Chapter 3. Hacking People, Places, and Things

Trust that little voice in your head that says “Wouldn’t it be interesting if. . . .” And then do it.

DUANE MICHALS

Hacking is more than just manipulating computers. As phone phreakers discovered in their quest to control the telephone system, hacking can be performed on anything, and as you’ll soon see, people have been hacking in a variety of ways for years. Hacking involves studying a system to see how it works, playing with the system to see how to control it, and then manipulating the system to put it under your control.

Social Engineering: The Art of Hacking People

Perhaps the oldest form of hacking is social engineering, which involves using people to get what you want. Unlike con games that steal money, social engineering steals information. But since social engineering victims are unaware that they have been tricked, they’re often willing to help the same person who fooled them again and again. (Politicians are probably the ultimate social engineers.)

Say, for example, a hacker wants someone’s password at a particular company. Rather than ask that person directly (which would probably fail), he might try a more easily manipulated source, such as a secretary. The hacker could deliberately foul up a computer at that company, then call the secretary (while masquerading as a technician), and ask if she has noticed any problems with the computer. When the secretary says yes, the “technician” claims that fixing the problem requires the (desired) password. More often than not, the secretary will give out this password and the “technician” will fix the very problem that he created in the first place. The computer problem “mysteriously” disappears and the secretary thinks that everything is now okay, not realizing that she has just given her boss’s password to a hacker. The secretary suffers no loss, and the password’s owner is unaware that it’s been stolen.

Rather than go through another person, hackers might social engineer a target directly. For example, a hacker might discover the phone number to a corporate technical support line, then reroute those calls to herself. When the target finds that his computer is suddenly not working, he calls technical support. The hacker answers the line and asks for the target’s password. Since the target initiated the call, he will likely supply any information requested just to get his computer working again. Once the target gives the hacker the password, the hacker “fixes” the computer, and the problem once again “mysteriously” disappears. The hacker has succeeded in obtaining the password, and the target never realizes that he gave it away.

Studying a target

Social engineering can be particularly effective for gathering bits of information a little at a time. While hackers could social engineer people without knowing anything about them, the company they work for, or the type of job they do, studying a target before trying to social engineer anyone will likely gather much more useful information.

One favorite tactic for researching a target is dumpster diving. As the name implies, this activity involves digging through a company’s trash bins for valuable tidbits of information, such as out-of-date phone directories (which can provide names, phone numbers, and department names), business cards (which can match names with titles and departments), and handwritten notes (which can reveal passwords or current project names).

Dumpster diving helps a hacker plan the best way to launch an attack without the target ever being aware of the hacker’s existence. However, in some cases, dumpster diving may not yield enough information. In those cases, hackers might take the riskier path of dressing up as janitors, temporary workers, or new employees and physically wandering around the premises, noting what they see and where equipment is located. If this surveillance takes place after hours or during lunch, hackers can even peek inside workers’ desks and examine computers. With physical access, hackers can try to access a network from a trusted computer, or install a keystroke logging program to snare the users’ passwords as they type them in (see Chapter 9 for more about these techniques).

Since visiting a targeted company in person may be too risky or impractical for some hackers (a 13-year-old is likely to have trouble masquerading as a temporary employee), hackers might call certain people either to get information from them or to discover the names of others who can provide the information.

When talking on the phone, hackers often disguise their voices and play different characters. Thus, a hacker might use multiple voices to call the same worker so the victim thinks she’s providing information to a different person each time. (Few workers will be suspicious of ten different people calling for information, but the same person calling repeatedly would definitely arouse suspicion.)

Armed with one bit of personal information about a target, a hacker can often prowl the Internet and pick up additional bits of information about people, from their personal web pages, to their posted resumes on job-hunting sites like Monster.com, to their biography listed under a corporate web page. The more information a hacker gathers about a target, the more likely he’ll appear “credible” and successfully social engineer the target out of valuable information.

