



Here I am in Trivandrum for a medical, and I wardrove almost all the major roads here; not even a single Wi-Fi signal was caught by my PDA.
Came home, we have a cable connection at home which was connected to a PC. The PC gets the IP via DHCP from the Cable Service provider. I tried connecting my iBook to the Cable Modem and I am not getting an IP as in the case of the PC. I needed to find a solution to check my mails from my iBook.
Since my room is on the ground floor and the PC with the cable connection is on the first floor, the best solution for me to use the laptop in my room and the sitting room would be to get a wireless router and connect it to the cable modem. We went to a few places and most of the guys don’t even know what a router (“rootere” – as they call it) is. At last we found a place where there are Linksys 802.11b and D-Link 802.11g routers. The choice was D-Link for a number of reasons. Speed, size, functions and the ability to operate in mixed mode are a few of them.
We got the router, and when it came to the configuration, the router didn’t get an IP via DHCP either. Thought for a while on the issue and I cloned the MAC address from the PC’s network card to the router. Bingo! I got the connection. (That means the cable service provider has bound the MAC address of the PC’s network card, so only that PC gets the IP via DHCP.)
Connected the PC to one of the router’s LAN ports and set up wireless as an open system. Why open? There are no hackers around? Not many places around my home.
Wireless Security Is Bad For Your Health Scott Turner, wireless nonexpert, argues that wireless security is leading to a health epidemic.
Now I can run around my home using either my iBook or iPAQ to use the Internet rather than sticking in front of the PC. Mobility is very important, huh?




I passed my Wireless# exam on the first attempt on 11/06/2006 with a score of 80%. This was way below my expectation, as I had been scoring 95-98% on the practice tests.

I was initially studying for my CWNA exam when Wireless# came out, so I thought to try it first. The PrepLogic MegaGuide and the Wireless# practice tests (the answer explanations) were the most useful.
My references were:
1. CWNA book
2. CWSP book
3. CWAP book
4. PrepLogic MegaGuide
5. Practice Tests (Free Wireless#, CWNA, CWAP)
6. Intensified’s Spreadsheets.
Some people may consider my referencing CWSP and CWAP as overstudying. In fact I was studying for my CWNA. For that I was using CWAP as a reference. Then came the Wireless#. So I guess it cannot be classified as overstudying cos my ultimate goal is to attempt and pass all the CWNP certifications. No harm in gaining extra knowledge on the subject whether it comes on the exam or not.
I’ll be attending my CWNA exam in another 2-3 weeks and will follow up with CWAP before CWSP.




These are the details of a social engineering attack pulled on Dhiraagu (for a good cause again).
What is Social Engineering?
Social Engineering uses influence and persuasion to deceive people by convincing them that the social engineer is someone he is not, or by manipulation. As a result, the social engineer is able to take advantage of the people to obtain information with or without the use of technology.
The texts in italics in this article are extracts from the book “Art of Deception” by Kevin D. Mitnick that gives you details of the tricks of social engineering attacks used in the case.
A friend of mine called me to help him with his ADSL connection, which keeps on dropping the signal every 2 seconds. They have recently moved to this new building and Dhiraagu has moved their ADSL also to this new building. I went to meet him around 17:30 hrs on a Thursday.
I asked my friend for the username and password of the ADSL router which he has in order to find out what could be wrong. He didn’t have that information, as usual with most of us who don’t keep that type of information in a safe place. I then asked him whether he has the ADSL username and password in case I have to reset the router back to factory settings to access it. He didn’t have that either.
I called up Dhiraagu 123 from my mobile (which has no relation to the address where the ADSL was connected) and directly told the guy that I don’t have my username and password of my ADSL connection and the only information which I can give him is the address where the ADSL is connected to.
The Direct Attack: Just Asking for It
Anybody gutsy enough to call and claim to be the owner or whatever will likely be taken at his word. Unless it’s obvious that he doesn’t know the terminology, or if he’s nervous and stumbles over his words, or in some other way doesn’t sound authentic, he may not even be asked a single question to verify his claim. That’s exactly what happened here with the support person.
The guy looked up the database and simply gave me the username, I then asked for the password, he gave me the same. Then I asked him for the username of the ADSL router (which Dhiraagu provides), he gave me the username and password for the router too.
The Direct Attack: Just Asking for It
Many social engineering attacks are intricate, involving a number of steps and elaborate planning, combining a mix of manipulation and technological know-how.
A skillful social engineer can often achieve his goal with a simple, straightforward, direct attack. Just asking outright for the information may be all that’s needed—as you’ll see.
Knowledge of a company’s lingo, and of its corporate structure—its various offices and departments, what each does and what information each has—is part of the essential bag of tricks of the successful social engineer.
What if somebody uses Social Engineering to harm these organisations and their customers?

