True tales of (mostly) white-hat hacking
Stings, penetration pwns, spy games — it’s all in a day’s work along the thin gray line of IT security
In the mainstream media, hacking gets a bum rap. Sure, the headline grabbers are often nefarious, but all computer professionals are hackers at heart. We all explore the systems we use, often reaching beyond their normal intent. This knowledge and freedom can come through big time in sticky situations.
In my three decades fighting malicious hackers, I’ve come to rely heavily on that desire to scratch an itch. Improvisation and familiarity with computing systems are essential when combating those who will do almost anything to compromise your network.
[ Verse yourself in 14 dirty IT security consultant tricks, 9 popular IT security practices that just don’t work, and 10 crazy security tricks that do. | Find out how to block the viruses, worms, and other malware that threaten your business, with hands-on advice from expert contributors in InfoWorld’s PDF guide. | Keep up with key security issues with InfoWorld’s Security Central newsletter. ]
Some call it white-hat hacking. I call it a good day’s work — or weekend fun, depending on whether it’s at home or business.
Here are five true tales of bringing down the baddies. I can’t say I’m proud of all the things I did, but the stories speak for themselves. Got one of your own to pass along? Send it my way, or share it in the comments.
True tale of (mostly) white-hat hacking No. 1: Disney, porn, and XSS
Cross-site scripting (XSS) continues to be the No. 1 problem plaguing websites, even today. XSS vulnerabilities arise when a website allows another entity to post Web scripting commands that can then be viewed and executed by others.
Oftentimes, these vulnerabilities fly under the radar. Simply offering users the ability to post comments is enough, if your site allows script commands to be posted, viewed, and executed. A malicious party writes a malicious scripting command that is then consumed and acted upon by other visitors to your site.
When asked why you should worry about cross-site scripting attacks, I like to tell the following story, although the XSS scripting part was just one piece of a great week of hacking.
I was working at a well-known computer security company at the time, and we had been hired to perform penetration testing on an IP TV device that a large cable company was considering producing. Our mission was to find vulnerabilities in the set-top box, especially if any of those vulnerabilities could lead to stealing porn for free, posting porn to, say, the Disney channel, or leaking private customer or company information.
Two coworkers and I were set up in a computer room within one of the cable company’s remote offices. Our attack targets consisted of two televisions, two cable modems, and two new set-top cable boxes (the intended testing target). We were connected to a cable TV broadband connection in such a way that no one else would know the difference between our setup and any normal customer. We then played porn on one TV and Disney movies on the other.
Three guys sitting in a room, hacking away, watching porn, and getting paid to do it — life was good. The only thing missing was the beer. In short order, using a port scanner, I had found a Web server running on a high TCP port, in the neighborhood of 5390. I ran Nikto, a Web vulnerability finder, and it came up with a few false positives. But it also identified the Web server as something I had never heard of. A little research told me it was an open source Web server that had stopped being supported nearly a decade before.
I wondered how likely it was that an old Web server was patched against vulnerabilities that were common 10 years ago. My hunch was correct. I was able to access the set-top box using a simple directory traversal attack (such as https://..//..//..//). I was in as root and had complete control of the device. It was running an old flavor of BSD, which was full of vulnerabilities by itself. In short order, we were able to steal porn, steal credit card numbers, and switch the Disney channel out with porn. We had accomplished all our goals, only a few hours in.
Later that week I learned that my success with a directory traversal attack would find its way up to the cable company’s CSO and beyond. I was invited to talk about my finding ahead of the official written report. Many of the company’s bigwigs flew in for the meeting. When I asked why all the hullabaloo for something they could fix in the new set-top box, I learned that the same Web server and setup was being used in millions of existing cable boxes around the world. I did a scan of the Internet looking for the high TCP port and found tens of thousands of them awaiting anyone’s connection and hacking attempt.
That wasn’t even the highlight — at least to our penetration-testing team. While attacking the set-top box, we found it contained an HTML firewall log, which had an XSS vulnerability. The log would record all Web packet content details after we raised its debug level. Then we crafted an attack packet containing malicious JavaScript and called the cable company’s tech support number.
