The Loyal Nine (12 page)

The Zero Day Gamers, like seasonal hunters, might spend days or weeks searching for their prey, without meeting success. But once a hacker discovered an initial compromise opportunity, the entire team looked for a foothold in the computer network. Once a foothold was established, a hacker team consisting of a coder and a programmer escalated privileges within the network until they reached an administrator’s status or higher. Once in place, the hacker could navigate the entire system, making changes. Then the game began—the zero-day game.

The term
zero day
was used because the system programmer had zero days to fix the flaw. A patch for the vulnerability was not readily available. Over the past several years, an underground gray market had arisen, where a hacker contacted the system administrator and made them an offer they couldn’t refuse—pay us to leave you alone, or we will sell our information about your vulnerabilities to the highest bidder. Buyers included Fortune 500 firms, foreign intelligence services, terrorists and even the United States government. Payment was non-negotiable, and the consequences of nonpayment were strictly enforced.

Lau looked up at the chalkboard on the back wall of the Hack House. The
end game
, the mission statement of the Zero Day Gamers, was succinct:

One man’s gain is another man’s loss; who gains and who loses is determined by who pays.

Lau applied the same philosophy to his employees. The Gamers were paid handsomely for their efforts—and to buy their silence. The students came to Zero Day Gamers for a number of reasons. Some needed the money and were trying to monetize the in-class research they conducted for others. Some participated for the thrill and feeling of compromising another’s private world. Others simply enjoyed “sticking it to the man.” There were similar operations to the Hack House all over the world. Underemployed techies looking for lucrative paydays and a chance to have their talents recognized among their peers. They were located in Russia, Eastern Europe, the Middle East, North Korea and especially China. Hunting for software holes was grueling drudgery, but it was the most lucrative security job available to them. Symantec or McAfee might start a new technology graduate at eighty thousand dollars. At the Hack House, an employee could make that in a day, if they played the right “zero-day game.”

“I’m in!” exclaimed one of the Gamers, holding his hands high over his head.

Lau snapped to attention and turned his Red Sox cap backwards.
Game on!

“Talk to me,” said Lau.

“I’ve been pen testing these guys on and off for days. My gut told me there was an opening, so I kept trying,” said Herm Walthaus, an MIT grad student.

Lau had not been particularly impressed with Walthaus thus far. His best hack was entering the Applebee’s Restaurant servers. They were unable to secure any funding from Applebee’s, and eventually settled for scrambling their computerized register system known as Squirrel. Within an hour of being denied payment, and finding no interested buyer for the vulnerability, Lau settled for changing all of their menu items to some form of nut. Applebee’s Burgers became Walnut Burglars. Sizzlin’ Fajitas became Spoiled Veruca, paying homage to Willy Wonka. The restaurant chain was forced to close their doors for days. The economic impact to the company was reportedly in the millions and hammered their stock on the NASDAQ.
They should have paid us something.

Pen testing was just what it sounded like—a test to see whether you could penetrate a network. Pen tests had huge value when done correctly. Even if done incorrectly, pen testers enjoyed the thrill of the hunt. If thwarted, the hackers could disrupt a system using denial-of-service tools—DoS. These tools might simply fire off an attack on the system, causing internal reactions to seal network vulnerabilities, which resulted in the unintended consequence of destabilizing the entire network. At a minimum, a visitor to a website might receive a “Page Cannot Be Displayed” error message. At worst, the entire network misfired, requiring a reboot and repairs of possible network damage.

“Okay, Walthaus, settle down,” reassured Lau.

Walthaus was sweating, and his face was getting red from excitement. The extra weight crowding his waist didn’t complement the scene. The last thing Lau needed was a heart attack victim at the Hack House. He calmly placed his hands on the young man’s shoulders.

“Tell us what you have going on. Slowly,” said Lau.

“Professor, I have breached the firewall of TickStub,” said Walthaus.

