What's New!

Chat with
Hackers

How to Defend
Your Computer 

The Guides
to (mostly) 
Harmless Hacking

Happy Hacker 
Digests (old stuff) 

Hacker Links 

Hacker
Wargames 

Meet the 
Happy Hacksters 

Help for 
Beginners 

Hacker 
Bookstore 

Humor 

It Sucks 
to Be Me!

How to Commit
Computer Crime (not)! 

What Is a 
Hacker, Anyhow? 

Have a 
Great Life! 

News from the 
Hacker War Front

Everything You Wanted to Know about Social Engineering -- But Were Afraid to Ask...


Social Engineering to Incite Crime

If you hang out on hacker email lists and IRC chat rooms, now and then some pitiful luser will come online with a request that someone commit crime against someone he hates. Usually this is done so ineptly that I doubt it works. However on Tuesday, January 4, 2000, Elias Levy (AKA Aleph One), the moderator of the Bugtraq computer security mailing list, demonstrated a sophisticated version of this ploy. He chose to send out to his some 40,000 subscribers a script to damage a computer used by John Vranesevich's Antionline.com:

Title : Vulnerabilities in the SolutionScripts.com 
Home Free CGI package.
Advisory Ref : csh-adv:04.01.2000-CGI-HomeFree-01
Credits : fzx, omnihil, the guys in !el8 
DSKZ, M0D

# Default server is antionline's, change as appropriate. 
#
use IO::Socket;
if ($ARGV[0] eq "") { die "no argument\n"; }
$asoc = IO::Socket::INET->new(Proto => "tcp", 
PeerAddr => "members.antionline.com",

So in this case Levy used social engineering to incite criminal attacks by the readers of his mailing list. Did this hack work? Here's what Vranesevich reported:

AntiOnline Status Notice
Tuesday, January 4, 2000 at 17:27:32
by John Vranesevich - Founder of AntiOnline

As part of its policy on releasing any information related to the security of its network, AntiOnline presents the following statement:

On Tuesday, the popular BugTraq security mail list released an advisory about the security of "Home Free", a cgi software product produced by SolutionScripts.com AntiOnline, along with hundreds of other websites, used the HomeFree software in order to host free "user webpages" on its members.antionline.com domain (which can be thought of as a geocities-like interface). The security advisory used the AntiOnline instillation of HomeFree as an example (we appreciate it) of the vulnerability.

The disclosed vulnerability allowed any user to view the structure of any directory on the webserver. However, it did not allow any user to view the contents of, delete, or otherwise modify any file on the server.

AntiOnline had the offending CGIs offline within 3 minutes of the BugTraq notice being sent out (thanks to custom notification software implemented at AntiOnline).

AntiOnline notified the makers of the HomeFree Software, and received a patch from SolutionScript developer Tim Watson within 15 minutes. AntiOnline is in the process of reviewing the patch, and the integrity of the other CGIs in the HomeFree package.

Once again, Vranesevich had outsmarted the computer criminals.

More on social engineering: how to keep from being suckered --->

Back to the index of "Everything You Wanted to Know About Social Engineering -- But Were Afraid to Ask --->


Carolyn's most
popular book,
in 4th edition now!
For advanced
hacker studies,
read Carolyn's
Google Groups
Subscribe to Happy Hacker
Email:
Visit this group

 © 2013 Happy Hacker All rights reserved.