The Easiest Hack

Readers have no doubt been advised of the Sony computer hack that came to reveal Hollywood’s endemic racism, among other items. So sordid are the details that authority over the studio was simply relinquished to Al Sharpton. I must admit that the complete rehabilitation of no-longer fat Albert has been breathtaking. This dumb, rhyming, mush-mouthed, formerly jheri-curled charlatan has been remolded by his handlers into a real life Morgan Freeman character. His counsel sought by the president, his imprimatur required for any race impacting initiative. My God, the deplorable humiliation of feigning respect for this farcical fuck. Consulting Beetlejuice on affairs of state would be no less ludicrous. But this post isn’t about the identical real estate on the bell curve occupied by those two men. It’s about the easiest hack.

So how does one with formidable technical skills gain access to a hardened network? By perhaps the most counterintuitive method: use no technical skills at all. The softest target is the one between a man’s ears. And how does one gain access via that route? Easy, you ask for it…skillfully. From the rumors I have read, this is what occurred at Sony. The technique is called social engineering, which is techno-jargon for running a confidence game with computers. Kevin Mitnick is often regarded as the godfather of computer hacking. But in reality he was an old-fashioned con-man in a new-fashioned environment. Penetrating a sophisticated array of logical firewalls with access control lists and intrusion detection systems is very difficult. Asking a system administrator for his password is quite easy. And if you ask in a way that bypasses his critical faculties, he just may give it to you. It’s a tactic we’ll return to discuss in a much broader sense. Here’s one article of many speculating on how the Sony hack was executed.

U.S. investigators have evidence that hackers stole the computer credentials of a system administrator to get access to Sony’s computer system, allowing them broad access, U.S. officials briefed on the investigation tell CNN. The finding is one reason why U.S. investigators do not believe the attack on Sony was aided by someone on the inside, the officials tell CNN.

The revelation is part of what is behind the government’s conclusion that hackers operating on behalf of North Korea were responsible. The government is expected to publicly blame the reclusive regime as early as Friday. The hackers’ ability to gain access to the passwords of a top-level information technology employee allowed them to have “keys to the entire building,” one official said.

How exactly the hackers “stole” those system administrator credentials is unfortunately not expanded upon. Though it is a good wager that it was the result of a spear-phishing attack.

Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data. As with the e-mail messages used in regular phishing expeditions, spear phishing messages appear to come from a trusted source.

Here’s one version of a spear phishing attack: The perpetrator finds a web page for their target organization that supplies contact information for the company. Using available details to make the message seem authentic, the perpetrator drafts an e-mail to an employee on the contact page that appears to come from an individual who might reasonably request confidential information, such as a network administrator. The email asks the employee to log into a bogus page that requests the employee’s user name and password or click on a link that will download spyware or other malicious programming. If a single employee falls for the spear phisher’s ploy, the attacker can masquerade as that individual and use social engineering techniques to gain further access to sensitive data.

If that was too esoteric, let me put it in terms of a conceptual email exchange between a fake Kakistocrat and, say, longtime commenter Rob…

Hey Rob, it’s me at the Cacizstocrazyblog. I’ve attached a link in my email and would appreciate if you’d go there and log in to your Gmail account so that I can link your account to my comment section. Then we can fast track all of your posts without moderation or delay. Thx buddy!

Rob of course wants access to premium Kakistocracy content and first dibs on our lengthy comment threads, and so promptly clicks on the link to a fake Gmail log-in page that is used to capture his credentials and harvest them in service to the nefarious kakistocratic designs of Toddy Cat most likely. Was a computer hacked in that instance? No, a person was. They were spear-phished. Here’s another related recent example.

Internet Corporation for Assigned Names and Numbers or ICANN, the global authority on providing unique web addresses across the world, was breached by hackers. According to the blog post by ICANN, hackers used ‘spear phishing’ to break into its systems in late November.

Email messages were sent to ICANN staff members which appeared to be coming from ICANN’s own domain. As a result several ICANN employees’ emails were compromised.

According to the post, the hackers accessed internal emails, gained administrative privileges to the Centralised Zone Data Service which was used to gather information such as names, postal addresses, emails and phone numbers. ICANN says the passwords were encrypted, but it has deactivated them as a precautionary measure. A members-only ICANN GAC wiki page was also accessed.
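For the defender, both cases above (the misspelled sender in the mock email to Rob, and mail that appeared to come from ICANN’s own domain) leave traces in the message headers. The following is an added example, not code from this post or from the quoted articles; `example.org`, the flag names and the sample messages are assumptions constructed for illustration, and it assumes the receiving mail gateway stamps its own Authentication-Results header.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.org"  # assumption: the defender's own mail domain

def _domain(header_value):
    """Lowercased domain part of an address header, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def assess(raw, org_domain=ORG_DOMAIN):
    """Return sorted spoofing indicators for one inbound message."""
    msg = message_from_string(raw)
    from_dom, reply_dom = _domain(msg["From"]), _domain(msg["Reply-To"])
    # Assumes Authentication-Results (RFC 8601) was stamped by our own mail
    # gateway and that any copy supplied by the sender was stripped.
    dmarc = re.search(r"\bdmarc=(\w+)", msg.get("Authentication-Results", ""))
    flags = set()
    if from_dom == org_domain:
        # Mail claiming our own domain must pass DMARC; otherwise flag it.
        if not dmarc or dmarc.group(1).lower() != "pass":
            flags.add("own-domain-unauthenticated")
    elif from_dom and SequenceMatcher(None, from_dom, org_domain).ratio() >= 0.85:
        # A near-miss domain can pass DMARC, because the sender owns it.
        flags.add("lookalike-domain")
    if reply_dom and reply_dom != from_dom:
        flags.add("reply-to-mismatch")
    return sorted(flags)

# Constructed sample messages (not taken from any real incident).
SPOOFED_INTERNAL = (
    "From: IT Helpdesk <helpdesk@example.org>\n"
    "Reply-To: helpdesk@mail-example.net\n"
    "Authentication-Results: mx.example.org; spf=fail; dmarc=fail header.from=example.org\n"
    "Subject: Password expiry\n\nPlease log in to confirm your account.\n")
LOOKALIKE = (
    "From: Admin <admin@examp1e.org>\n"
    "Authentication-Results: mx.example.org; spf=pass; dmarc=pass header.from=examp1e.org\n"
    "Subject: Link your account\n\nLog in here.\n")
LEGITIMATE = (
    "From: Alice <alice@example.org>\n"
    "Authentication-Results: mx.example.org; spf=pass; dmarc=pass header.from=example.org\n"
    "Subject: Minutes\n\nAttached.\n")

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED_INTERNAL), ("lookalike", LOOKALIKE),
                      ("legitimate", LEGITIMATE)]:
        print(name, assess(raw))
```

The lookalike message passes DMARC and is still flagged, which is why authentication results alone do not catch a misspelled sender domain.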

In every phishing or spear-phishing attack, a mark is convinced to relinquish something of great value out of misplaced trust for a malicious actor. In most computer-related instances, what they relinquish are their otherwise well-guarded credentials. Though can we extrapolate the principle forward into society at large? Have the people of the West been victim to the greatest spear-phishing attack in history? Have they relinquished something of irreplaceable value to those they thought to trust, who are actually mortal enemies in the process of using it to attack them?

Dear friend, enter your children’s future and log on to multi-cult  Be sure to check the box that says you’re not racist!

Though for reference, if someone asks kindly for the keys to your country, you may want to make certain it’s Al Sharpton who’s actually on the other end of the line.


9 thoughts on “The Easiest Hack”

  1. Every tech company I’ve worked for has scammed their Fortune 500 clients in remarkably simple ways, taking advantage of their clients’ busy days to throw in a couple of extra licenses or referencing security certifications they do not actually have in the host’s home country.

    A few lines of JavaScript can give you access to all sensitive customer data. Discovering this, like you said, only requires asking a few questions of the engineers, many of whom are skilled hackers themselves. Long live the cloud.

  2. Admin,
    I am pretty sure the “Never Again” banner is Broadway in Saratoga Springs, NY. I used to live there. It is still a stunningly lovely town, although vibrancy is starting to creep in.

  3. I visited Saratoga Springs weekend before last. Hundreds of people out shopping on the main drag, all non-obese white people, with the exception of one sullen Arabic-looking fellow, who might have been a student from Skidmore College nearby (it was finals week or there would have been more vibrancy.) Combined with the stylish old-time architecture, a most uplifting experience.

  4. It’s a good analogy. You don’t take over a country nor a computer system by arcane technical skills alone. It’s mostly old-fashioned conman techniques that allow you to undermine an IT network or a nation.

  5. ICANN is going to be a lot more famous someday soon. This group is responsible for the “country codes” that link different sections of the world ( .jp for Japan, .uk for the UK, etc.). Kind of the ‘Federal Reserve’ of the internet, in that no one quite knows who their bosses are. The engineers don’t grasp the political implications, and the politicians don’t grasp the technological implications.

    On a broad, international level, the California-based “company” has played fair thus far. Thanks to the NSA getting caught listening to Angela Merkel’s cell phone, Obama foolishly offered to start sharing ICANN’s oversight on a rotating basis. This will eventually be seen as a powerful weapon, as an “accidental” coding typo can remove a country from the global loop. Oops, Russia can’t send international emails, must have been some mistake.
