The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers (18 page)

small badges, whereas like the Fish & Game Department issues

huge badges. So the power is in reversed proportion. They thought

that was funny. 108 The Art of Intrusion

On their way out, the agents gave Adrian a cursory look, as if just real- izing the young man staring into a cold cup of coffee might have heard things he shouldn't have.

Another time Adrian was able with a single phone call to find out crit- ical information about AOL. While their IT systems are well-protected, he says he exposed a serious vulnerability when he called the company that manufactures and lays their fiber optic cable. Adrian claims he was given all the cyber maps showing where AOL's main and backup cables were buried. "They just assumed that if you knew to call them, you must be okay to talk to." A hacker out to cause trouble could have cost AOL millions of dollars in downtime and repairs.

That's pretty scary. Adrian and I agree; it's mind-blowing the way peo- ple are so loose with information.

These Days In the summer of 2004, Adrian Lamo was sentenced to six months home confinement and two years of supervised release. The Court also ordered him to pay $65,000 in restitution to his victims.4 Based on Adrian's earn- ing potential and his lack of funds (he was homeless at the time, for God's sake), this amount of restitution is plainly punitive. In setting a figure for restitution, the court must consider a number of factors, including the defendant's present and future ability to pay, and the actual losses suf- fered by his victims. An order of restitution is not supposed to be puni- tive. In my opinion, the judge did not really consider Adrian's ability to pay such a large amount but probably instead set the amount as a way of sending a message, since Adrian's case has been so much in the news.

Meanwhile he's rehabilitating himself and turning his life around on his own. He's taking journalism classes at a community college in Sacramento; he's also writing articles for a local newspaper and beginning to do a bit of freelancing.

To me, journalism is the best career I could choose, while remain-

ing true to what makes me tick -- curiosity, wanting to see things

differently, wanting to know more about the world around me.

The same motives as hacking.

Adrian is, I hope, being honest with himself and with me when he talks about his awareness of a new course in life.

I'd be lying if I said I thought people could change overnight. I

can't stop being curious overnight, but I can take my curiosity

and apply it in a way that doesn't hurt people. Because if there's Chapter 5 The Robin Hood Hacker 109

one thing I've taken from this process, it's an awareness that there

are real people behind networks. I really can't look at a computer

intrusion and not think about the people who have to stay up

nights worrying about it any more.

I think journalism and photography for me are intellectual sur-

rogates for crime. They let me exercise my curiosity, they let me see

things differently, they let me pursue tangents in a way that's

law-abiding.

He has also talked his way into a freelance assignment for Network World. They had contacted him, wanting to use him as the source for a story; he pitched them the idea that instead of doing a sidebar interview with him, they'd let him write the sidebar. The magazine editor agreed. So accompanying a piece profiling hackers was a piece by him on profil- ing network administrators.

Journalism is what I want to do. I feel like I can make a differ-

ence, and that's not something you get a lot of from working in

security. Security is an industry that very prevalently relies on

people's fears and uncertainties about computers and technology.

Journalism is far more about the truth.

Hacking is a unique ego issue. It involves the potential for a great

deal of power in the hands of a single individual, power reserved

for government or big business. The idea of some teenager being

able to turn off the power grid scares the hell out of government.

It should.

He doesn't consider himself a hacker, cracker, or network intruder. "If I can quote Bob Dylan, `I'm no preacher or traveling salesman. I just do what I do.' It makes me happy when people understand or want to understand that."

Adrian says he has been offered lucrative jobs with the military and a federal government agency. He turned them down. "A lot of people enjoy sex, but not everyone wants to do it for a living."

That's Adrian the purist ... the thinking man's hacker.

INSIGHT Whatever you think about Adrian Lamo's attitude and actions, I'd like to think you will agree with me about the way the federal prosecutors cal- culated the cost of the "damage" he caused. 110 The Art of Intrusion

I know from personal experience how prosecutors build up the sup- posed price tag in hacker cases. One strategy is to obtain statements from companies that overstate their losses in hopes of forcing the hacker to plead out rather than going to trial. The defense attorney and the prose- cutor then haggle over agreeing on some lesser figure as the loss that will be presented to the judge; under federal guidelines, the greater the loss, the longer the sentence.

In Adrian's case, the U.S. Attorney chose to ignore the fact that the companies learned they were vulnerable to attack because Adrian himself told them so. Each time, he protected the companies by advising them of the gaping holes in their systems and waiting until they had fixed the problems before he permitted news of his break-in to be published. Sure he had violated the law, but he had (at least in my book) acted ethically.

COUNTERMEASURES The approach used by attackers, and favored by Adrian, of running a Whois query can reveal a number of pieces of valuable information, available from the four network information centers (NICs) covering different geographic regions of the world. Most of the information in these databases is public, available to anyone who uses a Whois utility or goes to a Web site that offers the service, and enters a domain name such as nytimes.com.

The information provided may include the name, e-mail address, physi- cal address, and phone number of the administrative and technical contacts for the domain. This information could be used for social engineering attacks (see Chapter 10, "Social Engineers -- How They Work and How to Stop Them"). In addition, it may give a clue about the pattern for e-mail addresses and login names used by the company. For example, if an e-mail address showed as, say, [email protected], this could suggest the possibility that not just this one employee but perhaps quite a number of Times staff members might be using just their first name for e-mail address, and possibly also for sign-on.

As explained in the story of Adrian's New York Times attack, he also received valuable information about the IP addresses and netblocks assigned to the newspaper company, which were a cornerstone of his suc- cessful attack.

