- Home
- Jeremy N. Smith
Breaking and Entering Page 29
Breaking and Entering Read online
Page 29
Nevertheless, she wasn’t going to take unnecessary chances with her clients’ privacy and security, or her company’s reputation. She’d have to train Luke carefully, and keep a close eye on his work.
Since Alien wanted her own independent space, she moved up a floor in her building, renting two adjacent offices—one for her, one for him—and drilling a hole in the wall between them to share phone, power, and Ethernet. They needed central file storage, she decided, so Alien purchased a Dell PowerEdge server she set up on the MIT Athena model, including strict access controls and encryption. Now Luke could see and do only what she chose to allow. Finally, Alien asked the same attorney who’d helped her incorporate her business to draw up a nondisclosure agreement and other employee documents. These signed, the paid internship, as they called it, officially began.
Elite Defense had made Alien furnish herself with almost everything she needed to do her work for them. She wanted Luke to feel more supported. She purchased an ergonomic office chair for his workspace, sliding it behind a faux-wood desk donated by her landlord. Atop the desk was a telephone and a refurbished ThinkPad, wiped clean and running Linux, connected to a keyboard, mouse, and external monitor. A few feet away, on a long folding table, the file server whirred noisily. Her biggest purchase was a $2,500 black dishwasher-sized commercial shredder, capable of pulverizing a sheet of paper into more than 1,500 impossible-to-reassemble bits, located directly under the whiteboard.
But the main mission was transforming Luke’s aptitude into ability. “I’m going to be setting up a phishing site,” Alien greeted him when he arrived on his first day. “Watch me.”
“Yes!” He was even more enthusiastic than when she’d offered him the job.
“Sit down,” said Alien. It was essential to make clear her own professional values and how they translated into specific methods she expected him to follow.
As her opening instructions, Alien repeated what Jake had told her at Los Alamos: “First, always take the time to get your environment set up right. It’s worth it to invest the time you need at the beginning.”
He nodded, but she wasn’t sure he fully got it. She felt she should explain further. “Hacking takes work. Yes, you have to be cool winging it. But you won’t get any better unless you master your tools and then build up from there.”
As they proceeded, Alien quizzed Luke on his Linux command line skills, which seemed rudimentary but promising. They moved to the text editor.
“This is Emacs,” she said. “Learn all the shortcuts so you can move around as fast as you want. Practice until your fingers can keep up with your mind.”
At first, examining a sample file, Luke inched forward or backward slowly, one character at a time, using the right and left arrow keys. “Control-E—move to the end of the line,” Alien instructed him. “Control-A—move to the front.” The drill continued through a dozen more common Emacs shortcuts: page down, page up, split window vertically, split horizontally, cut, copy, paste, search and replace, and so on.
“Good,” said Alien. What he didn’t know, Luke was picking up quickly. “Excellence comes from planning and practice,” she told him. “If these shortcuts save you five minutes every hour and you work thirty hours a week, that’s one hundred and fifty minutes”—two and a half hours a week, ten-plus hours a month—“you’re working productively instead of wasting time.
“The same thing is true on a project level,” she continued. “A lot of hackers shoot from the hip. It’s true that you need to be flexible. But planning and practice will give you the best results. Line up each domino perfectly beforehand so, as soon as you touch the first, the others fall down in exactly the way you want them.”
Luke rubbed his hands together. “I’m ready,” he said.
On her own laptop, Alien loaded the website for client 0497, another bank, and explained the poll and iPod prize ruse.
“What Web page do you want to mimic?” she asked.
Luke browsed a minute before settling on one with a group photo of smiling employees. Together they chose a fake domain name, one letter off from the one the bank was actually using.
“Great.” Alien switched to the command line, typing one quick instruction to grab a copy of the website, and then another to register the new domain. “It has to be registered for at least five days before the engagement,” she told Luke. “Sites that are too new are called ‘Day Old Bread.’ They get filtered first by spam blockers.”
Another nod. Luke’s eyes narrowed, locked onto the screen. He sat up straighter, ignoring the end-of-day chatter in the outer hallway as surrounding offices let out.
“Okay.” Alien explained as she entered new commands, fingers flying: “Now we need to change the DNS”—domain name system—“so it’s pointing to our Web server. . . . Now we’re going to SSH in. . . . Now we’re going to Apache to set up a new virtual domain. . . . Now we’re going to configure Postfix so we can send and receive email. . . . Now we’re copying the Web page we downloaded, renaming it, and replacing the text with our poll template.”
Together these steps gave the new domain name a working Web address and server, email access, and a set of bogus poll Web pages based on the website of the actual bank.
They decided on a new final poll question—“Would you be able to perform your job better with a company smartphone?”—changed the giveaway item to an Amazon gift card, and updated the accompanying photos, all with a few more keystrokes from Alien.
“{INSERT CLIENT NAME},” the poll template said, among other variables. “Fill those in with search and replace. . . . Save. . . . Change file permissions,” Alien told Luke, demonstrating from Emacs and the command line. “Restart Apache.”
Alien scooted forward. “Let’s test it,” she said.
