The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers (15 page)

At the Sheridan prison, Matt found out another inmate was a former executive from Boeing. "He got in trouble for some type of embezzle- ment or white collar crime." It seemed somehow ironic.

Costa and other Boron inmates were frequently driven half an hour across the desert in a steaming prison bus to do menial labor at nearby Edwards Air Force Base. "They put me in an army hangar where they had a VAX server. I wasn't even supposed to be near a computer." He alerted the sergeant. "I told him my story and he's like, `Oh, go ahead.'" Costa wasted no time getting acquainted with the military computer. "I was getting on the IRC every day and chatting away while I was locked up. I was downloading Doom at high speed. It was amazing, great!"

At one point Costa was assigned to clean out a classified communications van filled with sensitive electronics. "I just couldn't believe they were let- ting us do this."

On one level, their prison time sounds like a lark, almost a joke. It wasn't. Every month they spent inside was a month of life wasted, a month of education missed, a month apart from people they cared about and wanted to be with. Every morning a prisoner starts his day wondering if today will bring a fistfight to defend himself or his property. Jail and prison can be terrifying. Chapter 4 Cops and Robbers 87

What They're Doing Today A decade after they were released, both seem to be settled into more tra- ditional lives. Matt is currently working for a large company in San Jose as a Java application developer. Costa has his own company and sounds quite busy, "setting up digital surveillance systems and distributed audio clients (slimdevices) for businesses." He's found work that he's well suited for; people bored with their jobs would be envious that he is, he says, "enjoying every minute."

INSIGHT It seems amazing in today's world that hackers still find it so easy to saunter into so many corporate Web sites. With all the stories of break-ins, with all the concern about security, with dedicated, professional security people on staff or consulting to companies large and small, it's shocking that this pair of teenagers were skillful enough to find their way into the computers of a federal court, a major hotel chain, and Boeing Aircraft.

Part of the reason this happens, I believe, is that many hackers follow a path like I did, spending an inordinate amount of time learning about computer systems, operating system software, applications programs, networking, and so on. They are largely self-taught but also partly men- tored in an informal but highly effective "share the knowledge" tutoring arrangement. Some barely out of junior high have put in enough time and gained enough knowledge in the field that they qualify for a Bachelor of Science in Hacking degree. If MIT or Cal Tech awarded such a degree, I know quite a few I would nominate to sit for the graduation exam.

No wonder so many security consultants have a secret past as a black-hat hacker (including more than a couple whose stories appear in these pages). Compromising security systems requires a particular type of mindset that can thoughtfully analyze how to cause the security to fail. Anybody trying to enter the field strictly on the basis of classroom learning would require a lot of hands-on experience, since he or she would be competing with consultants who started their education in the subject at age 8 or 10.

It may be painful to admit, but the truth is that everyone in the security field has a lot to learn from the hackers, who may reveal weakness in the system in ways that are embarrassing to acknowledge and costly to address. They may break the law in the process, but they perform a valuable serv- ice. In fact, many security "professionals" have been hackers in the past.

Some will read this and put it down to Kevin Mitnick, the one-time hacker, simply defending today's generation of hackers. But the truth is that many hacker attacks serve the valuable purpose of exposing weak- nesses in a company's security. If the hacker has not caused any damage, 88 The Art of Intrusion

committed a theft, or launched a denial-of-service attack, has the com- pany suffered from the attack, or benefited by being made to face up to their vulnerabilities?

COUNTERMEASURES Ensuring proper configuration management is a critical process that should not be ignored. Even if you properly configure all hardware and software at the time of installation and you keep up-to-date on all essen- tial security patches, improperly configuring just a single item can create a crack in the wall. Every organization should have an established proce- dure for ensuring that IT personnel who install new computer hardware and software, and telecom personnel who install telephone services, are thoroughly trained and regularly reminded, if not tested, on making cer- tain security is ingrained in their thinking and behavior.

At the risk of sounding -- here and elsewhere -- as if we're promoting our earlier book, The Art of Deception (Wiley Publishing, Inc., 2002) pro- vides a plan for employee computer-security awareness training. Systems and devices should be security tested prior to being put into production.

I firmly believe that relying only on static passwords should be a prac- tice of the past. A stronger form of security authentication, using some kind of physical device such as time-based token or a reliable biometric, should be used in conjunction with a strong personal password -- changed often -- to protect systems that process and store valuable infor- mation. Using a stronger form of authentication doesn't guarantee it can't be hacked, but at least it raises the bar.

