Stories

A Stock Bubble of His Own - Part 5

by patrick.ogenstad on July 5, 2006

Since midfr0st saw the established inbound connection he had been awake for eighteen hours. His documentation of Meriabeck’s network was as complete as he needed it to be. He had been very happy when he saw they were running Exchange and had Remote Wipe set up.

To complete his goals midfr0st had been forced to involve another hacker, a pbx guy with the handle c@rri3r. VoIP he could handle but midfr0st didn’t want anything to do with what he thought was the old school - the noise from his old modem still haunted him. Sooo slow, he thought. Midfr0st didn’t want to have anything to do with c@rri3r but the job had to be done and the pbx hacker was happy to do it for $2000.

midfr0st had just finished writing the press release that Meriabeck was going to release. He realized that the deadline was two weeks away but he already had everything he needed to set it in motion.

It was 8:25 PM, Thursday. I’ll drop the bomb tomorrow, midfr0st thought while switching off his screen. Time for some coffee.

Walking to a nearby coffee shop midfr0st thought about what would happen tomorrow. He was going to issue a press release to some selected financial magazines stating that Meriabeck had received an enormous order and a service contract for the coming five years from Tamaka Industries, a huge company located in Singapore.

The fourteen-hour time difference would mean that the head office in Singapore would be closed and unable to confirm or deny the press release.

midfr0st had also written a piece he would add to the Meriabeck public web page to add to the spice. Although he didn’t consider himself much of an artist, midfr0st was quite proud of the image he had merged from two photographs where the CEO of Meriabeck was shaking hands with the CTO of Tamaka Industries.

Since midfr0st knew the photo was a fake he could spot the rough edges very quickly, but for others not expecting a forged picture on meriabeck.com it would pass scrutiny for at least a few hours.

A few hours is all I need, midfr0st thought and took a sip of his fresh cappuccino.

A Stock Bubble of His Own - Part 4

by patrick.ogenstad on June 22, 2006

Taking a sip from his second glass, midfr0st just shook his head watching the error page. Too bloody simple, he sighed. Once again midfr0st thanked the W3Schools site for cutting a few hours off his work day. Although these kinds of blatantly obvious cases of sql injection had become boring of late, midfr0st liked the fact that a lot of people visited sites like W3Schools when they were learning to code asp/php/html and such. Sure, the site does a service to the public, but why terms like sql injection or input validation didn’t exist there (aside from a reference to a php function) was a mystery to midfr0st.

After a few tries he was able to log in to the admin part of the CMS system. Using Quirith’s showcase customer, midfr0st played around in the system to get familiar with it.

His neighbors below him had obviously been drinking much more than he had and were now laughing like mad. midfr0st left the empty wine bottle outside. I can’t think with that noise. He fired up Sepultura’s Chaos A/D.

It was time to focus on Meriabeck’s internal network. A few days ago he had asked tr0y, an online friend of his, if he had any connections in Meriabeck that could be used. Although tr0y didn’t have anything on the company he was very eager to hear about midfr0st’s plans. Though there was a risk telling others, tr0y could be trusted to not spread the word and when offered $6500 midfr0st just couldn’t turn his friend down.

In the end midfr0st decided to target a sales manager who had his email address on Meriabeck’s public website. He was going to use an Excel vulnerability he had known about for some time, but since it was public now its usefulness would be running out.

To: jake.gordon@meriabeck.com
From: john.houte@hdg-furniture.com
Subject: Chip Inquiry

Hello Jake,

My name is John, my company HDG-Furniture has been looking into the RFID technology to lower our costs related to shipping and warehousing. I have read about your reference customers and would like to hear more about your solutions.

Attached you will find a Word document describing what we want to do, in the Excel you have the relevant data.

John Houte
HDG-Furniture

midfr0st had found HDG-Furniture at random; he knew that the company didn’t have an employee named John Houte. midfr0st also knew that hdg-furniture.com didn’t bounce any mails even if the To address was invalid. So when Jake replied to the email he would believe “John” had received it.

He was sure that Jake would open the Excel file; it was just a matter of time. Midfr0st headed out for a smoke, and he increased the volume of his speakers, which were playing In Flames, Reroute to Remain.

