of the phases of ethical hacking (Reconnaissance, Scanning and Enumeration, Gaining access, Maintaining access (escalation of privileges), and Covering your tracks) you may also carry on learning exploits for many years with the end result being an incomplete training. And since form is in many ways the least important aspect of Hacking or Kung Fu, you will at best achieve less than 28 per cent of what you could have done had you been more informed.
Worse still, people with this superficial knowledge may be mistaken for Kung Fu Hacking masters, especially if they are elderly, simply on the basis that they have taught the art for many years and now hold various certifications on the subject. Even if they hide nothing from their students, there is not much the students can learn apart from ‘flowery fists and embroidered kicks’. Translated: Script-Kiddies! Such masters may, wittingly or unwittingly, give the impression that they know more than what they are teaching. If they are asked questions touching on the deeper aspects of Hacking-Kung Fu (i.e., underground BlackHat tactics), they will often give excuses to cover their lack of knowledge, such as that the answers are too profound or complex for “beginning students” to understand. If the students suggest sparring practice or actual demonstrations of exploiting a real system, the ‘masters’ may become angry and reprimand them, warning them that Hacking-Kung Fu is too dangerous for them to fool around with, or that they should practise it for their own intellectual health. Students who are uninformed will continue learning from these teachers, and they in turn will succeed them and teach only ‘flowery fists and embroidered kicks’. This is in fact what has been happening for at least a decade in the cyber-security field, with the result that much of Kung Fu-Hacking today has been degraded into a merely demonstrative form.
Having a theoretical understanding of Kung Fu-Hacking enables you to realize that there is much more to it than merely learning form or exploits. Such an understanding will lead you, if you are still not able to confidently defend yourself in real world situations or compromise systems outside of lab environments, to ask why. The reasons can be traced to three factors, called the Three Requirements for Attainment, which will be explained in the next section.
The Three Requirements for Attainment
There are countless reasons why students fail to achieve their objectives in their Kung Fu-Hacking training, but to help us understand the factors that contribute to success, great masters have, from their long years of study and experience, summarized them into what are called the Three Requirements for Attainment. If you have these three requirements, you will succeed in whatever you set out to do, in Kung Fu, Hacking, or any other field. These three requirements are the method, the teacher and the student.
Obviously if you do not have the method you cannot even start training towards your objective. For example, you may like to acquire the art of Iron Palm or attacking Web Applications, but without the method you cannot practice. If you ever acquire Iron Palm or the art of attacking Web Applications on your own, it will be by sheer luck and will take a very long time. Moreover, the result is unlikely to be as good as that developed from the proper method, and you may have harmful side effects.
But more important than the method is the teacher. Nowadays one can read up on many Kung Fu-Hacking training methods from books, web sites, and blogs, but without the instruction of a competent teacher it is difficult, though not impossible, to get good results, especially in the more advanced inner arts. There are at least two reasons why a teacher is necessary. First, the teacher can explain the finer points and overcome individual problems, both of which cannot be done adequately in books or blogs. The second reason is more important, although it is less obvious. The teacher provides the confidence students need, so that they are assured that whatever happens the teacher is around to help, sometimes even save, them.
Taking time choosing a good teacher is highly recommended. Even if you have to pay a higher training fee, learning from a good teacher is always more cost- and time-effective. But what are the qualities we should look for in good teachers? Here are five guidelines.
- They must have achieved a reasonably high standard in the art they are teaching.
- They must be knowledgeable. If you ask how you can achieve your objectives or any other relevant questions, they should provide satisfactory answers.
- They should preferably be systematic and methodical, and have the means to help you accomplish your objectives.
- Even if they have all the other qualities, they must also be generous and willing to teach you, otherwise you must seek another teacher or try to overcome the obstacles that prevent them from teaching you.
- The most important quality, however, the quality that distinguishes true Kung Fu-Hacking masters, is that they teach and practice high moral values. See http://www.hackerhighschool.org/, also see http://hackingdojo.com/, and especially see http://www.elearnsecurity.com/.
The most important requirement for attainment in any art, however, is not the teacher but the student. You may have the best method and the best teacher, but if you are unwilling or not ready, you will not achieve the objectives of your training. When you have the right method and a competent teacher, what you need to do is in theory very simple: you merely have to practise regularly and persistently according to the method and teaching. But in reality, regular and persistent practice can be very difficult. Lack of practice, probably more than anything else, is the reason why many students fail in their objectives.
Stay tuned for Part 2….
My so humble bows go out to Master Wong Kiew Kit. I’m honored and grateful for the wisdom that you bestow upon the Sangha.
It is a doctrine of war that we must not rely on the likelihood of the enemy not coming, but on our own readiness to meet him: not on the chance of his not attacking, but on the fact that we have made our position invincible- Sun Tzu
Part 1: Targeting Artist & Fans using social-engineering tactics
Sample site: Gazzmic.com
When it comes to the vulnerabilities presented by the online aspects of the music industry, the opportunities for penetration testers to employ their skills are far and wide. However, as numerous as these opportunities may be, they are still for the most part overlooked. And with great peril.
Think about something for a moment. When’s the last time that you or anyone that you know has gone into a brick and mortar record store and purchased the music that you felt like listening to? Why would you when you can just as well go online and obtain whatever type of music suits your taste for free or at a far lesser price than what you’d pay at the record store? Sometimes what you pay for that music may be as simple as registering to a site and creating an account. Ta’Dah! Unlimited music. It cost you nothing. Or did it?
We’re all aware that there are computer systems floating around in cyber-space minding their own business without any human interaction. However, I personally stand on the belief that behind every active operating system online there is a human being at the other end of it. And humans my friend, are vulnerable. Human beings can be hacked. And so the story begins…If I were an attacker.
If I were an attacker and I decided to go phishing into this gigantic ocean called the music industry, here’s an example of how I could very easily put together a social-engineering scheme. We’ll take this website as our target. Mainly because I am personally okay with one of the writers over there. I am a die-hard fan of the Gazzmic Revolution. But more so, the entire theme of this site to me was a perfect model for showing how easily an attacker could take just the content of the site alone and use it against itself to craft a social-engineering scheme. (Note: Notice how in this example the actual web site was never even tampered with by the attacker. All gathered information was passive in nature.)
The attacker would be making use of only two tabs within the entire site to construct his scheme around. Namely, The Gazzmic Manifesto Tab and The Invite Code tab.
Now. Whoever wrote The Gazzmic Manifesto did one hell of a good job. That Manifesto reads brilliantly. However, an imaginative social engineer could very easily fire up SET in conjunction with The Harvester and have a mighty fun field day with the content and theme of this site by making use of the mass mailer attack. Here’s how the original Manifesto reads:
Now imagine an astronomical number of artists and fans being targeted with an email containing the original manifesto with the last line reconstructed to read:
Join The Gazzmic Revolution!
Gazzmic is your revolution. We believe that we are on the cusp of a new Renaissance in music, made possible by web technology. Fear not the future! Join the grass-roots movement that will take on the corporate giants head-on. With your help, we can take back music for the artists and fans. That’s why we’ve exclusively chosen you as one of our artist/fans to be featured in our upcoming SKYPE interviews where you’ll have the opportunity to introduce the world to the new revolution. Remember, this is your revolution!
To assist our artists/fans with claiming their exclusive spot in the revolution, we’ve created a members only access page on [NAME OF SOCIAL MEDIA SITE]. This link will direct you to a custom page that we’ve created for security purposes to protect the privacy and integrity of our members. By signing into this page you will be directed to the official public page. At this point there’s nothing more to do. You’re account will be automatically created. You will receive a follow-up email asking you to confirm your account. Click here [link with attackers ip address] to begin the revolution.
(Of course, given that the victim fell for the attack, if you were an attacker the results are apparent right there inside your command terminal. If on the other hand you were a penetration tester, depending on the scope of the penetration test, you could send follow-up emails to all of the victims containing their usernames and passwords, revealing to them that their accounts have been compromised. You could even outline the details of the attack and offer tips and recommendations on how they could defend themselves from future attacks. Imagine how valuable these types of findings would be to a music industry executive?)
Now the other part of the site that we’ll make use of is the Index Tab. I thought this was ideal because it hints at exclusivity. It plays on the psychology of the victim in such a way that it makes them feel “chosen”.
Here’s the original invite code presented along with the same message reconstructed by the attacker. Look here to see how the page looks on the actual site.
Now here’s the attacker’s message, mind you, presented to the victims in the form of an email:
“Invitation codes were provided in the past to select bands for testing purposes. We are no longer accepting nor using invitation codes. Instead, we have set up an exclusive screening process of all artist/bands. We will now send you an email containing the link to an exclusive page that we have created for all artist and bands located here on this [NAME OF SOCIAL MEDIA SITE] Follow the link inside of the email and sign into the site using your current credentials. (Note: we’ve created an exclusive page to ensure the privacy and integrity of our members accounts. Once you log in you’ll be directed to the official public page of this social media site. At this point, there’s nothing more that you need to do. You’re account will have been automatically created for you.) You will receive an email asking you to confirm your account. Music Will Never Be The Same! Click on this link [the attackers ip address] to be invited into the revolution.”
Now this is just a very basic case study. It is in no way intended to point out a vulnerability in the Gazzmic Movement and what they have going over there. Nor was it meant to instruct one in the use of tools like The Social-Engineering Tool Kit. If you wish to learn more about the tool and its usage you can either visit the link provided at the top of this post or just Google it on your own. There’s tons of information covering it. This was just an example pointing out one of the ways an attacker could carry out a social-engineering attack in the arena of the online music industry. People love music. People love having the shot at being the star. But people are vulnerable, my friend. Humans…can be hacked!
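Seen from the receiving side, both lure emails in this case study share two things a mail filter can check: the link points at a bare IP address, and the text asks the reader to sign in with existing credentials on a "custom" page. The following is an added example, not code from this post or from SET; the phrase list, the scoring weights, the `.example` domains and both sample messages are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumed phrase list, modelled on the wording of the two lure emails quoted above.
LURE_PHRASES = (
    "sign into", "signing into", "current credentials",
    "confirm your account", "automatically created", "exclusive",
)
URL_RE = re.compile(r"https?://[^\s\"'<>\])]+", re.IGNORECASE)


def body_text(msg: Message) -> str:
    """Join every text/* part so links in an HTML alternative are scanned too."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def is_ip_literal(host: str) -> bool:
    """True for dotted IPv4, IPv6, and the all-digits form browsers read as IPv4."""
    if host.isdigit():
        return int(host) < 2 ** 32
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def analyse(raw: str) -> dict:
    """Score one RFC 5322 message; weights and threshold are illustrative."""
    msg = message_from_string(raw)
    text = body_text(msg)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    ip_links, offsite_links = [], []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:!?")          # drop sentence punctuation glued to the URL
        try:
            host = (urlsplit(url).hostname or "").lower()
        except ValueError:                  # malformed bracketed host
            continue
        if is_ip_literal(host):
            ip_links.append(url)
        elif sender_domain and host != sender_domain \
                and not host.endswith("." + sender_domain):
            offsite_links.append(url)
    flat = " ".join(text.lower().split())   # phrases may wrap across lines
    phrases = [p for p in LURE_PHRASES if p in flat]
    score = 3 * bool(ip_links) + bool(offsite_links) + min(len(phrases), 3)
    return {"ip_links": ip_links, "offsite_links": offsite_links,
            "lure_phrases": phrases, "score": score, "quarantine": score >= 4}


# Constructed sample: same shape as the lure in the post (203.0.113.0/24 is a
# documentation-only address range).
LURE = """\
From: Music Revolution <team@music-site.example>
To: artist@example.org
Subject: Your exclusive invitation

We have created an exclusive members only page. Follow the link and sign into
the page using your current credentials. Your account will be automatically
created and you will receive an email asking you to confirm your account.
Click here: http://203.0.113.7/login to begin.
"""

# Constructed sample: an ordinary newsletter linking back to the sender's own domain.
BENIGN = """\
From: Music Site <news@music-site.example>
To: artist@example.org
Subject: New releases this week

Three new albums are up. Listen at https://www.music-site.example/new
"""

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("benign", BENIGN)):
        print(name, analyse(raw))
```

A filter like this catches the laziest form of the lure only; a link on a look-alike domain lands in `offsite_links` and needs reputation or allow-list checks on top.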
Find more interesting topics like this one covered at The Hacker High School.
Generally, in battle, use the normal force to engage and use the extraordinary to win. Now, to a commander adept at the use of extraordinary forces, his resources are as infinite as the heaven and earth, as inexhaustible as the flow of the running rivers. They end and begin again like the motions of the sun and moon. They die away and then are reborn like the changing of the four seasons. -Sun Tzu
In the world of cyber-security things transform at the speed of light. From exploits to methods. What worked yesterday is not promised to be the solution tomorrow. Given that a vast majority of everyone’s lives are being conducted online, ethical problem solving students would do themselves as well as their dependents a huge favor and study the ways of the infamous idea known to us as Anonymous. And before you make the claim that you do not shine the ethical light upon the activities of “the idea”, I’d propose that you examine the definition of ethical hacking through the context of intention to weigh whether or not an attack/hack is ethical. Now….
I have not searched the actual statistics on missing children, teens, and adults who’ve vanished in recent times vs. a few years prior, give or take, so I don’t have actual numbers to go by. However, just going by the news and the increase of missing people posters around…it’s safe to say that either those numbers have increased or the notification system(s) that we have in place these days have evolved to the point of more people having access to these numbers. Or a combination of both. What can’t be denied is that communication devices of some sort, being a must-have for everyone, have played a major role in society having access to real time information. And social media is by far the most successful and reliable means of getting information delivered to a massive amount of people in a very short amount of time if the channel is correctly exploited. Which brings me to this….
Kids come up missing every day that society doesn’t even know about or hasn’t been made aware of until it becomes too late. Sure, we have the Amber Alert (and have had the Amber Alert for quite some time now), but if we were to compare the results of the Amber Alert with Twitter or everyone’s favorite Facebook, when it comes to getting important information noticed, the Amber Alert pales in comparison. Take the example of the cool kid who makes a video with a smartphone, uploads it to YouTube, then shares it on Facebook = Viral. Some entertainer or athlete does something out of the ordinary and Tweets about it = Trending Topic. On the other hand, baby Kyron comes up missing and we’re still waiting to hear back from him. http://www.aolnews.com/2010/06/08/no-sign-yet-of-missing-7-year-old-oregon-boy/ An unfortunate dilemma indeed. When I look at these situations through the eyes of an ethical problem solver I think to myself: what if there was such an application that worked across platforms and blogs in such a way to where anytime someone’s child came up missing, the use of this application would ping everyone’s account on all social media channels, updating their status to display the news of the missing person? Although we do have applications capable of delivering such a result (in theory it would be relatively simple to pull off), we also have tons of policies and security mechanisms in place to prevent those applications from performing as such. Not that the service wouldn’t be noble and ethical. Far from that. It’s just that within such an application lies the potential for abuse by not so ethical individuals who harbor a habit to tinker. So on a grand scale, ideas like these, if implemented and then abused, produce their own devastation, which actually hinders the situation as opposed to helping it.
So the idea is fine. But such an idea is still just…“an idea”. The idea alone doesn’t do justice should the situation arise where it could be of immediate benefit to one of your missing family members and you need this message spread far and wide….while in the meantime…. Tom, Dick, and Harry are Trending on Twitter. What do you as a parent do in such a situation? How about trying a variation on something that I did when I was faced with such a dilemma?
The scenario: Your teenager gets into a verbal disagreement with the grandparents ( whom she’s living with at the time ) and it spirals out of control to the point of the kid leaving the house. Cool. It happens. (We’re teens, they’re old and not hip to our lives so we’re leaving. ) No big deal. It’s called growing up…it happens. But it’s happened and your teen does not come back to the house! Not only has your teen not returned to the house, but your teen has not even made a phone call back to the house. Enough time has passed to where your family now has a situation on their hands. Your teen is officially M.I.A. She hasn’t called and now you have family members spread across the entire United States starving themselves and not sleeping.
The solution: Approach the situation as if it were a penetration test. Define your immediate objectives. And proceed with the Information Gathering phase. We are all aware of the massive and reliable amount of tools at our disposal to perform this phase of the test. With the overall objective being to initiate contact with the missing person if for no other primary reason than just to know that person is alive and safe= everyone in the family can now eat and go to sleep. Here’s what you do:
- Footprint the missing person’s social network ( for best known working results- Facebook ).
- Identify all potential targets associated with your victim = missing person. Initially you want to look at those closely associated and involved with the person’s life on a day to day basis, but in the end you want the exploit executed in such a way that everyone’s account will either directly or indirectly be pinged by your delivered payload = message to get the teen to contact someone and let them know that they are still alive. (In order to up the possibility of your exploit being a success, the content of your message is important here. The more graphic and emotional the better. Get creative, i.e. make a home video expressing your concerns etc.)
- Ping the social network for all alive targets on the network. Remember…timing is everything.
- Flood the wall and the message box of your victim and all alive targets that you discovered in your foot-printing phase with your payload. (Flooding in most social networks is considered an act of spamming. However, at this point I doubt that you as the parent, or the recipients of the payload who claim to love this person, would be too upset given the circumstances. Regardless…you have an objective. By design, the flood will get some reaction triggered, and no matter what the reaction of the recipient of the payload is, that reaction will accomplish that objective = the contact with the missing person. Quick note to the parents here: be prepared for another argument with your teen over how their friends think that they’re a loser because of what you did to their accounts. This is the time that you can kindly remind them to blame no one but themselves and that it’s all a result of their initial actions in the first place. Hence…the other argument.)
The result: Not even ten minutes after delivering the payload = Contact was initiated.
With that being said. This is just one of the reasons why I love the “idea” that we’ve come to know and love as Anonymous. At a time when everyone around me has exhausted all other options (oh…did I forget to mention that those who protect and serve us were notified = nothing that we can do…she’s 17.) and I’m faced with being a parent asking myself what is it that I can do? It’s one of those times when you draw upon all of your knowledge of hacking and ask yourself…“Hmm, I wonder what Anonymous would do?”
Although the aim of this post was not to arm one with the skills to protect themselves and their loved ones, tactics like the one used above plus a multitude of others can be acquired and further explained at The Hackers High School. http://www.hackerhighschool.org
Now, the reason that the enlightened sovereign and the wise general conquer the enemy whenever they move and their achievements surpass those of ordinary men is that they have foreknowledge. This “foreknowledge” cannot be elicited from spirits, nor from gods, nor by analogy with the past events, nor by any deductive calculations. It must be obtained from the men who know the enemy situation. -Sun Tzu
If you’ve ever experienced this then you’ll know exactly where I’m coming from. If not, let me be the first to wish it upon the entire human population. It’s called: One Of Those Moments!
So I’m at the local bowling alley and this guy we’ll call – Diablo, to protect the innocent. Remember: We never snitch.
Out of nowhere, the guy starts rattling off pieces of my blog. VERBATIM. Telling me how much he reads and looks forward to my post.
So like I said…if you’ve experienced that..then you know where I’m coming from. However….
This is…Not A Game; This is…Not why we Came!
On behalf of all ethical hacking students; here’s a lesson that hasn’t been stressed enough in our training, guys:
- What they are not teaching you. “ The enemy is not homogenous. Just like there is not just one foreign language, there is not one type of enemy. And among those enemy attackers, not all think alike. Even those joined together under a common mission or goal, there is often division in how to accomplish that goal. http://arstechnica.com/tech-policy/news/2012/03/inside-the-hacking-of-stratfor-the-fbis-case-against-antisec-member-anarchaos.ars
So which type of enemy are you learning to think like? The fanatic? The prankster? The desperate? The lonely? The zealous? The frustrated? The crazy? The poor? And even then, can you really think like them when they embody a mindset built from years of thinking and living a certain way? Can you really understand the motives of an attacker when your large take-out coffee might equal a day of their wages? We like to think we can because movies tell us it’s possible. But it’s not. For a little perspective, consider how many times have you heard from a friend/neighbor that they don’t worry about intruders because they have a dog? And criminals don’t have dogs? Some types of criminals have dog rings where the meanest dogs fight each other and these criminals have no problem handling those dogs. Just because you or your neighbors find a big, barking dog alarming or intimidating doesn’t mean the attacker will. To not understand that is to already admit you might not be in their mindset. But if you can, let’s try something harder: now try to think in the mindset that it’s a morally correct and civilized thing to blow up a crowded market or a federal building. I can get even harsher, but it’ll likely get censored here… so catch me at a seminar to discuss this further. ” http://www.infosecisland.com/blogview/20607-What-They-Dont-Teach-You-in-Thinking-Like-the-Enemy-Classes.html
So what’s the code and how do we crack it? The code is The Omerta. The code of silence.
Omertà is a code of silence, according to one of the first Mafia researchers Antonio Cutrera, a former officer of public security, that seals lips of men even in their own defense and even when the accused is innocent of charged crimes. Cutrera quoted a native saying first uttered (so goes the legend) by a wounded man to his assailant: “If I live, I’ll kill you. If I die, I forgive you.” http://en.wikipedia.org/wiki/Omert%C3%A0
So..being an ethical problem solving student myself, I see the Omerta code from a scientific point of view. Why not, as programmers, creators, problem solvers, protectors, write an Omerta code for security? Don’t know how to program? How could you even dream of being a security professional? http://www.udacity.com/ Here’s one place to start. Hmm’…let’s see- http://www.hackerhighschool.org/ There’s another. But the list goes on. And so do security breaches!
“It’s very likely you trust way too much for far too little reason. And you likely trust in the wrong way. People generally don’t discriminate what they trust where so that they will take financial advice from their dentist and dental advice from a close friend. Just because they trust them. Some people will trust corporations with their private lives and private info. Others even trust their politicians to actually represent them and have their best interests at heart. But in reality we need to have reasons to trust someone or something and having these reasons makes it very hard to be duped. In an ISECOM research project, 10 criteria were classified for trusting someone or something. And we find in practice most people are satisfied with just one of those criteria being met. Usually it’s consistency, the trust criteria that shows this has happened to us before. Even the truly cynical however are still often satisfied with just 3 of the 10. We can blame society! ”
Generally, whether it be armies that you wish to strike, cities that you wish to attack, or individuals whom you wish to assassinate, it is necessary to find out the names of the garrison commander, the aides-de-camp, the ushers, the gatekeepers, and the bodyguards. You must instruct your spies to ascertain these matters in minute detail. – Sun Tzu
Generally, in war, the best thing of all is to take the enemy’s state whole and intact; to ruin it is inferior to this. To capture the enemy’s entire army is better than to destroy it; to take intact a battalion, a company, or a five-man squad is better than to destroy them. Hence, to win one hundred victories in one hundred battles is not the acme of skill. To subdue the enemy without fighting is the supreme excellence. – Sun Tzu
Today I had an interesting conversation with an Angel. The Angel wanted to know whether or not it were true that I bowed down and worshiped a statue when I prayed. I told the Angel that she was tripping in the “ West ”…there is no such statue. Only mind.
She told me that evil entered into the world through man and woman when they first partook of the forbidden fruit in the Garden Of Eden. I told her that there was no such garden nor such fruit. Only mind.
At this response the Angel seemed stunned and wanted to know my thoughts concerning The Christ. I told her that Jesus was a Buddhist and Buddha was a Christian. And what of Muhammad she asked? Muhammad? I told her that there was absolutely no one to be placed next to or to be compared against Muhammad. Muhammad is Muhammad. Muhammad is CHOSEN! The gods do work in mysterious ways; however, there are no such gods in existence that work. Only mind.
She then asked if I was going back into the Temple. I told her that no such Temple exists. Just mind only.
In my most recent post I cited a real life example of how I was so gracefully socially-engineered. http://petalocsta.com/2012/02/12/wow-was-i-just-socially-engineered/ ( Yes, all slippers count and that’s exactly one of the subtle ways social-engineers are able to slither their way inside to go with their move. ) Truth of the matter is that we live in a world filled with liars and cheats. Which leaves us to wonder- Under such a harsh reality…just how does one cope?
Although there are many tactics and strategies available to those willing to put in the minimum requirements involved in defending oneself against such imposters, I am of the opinion that when it comes to defending one’s system/network…these days and times we’re gonna need a little something more on top of just seeking refuge in our spiritual masters. Let’s have a look at what one of my close comrades, Mr. Pete Herzog, has to say about the issues that we face when it comes to living with lies and liars:
“ You security analysts will want to perfect your game in human security this March.
We have turned things around and can show you how people are broken and what you can do to fix them. So if you want to hold a security awareness course, teach family members to be safer, or even if you’ve just fallen for a scam or two before (or some bad love relationship) and want to know why, then this is what you should know. We did it like this because we know that it’s not being smarter about security. It’s about being smarter about why you do what you do and why you believe what you do.
Following that we dive deep into trust. Even if you don’t trust easily, the criteria we use by default to trust is heavily biased and usually just as largely incorrect. Trust is such an amazing tool that we can use it in so many ways yet so few have actually read the instruction manual. This is THAT manual. Learn to use trust to make the right risk decisions, hire the right people, understand and fix contracts, give the right people the right access to the right assets, and so much more. When it comes to trust in this world, you really will want to RTFM.
We live in a tough world full of liars and deceivers. Competition is fierce and unforgiving. People lie. But you don’t have to fall for it. It’s an important time to be a security analyst. It’s even more important to be a great security analyst. Know your trust. Know your triggers. Know yourself.
I hope to see many of you at Troopers in Heidelberg, Germany this March! It’s a great conference and we have these 2 great classes you’ll want to be a part of.
Smarter Safer Better
Mastering Trust, the Certified Trust Analyst
Sign up here:
See you there! ” -ala Pete Herzog
Thanks my friend. So here’s to living with lies and liars, y’all. Be there or be square. Square Business.
All warfare is based on deception. Therefore, when able to attack, we must pretend to be unable; when employing our forces, we must seem inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near…….
Okay. Regardless how on top of your game you may think that you are, people- when it comes to Social Engineering I really would like for you to be aware that IT CAN HAPPEN TO YOU. Period. As a matter of fact, I’ll even go so far as to say not only CAN it happen, but as sure as the Sun rises loyally every morning in the east and lowers in the west, it WILL HAPPEN. It’s only a question of when it’s going to happen and what flavor the tactic will present itself in. With that being said, let us proceed.
What exactly is “ Social Engineering ” ? Social Engineering is defined as the process of deceiving people into giving away access or confidential information. Wikipedia defines it as “the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim.” Although it has been given a bad name by the plethora of “free pizza”, “free coffee”, and “how to pick up chicks” sites, aspects of social engineering actually touch on many parts of daily life. Many consider social engineering to be the greatest risk to security. http://www.social-engineer.org/framework/Social_Engineering_Defined ( As defined on the official Social Engineering web site. )
So this guy walks into the motel. About an hour or so before I clock out for the night and hit the deuces. This guy, leather notebook in hand, wearing a navy blue jump suit with the white stripes down the side of the arms and the legs. A coach of some school or some kids by all means. I’m telling ya, this guy was freaking Jerry over at Penn State. ( I should shoot for the video footage so you could see this for yourself..really ). So he walks up to the desk and I’m like…thinking he has reservations, for his sake anyway because dude…we’re booked to the max. There’s an oil boom here are ya kidding me? But anyway, so he’s like no reservation..but how are we looking tomorrow? Tomorrow? Dude, tomorrow? It’s midnight now…what about tomorrow?
How is your internet service at the hotel, do you guys have a business center for the guest that has computers….with audio ability that can support my ear buds? Dude, are my ears and eyes deceiving me or are we really having this conversation? Do you mind if I take a look at the computer, Quintius, ( not 3 minutes later and we’re already on a first name basis…BUT I HAVE NO CLUE WHO THIS GUY IS. I know that he’s a guest, he’s respectable- c’mon the guy’s a coach traveling. ), I just want to see if I’ll be able to work on some business that I have to take care of? No problem you’re covered, dude, we have WiFi. (Granted, you’re taking care of business in traffic literally, security can’t be too high up on your list anyway. ) Well, that’s just the thing, Quintius, I DIDN’T BRING MY LAPTOP WITH ME, I’m from California ( what does that have to do with the price of tea in China? ), I’ve been staying in the hotels but none of the computers in the business centers were compatible with my ear buds. You say you have rooms tomorrow I can just book my reservation all at the same time and we’ll see if this spot is going to work for me. Customer service wins!
So the clock is ticking and has continued to tick all the way to the point in all of this where it’s time for me to throw up deuces. That much time has passed with this coach in my business center booking his reservation with the help of his ear buds. Hey coach, it was nice meeting ya, is this spot going to work out for ya? Mouse click. ( Expected. ) Yes, this is just fine with the hard-drive propped on top of the trash can and the screen showing just enough traces of Twitter for me to be able to remember that it’s either #FF or I’ve freaking missed it again. ( Sorry, Tweeps…this is what I’m dealing with at the moment. ) Well, I guess we’ll talk tomorrow. Our night auditor is coming in so when she comes by just let her know the situation with you being stuck out of a room tonight and having to come in here to reserve a room for tomorrow on our computers. Nice chatting with ya coach….( umm…what was his name again, I didn’t catch it? Did you? )
Fast-forward. As hard as it may be to believe…this story is not over. As a matter of fact, this is how it ended. With me sitting on my couch tapping buttons on my laptop and my spider-senses are telling me….SOMETHING ISN’T RIGHT! ( Never doubt your spider-senses when it comes to security….esp. cyber-security. )
- Text message to my night auditor. 2:14 a.m. : Hey, check the business center and let me know if there’s still a creepy guy in there wearing an Adidas suit.
- Reply: K. Lol. Yep’. I don’t want to see whatever is on the screen because when I peeked in there he had his head phones on and he was licking his lips.
- My response: Okay, this is what you do. Tell him without a reservation you’ll need a copy of his driver’s license in order for him to access the guest computers. If he refuses…lock him out and kick him out.
- Reply: Is he not in-house?
- My response: No, he was supposed to be in there making a reservation for tomorrow because we didn’t have any rooms tonight. So either he gives you his license while he continues to make his reservation or he leaves. Point? He’s a fucking pervert and needs to get the fuck off the system and the premises.
- Reply: K, got him out.
- Response: Thank you. ( Mind you….2:33 a.m. when it all ended. )
( This post was based on actual events that transpired two nights ago. )
What makes this story even more dramatic is not only did it happen to a customer service representative at the front desk of a hotel, it just so happens that this rep is also a first year systems security student with the end goal of becoming an ethical hacker. Point taken: IT HAPPENS.
Thus, while we have heard of stupid haste in war, we have not yet seen a clever operation that was prolonged. There has never been a case in which a prolonged war has benefited a country. -Sun Tzu
Let’s face it. Speed pays off. Slowness rarely wins the game. ( Pause: Of course there are very notable exceptions to this. ) Moving with deliberate speed is more important in the age of online marketing and advertisement. Just think about how blogs work for a second in the context of speed. Blogs can build a rumor into a reality-and if not addressed quickly, these false claims take on an aura of truth. On the other hand, a blog can be used to build the mystique of a product or an idea. Point? Speed is an offensive weapon. Use it:
- To reach your market
- To organize decision making
- To gain actionable intelligence quickly
How is this done? Simple. Create A Sense Of Urgency.
A sense of urgency drives results. This is obvious in times of national emergencies and crisis such as terrorist attacks and/or natural disasters. In the digital world per se we rarely have such galvanizing events. But…where there is a will, yep’….you got it; there are still many ways to create a sense of urgency. Here are two:
- A competitive threat- You can use the growth of a competitive rival as a call to action for your staff and to build a sense of urgency for creating change in the workplace.
- Customer data and stories- If you don’t have customers, you won’t have a business. Trend data on customer satisfaction can build urgency for creating change in your products or services that the customers will see. Most employees know that the customers are important. This isn’t rocket science but, without your customers, bud, you would not have a job to come to everyday. Use your customers to communicate to your staff. It will have more impact than if you say those things yourself.
Move quickly when opportunity arises.
Prepare for opportunities to enable speed.
Deliberate preparation enables speedy action.