To limit information leakage, one valuable step for any company would be to list phone numbers only for the company switchboard, rather than for specific individuals. Telephone receptionists should undergo intensive training so they can quickly recognize when someone is trying to pry information out of them. Also, the mailing address listed should be the published address of the corporate headquarters, not the address of par- ticular facilities. Chapter 5 The Robin Hood Hacker 111

Even better: Companies are now permitted to keep private the domain name contact information -- it no longer has to be listed as information available to anyone who inquires. On request, your company's listing will be obscured, making this approach more difficult for attackers.

One other valuable tip was mentioned in the story: setting up a split- horizon DNS. This involves establishing an internal DNS server to resolve hostnames on the internal network, while setting up another DNS server externally that contains the records for hosts that are used by the public.

In another method of reconnaissance, a hacker will query authoritative Domain Name Servers to learn the type and operating system platform of corporate computers, and information for mapping out the target's entire domain. This information is very useful in coordinating a further attack. The DNS database may include Host Information (HINFO) records, leaking this information. Network administrators should avoid publishing HINFO records in any publicly accessible DNS server.

Another hacker trick makes use of an operation called a zone transfer. (Although unsuccessful, Adrian says he attempted this method in his attacks on both the New York Times and Excite@Home.) For protection of data, a primary DNS server is usually configured to allow other authoritative servers permission to copy DNS records for a particular domain. If the primary server hasn't been configured properly, an attacker can initiate a zone transfer to any computer he or she designates, and in this way readily obtain detailed information on all the named hosts and their associated IP addresses of the domain.

The procedure for protecting against this type of attack involves only allowing zone transfers between trusted systems as necessary for business operations. To be more specific, the DNS primary server should be con- figured to allow transfers only to your trusted secondary DNS server.

Additionally, a default firewall rule should be used to block access to TCP port 53 on any corporate name servers. And another firewall rule can be defined to allow trusted secondary name servers to connect to TCP port 53 and initiate zone transfers.

Companies should make it difficult for an attacker to use the reverse DNS lookup technique. While it is convenient to use hostnames that make it clear what the host is being used for -- names such as database. CompanyX.com -- it's obvious that this also makes it easier for an intruder to spot systems worth targeting.

Other information-gathering DNS reverse lookup techniques include dictionary and brute-force attacks. For example, if the target domain is kev- inmitnick.com, a dictionary attack will prefix every word in the dictionary to the domain name in the form of dictionaryword.kevinmitnick.com, to 112 The Art of Intrusion

identify other hosts within that domain. A brute-force reverse DNS attack is much more complex, where the prefix is a series of alphanumeric characters that are incremented a character at a time to cycle through every possibility. To block this method, the corporate DNS server can be configured to eliminate publishing DNS records of any internal host- names. And an external DNS server can be used in addition to the inter- nal one, so that internal hostnames are not leaked to any untrusted network. In addition, the use of separate internal and external name servers also helps with the issue mentioned previously concerning host- names: An internal DNS server, protected from visibility from outside the firewall, can use hostnames with identifying hostnames such as database, research, and backup with little risk.

Adrian was able to gain valuable information about the New York Times network by examining the header of an e-mail received from the newspa- per, which revealed an internal IP address. Hackers intentionally bounce e-mail messages to obtain this kind of information, or scour public news- groups looking for e-mail messages that are similarly revealing. The header information can provide a wealth of information, including the naming conventions used internally, internal IP addresses, and the route an e-mail message has taken. To protect against this, companies should configure their SMTP (Simple Mail Transfer Protocol) server to filter out any inter- nal IP addresses or host information from outgoing mail messages, pre- venting internal identifiers from being exposed to the public.

Adrian's primary weapon was his intellectual gift of finding misconfig- ured proxy servers. Recall that one use of a proxy server is to allow users on the trusted side of the computer network to access Internet resources on the untrusted side. The user on the inside makes a request for a par- ticular Web page; the request is sent to the proxy server, which forwards the request on behalf of the user and passes the response back to the user.

To prevent hackers from obtaining information the way Adrian does, proxy servers should be configured to listen only on the internal inter- face. Or, instead, they may be configured to listen only to an authorized list of trusted outside IP addresses. That way, no unauthorized outside user can even connect. A common mistake is setting up proxy servers that listen on all network interfaces, including the external interface con- nected to the Internet. Instead, the proxy server should be configured to allow only a special set of IP addresses that have been set aside by the Internet Assigned Numbers Authority (IANA) for private networks. There are three blocks of private IP addresses:

10.0.0.0 through 10.255.255.255

172.16.0.0 through 172.31.255.255

192.168.0.0 through 192.168.255.255 Chapter 5 The Robin Hood Hacker 113

It's also a good idea to use port restriction to limit the specific services the proxy server will allow, such as limiting any outgoing connections to HTTP (Web access) or HTTPS (secure Web access). For further control, some proxy servers using SSL (Secure Sockets Layer) may be configured to examine the initial stages of the traffic being sent to confirm that an unauthorized protocol is not being tunneled over an authorized port. Taking these steps will curtail an attacker from misusing the proxy server to connect to unauthorized services.

After installing and configuring a proxy server, it should be tested for vulnerabilities. You never know if you're vulnerable until you test for secu- rity failures. A free proxy checker can be downloaded from the Internet.5

One other item: Since a user installing a software package may in some circumstances unknowingly be also installing proxy server software, cor- porate security practices should provide some procedure for routinely checking computers for unauthorized proxy servers that may have been installed inadvertently. You can use Adrian's favorite tool, Proxy Hunter, to test your own network. Remember that a misconfigured proxy server can be a hacker's best friend.