Gaining familiarity

The key to social engineering is to gain the trust of others. This is often accomplished by acknowledging, rather than questioning, the target’s position or authority and developing a rapport with the target. For example, hassled secretaries are unlikely to answer questions from a total stranger, but once the hacker develops a rapport with him or her (perhaps by making fun of his own boss in a way that the secretary might relate to), the hacker can erase any suspicions. This works especially well if the hacker can toss out the names of important people, projects, or procedures with the familiarity of someone who has worked at or with the company for several years.

Having established a rapport, the social engineer next asks the victim for help. Since helping others—especially someone perceived as trustworthy—can make people feel important, most victims of social engineering will willingly give the hacker the requested information. The victim doesn’t feel like he or she is really losing anything; the hacker has only asked for information after all, not something tangible like money.

Hackers rarely ask for information point blank. Instead, they obfuscate their true purpose with casual requests for assistance and friendly small talk. For example, a hacker might complain to a secretary about the company’s working conditions, casually mention that he’s in building F (which anyone at the company would know is isolated from the rest of the company’s buildings), then suddenly remark that he forgot his password back at his desk, which is way across the parking lot in another building. He may ask the victim if she knows another password that he could borrow for the moment. The victim will volunteer someone else’s password or, more likely, just give her own. Either way, the hacker now has what he wanted.

At this point, the hacker could just hang up and yell, “SUCKER!!!!” However, he doesn’t want to arouse suspicion, so he might chat a little more about the company and the people involved, and then complete whatever task he needed the password for in the first place.

Social engineering victims rarely learn that they’ve been victimized. Even if people later learn that someone broke into the computer network using a stolen password, the social engineering victim usually believes that he or she gave the password to help an employee rather than a hacker. As a result, the hacker can often victimize the same target repeatedly.

If you can be fooled by a magician’s sleight of hand, you can be fooled by social engineering. In fact, chances are good that you have already fallen victim to social engineering and don’t even know it.

The keys to social engineering

Social engineering works because it’s a low-risk activity. If the hacker asks for a password and someone refuses or even gets suspicious, the hacker can just hang up and ask somebody else. No matter how suspicious targets may get, they’ll never be able to find the hacker. Even if they go to the trouble of tracing the hacker’s phone number, authorities can’t arrest him or her because no crime has been committed. Even with the longest odds, given enough time, the hacker will always succeed.

Another reason that social engineering works so well is that it involves an indirect attack, which allows the hacker to avoid raising suspicion and cover his or her tracks. No one is likely to connect a computer break-in with three different phone calls made to three different people on three different days. You can’t stop social engineering with a firewall, and given the large number of people in any company, the odds that at least one person will fall victim to social engineering aren’t just good; they’re guaranteed.

Many large corporations now offer ongoing educational programs warning workers of common social engineering tactics. Still, no matter how many employees resist a social engineer, it only takes one to fall victim for the hacker to succeed.

Picking Locks

Show a hacker a locked door and the first thing he wants to do is find out what’s on the other side. Whether the door is hiding a janitor’s closet, a half-constructed restroom, or a vault containing gold and jewelry is irrelevant. Hackers want to get to the other side, and a locked door just gets in their way. And, not surprisingly, many hackers are equally proficient at breaking into computers and picking physical locks.

Most physical locks succeed in preventing entry not because they’re mechanically complicated, but because people don’t know how they work. A locked screen door can stop a two-year-old baby just as effectively as a locked car door can defeat most adults, although a knowledgeable locksmith or car thief can unlock most car doors with a metal Slim Jim within seconds. Given their mindset, it shouldn’t come as a surprise that hackers also enjoy picking locks.

The theory of lockpicking

There are several ways to pick a lock. At the crudest level, you could use brute-force and just keep smashing it with a hammer until it breaks open. At the other extreme, you could find an unexpected trick to open the lock, the way people discovered they could pick the Kryptonite Evolution 2000 U-Lock (www.kryptonitelock.com) by jamming the top of an ordinary ballpoint pen into its keyhole. (The company later corrected this glaring flaw, but not before considerable embarrassment; you can see a how-to video here: http://media.weblogsinc.com/common/videos/pt/lock.wmv.)

