The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers

Authors: Kevin D. Mitnick, William L. Simon

THE BOTTOM LINE

In our first book together, Bill Simon and I labeled social engineering as "information security's weakest link."

Three years later, what do we find? We find company after company deploying security technologies to protect their computing resources against technical invasion by hackers or hired industrial spies, and maintaining an effective physical security force to protect against unauthorized trespass.

But we also find that little attention is given to counter the threats posed by social engineers. It is essential to educate and train employees about the threat and how to protect themselves from being duped into assisting the intruders. The challenge to defend against human-based vulnerabilities is substantial. Protecting the organization from being victimized by hackers using social engineering tactics has to be the responsibility of each and every employee -- every employee, even those who don't use computers in performance of their duties. Executives are vulnerable, frontline people are vulnerable, switchboard operators, receptionists, cleaning crew staff, garage attendants, and most especially, new employees -- all can be exploited by social engineers as another step toward achieving their illicit goal.

The human element has been proven to be information security's weakest link for ages. The million dollar question is: Are you going to be the weak link that a social engineer is able to exploit in your company?

NOTES

1. The remark by psychologist Neidert can be found online at www1.chapman.edu/comm/comm/faculty/thobbs/com401/socialinfluence/mindfl.html.

2. See Kevin D. Mitnick and William L. Simon, The Art of Deception (Wiley Publishing, Inc., 2002), pp. 266-271.

Chapter 11

Short Takes

I'm not a cryptanalyst, not a mathematician. I just know how people make mistakes in applications and they make the same mistakes over and over again.

-- Former hacker turned security consultant

Some of the stories we were given in the process of writing this book didn't fit neatly into any of the preceding chapters but are too much fun to ignore. Not all of these are hacks. Some are just mischievous, some are manipulative, some are worthwhile because they're enlightening or revealing about some aspect of human nature . . . and some are just plain funny.

We enjoyed them and thought you might, too.

THE MISSING PAYCHECK

Jim was a sergeant in the U.S. Army who worked in a computer group at Fort Lewis, on Puget Sound in the state of Washington, under a tyrant of a top sergeant who Jim describes as "just mad at the world," the kind of guy who "used his rank to make everyone of lesser rank miserable." Jim and his buddies in the group finally got fed up and decided they needed to find some way of punishing the brute for making life so unbearable.

Their unit handled personnel record and payroll entries. To ensure accuracy, each item was entered by two separate soldier-clerks, and the results were compared before the data was posted to the person's record.


The revenge solution that the guys came up with was simple enough, Jim says. Two workers made identical entries telling the computer that the sergeant was dead.

That, of course, stopped his paycheck.

When payday came and the sergeant complained that he hadn't received his check, "Standard procedures called for pulling out the paper file and having his paycheck created manually." But that didn't work, either. "For some unknown reason," Jim wrote, tongue firmly planted in cheek, "his paper file could not be located anywhere. I have reason to believe that the file spontaneously combusted." It's not hard to figure out how Jim came to this conclusion.

With the computer showing that the man was dead and no hard-copy records on hand to show he had ever existed, the sergeant was out of luck. No procedure existed for issuing a check to a man who did not exist. A request had to be generated to Army headquarters asking that copies of the papers in the man's record be copied and forwarded, and for guidance on whether there was any authority for paying him in the meantime. The requests were duly submitted, with little expectation they would receive a quick response.

There's a happy end to the story. Jim reports that "his behavior was quite different for the rest the days I knew him."

COME TO HOLLYWOOD, YOU TEEN WIZARD

Back when the movie Jurassic Park 2 came out, a young hacker we'll call Yuki decided he wanted to "own" -- that is, gain control of -- the MCA/Universal Studios box that hosted lost-world.com, the Web site for the Jurassic Park movie and the studio's TV shows.

It was, he says, a "pretty trivial hack" because the site was so poorly protected. He took advantage of that by a method he described in technical terms as "inserting a CGI that ran a bouncer [higher port not firewalled] so I can connect to higher port and connect back to localhost for full access."

MCA was then in a brand-new building. Yuki did a little Internet research, learned the name of the architectural firm, got to its Web site, and found little difficulty breaking into its network. (This was long enough ago that the obvious vulnerabilities have presumably been fixed by now.)

