Hacking with no technology

Hacker at Last HOPE conference says dumpster diving and shoulder surfing are as dangerous as, or more dangerous than, using a computer for hacking.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

NEW YORK--The typical image of a hacker is a kid hunched over his keyboard in the wee hours of the night staring at commands on his computer screen that unlock the secrets of the national government.

But, according to someone who knows better, the woman sitting next to you in the airport or Starbucks fiddling with her digital camera while you work on your company's confidential sales data could be just as dangerous.

Security researcher Johnny Long speaks at Last HOPE. (Credit: Elinor Mills)

One of the more fascinating talks at the Last HOPE hacker conference this weekend was by Johnny Long, a security researcher who hacks, writes books on hacking, and founded Hackers for Charity, which helps children and others in underdeveloped countries.

On Sunday evening, he described an epiphany he had when he and a friend were thwarted in their attempts to get into a highly secured building. Long was ready to give up. But his friend had another plan. He got a coat hanger and a rag and proceeded to break the window in the door. He then reached in with the straightened coat hanger and the door opened up.

"What he had done was defeat this multimillion-dollar security system with trash," Long said. "The touch bar doesn't know the difference between a wet wash cloth and a hand."

The message? "There's a lot of room for...solving problems in simple ways," he said.

Some of those simple ways to get access to supposedly secured systems, such as buildings or computer networks, without using technology include: shoulder surfing, which is viewing exposed information on computer screens; dumpster diving; and if you can't get in the front door, trying the smoker entrance where you'll be less likely to be interrogated.

Long showed photos of laptop screens he had managed to photograph in airports and other public places where executives and military officials were casually but unwittingly revealing confidential and sensitive information to anyone within a few feet. Based on his ample photographic evidence, it's clear that nobody tries to hide which buttons they are pushing on passcode-secured doors, even at the airport's TSA room.

You have to wonder: if Long could snoop so easily, what data could someone who is really targeting a source get at?

He showed photos of ATMs, grocery store check-out terminals and other public kiosks displaying error messages or in some other state in which they could be easily compromised.

Long also talked about how easy it is to "sniff" a hotel's billing and room entertainment network over the cable system and view other people's room charges and activities, such as porn surfing, logging into banking accounts, and e-mail communications.

Then there are what he called the "Jedi wave" and "fed blend" techniques of getting past security guards and mingling with federal officials by wearing a fake badge and just acting like you belong.

Blending in is the key to getting access, he said. Wearing a uniform will get you in anywhere, and telephone repair, FedEx delivery, and other uniforms are readily available on eBay and other sites.