Of course, rather than attack a lock directly, it’s often easier to attack the much weaker area around it. For example, while you could pick the lock on the anti–car theft device the Club, it’s simpler to break the steering wheel, slide the Club off, and then drive the car away with a broken steering wheel, bypassing the security of the Club altogether.

Similarly, spring locks (such as those typically found guarding office doors) can often be picked by sliding a credit card or other thin tool to push the latch open without bothering to pick the lock open at all.

To pick a lock, you must first understand how that particular lock works. Although there are many different types of lock designs, the most common is a pin-and-tumbler design, as shown in Figure 3-1.

This design holds a lock shut using five or six pins, with each pin split into two halves. Springs push both halves of the pins downward to prevent the plug from turning. When you insert a key into the plug, the jagged ridges of the key push up each pin so that the breaks in each pin lie flush with the top of the plug. Once all of the pin halves are aligned, you can turn the plug to open the lock. So to pick a pin-and-tumbler lock you push up all the pins, and hold them in place until you can turn the plug.

The tools and techniques

Two common lockpicking tools are the pick and the tension wrench. The pick (shown in Figure 3-2) looks like a dentist’s tool. The tension wrench can be as simple as a flathead screwdriver and is used to turn the plug once all the pin breaks are aligned with the plug.

Figure 3-1. A pin-and-tumbler design uses pins that drop down to hold a lock in place.

To pick a lock, you use the pick to push up each pin until the break between its two halves is flush with the plug. If a pin isn’t held in place, it will fall back down, so lockpickers twist the plug slightly to one side to create a ridge. Once the lockpicker has pushed the halves of a single pin flush with the plug, a slight twist pushes the pin sideways so that, instead of falling back in place (and locking), the tip of the pin half rests on the ridge of the twisted plug as shown in Figure 3-2.

Figure 3-2. A pick pushes up each pin so that it rests on the edge (or ridge) of the plug.

The lockpicker repeats this step for each pin until one half of each pin lies on the slight ridge created by twisting the plug to one side. Once this is achieved, the lockpicker twists the tension wrench to mimic a key and opens the lock.

While simple in concept, it takes practice to pick a lock, and it’s tricky to feel (or hear) when each pin is properly positioned. Lockpickers sometimes use a faster technique called raking, in which they twist the plug while they brush or rake a pick under the pins to push them all up in one quick motion. This usually results in pushing one or more pin halves up to rest on the ridge of the plug, at which point the lockpicker needs to push up only the remaining pins individually to open the lock.

Experienced lockpickers often carry a variety of different size picks for different types of locks. Some use an electric pick gun, which vibrates to push up the pins as the plug is twisted.

You can buy lockpicking books and tools from a variety of websites, one of which is shown in Figure 3-3. As with computer hacking, picking locks isn’t a crime, but you should use your skills wisely.

Figure 3-3. You can buy lockpicking tools and instruction books online.

For more information about lockpicking, read the alt.locksmithing FAQ at www.indra.com/archives/alt-locksmithing. To learn about other ways to pick locks, such as lock bumping, read the Bumping Locks file at www.toool.nl/bumping.pdf.

Exploring Urban Areas

Rather than pay to visit an amusement park and absorb its sanitized experiences, many hackers prefer the excitement and unpredictability of exploring the buildings around them for free. Urban explorers often tour abandoned buildings for their historical value (shut-down subway tunnels, empty factories, boarded-up hotels, or abandoned missile silos). They also enjoy prowling around buildings currently in use, such as utility tunnels beneath a convention center, the roofs of warehouses, or construction sites. If the general public would normally never see it, the urban explorer wants to be there.

Although the idea of crawling through an old sewage pipe or wading through stagnant water in the bottom of an abandoned mine shaft might not sound appealing, it’s no more uncomfortable than camping in a forest and enduring mosquito bites, bird droppings, and primitive toilet facilities (or spending five days a week in a sterile office cubicle, locked in a business suit, with eye-irritating fluorescent lighting, while counting the hours until your escape).

