Not Really Game Related - How do people hack networks?
Here's an awesome article about a guy who discovered an exploit in dns, it's pretty interesting, and very exciting that if such a flaw had been discovered by the wrong people, a shit storm could have been unleashed on the internet.
Social engineering is the king of covert intelligence gathering, period.
Next to that, reverse engineering is almost as useful, but far more difficult to master. A good reverser can look at a network traffic dump and figure out how to forge communications with a remote computer (or spy on someone else's communications, or whatever). By the same token, most "real" exploits are discovered by reverse engineering code.
If social engineering won't get you what you're after, the next best bet is to figure out how the systems work and find their vulnerabilities that way. Sometimes this is done without internal knowledge of the systems you want to break (black boxing) but more typically you gain access to the running system in a way that let's you poke and prod it at your leisure (white boxing). Ideally, you white-box against a system that is isolated and contained and under your own control; trying to break into a monitored network is extremely hard to do without being caught.
Basically, it all depends on three things:
- What do you want to gain?
- Who can you compromise to help you in your quest?
- Once you have exhausted the social aspects, what obstacles remain?
Next to that, reverse engineering is almost as useful, but far more difficult to master. A good reverser can look at a network traffic dump and figure out how to forge communications with a remote computer (or spy on someone else's communications, or whatever). By the same token, most "real" exploits are discovered by reverse engineering code.
If social engineering won't get you what you're after, the next best bet is to figure out how the systems work and find their vulnerabilities that way. Sometimes this is done without internal knowledge of the systems you want to break (black boxing) but more typically you gain access to the running system in a way that let's you poke and prod it at your leisure (white boxing). Ideally, you white-box against a system that is isolated and contained and under your own control; trying to break into a monitored network is extremely hard to do without being caught.
Basically, it all depends on three things:
- What do you want to gain?
- Who can you compromise to help you in your quest?
- Once you have exhausted the social aspects, what obstacles remain?
With all due respect to those TED speakers and yourself, that would be a foolish thing to do. If cracking (not hacking, technically) is a good payable job in the government or a corporation, obviously people would aspire to be a cracker, no pun intended. That is the wrong thing to do, because with more crackers, there would be obviously more e-crime. The government or a corporation would only hire a few consultants, and they would be the best of the best, the "cream of the crop." You do not want to encourage cracking. To keep the post relevant to games, imagine that you create an online-based multiplayer game and someone comes and ruins it with an easily downloadable crack. That has the potential to ruin your business. Now multiply that by 10x the crackers with 10x the experience and 100,000,000,000x the money from a place 1000x as big, such as Citi or Bank of America. The whole "mega-hacking heist" thing is mildly far fetched, if I may say so myself.
Actually, it is hard to judge those people, as it is hard to judge criminals. I don't like to defend criminals, but I have a deep interest in psychology and how the human mind work. There is many people studying it and I like to hear what they say.
For example, there is a playlist on TED of 6 videos where they talk about hackers.
One of them is about how the biggest hackers got into this life (btw all of them were arrested and interviewed). But this video in specific is all about how the government should hire those hackers and provide better conditions to them instead of hunting them.
Don't be so eager to paint everyone who hacks/cracks with the "evil bastard" brush.
A lot of us are whitehats who do security for a living. To be good at this job, you have to understand what you're up against.
A lot of us are whitehats who do security for a living. To be good at this job, you have to understand what you're up against.
@MrJoshL
I didn't mean that the government or corporations should get criminals/suspects and pay them to get more knowledge of their system. I was saying that the guy from the video saw some similarities between the hackers (I use hacker because I am not the media and I know what the term means) and he thinks that the government/corporations should find these guys while they are kids and give them oportunities.
If you watched the whole video you noticed that all of them except one had very little resources when they were kids, still they developed their geniuses in computers.
I know about the speculation of Usama Bin Laden and his training in CIA. But I think the government/corporations know better by now.
Just to give you a real life example. Have you heard about the CrackIt project?
It is the GCHQ from UK doing a challenge to find some whitehats out there. That is awesome (the challenge was pretty cool as well ;))
I didn't mean that the government or corporations should get criminals/suspects and pay them to get more knowledge of their system. I was saying that the guy from the video saw some similarities between the hackers (I use hacker because I am not the media and I know what the term means) and he thinks that the government/corporations should find these guys while they are kids and give them oportunities.
If you watched the whole video you noticed that all of them except one had very little resources when they were kids, still they developed their geniuses in computers.
I know about the speculation of Usama Bin Laden and his training in CIA. But I think the government/corporations know better by now.
Just to give you a real life example. Have you heard about the CrackIt project?
It is the GCHQ from UK doing a challenge to find some whitehats out there. That is awesome (the challenge was pretty cool as well ;))
How would you find that? I would bet against a kid being able to do any kind of hacking/cracking whatsoever. If you ask a kid about hacking/cracking, they will most likely say, "Oh that's cool, I see that in movies."
government/corporations should find these guys while they are kids and give them oportunities.