Organizations that continue to use only static passwords need to pro- vide training and frequent reminders or incentives that will encourage safe password practices. Effective password policy requires users to con- struct secure passwords containing at least one numeral, and a symbol or mixed-case character, and to change them periodically.

A further step requires making certain that employees are not catering to "lazy memory" by writing down the password and posting it on their mon- itor or hiding it under the keyboard or in a desk drawer -- places any expe- rienced data thief knows to look first. Also, good password practice requires never using the same or similar password on more than one system.

THE BOTTOM LINE Let's wake up, people. Changing default settings and using strong pass- words might stop your business from being victimized. Chapter 4 Cops and Robbers 89

But this isn't just user stupidity. Software manufacturers have not made security a higher priority than interoperability and functionality. Sure, they put careful guidelines in the user guides and the installation instruc- tions. There's an old engineering saying that goes, "When all else fails, read the instructions." Obviously, you don't need an engineering degree to follow that bad rule.

It's about time that manufacturers began getting wise to this perennial problem. How about hardware and software manufacturers starting to recognize that most people don't read the documentation? How about providing a warning message about activating the security or changing the default security settings that pops up when the user is installing the product? Even better, how about making it so the security is enabled by default? Microsoft has done this recently -- but not until late 2004, in the security upgrade to Windows XP Professional and Home editions with their release of "Service Pack 2," in which the built-in firewall is turned on by default. Why did it take so long?

Microsoft and other operating system manufactures should have thought about this years ago. A simple change like this throughout the industry might make cyberspace a little safer for all of us.

The Robin Hood Hacker [Hacking] has always been for me less about technology and more about religion.

-- Adrian Lamo

H

acking is a skill. Anyone can acquire this skill through self-

education. In my personal view, hacking is a creative art --

figuring out ways to circumvent security in clever ways, just like lock-picking enthusiasts try to circumvent locking mechanisms for the pure entertainment value. Individuals could hack without breaking the law.

The distinction lies on whether the owner has given permission to the hacker to attempt to infiltrate the owner's computer systems. There are many ways people can hack, albeit with permission of the "victim." Some knowingly break the law but are never caught. Some run the risk and serve prison time. Virtually all hide their identities behind a moniker -- the online version of a nickname.

Then there are the few like Adrian Lamo, who hack without masking their identity and when they find a flaw in some organization's security, tell them about it. These are the Robin Hoods of hacking. They should not be incarcerated but celebrated. They help companies wake up before some hacker of the malicious type does the company serious damage.

The list of organizations that the federal government says Adrian Lamo has hacked into is, to say the least, impressive. It includes Microsoft, Yahoo!, MCI WorldCom, Excite@Home, and telephone companies SBC, Ameritech, and Cingular.1And the venerable New York Times.

91 92 The Art of Intrusion

Okay, yes, Adrian has cost companies money, but not nearly as much money as the prosecutors claimed.

Rescue Adrian Lamo was not a typical "let's hang out at the mall" kind of teen. Late one night, for example, he and friends were exploring a large aban- doned industrial complex located on some river banks. With no particular agenda in mind, they wandered through a vast, decrepit plant and quickly became lost. It was about two in the morning before they found their way out of the maze. As they crossed a defunct railroad line alongside tomb- stones of rusting industrial machinery, Adrian heard faint cries. Though his friends just wanted to get out of there, Adrian's curiosity was piqued.

Following the plaintive sound brought him to a dirty storm drain. The faint light was just enough to see into its dark recesses, where a tiny kit- ten was trapped in the bottom, yowling for all its worth.

Adrian called directory assistance on his cell phone for the number of the police department. Just then a police cruiser's spotlight blinded the group.

The guys were dressed in what Adrian describes as "urban exploration gear -- you know, gloves and dirty over-clothes. Not the sort of clothing that inspires confidence and goodwill with law enforcement." Adrian also believes that as a teenager, he looked somewhat suspicious, and "We may or may not have had things on us that could have resulted in arrest," he says. Options raced through Adrian's head; they could submit to a long string of questions and possible arrest, run, or ... a plan came to him.

I flagged them down and said, "Hey, there's this kitten in the

storm drain. I could sure use your help." Fast forward two hours

later, none of us has been searched -- the suspicious circumstances

forgotten.

