Stings, penetration pwns, spy games -- it's all in a day's work along the thin gray line of IT security
In the mainstream media, hacking gets a bum rap. Sure, the headline grabbers are often nefarious, but all computer professionals are hackers at heart. We all explore the systems we use, often reaching beyond their normal intent. This knowledge and freedom can come through big time in sticky situations.
In my three decades fighting malicious hackers, I've come to rely heavily on that desire to scratch an itch. Improvisation and familiarity with computing systems are essential when combating those who will do almost anything to compromise your network.
[ Verse yourself in 14 dirty IT security consultant tricks, 9 popular IT security practices that just don't work, and 10 crazy security tricks that do. | Find out how to block the viruses, worms, and other malware that threaten your business, with hands-on advice from expert contributors in InfoWorld's PDF guide. | Keep up with key security issues with InfoWorld's Security Central newsletter. ]
Some call it white-hat hacking. I call it a good day's work -- or weekend fun, depending on whether it's at home or business.
Here are five true tales of bringing down the baddies. I can't say I'm proud of all the things I did, but the stories speak for themselves. Got one of your own to pass along? Send it my way, or share it in the comments.
True tale of (mostly) white-hat hacking No. 1: Disney, porn, and XSSCross-site scripting (XSS) continues to be the No. 1 problem plaguing websites, even today. XSS vulnerabilities arise when a website allows another entity to post Web scripting commands that can then be viewed and executed by others.
Oftentimes, these vulnerabilities fly under the radar. Simply offering users the ability to post comments is enough, if your site allows script commands to be posted, viewed, and executed. A malicious party writes a malicious scripting command that is then consumed and acted upon by other visitors to your site.
When asked why you should worry about cross-site scripting attacks, I like to tell the following story, although the XSS scripting part was just one piece of a great week of hacking.
I was working at a well-known computer security company at the time, and we had been hired to perform penetration testing on an IP TV device that a large cable company was considering producing. Our mission was to find vulnerabilities in the set-top box, especially if any of those vulnerabilities could lead to stealing porn for free, posting porn to, say, the Disney channel, or leaking private customer or company information.
Two coworkers and I were set up in a computer room within one of the cable company's remote offices. Our attack targets consisted of two televisions, two cable modems, and two new set-top cable boxes (the intended testing target). We were connected to a cable TV broadband connection in such a way that no one else would know the difference between our setup and any normal customer. We then played porn on one TV and Disney movies on the other.
Three guys sitting in a room, hacking away, watching porn, and getting paid to do it -- life was good. The only thing missing was the beer. In short order, using a port scanner, I had found a Web server running on a high TCP port, in the neighborhood of 5390. I ran Nikto, a Web vulnerability finder, and it came up with a few false positives. But it also identified the Web server as something I had never heard of. A little research told me it was an open source Web server that had stopped being supported nearly a decade before.
I wondered how likely it was that an old Web server was patched against vulnerabilities that were common 10 years ago. My hunch was correct. I was able to access the set-top box using a simple directory traversal attack (such as http://..//..//..//). I was in as root and had complete control of the device. It was running an old flavor of BSD, which was full of vulnerabilities by itself. In short order, we were able to steal porn, steal credit card numbers, and switch the Disney channel out with porn. We had accomplished all our goals, only a few hours in.
Later that week I learned that my success with a directory traversal attack would find its way up to the cable company's CSO and beyond. I was invited to talk about my finding ahead of the official written report. Many of the company's bigwigs flew in for the meeting. When I asked why all the hullabaloo for something they could fix in the new set-top box, I learned that the same Web server and setup was being used in millions of existing cable boxes around the world. I did a scan of the Internet looking for the high TCP port and found tens of thousands of them awaiting anyone's connection and hacking attempt.
That's nothing to say about the hardware mods and component fires we caused during the ensuing days of boredom because we had nothing else to do but wait for our scheduled plane rides back home.
It was pure joy -- and one of the most fun hacking days in my life.
True tale of (mostly) white-hat hacking No. 2: Spamming the persistent porn spammerSome white-hat hacking walks a thin line. Here's a great example of "white-hat hacking" of a vigilante nature gone somewhat awry.
Back in the late 1980s, when I was using an email client called Lotus cc:Mail, my work email address had found its way to a porn spammer, and he began to load my inbox with enticements. After five of them came through in a couple of minutes, I decided to take a look at the email header. Back then, spammers didn't hide as much, and the header revealed the spammer's true domain name. Using a reverse lookup, I found the hacker's name, address, and work email address from his domain's DNS registrar.
