Black Hat Blues (2 page)

the last month, computers all around the world with software hidden

in their root directories that allowed the Crew to control them remotely

and use them without the owners’ knowledge. Coupled with the new

version of The Onion Router anonymizer network being shown off in

the hotel that weekend and the other precautions C1sman had taken,

their actions should be more than adequately hidden from anyone try-

ing to track them down. Of course with a little luck, no one would

ever realize there was anything that needed to be tracked down until

it was too late.

Rick Dakan

5

“6,328 and counting,” c1sman said, nodding his head slowly up and

down. “More than enough to do the job.”

“Well then,” Paul said, “Let’s get started doing the job, shall we?”

Paul knew exactly what c1sman was going through right now, or

at least he suspected he did. He’d felt it himself often enough: that

stomach sloshing, rising tide of doubt and panic that came when you

were about to do something incredibly illegal for the first time. Or the

second. Or the fifth. Paul had lost count at this point, and for him the

fear now came as less of a tidal shift and more of an intestinal simmer-

ing. Most of the time. Right now he was so much more worried about

all the complicated pieces he’d set in motion coming together in sync

that he had little anxiety left for the potential legal consequences. But

he knew c1sman felt he’d not broken the law in any serious way before.

The RIAA and MPAA would no doubt differ if they could somehow

look at his bit-torrent history, as would the people whose machines he

now owned through what he called his “beasties.” But they were face-

less corporations or clueless losers who weren’t out anything more than

a little CPU processing time or profits they never would have earned

from him in the first place. This time the target was a real person and

the damage would, if all went according to plan, be quite devastating

indeed.

So Paul looked for ways to distract the Crew’s new recruit, keeping

him focused on the area he was most comfortable with in the whole

wide world: hacking. Ever since he’d agreed to come on board as a full

member six months ago, c1sman had been working on this one project

for them. He was a meticulous planner and very careful in his approach

to any problem. Not that Paul found his style conservative. C1sman was

quite inventive and innovative, but he always wanted to make sure that

every little detail was just right before proceeding. So far that cautious

approach had served the Crew’s needs just fine, but now that D-Day

had arrived, Paul doubted that circumstances would allow for such

consistent circumspection.

When Paul and Chloe had revealed the target’s true identity and

crimes to c1sman the previous Fall, he’d been as outraged as they’d

hoped and expected. Then they just turned him loose with the time and

resources he needed. When they checked back in with him a few weeks

later, he’d reported that it was by no means going to be as easy as he’d

hoped it would be. He wondered if there might be an alternate target,

someone less well protected, but that part of the plan wasn’t fungible.

It had to be this target, and it had to happen by February. C1sman

6

Geek Mafia: Black Hat Blues

had grumbled a bit, but only a bit, and got back down to work on his

reconnaissance. Paul decided to “help” him as best he could and took a

couple weeks to leave the Crew’s home base in Key West and drove up

to Athens, Georgia to sit at c1sman’s right hand and watch the master

at work. Paul ended up having more fun than he would have imagined,

and Chloe would have been appalled at the amount of gaming they

indulged in if he’d told her the truth, but mostly he learned a hell of a

lot about how hacking a system works.

Those weeks in Georgia, in the long hours crammed into his tiny

second bedroom they spent between games, c1sman had begun with

what he called Recon on the target Paul had given him. “Before we

even start to actually try and break into a system, we need to find out

as much as we possibly can about our target,” c1sman had explained

to Paul. “Most people make the mistake of thinking only about their

files and how they’re going to keep them out of some hacker’s stealthy

grip. This is not thinking like a hacker. Hackers don’t start with their

focus on the data they’re after, they focus on the applications they can

break. Software is so complicated that the more you have, the more

potential vulnerabilities there are. Kickin butt as a hacker really means

finding out how these applications break and then exploiting them, and

reconnaissance can tell you a butt-load about what software the target

network is running.

“We’ve gotta be as thorough in our Recon as possible. In most cases

reconnaissance should comprise something on the order of 70% of a

hacker’s effort, because the fact is, the more we know about our target,

the less time we’ll have to spend actually hacking their system and

therefore the less likely we are to get nailed. We want to answer as many

questions about the target as we can before we start.” Paul always found

it intriguing to watch c1sman slip in and out of teaching mode. One on

one, most of the time, he was just your average gamer dude. In groups

he quieted down a lot, although still threw in the occasional funny

zinger or useful insight. When he was stressed and working he sounded

scattered and often repeated himself. But when he was in his element,

explaining the facts about something he knew backwards and forwards,

he was as clear-spoken and talented a teacher as Paul had ever seen. OK,

maybe a little pedantic sometimes, but still, he exuded the quiet con-

fidence not of someone boastful of their abilities, but rather someone

who takes their own expert knowledge as a given fact, no more notable

or less true than the sky being blue or the laws of thermodynamics.

When it came to network security hacking, c1sman’s knowledge was

unassailable. Or so Paul hoped.