After a few hours midfr0st went to bed. In the morning he had an inbound tcp connection from Meriabeck’s ip range.

A Stock Bubble of His Own - Part 3

by patrick.ogenstad on June 9, 2006

midfr0st was enjoying a smoke on his balcony; far below him his neighbors were having a barbeque out on the grass. A world where he could sit out eating with neighbors seemed alien to him, his life had become a digital one. A pretty girl living in the same apartment complex was the only one he greeted if they passed each other. The rest he just avoided, trying not to be noticed. This was of course difficult with him being 6′5″; his plan was instead not to make friends with anyone and hope no one would notice if he disappeared. midfr0st had a few exit plans but he wanted to remain himself, and all the other plans meant he would have to change his identity.

In his vision he would reclaim the social life he once had, but at this stage it was too dangerous. For now he settled with opening a bottle of red wine and poured himself a glass.

The deadline was crawling closer; still five weeks off, he was looking at Meriabeck’s web site. midfr0st had most of the current website memorized and it didn’t interest him anymore; instead he was looking for clues at the Internet Archive. Meriabeck had gotten a new website about a year ago, and for the first month the footer had contained the text “Created by Quirith Design”.

Opening up a new tab in his browser midfr0st surfed to quirith.com; as he suspected, they were web designers. midfr0st had a sip of his wine while waiting for the flash animations to load.

The company offered web sites ranging from low-end static pages to more advanced sites using their own QuirithCMS. In midfr0st’s experience security was just an afterthought for web designers (among others). If they did think about it, it was along the lines of “Yeah sure, we’re using SSL 128 bit encryption!”

The reason why web designers developed their own CMS system was beyond midfr0st; the only reason he could think of was that they could charge their clients more money.

Moving on, midfr0st went to the websites for Quirith’s showcase customers. One of them had a nice little link in the bottom left corner titled “Admin”, the href for the link pointed to /QuirithCMSAdm/.

Opening up a new tab he typed in the url http://www.meriabeck.com/QuirithCMSAdm/. midfr0st was presented with a login form asking for username and password.

Not wanting to warn Meriabeck by tripping on any wires, midfr0st went back to the other customer’s page. He typed a single character in each field and pressed the login button.

500 – Internal Server Error

midfr0st drained his glass and poured himself another one.

A Stock Bubble of His Own - Part 2

by patrick.ogenstad on May 19, 2006

midfr0st had downloaded the website for Meriabeck and was browsing the contents offline; he hardly remembered what it was the company was doing and this knowledge was vital for his plans. There was a lot of material to go through. Their website wasn’t too big but there were a lot of pdf reports there. Since it was a publicly traded company there was a lot of information, or rather speculation, to be read in different online forums.

Apparently the company was now creating some sort of RFID chips and there was a lot of talk about a big deal being very close. Backtracking to earlier discussions, midfr0st found out that this had been the situation for the last two years. Perfect, he smiled and inhaled some more smoke from his cigarette. The sun was shining on his balcony and the neighbor’s dog was barking. Business as usual.

midfr0st logged on his Internet bank and signed up for a service which would send a text message to his phone and an email if the stock price for Meriabeck Technologies changed more than 5% in either direction.

Paranoia is good for you, midfr0st mused. He didn’t want it to look suspicious: since he was hardly ever logged on to the bank and hadn’t done any other affairs the last few years, it might look odd if he suddenly managed to sell the stocks during the hours they soared. If the stock crashed a few hours later it would be even more suspicious. In reality the amount of stock he traded would be insignificantly small, but midfr0st prided himself on being careful.

midfr0st obsessed about keeping things organized and had started setting up a project plan for each job he did. At the moment he was using Planner and his task list for the current project contained these entries:

  1. Create online rumor
  2. Find a respectable company to use
  3. Hack Meriabeck
  4. Send an official statement from Meriabeck
  5. Shut down Meriabeck’s access to the world
  6. Sell stock
  7. Watch stock crash and do the monkey dance

His target deadline was seven weeks away.

A Stock Bubble of His Own - Part 1

by patrick.ogenstad on May 10, 2006

The startup company midfr0st had worked for declared bankruptcy when the stock market crashed. Instead of searching for a new job, midfr0st had entered the hacking business and was now breaking into companies for money. Business was going very well, it had in fact made him rich. Compared to his former financial status he would say it had made him very rich. midfr0st was however facing a little dilemma. All the money he had earned didn’t belong to him, instead it belonged to a few online “identities” he had created or bought.