The urban explorer’s goal is to wander and explore as a modern-day archaeologist, admiring the wonders around us. To learn more about the fine art of urban exploring, visit Infiltration Magazine (www.infiltration.org), as shown in Figure 3-4. This magazine provides urban exploring tips that range from the plainly practical (wear comfortable clothes and thick-soled shoes, and bring a flashlight) to the more obscure (grappling hooks can be handy for scaling buildings but impractical to hide if confronted by a security guard).

Figure 3-4. Infiltration Magazine offers plenty of stories and pictures to encourage you on the proper techniques for infiltrating urban areas.

The goal of urban exploration isn’t to steal or deface anything, but simply to look around, even if that involves a little bit of trespassing. Sometimes this might require social engineering (to get past a security guard or to avoid arrest when confronted by one), a little bit of stamina (to climb stairs or crawl through holes in walls), and a lot of problem solving (to figure out how to cross an I-beam three stories up without falling so that you can escape from aggressive guard dogs).

Urban exploring can prove embarrassing (and useful) to governments. For example, the Russian urban exploring group Diggers of the Underground Planet once found a secret subway system under Moscow that Stalin reportedly had built to allow government authorities a quick escape from the city in an emergency. The acquired knowledge of these same urban explorers came in handy in October 2002, when Chechen rebels took over a Moscow theater and held more than 900 people hostage. Vadim Mikhailov of the Diggers of the Underground Planet led Russian authorities to the theater through a little-known underground route, of which neither the rebels nor the authorities were even aware.

Whether urban explorers want to see the employee lounge in the basement of a five-star hotel or map out the steam tunnels beneath a college campus, the goal is to have fun, see something cool that can be talked about later, and get back in one piece to do it again.

Hacking the Airwaves

In the United States, the Federal Communications Commission (FCC)—www.fcc.gov—is a government agency that regulates interstate and international communications by radio, television, wire, satellite, and cable. You aren’t allowed to broadcast anything unless you get FCC approval for a given frequency. Regulation can prevent equipment and radio signals from interfering with each other, but critics claim it also gives the FCC the power to deny ordinary people permission to broadcast information while granting the same right to corporations. Regulation of the airwaves can effectively translate into censorship, as demonstrated in countries such as China and Cuba.

To fight back against blatant censorship or corporate-regulated radio broadcasting, some people have created pirate radio stations to broadcast music, news, and information without their government’s approval. Pirate radio stations often operate secretly (until the authorities shut them down) or semi-legally. A handful of British pirate radio stations once broadcast from ships anchored just outside British territorial waters, thereby skirting British laws regulating broadcasting. (Of course, British law made it illegal for people to listen to these same pirate broadcasts, but at least the stations could operate with impunity.)

Radio stations along the borders of countries that regulate radio broadcasts often skirt the laws of the countries that receive their broadcasts. For example, Mexican radio stations routinely broadcast English-language programs at 250,000 watts, far in excess of the 50,000 watts allowed by FCC regulations. Then again, the United States has no qualms about breaking other countries’ laws by broadcasting its Voice of America radio programs into Cuba, Vietnam, and China. As always, the legality of anything depends solely on what’s being done and who’s doing it, regardless of their reasons why.

Rather than hassle with bulky transmitters and run the risk of upsetting the authorities, many people are turning to their personal computers and audio files (typically MP3 files) to broadcast information they want to share. By sending streaming audio across the Internet, wannabe radio broadcasters can broadcast anything to the world without breaking any laws. (Of course, they may still be breaking the free speech laws of their government, but that’s another story.) Figure 3-5 shows an advertisement for a program called Pirate Radio (www.pirateradio.com) that can broadcast your audio files around the world to anyone who cares to listen.

In fact, you can even turn an ordinary iPod into a pirate radio transmitter. iPod pirate radio broadcasters simply load up their iPod with audio files, attach a transmitter, and drive around with a bumper sticker advertising the frequency on which they’re transmitting. Anyone can tune their car radios to this frequency and hear the iPod pirate radio broadcast—until the driver pulls too far away and the signal disappears.

