Spotlight
March 2004 • Vol. 4 Issue 3, pages 46-49 in the print issue
Hack Anatomy
Inside The World Of Real-Life Hackers
Image caption: McAfee’s Visual Trace (formerly NeoTrace) lets you follow an intruder to the origin.
Asking how one
hacks a network is like asking how you get a college degree. Sometimes you
start down one path and finish on another. Sometimes the payoff at the end
isn’t what you expected. And sometimes you never even finish.
There are practically as many ways to hack a computer system as there are
hackers. Most network hacks are more like the movie “WarGames” than
“Swordfish”: the initial intrusion is a matter of random chance rather than a
premeditated attack. It’s like a salesman with a Yellow Pages book in his lap:
dial enough numbers, and eventually you’ll score. Of the hacks that are
targeted, the majority succeed through social engineering rather than brute
hacking force from a remote computer.
Social engineering at its most basic means tricking
people into giving up something the hacker needs in order to perform his
exploit. (We’ll use the masculine pronoun here since insiders agree that
the overwhelming majority of hackers are male.) Most articles on hacking
shy away from social engineering a) because it’s too mundane to sound like
an authentic technical topic, and b) it makes people genuinely uneasy to
think that they’re so gullible. But it is, and they are, so realize that
you too are susceptible and be wary.
A Classic Social-Engineering Probe
White hat hacker John Klein
(see our “A Day In The Life” sidebar) was once tapped by a major telecom
company to investigate a possible security breach in its E911 network
operations center, which houses the private, unlisted information for
everyone from the president to Britney Spears to you. Every knowledgeable
security analyst who looked at the company’s network swore it was
bulletproof and impervious to hacking.
Klein donned his “Phone Boy” costume: work boots, jeans, clipboard, jacket with
embroidered name (not a company logo because that would be illegal), a few
tools in a belt pack, and one of those “stinger” phones that telecom
repairmen use to test lines. The event went down something like
this:
He walked into the main lobby straight up to the
receptionist, clipboard in hand, looked her in the eye, and said, “Where’s
extension 326?” The secretary dutifully asked to see his work order,
whereupon Phone Boy said that his boss had been instructed by the
company’s IT Director Mr. SoAndSo, who’d in turn been told by the
President Mr. BlahBlah, to send someone down immediately to fix the phone
network problem. (Phone Boy, being a thorough hacker, had the names of
these officials ready on his clipboard, having just looked them up online
at the Chamber of Commerce and any other available sources.) The secretary
sent him through to one of the building’s cubicle farms.
Once in
Cubeville, Phone Boy then began looking for vacant desks. Every desk on
the floor featured one of those pull-out trays, almost like a cutting
board, right above the top drawer, and on each of these trays was taped a
Post-It note with that terminal’s password. At one point, Phone Boy
spotted a vacant office in one corner that looked promising as a manager’s
office. He went in, sat down at the desk with stinger phone in hand, and
just as he reached for the desk tray, someone popped in and demanded to
know what he was doing.
“Looking for the source of the static
feedback loop hosing up your network,” said Phone Boy. “It’s either this
line or the one next door.” Dubious, the employee asked him to leave.
“Sure,” said Phone Boy. “Just tell me your name so I can tell Mr. SoAndSo
who kicked me out before I fixed his problem.” Immediately, the employee
urged Phone Boy to stay and do whatever he wanted, which Phone Boy
did.
Social engineering tricks like this sound too implausible on
paper to be possible, but they work, and what’s worse is that they work
a lot. According to the anonymous author of the Hacker’s Black Book
( http://www.hackersbook.com/), social engineering
attacks have become most common during chat and IM sessions. Once trust is
established between the hacker and victim, the subject will give up
valuable information ranging from email IDs to even credit card numbers.
Even more insidious, the hacker may offer a screen saver or some other
program hiding a Trojan horse, such as a key logger, which can report back
to the hacker any and all data typed into the system.
No matter how good the firewall or how reputable the virus scanner, a system or
network’s security is only as strong as the people who work on it, and people
are fallible.
The Targeted Remote Hack
While pinning
down firm statistics in this hush-hush business is difficult, the SANS
Institute ( http://www.sans.org/) notes that about 80% of all
security breaches are conducted by insiders, meaning disgruntled
employees, janitors on the take, and such. But if we just look at the
hackers who pose a risk to the general public, the large majority are
“script kiddies,” usually intelligent, underachieving teens with too much
bandwidth, too little supervision, and even less social
conscience.
Script kiddies know how to find hacking tools and
exploits on the Internet, although they may lack the knowledge to
customize or adapt exploit scripts in any degree of detail. When it comes
to your home or small business, it’s not the serious black hats you should
worry about but the script kiddies. For them, you are a faceless learning
opportunity to be used and discarded.
To illustrate both the
typical perp and his scan-exploit-abuse methodology, let’s look at a
hitherto unpublicized case buried in the 2003 files of the National
Infrastructure Protection Center, a division of the U.S. Department
of Homeland Security.
Figure caption: We could fill this magazine with similar flowcharts, each
tailored to a different kind of hack attack. This particular illustration shows
the decision chain involved in a typical Web site defacement attempt on a
server running last year’s Microsoft IIS. You can see that the process involves
determining suitable exploit possibilities for different versions of the
platform. If one approach is unsuccessful, there are plenty of other options to
try.
The 14-year-old’s screen name was “akjabber.” Like most script kiddies,
akjabber found a new exploit to target, picked a wide swath of IP addresses
(four class C ranges, roughly 1,000 hosts), and let an automated scanning app
run for several days. The exploit in question was a known flaw in Citrix, an
enterprise-level application-access platform. Akjabber’s scanner came across a
server running Citrix that did not have the suitable patch (which had been out
for some time) installed, and he was in like Flynn. The kid thought he’d
penetrated just some ordinary business machine. In fact, he’d breached one of
the largest power utility companies in North America.
Akjabber’s first move was to upload an FTP server
onto his prey. Then, he uploaded a couple of stray files for his friends
to download. That was all. The system’s log files show that akjabber
disappeared over the duration of Christmas break, an early pointer to the
fact that he was just a kid. Come early January, he returned and got busy.
He uploaded a publicly viewable Web page, complete with graphics, to prove
his hack prowess to all his IRC homies. He uploaded an IRC bounce server
to shield his private identity without considering that the IRC log files
in his host would contain his true ID info for investigators.
The
script kiddie then carried the pattern to its inevitable conclusion.
Finding that he had a 45Mbps DS-3 connection at his disposal, akjabber
used the power company’s pipeline to start launching denial of service
attacks at anyone or anything that caught his fancy. This roused the
curiosity of the host’s IT staff, who saw their bandwidth getting
clobbered at odd intervals and emails coming in from irate victims.
Akjabber’s last and worst mistake was to accidentally delete one of the
Citrix server’s key system files, which brought the company’s access apps
to a crashing halt.
The power company now knew it had been hacked
and called in information security specialists and other high-level
authorities. Within a few minutes, investigators found the IRC logs and
pinpointed the channel in which akjabber was currently blathering with
four of his buddies. In stepped the white collars, who informed akjabber
that he was well and truly busted. The kid spilled his story and agreed
that juvenile rehab was a worse alternative than staying far away and
never returning. His chat friends looked on and openly ridiculed him all
the while.
Be Afraid. Be Careful.
In 2003, the U.S. Air Force sponsored a year-long study called “Attack ID”
spanning 300 eligible hacker applicants of both the white and black hat
persuasion. All the participants knew going in was a range of 20 IP addresses
to scan and three goals: visibly alter a Web page, obtain a secret 15-digit
credit card number stored in a SQL database on a Windows server, and hack the
admin account’s email to obtain the secret code in a certain message. Seventeen
participants finished one goal, five finished two, and only three met all
three. The unbelievable star of the group was a white hat in his mid-20s named
“jelly” who completed all three goals in only 14 minutes. This was against two
fully patched Windows 2000 servers sitting behind a properly configured
SonicWALL firewall.
The
study’s organizers expected to prove that you could determine what a
hacker was thinking and his target based on the type of attack used. What
they found instead was that such inference is impossible because most
hackers improvise their attacks on the fly, finding the tools they need
and crafting scripts as they go.
The fact is that if a good hacker wants to “own” your system badly enough, he
probably will, unless you’re an equally good counter-hacker. You’ll get scanned
at random for this or that, and you just have to hope that the hacker isn’t
looking for the vulnerabilities present in your system, or at least that
exploiting them won’t be worth his time. Don’t make it easy for him. Don’t run
unproven software. Install vendor patches promptly; akjabber’s way in was a fix
that had been available for some time. Keep your antivirus scanner and firewall
current and impeccably configured. Paying $75 for a fingerprint scanner such as
Digital Persona’s U.are.U Personal to protect your passwords and encrypted
data is a sound investment.
And the next time a guy shows up
without paperwork to check your phone, be nervous.
by William Van Winkle
A Day In The Life Of A White Hat
“Anyone in the hacking
business is unique,” says John Klein, often known online as Cobras.
“There is no cookie cutter.”
Klein fit the classic hacker
profile as a youth: bright, unmotivated, a loner, easily scoring As
in the few classes that interested him and pulling Ds in those that
didn’t. At the age of 14, he discovered CB radios, and at 16 he
bought his first computer, a Radio Shack CoCo (Color Computer) that
ran BASIC. This would be the first in a long line of upgrades
including such classics as various TRS-80s and the 8088. Klein’s dad
would occasionally take him to the local university where he would
pick students’ brains and learn how to dial into the school network
with his Compaq luggable and a cradle-based 1200-baud modem.
Eventually, Klein found himself in the wrong computer at the
wrong time within one of the country’s biggest credit card
transaction processing centers. As part of the deal made with law
enforcement, Klein agreed to show them how his exploit was done and
help ensure that it couldn’t be easily repeated.
In 1994,
Klein hit upon the idea of turning security and hacking expertise
into a business. Rent-A-Hacker hit the Web, and the phone started
ringing. By 2001, Klein was frustrated at passing up major jobs
because of insufficient resources, so he partnered with Corporate
Technologies, now known as Multiband.
Now 40, Klein is
married with cats; he has eight PCs sporting various OSes, and
maintains an office desk drawer filled with frosted raspberry and
brown sugar Pop Tarts and microwaveable Campbell’s chunky sirloin.
An average workday for Klein goes something like this:
9:00ish a.m.: After an hour of client calls on his cell phone, Klein rolls into
work. While stuffing himself with Gevalia coffee, he sorts through
the 500 to 1,500 new filtered emails. Colleagues will usually run in
with some crisis or unfinished business from the night before that
needs immediate attention.
10:00 a.m.: Pop Tarts followed by client meetings.
11:00 a.m.: Client calls intermixed with tasks outside the office.
Klein’s time generally bills out at $175 per hour for consultations,
and he almost never eats lunch. By the time things settle down and
he’s back at his desk in midafternoon, he might dip into the food
drawer for a snack.
2:00 to 3:00 p.m.: Time to plan out the night’s coming jobs. “An interesting part of this
business is that you can rarely do your job during the day,” says
Klein. “I can’t do penetration testing or vulnerability assessments
during the day because they don’t want their network screwing up or
slowing down because of my scan while they’re trying to do business.
So I’ll schedule the scan with the customer for usually sometime
after 11:00 p.m., and I begin deciding which tools I’m going to use
based on what their network looks like.” There are hundreds of
hacking tools to choose from, and Klein can lean on staff
programmers for any necessary script programming before they go
home.
3:00 to 5:00 p.m.: More phone calls. When things malfunction at client locations, support calls somehow
seem to back up until the end of the business day. This is also when
Klein drops into exclusive security admin chat rooms and sifts
through his email newsletters on the lookout for breaking security
news. Often, he’ll discover new exploits on “0 Day” and immediately
inform applicable customers. Security bulletins from platform
vendors are likely to follow days to weeks
later.
6:00 to 8:00 or 9:00 p.m.: Home for “screwing around” on his PCs. This is Klein’s decompression time
spent ploughing through more than 200 personal emails and gaming.
His current fave is MS Flight Simulator, although past hits have
covered Asheron’s Call and EverQuest, and he expects next up will be
Final Fantasy XI.
9:00 p.m.: Wife Deana gets home from work. The couple eats dinner, watches some tube, and
relaxes. Deana heads to bed around 10:30 to 11:00 p.m. while Klein
gets back to work.
11:00 p.m. to later: Time to run jobs. “I’ll stay up until at least 1:00 a.m., sometimes 2:00
or 3:00 depending on what I’m doing for clients. If I’m running a
penetration scan, it could be 4:00 a.m. or later because if it
breaks something, I want to know about it . . . and I can’t stand to
just let it run and not see the results.”
Digital Fortress: No Hack Job This
Image caption: The site supplied for the hack was a friendly and happy place.
White
hat hacker James “Digital Ebola” Lohman was kind enough to volunteer
to take a whack at a site we set up. We’d hoped that he
could dig into the Web server, copy out the graphic of our beloved
editor, and replace it with something, umm, more
interesting.
Perhaps it wasn’t a fair test. Whereas many Web
sites run on a Windows system with IIS 5, our test config ran Red
Hat 8 with Apache 2.0.40, which is regarded as very secure.
Moreover, the box was current on patches and sat behind a firewall,
all of which, in Lohman’s estimation, made it far more hack-proof
than the bulk of servers on the Internet.
Still, the system
wasn’t a complete brick wall. Lohman used the popular Nmap
open-source scanner to determine the host’s services, OS, and other
characteristics. When the system first went live, only the Web
service on port 80 was open, which is the ideal configuration for a
box like this. You only want to open the barest essentials. However,
the server went down after a couple of days, and following a reboot
the configuration looked like this:
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
111/tcp  open     rpcbind
113/tcp  filtered auth
123/tcp  filtered ntp
161/tcp  filtered snmp
162/tcp  filtered snmptrap
443/tcp  filtered https
1993/tcp filtered snmp-tcp-port
Discovering this much took Lohman two minutes. The open SSH service
(OpenSSH 3.4p1) looked like a possible hack candidate because every OpenSSH
release before 3.7 is known to be vulnerable, provided you have exploit code
tailored to that system’s configuration. He consulted about 100 different
resources for suitable existing code but came up empty. He is confident that he
could write the necessary code himself, but it would likely take two full days
of work, and he would first build a nearly identical configuration on which to
practice the attack until it reliably yielded a root account.
Image caption: While tame compared to most Web site defacements, we’d hoped to
replace our test site’s original image with something more racy. Another day,
perhaps.
“After
exploiting the SSL (443) vulnerability,” says Lohman, “I would be
given the rights of the user running the Apache service. If I could
break that, I’d look at your kernel version because I know the 2.4
series kernels have major vulnerabilities I can gain root with. If
the kernel had been patched, I would turn around and start looking
for every file on the system set for a user ID of root. I would
start banging on those and see if there was exploit code available
for any of them. If not, I would hit each one individually and start
checking for possible buffer overflows that could crash that binary
and dump you out as root.”
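The last step Lohman describes, hunting for setuid-root binaries to attack, has a defensive mirror image: inventory every setuid-root file on the box and flag any that the administrator did not put there. The script below is an added example for this article, not Lohman’s code or the magazine’s. The allowlist of known setuid-root paths is constructed for illustration; on a real system you would generate it from the package manager on a freshly installed machine. The function and type names are the example’s own.

```python
"""Inventory setuid-root files and flag any not on an allowlist.

Added example, not from the article or from Lohman. It implements the
defender's side of the setuid hunt he describes: walk the filesystem, collect
every regular file with the setuid bit set and owned by root, and report those
that are not in a known-good list.
"""
import os
import stat
from typing import Iterable, List, NamedTuple


class FileRecord(NamedTuple):
    path: str
    mode: int   # st_mode as returned by os.lstat
    uid: int    # st_uid


# Constructed allowlist for illustration only; build yours from the distro's
# package database (e.g. the files a fresh install owns with mode 4xxx).
KNOWN_SETUID_ROOT = frozenset({
    "/usr/bin/passwd",
    "/usr/bin/sudo",
    "/bin/su",
    "/bin/ping",
})


def is_setuid_root(rec: FileRecord) -> bool:
    """True for a regular file owned by uid 0 with the setuid bit set."""
    return (stat.S_ISREG(rec.mode)
            and bool(rec.mode & stat.S_ISUID)
            and rec.uid == 0)


def unexpected_setuid_root(records: Iterable[FileRecord],
                           allowlist: frozenset = KNOWN_SETUID_ROOT) -> List[str]:
    """Return the paths of setuid-root files that are not on the allowlist."""
    return sorted(r.path for r in records
                  if is_setuid_root(r) and r.path not in allowlist)


def _same_device(path: str, dev: int) -> bool:
    try:
        return os.lstat(path).st_dev == dev
    except OSError:
        return False


def walk_records(root: str = "/") -> Iterable[FileRecord]:
    """Yield a FileRecord for every file under root, staying on one filesystem."""
    root_dev = os.lstat(root).st_dev
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune directories on other filesystems (/proc, /sys, network mounts).
        dirnames[:] = [d for d in dirnames
                       if _same_device(os.path.join(dirpath, d), root_dev)]
        for name in filenames:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            yield FileRecord(p, st.st_mode, st.st_uid)


if __name__ == "__main__":
    for p in unexpected_setuid_root(walk_records("/")):
        print("UNEXPECTED SETUID ROOT:", p)
```

Run it as root so every directory is readable; anything it prints is either a binary the allowlist is missing or exactly the kind of foothold Lohman would be looking for.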
Lohman notes that a secure system today may not be so tomorrow. Our machine’s
SSL port (443) would have been one such attack vector had it been open for any
hacker to waltz through, but we had it filtered. However, a poorly executed
configuration change in our filtering, or a failure of our Linux firewall to
start on boot, would leave the box very vulnerable; the scan above, taken after
a reboot, already shows two services (SSH and rpcbind) that were not exposed
when the box first went live. Additionally, all it takes is one hacker
somewhere in the world to discover a weakness in our software, post it to a
forum or a site such as packetstormsecurity.org, and the site could be hacked
within hours. In network security, the word “safe” does not apply.
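The reboot that turned a one-port box into a three-port box is the kind of drift a periodic scan should catch automatically. The script below is an added example, not part of the article: it parses the port table Nmap prints, compares it against a baseline of what the host is supposed to expose, and lists every port in an unexpected state. The sample scan is the article’s post-reboot table reproduced in Nmap’s layout; the baseline (only 80/tcp open) is what the article says the box looked like at launch. Function and constant names are the example’s own.

```python
"""Compare an Nmap port table against the ports a host is supposed to expose.

Added example, not from the original article. It parses the plain-text port
table Nmap prints (PORT / STATE / SERVICE columns) and reports any port whose
state differs from an expected baseline, so a firewall that failed to start
or a service that appeared after a reboot shows up as a finding.
"""
import re
from typing import Dict, List, Tuple

# One Nmap port-table line, e.g. "22/tcp   open     ssh".
PORT_LINE = re.compile(
    r"^\s*(\d+)/(tcp|udp)\s+"
    r"(open\|filtered|closed\|filtered|open|closed|filtered|unfiltered)\s+(\S+)"
)

# Scan output as reproduced in the article for the test box after its reboot.
AFTER_REBOOT_SCAN = """\
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
111/tcp  open     rpcbind
113/tcp  filtered auth
123/tcp  filtered ntp
161/tcp  filtered snmp
162/tcp  filtered snmptrap
443/tcp  filtered https
1993/tcp filtered snmp-tcp-port
"""

# Baseline: the article says only the Web service on port 80 was open at
# launch. Any port not listed here is expected to be filtered or closed.
BASELINE = {"80/tcp": "open"}


def parse_port_table(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {"22/tcp": ("open", "ssh"), ...} from Nmap's normal output."""
    ports: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service = m.groups()
            ports[f"{port}/{proto}"] = (state, service)
    return ports


def drift(scan: Dict[str, Tuple[str, str]], baseline: Dict[str, str]) -> List[str]:
    """List ports whose observed state is not what the baseline allows.

    Ports absent from the baseline must be filtered or closed; any other state
    is a finding. Ports present in the baseline must be in their listed state.
    Results are ordered by port number.
    """
    findings = []
    for port, (state, service) in sorted(scan.items(),
                                         key=lambda kv: int(kv[0].split("/")[0])):
        expected = baseline.get(port)
        if expected is None:
            if state not in ("filtered", "closed"):
                findings.append(f"{port} {state} ({service}): not in baseline")
        elif state != expected:
            findings.append(f"{port} {state} ({service}): expected {expected}")
    return findings


if __name__ == "__main__":
    for f in drift(parse_port_table(AFTER_REBOOT_SCAN), BASELINE):
        print("DRIFT:", f)
```

Feed it the output of a scheduled `nmap -sS -p- host` from outside the firewall and alert on a non-empty result; the two lines it prints for the article’s scan (22/tcp and 111/tcp) are exactly the services that should have sent someone to check why the packet filter was not loaded after the reboot.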