Posing as a regular customer, we complained that we thought someone was attacking our cable box and asked if the technician could take a look at our device’s firewall log to confirm. A few minutes later up popped the technician’s shadow and passwd password files. When executed, our encoded malicious JavaScript packet would look for various password and configuration files and, if found, send them back to us. The technician had viewed the firewall log, the XSS had launched, and we ended up with the company’s enterprise-wide root password. All of this hacking occurred in about six hours. In less than a day we had fatally compromised the set-top box and pwned the whole company.
That’s nothing to say about the hardware mods and component fires we caused during the ensuing days of boredom because we had nothing else to do but wait for our scheduled plane rides back home.
It was pure joy — and one of the most fun hacking days in my life.
True tale of (mostly) white-hat hacking No. 2: Spamming the persistent porn spammer
Some white-hat hacking walks a thin line. Here’s a great example of “white-hat hacking” of a vigilante nature gone somewhat awry.
Back in the late 1980s, when I was using an email client called Lotus cc:Mail, my work email address had found its way to a porn spammer, and he began to load my inbox with enticements. After five of them came through in a couple of minutes, I decided to take a look at the email header. Back then, spammers didn’t hide as much, and the header revealed the spammer’s true domain name. Using a reverse lookup, I found the hacker’s name, address, and work email address from his domain’s DNS registrar.
I sent a polite email asking to be removed from the spammer’s email list. He replied that there’s nothing he could do and followed up with 10 more porn spams. This ticked me off, so I created a mailbox rule to send right back at him 100 copies of any porn spam message he shot my way. Naturally, this only incited him to fire off even more spam and a personal email indicating that he was sharing my email address with other spammers.
I used the search engine we all envied at the time, AltaVista, and found not only his personal email account, but those of his wife, daughter, and grandparents. I sent him an email notifying him that every time I received any new spam I would send 100 copies of that spam to his personal email account, as well as those of his wife, his daughter, and his grandparents. Not surprisingly, the new spam suddenly stopped. I even got an email from him notifying me that it might take a day for all spam to stop because he had to remove my name from external lists beyond his control. I never got another spam from him.
I contacted the late, great Ed Foster’s Gripeline column at InfoWorld (many years before I began writing for InfoWorld myself) and told him what I did and how I had found a new way to stop spam that anyone could use. I expected him to congratulate me and make me the focus of one of his columns. Instead, he told me that what I did, or proposed to do, including using the daughter’s email address in my threat, bordered on illegal, or at least ethical, issues. Bless Ed Foster for making me realize I was walking a line I might not want to tread.
True tale of (mostly) white-hat hacking No. 3: Red-herring sting nabs nefarious fishmonger
Years ago I was hired by the CEO of a small fish-selling business. He had a hunch that a former senior executive had hacked his company to get a competitive edge in fish sales to Egypt. A new company, started by the former VP, was suddenly and consistently beating his bid proposals by 1 cent per pound — just enough to ensure that my client’s company went from getting every fish delivery project to getting none. The fishmonger was near bankruptcy when he hired me.
I was a little skeptical of his allegations of computer hacking during our initial visit, but while I was there something odd happened. An Egyptian contact, to whom the CEO had sent bid responses, had received an automatic notice of an email being opened (a read receipt) from an unknown email account in response to an email he had sent my client. The read receipt should have originated from the CEO’s email account, but instead it came from a university email account. It looked like, and was later confirmed, that the hacker had forgotten to turn off automated read receipts in his email client, and when he opened email intended to the CEO, his email client sent back a read receipt from his email account.
We quickly figured out that the former VP had discovered the CEO’s email password and was using it to pick up copies of bid information between his former company and Egypt. The newly discovered email address linked back to a nearby university, which, coincidentally, both the former VP and I had attended years ago. The school allowed former students to continue to use limited parts of its computer system, including email. Antiquated by today’s standards, the university’s system had a few interesting features that proved useful in our investigation: You could look up when other people were using the system, and it would let you link email addresses to real names, along with other identifying information.
We contacted the FBI and city police to report the cyber crime. At the time, the FBI had very few computer crime experts, none with real hacking skills. But with their legal assistance, I was allowed to perform, under the FBI’s legal authority, some limited forensic investigative techniques.
Sure enough, the hacker was using a university email account that we could trace to the former VP. Using various lookups, we were able to see when the former employee used the university system. The correlation to days when fish bidding was performed was striking.
