
The Mindset of a Cracker

<<

SVXX

Newbie

Posts: 8

Joined: Sun Oct 04, 2009 9:12 am

Post Tue Dec 20, 2011 3:17 am

The Mindset of a Cracker

Hello all, this is my first post on the venerated Ethical Hacker network forums. I have loads of questions regarding my future career in security, but I'll research people's posts more and save those for a later time.
I'll get straight to the point. A friend of mine is researching hacking and cracking for a book they're writing, which involves a "tech savvy young boy" (twat, I'd say..) who pulls off one of the biggest financial scams in history....through the help of cracking. I'll directly quote from the email I received -:

"From a basic story point of view the protagonist steals confidential data of high profile clients of a bank and launders money into a third party account by hacking (read : cracking) into the bank accounts of these clients. We have many questions about how he will carry out this crime, what information and expertise will he need etc. Following are some basic questions for you to get an idea of what kind of help we are seeking.

1. Is it possible for anybody to be in a small town far away from the city where the crime is being committed and still pull it off successfully?

2. What is the information that he will need from his accomplice working in that bank?

3. How will he carry out the scam by making sure he is not traced and at the worst his accomplice is accused of the crime?

4. What are the various processes of basic hacking of personal accounts and official accounts of larger consequence?

5. What kind of hardware/software will have to be installed in the bank for them to get the required information?

6. What position will the accomplice hold in the bank to be able to retrieve confidential information for the scam?"

As ridiculous as these questions may sound, I even questioned them whether they're preparing to pull off a financial scam themselves! Jokes apart, I would love to have the views of those experienced in professional security.
PS : Pardon any posting violations that I may have done, 'coz I couldn't think of a suitable forum to post this in. Plus if you think this whole topic is weird, I'm not at fault! Had nowhere else to go to ask.
<<

Triban

Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Tue Dec 20, 2011 8:54 am

Re: The Mindset of a Cracker

There are lots of questions and there are a number of possible answers.  I would have your friend research Social Engineering and Phishing.  But here is the question, why are you researching and not your friend?  For a book such as this to be successful, he would best partner up with a security pro who may specialize in financial security environments.

Sorry I can't be more help.
Certs: GCWN
(@)Dewser
<<

SVXX

Newbie

Posts: 8

Joined: Sun Oct 04, 2009 9:12 am

Post Tue Dec 20, 2011 9:09 am

Re: The Mindset of a Cracker

Ah, that is perfectly fine, and I came here looking for security pros!
Actually the whole situation is this - my dad's friend is working on the book, and dad wanted me to participate in this survey of questions but I'd refused....he said, what if I provide you the questions online, can you research for us? And so here I am.
<<

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Tue Dec 20, 2011 11:01 am

Re: The Mindset of a Cracker

I'd tell them to read these at a minimum:
http://www.amazon.com/Art-Deception-Con ... 072&sr=8-2

http://www.amazon.com/Art-Intrusion-Exp ... 072&sr=8-3

He has a relatively new book out, but I haven't had a chance to read it yet.

That's going to answer a lot of those questions. I don't think they're in a place to understand anything more technical. If they do, they should check out the Stealing the Network series: http://www.amazon.com/Stealing-Network- ... 407&sr=1-2

It really depends on how technically accurate they want to be. Things like CSI can be extremely popular but are nowhere near technically accurate. The general public doesn't know any better, so how much effort they want to invest in this really depends on their market and personal goals. When in doubt, just say the attackers, "buffer-overflowed the server's firewall," and 99.9% of the public would be impressed.
The day you stop learning is the day you start becoming obsolete.
<<

SVXX

Newbie

Posts: 8

Joined: Sun Oct 04, 2009 9:12 am

Post Tue Dec 20, 2011 11:42 am

Re: The Mindset of a Cracker

Thanks a lot dynamik. All this definitely helps :) I will pass on this information to dad. If anyone else has their own views, they can still post! Thanks a bunch.
<<

KrisTeason

Hero Member

Posts: 515

Joined: Sat Sep 08, 2007 7:48 pm

Location: /dev/null

Post Tue Dec 20, 2011 1:56 pm

Re: The Mindset of a Cracker

Hey Svxx,

Welcome aboard. I'll try to offer some light in having a take at the questions! Though I'm not offering all solutions here I want to throw out a few the bad guys would use here in the real world.
1) Definitely possible. Attacks happen all the time anywhere. It all comes down to your targets' security they have implemented but even then, the attackers will always find a way in.

2) Assuming there's an insider, this can contribute a lot to pulling off a successful attack. The insider could provide a listing of the software they run on the bank's machines, which could possibly aid in Client-Side Attacks. He could gather up other inside information on employees if needed, he would be able to map out the Network Topology, and this insider could even be used to pull off physical attacks.

