
How easy is hacking in real life?

Old 22 February 2010, 10:20 AM
  #1  
Scoobychick

Watching TV shows such as NCIS, Spooks etc it seems that a clever geek can hack into just about anything, no matter how secure, in a mere matter of seconds. Surely it can't be that easy can it?

How much is based on fact and how much on fiction? I'd like to do ethical hacking but am just not geeky enough
Old 22 February 2010, 10:40 AM
  #2  
boxst

It used to be a hobby of mine when I was a child. Logging into computers that I shouldn't, attaching little boxes to my telephone to get free calls in and out etc... And it was quite easy. Then I discovered girls and getting access to various bits of them was far harder than computers. This was 25 years ago.

Now from what I can see at a cursory glance it is harder and easier. Easier if you want to hack a webpage, someone's email account as there are many people who have bad passwords, get taken in to handing out their details. Harder because major corporations have people dedicated to security and the chance of happening on a password (or in fact just getting access) is very difficult.

Steve
Old 22 February 2010, 12:38 PM
  #3  
Tidgy

it is getting harder with the newer security. but depends how up to date the security is and also what systems, some have inbuilt loopholes or flaws that just keep getting bodged patched up so they don't have to be written from scratch again. Tends to mean the hackers can get in a lot more easily than a new system due to being halfway there and understanding the system better.

Mate's job is basically to hack certain security networks purely to try to find weakness to stay one step ahead of the illegal hackers. (i must add he works for a company that gets paid to do so and he does this legally lol) He said most home systems can easily be accessed and a lot of companies can be, higher level stuff is a lot more difficult. But no system is 100% secure, if it has internet access it's vulnerable to cyber attack, if no internet then is much more difficult and means physically breaking into the system (as in attaching your own wire to the cable).
Old 22 February 2010, 12:40 PM
  #4  
Scoobychick

Do big organisations (MI5, FBI, Woolworths) etc employ people whose full time job is to hack? Would they be given special tools that enable them to do it? I'm genuinely interested in it all but it annoys me a bit when someone on TV appears to break the Pentagon's security with two key strokes
Old 22 February 2010, 12:44 PM
  #5  
Tidgy

tbh he doesn't really admit to much about what he's working on, which isn't unsurprising lol, i just know he hacks for a living lol

from what i gather its not as simple as two keys to get in though.
Old 22 February 2010, 01:02 PM
  #6  
Markus

Doubt you would get much info on what Five and Six use due to the OSA

I would not be too shocked to learn there are a bunch of chaps like Colin and Malcolm doing their thing for the service

I think a fair bit of hacking is mainly social engineering, as it is a little worrying how many people will give out details they really should not to total strangers
Old 22 February 2010, 01:27 PM
  #7  
JackClark

Absolutely Markus, some of the biggest hacks have been more to do with social engineering than keyboard crunching. Heard of Kevin Mitnick? Not a great hacker but had great success and jail time by asking for information. A survey was conducted in a London train station, the public were asked for their passwords in return for a bar of chocolate, the results were startling.
Old 22 February 2010, 02:09 PM
  #8  
StickyMicky

I tried to hack the highschool systems once

I totally n00bed myself and ended up sending every single pc on the school system, some kind of notice telling them of my intentions

Doh!!

We did discover a pretty neat trick in the art of school cyber warfare, whenever a new pupil arrived, they were given a username/password that was the full name, and the second name as the password, they were encouraged to change the password ASAP

Grab a few squirts, give them a bit of a shake about and find out some names, steal the accounts and change the passwords

We were then free to send 50 copies of a ***** to the networked printers, and other joyful shenanigans.

Yes they could find out what machine we were at, but we were long gone by the time they realised
Old 22 February 2010, 02:45 PM
  #9  
JackClark

Must be worse at schools now, switches everywhere, wireless routers for a penny on ebay, I'd be a bloody nightmare.
Old 22 February 2010, 07:44 PM
  #10  
dunx

I hack into works network with my psp..... to watch movies of course !

LOL

dunx

P.S. I "social engineered" the necessary info
Old 22 February 2010, 10:12 PM
  #11  
bioforger

lol i did the same for my itouch, using the external broadband at work, mac address added to router, get the WEP passcode after plying applicable IT support guy with booze
Old 22 February 2010, 10:41 PM
  #12  
HHxx

WEP? Could have saved the booze for yourself
Old 22 February 2010, 11:23 PM
  #13  
bioforger

not WEP, WPA2
Old 23 February 2010, 09:33 AM
  #14  
BlkKnight

Script kiddies - people who exploit known vulnerabilities in various software / hardware systems are 10 a penny. Simple as download the script, insert target & run.

WEP cracking - pretty simple airsnort was a popular package at one point. Still works on 802.11b

WPA/2 is also doable using aircrack - processor intensive.

The actual brains behind cracking are the people who actually find the exploit in the first place. Very hard to do & you need quite a big skill set & resource.

The popularity of script kiddies is why you should frequently patch your software / hardware.

J

Last edited by BlkKnight; 23 February 2010 at 09:35 AM.
Old 23 February 2010, 11:00 AM
  #15  
ScoobyWon't

I'm fairly surprised no-one has mentioned brute forcing their way into things. Just select your target and run a dictionary at the password entry point and wait for the correct word to be entered.

Just last night, while sitting in the pub, I connected to the private WLAN in the place, rather than the one for the customers, just by guessing that the password was the landlord's name. One guess and was in.

That was just from my N85, but I'm sure if I'd have had my laptop with me, I could have done more, though I expect it's easier just to ask for the WEP key to the public WLAN and use that.
Old 23 February 2010, 11:07 AM
  #16  
oadamo

there's a few different ways to hack, they're all easy, but there's a fast and easy way and there's a long and hard way. say you want to get into someone's email account you could try guessing the password or use an automated program but this would take a long time but you prob would get in in the end. or you could try the password reminder if it asks where was xxxx born, the first thing i would try is add them as a friend on facebook find out where they were born then go back get into the account, but that's just the beginning think of all the passwords and things that you have in your email account.
but then there's code based hack where you have to start breaking down code to get anywhere, and like some have said social engineering is easy because most people don't realize that they're being scammed, you have to pick the best way to get to your goal the fastest way you can.
a good book to read is hackers by paul a taylor it gives an insight to hackers but it's a bit outdated now.
adam
Old 23 February 2010, 08:40 PM
  #17  
HHxx

BBS's is a popular target as well.

If you succeed and get member details, you would have their email address and possibly their password.

How many people use the same password for all the sites they have accounts on?
Old 24 February 2010, 10:56 AM
  #18  
BlkKnight

Most BBS's store their passwords as an MD5 hash - which is not impossible to retrieve - but takes bloody ages
Old 24 February 2010, 10:59 AM
  #19  
JPL

I've hacked ebay accounts before, just by seeing the username has the 6 digit dob included, and trying the dob to log in, surprising how many people must do that. Not done anything whilst logged in though, I'm not malicious.

My hotmail password is longer than 10 digits and not a word, a selection of alphanumeric characters that only means something to me. So how would something like that be hacked?
Old 25 February 2010, 03:15 PM
  #20  
BlkKnight

brute force

9 chars is usually long enough if you mix Alpha (upper & lowercase), Numeric, control chars.
Old 27 February 2010, 04:04 PM
  #21  
pimmo2000

I worked out in school that teachers could change passwords and all accounts were set up with a standard password of the surname plus first initial. Thus a teacher that never used the IT systems could be used to do with what we liked.

Was able to mess with people till the admin changed a mate of mine's password and as soon as he came in he changed it back .. the tit .. caught and told off
Old 27 February 2010, 05:36 PM
  #22  
hodgy0_2

Originally Posted by JPL
My hotmail password is longer than 10 digits and not a word, a selection of alphanumeric characters that only means something to me. So how would something like that be hacked?
it wouldn't, simple as that (unless by a govt agency)

99.99% of hacks where passwords are broken are because

1. they are still left as default
2. they are blank
3. password, Password, password123, p4ssw0rd, etc a few hundred times
4. the person's name, dog's name, car name, etc a few hundred times

the UK hacker Gary McKinnon told how all the computers he "hacked" had blank passwords, he didn't use anything more sinister than an educated guess
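
The patterns listed in the posts above (blank or default passwords, `password` variants, names, a date of birth reused from the username) can be screened for at the moment a password is set. This is an added example, not part of any post in the thread; the word list, account names and function names are constructed for illustration.

```python
import re

# Constructed sample list; a real deployment would load a breached-password corpus.
COMMON_BASES = {"password", "letmein", "qwerty", "welcome", "admin"}
# Undo the usual character swaps so "p4ssw0rd" is treated as "password".
LEET = str.maketrans({"4": "a", "@": "a", "0": "o", "3": "e",
                      "1": "i", "5": "s", "$": "s"})


def base_word(password):
    """Lower-case, strip trailing digits/punctuation, undo simple leet swaps."""
    return re.sub(r"[\d\W_]+$", "", password.lower()).translate(LEET)


def weak_reasons(username, full_name, password, site_defaults=()):
    """Return the reasons a proposed password is predictable (empty list = none found)."""
    if password == "":
        return ["blank"]
    reasons = []
    if password in site_defaults:
        reasons.append("site default")
    base = base_word(password)
    if base in COMMON_BASES:
        reasons.append("common password")
    # Name parts of three or more letters, taken from the real name and the login.
    parts = {p for p in re.split(r"[^a-z]+", f"{full_name} {username}".lower())
             if len(p) >= 3}
    if any(p in base for p in parts):
        reasons.append("derived from name")
    # A digit run in the login (such as a date of birth) reused in the password.
    if any(run in password for run in re.findall(r"\d{4,}", username)):
        reasons.append("digits from username")
    return reasons


def audit(accounts, site_defaults=()):
    """Map login -> reasons for every account whose password is flagged."""
    flagged = {}
    for username, full_name, password in accounts:
        reasons = weak_reasons(username, full_name, password, site_defaults)
        if reasons:
            flagged[username] = reasons
    return flagged


if __name__ == "__main__":
    # Constructed accounts, checked at set-time while the plaintext is in hand.
    sample = [
        ("alice.example", "Alice Example", "Example"),
        ("bob", "Bob Builder", "p4ssw0rd"),
        ("carol140275", "Carol Sample", "140275"),
        ("dave", "Dave Tester", "t7#Kq9!vLx2m"),
    ]
    for user, why in audit(sample).items():
        print(user, why)
```
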
Old 27 February 2010, 06:30 PM
  #23  
DYK

People leave themselves open to being hacked by not keeping firewalls/anti-virus up to date. Hacking into a PC through the router is a common way because people are unaware of going into the router set up utility and changing the default settings/password, basically i could hack your computer this way and you wouldn't even know it until i had changed your password/locked you out of your own network and then you have this look, a hard reset of the router doesn't always help either. Mac computers are less common with viruses/attacks than windows partly because windows is more popular and the mac is built around the Unix OS it's more secure. Some clever people out there in the world of computers.
Old 27 February 2010, 06:50 PM
  #24  
Will

Sites like Facebook are **** easy to do. My account has been hacked 3 times in the past. All you need is the person's E-mail address they used to register with Facebook. Then all you do is click the 'Forgotten Password' link and you just type the E-mail addy where you want it sent and then they send you a confirmation code, then you type this code in and you're in!!!!!

So, if you have a Facebook account make sure you hide your E-mail addy.
Old 27 February 2010, 07:07 PM
  #25  
corradoboy

I'm no hacker by any stretch, but I once did a search on Limewire for documents called 'password' and got a fair few results. The fourth one I downloaded bore some fruit, giving me access to a California woman's life. She had $60k+ in an investment portfolio I could have plundered, but I'm clever enough to know I aren't clever enough to hide my tracks. To try and teach her a lesson I emailed the document back to her from an internet cafe using a dodgy account set up just for that, and to highlight it I changed all her Blockbuster selections to Jean Claude Van-Damme movies

I also spotted a very attractive laydee listed as a friend of a friend on FB. Within 10 minutes I'd plundered her email, acquired her MySpace, Photobucket and various other passwords, and even found some 'interesting' pics taken by her boyfriend

It's fun, in a naughty way, but I prefer to go out and live my own life than sit snooping on other people's TBH
Old 27 February 2010, 07:22 PM
  #26  
boomer

Originally Posted by mr_impreza
Sites like Facebook are **** easy to do. My account has been hacked 3 times in the past. All you need is the person's E-mail address they used to register with Facebook. Then all you do is click the 'Forgotten Password' link and you just type the E-mail addy where you want it sent and then they send you a confirmation code, then you type this code in and you're in!!!!!

So, if you have a Facebook account make sure you hide your E-mail addy.
I am confused

Are you saying that you enter the "target's" e-mail address into the forgotten thingy, in which case they get sent a reset code - no use to you unless you can read their e-mail!

Or are you saying that Faceache sends a reset code to any e-mail address that you supply - in which case that is totally bloody stupid of FB and they should have their ***** seriously kicked?!?!

mb
Old 27 February 2010, 07:28 PM
  #27  
Will

Originally Posted by boomer
Or are you saying that Faceache sends a reset code to any e-mail address that you supply - in which case that is totally bloody stupid of FB and they should have their ***** seriously kicked?!?!

mb
Yes that's exactly what i'm saying. And yes i think Facecrap seriously needs to sort that out.

If you have another E-mail account that's different to your Facebook one, give it a try with your own Facebook account. Shocking!!!!

Last edited by Will; 27 February 2010 at 07:30 PM.
Old 28 February 2010, 01:07 AM
  #28  
Anders_WR1

I caught some Romanian paypal accounts scammers a few months ago. I had one of those dodgy update your paypal account e-mails. The link said www.paypal.com but the source went to an ip address something like:

http://89.46.90.100:8051/html/update-paypal.html

They hadn't even bothered to create a domain name and the page looked properly fake. I did a look up on the IP and it was registered to a 3G network in Romania. The images for the paypal logo were being hosted on some foreign holiday company's web server, I doubt they would know their server had been hacked and was being used to help scam people.

I thought I'd take a look, so I entered:

http://89.46.90.100:8051/html/

It listed the directory and there was a file called 'passwords.txt' I downloaded it and it had the following for everyone that fell for the scam:

date & time / e-mail / password / IP address of their PC

Some people knew the score and had entered user name and passwords like 'f*ck you scumbags', but there were lots of genuine ones too. I downloaded the list every 30 minutes for three hours until the IP went off-line and there were over 500 accounts in that amount of time. I sent the file to Paypal who froze the affected accounts.

Anders

Old 28 February 2010, 02:24 AM
  #29  
Markus

Originally Posted by mr_impreza
Sites like Facebook are **** easy to do. My account has been hacked 3 times in the past. All you need is the person's E-mail address they used to register with Facebook. Then all you do is click the 'Forgotten Password' link and you just type the E-mail addy where you want it sent and then they send you a confirmation code, then you type this code in and you're in!!!!!

So, if you have a Facebook account make sure you hide your E-mail addy.
Just to check, you're logged out, you click "forgot password" and then enter any old email address and it'll send an email to that email address with a password reminder/reset link for YOUR account?

Pray tell how that works then as I cannot see how it would. It will cross reference the email address with the account details, and thus if you don't have an account with facebook you won't get an email, if you do, it'll send you the details associated with that email address.

If you hack the person's email account then yes, if someone entered your email address they could get into your facebook account, but without doing that I cannot see how they would get into your facebook account.

In regards to forum passwords, as mentioned they are an md5 hash which is a one time hash, thus you essentially need to know the password to retrieve it. For vBulletin, the password formula is as follows (this is a php string)

Code:
$password_hash = md5(md5($thepassword) . $thesalt);
What that means is that an md5 hash is created of your entered password, then the result of this has a salt added to it, which is a unique to each user three letter combination, and then an md5 hash is made of that resulting string.

Even if you had access to the database all you would be able to get are the hashed result and the salt for the user. You would then need to brute force the password, now using things such as rainbow tables to aid you, it is possible you might get the password (what you are actually doing is creating an md5 hash of a known string and seeing if it matches the string you got from the database - if it matches then you know what you entered as the string and that would be the password).

Would someone really do this to get a normal user's password? An admin's password I could see, as you could then get up to all sorts. If I were to hack a forum I'd actually find out the host being used for the forum and if they use something like cpanel or webmin to administer things and then I'd try and hack into that. The reason being that from there you'd probably be able to get into the database for the forum, as most setups won't allow remote access to the sql databases, or if they do it'll be to specific hosts. If you have access to the database then you can pretty much do whatever you want.

Last edited by Markus; 28 February 2010 at 02:38 AM.
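
How a site holding hashes in the format described in the post above can move to a slow key-derivation function, first without knowing any password and then fully at each user's next login. This is an added example, not part of the original post and not vBulletin's code; the record layout, scheme labels, function names and the PBKDF2 iteration count are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune to the server's login budget


def legacy_vb_hash(password, salt):
    """md5(md5(password) . salt), mirroring the PHP line quoted in the post."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def slow_hash(secret, kdf_salt):
    """PBKDF2-HMAC-SHA256 as the slow outer layer; returns hex."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"),
                               kdf_salt, ITERATIONS).hex()


def wrap_legacy(record):
    """Offline upgrade: wrap the stored MD5 value, no password needed."""
    kdf_salt = os.urandom(16)
    return {"scheme": "pbkdf2(vb-md5)", "salt": record["salt"],
            "kdf_salt": kdf_salt.hex(),
            "hash": slow_hash(record["hash"], kdf_salt)}


def fresh_record(password):
    """Final form: slow hash of the password itself, no MD5 layer."""
    kdf_salt = os.urandom(16)
    return {"scheme": "pbkdf2", "kdf_salt": kdf_salt.hex(),
            "hash": slow_hash(password, kdf_salt)}


def verify(record, password):
    scheme = record["scheme"]
    if scheme == "vb-md5":
        candidate = legacy_vb_hash(password, record["salt"])
    elif scheme == "pbkdf2(vb-md5)":
        candidate = slow_hash(legacy_vb_hash(password, record["salt"]),
                              bytes.fromhex(record["kdf_salt"]))
    elif scheme == "pbkdf2":
        candidate = slow_hash(password, bytes.fromhex(record["kdf_salt"]))
    else:
        return False
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(candidate, record["hash"])


def login(record, password):
    """Return (ok, record_to_store); a successful login leaves a plain pbkdf2 record."""
    if not verify(record, password):
        return False, record
    if record["scheme"] != "pbkdf2":
        record = fresh_record(password)
    return True, record


if __name__ == "__main__":
    # Constructed user row: three-character salt as the post describes.
    row = {"scheme": "vb-md5", "salt": "aB3",
           "hash": legacy_vb_hash("correct horse", "aB3")}
    row = wrap_legacy(row)                 # run once over the whole table
    ok, row = login(row, "correct horse")  # run at each sign-in
    print(ok, row["scheme"])
```

After `wrap_legacy` has been run over the table, a copied database no longer contains any value that can be tested at MD5 speed, even for users who never log in again.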
Old 28 February 2010, 02:41 AM
  #30  
Markus

Originally Posted by mr_impreza
Yes that's exactly what i'm saying. And yes i think Facecrap seriously needs to sort that out.

If you have another E-mail account that's different to your Facebook one, give it a try with your own Facebook account. Shocking!!!!
Again to clarify. Let's say my facebook account uses the email address of markus@mydomain.com. I logout, I click the "forgot password" option, it brings up the screen, I enter the two word captcha thing, then enter an email address of markus2@myotherdomain.com. Are you saying that I will get a password reset link for the account associated with markus@mydomain.com sent to markus2@myotherdomain.com?

This is on the same computer and same browser.

If so then I have to say I think it's total tosh. I have just tried it in fact, on my machine here. I signed out of my facebook account and then clicked forgot password, I entered my work email address and clicked submit. The page refreshed with an "invalid email" message, which is what I'd expect as my work account isn't registered with facebook.

I just cannot see how on earth it would know that my work account email has anything at all to do with my facebook account.

I had used someone else's email address, one that I knew was registered with facebook, for example I do have another account on facebook and when I enter that address it states the following:

Your Password Has Been Reset
An email has been sent to all contact emails associated with your account, including myemailaddress@mydomain.com. This email describes how to get your new password.

Please be patient; the delivery of email may be delayed. Remember to confirm that the email above is correct and to check your junk or spam folder or filter if you do not receive this email.

Your problem may be related to your internet browser. Please follow these instructions to clear your browser's cache and cookies.

Please enter the confirmation code that was sent to you. This is not the same as your password.


All I can see happening is that account will get a password reset message. It won't be sent to another account, just the email address provided, as mentioned previously, unless someone has access to my email then it won't do them any good at all.

Last edited by Markus; 28 February 2010 at 02:53 AM. Reason: To correct some information.

