punkwalrus (punkwalrus) wrote,

Tech - P4zzw3r[> Insanity

My first foray into computers was a GT program in the summer of 78. I don't recall the title, but it was a "Hey, we got smart kids, let's give them a computer class!" The concept was fairly new, and our class was a mostly forgettable collection of societal misfits - the future Hackers of America. Our instructors were several people, the main one being a woman who I think was a science teacher and who had never touched a computer apart from occasional field trip exercises. Luckily, she was supplemented by some college students, some of whom were getting computer-related or educational degrees. Our education was time-sharing computer logins at George Mason University coupled with a book on BASIC and several dog-eared copies of "Creative Computing."

If I were to take the one thing from that class that stood out from the rest, it was the terror that the college student teachers instilled in us: NEVER SHARE YOUR PASSWORD WITH ANYONE!!!! I mean, they really made a point of this. I was all of 9 years old when they snapped this rule to my spine, and the echoes of the lesson have reverberated in my nervous system through time until the present day. I recall one of the teachers' passwords was several dozen characters long, which he said was a biblical passage he had memorized. His fellow teachers snickered that this was "slightly overkill," but I'll never forget the speed at which he'd type something like "4nd_th3_34rth_w4z_without_form,_4nd_void;_4nd_d4rkn3zz_w4z_upon_th3_f4c3_of_th3_d33p._4nd_th3_zpirit_of_God_mov3d_upon_th3_f4c3_of_th3_w4t3rz" or something before the login timer expired on the 300 baud acoustic-coupled modem connection.

Fast forward to 1988. I started into the BBS world, and was always frustrated that the passwords I could choose were limited. Much of the software had a maximum 8 character length for logins and passwords, and wouldn't accept spaces, punctuation, or even, in a few cases, numbers. Most were not case sensitive, so TOMHUDZN was the same as tomhudzn or TomHudzn. This improved rather rapidly, but you never knew what version of WWIV, Bearcat, or NiteLite you were logging into, and what they would accept.

I never gave out my password. My feeling was if the sysop needed it, he could change it at will, or read it from an insecure text file. That's a lesson from my UNIX days. But it amazed me how many people would give out their password at any given time. There were always accounts that got hacked. Having seen some of these text files, it's no wonder. The passwords were so flippin' simple to guess. Here are the Top Ten Passwords used, according to admins:

1. No password at all (just hit "enter")
2. The word "password"
3. Cartoon characters (Homer, Road Runner, Mickey Mouse, Dilbert)
4. Football team or player's name
5. Pet's name
6. Astrological sign
7. First love, boyfriend/girlfriend's name
8. Profanities/obscenities
9. Any sci-fi or fantasy characters (Gandalf, Frodo, Jedi, Wookie, Hercules)
10. Company name

I have seen a dictionary cracker in action. Many people think doing stuff like "g4nDa1F" makes your password real hard to crack. Bzzzt. Try again. In fact, any letter/number/punctuation combo under nine characters is used. Even nonsense stuff like fQ2_6;z# is in that dictionary.

The issue for hackers is that every character over eight pretty much multiplies the number of attempts on nonsense by 94 (the usable ASCII character codes are 32 to 126). To guess nonsense, roughly speaking, each extra character raises the number of attempts by one more power of 94. One character is a paltry 94 guesses. Two is 8836 attempts. Three is over 830,000. Eight is over six quadrillion combinations. But they don't have to try nearly so many, because a majority of people (even the best sysadmins) use, beyond letters and digits, only spaces, periods, hashes, underscores, and the "@" symbol. That reduces the number from 94 to 57. Plus, a majority base their password on real words, which sharply reduces the number of tries that need to be made.

Keep in mind, if the hacker actually has physical access to your machine, he or she can run a dictionary attack at about 1000 words/second (depending on processor speed). Most of the sophisticated hacker dictionaries are not alphabetized, but have the most common stuff up front. I have seen such dictionaries on a Linux box crack most passwords in about 3-4 minutes. Again, this was done from a bootable CD-ROM on a compromised Linux box, so the guy demonstrating had physical access to the machine. Dictionary attacks against an online account are so slow (often they can't do more than 3 in one minute, and sometimes after 3 bad attempts the account gets shut down) that they might as well not be worth it. But how do you know that the box you are logging into hasn't been physically compromised? And is that password unique, or do you share the same password over multiple accounts?
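To put numbers on the two points above (the keyspace arithmetic, and why a leet-speak spelling of a dictionary word buys almost nothing), here is an added example that is not from the original post. It uses the post's own figures: 94 and 57 as character-set sizes, 1000 guesses/second offline versus 3 per minute online. The wordlist, the substitution tables and the `limit` cut-off are my own assumptions; a real cracking dictionary is far larger, so treat `is_dictionary_derived` as a policy check (the kind a login system can run when a password is set), not as a measure of what an attacker has.

```python
import itertools

# Character-set sizes as the post counts them: 94 printable ASCII codes, and
# the reduced set of 57 that most people actually draw from.
FULL_SET = 94
COMMON_SET = 57

# Guess rates quoted in the post: about 1000 words/second with local access to
# the password file, and about 3 attempts per minute against a live login.
OFFLINE_RATE = 1000.0
ONLINE_RATE = 3.0 / 60.0


def keyspace(alphabet_size, length):
    """Number of distinct strings of exactly `length` characters."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size, length, rate):
    """Worst-case seconds to try every string of this length at `rate` guesses/s."""
    return keyspace(alphabet_size, length) / rate


# Reverse "leet" map built from the post's own examples (4->a, 3->e, 1->l,
# z->s) plus a few common swaps; a symbol may stand for more than one letter.
# This table is an assumption, not a published mangling rule set.
DELEET = {"4": "a", "@": "a", "3": "e", "1": "li", "!": "i", "0": "o",
          "$": "s", "5": "s", "z": "s", "7": "t", "|": "l"}

# Forward map, used only to count how many spellings one word can be mangled into.
LEET = {"a": "4@", "e": "3", "i": "1!", "l": "1|", "o": "0", "s": "$5z", "t": "7"}

# Constructed stand-in for the "hacker dictionary" the post describes.
WORDLIST = {"gandalf", "frodo", "jedi", "wookie", "password", "homer", "dilbert"}


def candidate_roots(password, limit=5000):
    """Plain-letter words the password could be a case/leet mangling of.

    Characters with no mapping (underscores, stray digits, punctuation) are
    treated as padding and dropped. Returns an empty set if the number of
    combinations exceeds `limit`, which only happens for long inputs.
    """
    options = []
    for ch in password.lower():
        opts = (ch if ch.isalpha() else "") + DELEET.get(ch, "")
        if opts:
            options.append(sorted(set(opts)))
    total = 1
    for opts in options:
        total *= len(opts)
    if total > limit:
        return set()
    return {"".join(combo) for combo in itertools.product(*options)}


def is_dictionary_derived(password, wordlist=WORDLIST):
    """True if some de-mangled reading of the password is a dictionary word."""
    return any(root in wordlist for root in candidate_roots(password))


def mangling_variants(word):
    """Upper bound on distinct spellings reachable by case flips and LEET swaps."""
    count = 1
    for ch in word.lower():
        if ch.isalpha():
            count *= 2 + len(LEET.get(ch, ""))  # upper, lower, or each symbol
    return count


if __name__ == "__main__":
    for n in range(1, 9):
        print(f"{n} chars: {keyspace(FULL_SET, n):>22,} combos, "
              f"offline {seconds_to_exhaust(FULL_SET, n, OFFLINE_RATE):>14.0f}s, "
              f"online {seconds_to_exhaust(FULL_SET, n, ONLINE_RATE):>16.0f}s")
    for pw in ("g4nDa1F", "P@$$w0rd", "fQ2_6;z#"):
        print(pw, "dictionary-derived:", is_dictionary_derived(pw))
    print("gandalf manglings:", mangling_variants("gandalf"),
          "vs 7-char keyspace:", f"{keyspace(FULL_SET, 7):,}")
```

The last line is the whole argument in one comparison: "gandalf" has only 1024 case-and-symbol spellings, so a cracker that mangles each dictionary word covers every one of them for the price of a few guesses, while the 7-character keyspace it would otherwise have to walk is around 6.5e13. Length, not symbol substitution, is what moves a password out of the dictionary.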

My friend VB got stung this way back in the BBS days. She had a stalker who was a sysop on another board. He got her password off his board, and then used it for the other BBSs around the area. He posted a lot of stuff pretending to be her.

Where I work, since we do sensitive stuff, our accounts are always being attacked. Our logins are multilayered, and sealed with SecurID. But they still try to get in. A SecurID token is good for about 30 seconds, so they try to "phish" for our password and token by simulating logins. Some are quite good attempts.

And that leads to why I started writing this. Today was a series of bad attempts. Usually, the attempts are slightly more sophisticated, so I am not sure if this person was drunk, or a decoy for something else, but here are some I got in my mailbox today (names and e-mail have been changed):

From: someone@spoofed-email.com
To: punkwalrus@real-companycom
Subject: Attention company employee

this is gern blanston from corp hq, we are conducting an audit and need your password emailed to us at someone@spoofed-email.com as soon as possible. there have been some problemz with the system. please give us your securid too. thanks, gern. opersec


From: someone@spoofed-email.com
To: punkwalrus@real-companycom
Subject: AIM Address Change

dude
Reply to this e-mail to confirm your e-mail address change from
someone@spoofed-email.com to ABhardwajcsc@spoofed-email.com. In the reply, type 'OK' as the text of your
message.
The change will affect the screen name tied to this e-mail address:

someones_AIM_account

Please take a moment to return your confirmation now. It will take up
to 72 hours to confirm your new e-mail address. If you do not want to
confirm this address as your new e-mail address do not reply, and no
changes will take effect.

You can also cancel the update within 72 hours of submitting the update
request, by following the directions in the confirmation e-mail sent to
your old e-mail address.

Thank you for using the AOL Instant Messenger(SM) service.


From: someone@spoofed-email.com
To: punkwalrus@real-companycom
Subject: HEY READ THIS RIGHT NOW DAMMIT

YOU LITTLE FRUITCAKEMOTHER FUCKERS IM GONA RAPE UR KIDZ AND FUCKING SMASH YOUR DOMES IN YOU LITTLE BITCH I HATE YOU SO MUCH IF U GOT BALLS YOULL IM ME ON someone@spoofed-email.com YOU FUCKING FAGGET ASS BITCHES. WHY DONT U LET UR MOM BEND OVER AND GET BUTTFUCKED BY SOME GORRILLA YOU JAPPANESE FUCKING QUEER. IF I EVER SEE U, IMA FUCKN SLAP THE TASTE OUT OF UR MOUTH FUCKING LOSER!!!

This series was repeated over several e-mails and AIM accounts all morning. Now, obviously, this was a script of some kind. But I wonder what the designer was thinking?

1. Attempt to gain login and SecurID by pretending to be corporate
2. Attempt to gain login and SecurID by pretending to be whomever runs AOL Instant Messenger
3. Attempt to gain login and SecurID by sheer intimidation
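All three lures share a tell that a mail filter can act on before a human reads them: an outside sender asking for a password or token, an outside sender asking you to reply to "confirm" something naming another outside address, or an all-caps threat. The following is an added example, not code from the original post or from the author's employer, that scores a raw RFC 822 message on those tells. The corporate domain `real-company.example`, the constructed sample messages (paraphrased from the three above without the profanity), and the keyword lists are all assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed corporate domain (placeholder). Mail that claims to come from
# "corp HQ" or an internal audit should originate here.
TRUSTED_DOMAINS = {"real-company.example"}

CREDENTIAL_RE = re.compile(r"\b(password|passwd|securid|token|passcode)\b", re.I)
INTERNAL_CLAIM_RE = re.compile(r"\b(corp(orate)?\s+hq|head\s*office|audit|it\s+department)\b", re.I)
CONFIRM_RE = re.compile(r"\b(reply|confirm)\b", re.I)
THREAT_RE = re.compile(r"\b(hate|smash|slap|hurt|kill)\b", re.I)
ADDRESS_RE = re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+")


def sender_domain(msg):
    """Domain part of the From: header, lower-cased ('' if absent)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def shouting_ratio(text):
    """Fraction of letters that are upper case."""
    letters = [c for c in text if c.isalpha()]
    return sum(c.isupper() for c in letters) / len(letters) if letters else 0.0


def classify(raw_message):
    """Return ("quarantine", reasons) or ("deliver", []) for one RFC 822 message."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    text = msg.get("Subject", "") + "\n" + body
    external = sender_domain(msg) not in TRUSTED_DOMAINS
    reasons = []
    if CREDENTIAL_RE.search(text):
        reasons.append("asks for a password or one-time token")
    if external and INTERNAL_CLAIM_RE.search(text):
        reasons.append("claims internal origin from an external address")
    if external and CONFIRM_RE.search(text) and ADDRESS_RE.search(body):
        reasons.append("reply-to-confirm lure naming an outside address")
    if shouting_ratio(text) > 0.8 and THREAT_RE.search(text):
        reasons.append("intimidation")
    return ("quarantine" if reasons else "deliver", reasons)


# Constructed samples modelled on the three lures in the post.
AUDIT_PHISH = """\
From: someone@spoofed.example
To: employee@real-company.example
Subject: Attention company employee

This is Gern from corp HQ. We are conducting an audit and need your password
and your SecurID code emailed to someone@spoofed.example as soon as possible.
"""

CONFIRM_LURE = """\
From: someone@spoofed.example
To: employee@real-company.example
Subject: Address Change

Reply to this e-mail to confirm your address change to new-owner@spoofed.example.
In the reply, type 'OK' as the text of your message.
"""

THREAT = """\
From: someone@spoofed.example
To: employee@real-company.example
Subject: READ THIS RIGHT NOW

I HATE YOU SO MUCH. IF YOU HAVE ANY NERVE YOU WILL MESSAGE ME RIGHT NOW.
"""

LEGIT = """\
From: helpdesk@real-company.example
To: employee@real-company.example
Subject: Saturday maintenance window

The mail server will be offline Saturday from 22:00 to 23:00. No action is required.
"""

if __name__ == "__main__":
    for name, raw in [("audit", AUDIT_PHISH), ("confirm", CONFIRM_LURE),
                      ("threat", THREAT), ("legit", LEGIT)]:
        verdict, why = classify(raw)
        print(f"{name:8s} -> {verdict}: {'; '.join(why) or 'no findings'}")
```

The credential rule deliberately fires regardless of sender, because a genuine help desk never needs the password or the current token either; the other rules only fire for senders outside the trusted domain, which is what keeps the legitimate maintenance notice out of quarantine. Header-based checks like this are a triage aid, not a replacement for the user-side rule the post opens with.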