From inside the firewall it was short work to locate the AutoCAD schematics of the MCA building. Yuki was delighted. Still, this was just a sidebar to his real effort. His friend had been busy designing "a cute new logo" for the Jurassic Park Web pages, replacing the name Jurassic Park and substituting the open-jawed tyrannosaurus with a little ducky. They broke into the Web site, posted their logo (see Figure 11-1) in place of the official one, and sat back to see what would happen.

Figure 11-1: The substitute for the Jurassic Park logo.

The response wasn't quite what they expected. The media thought the logo was funny, but suspicious. CNet News.com carried a story1 with a headline that asked whether it was a hack or a hoax, suspecting that someone in the Universal organization might have pulled the stunt to garner publicity for the movie.

Yuki says that he got in touch with Universal shortly afterward, explaining the hole that he and his friend had used to gain access to the site, and also telling them about a back door they had installed. Unlike many organizations that learn the identity of someone who has broken into their Web site or network, the folks at Universal appreciated the information.

More than that, Yuki says, they offered him a job -- no doubt figuring he would be useful in finding and plugging other vulnerabilities. Yuki was thrilled by the offer.

It didn't work out, though. "When they found that I was only 16, they tried to lowball me." He turned down the opportunity.

Two years later, CNet News.com presented a list of their 10 all-time favorite hacks.2 Yuki was delighted to see his Jurassic Pond hack prominently included.

But his hacking days are over, Yuki says. He has "been out of the scene for five years now." After turning down the MCA offer, he started a consulting career that he's been pursuing ever since.

HACKING A SOFT DRINK MACHINE

Some time back, Xerox and other companies experimented with machines that would do the "E.T., phone home" bit. A copying machine, say, would monitor its own status, and when toner was running low, or feed rollers were beginning to wear out, or some other problem was detected, a signal would be generated to a remote station or to corporate headquarters reporting the situation. A service person would then be dispatched, bringing any needed repair parts.

According to our informant, David, one of the companies that tested the waters on this was Coca-Cola. Experimental Coke vending machines, David says, were hooked up to a Unix system and could be interrogated remotely for a report on their operational status.

Finding themselves bored one day, David and a couple of friends decided to probe this system and see what they could uncover. They found that, as they expected, the machine could be accessed over telnet. "It was hooked up via a serial port and there was a process running that grabbed its status and formatted it nicely." They used the Finger program and learned that "a log-in had occurred to that account -- all that remained for us was to find the password."

It took them only three attempts to guess the password, even though some company programmer had intentionally chosen one that was highly unlikely. Gaining access, they discovered that the source code for the program was stored in the machine and "we couldn't resist making a little change!"

They inserted code that would add a line at the end of the output message, about one time in every five: "Help! Someone is kicking me!"

"The biggest laugh, though," David says, "was when we guessed the password." Care to take a stab at what the password was that the Coke people were so sure no one would be able to guess?

The password of the Coke vending machine, according to David, was "pepsi"!

CRIPPLING THE IRAQI ARMY IN DESERT STORM

In the run-up stages for operation Desert Storm, U.S. Army Intelligence went to work on the Iraqi Army's communication systems, sending helicopters loaded with radio-frequency sensing equipment to strategic spots along "the safe side of the Iraqi border." That's the descriptive phrase used by Mike, who was there.

The helicopters were sent in groups of threes. Before the evolution of the Global Positioning System (GPS) for pinpointing locations, the three choppers provided cross-bearings that enabled the Intelligence people to plot the locations of each Iraqi Army unit, along with the radio frequencies they were using.

Once the operation began, the United States was able to eavesdrop on the Iraqi communications. Mike says, "US soldiers who spoke Farsi began to listen in on the Iraqi commanders as they spoke to their ground troop patrol leaders." And not just listen. When a commander called for all of his units to establish communications simultaneously, the units would sign in: "This is Camel 1." "This is Camel 3." "This is Camel 5." One of the U.S. eavesdroppers would then pipe up over the radio in Farsi, "This is Camel 1," repeating the sign-in name.

Confused, the Iraqi commander would tell Camel 1 that he already signed in and shouldn't do it twice. Camel 1 would innocently say he had only signed in once. "There would be a flurry of discussion with allegations and denials about who was saying what," Mike recounts.

