HIR Issue 8: Data Externalization in the Eyes of a Hacker
By Frogman
Winn Schwartau spoke at the Def Con 6.0 conference in Las Vegas in the Summer of 1998. He also wrote the ground breaking book Information Warfare, the second edition of which was released in 1996. In his book grew the unclassified world's view of Information Warfare and the three class breakdown of types. Class 1 is personal warfare. Class 2 is corporate. Class 3 is global. In each of these is a particular phenomenon known as data externalization. What this means is that we have reached the point where accumulated knowledge exists in a larger volume outside of our collective human minds than in. The number of books, manuals, recordings and other media add up to more data than our own brains holdings. This is a very scary, albeit necessary, consequence of our current proliferation of information systems. To the enterprising hacker this provides both a distinct advantage and disadvantage.
Of the advantages, we can look at quite a few. There are many public and semi-public databases available for searching through personal information. This information is not exactly sensitive, but can be used to steal an identity, aid guessing weak passwords, compromise communication patterns, and a host of other, formerly more difficult practices. These databases can be grep'd and a nice precise built. Family history, employment records, legal records and other types of data can also be found and compiled. Using this information in a Class 1 attack as a part of a larger Class 2 attack, a list of corporate employees can be built. This list can be expanded and branched to give address, background, and personality profiles. This gives rise to identity theft, social engineering, and strait hacking. The attacker can use the likely weak security held by a sub- contractor's employees to access the communication network to the larger corporation. This is essentially piggy-backing into the firewall from the identity of a trusted host. The advantages to social engineering are obvious, calling into a company, and asking questions that lead to known data, from what should be a blind start. The hacker can also use this data to bug an employee's home, and communications equipment. A cellular phone can easily have it's ESN copied, and with a scanner and filtering software, a tail can listen in on cellular conversations. A laptop with a cellular modem suffers the same attack. The tail may not be necessary, if the attacker can plant a mole or maybe a filter in the computers of the company servicing the phone. This would also break several security methods used in PCS.
Hopefully those advantages to the hacker are clear as to how an unimportant Class 1 attack on an executive who works for Acme Specialty Gaskets could be a role in the attack on Boeing and their latest, greatest air superiority fighter, signaling the spectre of a Class 3 attack.
The disadvantages include an added ease for being tracked, the looming prospect of beefed security, and competition. In most major computing systems there are auditing systems. Records are kept and examined. The use of an unexpected auditing system can pose an extreme threat to the anonymity of a hacker. A passive sniffer, or even an inductive sniffer can be used by the hacker for a distinct advantage, but the security office can place these type of monitors on their own lines and have an invisible eye on the communications systems. The ease in which a database can be broken into will quickly spread across the underground, and thus the security level will eventually be brought into shape.
These small insights are not the only prospects for a hack to employ on their quest. Those with malicious intent can easily bring into fruition an underground TRW type of service for sale to the highest bidding Info. Warrior.
