Black Hat 2007 No-Tech Hacking With Johnny Long


[J0hnny]’s at Blackhat and Defcon this year with his talk on “No-Tech Hacking”. It’s a fun talk that boils down to this: loads of information can be gathered using low tech methods. A small digital (or film) camera is ideal for shoulder surfing, identifying weaknesses, and assessing strengths.

The talk is pretty amusing – the commentary on the example shots is priceless. The concept has gone over so well at the cons that [J0hnny] has contributed a chapter to a book on risk management. You can grab a sample chapter here. It looks like he’ll be running his talk at 8pm on Friday at Defcon. From the sample chapter, I’d say that the book should be pretty good. It looks like a good introduction to social engineering and using your wits to defeat obstacles (like corporate security).

9 thoughts on “Black Hat 2007 No-Tech Hacking With Johnny Long

  1. The DoD also does penetration testing of its own facilities with similar results. Restricted area badges being worn in plain sight are susceptible to photography (telephoto photography of smoking areas is a favorite target) and counterfeiting. Social engineering goes a long way, and idiot users are always a weak link (passwords and usernames written on sticky notes…)

  2. Yeah, that’s a great idea. Try passing through a card reader with a photo of a security badge in a truely secure DOD area and see what happens. “Jacked up” doesn’t just mean being on steroids.

  3. of course you aren’t going to get through a card reader with a photo of a card. card readers are going to require a better hack. i am referring to “red team” penetration testing of actual dod facilities, some of which do not have additional authentication of credentials. successful penetration tests have been done on restricted areas such as aircraft maintenance facilities, flightline access, munitions areas, and working areas with siprnet access, any of which can provide access to secret, and secret-noforn material. i haven’t run across results from higher classification levels, but they aren’t going to share those reports with me. read johnny long’s sample chapter, this is real stuff, not not some oceans 11 fantasy or just wishful thinking.

  4. Social engineering is actually the staple of the most dangerous hackers. They’re the ones who can penetrate organizations and make off with all sorts of stuff.

    Heck, I think it was on slashdot a while ago (and in the news) about some girl who “attended” harvard or stanford or one of those big name schools. She lived in the dorms, had the books… oh, one thing – she wasn’t ever enrolled in the school.

    Social engineering is where it’s at! (To be fair, they did use some of that on Oceans 11…)

  5. The TV series Mission Impossible (’66-’73) predominant hack was looking like they knew what they were doing, van, orange cones, coveralls, a hard hat, or a coat and tie where expected, just looking professional works wonders. Show up with a metal clipboard, step ladder, an electrician’s tool belt, a spool of Cat5 and ask security where the presidents office is because you’ve got a work order here to install a new secure line… In fact many remodeling subs are often required to do their work after normal hours, so you have security holding the doors open for you as you carry in your drop cloths and paint buckets right at closing time.

Leave a Reply to stevewCancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.