The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers (excerpt from Chapter 8, Your Intellectual Property Isn't Safe)

Authors: Kevin D. Mitnick,William L. Simon


I knew their network better than anyone there knew it. If they were having problems, I could probably have fixed them for them better than they could. I mean, I seriously knew every part of their network inside and out.

Not There Yet

What Erik now had, at last safely downloaded on his computer, was the source code for the server software . . . but not yet in a form he could open and study. Because the software was so large, the developer who stored it on the backup server had compressed it as an encrypted ZIP file. He first tried a simple ZIP password-cracking program, but it failed to make a dent. Time for Plan B.

Erik turned to a new and improved password cracker called PkCrack, which uses a technique called the "known plaintext attack." Having knowledge of a certain amount of plaintext data that is part of the encrypted archive is all that's needed to decrypt all the other files within the archive.

I opened the ZIP file and found a "logo.tif" file, so I went to their main Web site and looked at all the files named "logo.tif." I downloaded them and zipped them all up and found one that matched the same checksum as the one in the protected ZIP file.

Now Erik had the protected ZIP file and an unprotected version of the "logo.tif" file. PkCrack took only five minutes to compare these two versions of the same file and recover the password. With the password, he quickly unzipped all the files.
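The attack above works against ZIP's legacy PKZIP stream cipher ("ZipCrypto"), the scheme PkCrack targets; archives written with WinZip's AES mode are not open to it. As an added example that is not from the book, the following defender-side audit reads an archive's central directory and reports which members are protected only by that legacy cipher; the function names, the constructed sample archive and the hand-built AES extra record are assumptions for the demonstration.

```python
import io
import struct
import zipfile
FLAG_ENCRYPTED = 0x0001          # general-purpose bit 0 (ZIP APPNOTE)
FLAG_STRONG_ENCRYPTION = 0x0040  # general-purpose bit 6 (PKWARE strong encryption)
AES_METHOD = 99                  # compression method reserved for WinZip AES (AE-1/AE-2)
AES_EXTRA_ID = 0x9901            # extra-field record ID carrying the AES parameters

def aes_strength(extra: bytes) -> str:
    """Parse the 0x9901 record: <vendor_ver:2><'AE'><strength:1><real_method:2>."""
    pos = 0
    while pos + 4 <= len(extra):  # records are <id:2><size:2><data:size>, little-endian
        rec_id, size = struct.unpack_from("<HH", extra, pos)
        data = extra[pos + 4:pos + 4 + size]
        if rec_id == AES_EXTRA_ID and len(data) >= 5:
            return {1: "128", 2: "192", 3: "256"}.get(data[4], "unknown")
        pos += 4 + size
    return "unknown"

def classify_entry(info: zipfile.ZipInfo) -> str:
    """Return 'none', 'zipcrypto' (legacy PKZIP stream cipher), 'aes-<bits>' or 'strong'."""
    if not info.flag_bits & FLAG_ENCRYPTED:
        return "none"
    if info.flag_bits & FLAG_STRONG_ENCRYPTION:
        return "strong"
    if info.compress_type == AES_METHOD:
        return "aes-" + aes_strength(info.extra)
    return "zipcrypto"  # encrypted but neither AES nor strong: the cipher known-plaintext tools break

def audit_archive(data: bytes) -> dict:
    """Map member name -> protection class, reading only the central directory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: classify_entry(info) for info in zf.infolist()}

def make_info(name: str, flag_bits: int, method: int, extra: bytes = b"") -> zipfile.ZipInfo:
    info = zipfile.ZipInfo(name)  # constructed directory entry, no real archive needed
    info.flag_bits, info.compress_type, info.extra = flag_bits, method, extra
    return info

def make_aes_extra(strength_code: int, real_method: int) -> bytes:
    """Constructed AE-2 record as WinZip writes it (strength 1/2/3 = AES-128/192/256)."""
    return struct.pack("<HHH", AES_EXTRA_ID, 7, 2) + b"AE" + bytes([strength_code]) + struct.pack("<H", real_method)

def sample_clear_archive() -> bytes:
    """Constructed unencrypted archive for the test; real input is any .zip read as bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("logo.tif", b"II*\x00" + b"\x00" * 64)  # constructed TIFF-like bytes
    return buf.getvalue()
```

Any member reported as "zipcrypto" should be re-packaged with AES or encrypted outside the archive before it is left on a reachable server.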

After hundreds of long nights, Erik finally had the full source code he had been hungering after.

As for what kept him sticking to this task for so long, Erik says:

Oh, easy, it's all about being sexy. I like having a challenge, and I like not being detected. I like doing things differently, and very quietly. I like finding the most creative ways to do something. Sure, uploading a script is easier; but my way was soooo much cooler. F___k being a script kiddie if you can avoid it -- be a hacker.

And what did he do with the software and key generator? The answer is that he and Robert, the hero of the following story, both follow much the same routine, one that is common among many of the world's crackers. You'll find the story in the section called "Sharing: A Cracker's World" near the end of the chapter.

ROBERT, THE SPAMMER'S FRIEND

In far away Australia there lives another of those upright gentlemen who are respected security professionals by day and black-hat hackers by night, honing the skills that pay their mortgage by hacking into the most resilient software companies on the planet.

But this particular man, Robert, can't be easily pegged into a category. He seems too complex for that -- one month hacking for some software for his own amusement and to satisfy his need for a challenge and the next month taking on a project for money that will mark him for some people as what he himself terms "a dirty spammer." Not dirty, you will discover, just because he has occasionally worked as a spammer; dirty because of the kind of spamming he has done.

"Making money by hacking," he says, "is quite a concept." Which may be self-justification, but he had no qualms about sharing the story with us. In fact, he brought it up unprompted. And made light of it by coining a term: "I guess you could say I'm a spacker -- a hacker that works for spammers."

I was contacted by a friend of mine who said, "I want to sell some hard-core bondage porn to thousands of people. I need to have millions upon millions of email addresses of people who want hard-core bondage porn."

You or I might have run from the suggestion. Robert "thought about it for a while" and then decided to take a look at what might be involved. "I searched all these hard-core bondage sites," he says, admitting that he did this despite its being "much to my girlfriend's disgust." He conducted the search in a perfectly straightforward way: with Google, as well as another search portal, www.copernic.com, that uses multiple search engines.

The results provided a working list. "The only thing I want from these [sites] is who likes their bondage porn, who wants to receive updates from them, who has the interest in this shit." If Robert was going to help create spam, he had no intention of going about it "like the usual cast of idiots," sending hundreds of emails to everyone and his brother whether they had ever shown any interest in the subject or not.

Getting the Mailing Lists

Many of the bondage Web sites, Robert discovered, were using a major application for managing subscription mailing lists that I'll call SubscribeList.

Just by using Google I had found someone who had ordered a copy of [SubscribeList], and had it on the Web server. I think it was a Web site in Taiwan or in China.

The next step was even easier than he could have anticipated:

Their Web server was configured incorrectly. Any user could view the source [code] of the software. It wasn't the latest version of the software, but a reasonably recent version.

The mistake was that someone had carelessly or accidentally left a compressed archive of the source code on the document root of the Web server. Robert downloaded the source.

With this program and names he would capture from existing sites, Robert figured:

I'd be able to send out emails saying, "Come back to my site, we're having a special on whipping and it's half price." A lot of people subscribe to these things.

So far, though, he had mailing-list software but still no mailing lists.

He sat down to study the source code of SubscribeList, and at length discovered an opportunity. The technical explanation is complicated (see "Insight" at the end of the chapter).

Similar to the way the cracker in the previous story used the "&" symbol to trick a program into executing his commands, Robert used a flaw in "setup.pl." This shortcoming, called the "backticked variable injection flaw," is based on the lightweight installer program, the setup.pl script, not adequately validating the data passed to it. (The difference is in operating system. Erik's method works with Windows; Robert's with Linux.) A malicious attacker can send a string of data that would corrupt a value stored in a variable in such a way that the script could be tricked into creating another Perl script used to execute arbitrary commands. Thanks to this programmer oversight, an attacker could inject shell commands.

The method fools setup.pl into thinking that the attacker has just installed SubscribeList and wants to do the initial setup. Robert would be able to use this trick with any company running the vulnerable version of the software. How did he find a bondage company that fit the description?

His code, Robert says, is "a bit of a mind bender, really a bitch to write." When his script had finished, it would clean up after itself and then set all the configuration variables back so no one could tell anything happened. "And as far as I'm aware, no one has caught on to it."

No thoughtful hacker would have these files sent directly to his or her own address in a way that could be traced.

I'm a really big fan of the Web. I love the Web. The Web is anonymous. You can go on from an Internet café and no one knows who the f___k you are. My stuff is bounced around the world a few times and it's not direct connections. It's harder to trace, and there will only be maybe one or two lines in the [company's] log file.

Porn Payoff

Robert had discovered that many of the bondage sites use the same mailing-list software. With his modified program, he targeted their sites and grabbed their mailing lists, which he then turned over to his friend, the spammer. Robert wanted it understood that "I wasn't spamming people directly."

The campaign was incredibly effective. When you're spamming directly to people who you already know "really like this shit" (to use Robert's colorful phrase), the rate of response was record-breaking.

You're usually looking at [a response rate of] 0.1, 0.2 percent. [We were] getting 30 percent at least by targeting. Like 30 to 40 percent of people would buy. For a spamming rate, that is absolutely phenomenal.

All up, I must have brought in probably like about $45, $50,000 U.S., and I got back a third of that.

Behind the success of this sordid story lies the success of Robert's effort in gathering the mailing lists of people willing to shell out money for this kind of material. If the numbers he reported to us are accurate, it's a sorry measure of the world we live in.

"I got," he said, "between 10 and 15 million names."

ROBERT THE MAN

Despite that episode, Robert insists that "I am not some dirty horrible spammer; I'm a very upstanding person." The rest of his story supports the claim. He works in security for a "very religious and upstanding company" and takes on outside projects as an independent security consultant. And he's a published author on security topics.

I found him particularly verbal in expressing his attitudes about hacking:

I really like to be challenged against a system and I like to fight the system on a configurational level and a social level, rather than a strictly technical level -- a social level, meaning getting into [the head of] the person behind the computer.

Robert has a long background in hacking. He mentioned a friend (an American hacker whose name he didn't want revealed) who used to have a game with Robert.

We both used to [hack into] a lot of development companies, like people who were creating Active X controls and Delphi controls, and little cool tools for programming. We would find a magazine on the subject and there's an ad on every other page of these new products. And we would see if we could find someone we hadn't hacked. Especially games.

He has "wandered around" the internal networks of major gaming software companies and gotten source code to a few of their games.

Eventually, he and his hacker buddy began to find that "we had actually broken into practically everyone who was advertising every new product out there. `We've done this one, this one, this one . . . We're still trying to get into here, but got this one.'"

Still, for Robert, one area held special interest: software products for what's called "video post production" -- in particular, the products used to create the animation used in movies.

I love the mess involved in what these people do. There's some geniuses that make these things. I like to read it and know how it works, because it seems so alien when you look at it. I mean when you watch [the animated movie] on TV you probably go, "Holy f___k, this is really something."

What he finds especially intriguing is looking at the code, at a pure mathematical level -- "the equations and the functions, and the mindset behind the people that create these things. It's phenomenal."

All of this set him up for what he sees as his most memorable hack.

Software Temptation

In 2003, Robert was reading through a product announcement in a software magazine and came upon a new product for doing "digital video effects, cool lighting stuff -- making light look real, with textures [that] were amazingly smooth."

The whole selling point of this product was that it was used on a recent major animated feature film -- one of the designing, modeling, and rendering tools they used.

When I heard about it, it looked really cool. And some people from the circles I've been around, like on the Net, had been very interested in the software. A lot of people wanted to get their hands on it. Everyone wants to get this application because it's hard to get, it's really expensive -- as in maybe two or three hundred thousand. It's used by, like, Industrial Light and Magic, and there's probably, like, only four or five other companies in the world that have bought it.

Anyway, I was really keen on getting this software and I set out on casing the company. I'll just call them Company X. Is that okay? Company X was fully based in America and their entire network was centralized.

His goal wasn't just to get the software for himself but to share it where it would be available to millions of Internet users worldwide.

He found the company had "a firewall out front, and a tight little network. They had a lot of servers, and multiple Web servers. I guessed from this that they probably had maybe 100, 150 employees."

Discovering Server Names

Robert has a standard strategy when he's trying to break into a corporate network that's of significant size. He "goes after how they take care of the need for people to be able to get into their network. A large company has a much greater challenge in this than a small one. If you have five employees, you can send them an email, right? Or, you can see them all and say, `This is how you connect to your server from home, this is how you get your email from home.'"

But a large company will usually have a help desk or some external resource that people can go to when they're having a computer problem. Robert figures that a company with a significant number of employees will have a set of instructions somewhere -- most likely from its help desk -- explaining how to access files and email remotely. If he could find those instructions, he could probably learn the steps for getting onto the network from outside, such as what software is needed to connect to the internal network over the corporate VPN. In particular, he was hoping to find out what access points the developers used to access the development system from outside, because they would have access to the much-coveted source code.
