As of the start of this blog, I am in my second course for my Masters of Science in Cybersecurity. This is an archived posting from the first course.
Topic – Think like a Hacker
Select an e-business. Thinking like a hacker, describe a hypothetical scenario on how you go about breaking into their system and acquire assets.
Next, describe how the attack could have been prevented.
From March 16, 2012.
I enjoy music, especially when I can get it cheap, like from iTunes or the Amazon Cloud.
First, I will select a busy area with free wi-fi, like a Starbucks at lunch time. (Starbucks, 2011) Next, use a tool like Arpspoof to establish a man-in-the-middle session with each user attached to the network by pretending to be the network gateway. (Arpspoof) I monitor traffic for email addresses, especially email addresses used as logins and the associated password. Any email addresses I get will be sent phishing emails with attached document exploits to install keyloggers that call back to a server I have set up. Any email, password pairs will be used to attempt to log into various services. I will use a script to test the pair against numerous social networking sites like Facebook, MySpace, Linkedin and others. Successful access will be used to spread my keyloggers. I will continue this pattern until I net an email, password pair that successfully log into either iTunes or the Amazon Cloud. Once successful, I will use the access to download all the purchased music on the account. If there is an outstanding balance on the account, I will buy digital goods with it and download that too. All direct access to the victim business will be performed through a proxy, probably one of the machines I am keylogging.
This type of attacker would be considered a "Script kiddy" as it requires little to no direct technical knowledge and can just use tools downloaded off the internet. (Vacca, 2009, p 296). It can easily be protected against by not utilizing unsecured wireless networks, especially public ones and by not reusing passwords. It can be protected against, somewhat, by the victim company by not using email addresses as the user name, which both Amazon and iTunes do. Anything further the company could do to protect against this will interfere with the ease of use of the site, which makes users less likely to choose their service.
Arpspoof retrieved from http://arpspoof.sourceforge.net/
Starbucks. (2011) Wi-Fi(United States) Retrieved from http://www.starbucks.com/coffeehouse/wireless-internet
Vacca, J. R. (2009). Computer and Information Security Handbook. Burlington, MA: Morgan Kaufmann.
No comments:
Post a Comment