Breaking and Entering Page 28
To prime them for the phone calls that would follow, hot phish would be redirected to another Web page decorated with additional iPod images.
“Thank you!” it said. “A caller will let you know shortly if you’ve won.”
To make her own work easier, Alien wrote a computer script to send the initial cold phish emails out, taking as variables her subject line, message body, purported sender, and list of employees to contact. As the script ran, each email added a unique identifier to the poll link. Now her website could track individual warm phish by name whether they submitted the form or not. Further scripting recorded visitors’ Internet addresses and what Web browsers they were using, information added to running warm phish and hot phish logs.
Or at least that was the plan.
Teacup in hand, dressed in her pajamas, Alien launched her attack at ten a.m. the Tuesday after Rogers had called, three days before the flight she’d booked to visit Elliot.
“tail -F warm.txt,” she typed in one screen, calling up the bank’s warm phish log. “tail -F hot.txt,” she typed in another, calling up the hot phish.
Alien watched nervously, counting the seconds since her script had started. Would anyone respond?
Fifteen seconds in, the first warm phish entry appeared onscreen: a Barn Door HR staffer, logging in from the corporate network, using Internet Explorer. At seventeen seconds, a loan officer, working remotely, using Firefox, swam into the net.
By thirty seconds, there were four employees on the site. By forty-five seconds, there were seven. By a minute, there were seventeen.
It worked!
Meanwhile, the first hot phish appeared: a branch manager. “Tue, 02 Sep 08 10:00:32,” the log reported, followed by the guy’s email address and poll answers.
He’d submitted his username and password too, but—unlike a real criminal—Alien did not actually transmit or collect the latter. The point was confirming she could have. And her social engineering assessment still had one more step.
Alien grabbed her phone. She found the branch manager’s number on her employee list, blocked caller ID, and started dialing.
“Hello?” he answered.
Her heart pounded. A familiar rush. How long until some employee called Barn Door’s actual IT department and word spread that it was a scam?
“Hi, this is Elizabeth in IT,” she said. “Congratulations! You’ve won an iPod for participating in our poll! I’m going to direct you to a site to download an Apple Store gift card.”
“Oh!” The guy sounded shocked. “I never win anything! I can’t believe it! Wait—”
Alien paused.
“Can I get the iPod at an actual in-person Apple Store?” he asked. “Or does it have to be online?”
“Oh no,” she riffed. “You can definitely get it at the Apple Store in person. Just print the gift card and take it in and they’ll scan it for you. You should see a bar code.
“Stay with me,” she continued.
The branch manager had already entered his username and password. But the masterstroke would be getting him to put whatever she wanted on his computer, because it would mean she never even needed to log in to probe or attack the bank.
“Open your Web browser.” Alien directed the manager to a final BarnDoorBankPoll.com Web page she’d created, titled “You’ve Won!” When he got there, a button let him download a “gift card” file: gift-card.exe.
“Got it?” she said. “Hit ‘Run.’”
“Uh . . . I got a pop-up,” he said a second later. “Is that okay?”
“Yeah. Click ‘Okay,’” said Alien.
“I did . . . ,” he reported. “Nothing happened.”
Alien grinned. She’d set the file up that way on purpose. But if it were an actual computer program, it could have done anything she wanted it to do, like copy, transfer, edit, or delete files, send email or instant messages, or explore the corporate network. All she needed, however, was its presence on the manager’s machine. This would prove to Barn Door that her ploy had worked, without risking any real damage.
“Hmm,” said Alien, pretending to be puzzled. “I’ll email you the gift card. What’s your address? And what’s your phone number? And do you have an employee number, just in case I need it?”
He told her everything.
“Great, great,” she said. “We’ll get that to you by the end of the day.”
“Thanks!” the manager said.
“You’re welcome.” Score!
The feeling was like taking a flag in the SCAN class competition. Except this time the flag wasn’t a computer file—it was another human.
The call ended. From the other side of the door, Alien could hear and smell sizzling bacon—one of her housemates making breakfast. She looked up at the giant blue robot staring down at her, and then back down to her screen.
Alien paged forward to the next phone number on her hot phish list.
One pwned, she told herself. Nine to go.
14 / /
The Best Around
Alien was in business. Over the next three months, Antidote subcontracted with her to provide twenty-four more social engineering assessments for corporate clients, phishing their employees by email, Web, and phone. As Jake had taught her at Los Alamos, she streamlined her procedures for maximum efficiency. Alien standardized her call script and fine-tuned her computer code to the point where she could quickly compare security vulnerabilities from company to company, branch to branch, with clinical precision.
Her first report, for Barn Door, became a template for those that followed: describe the phishing strategy, generate tables and charts with the number and percentage of employees who fell for each stage, and then suggest appropriate responses. Warm and hot phish should receive additional security training, for example. Cold phish who stayed cold could be rewarded with a genuine gift card raffle. And the entire company would benefit from follow-up assessments annually or even quarterly.
Soon she was running by herself what was essentially a large scamming operation, except that she was working for the employers of the very people she was scamming. And she was doing it all from the spare bedroom of a Cambridge commune.
