March 2004 • Vol.4 Issue 3
Page(s) 46-49 in print
Inside The World
Of Real-Life Hackers
Asking how one
hacks a network is like asking how you get a college degree. Sometimes you
start down one path and finish on another. Sometimes the payoff at the end
isn’t what you expected. And sometimes you never even finish.
McAfee’s Visual Trace (formerly NeoTrace) lets
you follow an intruder to the origin.
are practically as many ways to hack a computer system as there are
hackers. Interestingly, the truth is that more network hacks are like the
movie “Wargames” than “Swordfish,” where the initial intrusion is based on
random chance rather than premeditated attack. It’s like a salesman with a
Yellow Pages book in his lap: dial enough numbers, and eventually you’ll
score. Of the hacks that are targeted, the majority succeed through social
engineering rather than brute hacking force from a remote
Social engineering at its most basic means tricking
people into giving up something the hacker needs in order to perform his
exploit. (We’ll use the masculine pronoun here since insiders agree that
the overwhelming majority of hackers are male.) Most articles on hacking
shy away from social engineering a) because it’s too mundane to sound like
an authentic technical topic, and b) it makes people genuinely uneasy to
think that they’re so gullible. But it is, and they are, so realize that
you too are susceptible and be wary.
White hat hacker John Klein
(see our “A Day In The Life” sidebar) was once tapped by a major telecom
company to investigate a possible security breach in its E911 network
operations center, which houses the private, unlisted information for
everyone from the president to Britney Spears to you. Every knowledgeable
security analyst who looked at the company’s network swore it was
bulletproof and impervious to hacking.
Klein donned his “Phone
Boy” costume comprised of work boots, jeans, clipboard, jacket with
embroidered name (not a company logo because that would be illegal), a few
tools in a belt pack, and one of those “stinger” phones that telecom
repairmen use to test lines. The event went down something like
He walked into the main lobby straight up to the
receptionist, clipboard in hand, looked her in the eye, and said, “Where’s
extension 326?” The secretary dutifully asked to see his work order,
whereupon Phone Boy said that his boss had been instructed by the
company’s IT Director Mr. SoAndSo, who’d in turn been told by the
President Mr. BlahBlah, to send someone down immediately to fix the phone
network problem. (Phone Boy, being a thorough hacker, had the names of
these officials ready on his clipboard, having just looked them up online
at the Chamber of Commerce and any other available sources.) The secretary
sent him through to one of the building’s cubicle farms.
Cubeville, Phone Boy then began looking for vacant desks. Every desk on
the floor featured one of those pull-out trays, almost like a cutting
board, right above the top drawer, and on each of these trays was taped a
Post-It note with that terminal’s password. At one point, Phone Boy
spotted a vacant office in one corner that looked promising as a manager’s
office. He went in, sat down at the desk with stinger phone in hand, and
just as he reached for the desk tray, someone popped in and demanded to
know what he was doing.
“Looking for the source of the static
feedback loop hosing up your network,” said Phone Boy. “It’s either this
line or the one next door.” Dubious, the employee asked him to leave.
“Sure,” said Phone Boy. “Just tell me your name so I can tell Mr. SoAndSo
who kicked me out before I fixed his problem.” Immediately, the employee
urged Phone Boy to stay and do whatever he wanted, which Phone Boy
Social engineering tricks like this sound too implausible on
paper to be possible, but they work, and what’s worse is that they work
a lot. According to the anonymous author of the Hacker’s Black Book
( http://www.hackersbook.com/), social engineering
attacks have become most common during chat and IM sessions. Once trust is
established between the hacker and victim, the subject will give up
valuable information ranging from email IDs to even credit card numbers.
Even more insidious, the hacker may offer a screen saver or some other
program hiding a Trojan horse, such as a key logger, which can report back
to the hacker any and all data typed into the system.
No matter how
good the firewall or how reputable the virus scanner, a system or
network’s security is only as strong as the infallibility of those working
The Targeted Remote Hack
down firm statistics in this hush-hush business is difficult, the SANS
Institute ( http://www.sans.org/) notes that about 80% of all
security breaches are conducted by insiders, meaning disgruntled
employees, janitors on the take, and such. But if we just look at the
hackers who pose a risk to the general public, the large majority are
“script kiddies,” usually intelligent, underachieving teens with too much
bandwidth, too little supervision, and even less social
Script kiddies know how to find hacking tools and
exploits on the Internet, although they may lack the knowledge to
customize or adapt exploit scripts in any degree of detail. When it comes
to your home or small business, it’s not the serious black hats you should
worry about but the script kiddies. For them, you are a faceless learning
opportunity to be used and discarded.
To illustrate both the
typical perp and his scan-exploit-abuse methodology, let’s look at a
hitherto unpublicized case buried in the 2003 files of the National
Infrastructure Protection Center, a division of the U.S. Department
of Homeland Security.
