The Firewall on - time nearly successful violent social engineering-vulnerability warning-the black bar safety net

ID MYHACK58:62200713751
Type myhack58
Reporter 佚名
Modified 2007-01-13T00:00:00


I this person is relatively outdated, and often in the movie heat put long after only to see, such as the firewall. Because it is your own Bank, so for this movie there is a very high interest, and the entire process and also see the comparison carefully. Look after not only lament, this is how classic of a violent social engineering to me, just a pity savvy robbers made a series of low-level errors, resulting in the final fall short. Should really summarize the lessons learned, think later authentication of. (Ding-Dong it! The police uncle, looking for me? What I'm going to drink tea? Yeah yeah, I know a good tea house. Eh it? Go to the tea house why are you in handcuffs?)

Uh! Uh! Uh! For the record, the following comments only for technical discussion, does not mean I support any similar behavior, or their advice. Anyone using this commentary to do anything with himself irrelevant. In short, I'm up to is a grinding chopper. to sell the chopper are not counted, and holding a kitchen knife robbed the behavior of the person is irrelevant.

ok, get down to business. First of all to the noun to explain, what is social engineering. In the field of security, social engineering is the hackers using between people and interaction, to obtain the victim's trust, and then just want to why why. Social engineering is a non-technical means of hacking, the use of the network security system of the most there is no way to control, there is no way to patch a factor--people. Here is a famous for Microsoft social engineering cases, a hack to the Microsoft Network sent an e-mail, claiming to be Microsoft employees in Europe for business, but forget the password, to the effect that the network will send a new password to this person, the hacker thereby easily complete the invasion. This detailed information, it is recommended that everyone look at the famous American hacker Kevin Mitnick's book The Art of Deception on online has download, the writing is very good, when the novel to see, also can by the practice. E below.

Back to the movie, the firewall of this movie is I defined as the typical violence of social engineering cases, the reason why so say, because the robbers did not rely on the Director, especially the domestic Director, very like a miracle hack to complete the robbery, which is to make all the insiders hated the kind of raunchy, and lightly knock a meal, and then“Bad command or files”announced to enter the system against you when we these people are shit., the Instead of using the use of internal Bank staff to complete the robbery, which clearly belongs to the social engineering category. At the same time, it is obvious that the robbers of the social engineering belongs to the atypical social engineering, because he relies on violence rather than deception, which is clearly Kevin Mitnick did not use nor did introduced a means of estimating the real social engineering hackers bother with with this means. With uncle Li as saying:“the most trouble you guys robbery, a little technical content has not.”

Here the robbers of the leader is clearly a very professional robbers, the entire plan design is perfect and not perfect, the imperfect portion is to be discussed below, a steal and mimic signature and tracking, surveillance, disguise, and other means are very professional, estimate the brothers are FBI or CIA background. But the brothers obviously for the information technology knowledge is limited, so this aspect of the work more is to rely on that with glasses well-mannered Guy, this guy should be the one to write virus and Trojan master. However, although the robbers are very professional, the team combinations are all have a long, almost perfect. But the robbers of the whole plan has several major deficiencies, the following simple discussion.

First of all, the robbers are not a complete and clear strategic principles, this principle is-to kill or not to kill, this is a problem. The robbers seemed to want to kill the events all being used, but it somehow left behind a hostage, with the hostage escape apparently not a good idea, if you do not want to keep the corpse at home, you can take the body off the road. Of course, the Hollywood Director may order a large members ending had to be so arranged, but our discussion here is Technical, rather than a movie. So what exactly should kill or not kill? Personally think either all-kill or not to kill, and I prefer not to kill, because I got the highest Kendo is not to kill, is peace. sorry, the stimulus is too large, the legacy so far. So as not to kill the reason., because killing's not elegant, for the pursuit of a realm of robbers, completely can through technical means to avoid the police tracking, and even allows the other party completely not found no alarm. The following are discussed.

Secondly, the robbers of the plan although the perfect, but there is overdoing it, such as forcing the hostess to call to pretend that the affair, fake lovers ' suicide with. This is for the understanding the couple of people, obviously hard to believe. And to kill that person also is not necessary. Robbers can totally find a person to person Deal(the robbers of the human resources are sufficient, and this person is only responsible for taking the intelligence, is not directly involved in the events of the other part, no one will invest plan the robbery together, so you can leave fewer clues. The simpler the plan The easier it is successful, when there are more simple methods, why use so complicated ways?

