<h1>Small hacks: free coffee, taxi spying and a vulnerable airport</h1>
<p>Published 2018-03-21 (updated 2019-11-15) on the Kaspersky blog, Turkish edition: <a href="https://www.kaspersky.com.tr/blog/small-hacks-sas2018/4804/">https://www.kaspersky.com.tr/blog/small-hacks-sas2018/4804/</a>. English original: <a href="https://www.kaspersky.com/blog/small-hacks-sas2018/21606/">https://www.kaspersky.com/blog/small-hacks-sas2018/21606/</a>. Category: threats. Tags: thesas2018, etik-hack, hack, sas, security-analyst-summit, tehditler, the-sas-2018.</p>
<p>News sites regularly run stories about the software bugs and system vulnerabilities used to commit large-scale, sophisticated crimes, such as last year's <a href="https://www.kaspersky.com.tr/blog/wannacry-ransomware/3181/" target="_blank" rel="noopener">WannaCry</a> and <a href="https://www.kaspersky.com.tr/blog/new-ransomware-epidemics/3319/" target="_blank" rel="noopener">NotPetya</a> attacks. But according to experts, the most successful hacks and cracks come from simple mistakes made by the people who develop or install systems.</p>
<p>Misconfigured systems are everywhere, and it takes a hacker only a few hours to find such a system and make it surrender completely to human ingenuity. Israeli researcher Inbar Raz, a speaker at the <a href="https://www.kaspersky.com.tr/blog/tag/the-sas-2018/" target="_blank" rel="noopener">2018 Security Analyst Summit (TheSAS)</a>, gave many examples in his talk that confirm this sad truth.</p>
<h2>Free coffee</h2>
<p>Many coffee shops' loyalty cards work like this: the customer gets a card, tops it up like a bank card and then pays with it at the cafe. Large or frequent purchases earn bonuses. The customer can check the remaining balance by entering the card number on the cafe's website.</p>
<p>Inbar Raz, who had one of these cards himself, noticed that the website let users enter any card number, as many times as they liked. So, with a small program he wrote in half an hour, Raz tried a series of different card numbers and identified cards that held a good deal of money.</p>
<p>After reading the magnetic stripe of his card with a cheap USB reader, Raz saw that the number written on the card was not encrypted; the only security measure he encountered was a check bit that is trivial to compute. Replacing the number on the card's magnetic stripe with one of the numbers found in the previous step, and thus spending other people's money, was child's play.</p>
<p>To stay on the right side of ethics, Raz demonstrated the concept by buying a second card, loading money onto it and then carrying out the transaction with that card's number written onto the first card. It worked. In theory, an attentive cafe employee could spot the trick by comparing the number printed on the card with the number on the receipt; in practice, that is not going to happen. So this essentially means unlimited free coffee for the hacker, and perhaps a few extra cakes.</p>
<h2>Uber-style tracking</h2>
<p>Not long ago, Uber made the news with a <a href="http://www.businessinsider.com/uber-employees-stalked-celebrities-ex-employee-claims-2016-12" target="_blank" rel="noopener nofollow">scandal</a> over allegations that its employees had abused the mobile app to track well-known passengers.</p>
<p>It turned out that other taxi services let you do the same without going to the trouble of working for them. Inbar Raz discovered that when a taxi is booked online, its status can be followed using the contact phone number, and, as in the coffee example, there was no protection against brute-force searches here either.</p>
<p>Raz wrote a small program that harvested numbers and ended up with a handy map showing the addresses of all recent taxi requests on the service.</p>
<p><img src="https://media.kasperskydaily.com/wp-content/uploads/sites/91/2018/03/21161206/small-hacks-sas2018-taxi-map.jpg" alt="" width="1460" height="934"></p>
<h2>Airport (in)security</h2>
<p>Standard unencrypted Wi-Fi sometimes holds hidden surprises. In the first-class lounge of an Eastern European airport, Inbar Raz decided to check the configuration of the local access point.</p>
<p>The router settings he found opened at the standard web address without any administrator password. After going through the settings, Raz realised that this was not just a guest access point but the airport's main router, to which the airport's critical distribution and security systems were connected. Anyone with a laptop or a smartphone could have knocked those services out.</p>
<p><img src="https://media.kasperskydaily.com/wp-content/uploads/sites/91/2018/03/21161300/small-hacks-sas2018-airport-vlans.jpg" alt="" width="1460" height="1172"></p>
<p>Programmers and system administrators, take care. Do not assume that your small cafe (or taxi service, or airport) is too niche for hackers. Default settings, simple passwords such as "admin" or "12345", and the absence of CAPTCHAs or other measures against automated attacks are the most common security mistakes and the easiest way in for intruders. Even the lowest-level hackers can exploit them. And people like Inbar Raz, who responsibly disclose weaknesses instead of exploiting them, are very, very few.</p>
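<p>To make the fault shared by the coffee-card and taxi stories concrete, here is an added example in Python; it is not code from Inbar Raz's talk or from this article. It models a balance lookup keyed by a card number that is a sequential body plus a check digit, first exactly as described (any number, unlimited attempts), then with the two fixes a developer would add: a per-client request limit that charges failed lookups too, and a random per-card token so that the number alone reveals nothing. The Luhn-style check digit is an assumption, since the talk only said the check was easy to compute. The card numbers, balances, service classes and the "attacker" and "alice" client names are all constructed for the example. The same enumerator run against a taxi-status lookup keyed by phone number would behave identically.</p>

```python
"""Sequential identifiers plus unlimited lookups, and two fixes.

Added example, not code from the talk or the article. Assumption: the card's
check digit is Luhn-style. All card numbers, balances and client names below
are constructed sample data.
"""
import hmac
import secrets
from dataclasses import dataclass, field


def luhn_check_digit(body: str) -> str:
    """Luhn check digit for a digit string (assumed scheme, see module docstring)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:        # every second digit from the right once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


@dataclass
class Account:
    balance: float
    # Random per-card secret; only the hardened service checks it.
    token: str = field(default_factory=lambda: secrets.token_hex(16))


# Constructed sample data: 8-digit sequential card bodies that hold money.
SAMPLE_FUNDED = {"10000003": 12.50, "10000017": 48.00, "10000042": 130.00}


def make_accounts(funded: dict) -> dict:
    """Card number (body + check digit) -> Account. Sequential bodies are what make cards enumerable."""
    return {body + luhn_check_digit(body): Account(balance) for body, balance in funded.items()}


class WeakBalanceService:
    """The lookup as described: the card number is the only credential and attempts are unlimited."""

    def __init__(self, accounts: dict):
        self._accounts = accounts

    def lookup(self, client: str, card_number: str):
        acct = self._accounts.get(card_number)
        return None if acct is None else acct.balance


class RateLimited(Exception):
    pass


class HardenedBalanceService:
    """Two independent fixes: a fixed-window request limit per client that counts
    failed lookups too, and a random per-card token that must accompany the number."""

    def __init__(self, accounts: dict, limit: int = 5, window: float = 60.0):
        self._accounts = accounts
        self.limit, self.window = limit, window
        self._hits = {}       # client -> (window start, requests seen in window)

    def requests_from(self, client: str) -> int:
        return self._hits.get(client, (0.0, 0))[1]

    def _throttle(self, client: str, now: float) -> None:
        start, count = self._hits.get(client, (now, 0))
        if now - start >= self.window:
            start, count = now, 0
        count += 1
        self._hits[client] = (start, count)
        if count > self.limit:
            raise RateLimited(client)

    def lookup(self, client: str, card_number: str, token: str, now: float):
        self._throttle(client, now)   # charged before the lookup, so a miss costs as much as a hit
        acct = self._accounts.get(card_number)
        if acct is None or not hmac.compare_digest(acct.token, token):
            return None               # identical answer for unknown card and wrong token
        return acct.balance


def enumerate_cards(lookup, start_body: int, count: int, width: int = 8) -> dict:
    """What a half-hour script does: walk sequential bodies, append the check digit,
    record every card that reports money. Stops at the first rate-limit response."""
    found = {}
    for n in range(start_body, start_body + count):
        body = str(n).zfill(width)
        card = body + luhn_check_digit(body)
        try:
            balance = lookup(card)
        except RateLimited:
            break
        if balance:
            found[card] = balance
    return found


def demo():
    """Run the enumerator against both services.
    Returns (weak-service hits, hardened-service hits, requests the hardened service saw)."""
    accounts = make_accounts(SAMPLE_FUNDED)
    weak = WeakBalanceService(accounts)
    weak_found = enumerate_cards(lambda c: weak.lookup("attacker", c), 10_000_000, 100)
    hard = HardenedBalanceService(accounts)
    hard_found = enumerate_cards(lambda c: hard.lookup("attacker", c, "", 1000.0), 10_000_000, 100)
    return weak_found, hard_found, hard.requests_from("attacker")


if __name__ == "__main__":
    weak_found, hard_found, seen = demo()
    print(f"weak service leaked {len(weak_found)} funded cards: {sorted(weak_found)}")
    print(f"hardened service leaked {len(hard_found)} cards; enumerator stopped after {seen} requests")
```

<p>Against the weak service the enumerator finds all three funded cards in 100 requests; against the hardened one it finds nothing and is cut off after six. Two design points matter here. The per-client limit on its own is the weaker fix, because an attacker can rotate source addresses, which is why the per-card token carries the real weight: a printed or guessed number is no longer a credential. And the hardened lookup returns the same None for "no such card" and "wrong token"; a distinguishable error would let the enumeration continue by confirming which numbers exist even without the token.</p>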