3) Being good guys and being given permission to perform audits, I'm not too sure how many of us focus on being, 'untraceable' as much as we try to go un-noticed by IDS/IPS solutions out there. We don't want to send up a red flag. To carry out this type of a scam and attempt to try to be untraceable, an attacker could attempt to compromise a list of target machines and utilize those to pull off the attack. Of course, attacking from a public wifi spot or breaking into a protected network and hacking from that are what bad guys do also. Proxies and proxy-chaining are also useful here. I would imagine these put into use big time when carrying out illegal activity.

4) The attacker could get a hold of the local password hashes on the banking systems and take them offline and attempt to crack them with 3rd party tools. 3xban mentioned phishing, which is another common route attackers use to harvest passwords. These all play a big role. The common process mainly depends on if you're doing offline/online password cracking. Will the attacker be attempting a dictionary attack on the ssh or ftp service? A valid username will need to be known. The accomplice could assist in gathering valid usernames of the target infrastructure. If it's offline password cracking, 3rd party tools could be used as mentioned.

5) Hardware key loggers definitely come to mind here. Especially when dealing with obtaining passwords and all sorts of other juicy information. As far as software goes, that could be risky depending on the environment - policies are put in place to attempt to not allow employees from installing software, etc. If the accomplice was able to get a backdoor onto his workstation and let the attacker in and this was discovered, it could be suspected that the accomplice was involved. The accomplice serving as an insider role in the organization could leverage it to the attacker's end if an e-mail containing a link to pull off a client-side attack, and the accomplice would be the one to click it to get the attacker on to the network. Of course there are alternatives here.

6) I would say just being an employee would be enough. Of course if the accomplice is one of the IT guys and had more access than the standard employee this would help.

The books dynamik provided will help out. Be sure to give them a read! Good luck with the book.
eCPPT (Silver/Gold), eWPT, GSEC, GISP, GCIH, OSCP, OSWP
<<

Triban

Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Tue Dec 20, 2011 2:28 pm

Re: The Mindset of a Cracker

Back to my social engineering reference, take a peek at:
http://www.amazon.com/Social-Engineerin ... 786&sr=8-1

and a story from CSO Online:
http://www.csoonline.com/article/692551 ... alkthrough

I haven't read Human Hacking but it is on my own list of reads and I got to listen to the author speak at a small conference last year in Delaware. 

Also a +1 to Dynamik's reading list, all great books to weed through.

Interesting movies to also watch:
Sneakers (out of date but still a good reference, be it fictional)
Firewall - reasoning the big bank keeps its most secure system air gapped from the rest of the environment.  So there is something like that to keep in mind.

Also your friend might want to make sure they don't rip off other authors.  So it's good to know what has already been written.
Certs: GCWN
(@)Dewser
<<

SVXX

Newbie

Posts: 8

Joined: Sun Oct 04, 2009 9:12 am

Post Wed Dec 21, 2011 9:32 am

Re: The Mindset of a Cracker

Thanks a lot y'all. Mailing all this....keep firing if there's more!  :)

@Kris : That deluge of information was extremely helpful! Thanks.
@3xban : Good old phishing and social engineering, plus movies on hacking and caution not to rip other authors off - check! Thanks.
Last edited by SVXX on Wed Dec 21, 2011 9:38 am, edited 1 time in total.
<<

jsloan1223

Newbie

Posts: 20

Joined: Tue Apr 24, 2007 3:46 pm

Location: North Dakota, USA

Post Wed Dec 21, 2011 9:38 am

Re: The Mindset of a Cracker

wow. this is like the 5th time I've read that subject. Today though, I read it as cracker = snack food. which left a very weird visual image in my mind. I think I need more sleep..
<<

SVXX

Newbie

Posts: 8

Joined: Sun Oct 04, 2009 9:12 am

Post Wed Dec 21, 2011 9:47 am

Re: The Mindset of a Cracker

Herp and derp :P xD
<<

unicityd

Full Member

Posts: 170

Joined: Wed Sep 03, 2008 5:33 pm

Post Wed Dec 21, 2011 12:06 pm

Re: The Mindset of a Cracker

You should read "Why Cryptosystems Fail" by Ross Anderson.  The article is accessible (not technical) and explains real-world failures in bank security. 
BS in IT, CISSP, MS in IS Management (in progress)
<<

unicityd

Full Member

Posts: 170

Joined: Wed Sep 03, 2008 5:33 pm

Post Wed Dec 21, 2011 2:22 pm

Re: The Mindset of a Cracker

Ross Anderson also wrote about banking security in his book Security Engineering.  The banking chapter is available online:

http://www.cl.cam.ac.uk/~rja14/Papers/SEv2-c10.pdf
BS in IT, CISSP, MS in IS Management (in progress)