Alien added Luke’s new company email address to her target list. With two more commands, she opened the Web server firewall and launched the phishing script. Then Alien slid him the laptop.
“Check your email,” she said.
Luke did. “Employee Poll + Amazon Giveaway!” the top message subject said.
“Open it,” said Alien. “And follow the link.”
Luke clicked. Poof—like magic, the new website loaded, exactly like the original bank’s, but with Tessman Security Consulting’s new poll questions and the Amazon gift card images above the smiling employees. Simultaneously, Luke’s email address and other information appeared on the warm phish log onscreen.
“Whoa!” Luke said. He double-blinked.
Alien smiled. What had taken her a week to set up for Barn Door now took five minutes. “Win first. Then do battle,” she quoted Sun Tzu.
“What now?” Luke asked her.
Alien patted the desk and pointed up at the whiteboard. “Your turn,” she said. “Do the next one. I’ll sit with you and walk you through it.”
Luke brought fresh energy to the office. He loved learning from Alien, eagerly taking on new tasks. As he got up to speed with each one, she could delegate routine assignments to him and spend more time negotiating and reviewing contracts. By the end of 2009, there were so many current projects the company needed a second whiteboard.
“Can you hire my friend Gus?” Luke asked Alien. “He’s super-talented.”
Alien thought about it. The slow season would start again soon. Who knew if she would have enough work to pay even one intern? But she also wanted TSC to conduct and present original research projects, like Elite Defense, and run its own hacking conference contests, like TOOOL. In both cases, keeping up with—and then one-upping—current trends was a way to stay at the leading edge of the industry. And having an influential audience of other insiders hear them speak, or play a contest they designed, was the best possible form of self-promotion.
“Okay,” she said. “But you have to help me make a place for you guys to test new hacking ideas.”
“You got it,” Luke said.
In January 2010, Alien rented the former break room of an insurance compan
y across the hall that had gone belly-up. She dubbed it the TSC “Playlab,” and she and Luke set about rewiring her business to integrate the addition. They created a network map for the lab, together cramming in close to twenty old desktop computers and other eBay purchases they could use to simulate—and then attack—almost any home or workplace setup. Together they cooked up ToneDef, a pun-filled, story-based, seven-part hacking challenge, to pitch as a DEF CON contest.
Soon after, Alien interviewed and hired Gus, a husky blond junior from Colorado cattle country, and another undergrad, Cheryl, a freckled redhead and accounting major, as interns. Punctilious Cheryl treated the position like a test she’d fail if she ever stopped studying. Gus and Luke, though, who shared a mischievous streak, started “icing” each other—hiding individual Smirnoff Ice bottles, which, when found inadvertently (say, atop the paper stack inside the printer), had to be opened and drunk immediately.
Hustling back and forth between configuring software in the Playlab and answering client email on her work computer one evening in mid-April, Alien heard “You’re the Best Around,” the mid-eighties synth-pop song made famous by the final fight sequence of The Karate Kid, blasting in Luke’s office.
And then it played again. And again. And again.
She walked over and found Gus seated on a big beige beanbag chair, surrounded by a half-dozen Smirnoff Ice empties.
Gus was holding his head in his hands. He moaned softly and then spoke with slurred words. “My head hurts . . . ”
Luke stood between the printer-copier and a full-sized refrigerator that had supplanted Alien’s original mini-fridge, looking on, laughing. Cheryl sat primly behind the desk in the room. She tried to ignore both guys, focusing instead on the screen of her laptop.
“What happened?” Alien asked, as if it weren’t obvious.
“Cheryl got me,” Gus said. “I went for one of the apples in the fruit bin of the fridge and found a six-pack.”
Cheryl cringed awkwardly. “I’m really sorry,” she told Alien. “It wasn’t on purpose. I was just going to use one. I tried to put the six-pack where no one else would find it.”
Gus slumped. “I had to drink it,” he said, slurring again. “It’s the rules.”
Alien toed the empty bottles on the floor. She turned the speaker off. The office looked more like a frat house than any normal place of business. Yet tomorrow morning the four of them were phishing employees of client 6110—a global law firm with more than a billion dollars in annual revenue.
“Guys, you’re professionals now,” Alien said sternly. After years of working under other people, being an authority figure felt weird to her. But the company’s existence was on the line with this—and every—contract.
Alien saw the interns as peers as much as employees. Having a beer while they were working late was fine, if it didn’t hinder what they were doing. But a drinking game like this was out of the question.
She had to discipline them, but not stress them out so much that they lost confidence in themselves or TSC.
“Gus—go home,” she ordered. “Luke—give him a ride and make sure he’s okay. Cheryl—thanks for holding down the fort.
“Get some rest. We were going to go over scripts tonight, but instead we’re going to meet earlier tomorrow. Be here at six thirty a.m., or I’m going to put you through our very expensive shredder. Which would be a shame.” She paused before continuing. “Because then I’d have to get another one.”
Everyone gathered again in the interns’ office early the next morning. The bottles were gone, Alien noticed, and the beanbag chair had been pushed back into a corner. Luke brought in a ten-cup cardboard coffee container from a local café.