Lau leaned over and surveyed the screen. It appeared TickStub utilized a Windows-based RRaS server—routing and remote access server. This was not uncommon. Windows servers were the most widely used, a piece of cake for a novice hacker. Walthaus was well beyond the RRaS firewall, having penetrated the TickStub ordering system. Step one, the initial compromise was complete; now Lau needed to evaluate what was exposed. Once he gained a foothold in the system, he could expand his perusal of the network later.

The screen read:

Welcome to the TickStub ordering system.

You must login to start.

Username:

Password:

The room was deathly quiet. All keyboard activity had ceased, and full attention was upon Walthaus and Lau. Lau stood upright and adjusted his cap.

“Listen up, everybody,” said Lau. “As you know, we have a limited time frame now. Once we start this process, it’s rock-and-fuckin’-roll, got it?”

A few
yes, sirs
were audible over the tension.

“I’m going to let Walthaus take the lead on this one. He’s done a good job so far. But everyone will play a role in the next critical steps. I will be giving a lot of direction, and the requests will come to you fast. Pay attention, do your jobs and, above all, learn. This is a classroom, remember,” said Lau.

His subtle joke eased the tension, and he could feel himself exhale a little.

“Malvalaha, I want you to coordinate the DDoS attacks on my
go.
Once we’re in, we need to confuse the network to think they’re receiving heavy volume,” said Lau. “Use the Russian handlers, they’ll get the blame. Sorry, Malvalaha.”

“I don’t care, I was born in Brooklyn,” said Malvalaha with a shrug.

DDoS, or distributed denial of service attacks, were used to temporarily or indefinitely interrupt a web server’s ability to connect to the Internet. The common method of attack saturated the target network with external communications requests to the point it could not respond to legitimate web traffic. The result was server overload and an excellent distraction while Lau conducted the rest of his “business.” A DoS, denial of service, attack generally involved one attacker. In order to truly overload a system, the DDoS attack was preferable. Lau had established multiple servers throughout the world to act as
handlers.
The handlers were accessed remotely by the computer systems located in the Hack House. Each computer station controlled multiple handlers, and each handler controlled multiple compromised private computers. On Lau’s signal, if necessary, the entire handler system would be activated to attack the targeted web server at TickStub.

“Fakhri, have your group on standby for research,” said Lau. “As we begin to elevate our privileges, we may need to implement our password-cracker tools.”

“On it,” said Fakhri. “I’ll have my guys searching the web to learn all we can about their IT people. We always find them on forums and techie blog sites. It doesn’t take long to put two and two together.”

“Here we go,” said Lau. “First, now that we’re past the firewall, we’re going to bypass the web server and leave the domain alone. Our first stop will be the database—the SQL server.”

“Walthaus, initiate an SQL injection. Let’s see how well their coding techniques are. Their DBMS, database management system, may reject the query, but it will return legitimate data in response.”

Walthaus immediately began entering keystrokes and sat back in his chair to observe the results. Lau watched intently.

“Now, let’s introduce some cross-site scripting to compromise the DBMS server. In the username field, enter
foo’ OR 1=1;--
followed by admin in the password field,” said Lau. The screen changed and now read:

Welcome to the TickStub ordering system foo’ OR 1=1;--

“Excellent!” exclaimed Lau. “Now we can use an injection vulnerability to send commands to their back-end database server in order to elevate our privileges. This will allow the DBMS server to run commands for us. It’s time for the next step.”

Lau knew the web-based server controlling the domain and its web traffic was fully secure and had its necessary patches in place. Most IT departments placed all of their focus on the web server because it was utilized by the public via the Internet.

“Most likely the web server is secure. Why beat our heads against the wall trying to crack its code, when we can simply give ourselves administrative access by elevating our internal user privileges, right?” asked Lau, playing the role of professor.

“Let’s pull out our toolbox and make our job easier, shall we?” asked Lau, clearly in his element. “Walthaus, upload Netcat to the DBMS server.”

Walthaus dutifully complied.