How would you find that? I would bet against a kid being able to do any kind of hacking/cracking whatsoever. If you ask a kid about hacking/cracking, they will most likely say, "Oh that's cool, I see that in movies."
[quote name='kuramayoko10' timestamp='1354061772' post='5004752']
government/corporations should find these guys while they are kids and give them oportunities.
[/quote]
I should probably put a value to kid: someone with more than 10 years old.
If you think they are not capable...
> Raspberry Summer Coding Contest (Category 13 & under)
> Another link with the other submissions
Are you going to say that the 12yo boy who developed this software (the winner PySnap) is not a programmer and does not have skills?
Well, I stand corrected. I should not have stereotyped as I did. There are intelligent children out there and foolish adults. Cracking is a part of digital life, and won't go anywhere in the future. If a kid stumbles on this website and this post, don't go you go on a crackin' now, youngin'. I will rest my case at that.
I should probably put a value to kid: someone with more than 10 years old.
If you think they are not capable...
> Raspberry Summer Coding Contest (Category 13 & under)
> Another link with the other submissions
Are you going to say that the 12yo boy who developed this software (the winner PySnap) is not a programmer and does not have skills?
Cracking is a part of digital life, and won't go anywhere in the future. If a kid stumbles on this website and this post, don't go you go on a crackin' now, youngin'. I will rest my case at that.
I second that
It is all exploits of one kind or another as others have mentioned. Find a hole, some gap or oversight, and figure out a way to do something unexpected with it.
That, or just be bold and go after people directly.
I've been part of physical security reviews for a few agencies and allied governments in a past job. Some of the things myself and the team I worked with pulled off were down right scary. Carried loaded weapons and a (fake) explosive device into a room with representatives from half a dozen nations, with zero credentials on me or anyone else on the team. How? I wore a nice tailored suit, carried a brief case full of folders stamped Top Secret, and had one of the team member's 16 year old sister in tow pretending to be my intern/assistant. Get to the first check point, and I'm not on the list. "Why am I not on the list" Blame the intern for failing to confirm this meeting, go off on her for a series of previous mistakes. I get asked for ID, "Wait, I left it in the other bag"... The bag the intern forgot to bring when we were leaving the office. Go off on her some more, she is now crying, she is the reason we're late, etc, etc, etc, vitally important, national security, etc, etc, etc. Drop names of people who are there at a meeting that isn't suppose to be public knowledge... Suddenly myself, a pair of 'agents', and one watery eyed intern are being escorted by a single front desk guard, who should have known better, through the next two layers of security, manned by armed men should also should have known better. Got in the meeting room itself, apologized for interrupting, turned around, and asked to speak to the head of security for the event.
Why were we able to do this? Because people like to see what they expect to see. People assume things, and are overly trusting when they feel safe, and don't bother looking beyond what they think they already no. Computer systems are even worse, as they can't look beyond what their programmers have told them to.
Nothing will ever be 100% secure. There will always be flaws, gaps, and the like that one can exploit in one way or another. Whether these elements are part of a programmed system, or part of the human element involved in those systems, doesn't matter. The point is that they will exist, and all we can do is stay as alert as possible and patch holes as we find them.
That, or just be bold and go after people directly.
I've been part of physical security reviews for a few agencies and allied governments in a past job. Some of the things myself and the team I worked with pulled off were down right scary. Carried loaded weapons and a (fake) explosive device into a room with representatives from half a dozen nations, with zero credentials on me or anyone else on the team. How? I wore a nice tailored suit, carried a brief case full of folders stamped Top Secret, and had one of the team member's 16 year old sister in tow pretending to be my intern/assistant. Get to the first check point, and I'm not on the list. "Why am I not on the list" Blame the intern for failing to confirm this meeting, go off on her for a series of previous mistakes. I get asked for ID, "Wait, I left it in the other bag"... The bag the intern forgot to bring when we were leaving the office. Go off on her some more, she is now crying, she is the reason we're late, etc, etc, etc, vitally important, national security, etc, etc, etc. Drop names of people who are there at a meeting that isn't suppose to be public knowledge... Suddenly myself, a pair of 'agents', and one watery eyed intern are being escorted by a single front desk guard, who should have known better, through the next two layers of security, manned by armed men should also should have known better. Got in the meeting room itself, apologized for interrupting, turned around, and asked to speak to the head of security for the event.
Why were we able to do this? Because people like to see what they expect to see. People assume things, and are overly trusting when they feel safe, and don't bother looking beyond what they think they already no. Computer systems are even worse, as they can't look beyond what their programmers have told them to.
Nothing will ever be 100% secure. There will always be flaws, gaps, and the like that one can exploit in one way or another. Whether these elements are part of a programmed system, or part of the human element involved in those systems, doesn't matter. The point is that they will exist, and all we can do is stay as alert as possible and patch holes as we find them.
This topic is closed to new replies.
Advertisement
Popular Topics
Advertisement