Some popular iPod FM transmitters include iTrip (www.griffintechnology.com), TuneFM (www.belkin.com), and iRadio (www.ipodworld.co.uk).

Rather than broadcast on an unused frequency, some iPod pirate radio stations prefer to hijack a currently used frequency, such as that used by a local rap music station. When a car stops at an intersection with its windows rolled down and rap music blaring from its speakers, the nearby iPod pirate radio broadcaster simply fires up the music and hijacks the rap music station’s frequency. Instead of hearing rap, the offending driver may now hear Barry Manilow, John Tesh, Yanni, or whatever other music the iPod owner decides to transmit blaring from his or her car speakers.

Figure 3-5. With a personal computer and a program like Pirate Radio, anyone can broadcast audio information over the Internet.

Even simpler are podcasts, prerecorded MP3 audio files stored on a website that anyone can download and listen to at their convenience. Podcasts avoid government airwave regulations altogether (although they may also skirt government regulations about content). Podcast.net (www.podcast.net) organizes thousands of different audio programs by category and content.

Some popular commercial Windows programs for creating podcasts include ePodCastProducer (www.industrialaudiosoftware.com), RecorderPro (www.soniclear.com), and WebPodStudio (www.lionhardt.ca).

For the Macintosh, podcasting programs include CastEasy (www.casteasy.com) and RapidWeaver (www.realmacsoftware.com).

Hacking History (or, Hemp for Victory)

Hacking is about discovering the truth, and nothing has distorted, warped, and twisted the truth so much as history, or rather the official and generally accepted version of history. There’s a big difference between what really happened in the past and what authorities think or say (or wish) really happened. As a result, history, seemingly built on a rock-solid foundation of facts, actually consists of nothing more than selective facts mixed in with educated and not-so-educated guesses.

History is malleable and can be changed to suit a government’s needs. If you’re going to start thinking like a hacker, begin by questioning the biggest assumptions of all: what your schools, culture, teachers, parents, churches, and history books may tell you about the past.

The Japanese textbook controversy

The Japanese government has a problem. On one hand, they want to teach history to Japanese students, but on the other hand, they are less than enthusiastic about reporting what the Japanese government did to China, Korea, the United States, the Philippines, Thailand, and practically every other country they fought or conquered during World War II. After all, why would the Japanese government want to tell its schoolchildren that the Japanese imprisoned armies of Korean women to serve as sex slaves for Japanese soldiers? Or that its military beheaded, raped, and massacred thousands of Chinese civilians in the city of Nanking, to the point where a Nazi Party representative even appealed to Adolf Hitler to stop the atrocities?

Note

To this day, the Japanese government refuses to acknowledge the atrocities in Nanking. Without knowing this little bit of trivia, you couldn’t fully understand the nature of current Japanese and Chinese relations, which would probably place you at the same level of ignorance regarding Asian foreign affairs as the average American member of Congress.

If a nation’s citizens learn potentially troubling facts about previous administrations, could that undermine their confidence and faith in the current government? Perhaps, and that’s what makes history textbooks so important in shaping the thinking of future generations. Richard H. Minear, a professor of Japanese history at the University of Massachusetts and the author of the books Victor’s Justice: The Tokyo War Crimes and Dr. Seuss Goes to War, answers the question this way: “As a practicing historian, I encounter at every turn the power textbooks exercise over my students’ minds . . . our students believe absolutely what they read in textbooks.”

Fujioka Nobukatsu, a professor of education at Tokyo University, decided to “correct history” by emphasizing a “positive view” of Japan’s past and removing any textbook references to what he calls “dark history.” Fujioka formed the Japanese Society for History Textbook Reform (www.tsukurukai.com), which published The New History Textbook. This textbook ignited controversy in China, North and South Korea, and even in Japan itself with claims that the Japanese military tried to liberate Asia from Western colonization during World War II, as the following excerpt shows:

When Japanese troops occupied in 1942, having defeated Dutch forces, Indonesians lined the roads and cheered. Japanese forces were a liberating army to rid them of the Dutch. During the occupation, which lasted three and a half years, the Japanese trained PETA, a military force, opened middle schools, and established a common language. The many reforms implemented served as a foundation for future independence. But when war neared its end and food was scarce, Japanese military police sometimes forced locals to do harsh labor, and were cruel to the local people in other ways as well.

