- Home
- Jeremy N. Smith
Breaking and Entering Page 27
Breaking and Entering Read online
Page 27
Alien was glad she hadn’t brought her laptop with her. Do so and you risked getting an InfoSec education the hard way—as everyone else’s entertainment.
Alien found Aaron in a room intended for two but already occupied by seven male TOOOL members, including him. Skirting beds and sleeping bags, backpacks and pillows, she threw her suitcase open in the bathroom and claimed the bathtub as her spot for the night. If during the wee hours one of the guys had to take a leak in the toilet while she was sleeping in the tub, so be it.
The rest of the afternoon and evening, Alien prowled the conference. In the vast mass of black T-shirts, a woman rocking heels, a dress, and red lipstick stood out like a snowman on the Las Vegas Strip. While she attracted their attention, few of the horde of men surrounding her expected that Alien might share their interests, or that her technical knowledge might equal or exceed their own.
“I’m a hacker,” guy after guy introduced himself.
“Really?” she asked with feigned awe.
That night, drinking by the pool, Alien and the TOOOL crew brainstormed ways to break into safes, suitcases, ATMs, and elevators. Next to them was a guy sketching circuit diagrams on a scrap of paper for another guy, someone setting up a shortwave radio antenna atop a cabana umbrella as others gathered, and another nerd who thought the way he turned the hot tubs purple with industrial dye was the funniest thing ever, though a bikinied woman in one of the tubs, a regular tourist who had made the mistake of booking a stay here during DEF CON, begged to differ.
“Wait until morning,” Aaron said. “By then, all the lobby furniture will be stacked in the elevator.” He laughed. “And the elevator display for what floor you’re on will show some dude’s area code”—a shorthand tag for the location of one’s “home” hacker group.
It was all hacking, all the time, even when hacking wasn’t officially on the agenda. Alien felt like a kid at summer camp, one with few rules and no counselors. At two a.m., a stout bearded TOOOL member named Deviant led the gang on an expedition to crash a Microsoft-sponsored party with an open bar. The cab ride from the Riviera, at the north end of the Strip, to the Luxor, where the party was located, on the south end, took almost twenty minutes. Even in Vegas, the Luxor’s size and shape—a thirty-story gleaming black pyramid—made it one of the city’s most visually arresting structures.
The lock pickers and Alien made their way through the lobby and casino to a two-level nightclub whose décor somehow resembled a cross between a Gothic nave and a medieval dungeon. The entrance was a mix of webbed metal and blood-red lights. In front of it was a milling crowd of disappointed would-be partygoers.
“You have to be on a list to get in, and then once you’re in, they stamp your wrist and you can go in and out as many times as you want,” reported a gangly teenager with a neon-green Mohawk who’d been turned away.
Alien and the others lingered outside the club, trying to talk people up, until Deviant recognized a friend.
“Hey, Blivet!” he called.
He quickly learned that Blivet was on the list. His special status was due to the fact that, while he volunteered as a DEF CON “goon”—the official term for convention staff—his day job was chief information security officer, or CISO, for an important Microsoft customer. Big and beefy, Blivet wore combat boots, camo shorts that revealed thick hairy legs, a black T-shirt, and a goon-only version of the conference badge. His carefully cultivated don’t-fuck-with-me scowl was transformed into a boyish grin as Deviant explained his plan.
He was a goon, but he was their goon. Which offered an opportunity for some social engineering.
After conferring with Deviant, Blivet entered the nightclub and returned right away, stamp ink still fresh on his right wrist. As they had arranged, Deviant pressed his left wrist down on Blivet’s wrist, and then again on his own right wrist. Now the stamp design showed there, too, if only faintly—until he quickly darkened it with a Sharpie. It was far from perfect, but in the crazy lighting it was good enough.
Deviant transferred the “stamp” to Alien, Aaron, and the rest of the lock pickers the same way. And then to the Mohawked teenager and a half-dozen others who’d been waiting with them on the outskirts.
“Drinks on Microsoft!” one of the hackers cried as Alien filed in behind him.
Alien’s bartending interview was scheduled for the Friday after DEF CON. Checking email around five p.m. the night before, however, she was surprised to find a message from the Antidote executive, Bill Rogers. Black hat hackers had just broken into the website of an upstate New York newspaper, infecting online readers with malware—malicious software deliberately written to damage or disable system functions, steal information, or give outside forces control of their computers. The newspaper had hired Antidote to help investigate and respond to the incident.
“Are you available tomorrow?” Rogers asked.
There was no deliberation. Only an adrenaline jolt, as if Alien were about to step from a great height without knowing if she would fall or fly.
She sensed immediately that she was going to do it. But feeling burned—and burned out—by Elite made her aware of the risks. If Alien went back into InfoSec, she would have to do so on her own terms.
She called not Rogers but Elliot, the subcontractor on the Diamond bank case who’d offered her a foot massage. “Hey,” he said warmly.
“Hey,” she answered, and cut to the chase. “You’re an independent consultant, right? I have my first potential client. How much should I charge?”
“Uh . . . that depends,” said Elliot.