“Now enter
Xp_cmdshell
into the command field and we’ll see how complex their administrative system is,” said Lau. Lau watched as the screen changed, providing him the c-prompt he anticipated.

“Okay, everyone, Netcat has enabled us to attain our first foothold, and we are well on our way to overtaking the network. We are no longer an anonymous user. We are now an insider,” said Lau.

A few claps were heard from the team.

“Class, we need a name; who am I?” asked Lau.

“Whoami,” said Walthaus. “You know like the old Abbott & Costello routine—’Who’s on First?’ Our username should be
whoami
.”

Lau laughed heartily. It was perfect.

“Absolutely, Walthaus, whoami it is,” said Lau. “Okay, Mr. Whoami, run an ipconfig on the system so we can determine the lay of the land. Let’s see what our new system is made of.”

Lau watched as the server IP addresses scrolled down the screen, including their internal Ethernet connections. He instructed Walthaus to screen-cap everything and print it for reference.

“We now have effectively taken over the web server. From what I can see here, we have complete connectivity between the web server and the SQL server, which gives us total control over the domain—TickStub.com.

“Before we go for the big prize, the database, let’s pull another tool out of the toolbox. Dump a Trojan in the web server so we can come back in the front door in the event an administrator busts us and we have to run out the backdoor,” said Lau.

The Trojan would install a credential manager, which allowed the creation of usernames and access privileges at the highest levels.

“Final step. Fakhri, how’d you do?” asked Lau.

She approached him with a printout of potential user names and passwords derived from their Internet search. Lau handed the same to Walthaus and gestured to give them a try.

“Bingo. I’m in the back-end data center, which contains all of the usernames, passwords and stored credit card information. I went ahead and tried this combo on the TickStub corporate server and succeeded there as well. We have full access to employee files, W-9s, retirement plans and health care records,” said Walthaus.

Lau took a deep breath and looked around the room. He could feel what they were thinking—big potential payday. He studied the wall for a moment, once again reciting the words in his mind:

One man’s gain is another man’s loss; who gains and who loses is determined by who pays.

“Malvalaha, run this by Bogachev’s people in Russia. Fakhri, contact SEA, the Syrian Electronic Army. Discreetly put the word out. This company does nearly half a billion dollars a year in revenue. It’s time for Mr. Whoami to make the call.”

Chapter 14

January 5, 2016

Steps of the Massachusetts State House

Boston, Massachusetts

“
We are coming to you live from the front steps of the Massachusetts State House in Boston, where we are waiting for first-term Senator Abigail Morgan to announce her bid for reelection to the United States Senate. The announcement comes as no surprise to anyone; however, it does come with its share of controversy. Senator Morgan ran as an independent six years ago, but has consistently caucused with the Republican majority since 2014. Some have accused her of hypocrisy, but as we know, in Washington, hypocrisy is in the eyes of the beholder. Massachusetts Democrats have made it clear; should Senator Morgan be tapped as a possible vice presidential nominee on the Republican ticket, which is a good possibility, then she will receive a stern challenge to her senatorial candidacy. Back to you, Chris
,” said the CNN reporter.

Abigail Morgan stood behind a backdrop featuring the United States and Massachusetts state flags, listening to the reporter’s introductions to her remarks. She was accustomed to this challenge and didn’t give it much thought. She had bigger plans than senate reelection.
Why should she settle for number two on the ticket?
The present occupant of the White House was a freshman senator when he ran for the job.
Why couldn’t she do the same?

Abbie, as she was called by family, friends and constituents, was a rock star within political circles. When she ran for senate six years ago, she chose to run as an independent, touting her libertarian leanings. Getting elected on a statewide ballot as a Republican had been extremely difficult in Massachusetts, even in an anti-incumbent year like 2010. She campaigned hard during her first election cycle, espousing her core beliefs centering on free markets, limited government, peace through strength and individual self-reliance. Her stunning appearance, strong ability to articulate the issues, and the support of a very wealthy donor base made Abbie a Tea Party darling and a viable alternative for the center left.