She watched while “Cheryl in IT” practiced calling Gus, who posed as a 6110 employee. Gus practiced calling Luke. Luke practiced calling Cheryl. Then all three called Alien.
“I hate surprises,” she told them. For all the fast-talking she’d had to practice, Alien’s model hacker was the mastermind who anticipated in advance where the conversation might go rather than the pure improviser. “Anything they say to you, you should be ready to respond.”
First, to warm up her charges, the boss played nice in her responses: “I won? Really? Oh, thank you!” Alien enthused. Next, mimicking an inexperienced user—the “grandma,” pejoratively—she asked, high-voiced, “How do I click on that? Where’s the address bar?” Finally, Alien threw curveballs: “Cheryl in IT? There’s no Cheryl in IT!” As necessary, they stopped, edited the call script, or discussed how best to respond.
Afterward, Alien sent everyone links to the phishing site and the location on the TSC file server of the final call script and initial cold phish list with each employee’s name, position, email address, phone number, and geographic location. Different spreadsheet tabs divided the targeted employees among the interns, with additional columns for the date and time called, whether they reached the person, if he or she followed their instructions, and any other notes. “Look at the column labeled ‘ID’ for each person,” Alien said. “That’s the code I’ll send you if someone on your list turns hot. Trade only if you get overloaded. And remember to check their region first so you know which location you’re calling.”
Luke, Gus, and Cheryl flipped their laptops open.
“Oh—and don’t forget to block caller ID,” Alien said. “They’re going to catch on to us eventually. And when they do, we don’t want them to call us back.”
At five minutes to launch time—ten fifteen a.m.—Alien checked her watch.
“Get ready,” she said.
Alien walked back to her own office. She opened the cold phish spreadsheet and an IRC chat window alongside the command line on her laptop. Until you fell for one, it was easy to make fun of phishing schemes, and assume the people behind them were small-time crooks. But what followed was as closely coordinated as a military missile strike.
At the command line, Alien typed:
sudo iptables -n --line-numbers -L | less
sudo iptables -I INPUT 40 -p tcp --dport 80 -j ACCEPT
sudo iptables -I INPUT 40 -p tcp --dport 80 -j LOG
sudo iptables -I INPUT 40 -p tcp --dport 25 -j ACCEPT
sudo iptables -I INPUT 40 -p tcp --dport 25 -j LOG
“Opening firewall to allow access,” she wrote in the IRC window. “Confirmed firewall port 80 open. Confirming external access successful. Opening firewall port 25.”
At the command line, Alien typed:
./phish-script-1.1.sh -v config.txt
“Sending test email,” she wrote in the IRC window, “config.txt” being the configuration file containing a pointer to her cold phish recipient list—for test purposes, the email addresses of Alien and her team.
“Test email received,” replied Cheryl.
“Received,” Luke confirmed.
Alien opened two new terminal windows for her warm and hot phish logs. In the first, she typed:
tail -F warm.txt
In the second, she typed:
tail -F hot.txt
“Checking user tracking,” she wrote. “Click your links.”
They did—and the warm phish log updated accordingly. When each of them filled out and submitted a poll, the hot phish log updated too.
“Confirmed user tracking working properly,” Alien wrote. “Loading target list. Launching emails in thirty seconds.”
The others waited. In Emacs, Alien updated her cold phish recipient list to include the email addresses of their actual targets, the employees of client 6110. Again, she typed:
./phish-script-1.1.sh -v config.txt
Hitting the Enter key to put the phishing expedition in motion was the hardest part. In spite of all her experience, it was dreadful every time. There was no way to know just what would happen, except that there was no going back.
Milliseconds later, in some of the most well-appointed law offices across the country, people’s computers beeped.
New message!
Out-of-o
ffice replies came first—a good sign. Their messages were getting through. And the information about who was out, for how long, and whom to contact in their absence would let the TSC team customize calls with inside references: “Is Margot back from Hawaii yet?” “Dave gave me your name.” “Yeah—Ben mentioned that before he went to Philadelphia.”
Still, Alien was antsy as she waited for the first click-throughs. At ten seconds in, she counted two warm phish. Twenty seconds later, she had five. Another fifteen seconds and she had ten.
“Warm phish incoming . . . ,” she typed. Alien held her breath, waiting for a submitted poll, like a general holding out for the first word back from the front.
Then their first catch appeared on the hot phish log. One of 6110’s billing coordinators, based in Dallas and assigned to Cheryl.
Alien exhaled.
“Cheryl—hot phish,” she typed. Alien copied and pasted his ID.
“Hi,” she heard a moment later through the thin office walls. “This is Cheryl in IT. Congratulations! You’ve won the Amazon gift card for participating in our poll! I’m going to direct you to a site to download it . . .”
Two more followed almost immediately—an East Coast marketing associate, assigned to Gus, and a West Coast lawyer, assigned to Luke.
Alien directed each their way.
“Hi,” she heard. “This is Gus in IT. Congratulations! . . .” “Hi! This is Luke in IT. Congratulations! . . .”
The round-robin, cross-country phishing chorus continued for almost fifteen minutes.