Hiding history to protect the present

Rewritten history can not only reinterpret the past, but also erase it altogether. For example, in the March 2, 1998 issue of Time, then-President George Bush, Sr. and his National Security Advisor Brent Scowcroft published an essay entitled “Why We Didn’t Remove Saddam,” which offered the President’s justification for leaving Saddam Hussein in power after the first war in Iraq:

While we hoped that popular revolt or coup would topple Saddam, neither the U.S. nor the countries of the region wished to see the breakup of the Iraqi state. We were concerned about the long-term balance of power at the head of the Gulf. Trying to eliminate Saddam . . . would have incurred incalculable human and political costs. . . . We would have been forced to occupy Baghdad and, in effect, rule Iraq. The coalition would instantly have collapsed, the Arabs deserting it in anger and other allies pulling out as well. . . . Going in and occupying Iraq, thus unilaterally exceeding the U.N.’s mandate, would have destroyed the precedent of international response to aggression we hoped to establish. Had we gone the invasion route, the U.S. could conceivably still be an occupying power in a bitterly hostile land.

However, as The Memory Hole (www.thememoryhole.org) reports, this essay has strangely disappeared from the magazine’s own website. You can read the entire essay at The Memory Hole (www.thememoryhole.org/mil/bushsr-iraq.htm).

Why would Time completely erase all evidence of an essay that appeared within its own pages? Governments may be embarrassed by their past, but should a supposedly objective news magazine feel the same way too?

Watching movies for fun and propaganda

History often embarrasses people in the present, so it’s only natural that authorities, like the fictional Oceania government depicted in George Orwell’s novel 1984, routinely rewrite history if it contradicts the current line of thinking. Fortunately, sites like the Prelinger Archives, located at the Internet Archive site (www.archive.org), preserve history as seen through films produced by various corporations and government agencies over the years.

These 1950s-era films are interesting, amusing, and often unintentionally hilarious, such as Are You Popular?, which teaches adolescents proper etiquette; Duck and Cover, which teaches children how to survive a nuclear war; and Boys Beware, which teaches teenage boys how to avoid potential sexual molesters. By watching these films, you can get an idea of how people used to live and think.

But perhaps more stunning are the various propaganda films that the American government produced against the Japanese (during World War II when the Chinese were our friends) and against the Chinese (during the Korean War when the Japanese were our friends). Paramount Pictures even created a Superman cartoon called Eleventh Hour, in which Superman sneaks into a Japanese World War II shipyard and sabotages the Japanese war effort. Government propaganda films will show you how the government demonized past enemies, just as they demonize today’s enemies.

One of the oddest films was produced by the United States Department of Agriculture and was called Hemp for Victory. This movie extols the many benefits of hemp farming and claims that growing hemp will aid the war effort. Figure 3-6 shows images from the movie, including a government-issued tax stamp that proudly identifies certain farmers as patriotic hemp growers.

Figure 3-6. During World War II, the government encouraged hemp farming as patriotic, while today’s government declares hemp farming illegal and immoral. Which government should you believe?

Watching old movies like Hemp for Victory makes you realize how any government’s definition of “legality” can change over time. If yesterday’s patriots would be today’s criminals, might not today’s patriots become tomorrow’s criminals, as well? Just because something’s legal today doesn’t necessarily make it right.

Hackers always question authority and the rules (and laws) it creates. But questioning doesn’t always mean rebelling or rejecting. Sometimes questioning can mean just reaching back through time and learning how certain laws originated in the first place. If you don’t want to question the present by researching the past, you don’t have to. Just keep following orders, and within the framework of today’s laws, you’ll be the upstanding citizen that your government always wanted you to be.
