Ogenstad.net

Read Part 2

A smile spread across midfr0st’s face, things were starting to look better. midfr0st had a server he hacked awhile back, he could probably have told Donald to forward the mail there now. However he had to make sure the server was still his to control and then configure it to store the gantern.com emails as well as forward them to mail.gantern.com. The people at Gantern would spot this if they checked their log files, but most people don´t do that regularly and when they do it would be too late. After verifying and configuring the server midfr0st wrote an email.

To: Dae
Subject: Progress

Things are looking bright, I should have a package for you tomorrow. The mail flow will be going to the company instead of from it. Hopefully this will be enough.

midfr0st

For the first time midfr0st started to consider the money he got from Dae as his own. He was probably going to buy an Origami / UMPC but that would only eat a small slice of the $24.000. Feeling content with his work and not being able to sleep, midfr0st considered doing something about the dust puppies, though only briefly. Instead he went out for a pack of smokes and a meal. He had stopped thinking in terms of breakfast, lunch and dinner. For normal people it would be around lunch time. But why call it lunch if you haven’t eaten breakfast or dinner the day before? A coffee is just a coffee regardless of when you drink it.

Tuesday 11:43

Tech support: “Hello this is Brenda how may I help you?”
midfr0st: “Hi, do you have Donald there?”
Tech support: “He is busy on another line, do you mind holding?”
midfr0st: “No, I’ll wait”

After a few minutes Donald came to the phone.

Donald: “Hello Donald here, how may I be of service?”
midfr0st: “Hi Donald this is Dick, we spoke yesterday.”
Donald: “Was it for gantern.com?”
midfr0st: “That’s the one, we have everything ready on our side here and would like to go forward with the move.”
Donald: “Sure, which ip do you want to use?”
midfr0st: “Wait a sec and let me find it. Oh, by the way I’m trying to keep our network documentation up to date. Do you have our contract number there?”
Donald: “Sure do, it’s IBL047-65BT”

midfr0st gave Donald the IP address and thanked him for all the help. Shortly there after mail going to gantern.com was routed through a server under midfr0st’s control.

To: midfr0st
Subject: Re: Progress

The information looks promising, I will keep you posted.

Dae

Three weeks later there was another email.

To: midfr0st
Subject: All done

We have everything we need. Pleasure doing business with you.

Dae

midfr0st called the Anti Spam provider again and told them to point the email flow to gantern.com back to mail.gantern.com. He made sure he didn’t talk to Donald, and when asked for the contract number he provided the one Donald gave him.

Two months later midfr0st came across an article stating that Wiamra Group had won a bid for a building contract worth $88 million. Thinking of his paycheck of $24.000 midfr0st felt he’d been had.

Aftermath:
Dae’s people at Wiamra Group were able to gather enough details from the replying emails Gantern Construction had sent to the Buyer.

The people at Gantern never figured out what happened. After seeing that the Wiamra bid almost mimicked their own they started an internal investigation. They fired a newly hired assistant in the Sales department but never got close to finding out what had really happened..

Please note this is a purely fictional story any name found here are made up. I’ve written this because I like writing, if someone reads it and enjoys it great. If they get more conscious about security, that’s a bonus too.

Related Links:

The SANS Security Policy Project
– http://www.sans.org/resources/policies/

[tags]security, stories, social engineering[/tags]

Read Part 1

midfr0st was never able to sleep during the day, at least not when the sun was shining. Might as well go out and meet with some friends. midfr0st picked up a packet of cigarettes, a lighter and his none work laptop then headed for his balcony. While the laptop was booting up he lit a smoke. Only eight left, might have to leave the apartment today. He double clicked the World of Warcraft icon and inhaled some smoke while the game was loading.

At 10:15 he bid his friends farewell and closed the lid of his laptop. He was getting more tired but knew he couldn’t sleep. midfr0st had never been able to stand the smell of smoke on his fingers and washed his hands obsessively. Having been outside for a while he couldn’t help noticing the sun shining through his windows, making the dust in his apartment painfully obvious. He would love to hire a maid or cleaner but he didn’t want them to see all his computer equipment and gadgets. I need a robot, he thought dreamingly.

midfr0st powered up all his computers, fans and other things which made noise. When he called the tech support of the antispam company Gantern used, he wanted it to sound like he was in a server room. He picked up a cell phone from his rack and inserted a sim card.