Rick Dakan

7

The goal of their Recon Mission was to answer as many questions

about the target as they could, starting with such simple things as

figuring out what operating system its servers were running, which

patch level they’re at and so forth. C1sman pointed out that the biggest

source of security holes is human errors, especially not keeping software

updated with the latest security patches from the manufacturers. If they

could find information about which version of the software the target’s

using without having to directly probe the target network, then they’d

know where to start looking for likely vulnerabilities.

Paul had been surprised to see that c1sman’s starting tool of choice

was Google. As far as c1sman was concerned, the best place to start

looking is Google, which he referred to half-jokingly as an “uber leet

hacking tool.” But c1sman was talking about the skillful use of Google

to its fullest capabilities, not just typing the target company’s name

into the main search page and seeing what comes up (although that’s

in fact what he did to start). As he explained it to Paul, there’s a vast

potential reservoir of useful data waiting in places like Google Groups,

where there are various tech support and software discussion groups.

Company employees often post requests for help solving technical prob-

lems they’re having with their networks and applications. Such posts

sometimes include info about what version of software they’re running,

what problems they’re having and even things like user IDs and pass-

words. Google is also a source for locating branch offices, information

about the company’s officers and executives, and other hints that might

lead you to a weak spot in the company’s security. The security at the

corporate HQ might be top notch, but if the CEO is logging into

the network from his unsecured home wireless network, an informed

hacker can take easy advantage of the situation.

C1sman didn’t find any obvious, easy to exploit holes in the target’s

security through Google, but he hadn’t expected to. He got some of

the information he needed about what software the target network ran

and some especially juicy info about what patches they had installed in

a few cases. He cross-referenced those with several databases of known

exploits, but didn’t come up with anything he could use right away.

C1sman also used perfectly legal and passive (and therefore undetect-

able) tools to map out the Domain Name System (DNS) of the target’s

various websites. Searching through corporate records, openly available

DNS registration info and using tools like samespade.org, they were

able to uncover the full extent of the various sub-pages and hidden sec-

tions of the target’s site that they otherwise wouldn’t have found just

by browsing the company website. These records provided c1sman with

8

Geek Mafia: Black Hat Blues

several dozen new possible points of entry when it came time to finally

try and hack into the target network.

The searching took days, mostly because c1sman liked to leave no

stone unturned and wanted to give his own mind time to refresh and

come up with new search strategies after he’d had some time to go

over the results he’d already gathered. Paul missed Chloe and Key

West, and would have liked to go out and at least see some of the sites

of Athens, Georgia, but c1sman was more of a stay at home and drink

beer kind of fellow. So Paul improved his Halo and Call of Duty skills

and in turn introduced c1sman to the online game he’d helped create,

Metropolis 2.0. Paul still played the game, despite the painful asso-

ciations he felt, because it was a good game. Which is not to say that

when c1sman suggested a few possible hacks that might allow them

to exploit the game, Paul’s interest wasn’t piqued. But that was for

later—right now he wanted all c1smans skills focused on the primary

target.

In the second week, they started breaking laws. Everything so far had

been both passive and legal—there was no way the target could know

that they’d been investigating it because they hadn’t done anything

intrusive or possibly illegal. But now it was time to cross the Rubicon

and start actively probing the target’s network, and that was why Paul

had spent all this time with c1sman. Although he’d done this exact

thing before, most of the time it had either been out of curiosity with

no other malevolent intent or, more rarely, on behalf of someone who’d

given him permission to test their network’s security. Paul had feared

his new recruit might back out, but no, he was too excited to follow up

the leads he’d found during Recon and more than ready to start doing

some real hacking.

With all that build up, Paul was a little let down when he realized

how small and simple and, well, boring, that initial shift into criminal

territory was. C1sman’s first step had been a single “ping,” a super short

message sent from one computer to another to see if a particular port

on that network is active. He assured Paul that the ping was “totally

one of the most underestimated tools in the hacking arsenal.” A series

of pings would tell them about what servers were live and working

on the network as intended, but it could also reveal data about the

operating system type, the existence of firewalls, and other vital data.

A Traceroute command (which traces the route the ping takes through

the internet) gave them an idea as to where in the US the target net-

work was physically located by calculating how long the packets took

to travel. Although there were many tools that he liked for this task,

Rick Dakan

9

c1sman described himself as “old school” and liked to use the classic

hacker tool nMap for his personal pinging needs.

“The thing about port scanning,” c1sman explained to Paul, “Is that,

since the whole point is to send out packets and see how the target net-

work responds, the target obviously knows it’s getting pinged. A sudden

series of rapid pings across the network is a sure sign that something

fishy is going down, and a good sys admin will know something’s up.

Lots of firewalls and other security software packages are triggered

based on the timing of events and will automatically respond to such

scans.” In order to avoid this fate, they did what amounted to stealth

port scanning. C1sman set nMap to run a very slow scan, allowing their

probing pings to get lost in the general background noise of regular

Internet activity. They also coordinated their scan from several differ-

ent computers using different scanning techniques so that there was no

discernible pattern for the target’s security programs to pick up on.

All this pinging took a patience-trying long time. Paul burned

through four different disposable phones keeping in touch with Chloe

while she and Sandee were still following up on their own recruiting