Two police cruisers and one animal control vehicle later, the bedrag- gled kitten was lifted to safety in a net at the end of a long pole. The police gave the kitten to Adrian, who took it home, cleaned it up, and named it "Alibi." His friends called it "Drano."

Later, Adrian reflected on the encounter. As somebody who doesn't believe in coincidence, he's certain they'd all been exactly where they were meant to be at the moment. He views his "almost transcendental" computer experiences the same way: There are no accidents.

It's interesting that Adrian also sees the kitten ordeal as a parallel to what hackers do. Words like "adapt," "improvise," and "intuition" come Chapter 5 The Robin Hood Hacker 93

to mind, all critical ingredients to successfully negotiating the many traps and dead ends lurking in the Web's back streets and alleyways.

Roots Born in Boston, Adrian spent most of his childhood moving around New England before the family settled in Washington, DC. His father, a native Colombian, writes children's stories and does Spanish/English transla- tions; Adrian considers him a natural-born philosopher. His mother taught English but now manages the home. "They used to take me to political rallies when I was a little kid. They raised me to question what I see around me and made efforts to broaden my horizons."

Adrian doesn't feel he fits a specific demographic profile, even though he sees most hackers as falling into what he calls "white-bread middle- class." I once had the honor of meeting his parents and heard from them that one of the reasons their son got involved in hacking was because he had several favorite hackers who inspired him. It wasn't mentioned, but I get the impression from Adrian that one of those individuals might have been me. His parents probably wanted to wring my neck.

At the age of seven, Adrian began fooling around on his dad's computer, a Commodore 64. One day he became frustrated with a text adventure game he was trying to play. Every option seemed to lead to a dead end. He discovered that while loading a program on the computer, and before executing the Run command, there was a way he could instruct the com- puter to generate a listing of the game's source code. The listing revealed the answers he was looking for and he promptly won the game.

It's well known that the earlier a child begins learning a foreign language, the more naturally he or she acquires it. Adrian thinks the same is true about starting early on a computer. He theorizes the reason may be that the brain has yet to become "hardwired," with the neural net more mal- leable, faster to acquire and accommodate, than it will be in adulthood.

Adrian grew up immersed in the world of computers, seeing them as an extension of reality and therefore readily manipulated. For him a com- puter was not something one read about or poured over lengthy manu- als to understand. It was not an external device, like a refrigerator or a car, but a window -- into himself. He decided that he organically processed information the way a computer and its internal programs do.

Midnight Meetings Of the corporate computer systems Adrian has hacked into, he considers Excite@Home his ultimate "cloak-and-dagger" experience. The epic started on a whim when somebody suggested he check out the @Home 94 The Art of Intrusion

site. As the clearinghouse for all cable Internet services in the United States, Adrian was sure it was well protected and wouldn't be worth his time. But if he could successfully hack in, he would have access to key information about every cable user in the country.

Hackers are discovering these days that Google can be surprisingly help- ful for uncovering likely targets of attack and revealing useful information about them. Adrian kicks off a lot of his hacking forays by googling a set of keywords that often lead to sites with some flaw in their configuration.

So he plugged his laptop into an open network jack in the student lounge of a Philadelphia university and called up the Excite@Home Web page. The student lounge was a familiar kind of setting for him: Any loca- tion used by lots of people, or a public Internet kiosk, or an open wireless access point -- connecting online from places like these provides an easy, effective way for a hacker to mask his or her location. Uncovering the true identity of someone who randomly uses public Internet access points is extremely difficult.

Adrian's mindset is to get into the thought processes of the person who designed the program or network he's attacking, using his knowledge of the patterns and standard practices that network architects commonly use as his initial crutch. He is quite adept at exploiting misconfigured proxy servers -- dedicated computer systems that pass traffic between the inter- nal network and "untrusted" networks like the Internet. The proxy examines each connection request according to the rules it's been given. When a network administrator botches the job of configuring the com- pany's proxy servers, anyone who can connect to the proxy may be able to tunnel through to the company's supposedly secure internal network.

To a hacker, such an open proxy is an invitation to mayhem because it allows him to look as if he's originating requests just like any legitimate company employee: from inside the company's own network.

From that university student lounge, Adrian discovered a misconfig- ured proxy that opened the door to the internal Web pages for various departments of Excite@Home. Under the Help section of one, he posted a question about trouble logging in. The response that came back bore the URL address of a small part of the system designed to assist in resolv- ing IT problems. By analyzing this URL, he was able to access other divi- sions of the company that used the same technology. He was not asked for authentication: The system had been designed on the assumption that anyone who knew to call up addresses to these parts of the Web site must be an employee or other authorized person -- a shaky premise so wide- spread that it has a nickname, "security through obscurity."

