Low Tech Hacking: Street Smarts for Security Professionals

Overview

Criminals using hacking techniques can cost corporations, governments, and individuals millions of dollars each year. While the media focuses on the grand-scale attacks that have been planned for months and executed by teams and countries, there are thousands more that aren't broadcast. Low Tech Hacking focuses on the everyday hacks that, while simple in nature, actually add up to the most significant losses. Attackers are using common techniques like social engineering, wireless hacking, and targeting and surveillance to gain access to valuable data. This book contains detailed descriptions of potential threats and vulnerabilities, many of which the majority of the information systems world may be unaware. Author Jack Wiles spent many years as an inside penetration testing team leader, proving these threats and vulnerabilities exist and their countermeasures work. His contributing authors are among the best in the world in their respective areas of expertise.


Editorial Reviews

From the Publisher

"In the age of extreme technology, the defenders have made Low Tech a low priority, concentrating more on the common high tech solutions intended to protect organizations. But attackers are resurrecting the art of Low Tech Hacking. The techniques discussed in this book are given new life because they allow attackers to strike at the weakest links: human and physical. This book is the right tool to bring the Low Tech back into focus."--Greg Miles, Ph.D., CISSP, CISA, Principal at Peak Security, Inc.


Product Details

  • ISBN-13: 9781597496650
  • Publisher: Elsevier Science
  • Publication date: 1/2/2012
  • Pages: 264
  • Product dimensions: 7.40 (w) x 9.10 (h) x 0.80 (d)

Meet the Author

Jack Wiles is a security professional with over 40 years' experience in security-related fields. This includes computer security, disaster recovery, and physical security. He is a professional speaker, and has trained federal agents, corporate attorneys, and internal auditors on a number of computer crime-related topics. He is a pioneer in presenting on a number of subjects, which are now being labeled "Homeland Security" topics. Well over 10,000 people have attended one or more of his presentations since 1988. Jack is also a co-founder and President of TheTrainingCo., and is in frequent contact with members of many state and local law enforcement agencies as well as Special Agents with the U.S. Secret Service, FBI, IRS-CID, U.S. Customs, Department of Justice, the Department of Defense, and numerous members of High-Tech Crime units. He was also appointed as the first President of the North Carolina InfraGard chapter, which is now one of the largest chapters in the country. He is also a founding member of the U.S. Secret Service South Carolina Electronic Crimes Task Force. Jack is also a Vietnam veteran who served with the 101st Airborne Division in Vietnam in 1967-68, where he was awarded two Bronze Stars for his actions in combat. He recently retired from the U.S. Army Reserve as a lieutenant colonel and was assigned directly to the Pentagon for the final seven years of his career.

Terry Gudaitis, Ph.D., is the CyberIntelligence Director at Cyveillance. Terry gained a foundation for her expertise as an operations officer and behavioral profiler at the CIA's Counter Terrorist Center. At CIA, she was responsible for developing terrorist profiles, assessments of informants, and managing targeting teams. In addition to her corporate-related work, Terry has served on the United States Secret Service Advisory Board for Insider Threat, regularly presents at national and international conferences, and has authored publications in numerous security-related journals and books.

Jennifer Jabbusch, CISSP, CISO, HP MASE, JNCIA-AC, is a network security engineer and consultant with Carolina Advanced Digital, Inc. Jennifer has more than 15 years' experience working in various areas of the technology industry. Most recently, she has focused in specialized areas of infrastructure security, including Network Access Control, 802.1X and Wireless Security technologies. Ms. Jabbusch has consulted for a variety of government agencies, educational institutions, and Fortune 100 and 500 corporations and has spoken at a variety of conferences including DeepSec, SecTor, TechnoSecurity, RSA®, InfoSec World, CSI, and many others. In addition to her regular duties, she participates in a variety of courseware and exam writings and reviews, including acting as subject matter expert in the Cryptography domain of the official (ISC)2® CISSP® courseware (v9). You can find more security topics and musings on her security blog at http://SecurityUncorked.com.

Russ Rogers (CISSP, CISM, IAM, IEM, Hon. Sc.D.), author of the popular "Hacking a Terror Network: The Silent Threat of Covert Channels" (Syngress, ISBN: 978-1-928994-98-5), co-author of multiple books, including the best-selling "Stealing the Network: How to Own a Continent" (Syngress, ISBN: 978-1-931836-05-0) and "Network Security Evaluation Using the NSA IEM" (Syngress, ISBN: 978-1-59749-035-1), and former editor-in-chief of The Security Journal, is currently a penetration tester for a federal agency and the co-founder and chief executive officer of Peak Security, Inc., a veteran-owned small business based in Colorado Springs, CO. Russ has been involved in information technology since 1980 and has spent the past 20 years working as both an IT and InfoSec consultant. Russ has worked with the U.S. Air Force (USAF), National Security Agency (NSA), Defense Information Systems Agency (DISA), and other federal agencies. He is a globally renowned security expert, speaker, and author who has presented at conferences around the world in Amsterdam, Tokyo, Singapore, São Paulo, Abu Dhabi, and cities all over the United States. Russ has an honorary doctorate of science in information technology from the University of Advancing Technology, a master's degree in computer systems management from the University of Maryland, a bachelor of science degree in computer information systems from the University of Maryland, and an associate's degree in applied communications technology from the Community College of the Air Force. He is a member of ISSA and (ISC)2® (CISSP). Russ also teaches at and fills the role of professor of network security for the University of Advancing Technology (www.uat.edu).

