April 2006

n3m0 had the victims lined up, from about 20 companies he was about to single out the “lucky one”. Some of them had their websites at web hotels so they were more or less useless. The administrators of the web hotels would probably notice if some extra 15 Gb appeared on their servers and the customers would have a quota limit of much less than that.

n3m0 was looking for a website hosted in-house by its owners. After a lot of interruptions, some more noodles, searches through whois records and dns queries n3m0 was down to six targets.

The next step was to test the Internet connections of the companies. In the end he settled for one company and had two others as backup if things didn’t go as planned.

Regal-Pens were a company selling fine pencils, pens, ink bottles and other writing tools. n3m0 couldn’t remember when he had used a pencil the last time (not counting the ones in Gimp), he didn’t even know if he had an ordinary pen anymore. Why would anyone want to use those? n3m0 did a search on his hard drive after an mp3 with the Flintstone’s theme, he didn’t find one. The urge to fire up a torrent client was overwhelming but n3m0 managed to stay focused at the task at hand.

With the mark set it was time to set up a test environment. Instead of downloading music he started up VMware Server and began to install a Windows Server guest. While the unattended installation proceeded, n3m0 started to look for a suitable asp script that he could use; ages ago he had written a file called n3m0-was-here.asp. He grabbed the file but renamed it nomad.asp. The script basically downloaded and ran netcat.

*BEEP* *BEEP *BEEP*

n3m0 jumped high in his chair as the alarm clock came alive. It showed 6:45 AM.

Shit, not again. Not for the first time n3m0 had been up all night, it was time to go to his real job. For the last 16 months n3m0 had been employed as a member of a help desk department. The salary was barely enough to live on and the job was painfully boring but the plan had never been to stay on the help desk crew.

n3m0 smelled his arm pit. Oh, bad bad bad, he pulled his nose away in disgust. He grabbed an usb stick and copied the asp script to it. Then he headed for the shower.

There wasn’t any breakfast to speak of in his apartment and he seemed to be out of toothpaste. Looking in the mirror before walking out he saw an exhausted young man staring back at him. It was going to be a long day.

Tags: security, stories, fiction

n3m0 had managed to boil his noodles for fifteen minutes instead of the recommended three; it didn’t improve their taste. Unsatisfied by his meal n3m0 sat down at his computer again. After reading his feeds he got back to work.

He came across an advisory for ShowRoom.Asp 3.4.x, marked with the magic words, System Access from Remote. It had been discovered well over half a year ago, apparently the developers had been quick in releasing a patch and labeled it ShowRoom.Asp 3.5. Good for them, n3m0 thought. After surfing the website where ShowRoom.Asp was hosted he found a downloadable zip file of the vulnerable version, he also downloaded the patched release so he could see what had changed.

According to the Readme file, ShowRoom.Asp was a piece of software made it easy for companies to show their products on their website. It was kind of like a cms but just for a small part of the website. The users could sort their products into different categories and describe their products, upload an image and assign a price to the products.

Coding aside, the design just appalled n3m0. I bet it’s even worse when you view the page in a browser, n3m0 shuddered. As he had guessed the problem was concerning sql injection, the developers seemed aware that they should do input validation but had missed to check it on a request.querystring value.

The impact was that you could log on to the site as admin without using a password, there you added a new product but instead of uploading an image you could upload an asp page of your own choice. In the newer version input validation had been fixed and the upload mechanism only allowed .gif .jpg and .bmp.

A decently configured Windows box should prevent this, n3m0 thought as he was becoming more familiar with the code. On the other hand people who make an effort with the configuration usually don’t leave their systems vulnerable six months after the advisory is issued.

n3m0 had enough to start looking for a victim, he tabbed to his Firefox window and did a Google search; “powered by ShowRoom.Asp 3.4″

Results 1 – 10 of about 120 for “powered by ShowRoom.Asp 3.4″. (0.40 seconds)

Two words popped into n3m0’s mind when he saw the search results; Road Kill.

Tags: security, stories, fiction

While working, n3m0 didn’t think much of hunger. Placebo’s Black Market Music album was going on repeat in XMMS, all thoughts of poker had been replaced by pie charts colored blue and red. n3m0 liked those, mmm, system access. He was browsing through the advisories at Secunia, more specifically the historical advisories. What n3m0 wanted wasn’t a fancy new exploit. A new exploit would give him access but that wasn’t enough; his client would want to stay for a while after setting up the site. No, it’s better with an old ‘sploit, n3m0 thought. Going after the clueless would insure that his client had a better chance of sticking around after gaining access.

n3m0’s irc windows started blinking and immediately caught his attention. As usual n3m0 was distracted from what he was doing, he was seldom able to stick to one task long, there was always a new email, instant message, chat session or rss feed.