14-year-old’s screen name was “akjabber.” Like most script kiddies,
akjabber found a new exploit to target, picked a wide swath of IP
addresses (four class C ranges to be exact), and let an automated scanning
app run for several days. The exploit in question was a known flaw in
Citrix, an enterprise-level application-access platform. Akjabber’s
scanner came across a server running Citrix that did not have the suitable
patch (which had been out for some time) already installed, and he was in
like flint. The kid thought he’d penetrated just some ordinary business
machine. In fact, he’d breached one of the largest power utility companies
in North America.
We could fill this magazine with similar
flowcharts, each tailored to a different kind of hack attack. This
particular illustration shows the decision chain involved in a
typical Web site defacement attempt on a server running last year’s
Microsoft IIS. You can see that the process involves determining
suitable exploit possibilities for different versions of the
platform. If one approach is unsuccessful, there are plenty of other
options to try.
Akjabber’s first move was to upload an FTP server
into his prey. Then, he uploaded a couple of stray files for his friends
to download. That was all. The system’s log files show that akjabber
disappeared over the duration of Christmas break, an early pointer to the
fact that he was just a kid. Come early January, he returned and got busy.
He uploaded a publicly viewable Web page, complete with graphics, to prove
his hack prowess to all his IRC homies. He uploaded an IRC bounce server
to shield his private identity without considering that the IRC log files
in his host would contain his true ID info for investigators.
script kiddie then carried the pattern to its inevitable conclusion.
Finding that he had a 45Mbps DS-3 connection at his disposal, akjabber
used the power company’s pipeline to start launching denial of service
attacks at anyone or anything that caught his fancy. This roused the
curiosity of the host’s IT staff, who saw their bandwidth getting
clobbered at odd intervals and emails coming in from irate victims.
Akjabber’s last and worst mistake was to accidentally delete one of the
Citrix server’s key system files, which brought the company’s access apps
to a crashing halt.
The power company now knew it had been hacked
and called in information security specialists and other high-level
authorities. Within a few minutes, investigators found the IRC logs and
pinpointed the channel in which akjabber was currently blathering with
four of his buddies. In stepped the white collars, who informed akjabber
that he was well and truly busted. The kid spilled his story and agreed
that juvenile rehab was a worse alternative than staying far away and
never returning. His chat friends looked on and openly ridiculed him all
Be Afraid. Be Careful.
2003, the U.S. Air Force sponsored a year-long study called “Attack ID”
spanning 300 eligible hacker applicants of both the white and black hat
persuasion. All of the participants knew going in was a range of 20 IP
addresses to scan and three goals: visibly alter a Web page, obtain a
secret 15-digit credit card number stored in a SQL database on a Windows
server, and hack the admin account’s email to obtain the secret code in a
certain message. Seventeen participants finished one goal, five finished
two, and only three met all three. The unbelievable star of the group was
a white hat in his mid-20s named “jelly” who completed all three goals in
only 14 minutes. This was against two fully patched Windows 2000 servers
sitting behind a properly configured SonicWALL firewall.
study’s organizers expected to prove that you could determine what a
hacker was thinking and his target based on the type of attack used. What
they found instead was that such inference is impossible because most
hackers improvise their attacks on the fly, finding the tools they need
and crafting scripts as they go.
The fact that if a good hacker
wants to “own” your system badly enough, he probably will unless you’re an
equally good counter-hacker. You’ll get scanned at random for this or
that, and you just have to hope that the hacker isn’t looking for the
vulnerabilities present in your system, or at least that exploiting your
vulnerabilities won’t be worth his time. Don’t make it easy for him. Don’t
run unproven software. Keep your antivirus scanner and firewall current
and impeccably configured. Paying $75 for a fingerprint scanner such as
Digital Persona’s U.are.U. Personal to encrypt all of your system data and
passwords is a sound investment.
And the next time a guy shows up
without paperwork to check your phone, be nervous.
Day In The Life Of A White Hat
“Anyone in the hacking
business is unique,” says John Klein, often known online as Cobras.
“There is no cookie cutter.”
Klein fit the classic hacker
profile as a youth: bright, unmotivated, a loner, easily scoring As
in the few classes that interested him and pulling Ds in those that
didn’t. At the age of 14, he discovered CB radios, and at 16 he
bought his first computer, a Radio Shack CoCo (Color Computer) that
ran BASIC. This would be the first in a long line of upgrades
including such classics as various TRS-80s and the 8088. Klein’s dad
would occasionally take him to the local university where he would
pick students’ brains and learn how to dial into the school network
with his Compaq luggable and a cradle-based 1200-baud modem.
Eventually, Klein found himself in the wrong computer at the
wrong time within one of the country’s biggest credit card
transaction processing centers. As part of the deal made with law
enforcement, Klein agreed to show them how his exploit was done and
help ensure that it couldn’t be easily repeated.
Klein hit upon the idea of turning security and hacking expertise
into a business. Rent-A-Hacker hit the Web, and the phone started
ringing. By 2001, Klein was frustrated at passing up major jobs
because of insufficient resources, so he partnered with Corporate
Technologies, now known as Multiband.
Now 40, Klein is
married with cats; he has eight PCs sporting various OSes, and
maintains an office desk drawer filled with frosted raspberry and
brown sugar Pop Tarts and microwaveable Campbell’s chunky sirloin.