Sean Lowther is the President and Founder of Stealth Awareness, Inc. (www.stealthawareness.com). Sean is an independent consultant who brings years of experience designing and implementing information security awareness programs at the highest level. He founded Stealth Awareness, Inc. in 2007. Sean worked at Bank of America for over seven years, managing the enterprise information security awareness program. The program received the highest rating from its regulators and was consistently rated "world class" by industry peer groups. Sean has worked with BITS, the Financial Services Roundtable Task Force on Privacy, prior to the enactment of the Gramm-Leach-Bliley Act. He produced the video "It's Not If, But When" for the Financial Services Sector Coordinating Council in partnership with the U.S. Treasury Department with the goal to improve critical infrastructure protection and Homeland Security.


Read an Excerpt

Low Tech Hacking

Street Smarts for Security Professionals
By Jack Wiles Terry Gudaitis Jennifer Jabbusch Russ Rogers Sean Lowther

SYNGRESS

Copyright © 2012 Elsevier, Inc.
All rights reserved.

ISBN: 978-1-59749-666-7


Chapter One

Social engineering: The ultimate low tech hacking threat

INFORMATION IN THIS CHAPTER

• How Easy Is It?

• The Mind of a Social Engineer

• The Mind of a Victim

• Tools of the Social Engineering Trade

• One of My Favorite Tools of the Trade

• Social Engineering Would Never Work against Our Company

• What Was I Able to Social Engineer out of Mary?

• The Final Sting—Two Weeks Later—Friday Afternoon

• Why Did This Scam Work?

• Let's Look at a Few More Social Engineering Tools

• Let's Look at That Telephone Butt-in Set on My Tool Belt

• Meet Mr. Phil Drake

• Meet Mr. Paul Henry

• Do You Have a Guest User of Your Credit Card?

• A Few Possible Countermeasures

Some of the things I will discuss in this chapter have been on my mind since the mid-1980s. I believe it's time that I put them in writing and share a few of my thoughts on what I believe could be the most effective and dangerous threat to any security plan: social engineering! It has, in my opinion, become the low tech hacker's most valuable and effective tool. This age-old threat has taken on a new meaning as what I collectively call "bad guys" have continued to use the art of the con to gain access to intellectual property and if necessary the buildings that house that property.

This chapter, or the rest of the book for that matter, isn't meant to be read as a complete story from beginning to end. Social engineering and ways to prevent it are subjects with many meanings. This will be more of a potpourri of tips, tricks, vulnerabilities, and lessons learned from my thirty plus years of dealing with these issues. As an inside penetration team leader, I was constantly looking for more innovative ways to conduct a successful inside penetration test. It was during those years of physical and technical penetration testing that I gained most of my social engineering experience. These skills helped me to eventually hang up my dumpster diving penetration team jersey and retire from the tiger team (a term sometimes used for penetration testing) world UNDETECTED! Although I came close several times, I was never stopped or reported to security as a possible burglar or corporate espionage agent, even though that's what I effectively was.

As you read this chapter, if you think that it has a strong risk management flavor, that was intentional. Just about every area of concern with security today involves managing the risks associated with staying safe and secure. This chapter, and most of the other chapters in this book are chock full of what I like to call techno tidbits of useful risk management countermeasures. Hopefully, many of them will be topics that you might not have considered in the past as you put together your security plan. External, internal, and information systems auditors will find information on a few new potential vulnerabilities that they can recommend countermeasures for.

I've included discussions about social engineering in each of my former books. I've also used the term social engineering as a partial title for many of my presentations over the past 15 years. My most popular presentation to date is titled "Social engineering: Here's how I broke into their buildings." Following these presentations, I frequently have people come up and talk to me about some of the things that I discussed. Many of these people are longtime friends and attend pretty much every session that I give at the yearly events where I present. What has been encouraging to me this past year is the number of people who come to me after the presentation saying that they incorporated some of what they learned and that they are now conducting some of their own corporate penetration tests to help protect their companies from the threat of social engineering. Each of them seemed to have experienced the same things that I have over the years of using social engineering as a training tool and somewhat of a hobby. They find that it is often way too easy to get people to give them access to places where they are not supposed to be able to easily access and to things that they should not see.