Until she wasn’t.
Alien and Elliot fell hard for each other during her September visit to Parkmont. They went backpacking, soaked in a remote natural hot spring, and camped, talking InfoSec and trading UNIX jokes under the stars. Elliot was definitely Alien’s type: both an art major in college and the only person she’d ever met who had read the three-volume TCP/IP Illustrated reference books cover to cover. Subsequent visits, Elliot to Cambridge as well as Alien to Parkmont, raised the question: Since she could plug in her laptop and work from anywhere, why not move in with him?
Over the years, Alien had often wavered about whether she wanted a permanent partner, husband or otherwise. But she had always known she wanted kids. Now she was twenty-seven, and in love. It was time.
In late November 2008, Elliot flew east and packed a U-Haul trailer they hitched to the Volvo and drove west together.
Moving to Colorado and thinking about starting a family forced Alien to consider her priorities. She was determined to be able to provide for herself and any future children, no matter what. Once, working had been a way to hack. Now, she saw hacking as a way to work. Stability mattered more than novelty. As soon as she got to Parkmont, Alien hired a local lawyer and incorporated Tessman Security Consulting. The same day, she rented an office in the city’s pretty little downtown.
The space, on the fourth floor of a six-story 1920s-era yellow brick office building, was twelve feet wide and eighteen feet deep and cost three hundred dollars a month. Alien now ran things from a black swivel chair behind a heavy wooden desk that faced a wooden door inset with a classic frosted glass window and shiny brass mail slot. She set a microwave, mini-fridge, red velvet armchair, canvas lamp, and square black side table against the long wall to her left. On the opposite wall were a whiteboard, two wide wooden bookshelves,
and a bedraggled plant left over from the previous tenant, a psychiatrist.
Next door on either side were an acupuncturist and a young attorney.
During one afternoon in Alien’s first week in the new digs, fat snowflakes fell outside, piling up on the street below, causing minor traffic delays as area skiers flocked to the surrounding mountains. Alien opened a care package from her mother: foil-wrapped latkes, traditional Hanukkah potato pancakes.
“I’m sorry these are cold,” the accompanying note said. “They take a while to get to you. If only you lived closer, they might still be warm.”
And then her phone rang. Bill Rogers. Alien had told him that she was opening a “Rocky Mountains” office.
“End of the year is always crazy for us with people trying to check off their security assessment,” he said. “Do you do remote pentests?”
Alien didn’t hesitate. She’d tracked online security holes at Mayflower Hospital and won the capture-the-flag contest in Bruce’s SCAN class, ridden shotgun on the Elite Defense airline pentest case and helped write the report afterward. Yet leading a remote pentest—trying to break into a client’s systems using only your own Internet connection and computer—was the kind of assignment she’d wanted but never gotten at Elite. Now Rogers was handing it to her.
So what if she had never done it before?
“Sure,” she said.
“Great!” Rogers responded. “I’ll send you the specs now. I need it in forty-eight hours—close of business December seventeenth. And it’s twenty-four hundred dollars.”
For that paycheck, she was happy to pull back-to-back all-nighters if need be.
“I’ll get it done.”
As soon as she received from Rogers a signed contract and the addresses to be tested, Alien removed a thick orange three-ring binder from her desk drawer. It held the most recent contracts, statements of work, and other records for each job she had undertaken for Antidote. Given how many assignments she had now, she’d abandoned code names like “Castle” as impractical. Instead, as at MIT, everything had a number, each piece of work being identified by a unique four-digit client code, followed by a three-digit project code.
For example, 0424-003 described her third project for client 0424—Barn Door Bank.
The front page of the binder, which she updated with each new project, summarized the contents of the volume in a six-column grid: client name, project description, contract dollar amount, and the dates on which she had submitted her report, invoiced Antidote, and received payment. The whiteboard on the wall listed the same information for active projects.
Everything else she’d brought was still packed except her black ThinkPad laptop and boxy gray space heater. The former was on the desk, the latter on the floor beside it.
Alien fired up both.
The client, ironically, was another cybersecurity company: Knight Watch. It wanted a penetration test of its primary website, which had a login page to let customers and employees upload, download, view, or edit sensitive files. Alien’s goal was to see if she—and anyone else online—could do the same.
As the sun set, she gave the company code number 0811, added the job to her binder and whiteboard, and started a port scan of Knight Watch network addresses.
In less than two minutes, Alien nabbed the address and port of the company Web server.
Common login flaws included the ability to trick the process into running database or scripting commands, as in Alien’s SQL injection attack at SCAN, or poor management of the connection between the individual browser and Web server, which might be susceptible to retrieval, reuse, or hijacking. Before trying any of these approaches, however, Alien checked the website’s underlying HTML source code. First, she used an automated tool to “spider” through the site, systematically visiting every page, before downloading the entire thing with Wget. Then, with custom command-line scripts, Alien searched for any instances of “password,” “admin,” and other keywords.
Nibbling on a cold latke, she read through the results briefly—and then she leaned forward.