Tech support: “Hello this is Donald how may I help you?”
midfr0st writes down Donald’s name in his notes.
midfr0st: “Hi Donald, I’m calling from Gantern Construction.”
Donald: “Do you have your contract number?”
midfr0st moved closer to the noise.
midfr0st: “What’s that?”
Donald: “Your contract number”
midfr0st: “Contract number haha! That’s a good one! They didn’t even tell me we were using you guys until a couple of days ago. I’ll tell you it’s mayhem down here. The domain we are using is gantern.com. Hold on.”
midfr0st pretended to be arguing to someone in the “server room”.
midfr0st: “Sorry for that.”
Donald: “No problem”
midfr0st: “The domain we are using is gantern.com, can you get it up to your screen?”
Donald: “Hang on… the computer system is very slow today.”
Why do they always say that when your calling support?
Donald: “Here I have it. Are you Richard Burne?”
midfr0st: “Hey, not even my mother calls me Richard. I’m Dick to most people and the e is silent in Burne it’s not Bernie.”
Donald: “Oh, sorry, so what can I do for you Dick?”
midfr0st: “We are changing our infrastructure and will be moving our mail servers. As we have it now you forward all email to mail.gantern.com. What I would need is to change that to an ip address, could you do that?”
Donald: “Ehm, well I guess I could, but why?”
midfr0st: “Time”
Donald: “Time?”
midfr0st: “Yes I want the change to be instantaneous, if I just change the DNS records for mail.gantern.com I have to worry about caching issues. How fast can you do the change?”
Donald: “In minutes but can’t you just lower the…”
midfr0st: “Again time. If it was up to me I would, but you know how it is with management; they tend to live in the past and everything happened yesterday including this conversation. I bet you’ve been there.”
Donald: “Do you want me to change it now?”
midfr0st: “No thanks, I don’t have time to deal with it today. Besides I have to prep the new server first. I’ll call you this time tomorrow. Thanks for your help. Bye!
Donald: “You’re welcome, bye!”

Read Part 3 

[tags]security, stories, social engineering[/tags]

Monday 05:45. The world around him was still asleep, the only sound violating the silence was the occasional bird outside. midfr0st was unaware of this, just as he was unaware of his mp3 playlist coming to an end three hours ago. His eyes had been fixed on his computer screen for the last sixteen hours. His mind had trouble remembering why. The screen was all black except for a line of text in the upper left corner: “follow the white rabbit.”

I’m going nowhere with this, he thought as he erased the text he’d written well over an hour go. Instead midfr0st brought up the network diagram he had been creating. It wasn’t for his own network, rather a network his present client wanted to 0wn.

midfr0st had some history of doing an honest living but had found the illegal path to be more rewarding when it came to making doubloons. Besides I like being my own boss.

At the moment midfr0st was working on a job concerning communication or rather email. His current client, Dae, was so eager to read the emails from Gantern Construction that midfr0st had been paid in advance. This usually wasn’t the way midfr0st worked but his confidence had grown a lot lately and he was positive he could pull it off. After his last contact with Dae he was beginning to regret his early payment.

Dae: How’s our little expedition going?
midfr0st: It’s moving along
Dae: Where is it moving?
midfr0st: I’m still working on it
Dae: I would hope so, when can you have the package delivered?
midfr0st: I don’t know, soon enough. These things take time.
Dae: You sounded a bit cockier when we paid you.
midfr0st: I haven’t spent the money, you can have it back if you want to.
Dae: The money is not important, my faith in you is. You do not want me to loose that faith.

midfr0st wasn’t overly concerned about Dae’s threats. Dae didn’t seem to know too much about Internet security and midfr0st did his best not to leave a trace back to him. Instead midfr0st traced the IP Dae had used in the irc session. He found that the IP belonged to a company called Wiamra Group, which according to their website was into construction. The way Dae could get to midfr0st was through M3m3th who had introduced them. M3m3th was a friend, but you never knew. midfr0st was pretty sure M3m3th wouldn’t be able to track him.

06:31, the dog started to bark. For some time midfr0st had been positive that his neighbors had that freaking dog running on ntp, every morning at 06:31 it started. The walls in his apartment seemed to have been optimized to let sound pass through them unhindered. Once when it was really getting on his nerves he began feeding the times into rrdtool to get some viewable graphs. After two weeks of manually running the update script he got fed up with the manual labor and considered setting up a microphone to record the barking automatically and then feed it to the update script. In the end he decided against it and figured he had better things to do with his time. Besides, during my testing the dog had been off 25 seconds one day and even if it was on ntp it had to be a very poor implementation.

midfr0st realized the music was silent and let a fresh load of mp3s drown the sound of the dog, it was time to get back to the task at hand. He had a lot of nmap scans, information from the Gantern Construction website, he had hacked an ftp site on their DMZ but that hadn’t been of further value. There were quite a few doors into the company but midfr0st hadn’t been able to squeeze through. All the log files and notes had stopped making sense a long time ago.

At 07:05 something finally caught his eye, mail.gantern.com had port 25 open which would be common enough. However the mx records for the domain pointed elsewhere

MX = 10, mail exchanger = gantern.com.in10.antispamprovider.com
MX = 20, mail exchanger = gantern.com.in20.antispamprovider.com
MX = 30, mail exchanger = gantern.com.in30.antispamprovider.com
MX = 40, mail exchanger = gantern.com.in40.antispamprovider.com

Why didn’t I see this earlier? midfr0st began searching through his notes and after a few minutes he verified that mail.gantern.com was in fact accepting mails from the world. I hope this will work and that it’ll be enough. midfr0st checked the time 07:13, it was too early to begin.

Read Part 2

[tags]security, stories[/tags]