HOW EASY IS IT?

Way back in 1988, I was a part of an internal security team for a large corporation. On several occasions, I had the opportunity to hear some of the conversations that went on when a "black hat" (in this case malicious) group targeted victims by calling them on the phone. They were using social engineering skills to gain access to proprietary information including passwords. I'll never forget what I heard one of the experienced black hats say to another black hat in training: "Social engineering is the easiest way to break into a system." He then followed up that comment by saying, "The stupidity of the average system administrator amazes me."

That was almost 25 years ago, and that was the first time I had heard the words social engineering. Why do I think of it as a tool that could be used by any bad guy from a black hat hacker to a terrorist? Social engineering is what I believe could be the most effective and dangerous outsider–insider threat to any security plan.

In the first three chapters of this book, I will be talking about social engineering, physical security, and a little bit more about locks. If we look at physical security as the target of an attack and locks as the gatekeeper for the entrance into the target, social engineering is often the way that we are able to gain access to the keys that open those locks and possibly the rest of the building. It is often the people who have those keys who become the victims of social engineering. We'll take a much closer look at that as we progress through the book.

THE MIND OF A SOCIAL ENGINEER

Although I've been using and teaching social engineering for almost two decades now, the true extent of the impact of social engineering really became clear to me about 9 years ago. When I was out in L.A. for a meeting on financial crimes security (what else?), I purchased a very interesting book titled The Art of Deception: Controlling the Human Element of Security by Kevin D. Mitnick and William L. Simon.

Just above the title on the cover of the book in red letters are the words Controlling the Human Element of Security. I found the book to be very well written and full of a lot of good examples of how social engineering works and how companies can try to defend against its use. I also learned quite a bit about a few approaches to targeting a potential victim that I had never thought of before. A social engineer will continuously learn more clever ways to take advantage of how our minds work in order to perform the illusion or deception. The more that I used social engineering as one of my tools during my penetration testing days, the bolder I became in its use during those tests. After years of success in pretending to be something or someone that I wasn't, I just KNEW that whatever I said to the people that I encountered during the tests would be believed, and it was!

THE MIND OF A VICTIM

Any one of us, at any time, could easily become the victim of some form of social engineering. I personally believe that it is not possible to completely eliminate the risk. There are some things that can and should be done to reduce the risk as much as possible and I'll address some of them in the rest of this chapter. Without some form of training (and practice) in learning how to prevent being a victim of social engineering, you could easily become a victim and not even know it.

Our minds work in very trusting and predictable ways, and that means that exaggerated deviations from the norm might not ever be considered. This is what social engineers count on. Without awareness of the problem and without an understanding of how our minds can be fooled, there is little defense against social engineering. For this awareness training to be of any benefit for an organization, it must include every employee of every organization.

We see things all day long and we don't pay close attention to certain details because they are too familiar to us. That's exactly how the illusions that magicians call magic work and also why so many magic tricks are related to simple everyday things like a deck of cards. I use magic in much of my training and it really adds a lot to the attention span of the people in front of me. They are all so used to seeing those 52 cards that they don't even begin to think about how the different card gimmicks being used in most card tricks work. Most of these illusions are self-working yet almost mind boggling to the unsuspecting mind.

TOOLS OF THE SOCIAL ENGINEERING TRADE

If you would join me in taking a look at Figure 1.1, you will see a picture of the social engineering bag that I used for roughly 10 years. It was a pretty expensive bag to purchase. I spent around $200 for it, but it was money well spent. I often thought of it as something similar to those clown cars that you see in the circus. It is very deceptive how much will fit in that bag. Not only could I put all of my social engineering tools in the bag, but also there was a lot of room left over for the things I was able to take out of the buildings once my penetration test was successful. On the outside it simply looks like a briefcase that pretty much anyone within that organization would be carrying to and from work. On the inside were some slightly different items from what you would normally see someone bringing to work.

I took the time to put the contents of the bag on the table for you to see in Figure 1.2. This is the first time that I've ever done that. Not that what I have in the bag is anything special; it's just that I've never shared the contents with anyone in quite this way, especially in a book.

I wish that I had taken a picture of the bag as I was leaving some of these buildings with everything in it. It even amazed me how much that bag could expand and still look comparatively normal. Some of these things are tools that I have had for more than 40 years. Each has its own purpose and I'll explain some of that as we progress through the book. I know what you're thinking. There's no way that he has a pair of bolt cutters in that bag. Well, they were in there, and I had them with me everywhere I went. On most of our penetration tests the only limitation that was imposed on us by the company hiring us was that we were not allowed to use forced entry. We never used the bolt cutters as a part of our attack, but we did show how easy it would be to bring bolt cutters into the building if someone intended to use them. Most of the items you see were designed to get past various locks we encountered as our team attempted to get into a client's building or to use after we were in there. All right, here's a little quiz just to see if anyone is actually reading this. Anyone who sends me an e-mail listing all of the items that are shown in that picture will be sent a special gift. We will be revisiting some of these tools in Chapter 3.

