Networks --- Security --- Technology --- Blogging

Wednesday, December 27, 2006

A friend called me just now asking why he couldn’t log in to e-gold today, something like the password has been changed. A few hours back, he received an email saying that some ‘security changes’ from e-gold had been applied. What he does not know is that keyloggers are the devil programs running anonymously on his PC.

If one day you receive an email from your bank confirming a transaction that you never made, it is possibly after someone has been happily spying on you. They read every text you type.

Here are some ways I can remember that these bad programs end up on your PC:

1. You have installed some programs called freeware or shareware or any other wares that do something in the background.

2. You have visited some websites that asked you to install something and you just clicked “Yes”.

3. You have downloaded an evaluation copy of a good piece of software and later found the unlock key on bad sites and ran the patch program.

4. You have received some cool games in emails and immediately installed all of them.

5. You have followed a link in an email and done some installations.

6. You were looking here and there for a spyware remover, found a website claiming to be able to remove all kinds of spyware, and happily installed the remover.

7. You have visited some sexy websites and installed the free screen savers.

Bla bla… there are a lot more ways to get infected. The best way to get rid of these (if you are confused now) is to reformat the PC and use that PC only for online banking or trading. Be sure not to share it with anyone else.


Midtown Madness Cheats - PC Cheat Codes

Hold CTRL+SHIFT+ALT+F7 until a text input box appears and then enter the cheat you want.

Cheat Code   Effect

/big         big people
/bridge      the bridges raise and lower quickly
/damage      turns damage back on
/dizzy       makes the sky wacky
/fuzz        turns on the police radar
/grav        drive with half gravity
/nodamage    turns off car damage
/nosmoke     turns off wheel & damage smoke
/postal      when pressing horn vehicle fires post boxes
/smoke       turns on wheel & damage smoke
/swap        the train turns into planes
/tiny        tiny people
/ufo         planes turn into ufos


A final, more advanced method of gaining illicit information is known as “reverse social engineering”. This is when the hacker creates a persona that appears to be in a position of authority so that employees will ask him for information, rather than the other way around. If researched, planned and executed well, reverse social engineering attacks may offer the hacker an even better chance of obtaining valuable data from the employees; however, this requires a great deal of preparation, research, and pre-hacking to pull off.

According to Methods of Hacking: Social Engineering, a paper by Rick Nelson, the three parts of reverse social engineering attacks are sabotage, advertising, and assisting. The hacker sabotages a network, causing a problem to arise. That hacker then advertises that he is the appropriate contact to fix the problem, and then, when he comes to fix the network problem, he requests certain bits of information from the employees and gets what he really came for. They never know it was a hacker, because their network problem goes away and everyone is happy.


Ameritech Consumer Information “Social Engineering Fraud,”,3086,92,00.html

Anonymous “Social engineering: examples and countermeasures from the real-world,” Computer Security Institute

Arthurs, Wendy: “A Proactive Defence to Social Engineering,” SANS Institute, August 2, 2001.

Berg, Al: “Cracking a Social Engineer,” LAN Times, Nov. 6, 1995.

Bernz 1: “Bernz’s Social Engineering Intro Page”

Bernz 2: “The complete Social Engineering FAQ!”

The most prevalent type of social engineering attack is conducted by phone. A hacker will call up and imitate someone in a position of authority or relevance and gradually pull information out of the user. Help desks are particularly prone to this type of attack. Hackers are able to pretend they are calling from inside the corporation by playing tricks on the PBX or the company operator, so caller-ID is not always the best defense. Here’s a classic PBX trick, care of the Computer Security Institute: “‘Hi, I’m your AT&T rep, I’m stuck on a pole. I need you to punch a bunch of buttons for me.’”

And here’s an even better one: “They’ll call you in the middle of the night: ‘Have you been calling Egypt for the last six hours?’ ‘No.’ And they’ll say, ‘well, we have a call that’s actually active right now, it’s on your calling card and it’s to Egypt and as a matter of fact, you’ve got about $2,000 worth of charges from somebody using your card. You’re responsible for the $2,000, you have to pay that...’ They’ll say, ‘I’m putting my job on the line by getting rid of this $2,000 charge for you. But you need to read off that AT&T card number and PIN and then I’ll get rid of the charge for you.’ People fall for it.” (Computer Security Institute).

Help desks are particularly vulnerable because they are in place specifically to help, a fact that may be exploited by people who are trying to gain illicit information. Help desk employees are trained to be friendly and give out information, so this is a gold mine for social engineering. Most help desk employees are minimally educated in the area of security and get paid peanuts, so they tend to just answer questions and go on to the next phone call. This can create a huge security hole.

The facilitator of a live Computer Security Institute demonstration neatly illustrated the vulnerability of help desks when he “dialed up a phone company, got transferred around, and reached the help desk. ‘Who’s the supervisor on duty tonight?’ ‘Oh, it’s Betty.’ ‘Let me talk to Betty.’ [He’s transferred.] ‘Hi Betty, having a bad day?’ ‘No, why?...Your systems are down.’ She said, ‘my systems aren’t down, we’re running fine.’ He said, ‘you better sign off.’ She signed off. He said, ‘now sign on again.’ She signed on again. He said, ‘we didn’t even show a blip, we show no change.’ He said, ‘sign off again.’ She did. ‘Betty, I’m going to have to sign on as you here to figure out what’s happening with your ID. Let me have your user ID and password.’ So this senior supervisor at the Help Desk tells him her user ID and password.” Brilliant.

A variation on the phone theme is the pay phone or ATM. Hackers really do shoulder surf and obtain credit card numbers and PINs this way. (It happened to a friend of mine in a large US airport.) People always stand around phone booths at airports, so this is a place to be extra cautious.