Whoever set up the login portal had left an enormous opening in the password verification system. They’d permanently fixed the administrative username and password, and written them into the source code for the page. Both were listed in a common computer code called Base 64, right in the HTML—like the captain of the guard leaving the key to the palace under a mat at the main entry.
“echo YWRtaW5LVwo= | base64 --decode,” Alien typed at the command line. “echo cGFzc3dvcmRLVwo= | base64 --decode.”
“adminKW,” it returned for the username.
“passwordKW” was the password.
And this is a security company?
Alien logged in. “Woo-hoo!” she shouted.
Alien roamed as she pleased through the files stored on the Knight Watch Web portal, taking screenshots. If KW’s competitors copied her moves, they could see all of the company’s customers. Amateur hackers could deface the website, like graffiti taggers. Pros could sell the information inside, hold it for ransom, or use it for blackmail. And hacktivist groups like WikiLeaks or Anonymous could go public with what they found, exposing everyone—Knight Watch, its clients, and the clients’ clients as well.
Before taking any further steps, Alien phoned Rogers, even though it was after ten p.m. where he lived on the East Coast.
“That was fast,” he said.
“I found a critical vulnerability,” she said. “I thought you and Knight Watch would want to know immediately.”
“I appreciate it,” Rogers said. “And I’m sure they will too.”
Alien worked well into the night to make sure every detail was exactly right on the report, and then sent it before she went to sleep. The next day, she filled out the invoice and submitted it to Antidote. With no small satisfaction, she updated her binder and whiteboard tallies accordingly.
“$3,500, $800, $1,500, $1,600, $1,000, $4,500, $1,800, $4,000, $1,200, $2,400,” read the last ten entries in the binder’s “Amount” column. And there were several more above them.
“Happy Hanukkah,” she said aloud to herself.
In her first quarter as a freelancer she was going to make fifty thousand bucks.
Hacking was half the job for Alien. The other half was managing her relationship with Antidote and the clients it provided. And her schedule. InfoSec was a seasonal industry. Most pentests were booked between October 15 and December 31, to meet end-of-year deadlines, with long lulls the remaining months. To keep up her own bottom line, Alien called Rogers two or three times a week, chatting with him, charming him, soothing his own anxieties, and soliciting additional work through the winter, spring, and summer of 2009.
The reward was a new roof over her head. In early September, little more than a year after her first assignment as an independent consultant, Alien went house hunting with Elliot, upgrading from his one-bedroom bachelor pad on a busy street to a three-bedroom home on a maple-lined cul-de-sac. The good news, in terms of making the hefty down payment and monthly mortgage, was that she was netting two and a half times her old salary at Elite Defense. The bad news was that she was dependent on Antidote for every penny. By the terms of her contract, Alien couldn’t even tell clients that she was a subcontractor, much less ask for direct engagements from them for TSC.
As she was pondering this dilemma, Alien got a call from the head of her local Internet service provider, stalwart host of all her phishing sites. “A kid just came to my office,” he said. “He asked if he could hack my network.”
Alien smiled. “What did you tell him?”
“‘Sorry, no.’ But can I send him your way?”
Alien agreed. Soon after, the kid—Luke, a Parkmont College senior—met her at a coffee shop two blocks from her office. Five eight, medium build, with mussed light brown hair and long swooping sideburns, Luke wore black Nike sneakers, blue jeans, and a black button-down shirt redolent of Abercrombie & Fitch Fierce cologne.
“T
hanks so much for meeting me. I really want to do pentesting,” he said. “And I’ve done it at the college.”
“Done what?” asked Alien.
“I work with the security team,” Luke explained. “I scanned the network there and found lots of vulnerabilities. I keep reporting it to my bosses, but nothing happens. Anybody at the college could steal all the student records.”
His frustration was obvious to Alien. When she nodded sympathetically, he leaned forward. In a whisper, he added, “Like last week—my friend Gus and I were in lecture, and we totally hacked our professor’s computer and made it so that there were sheep walking across his boring PowerPoint.”
Alien laughed. “Cute,” she said. “If you’re going to be a professional, though, you can’t mess around anymore. No more hacking your teachers. Got it?”
Luke’s expression turned serious as he nodded. “Got it,” he said solemnly. “Just show me. I’ll work for free,” he pleaded.
Rather than jump at it, Alien recoiled at his proposal. She found the idea of not paying people for their time unethical. But she had no idea how employing someone would work either, especially when every contract from Antidote came on such short notice, and with no certainty of more to come.
Still. She remembered her own earnest pursuit of Bruce and Elite Defense. He wants to learn, and maybe I could teach him. And maybe it would help me.
Alien took a deep breath.
“I’ll give you a tryout, and we’ll see. And I’ll pay you,” she said. “How much do you make now?”
“Ten dollars an hour,” Luke responded.
“Deal,” Alien said.
An employer in another industry would have seen Luke’s youth and classroom hacking hijinks as liabilities. In information security, they were assets. Alien couldn’t think of a top white hat, from Kevin Mitnick on down, who hadn’t broken the law—or at least the rules of one institution or another—to learn the tricks of the trade. That Luke wanted to explore and break boundaries was part of what qualified him as a potential pentester.