Classic Hacking

Security

I’ve been involved with technology since the mid 90’s. During the late 90’s, I worked on Unix systems. It was those experiences that led me to love Linux, taught me to program in C, and helped me learn to automate tasks using various scripting languages. But the 90’s were a much different time for security. Nobody really worried much about hackers or social engineering. And now, over 20 years later, I see people in the workforce that have been robbed of some of the fun I had in the past due to increased security on machines. Of course, increased security is good, I’m not going to argue otherwise. But it has also made a lot of the ‘fun’ from the past no longer possible.

Remote Display

When I was working on old Unix systems, one of my favorite hacks was to set my display to another computer. Since Unix display works as a client/server model, you can actually set your app to appear on any computer monitor you want. So, it was common where I worked to find the most horrible graphic you could and display it on someone else’s machine. Always a good laugh. Other tricks would allow you to play audio on their speakers (great when the individual has fallen asleep at their desk) or turn their keyboard buttons on and off.

Password Files

Long before the /etc/shadow file, passwords were stored in the /etc/passwd file. And, since the file was readable by anyone, you could easily grab the entire password list and run it through a tool like John the Ripper. Even more fun, commands like ‘ypcat’ would allow you to get the passwords of all users on the network even if they weren’t on the local machine.
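As an added example (not part of the original post), here is a small audit a system administrator could run to confirm that no password hashes remain in the world-readable passwd file. The sample entries are constructed, and the function names `classify_password_field` and `audit_passwd` are hypothetical.

```python
import re

# Constructed sample in passwd(5) format; none of these are real accounts or hashes.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:abCONSTRUCTED:1001:1001:Alice:/home/alice:/bin/sh
bob::1002:1002:Bob:/home/bob:/bin/sh
carol:$6$constructedsalt$constructedhash:1003:1003:Carol:/home/carol:/bin/bash
+::::::
broken-line-without-fields
"""

DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")  # 2-char salt + 11-char hash


def classify_password_field(field):
    """Return a finding for field 2 of a passwd entry, or None if it is safe."""
    if field == "x" or field.startswith(("*", "!")):
        return None  # hash lives in the shadow file, or the account is locked
    if field == "":
        return "empty password field"
    if field.startswith("$"):
        return "modular crypt hash in world-readable file"
    if DES_CRYPT.match(field):
        return "legacy DES crypt hash in world-readable file"
    return "unrecognised password field value"


def audit_passwd(text):
    """Return (line_number, user, finding) for every risky passwd entry."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith(("#", "+", "-")):
            continue  # blank lines, comments, NIS compat entries
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((number, fields[0], "malformed entry"))
            continue
        finding = classify_password_field(fields[1])
        if finding:
            findings.append((number, fields[0], finding))
    return findings


if __name__ == "__main__":
    for number, user, finding in audit_passwd(SAMPLE_PASSWD):
        print(f"line {number}: {user}: {finding}")
```

On a real host, pass the contents of the passwd file to `audit_passwd`; any finding means a hash or an empty password is exposed to every local user.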

Email Overflow

My sister’s first experience with the internet was through a device called “WebTV”. This device was a small terminal that would turn your TV into an internet terminal. It was a cheap, easy alternative to a computer. It also suffered from a pretty simple flaw – you could only have a limited number of emails. (200, I believe.) I found an unsecured email relay – pretty common in the 90’s – and spammed my sister with enough messages to flush out all her email. As you might guess, she was mad.

A New World

How things have changed. Unsecured email servers are much more difficult to find, and Unix is now much harder to hack out-of-the-box. While most of the hacks of twenty years ago were mischievous in nature, today’s hackers are far more sinister. And, thankfully, the world has adapted to become a safer place. Nonetheless, I still look back to the simpler days of computing and the fun we had.

Scamming the Scammer

Day after day, I receive calls from thieves in India. For several months, they said they were with Microsoft and that my computer had a virus that they wanted to help me fix. Now, they claim to be with a credit card company wanting to lower my interest rate. What’s sad is that people fall for these tricks all the time. Often, the elderly are the most vulnerable – not only because they tend to have a fixed income, but because they are also more easily confused and duped. Because of this, I have made it my civic duty to waste as much time as possible on the phone with the scammers. After all, the more time they waste talking to me, the less time they have to scam an elderly grandmother.

Just a few days ago, I received two calls in a single afternoon from hackers – and I took them both for a ride. When they asked for a credit card number, I gave them one of the test credit numbers typically used by developers for application testing – just google ‘test credit card numbers’ for a list. They asked for a bank name, I said Wells Fargo. They asked for birthday, last four of SSN, and other information. I provided false – but believable – answers. Then, after providing the information, they asked me to stay on hold while they verified my data. After another minute or so, the scammer got back on the phone: “We contacted your bank and found out that you are an *********” and hung up on me. Few things are quite as fun as having a scammer call you names or swear at you because you wasted their time!

Google Alerts

One of Google’s most underutilized tools is Google Alerts (google.com/alerts). This service allows you to receive emails with new results for particular search strings. While this may not seem useful, it is an excellent tool for being notified of information that may appear on the net about you or your business. With the rise of identity theft and the harm that can come from negative posts about you or your business online, it’s imperative to know what information is being posted out there about you. In Google Alerts, you simply enter the searches you want, and Google will notify you of new results. I encourage anyone who wants to keep an eye on their online footprint to set up searches for all possible variants of their name and let Google do the rest!

Clean Drive

In the early 2000’s, I purchased several Sun Microsystems computers for putting together a home network of Unix machines. Nothing particularly exciting: I had an IPX, an LX, a Sparc5, and a few others. This was my testbed for tinkering around with Unix system administration. These computers were all purchased from eBay. The IPX and LX were both purchased from the same seller. Typically, when you buy computers on eBay you will find that they do not include hard drives. This is to protect any data that may be on those drives from prying eyes. However, the IPX and LX still had their drives in them. I had assumed they were wiped clean, but that was not the case. Both were fully ready production systems complete with the entire company directory and password file intact! Since I did not have the root password, I removed the drive and placed it in my Sparc5. Then, I updated the password file to use my root password. Finally, I removed the drive and put it back in the original machine. Now, I could run the machine with the new admin password. When it was booted back up, I found all kinds of company data – and this was a Fortune 500 company too! This was the stuff that could have been sold on the black market for a substantial sum of money. I took the password file and ran it through John the Ripper – a common password cracking program – and before long knew the passwords for all the employees on this system. That same procedure was done on both the IPX and the LX. Lesson learned? Protect your hard drives. Absolutely destroy them before you get rid of them. The cost to the company that originally owned these machines could have been enormous – they lucked out because all I did was tinker with the machine as a curiosity and then wipe the hard drive clean. You may not be so lucky when you dispose of your hard drive insecurely.