I sent a polite email asking to be removed from the spammer's email list. He replied that there's nothing he could do and followed up with 10 more porn spams. This ticked me off, so I created a mailbox rule to send right back at him 100 copies of any porn spam message he shot my way. Naturally, this only incited him to fire off even more spam and a personal email indicating that he was sharing my email address with other spammers.
I used the search engine we all envied at the time, AltaVista, and found not only his personal email account, but those of his wife, daughter, and grandparents. I sent him an email notifying him that every time I received any new spam I would send 100 copies of that spam to his personal email account, as well as those of his wife, his daughter, and his grandparents. Not surprisingly, the new spam suddenly stopped. I even got an email from him notifying me that it might take a day for all spam to stop because he had to remove my name from external lists beyond his control. I never got another spam from him.
I contacted the late, great Ed Foster's Gripeline column at InfoWorld (many years before I began writing for InfoWorld myself) and told him what I did and how I had found a new way to stop spam that anyone could use. I expected him to congratulate me and make me the focus of one of his columns. Instead, he told me that what I did, or proposed to do, including using the daughter's email address in my threat, bordered on illegal, or at least ethical, issues. Bless Ed Foster for making me realize I was walking a line I might not want to tread.
True tale of (mostly) white-hat hacking No. 3: Red-herring sting nabs nefarious fishmongerYears ago I was hired by the CEO of a small fish-selling business. He had a hunch that a former senior executive had hacked his company to get a competitive edge in fish sales to Egypt. A new company, started by the former VP, was suddenly and consistently beating his bid proposals by 1 cent per pound -- just enough to ensure that my client's company went from getting every fish delivery project to getting none. The fishmonger was near bankruptcy when he hired me.
I was a little skeptical of his allegations of computer hacking during our initial visit, but while I was there something odd happened. An Egyptian contact, to whom the CEO had sent bid responses, had received an automatic notice of an email being opened (a read receipt) from an unknown email account in response to an email he had sent my client. The read receipt should have originated from the CEO's email account, but instead it came from a university email account. It looked like, and was later confirmed, that the hacker had forgotten to turn off automated read receipts in his email client, and when he opened email intended to the CEO, his email client sent back a read receipt from his email account.
We quickly figured out that the former VP had discovered the CEO's email password and was using it to pick up copies of bid information between his former company and Egypt. The newly discovered email address linked back to a nearby university, which, coincidentally, both the former VP and I had attended years ago. The school allowed former students to continue to use limited parts of its computer system, including email. Antiquated by today's standards, the university's system had a few interesting features that proved useful in our investigation: You could look up when other people were using the system, and it would let you link email addresses to real names, along with other identifying information.
We contacted the FBI and city police to report the cyber crime. At the time, the FBI had very few computer crime experts, none with real hacking skills. But with their legal assistance, I was allowed to perform, under the FBI's legal authority, some limited forensic investigative techniques.
Sure enough, the hacker was using a university email account that we could trace to the former VP. Using various lookups, we were able to see when the former employee used the university system. The correlation to days when fish bidding was performed was striking.
Of course, we could not conclusively confirm that the former VP was using his old email account, no matter how obvious it seemed. We needed a way to track an opened email back to the former VP's current IP address, which could then be subpoenaed from his ISP. I decided to use a Web beacon.
A Web beacon (aka a Web bug) is a hidden HTML link to a nearly invisible graphic element that when viewed in an HTML-enabled client allows the custodian of that element to track information about the user who has opened it. I modified the CEO's email signature to contain an HTML link to a 1-pixel transparent GIF file located on a Web server that we managed. When anyone opened an email containing the CEO's modified signature, their email client would automatically download the Web beacon, and our Web server logs would contain the viewer's current IP address, along with time, date, and other identifying information.
With our trap in place, we set up a sting. We contacted our Egyptian friend via phone to notify him of our plans. We sent an email discussing a nonexistent bid, along with our Web beacon. Further, we made a bid price that was several orders of magnitude higher than either party normally negotiated and used a fish type that did not exist. Everything about this email screamed fake, if you took the time to research it.
Immediately after we sent the email, the former VP took the bait, sending a bid to our Egyptian exactly 1 cent lower than our extremely high price. I was also able to produce evidence that the former VP accessed the university email system just prior to his response to the fake bid, and our Web beacon worked as planned. We had his IP address, which tracked him to his home. We knew it was his company; we knew it was him; we knew he had been illegally reading emails.
It was an open-and-shut case, although it took years to wind its way through multiple court hearings. Years after the hacking event, I learned that the CEO never changed his email password, proving once again that I understand computers way better than humans.
True tale of (mostly) white-hat hacking No. 4: Hacking comeuppanceI've been actively fighting malicious hackers for three decades and have been hacked only twice -- once, because I knowingly ran an early computer virus on my system but had forget to set up a safe "jail" before executing it.