- orin - did he call you?
- n3m0 – yup
- orion – hilarious, sorry for that thought you’d like a laugh
- n3m0 – hehe, yeah he was a bit strange
- orion – no shit, so what did you say?
- n3m0 – I told him I’d do it, you know cash problems
- orion – lol, you must have a serious cash problem
- n3m0 – things have been slow
- orion – but still for $2100 with that time frame you should have told him to get lost
- n3m0 - $2100?!? He said $800 to me.
- orion – lmao!! you crack me up, what you’ve never seen Life of Brian?
- n3m0 – he didn’t seem like the haggling type…
- orion – Did you try? Man you’ve better get your act together
- n3m0 – jesus christ
- orion – lol or the flying spaghetti monster
- n3m0 – har har, where did you find that guy anyway?
- orion – so you’re doing it for $800?
- n3m0 – I need the money
- orion – I didn’t find the guy, M3m3th referred him to me, don’t know where he came from
- n3m0 – how much did he offer to pay M3m3th?
- orion – well nothing, M3m3th told him to piss off, that he didn’t deal with that shit. Funny M3m3th never struck me as someone with a lot of morale
- n3m0 – have any idea of what kind of site this guy is setting up?
- orion – I’m not really sure but it sounded like it was some sort of porn site

Tags: security, stories

“Define ‘considered illegal’”, n3m0 didn’t think much of laws but he was curious by nature.
“You know some people are against freedom of speech. Look at the way things are handled in China, I don’t like that.”
“So you want to free Tibet or what?”
“I’ll be honest with you. I don’t care too much for Tibet.”
“Don’t worry I won’t throw the first stone,” n3m0 didn’t even know where Tibet was let alone cared for what happened there. “But if it’s not Tibet, what kind of files are we talking about?”

“You don’t really want to know, let’s call it entertainment media.”
Yeah right, entertainment media, n3m0 started to think the caller had been right; it might be better not to know.
“Fine, so where do you want your files?” n3m0 asked, ready to type some more notes.
“At the moment the web site is running ASP, so a Windows server would be good.”
“You already have a web site?” n3m0 was confused.

“Well due to the delicate nature of my content I have to keep moving around, you see I’m a bit of a nomad.” n3m0 got the mental picture of someone riding a camel.
“Why don’t you use Perl?” he asked.
“What?” the caller could have sounded confused but n3m0 couldn’t tell with the voice distortion.
“Never mind, it was a joke. What are your requirements and more importantly how much will you pay me?”
“I need a site which has a decent Internet connection, around 15 Gb of storage. And I want it in nine days. I ‘m moving in a fortnight and I want things to be in place. I will pay you 800 dollars.”
“800 bucks, are you mad?” n3m0 couldn’t believe this guy, he used to be paid a lot more.
“Perhaps a bit, but that is my final offer. If you want to haggle the only way I’ll go is down.”

n3m0’s head was filled with thoughts of Ramen noodles and poker. I’ll win this time, I have to.
“So what’s it going to be?” the called pressed.
“I’ll do it.”
“Excellent, so I’ll call you in say five days?”
“Sure, talk to you later” n3m0 hung up the phone. It was time to go shopping.

Tags: security, stories

This isn’t related to computer security, rather unauthorized access or policy problems. I had been planning on washing my car for quite some time, time and other factors (read laziness) had however kept me from doing so. It had come to the point where you tried to avoid your clothes touching the car while stepping into it, I wouldn’t have been surprised if some kid had written on it with his fingers; Dirty!

I could have driven it through a car wash but it wouldn’t have been enough to get it clean. Instead I went to a company where they clean the car for you at a reasonable price 300 Swedish Krona (roughly $39).

Now the problem arises when I’m there to leave my car, they just want my key and say that I pay when I come back. I don’t think there’s anything wrong with the company, others who have used them have been happy and they’ve been around for a while.

However I have trouble comprehending how you could have a system that works that way. What’s to stop someone else walking into the store and pay $39 and then drive off with my car?

I wasn’t expecting to get a digitally signed service order, but some kind of paper would have been comforting. They could have asked to see my driver’s license when I left off and picked up the car.

My car is safe in my garage now but I hope those guys change their policy.

