Enzo wrote:Why would our power grid and nuclear powr plants be on the internet anyway? Or the armed forces. Seems less than secure to me.
A lot of these places will be on a private network, which is walled off from the big bad internet by a firewall. If you can penetrate the firewall, then . . .
Enzo wrote:I have to think that the power company doesn't use passwords like "Little Joey 2-13-97".
You can go ahead and think that if you like!
Enzo wrote:I have heard of programs that keep banging away with password variations, but that could take ages, and I would have to think that systems are sophisticated enough these days to recognize that a particular place was repeatedly trying variations of passwords. Hell, my credit union will freeze my account if I fail the password three times. My fat fingers found that out the hard way. I had to call them to get it back in shape.
Some possibilities.
(a) Harvest passwords which are stored on systems which are already compromised.
(b) Monitor passwords as they are transmitted across a network and transit compromised systems.
(c) Have an insider.
(d) Social engineering - hello, I'm from IT support, we've been seeing some unusual activity, if you can just let me log into your account . . .
(e) Dumpster diving.
Yet another possibility is the classic buffer overflow attack, which does not require a password. The basic idea:
(i) Attempt to access a whole bunch of IP addresses, trying each port. Typically, specific services (email, FTP, HTTP, etc.) are associated with specific port numbers.
(ii) When you get a connection, look at what it tells you. Many systems helpfully respond with a text message informing you of the service being provided, and the name/version of the server program which is providing it.
(iii) Exploit known vulnerabilities, such as buffer overflow. This one involves sending a message to the server for processing (e.g., send a login request with a super-long password, or a super-long email header). The software with a buffer overflow vulnerability copies this input into a memory location without checking to see if the maximum length is exceeded. If the maximum length is exceeded, the input overflows the allocated memory location, and is copied into memory that might possibly already contain the program instructions to be executed.
(iv) If those instructions are to be executed at some point, the excessively long input which was copied there and which overflowed the buffer is now executed instead. This input will typically consist of a whole bunch of "JMP" instructions (you don't really know what instructions your input will overwrite, so you don't know where you will gain control) to the beginning of a piece of code that does what you want.
(v) If the server program which has thus been exploited is running with "root" privileges, the game is over and the hacker has won. Any instructions at all can be executed, including installing a new hidden user account with administrative privileges, modification of the software on the site to hide the presence of the compromise, etc.
There are other typical exploits, on user machines, plant malicious code on a web site and hope that the user browses to it. (Or just send it by email, and hope they click on it.) If the user machine is not running software with known exploits (e.g., programs which will execute programs found on-line without properly restricting access to system resources), you're in.
Some ideas . . .