ONE OF MY FAVORITE TOOLS OF THE TRADE

Most of my social engineering tools come from yard sales, thrift stores, flea markets, pawn shops, and eBay. I highly encourage all of you to take up the hobby of going out to these places and looking for things. As I describe some of these tools, I'll tell you how much I paid for them and where I got them. These are all tools that I used in one way or another for my social engineering exploits. Figure 1.3 is a picture of the front cover of the manual for a key machine that I purchased a number of years ago at a yard sale for $10.00. What was so nice about this key machine was that it was very small and very accurate, and it had a code micrometer as a part of the machine. This will allow keys to be cut by code if you know the code for that key or the depth of the bittings (sometimes called cuts by senior locksmiths). Machines of this size are available new for around $395. I frequently see them for sale on the Internet for anywhere between $95 and $250. If I could borrow a master key for a few minutes and had some of the key blanks that fit the keyway of a given lock, I could duplicate the key (as described in Chapter 3) and get it back to the person that I borrowed it from (typically using a little social engineering) very quickly. I know what you are thinking. How did I know what the correct key blank was for that lock? I knew because I was in that building once before and also managed to borrow the key briefly during my first visit. I learned over the years that social engineering attacks work best (at least they did for me) when they were two-part attacks. During the first visit our team mostly probed the target just to see how trusted we would be if we were able to gain entry. Normally we were never questioned about anything once we were inside. It was just assumed that if we were in the building, we belonged there. That was not a good assumption.

It's time for my first war story. After you read the following description of this social engineering attack, ask yourself if you think you would have fallen for this. This is a perfect example of how a two-part attack can seem so innocent yet be so deadly.

(Continues...)



Excerpted from Low Tech Hacking by Jack Wiles Terry Gudaitis Jennifer Jabbusch Russ Rogers Sean Lowther Copyright © 2012 by Elsevier, Inc.. Excerpted by permission of SYNGRESS. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.

Table of Contents

Foreword by Paul A. Henry
Introduction
  • Chapter 1. Social Engineering: The Ultimate Low Tech Hacking Threat
  • Chapter 2. Low Tech Vulnerabilities: Physical Security
  • Chapter 3. More About Locks and Ways to Low Tech Hack Them
  • Chapter 4. Low Tech Wireless Hacking
  • Chapter 5. Low Tech Targeting and Surveillance: How Much Could They Find Out About You?
  • Chapter 6. Low Tech Hacking for the Penetration Tester
  • Chapter 7. Low Tech Hacking and the Law: Where Can You Go For Help?
  • Chapter 8. Information Security Awareness Training: Your Most Valuable Countermeasure to Employee Risk

Customer Reviews

  • Posted March 6, 2012

    EXCELLENT LOW TECH HACKING BOOK!!!!

    Are you a security professional who is looking to gain more insight into areas of physical security and social engineering? If you are, then this book is for you! Authors Jack Wiles, Terry Gudaitis, Jennifer Jabbusch, Russ Rogers and Sean Lowther have done an outstanding job of writing a book on how security measures can often be bypassed in situations ranging from physical security to networked enterprise systems, all with minimal technology savvy on the part of the offender. Authors Wiles, Gudaitis, Jabbusch, Rogers and Lowther begin by presenting various social engineering topics, from understanding the minds of hackers and victims to methods for protecting personal, household and business information from theft and destruction. In addition, the authors delve into the realm of physical security and provide actionable recommendations for increasing security at home. They then discuss a variety of ways to bypass or disable locks without picking them. The authors then present a variety of attacks and countermeasures for wireless technologies in the home and office. The authors continue by looking at the world of targeting and surveillance. In addition, the authors show you the nuances of human nature and how to use traits such as selective attention to aid in distraction techniques, and how low tech hackers capitalize on the basic tendencies of human behavior. They then show you how to investigate public-private collaborative organizations such as the USSS ECTF and the FBI InfraGard. Finally, they show you the processes, procedures, and materials needed to build and measure a successful awareness program, as well as tips and tricks to keep employees engaged and make security part of the company mindset. This most excellent book cuts through the smoke and mirrors of complicated and improbable hi-tech hacks and gets to the heart of the most vulnerable and most-often exploited components of security: human nature, physical containment, and the Internet.

    Perhaps more importantly, this book provides a unique dive into tech hacking techniques and ways to protect yourself, your business, and your family from them.