Up to a certain amount, spending money wasn’t a problem, but he was getting more careful and the thought of getting caught didn’t really appeal to him. His biggest problem was that his real identity didn’t have a job and should have been broke.

midfr0st was still thinking about a long term solution to the problem; the life he pictured for himself was a lot more luxurious than living in a small apartment as he did now.

The short term plan was to make his legal assets grow without causing anyone to get suspicious. The best candidate for the job was the stock market, but although midfr0st was interested in shares and bonds he didn’t feel he had time. midfr0st had found an institute offering private banking services. He had been piling up his legal assets but was still about $35 000 short of the $300 000 needed to open up the account he wanted.

Although he had the money elsewhere he couldn’t just transfer it, since that kind of trail was exactly what he wanted to avoid. Aside from the money he had in his bank, the only other asset to speak of was some stock in a company he had bought back in ‘99. The company, Meriabeck Technologies, hadn’t quite shared the fate of the crashed company midfr0st had worked at, but close enough. It didn’t matter.

midfr0st had invested in Meriabeck after a recommendation from a friend; at first the stocks had soared, before they hit rock bottom. During the years to come midfr0st had more or less forgotten about them, so when he finally checked them he was happy to see that they had in fact increased a lot in value and were now worth 13% more than what he had originally paid for them. Unfortunately he still didn’t have enough money for the private banking account.

Another 16%, midfr0st thought. If he could just increase the value of the stocks he would be set to go. A plan was forming in his mind.

The Tale of the Nomadic Web Site - Part 9 - Conclusion

by patrick.ogenstad on May 4, 2006

Aftermath:

Four months later.

Users had been complaining for a few weeks that the Internet access had been very slow. Kyle Donovan, the sysadmin at Regal-Pens, had informed everyone that they shouldn’t listen to Internet radio during work hours. This didn’t solve the problem, but when someone in management complained, there was talk about upgrading the Internet connection so Kyle didn’t think much about the complaints.

Their Terminal Server had also been slowing down of late and Kyle felt that a working Terminal Server was more important than having a fast Internet connection. He had been troubleshooting the server without finding anything.

Kyle had spoken with a geek friend of his, and agreed with his advice:

“You have to reinstall Windows every once in a while, it gets all clogged up in the registry and stuff. I bet not even Microsoft knows what’s going on in there.”

It shouldn’t be a hardware issue, Kyle thought. Not that many people used the Terminal Server; the whole thing seemed very strange. When Kyle was defragmenting the C: drive for the fifth time he saw something odd: the C: drive had used up 31 Gb of space. Strange. Kyle laughed when he saw that the C:\Windows directory consumed 22 Gb; talk about getting clogged up.

Kyle was sure he would share a laugh with his friend over this. He began by deleting all the blue $NTUninstall$ directories but it didn’t help, so the investigation continued. Finally he found a directory named:

C:\WINDOWS\system32\clients\faxclient\system\w95\

The name didn’t mean much to Kyle but its size was 18 Gb; at first Kyle was very puzzled. The directory held a great number of pictures and asp files, and as he opened the first one his curiosity was replaced by an uneasy feeling in his stomach. Kyle felt the color withdrawing from his face; after seeing some more he got the taste of warm saliva in his mouth.

He didn’t make it all the way to the toilet but caught some of the puke in his hand, some of it he might have swallowed again but it didn’t stay down there for a long time anyway.

While washing his hands he realized that the pictures were still open on his screen for all to see. Panic seized him and on shaky legs he rushed back to the computer.

Kyle closed all the pictures and deleted the entire faxclient directory, his whole body shaking. The thought that he might have been too rash crossed his mind, but it was too late now. A long time after the incident Kyle was still worried that someone would come asking questions about the pictures that had been served from that server. He didn’t want to be accused of destroying evidence, or worse, but no one came.

After getting some coffee and calming down a small bit, Kyle hunted down his installation media for Windows and reinstalled the server. He had problems focusing and the reinstallation took the better part of the night.

During the coming week users thanked Kyle and said that what he’d done had fixed the Internet problem.