Alien explained the situation. “Does two hundred dollars per hour sound right?”
“Oh, sure. Totally,” Elliot said.
A moment later Alien was on the phone with Rogers. Although she now had a figure in mind, she didn’t want to repeat the mistake of her Elite Defense job negotiation, when she had named a number first.
“What do you usually pay?” she asked.
“One hundred dollars an hour, plus expenses,” Rogers said.
“Hmm, I usually do one hundred and fifty. Why don’t we meet in the middle? How about one hundred and twenty-five?” Even if it was less than what Alien had discussed with Elliot, the rate was ten times what she had made just a few years earlier as an MIT student employee. A week of consulting paid more than a month of pouring drafts and mixing mojitos. And if it didn’t work out, she could always find another bartending gig.
“You’re hired,” Rogers answered.
On the floor in front of Alien a few hours later were her laptop and gear suitcase, packed anew with external hard drives, cords and cables, a label maker, and other Micro Center purchases. CD cases held various system boot software and forensics programs. Last were two printouts: an evidence acquisition log and a chain-of-custody form from Antidote.
She pulled her brown-striped black skirt suit out of the closet for the first time since April. There was a tiny hole in the lapel where the Elite spoon pin had been. Alien fingered it for a moment, inhaling deeply.
Leave now and she would make it to her hastily booked hotel room at three thirty a.m. The newspaper expected her on-site at seven thirty.
Half an hour later, Alien was in her Volvo, moving rapidly westward through the darkness along the Mass Pike.
Framed copies of a century of historic front pages—the U.S. entry into World War I, VJ Day, John F. Kennedy’s election, and the fall of the Berlin Wall—lined the walls of the conference room where Alien met the newspaper’s CEO, legal counsel, IT director, and public relations chief the next morning. To judge by the bags under their eyes, their slumped posture, and their wrinkled clothes, it looked as if no one had slept—or changed—since the day before.
“What happened to our computers?” the CEO asked anxiously. “And what do we tell our customers?”
Alien eyed her gear suitcase but reached first for old technology: her Moleskine notebook and a pen. A laptop would make the situation less intimate and interfere with he
r ability to build trust and bond with the client. To listen carefully and reassure them that they were in good hands. That everything was going to be okay.
Alien clicked the pen open. “Let’s back up. Start with what happened,” she said, using her most therapeutic voice. “Tell me who discovered what, and when. Then we’ll help you recover and come up with a plan to prevent it from happening again.”
Legal huddled with the CEO in the conference room afterward. PR drafted a statement to subscribers. Alien had instructed the IT director to reset local administrator passwords and copy any firewall logs for later examination. Those tasks completed, she followed him in her car to a warehouse-sized building fifteen minutes across town. This was a colocation facility, or shared data center, run by the newspaper’s Internet service provider, with separate rows of secure server racks for different large customers in the area.
Alien entered to the familiar sound of cooling fans. She plugged the first of her external drives—wiped, formatted, and labeled, exactly as she’d done for the Elite Defense assignment in Paris—into a computer in the server rack for the newspaper. Next, Alien inserted one of her CDs and found the keyboard that controlled the rack.
She typed at the command prompt:
dd conv=sync,noerror if=/dev/sda of=/media/NEWS-0345-001/0345-001_WINSRVWWW-02.dd
The imaging took almost fifteen hours. Alien “babysat” the process, checking on it periodically to make sure it was moving along. While she was waiting, she worked on the report. Forms filled out and hard drives stacked and packed at last, Alien called Rogers to check in.
Late that night she rang Aaron from her hotel room. She was even more excited than she had anticipated to be back in action, and wanted to tell someone about her day.
No answer.
Alien thought for a moment, and then tried Elliot.
He picked up on the second ring. “How’d it go?” he asked without saying hello.
“The client’s servers were all Windows machines,” Alien told him. “And I had to do a live image”—copying the computers while they were on and being used. “But the most stressful part was knowing I couldn’t call Bruce or anyone else at Elite Defense if I had a problem.”
Elliot cleared his throat. “You can always call me.”
Alien liked the sound of that. “Just maybe I will,” she said.
Alien was eager to nail her first assignment as a freelancer, both out of professional pride and so that it wouldn’t be the last. She returned the next day to Cambridge, where she scanned the imaged server, identified the malware and how to remove it, and ran a file system timeline to determine what had been affected on the server in the interim. Alien called the newspaper’s leadership team to share the basics and then started on the rest of her report, listing specific recommendations about changing passwords, tightening firewalls, blocking ports, and updating software to improve security going forward.
After work every night, she chatted by phone with Elliot. He traveled all the time to teach SCAN classes, but made his home in Parkmont, Colorado, a town of sixty thousand set against the west slope of the Rocky Mountains.
“Come visit!” he urged.
The day after submitting her report, she was browsing Boston-Denver plane tickets in her bedroom. Rogers called. “Nice job on the newspaper case,” he said.
“Thanks for the opportunity,” Alien told him.
“If you want another, we’ve got a social engineering assessment,” Rogers said.