Again, the robbers made a very low-level error, that is, when funds are available later did not immediately change the five account password, the formal this negligence caused the last unfinished。 If the robbery is successful immediately change the password, then the hero of the counter means will not be successful. Of course, the robbers had arranged to kill the hero's plan, but any action to have success and failure are two possibilities, the so-called careful so that years boat, changing a password is not difficult, but it can ensure foolproof. Besides, I do not support killing.

Finally, discuss the robbers a very good method, is to increase the amount contributed to the highest degree of the one million account from each account plan to take 1 million dollars. To do so is actually to reduce crime, the possibility of the means. This is because the average person, unless digital particularly sensitive person such as accounting or something, usually will only look at the numbers of the first two, and can remember only the first two bits, up to third place. For instance, right now my account of the first two bits is 1 6, the latter just can't remember. So such a big Bank before a million hungry should be in the tens of millions of level, less 1 million of what is difficult to be found, even if found, also not too care. For example, My Account of the fourth digit if less 1, I is also very difficult to find, even if found also definitely not report a crime, you ask me why? Crap account less a dime on the report, you are not afraid of the police sue you obstructing me, in said cross-row query also to 3 wool, who knows that a dime is for a hacker to black or is Bank black. Because of the reduced crime of possibility, kill the need for more is unlikely.

Note that, now a lot of phishing the hackers were actually using this method, anglers who successfully obtained the victim's account and password, obtain the free transfer of funds the privileges, the General does not plan to take a lot of money, often just plan to walk dozens of blocks of money it received hands. You might think so money is a bit more harm than good, in fact, a user dozens of pieces, a million users is just a few of thousands, hundreds of thousands of users is a few hundred million, the so-called add up 集腋成裘 is also. Each account since the losses are small, the victim is often not found, even if found generally not reported, even if reporting to police is also not valued, even if eventually the crime since the case of small value also will not be a very serious penalty, and not even convicted, of education or two off for a few days even. So 作贼 be sure to do the thief and do not do the pirates, the fall, the bigger the theft although the scenery, but fate.......

ok, now to summarize, this robbery can actually be more perfect. Improve the program is by a separate person acts as a investor to come forward and the hero's friends contact cash in intelligence, or even really register such a company, done later continue to operate. Then a brother came forward to the kidnapping track to dry the dirty work, but the attention of the hostages to be and to treat customers the same as to treat them, after all, want to rely on them before they make money., do you want to listen to reason, do bandit more reasonable, to do bandit first person to die. Funds are available immediately after the change the account password, and then release the hostages from the disappeared, the place recommended in South America, where the Bank raised funds directly on clean, no record. Moreover, the recent Brazilian things everyone you know, will allow police paralyzed the country is what kind of realm Ah, is simply a bandit's Paradise. If the bandit together with compassion while before leaving to be with the hero God talk at once, an analysis of the crime possibility, and after the incident the protagonist has a mouth indefinable reality, the re-division of several hundred million dollars to the hero in thanks and bribed. Of course, does not exclude a sense of Justice very strong person will still be reported, but the vast majority of cases, in the mouth difficult defence and profitable between, what would you choose? As a result, have the money and not hurt, this is what kind of realm! This is the new generation of ideal moral literate with knowledge with kindness of the heart of the bandit!

Discussion over the robbers, and then to discuss the Bank also saves the police uncle think I'm in this to encourage Rob a Bank. This Bank in the management of apparently there are some problems, the biggest problem is the separation of powers is not enough. In theory, management right and operation right is not at the same time having, that is to say a network administrator is not have System Operator privileges, which should be relying on rigorous technical and management safeguards. This Bank obviously did not do this, from the hero a few times easily the transfer operations can be seen. Of course in reality in a debugging convenience, the network administrator will generally set up a test with the has operator privileges users of the system, once the system problems or debug when you use this user to do some operations to fail to reproduce or test whether the system returned to normal. But the system at design time there should be enough technical support for the test account can not be the normal operation of the account, and leave adequate audit records. Sheet of the Bank obviously didn't do it. In addition the Bank's internal staff and between the lack of strong mutual restraint mechanism, the hero of full trust, so that the hero can easily do any want to do the operation, included in the monitoring platform self-operation rights, so as to delete the surveillance video. That sort of management problem, in which banks inside should be very common, in fact, in reality, the Bank also is very common, but is indeed a very serious security risk.

The final say about the safety issue, the robbers entered the hero at home is very simple. This reminds us that no matter when someone knocked at the door, to ask again the door, we teach the children the words, their first to do, the so-called 言教不如身教 Well, now the parents is...... (Sorry, digress. On this aspect of the problem, we can refer to I according to the QBQ documentation of the urban survival manual v1. 0 Edition, what's in which can be found, I'm sorry, I didn't write, but believe me, the 3 0 years of I must be completed......