For the next step, he visited a site popular with cyberspace explorers, Netcraft.com. Adrian randomly entered partial domain names, such as Chapter 5 The Robin Hood Hacker 95

Netcraft returned a list of Excite@Home servers, showing them as Solaris machines running the Apache Web server software.

As Adrian explored, he discovered that the company's network opera- tions center offered a technical support system that allowed authorized employees to read details of customers requesting assistance -- "Help! I can't access my account," or whatever. The employee would sometimes ask the customer to provide his or her username and password -- safe enough because this was all behind the corporate firewall; the information would be included on the trouble ticket.

What Adrian found was, he says, "eye-opening." The treasures included tickets that contained login and password information for cus- tomers, details on the process for handling trouble tickets, and com- plaints from internal users about computer problems they had been having. He also found a script for generating an "authentication cookie" that would allow a technician to authenticate as any account holder, to troubleshoot a problem without requiring the customer's password.

One memo on a ticket caught Adrian's attention. It showed the case of a customer who more than a year earlier had asked for help with refer- ence to personal information, including credit card numbers, stolen by someone on an Internet Relay Chat service. The internal memo stated that the "techs" (technicians) decided it wasn't their problem and didn't bother responding. They basically blew the poor guy off. Posing as a company technician, Adrian called the man at home and said, "Hey, I'm not really supposed to be working this ticket, but I was curious if you ever got a response from us." The man said he'd never heard a single word. Adrian promptly forwarded him the correct answer and all the internal documentation and discussion regarding his unresolved ticket.

I got a sense of satisfaction out of that because I want to believe

in a universe where something so improbable as having your

database stolen by somebody on Internet Relay Chat can be

explained a year later by an intruder who has compromised the

company you first trusted to help you.

About this time, the open proxy that had given him access stopped working. He wasn't sure why, but he could no longer get in. He started looking for another way. The approach he came up with was, in his words, "entirely novel."

His first toehold came from doing what's called a reverse DNS lookup -- using an IP address to find out the corresponding hostname. (If you enter a request in your browser to go to the site for www.defensivethinking. com, the request goes to a Domain Name Server (DNS), which translates the name into an address that can be used on the Internet to route your 96 The Art of Intrusion

request, in this case 209.151.246.5. The tactic Adrian was using reverses this process: The attacker enters an IP address and is provided the domain name of the device that the address belongs to.)

He had many addresses to go through, most of which provided noth- ing of interest. Eventually, though, he found one with a name in the form of dialup00.corp.home.net, and several others that also began "dialup." He assumed these were hosts used by employees on the road, for dialing in to the corporate network.

He soon discovered that these dial-up numbers were being used by employees still working on computers running older versions of the oper- ating system -- versions as ancient as Windows 98. And several of the dial- up users had open shares, which allowed remote access to certain directories, or the entire hard drive, with no read or write password. Adrian realized that he could make changes to the operating system startup scripts by copying files to the shares, so they would run commands of his choosing. After writing over particular startup files with his own ver- sion, he knew he would have to wait until the system was rebooted before his commands would be executed. But Adrian knows how to be patient.

The patience eventually paid off, and Adrian moved on to the next step: installing a Remote Access Trojan (a "RAT"). But to do this, he doesn't reach for any of the commonly available hacker-developed Trojans, the kind other intruders use for malicious purposes. Antivirus programs, so highly popular these days, are designed to recognize common backdoor and Trojan programs, and quarantine them instantly. As a way around this, Adrian finds a legitimate tool designed for use by network and sys- tem administrators -- commercial remote-administration software, which he modifies slightly so it's invisible to the user.

While antivirus products look for the kinds of remote-access software known to be used by the hacker underground, they do not look for remote-access software developed by other commercial software compa- nies, on the assumption that these products are being used legitimately (and also, I suppose, because the Developer X software company might sue if the antivirus software treated its product as malicious and blocked it). Personally I believe this is a bad idea; the antivirus products should alert the user to any product that could be used maliciously and let the user decide whether it has been legitimately installed. Taking advantage of this loophole, Adrian is frequently able to install "legitimate" RATs that subvert the detection of antivirus programs.