Everything You Wanted to Know about
Social Engineering -- But Were Afraid to Ask...
Social Engineering to Incite Crime
If you hang out on hacker email lists and IRC chat rooms,
now and then some pitiful luser will come online with a request
that someone commit crime against someone he hates. Usually this
is done so ineptly that I doubt it works. However on Tuesday,
January 4, 2000, Elias Levy (AKA Aleph One), the moderator of
the Bugtraq computer
security mailing list, demonstrated a sophisticated version of
this ploy. He chose to send out to his some 40,000 subscribers
a script to damage a computer used by John Vranesevich's Antionline.com:
Title : Vulnerabilities in the SolutionScripts.com
Home Free CGI package.
Advisory Ref : csh-adv:04.01.2000-CGI-HomeFree-01
Credits : fzx, omnihil, the guys in !el8
DSKZ, M0D
…
# Default server is antionline's, change as appropriate.
#
use IO::Socket;
if ($ARGV[0] eq "") { die "no argument\n"; }
$asoc = IO::Socket::INET->new(Proto => "tcp",
PeerAddr => "members.antionline.com",
So in this case Levy used social engineering to incite criminal
attacks by the readers of his mailing list. Did this hack work?
Here's what Vranesevich reported:
AntiOnline Status Notice
Tuesday, January 4, 2000 at 17:27:32
by John Vranesevich - Founder of AntiOnline
As part of its policy on releasing any information related
to the security of its network, AntiOnline presents the following
statement:
On Tuesday, the popular BugTraq security mail list released
an advisory about the security of "Home Free", a cgi
software product produced by SolutionScripts.com AntiOnline,
along with hundreds of other websites, used the HomeFree software
in order to host free "user webpages" on its members.antionline.com
domain (which can be thought of as a geocities-like interface).
The security advisory used the AntiOnline instillation of HomeFree
as an example (we appreciate it) of the vulnerability.
The disclosed vulnerability allowed any user to view the structure
of any directory on the webserver. However, it did not allow
any user to view the contents of, delete, or otherwise modify
any file on the server.
AntiOnline had the offending CGIs offline within 3 minutes
of the BugTraq notice being sent out (thanks to custom notification
software implemented at AntiOnline).
AntiOnline notified the makers of the HomeFree Software, and
received a patch from SolutionScript developer Tim Watson within
15 minutes. AntiOnline is in the process of reviewing the patch,
and the integrity of the other CGIs in the HomeFree package.
Once again, Vranesevich had outsmarted the computer criminals.
More on social engineering: how to
keep from being suckered --->
Back to the index of "Everything You
Wanted to Know About Social Engineering -- But Were Afraid to
Ask --->
