Sometimes when you are deep in the forest looking at one branch of one tree, trying to reduce false negative rates for detecting a specific class of software vulnerability, it is useful to step back and look at the forest of what is going on in criminal hacking.

Today we were throwing some ideas around the office about hacking techniques we had seen reported. This got the discussion flowing towards extrapolating and using techniques in new areas. The following is a list of old and new.

Gaining network access

  • Popping open the TNI box outside someone’s house and running a phone cable from the test plug at their house to another location to steal their phone line when it’s not in use.
  • Cloning ESNs on analog cell phones to steal cell phone access (Oki 900)
  • Getting a job somewhere just to explore and use the computer and phone system. (Local Phone Co Central Office, Data Entry jobs, janitor),
  • Piggybacking behind someone with a badge
  • Printing your own visitors badge (with Bold Unescorted label)
  • Getting tours of facilities to learn more about their computers and phones
  • RFID skimming to get into a facility
  • Walking onto college campuses to use open labs
  • Hooking up a wireless access point onto someone else’s network while inside their building, or paying someone else to do it
  • Bouncing/proxying traffic through multiple countries and jurisdictions
  • Free wireless hotspots!

Compromising Machines for Identity theft

  • Parking lot wireless attacks (TJX)
  • Access point spoofing, commonly in airports, conferences, or other public areas
  • ATMs with hacked circuit boards that transmit track data over 802.11 or GSM
  • Jump on IRC and pay someone to set up a phishing attack
  • Using USB keys to load remote access and keystroke loggers on computers you have physical access to at retail stores, schools, doctor's office, etc.

What old hacker tricks have you seen and how would you apply the old to the new?

Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.