Kyle told management that the server had been hacked, but he didn’t mention the rest. Management asked how this could happen and the result was that they purchased a new firewall, which didn’t really solve anything.

The view on IT security that Kyle and his company had was a common one: we have no secrets, who would want to hack us?

Please note this is a purely fictional story; any names found here are made up. I’ve written this because I like writing; if someone reads it and enjoys it: great. If they get more conscious about security, that’s a bonus. If you have feedback or comments on the story please share them.

Links of Interest:

Computer Security Awareness videos

Security Awareness for Ma, Pa and the Corporate Clueless

The Tale of the Nomadic Web Site - Part 8

by patrick.ogenstad on May 2, 2006

After having made sure everything worked in his demo site, n3m0 issued the sql injection and uploaded his nomad.asp script. For n3m0 the results were like hearing a beautiful song.

C:\WINDOWS\System32

0wned. The feeling still made n3m0 feel giggly, though this time it might have been because of lack of sleep. After penetrating the walls his focus went on to control. n3m0 began documenting the network; it had three servers. One was an Exchange server running IIS with OWA; this was the server he had first gained access to through the ShowRoom.Asp application. The second server was a Domain Controller which also acted as a file and print server. n3m0 chose the third server to host the website; it was a Windows Server 2003 box acting as a Terminal Server.

The server had 3 Gb of RAM and two 73 Gb SCSI disks set up in a RAID 1 mirror, of which only 13 Gb were used. Perfect. n3m0 found a suitable directory where his client would place the files and verified that the directory wasn’t part of any backup selection.

Regal-Pens used a firewall with a web interface, and n3m0 was able to gain access with the help of a default password list. Later he also found the password in a text file located in kdonovan’s home directory; kdonovan was a member of the Domain Admins group, which had prompted him to take a look. n3m0 opened up a random port for the web access and one to manage the server.

After some cleanup work he bid the network farewell and closed his connections.

Two days later the phone rang again.

“Hello” n3m0 answered.
“Why hello there,” said the distorted voice, “how are things progressing?”
“It’s done” n3m0 said.
“Excellent! What a good boy you are.”
“Uhm, what? Yes, I’m pretty good. So when will I get paid?”
“How do you want to transfer the money?”
“What, you’re not going to give them to me personally?” n3m0 asked.
“That’s not likely to happen, no.” The caller didn’t sound impressed.
“You don’t by any chance play online poker?”
“I guess I could learn.” n3m0 smiled.

The Tale of the Nomadic Web Site - Part 7

by patrick.ogenstad on April 28, 2006

n3m0 arrived at work a bit late, 8:18 AM. Only 18 minutes, that’s not bad. No one seemed to care anymore when he showed up, so he was usually late. When he started at the company things had been really busy, but the last few months things had been quite slow, which gave n3m0 the opportunity to work on his own projects.

“Whoa, what happened to you?” Thomas asked with a perky voice. I can’t imagine how he can sound so happy when working here, n3m0 thought. He knew from experience that if he ignored Thomas he would just press on.
“I was playing World of Warcraft again,” n3m0 muttered.
“Didn’t catch the hockey then?”
“No.”
“Pity, was a great game.”
“No, I missed it.”

After a few more questions Thomas found someone else to bother. n3m0 unlocked his computer, checked the work email and opened the Help Desk application used by the company. Boring, boring, he thought as he scanned through the requests; nothing important. The requests could wait until later; one of them was so stupid that he laughed out loud.

That caught Thomas’s attention and he started walking over with his do-you-have-a-joke-to-share face. Thomas turned when n3m0 picked up the phone and pretended to make a call. Instead he opened up Notepad++ and loaded the asp file from his usb stick.

n3m0 was so tired that his ability to code suffered, and it took a lot of coffee and close to two hours to get the script to work as he wanted. Not wanting to hack from work, he figured he could take care of a few requests. He reprogrammed his telephone so he wouldn’t be unavailable anymore and tabbed to the Help Desk application.

Even though n3m0 only did any actual work half of the time he was there, he still was the guy in help desk who closed the most requests.

During the afternoon the only thing that kept n3m0 from falling asleep was the phone which kept ringing.