People across the country were being hit by “phishing” attacks from criminals pretending to be working for well-known companies, such as banks, brokers, and online shopping sites. The scammers combined fraudulent emails, websites, and phone calls to garner passwords, credit card numbers, and other valuable information. News reports focused on individual victims. But if a victim was an employee of a large company, the entire business might have been exposed to a major theft, a devastating data breach, or both. Now a rural bank—code name “Barn Door”—wanted to see how vulnerable its own staff was to phishing.
“Can you do that?” Rogers asked. He offered a flat fee of eight hundred dollars—exactly half, he told her, of what the bank was paying Antidote.
Alien grabbed her laptop, still open to the Web page listing flights to Colorado. She imagined Richard and the other Jedis chuckling derisively at such small fry. If she took this job, though, the pay would be enough to visit Elliot and buy new hiking boots when she got to Parkmont. Plus, if past experience was any indication, successfully breaking into one bank client could lead to a lot of other business.
“Send me the contract,” she said. “I’ll squeeze it in.”
One thing Alien had learned from her time with Elite Defense: trying to work in the same room where you sleep ruins both.
That night, in search of a convenient space, she entered a vacant bedroom with a high ceiling off the Fireberry kitchen. Inside was a ten-foot-tall blue-and-black cylindrical metal robot her housemate Keenan had “rescued” from an MIT lab and was planning on fixing up. Nearby was a plastic folding table and chair.
Alien set up the table and chair in the robot’s shadow and then plopped down and plugged in her laptop. Barn Door’s website was BarnDoorBank.com. Using a program called Wget, short for “World Wide Web get,” she downloaded the site’s underlying HTML code—the online equivalent of copying someone’s business card or company letterhead.
But what should her decoy be?
At the command line, Alien typed, “whois BarnDoorBankPoll.com.”
“No match for ‘BARNDOORBANKPOLL.COM,’” her display answered.
She smiled.
Alien registered BarnDoorBankPoll.com as a domain name, selecting a Web server in Parkmont run by an amenable friend of Elliot’s—the head of his local Internet service provider—as her host site. Because of their connection, the friend let Alien record his ISP as the official site owner so that it would be completely anonymous, or at least untraceable to her. In addition, she set up a firewall so that only she—and, later, the people she was targeting—could access the site. Google, government agencies, and others who wanted to see inside would be shut out.
On the real Barn Door site, Alien found an “About Us” page with headshots of the bank CEO and president. Using these and the same page’s fonts and logos, background color, and set of links as a template, she coded a new Web page, titled “IT Poll.”
“Dear employees,” the page began in boldface type. “Barn Door Bank is conducting an important poll. Please help us plan and budget resources for next year.”
Now came a three-item questionnaire: “Do you use Microsoft Office software?” (Yes or No.) “How important is your computer to do your job?” (Very important, Important, or Not important.) “Would you like the option to work from home?” (Yes or No.)
Its brevity would get employees answering quickly, Alien figured. And almost everyone who came to the page would answer “Yes,” “Very important,” and “Yes,” setting a positive mood for the final fields to fill before a Submit button.
Still, some people might be wary. From a shopping site on the Internet, then, Alien copied the red-and-black check-mark “VeriSign Secured” logo, as well as the boilerplate promise “Your access and use of this system is validated and protected using Secure Socket Layer (SSL) and all communication to and from this system is encrypted for your security.”
None of that was true, of course. But they wouldn’t know that.
“Username” and “Password,” Alien asked last—the only information she actually wanted.
Now the emails. How to get people to want to participate? And to respond right away?
Alien went into the kitchen, filled a teakettle with water, and put it on the stove.
How can I get them to bite? What are people really excited about?
As she waited for the kettle to boil, one of her housemates came into the kitchen to grab a USB charger he’d left behind.
“New iPod,” he said
, showing off his music player. “One hundred and sixty gigs.”
Bingo.
She hurried back to the borrowed desk. “Subject: Employee Poll—Win an iPod!” Alien drafted an email.
“Barn Door Bank is conducting a quick internal poll. If you are one of the first twenty employees to help us by responding, you will be entered into a random drawing for a new iPod. Thank you for your participation—and good luck!”
In moments, she had added colorful iPod images, followed by a link to the poll page, the name of Barn Door’s head of IT, and his email address, modified to be @barndoorbankpoll.com rather than the real @barndoorbank.com.
As Alien sat back in her chair, she noticed for the first time the kettle’s loud, impatient whistle.
All week Alien coordinated with her Barn Door contact, making sure he understood and approved her plan. She was to attempt her email phishing scheme on all fifty of their employees, and then follow up with ten of them by phone, trying to get them to download and open a potentially malicious file on their computer. In between those two steps was the Web poll she’d devised.
Click, track, call—con.
Each stage of the scam offered a different category of potential phish. “Cold,” “warm,” and “hot” phish, Alien termed them.
Everyone Alien was targeting started as a cold phish. A cold phish would become a warm phish if he or she clicked the email link and visited the fake website. Last, a warm phish would become a hot phish if he or she completed and submitted the poll form online.