Of course, we could not conclusively confirm that the former VP was using his old email account, no matter how obvious it seemed. We needed a way to track an opened email back to the former VP’s current IP address, which could then be subpoenaed from his ISP. I decided to use a Web beacon.
A Web beacon (aka a Web bug) is a hidden HTML link to a nearly invisible graphic element that when viewed in an HTML-enabled client allows the custodian of that element to track information about the user who has opened it. I modified the CEO’s email signature to contain an HTML link to a 1-pixel transparent GIF file located on a Web server that we managed. When anyone opened an email containing the CEO’s modified signature, their email client would automatically download the Web beacon, and our Web server logs would contain the viewer’s current IP address, along with time, date, and other identifying information.
With our trap in place, we set up a sting. We contacted our Egyptian friend via phone to notify him of our plans. We sent an email discussing a nonexistent bid, along with our Web beacon. Further, we made a bid price that was several orders of magnitude higher than either party normally negotiated and used a fish type that did not exist. Everything about this email screamed fake, if you took the time to research it.
Immediately after we sent the email, the former VP took the bait, sending a bid to our Egyptian exactly 1 cent lower than our extremely high price. I was also able to produce evidence that the former VP accessed the university email system just prior to his response to the fake bid, and our Web beacon worked as planned. We had his IP address, which tracked him to his home. We knew it was his company; we knew it was him; we knew he had been illegally reading emails.
It was an open-and-shut case, although it took years to wind its way through multiple court hearings. Years after the hacking event, I learned that the CEO never changed his email password, proving once again that I understand computers way better than humans.
True tale of (mostly) white-hat hacking No. 4: Hacking comeuppance
I’ve been actively fighting malicious hackers for three decades and have been hacked only twice — once, because I knowingly ran an early computer virus on my system but had forget to set up a safe “jail” before executing it.
The second time, a hacker had sent malicious emails to my InfoWorld address in an attempt to take over my computer. I usually investigate these infrequent occurrences if only to see whether the attack is unique or unusual. In this particular case, the hacker had sent me a GIF file, which took advantage of a brand-new zero-day exploit that buffer-overflowed a Microsoft Windows graphics handling file and gave the attacker full control of my system.
I was getting ready to head on vacation, after a few hours of sleep, and was in such a hurry that I didn’t take the time to open the email in a virtual environment, like I normally would with an email I knew to be malicious. I also couldn’t believe that the attached GIF file could buffer-overflow my system. Many hackers have claimed the ability to do this for nearly two decades, but up until that email, it had never been accomplished in the wild. I was overly confident, perhaps a little cocky, that this malicious graphics file would be like the rest — harmless.
I was wrong. Immediately upon executing it, I could see it implant a backdoor Trojan and dial home. It took me by surprise. After hitting myself in the head a few times for executing a known malicious file on my personal computer, I disconnected from the Internet and immediately began defanging the newly dropped Trojan.
Within a few hours, I had successfully tracked and documented the new vulnerability. I sent a copy off to Microsoft and a few of my antivirus friends for more analysis and response. I lost any chance of getting any sleep before my vacation, and I remember driving way more tired than I should have.
The incident didn’t end there. I contacted the originator of the email and gave him some ill-achieved props. I had noticed he was bragging about his exploit on an IRC hacker channel and spreading his creation to dozens of websites. I told him that Microsoft was working on a fix and all the AV companies were releasing signatures. Needless to say, he wasn’t happy.
He then tried to hack my personal computer network, having acquired the IP address from his initial backdoor Trojan. He launched every malicious attack anyone could think of at the time, including DDoS attacks. When he couldn’t break into my network, he began attacking people and companies I did business with, using my IP address. For example, the hacker was successful in getting Apple to ban my IP address from connecting to its networks, preventing me from picking up new music from iTunes. No amount of emails with Apple would fix the problem, and eventually I was forced to get another IP address from my ISP.
I investigated the hacker, reading emails he had posted in a few hacker forums and on legitimate websites. What I found was that he was an overly zealous high school kid in the Midwest who thought he was a better hacker than he really was. Even “his” zero day was created by someone else. He just passed it along and claimed credit.
After a few more weeks of computer attacks, I sent him an email asking him to stop. He was surprised I had his email address. I responded with his real name, high school, and mailing address. I politely asked that he stop hacking me. He responded by launching even more attacks and attacking more companies using my new IP address. He was getting annoying. It was time to turn the tables.