Tags: security policy, grand theft auto, security awareness

“I was told you could handle things discreetly.” n3m0 was already getting annoyed at the callers distorted voice. He considered making his voice silly himself but decided against it, this was after all a business call.
“That’s what I do best”, at least when it suits me, n3m0 chuckled to himself.
“Excellent!”

“So who are you anyway?”
“I was told you didn’t ask questions,” the voice sounded like when you play a record at too slow speed.
“Fair enough I guess. Can I ask you what you want me to do?”
“But of course, I want you to find me a web hotel”
What the fuck? n3m0 looked up at his editor window, his notes of the conversation so far consisted of a single word; Mental.

“Have you heard of a little something called Google?” n3m0 asked.
“Well yes but I haven’t found anything suitable.”
“A bit picky are we, I get,” n3m0 did a quick search “300 million hits, did you check them all?”
“Maybe not the whole lot, but I’ve checked a good few. Unfortunately most of them don’t quite meet my needs.”

He want’s me to go power surfing? n3m0 started to wonder why the caller was distorting his voice. “What’s wrong with the ones you’ve been looking at?”
“I’m having trouble with their Terms of Service documents”.
Is this guy for real? “I never read those.”
“Yes but that could lead to trouble down the road.” The strange voice finally struck home. n3m0 had worn a black hat to work before and this guy sure as hell wasn’t looking for a web hotel.

“You want me to find a web hotel that doesn’t know it’s a web hotel.”
“Now we’re on the same page,” the caller seemed amused.
You could have just told me, n3m0 thought. He had a pretty clear picture of what the caller wanted and wrote down some more notes in his editor, though he kept the word ‘mental’ there.
“Would you mind telling me what part of the ToS that didn’t agree with you?”
“Some of the material I’m putting up could be considered illegal”

Tags: security, stories

eWeek has published an interesting article about cyber crime.

“Based on all the evidence gathered over the last two years, Dunham is convinced that groups of well-organized mobsters have taken control of a global billion-dollar crime network powered by skillful hackers and money mules targeting known software security weaknesses.”
-
“If you become a known hacker and you start to cut into their profits, they’ll come to your house, take you away and beat you to a pulp until you back off or join them. There have been documented cases of this,” Dunham said.

Apparently there’s no honor among thieves on the Internet.

Tags: cyber crime

Not for the first time n3m0 realized he had been killing a few hours at del.icio.us. Hunger had started its pull some time ago but the only food he had at home was Ramen Noodles. God I’m sick of those, he thought. He had been browsing “Get Rich Quick” links and poker strategy. He knew he was fooling himself regarding the get rich quick schemes, but he was getting desperate and too little sleep was affecting his brain. n3m0 had started playing online poker four months ago, the feeling that he was James Bond had vanished when his winning streak had ended abruptly. Confident of his abilities, he hadn’t missed a beat; instead he kept on playing and he was loosing big.

His car was quite old and he hadn’t used it much of late so that had been one of the first things to go. I was going to get a new car anyway, n3m0 tried to defend his decision. Some days he fooled himself, other days he banged his head into the wall to punish himself. Wouldn’t be able to pay for the petrol anyway, at least not now, sometimes he caught himself just laughing hysterically. The profit he should have gotten from selling the car were nowhere to be seen. Not having any other assets he wanted to part with, he found the perfect solution - a quick loan.

It was so easy to dial the number, the people at the mortgage institute didn’t even ask what the money was for. It had lasted for ten days.

His computer speakers started their familiar buzzing, n3m0’s eyes found his cell phone and sure enough it started to ring. n3m0 sighed and answered the phone.

“Yeah”.
“Hello there”. n3m0 didn’t recognize the voice; it sounded strange somehow.
“Hello?” he asked, trying to focus his eyes on the computer clock. It was too blurry.
“Who am I speaking with?” the caller asked. There was a lot of static on the line, n3m0 had some trouble hearing him.
“You called me, who the hell are you?”
“Someone who needs your help.” The caller was using something to distort his voice. “Are you n3m0?”
“Where did you get this number?”
“From someone who said you were low on cash.”
Among other things. Damn. n3m0 opened up a text editor.
“So what do you want?”

Tags: security, stories

Bruce Schneier is announcing a “Movie-Plot” Threat Contest

From his blog:
Judging will be by me, swayed by popular acclaim in the blog comments section. The prize will be an autographed copy of Beyond Fear. And if I can swing it, a phone call with a real live movie producer.

I already have the book but it might be fun to come up with something to post.

Tags: security, movie plot