Black Hat 2007 No-Tech Hacking with Johnny Long


[J0hnny]'s at Blackhat and Defcon this year with his talk on "No-Tech Hacking". It's a fun talk that boils down to this: loads of information can be gathered using low-tech methods. A small digital (or film) camera is ideal for shoulder surfing, identifying weaknesses, and assessing strengths.

The talk is pretty amusing – the commentary on the example shots is priceless. The concept has gone over so well at the cons that [J0hnny] has contributed a chapter to a book on risk management. You can grab a sample chapter here. It looks like he’ll be running his talk at 8pm on Friday at Defcon. From the sample chapter, I’d say that the book should be pretty good. It looks like a good introduction to social engineering and using your wits to defeat obstacles (like corporate security).

Comments

  1. Mike says:

    The DoD also does penetration testing of its own facilities with similar results. Restricted area badges being worn in plain sight are susceptible to photography (telephoto photography of smoking areas is a favorite target) and counterfeiting. Social engineering goes a long way, and idiot users are always a weak link (passwords and usernames written on sticky notes…)

  2. Fred Thompson says:

    Yeah, that’s a great idea. Try passing through a card reader with a photo of a security badge in a truly secure DOD area and see what happens. “Jacked up” doesn’t just mean being on steroids.

  3. mike says:

    of course you aren’t going to get through a card reader with a photo of a card. card readers are going to require a better hack. i am referring to “red team” penetration testing of actual dod facilities, some of which do not have additional authentication of credentials. successful penetration tests have been done on restricted areas such as aircraft maintenance facilities, flightline access, munitions areas, and working areas with siprnet access, any of which can provide access to secret, and secret-noforn material. i haven’t run across results from higher classification levels, but they aren’t going to share those reports with me. read johnny long’s sample chapter, this is real stuff, not some oceans 11 fantasy or just wishful thinking.

  4. srilyk says:

    Social engineering is actually the staple of the most dangerous hackers. They’re the ones who can penetrate organizations and make off with all sorts of stuff.

    Heck, I think it was on slashdot a while ago (and in the news) about some girl who “attended” harvard or stanford or one of those big name schools. She lived in the dorms, had the books… oh, one thing – she wasn’t ever enrolled in the school.

    Social engineering is where it’s at! (To be fair, they did use some of that on Oceans 11…)

  5. stevew says:

    The TV series Mission Impossible’s (’66-’73) predominant hack was looking like they knew what they were doing: van, orange cones, coveralls, a hard hat, or a coat and tie where expected. Just looking professional works wonders. Show up with a metal clipboard, step ladder, an electrician’s tool belt, a spool of Cat5 and ask security where the president’s office is because you’ve got a work order here to install a new secure line… In fact many remodeling subs are often required to do their work after normal hours, so you have security holding the doors open for you as you carry in your drop cloths and paint buckets right at closing time.

  6. Fred Thompson says:

    mike, you really don’t know what you’re talking about. Poser.

  7. strider_mt2k says:

    social engineering ftw!

  8. M3talhead says:

    Ditto on the idiot comment by Mike. He really needs to do a little more homework before he opens his mouth.

  9. dumspterdiver says:

    If you are interested in no tech hacking you should check out Johnny’s new book from Syngress (Kevin Mitnick is the technical editor).