The Army listeners continued the same pattern with different Iraqi commanders up and down the border. Then they decided to take their ploy to the next level. Instead of repeating a sign-in name, a U.S. voice, in English, would yell, "This is Bravo Force 5 -- how y'all doing!" According to Mike, "There would be an uproar!"

These interruptions infuriated the commanders, who must have been mortified at their field troops hearing this disruption by the infidel invaders and at the same time appalled to discover that they could not radio orders to their units without the American forces overhearing every word. They began routinely shifting through a list of backup frequencies.

The radio-frequency sensing equipment aboard the U.S. Army copters was designed to defeat that strategy. The equipment simply scanned the radio band and quickly located the frequency that the Iraqis had switched to. The U.S. listeners were soon back on track. Meanwhile, with each shift, Army Intelligence was able to add to their growing list of the frequencies being used by the Iraqis. And they were continuing to assemble and refine their "order of battle" of the Iraqi defense force -- size, location, and designation of the units, and even action plans.

Finally the Iraqi commanders despaired and forfeited radio communication with their troops, turning instead to buried telephone lines. Again, the United States was right behind them. The Iraqi Army was relying on old, basic serial telephone lines, and it was a simple matter to tap into any of these lines with an encrypted transmitter, forwarding all the traffic to Army Intelligence.

The American Army's Farsi speakers went back to work, this time using the same methods they had used earlier for disrupting the radio communications. It's funny to picture the expression on the face of some Iraqi major or colonel or general as a jovial voice comes booming down the line, "Hi, this is Bravo Force 5 again. How y'all doing!"

And maybe he might add something like, "We missed you for a while and it's good to be back."

At this point, the Iraqi commanders had no modern communication options left. They resorted to writing out their orders and sending the paper messages via trucks to the officers in the field, who wrote out their replies and sent the truck on its way back across the steaming, sandy desert to headquarters. A single query and response could take hours for the round-trip. Commands that required multiple units to act in coordination became nearly impossible because it was so difficult to get the orders to each involved field unit in time for them to act together.

Not exactly an effective way to defend against the fast-moving American forces.

As soon as the air war started, a group of U.S. pilots was assigned the task of looking for the trucks that shuttled messages back and forth between the known locations of the Iraqi field groups. The Air Force started targeting these communication trucks and knocking them out of action. Within a few days, Iraqi drivers were refusing to carry the messages among field leaders because they knew it was certain death.

That spelled a near-complete breakdown in the ability of the Iraqi command-and-control system. Even when Iraqi Central Command was able to get radio orders through to the field, the field commanders, Mike says, "were terrified about these communications because they knew that the messages were being listened to by the U.S. Army and would be used to send attacks against their location" -- especially since, by responding to the orders, the field commander revealed that he was still alive, and could expect his response had allowed the Americans to pinpoint his location. In an effort to spare their own lives, some Iraqi field units disabled their remaining communication devices so they would not have to hear incoming communications.

"In short order," Mike remembers with obvious glee, "the Iraqi Army collapsed into chaos and inactivity in many locations because no one was able -- or willing -- to communicate."

THE BILLION-DOLLAR GIFT CERTIFICATE

For the most part, the following is directly taken from our conversation with this former hacker, who is now a well-established, respected security consultant.

It's all there, dude, it's all there. "Why do you rob banks, Mr. Horton?" "That's where the money is."

I'll tell you a funny story. Me and this guy Frank from the National Security Agency -- I won't even give his name, he now works for Microsoft. We had a [penetration test] engagement with a company that makes digital gift certificates. They're out of business, I'm still not gonna mention them.

So, what are we gonna hack? Are we gonna hack the crypto in the gift certificate? No, [the encryption] was like awesome, very well done. It's cryptographically secured, it would be a waste of time to try. So what are we gonna attack?

We look at how a merchant redeems a certificate. This is an insider attack because we've been allowed to have a merchant account. Well, we find a flaw in the redemption system, an application flaw that gave us arbitrary command execution on the box. It was foolish, childish, no special skills needed -- you just gotta know what you're looking for. I'm not a cryptanalyst, not a mathematician. I just know how people make mistakes in applications and they make the same mistakes over and over again.