I figured out what firewall he used to protect himself. I remembered having seen that it had recently had a remote buffer overflow announced in a public forum. This next step probably isn’t legal, but I used the buffer overflow to break into his computer. I created a batch file with commands that would format his hard drive the next time he rebooted, except I remarked out (REM’d) the lines so they would not take affect. I then sent him an email and told him of this “kill” batch file that I had placed on his local hard drive.
He was stunned. I told him that there were lots of smart hackers in this world and he wasn’t the only one who knew how to get onto other people’s system. I then politely asked that he stop attacking not only my system, but anyone’s system, and to turn his curiosity into legal ends. He agreed. As far as I know, he didn’t do any illegal hacking anymore.
Afterward, I got emails and IM chat messages from him for years. He went to college, got an engineering degree, and eventually became a midlevel executive at a computer company that got swallowed up by a huge conglomerate. He became fairly rich in the process. He has a wife and a few kids now. I don’t know if anyone in his life knows about his hacking teenage years. I can only tell you that it appears one good scare helped turned his life around.
True tale of (mostly) white-hat hacking No. 5: Like spies to a honeypot
I had been hired to help implement honeypots. The client, a defense contractor and think tank, had been thoroughly compromised and wanted an early-warning system to detect malicious hackers or insiders and to catch any unknown malware roaming around its network.
Over the next few weeks we created a “honeynet” of early-warning systems, fake Web servers, SQL servers, and SharePoint servers. During any honeypot project, I’m often asked how we’ll attract attackers to the honeypots. I always respond that there is no need to advertise; the attackers will find them. This statement is always met with skepticism, but it’s held true over the years.
We fired up the honeypots, and sure enough, we immediately discovered malware that had not previously been detected. Better yet, within 24 hours we discovered that an internal employee was also roving around the network and hacking various systems. She was trying to break into the new fake servers, including the Web, SQL, and SharePoint servers.
We weren’t sure what type of content the overly zealous employee was looking for or what her intent was, so we created a few different content areas. One dealt with a popular game, which half the users on the IT team seemed interested in. They were going so far as to hack into underutilized servers to host games and use resources. We also created sites centered on Middle East politics (the think tank’s focus) and the space shuttle. We downloaded the content from publicly available websites, copied it to folders, directories, and databases that made it appear as if the information was top secret, and used wget to keep the information updated.
The internal intruder went for the serious stuff. She wasn’t interested in gaming. We tracked her to an accounting/payroll department — by coincidence, literally on the other side of the wall from our honeynet team. The accounting department already had a Web camera in the room for payroll security issues.
With it, we watched the employee, a Russian temp, hack several real systems over the remaining week. Examining her computer after she left for the day, we found that she had inserted a wireless network card and had successfully bridged the “air-gapped” secure and nonsecure network. We could tell she was transmitting the data from her computer to someone else hooked into the wireless network. We placed keylogging programs on her computer to record her every keystroke.
We purchased a wireless sniffer to better track the hacker, and when she began transmitting information, we roamed the hallways looking for the illicit partner. We ended up in a nearby conference room that was open to the public. We opened the doors and saw about 200 people, half of them carrying laptops. Try as we might, we could not track the illegal data stream to a particular person. We had a room and a MAC address. Senior leadership would not allow us to stop everyone in the room to locate the specific person. Although I didn’t like the decision, it probably was the best legal answer.
It was decided that we would detain the known perpetrator to stop the data loss. I hung out in the background as IT and physical security confronted the employee. The moment the security guards entered the accounting department, the temp pushed away from her PC and claimed that someone was hacking it. She was so adamant and tearful that if I had not watched her expert hacking over the past few days using the Web camera, I would have believed her. She was a wonderful actress.
I never heard whether she was arrested or deported or what happened to her. I was not privy to those details. But I did hear that she was just one employee from a newly engaged temporary placement agency, and all the other employees from the agency were also caught hacking at this same client. The young woman I had helped detain had claimed that she had so few computer skills that the company had sent her to basic keyboarding classes.
It remains the one time in my life where I helped catch a Russian spy.
Best Microsoft MCTS Certification, Microsoft MCITP Training at certkingdom.com