Illegal Internet
This in-depth article takes a look at hacking on the Internet. Covering hacker motivation, computer viruses, security, personal firewalls and how to track a hacker!
John Collins
3. Infiltration and trashing
3.1 Gaining access
For many dedicated hackers, gaining physical access to a system server is a viable alternative to remote hacking. Hackers are aware of the lax attitude of many firms, including Internet Service Providers (ISPs), towards the physical security of their computers. A server may be stored in an office, for example; that office may be unlocked, and the building may have new people passing through every day unnoticed.
There are many techniques that may be employed by a hacker to gain access to a site, some of which include:
- Applying for a job at the targeted site, using a bogus identity and CV. Once inside and issued with a visitor's pass, reasons such as going to the toilet or getting lost can get the hacker around the building.
- Selling sandwiches to the office workers at lunchtime. In this way, the hacker becomes familiar to the workers and nobody pays him/her too much attention.
- Getting a job with a company that provides a service to the targeted site, such as cleaning, computer installation or maintenance work.
All of these methods are, of course, very 'black-hat' and liable to get the hacker into real trouble. The rewards to the hacker may outweigh the risks involved, however, so site security should never be overlooked where sensitive information is stored.
3.2 Social engineering
Social engineering is a term that is given by hackers to any kind of con trick that is used to get information from a worker of a targeted firm. At its most basic level, social engineering exploits an understanding of human nature and people's natural openness and helpfulness when they are asked for help and advice.
In a large business or university, any given worker will only possess a small piece of the overall picture, and therefore can only respond to requests based on their existing knowledge of events. For example, if a hacker rings an office worker on an internal number to ask for information, the hacker may build 'trust' in the worker by displaying knowledge of office jargon, procedures or other office co-workers, and then use this trust to gain valuable information from the unsuspecting target.
3.3 Trashing
Another valuable source of information to the dedicated hacker comes from an unlikely place: your trash! Hackers may gain access to a targeted site's dumpsters or even office waste paper baskets, where they would hope to find all or any of the following items:
- Computer, network or phone manuals. Any of these can tell the hacker about the kind of hardware and software that is being used at the targeted site, so that they can better tailor their future attacks.
- Floppy disks, old PCs containing hard drives, CD-ROMs etc. Even apparently damaged storage devices can still yield recovered information.
- Memos, reports and other office documents. These will help to build familiarity into the hacker's future social engineering attempts.
- Computer and IT procedures and protocols, especially those that have been written in-house for operating staff to enable them to fix network or phone problems quickly.
- Customer information (invoices, contact details etc.). These can also be used for social engineering purposes, as the hacker can show familiarity with customer contracts.
- Shredded documents. They may look like a mess, but to the most dedicated of hackers, patience is a genuine virtue. If a document is sensitive enough to shred, then it should really be disposed of by a company that specializes in the destruction of such documents.
Something such as trash, which the average office worker may never consider, can become an information goldmine to the creatively thinking hacker. The security of sensitive information, especially client information, is the responsibility of the company involved, so they should never dispose of sensitive information in such a carefree way.
The physical security and location of the dumpsters should be discussed with the person in charge of site security, and the necessary precautions put in place.