Through the Eye of a Hacker
Risk & Insurance, Oct 15, 2000 by Lori Widmer
Another commonly used method of gaining access to a system is to brute force the login credentials. This is simply someone having an automated program running that continuously tries different passwords until it finds one that works.
How easy is it?
SAMARAC: That depends on the site and the cracker. Some are easier than others. But if a group can get into the Pentagon, do you really think anything's completely impenetrable if someone wants to badly enough?
GENOCIDE: Very easy. Not all system administrators are as anal as they should be. If an administrator doesn't keep up with mailing lists for the software they run or keep up with the new attacks (they can usually find the attack and fix it on the same site: www.packetstorm.securify.com) and only run services that they absolutely need, then they are asking for it.
TAZINATOR: Honestly, if the system is not secured properly, it's incredibly easy. To give you an example, most hackers refer to the unskilled self-proclaimed hackers as "Script Kiddies." These are the people who don't know much about security and can still gain access to systems by simply executing a series of predefined commands on their machine. They download scripts and programs that exploit security holes and do nothing more than execute them.
SIR DYSTIC: It's quite easy. The fact is that if someone wants to target a specific system, it's incredibly hard to keep them out. The main reason for that is that humans have to be able to use these systems, then there's going to be mistakes and things that the system does that makes it easier for those humans to use it. My favorite is saving passwords. You run a program and there's a little check box that lets you save the password. It's an incredibly bad idea. It means that the password can be retrieved later by any program that's running on that computer.
Are there favorite methods of hacking into a site?
SAMARAC: It is important to make sure the terms "hackers" and "crackers" are not used in the same context. (Ed. note--according to those we spoke with, a hacker is a computer expert; a cracker is someone who exercises malicious intent.) Hackers don't have a preferred method. Crackers, however, once in at a high level, could then either continue to use that account (and a password capture utility would almost be a must at that point) or create a hidden shell account with comparable levels of security clearance that would involve either knowing the target (and thus being able to guess a password) or setting up some kind of password-trapping mechanism within a utility program or backgrounded task.
GENOCIDE: The first thing that nearly every attacker does is portscan. They want to see what services are running and what versions they are. With a portscan, they are in essence performing a sweep of the computer from the outside and seeing what holes there could be to the inside.
TAZINATOR: There is always a way into any system if it is connected to the outside world. The trick is finding what way is easier for the person seeking to gain access. The most common methods for entry from my experiences would have to be exploiting known security holes and brute force entry. If I had to list a third common entry method, I would have to say social engineering. That is another good method although not 100 percent reliable as it requires some conniving to get the administrator or someone who already has access to the targeted system to believe you are someone who should have access.