When the work day was over and n3m0 finally came home, he was still tired but since he had waited all day he figured he could sleep later.

n3m0 surfed to the Regal-Pens website. Time for some hacking.

The Tale of the Nomadic Web Site - Part 6

by patrick.ogenstad on April 25, 2006

n3m0 had the victims lined up; from about 20 companies he was about to single out the “lucky one”. Some of them had their websites at web hotels so they were more or less useless. The administrators of the web hotels would probably notice if an extra 15 Gb appeared on their servers, and the customers would have a quota limit of much less than that.

n3m0 was looking for a website hosted in-house by its owners. After a lot of interruptions, some more noodles, searches through whois records and dns queries n3m0 was down to six targets.

The next step was to test the Internet connections of the companies. In the end he settled for one company and had two others as backup if things didn’t go as planned.

Regal-Pens was a company selling fine pencils, pens, ink bottles and other writing tools. n3m0 couldn’t remember when he had last used a pencil (not counting the ones in Gimp); he didn’t even know if he had an ordinary pen anymore. Why would anyone want to use those? n3m0 did a search on his hard drive for an mp3 with the Flintstones theme, but he didn’t find one. The urge to fire up a torrent client was overwhelming but n3m0 managed to stay focused on the task at hand.

With the mark set it was time to set up a test environment. Instead of downloading music he started up VMware Server and began to install a Windows Server guest. While the unattended installation proceeded, n3m0 started to look for a suitable asp script that he could use; ages ago he had written a file called n3m0-was-here.asp. He grabbed the file but renamed it nomad.asp. The script basically downloaded and ran netcat.

*BEEP* *BEEP* *BEEP*

n3m0 jumped high in his chair as the alarm clock came alive. It showed 6:45 AM.

Shit, not again. Not for the first time n3m0 had been up all night, and it was time to go to his real job. For the last 16 months n3m0 had been employed as a member of a help desk department. The salary was barely enough to live on and the job was painfully boring, but the plan had never been to stay on the help desk crew.

n3m0 smelled his arm pit. Oh, bad bad bad, he pulled his nose away in disgust. He grabbed a usb stick and copied the asp script to it. Then he headed for the shower.

There wasn’t any breakfast to speak of in his apartment and he seemed to be out of toothpaste. Looking in the mirror before walking out he saw an exhausted young man staring back at him. It was going to be a long day.

The Tale of the Nomadic Web Site - Part 5

by patrick.ogenstad on April 19, 2006

n3m0 had managed to boil his noodles for fifteen minutes instead of the recommended three; it didn’t improve their taste. Unsatisfied by his meal n3m0 sat down at his computer again. After reading his feeds he got back to work.

He came across an advisory for ShowRoom.Asp 3.4.x, marked with the magic words: System Access from Remote. It had been discovered well over half a year ago; apparently the developers had been quick in releasing a patch and labeled it ShowRoom.Asp 3.5. Good for them, n3m0 thought. After surfing the website where ShowRoom.Asp was hosted he found a downloadable zip file of the vulnerable version; he also downloaded the patched release so he could see what had changed.

According to the Readme file, ShowRoom.Asp was a piece of software that made it easy for companies to show their products on their website. It was kind of like a cms but just for a small part of the website. The users could sort their products into different categories, describe their products, upload an image and assign a price to the products.

Coding aside, the design just appalled n3m0. I bet it’s even worse when you view the page in a browser, n3m0 shuddered. As he had guessed, the problem concerned sql injection: the developers seemed aware that they should do input validation but had missed checking it on a request.querystring value.

The impact was that you could log on to the site as admin without using a password; there you added a new product, but instead of uploading an image you could upload an asp page of your own choice. In the newer version the input validation had been fixed and the upload mechanism only allowed .gif, .jpg and .bmp.

A decently configured Windows box should prevent this, n3m0 thought as he was becoming more familiar with the code. On the other hand, people who make an effort with the configuration usually don’t leave their systems vulnerable six months after the advisory is issued.

n3m0 had enough to start looking for a victim; he tabbed to his Firefox window and did a Google search: “powered by ShowRoom.Asp 3.4”

Results 1 – 10 of about 120 for “powered by ShowRoom.Asp 3.4”. (0.40 seconds)

Two words popped into n3m0’s mind when he saw the search results: Road Kill.
