Read The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers Online

Authors: Kevin D. Mitnick,William L. Simon


I see people writing emails to their wife or something. You can actually move their mouse in the screen. Pretty funny. Once I got on a guy's computer and started moving his cursor. He opened a notepad file. I typed in "Hey."

Naturally, a hacker who wants to take over someone's computer ordinarily chooses a time when no one is likely to be around. "I usually do that after midnight," Gabriel explained, "to be sure there's no one there. Or I just check on their computer screen. If the screensaver is running, that usually means no one is at the computer."

But one time he misjudged and the user was at his machine. The words, "I know you're looking at me!" flashed across Gabriel's screen. "I logged off right away." Another time, some files he had stashed were found. "They deleted them and left me a message -- `WE WILL PROSECUTE YOU TO THE FULLEST EXTENT OF THE LAW.'"

The Bank Break-In

When Gabriel's wandering around the Internet brought up details about IP addresses of the Dixie bank, he followed the trail, discovering that it was no small-town bank he'd stumbled onto but one with extensive national and international ties. Even more interesting, he also found that one of the bank's servers was running Citrix MetaFrame, which is server software that allows a user to remotely access his or her workstation. A lightbulb went on because of something that Gabriel and a friend had realized from their earlier hacking experiences.

This friend and I had discovered that most of the systems running Citrix services don't have good passwords. They deliver them already enabled, but leave the end user without a password.

Gabriel went to work with a port scanner, a hacker tool (or auditing tool, depending on the user's intent) that scans other networked computers to identify open ports. He was looking specifically for any systems with port 1494 open, because that's the port used to remotely access the Citrix terminal services. So any system with port 1494 open was a potential system he could successfully "own."

Each time he found one, he'd search every file on the computer for the word password. It's like panning for gold. Much of the time, you come up empty-handed, but occasionally you discover a nugget. In this case, a nugget might be a reminder that someone had stuck in a file, maybe reading something like, "administrator password for mail2 is `happyday.'"

In time, he found the password to the bank's firewall. He tried connecting to a router, knowing that some common routers come with a default password of "admin" or "administrator," and that many people -- not just clueless homeowners but, too often, even IT support professionals -- deploy a new unit without any thought of changing the default password. And, in fact, that's what Gabriel found here -- a router with a default password.

Once he had gained access, he added a firewall rule, allowing incoming connections to port 1723 -- the port used for Microsoft's Virtual Private Network (VPN) services, designed to allow secure connectivity to the corporate network for authorized users. After he had successfully authenticated to the VPN service, his computer was assigned an IP address on the bank's internal network. Fortunately for him, the network was "flat," meaning that all systems were accessible on a single network segment, so that hacking into the one machine had given him access to other computer systems on the same network.

The hack into the bank, Gabriel says, was so easy it was "pretty dumb." The bank had brought in a team of security consultants, who provided a report when they left. Gabriel discovered the confidential report stored on a server. It included a list of all the security vulnerabilities that the team had found -- providing a handy blueprint of how to exploit the rest of the network.

As a server, the bank was using an IBM AS/400, a machine Gabriel had little experience with. But he discovered that the Windows domain server stored a complete operations manual for the applications used on that system, which he downloaded. When he next typed in "administrator" -- the default IBM password -- the system let him in.

I'd say 99 percent of the people working there used "password123" as their password. They also didn't have an anti-virus program running in the background. They ran it maybe once a week or so.

Gabriel felt free to install Spy Lantern Keylogger, his favorite in the category primarily because of the program's unique ability to record information simultaneously from any number of people logging in to the Citrix server. With this installed, Gabriel waited until an administrator logged in, and "snarfed" his password.

Chapter 7 Of Course Your Bank Is Secure -- Right?

Armed with the right passwords, Gabriel hit the jackpot: a full set of online training manuals on how to use the critical applications on the AS/400. He had the ability to perform any activity a teller could -- wiring funds, viewing and changing customer account information, watching nationwide ATM activity, checking bank loans and transfers, accessing Equifax for credit checks, even reviewing court files for background checks. He also found that from the bank's site, he could access the computer database of the state's Department of Motor Vehicles.

Next he wanted to obtain the password hashes from the primary domain controller (PDC), which authenticates any login requests to the domain. His program of choice for doing this was PwDump3, which extracts all the password hashes from a protected part of the system registry. He got administrator access locally on the machine, then added a script to execute PwDump3 as a shortcut in the startup folder, disguising it as something innocuous.

Gabriel was lying in wait for a domain administrator to log in to the target machine. The program operates much like a booby trap, springing when triggered by a particular event -- in this case, a system administrator logging in. When that administrator logs in, the password hashes are silently extracted to a file. The PwDump3 utility is run from the administrator's startup folder. "Sometimes it takes days [for a domain administrator to log in]," he says, "but it's worth the wait."

Once the unsuspecting domain administrator logged in, he unknowingly extracted the password hashes to a hidden file. Gabriel returned to the scene of the crime to obtain the password hashes, and ran a password-cracking program using the most powerful computer he was able to access.

On such a system, a simple password such as "password" can take less than a second to break. Windows passwords seem to be particularly easy, while a complicated password that uses special symbols can take much longer. "I had one that took me an entire month to decrypt," Gabriel recalled ruefully. The bank administrator's password consisted of only four lowercase letters. It was cracked faster than you could read this paragraph.

Anyone Interested in a Bank Account in Switzerland?

Some of the items Gabriel found made the rest of the haul seem like small potatoes.

He also found his way into one of the most supersensitive parts of any bank's operation -- the process for generating wire transfers. He found the menu screens for initiating the process. He also discovered the actual online form used by the select group of authorized employees who have the authority to process transactions for withdrawing funds from a customer's account and sending the funds electronically to another financial institution that might be on the other side of the world (in Switzerland, for example).

But a blank form doesn't do any good unless you know how to properly complete it. That, it turned out, wasn't a problem either. In the instruction manual he had earlier located, one chapter proved particularly interesting. He didn't need to get very far into the chapter to find what he needed.

20.1.2 Enter/Update Wire Transfers

Menu: Wire Transfers (WIRES)
Option: Enter/Update Wire Transfers

This option is used to enter non-repetitive wires and to select repetitive wires to be entered and sent. Non-repetitive wires are for customers who only send a wire occasionally or for noncustomers who want to initiate a wire. Through this option, incoming wires can also be maintained after they are uploaded. When this option is selected the following screen will be displayed.

Wire Transfers
Wire Transfers                                   11:35:08
Outgoing
Type options, press Enter.
2=Change 4=Delete 5=Display               Position to...
Opt   From account   To beneficiary   Amount
F3=Exit F6=Add F9=Incoming F12=Previous

When this option is initially taken there will not be any wires listed. To add, press F6=Add and the following screen will be displayed.

An entire chapter spelled out step-by-step the exact procedures for sending a wire from that particular bank, transferring funds to some person's account at another financial institution. Gabriel now knew everything he needed for sending a wire transfer. He had the keys to the castle.

Aftermath

Despite such widespread access to the bank's system and an enormous amount of unauthorized power at his disposal, Gabriel to his credit kept his hand out of the till. He had no interest in stealing funds or sabotaging any of the bank's information, though he did play around with the idea of improving the credit ratings for a few buddies. As a student enrolled in a security program at a local college, Gabriel naturally assessed the weaknesses in the bank's protective measures.

I found a lot of documents on their server about physical security, but none of it was related to hackers. I did find something about the security consultants they hire every year to check on the servers, but that isn't enough for a bank. They're doing a good job on physical security, but not enough for computer security.

INSIGHT

The bank site in Estonia was an easy target. Juhan noticed the flaw when he viewed the source code of the bank's Web pages. The code used a hidden form element that contained the filename of a form template, which was loaded by the CGI script and displayed to users in their Web browser. He changed the hidden variable to point to the server's password file, and, voilà, the password file was displayed in his browser. Amazingly, the file was not shadowed, so he had access to all the encrypted passwords, which he later cracked.

The Dixie bank hack provides another example of the need for defense in depth. In this instance, the bank's network appeared to be flat; that is, without significant protection beyond the single Citrix server. Once any system on the network was compromised, the attacker could connect to every other system on the network. A defense-in-depth model could have prevented Gabriel from gaining access to the AS/400.

The bank's information security staff was lulled into a false sense of security in having an external audit performed, which may have unreasonably raised the confidence level in their overall security posture. While performing a security assessment or audit is an important step to measure your resilience against an attack, an even more crucial process is properly managing the network and all the systems that are on it.

COUNTERMEASURES

The online bank site should have required that all Web application developers adhere to fundamental secure programming practices, or required auditing of any code put into production. The best practice is to limit the amount of user input that is passed to a server-side script. Using hard-coded filenames and constants, while not elegant, raises the level of assurance in the security of the application.
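As an added illustration of the flaw described under Insight and the fix recommended here (a constructed example, not code from the book or from either bank), the first handler below loads whatever file a hidden field names, beside a hardened version that accepts only a short page key and maps it to a developer-chosen constant filename; the template directory, file names and page keys are assumptions.

```python
import tempfile
from pathlib import Path

# Constructed stand-in for the site's template directory, plus a sensitive file
# outside it that stands in for the server's password file.
ROOT = Path(tempfile.mkdtemp())
TEMPLATE_DIR = ROOT / "templates"
TEMPLATE_DIR.mkdir()
(TEMPLATE_DIR / "login.html").write_text("<form>login form</form>")
(ROOT / "secret.txt").write_text("root:x:0:0:root:/root:/bin/sh\n")


def render_vulnerable(form):
    """The pattern the chapter describes: a hidden form field names the file,
    and the CGI script loads whatever path the browser sent."""
    return (TEMPLATE_DIR / form["template"]).read_text()


# Hardened form: the browser supplies only a short key; the filenames are
# constants chosen by the developer, never by the client.
TEMPLATES = {"login": "login.html"}


def render_hardened(form):
    key = form.get("page", "")
    if key not in TEMPLATES:
        raise ValueError("unknown page key")
    path = (TEMPLATE_DIR / TEMPLATES[key]).resolve()
    # Defence in depth: even a mistyped constant cannot escape the directory.
    if TEMPLATE_DIR.resolve() not in path.parents:
        raise ValueError("template outside template directory")
    return path.read_text()


def hardened_serves(form):
    """True if the hardened handler would return a page for this request."""
    try:
        render_hardened(form)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(render_hardened({"page": "login"}))
    print(hardened_serves({"page": "../secret.txt"}))  # False
```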

Lax network monitoring and poor password security on the exposed Citrix server were the biggest mistakes in this case; correcting them would likely have prevented Gabriel from roaming through their network, installing keystroke loggers, shadowing other authorized users, and planting Trojan programs. The hacker wrote a little script and put it into the administrator's startup folder so when he logged in, it would run the pwdump3 program silently. Of course, he already had administrator rights. The hacker was lying in wait for a domain administrator to log in so he could hijack his privileges and automatically extract the password hashes from the primary domain controller. The hidden script is often called a Trojan or a trapdoor.

A partial list of countermeasures would include the following:

- Check all accounts for password last set time on system service accounts like `TsInternetUser' not assigned to personnel, unauthorized administrator rights, unauthorized group rights, and time of last login. These periodic checks may lead to identifying a security incident. Look for passwords that were set during strange hours, since the hacker might not realize he or she is leaving an audit trail by changing account passwords.
- Restrict interactive logins to business hours.
- Enable login and logout auditing on all systems that are externally accessible via wireless, dial-up, Internet, or extranet.
- Deploy software like SpyCop (available at www.spycop.com) to detect unauthorized keystroke loggers.
- Be vigilant in installing security updates. In some environments, it may be appropriate to download the latest updates automatically. Microsoft is actively encouraging customers to configure their computer systems to do this.
- Check externally accessible systems for remote-control software such as WinVNC, TightVNC, DameWare, and so on. These software programs, while they have legitimate uses, can enable an attacker to monitor and control sessions logged in to the system console.
- Carefully audit any logins using Windows Terminal Services or Citrix MetaFrame. Most attackers choose to use these services in preference to remote-control programs, to reduce the chance of being detected.
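The account checks in the first two items above, written out as an added example that is not from the book: the account records, the service-account list and the business-hours window are constructed assumptions standing in for a domain controller's account export.

```python
from datetime import datetime

# Constructed account records standing in for a domain controller's account
# export: name, group memberships, password-last-set and last-logon times.
ACCOUNTS = [
    {"name": "TsInternetUser", "groups": ["Administrators"],
     "password_last_set": datetime(2004, 3, 2, 2, 14),
     "last_logon": datetime(2004, 3, 2, 2, 20)},
    {"name": "jsmith", "groups": ["Domain Users"],
     "password_last_set": datetime(2004, 3, 1, 9, 30),
     "last_logon": datetime(2004, 3, 3, 8, 5)},
    {"name": "svc_backup", "groups": ["Backup Operators"],
     "password_last_set": datetime(2004, 2, 20, 15, 0),
     "last_logon": datetime(2004, 3, 3, 1, 10)},
]

# Assumed policy: accounts not assigned to any person, and the business hours
# inside which password changes and interactive logons are expected.
SERVICE_ACCOUNTS = {"TsInternetUser", "svc_backup"}
BUSINESS_HOURS = range(8, 18)   # 08:00 to 17:59, Monday to Friday


def off_hours(ts):
    """True for weekends or any hour outside the business-hours window."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def audit_accounts(accounts, service_accounts=SERVICE_ACCOUNTS):
    """Return (account, finding) pairs for the periodic checks listed above."""
    findings = []
    for acct in accounts:
        name = acct["name"]
        if name in service_accounts and "Administrators" in acct["groups"]:
            findings.append((name, "service account holds administrator rights"))
        if off_hours(acct["password_last_set"]):
            findings.append((name, "password set outside business hours"))
        if off_hours(acct["last_logon"]):
            findings.append((name, "last logon outside business hours"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_accounts(ACCOUNTS):
        print(f"{name}: {finding}")
```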

THE BOTTOM LINE

The hacks in this chapter were trivial, based on taking advantage of the companies' poor password security and vulnerable CGI scripts. While many people -- even people knowledgeable about computer security --