An average workday for Klein goes something like this: 9:00ish a.m.:
After an hour of client calls on his cell phone, Klein rolls into
work. While stuffing himself with Gevalia coffee, he sorts through
the 500 to 1,500 new filtered emails. Colleagues will usually run in
with some crisis or unfinished business from the night before that
needs immediate attention.
10:00 a.m.: Pop
Tarts followed by client meetings.
Client calls intermixed with tasks outside the office.
Klein’s time generally bills out at $175 per hour for consultations,
and he almost never eats lunch. By the time things settle down and
he’s back at his desk in midafternoon, he might dip into the food
drawer for a snack.
2:00 to 3:00 p.m.: Time
to plan out the night’s coming jobs. “An interesting part of this
business is that you can rarely do your job during the day,” says
Klein. “I can’t do penetration testing or vulnerability assessments
during the day because they don’t want their network screwing up or
slowing down because of my scan while they’re trying to do business.
So I’ll schedule the scan with the customer for usually sometime
after 11:00 p.m., and I begin deciding which tools I’m going to use
based on what their network looks like.” There are hundreds of
hacking tools to choose from, and Klein can lean on staff
programmers for any necessary script programming before they go
3:00 to 5:00 p.m.: More phone calls.
When things malfunction at client locations, support calls somehow
seem to back up until the end of the business day. This is also when
Klein drops into exclusive security admin chat rooms and sifts
through his email newsletters on the lookout for breaking security
news. Often, he’ll discover new exploits on “0 Day” and immediately
inform applicable customers. Security bulletins from platform
vendors are likely to follow days to weeks
6:00 to 8:00 or 9:00 p.m.: Home for
“screwing around” on his PCs. This is Klein’s decompression time
spent ploughing through more than 200 personal emails and gaming.
His current fave is MS Flight Simulator, although past hits have
covered Asheron’s Call and EverQuest, and he expects next up will be
Final Fantasy XI.
9:00 p.m.: Wife Deana gets
home from work. The couple eats dinner, watches some tube, and
relaxes. Deana heads to bed around 10:30 to 11:00 p.m. while Klein
gets back to work.
11:00 p.m. to later: Time
to run jobs. “I’ll stay up until at least 1:00 a.m., sometimes 2:00
or 3:00 depending on what I’m doing for clients. If I’m running a
penetration scan, it could be 4:00 a.m. or later because if it
breaks something, I want to know about it . . . and I can’t stand to
just let it run and not see the results.”
|Digital Fortress: No Hack Job This
The site supplied for the hack was a
friendly and happy place.
hat hacker James “Digital Ebola” Lohman was kind enough to volunteer
to take a whack at a site we set up. We’d hoped that he
could dig into the Web server, copy out the graphic of our beloved
editor, and replace it with something, umm, more
Perhaps it wasn’t a fair test. Whereas many Web
sites run on a Windows system with IIS 5, our test config ran Red
Hat 8 with Apache 2.0.40, which is regarded as very secure.
Moreover, the box was current on patches and sat behind a firewall,
all of which, in Lohman’s estimation, made it far more hack-proof
than the bulk of servers on the Internet.
Still, the system
wasn’t a complete brick wall. Lohman used the popular Nmap
open-source scanner to determine the host’s services, OS, and other
characteristics. When the system first went live, only the Web
service on port 80 was open, which is the ideal configuration for a
box like this. You only want to open the barest essentials. However,
the server went down after a couple of days, and following a reboot
the configuration looked like this:
Discovering this much took Lohman two minutes. The open SSH
service (version 3.4 patch level 1) looked like a possible hack
candidate because every version under 3.7 is known to be vulnerable
provided you have the right code tailored for that system’s
configuration. He consulted about 100 different resources for
suitable existing code but came up empty. He is confident that he
could custom write the necessary code, but it would likely take two
full days of work provided he built a nearly identical config on
which to practice his attacks in order to gain an all-rights
exploiting the SSL (443) vulnerability,” says Lohman, “I would be
given the rights of the user running the Apache service. If I could
break that, I’d look at your kernel version because I know the 2.4
series kernels have major vulnerabilities I can gain root with. If
the kernel had been patched, I would turn around and start looking
for every file on the system set for a user ID of root. I would
start banging on those and see if there was exploit code available
for any of them. If not, I would hit each one individually and start
checking for possible buffer overflows that could crash that binary
and dump you out as root.”
While tame compared to most Web site
defacements, we’d hoped to replace our test site’s original
image with something more racy. Another day, perhaps.
Lohman notes that a secure system
today may not be so tomorrow. One possible attack vector in our
machine could be leaving the SSL port (443) wide open for any hacker
to waltz through, except we had it filtered. However, a poorly
executed configuration change in our filtering or failure of our
Linux firewall to start would leave the box very vulnerable.
Additionally, all it takes is one hacker somewhere in the world to
discover a weakness in our software, post it into a forum or site
such as packetstormsecurity.org, and the site could be
hacked within hours. In network security, the word “safe” does not