Difference between revisions of "Anatomy of a Hack"

From FreekiWiki
 
(9 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 +
{{migrated}}
 +
[https://docs.google.com/a/freegeek.org/document/d/1n0FMCL1aRY74Nq_3vxo2u7Luwvan5H8I82Y5uUGEPcw/edit?usp=sharing Link]
 +
 
== Anatomy of a Hack: ==
 
== Anatomy of a Hack: ==
  
Line 4: Line 7:
  
 
'''Hypothetical situations:'''
 
'''Hypothetical situations:'''
* iTunes says that they have determined that your credit card number is fraudulentThey give you a website to go to to fill out the correct credit card information.  The email reads in part
+
* An email arrives from iTunes. It  says they found that your credit card number is badThe email links to a website to go to, to fill out the correct credit card information.  It reads in part:
  
 
  Please click the following link to update your credit card information
 
  Please click the following link to update your credit card information
 
  and prevent disruption to your service. [http://sxserver.ru/credit.php www.itunes.com]
 
  and prevent disruption to your service. [http://sxserver.ru/credit.php www.itunes.com]
  
* Call from IT support at work:  Sam, the head of IT calls to ask for your password so that he can fix you computer
+
* You receive a phone call:  Sam, the head of IT, calls to ask for your password so that he can fix your computer.
  
* Email from a long lost cousins:  A cousin you don't remember asks for you siblings email and address.
+
* An instant message comes in from a long lost cousin you don't recall, asking for your siblings' email and address.
  
  
Line 17: Line 20:
 
=== HBGary ===
 
=== HBGary ===
  
The story:
+
The players:
 
   
 
   
[http://en.wikipedia.org/wiki/Anonymous_%28group%29 Anonymous] is a group of hacktivists who are responsible for actions that could be considered either good, bad or both.  Many of their actions are illegal.  [http://en.wikipedia.org/wiki/HBGary HBGary] was a technology security company which sold it's products to the US Federal Government (including the Department of Defense), information assurance companies, computer emergency response teams and computer forensic investigators.  CEO Aaron Barr developed a technique which he thought would unmask the leaders of Anonymous using the timing of Anonymous IRC rooms matched up with social media posts though his lead programmer criticized his methodology.  His intention was to sell the list to the FBI and other law enforcement agencies.  When the Financial Times ran a story on this, Anonymous members attacked within 24 hours.
+
[http://en.wikipedia.org/wiki/Anonymous_%28group%29 Anonymous] is a group of hacktivists who are responsible for actions that could be considered either good, bad or both.  Some of their actions are illegal.   
 +
 
 +
[http://en.wikipedia.org/wiki/HBGary HBGary] was a technology security company which sold its products to the US Government (including the Defense Department), information assurance companies (Equifax, et al.), computer emergency response teams and computer forensic investigators.  The CEO, Aaron Barr, developed a technique which he thought would unmask the leaders of Anonymous by comparing the timing of Anonymous IRC rooms to social media posts, although his lead programmer criticized his methodology.  His intention was to sell the list to the FBI and other law enforcement agencies.   
 +
 
 +
When the Financial Times ran a story on this, Anonymous members attacked within 24 hours.
  
Chronology of the attack:
+
==== Chronology of the attack: ====
  
[http://en.wikipedia.org/wiki/SQL_injection SQL INJECTION]
+
===== [http://en.wikipedia.org/wiki/SQL_injection SQL INJECTION] =====
 +
SQL injection is an old method of attack via entering portions of SQL statements into web form fields.  If the website is vulnerable, the SQL can send statements to the database and get it to dump out users, passwords, credit card numbers and other information.
  
* HBGary used a custom CMS on their site
 
 
* A [http://en.wikipedia.org/wiki/Content_management_system Content Management System(CMS)] is a system that allows for creating, editing and publishing content without a need for programming or in-depth knowledge
 
* A [http://en.wikipedia.org/wiki/Content_management_system Content Management System(CMS)] is a system that allows for creating, editing and publishing content without a need for programming or in-depth knowledge
 
** Wordpress, etc
 
** Wordpress, etc
* No CMS is 100% safe but in this case a custom CMS was used which had gaping security holes in it, leaving it open to SQL injection attacks.  If they'd used an off-the-shelf product, there could be thousands of users and bug reports.  This custom CMS had no one reviewing it and fixing problems.
+
* HBGary used a custom CMS on their site
 +
* No CMS is 100% safe but in this case a custom CMS was used which had gaping security holes in it, leaving it open to SQL injection attacks.  If an off-the-shelf product had been used, there could be thousands of users and bug reports.  This custom CMS had no one reviewing it and fixing problems.
 
* SQL injection is a technique often used to attack databases through a website. This is done by including portions of SQL statements in a web form entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g. dump the database contents to the attacker).  http://en.wikipedia.org/wiki/SQL_injection
 
* SQL injection is a technique often used to attack databases through a website. This is done by including portions of SQL statements in a web form entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g. dump the database contents to the attacker).  http://en.wikipedia.org/wiki/SQL_injection
* This exploits were used to dump the table of usernames and passwords out of the website.
+
* This exploit was used to dump the table of usernames and passwords out of the website.
 
* A plaintext password would appear as '''password'''
 
* A plaintext password would appear as '''password'''
* These were encrypted using [http://en.wikipedia.org/wiki/Md5 MD5], but because these were not [http://en.wikipedia.org/wiki/Salt_%28cryptography%29 salted] a [http://en.wikipedia.org/wiki/Rainbow_table rainbow table] could reverse the encryption
+
* Passwords were encrypted using [http://en.wikipedia.org/wiki/Md5 MD5], but because these were not [http://en.wikipedia.org/wiki/Salt_%28cryptography%29 salted] a [http://en.wikipedia.org/wiki/Rainbow_table rainbow table] could reverse the encryption
** MD5 is cryptographic hash function
+
** MD5 is a cryptographic hash function
 
*** Imagine taking something that makes '''password''' into '''qbttxpse'''
 
*** Imagine taking something that makes '''password''' into '''qbttxpse'''
 
*** This they did right
 
*** This they did right
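Review bot: the rewritten bullet "Passwords were encrypted using MD5 ... a rainbow table could reverse the encryption" still calls hashing encryption and describes a rainbow table as a decryption step. MD5 is a one-way hash and a rainbow table is a precomputed hash-to-password lookup; it works against any unsalted hash of a short password, which is why the missing salt, not a weakness in MD5, is the point this section is making. Suggest "Passwords were stored as unsalted MD5 hashes; because there was no salt, a precomputed rainbow table could look the original passwords up." The "This they did right" sub-bullet could carry the caveat that MD5 is a fast general-purpose hash and password storage wants a slow, salted scheme such as bcrypt, scrypt or PBKDF2.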
Line 42: Line 50:
 
* Passwords and usernames were gotten
 
* Passwords and usernames were gotten
  
[http://en.wikipedia.org/wiki/Root_access ROOT ACCESS]
+
===== [http://en.wikipedia.org/wiki/Root_access ROOT ACCESS] =====
 +
Also known as an admin, administrator, or superuser; this account can make system-wide changes not available to other users
  
 
* Using the now-cracked passwords, the attackers were able to gain non-root access the server support.hbgary.com
 
* Using the now-cracked passwords, the attackers were able to gain non-root access the server support.hbgary.com
Line 48: Line 57:
 
* Using a known exploit for which the server had not been patched, they were able to take root access and removed gigabytes of information
 
* Using a known exploit for which the server had not been patched, they were able to take root access and removed gigabytes of information
  
PASSWORD REUSE
+
===== PASSWORD REUSE =====
  
 
* Among others, high-level employees including the CEO and COO were gotten
 
* Among others, high-level employees including the CEO and COO were gotten
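Review bot: "they were able to take root access and removed gigabytes of information" mixes tenses; "gain root access and remove gigabytes of information" reads as one action. "Were gotten" for compromised accounts in the following bullet is awkward; "were among those compromised" says what happened.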
Line 58: Line 67:
 
* Through reading his emails they found out that he and a Nokia employee had SSH access to a server (rootkit.com) as well as possible root passwords for that server.
 
* Through reading his emails they found out that he and a Nokia employee had SSH access to a server (rootkit.com) as well as possible root passwords for that server.
  
[http://en.wikipedia.org/wiki/Social_engineering_%28security%29 SOCIAL ENGINEERING]
+
===== [http://en.wikipedia.org/wiki/Social_engineering_%28security%29 SOCIAL ENGINEERING] =====
 +
In the context of security, social engineering is getting people to do what you want them to through social/psychological manipulation. 
  
 
* At this point, Anonymous has access to most of the communications within HBGary.  They know that Greg Hoglund is in Europe, two possible passwords to the server root and his security person from Nokia and contact info.
 
* At this point, Anonymous has access to most of the communications within HBGary.  They know that Greg Hoglund is in Europe, two possible passwords to the server root and his security person from Nokia and contact info.
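Review bot: the context bullet "They know that Greg Hoglund is in Europe, two possible passwords to the server root and his security person from Nokia and contact info" hangs three unlike objects off one verb. "They know that Greg Hoglund is in Europe, they hold two candidate root passwords for the rootkit.com server, and they have the name and contact details of his Nokia security contact" keeps the same facts and reads cleanly.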
Line 82: Line 92:
 
  if anything just reset my password to changeme123 and give me public
 
  if anything just reset my password to changeme123 and give me public
 
  ip and ill ssh in and reset my pw.
 
  ip and ill ssh in and reset my pw.
*  Once they had root access to that server they obtained further information and cracked all the poorly guarded username/password combinations again.
+
*  Once they had root access to that server they obtained further information and cracked all the poorly guarded username/password combinations again.  Jussi had little reason to think he was not dealing with Greg Hoglund.  The email came from Greg's account, he knew 2 of the passwords - still, Jussi might have thought to verify but the social want to help and the fact that "Greg" was in a hurry rushed him into doing it without checking.
  
AFTERMATH
+
==== Aftermath ====
 
* Aaron Barr tried to negotiate with Anonymous.  He lied to them repeatedly, not realizing they had all his emails and knew the truth.   
 
* Aaron Barr tried to negotiate with Anonymous.  He lied to them repeatedly, not realizing they had all his emails and knew the truth.   
 
* Over 40,000 internal emails, many of them containing very sensitive information, were posted to the Pirate Bay
 
* Over 40,000 internal emails, many of them containing very sensitive information, were posted to the Pirate Bay
Line 95: Line 105:
 
** Spying on union organizations for the US Chamber of Commerce
 
** Spying on union organizations for the US Chamber of Commerce
 
** Had plans to plant fake insiders within those organizations and then have them do something stupid to discredit the unions
 
** Had plans to plant fake insiders within those organizations and then have them do something stupid to discredit the unions
** Planned to create derisive 'humor pieces' on the US Chamber Watch which monitored the USCoC activities
+
** Planned to create discrediting over-the-top 'humor pieces' on the US Chamber Watch,, the group monitoring USCoC activities.
** Barr planned to release what he told was flawed information for millions of dollars, information he knew could or would get innocent people arrested
+
** Barr planned to release what he told was flawed information for millions of dollars, information he knew could or would get innocent people arrested.
** They were working on a presentation for Bank of America who wanted Wikileaks taken down.  What they were proposing was mostly illegal.  It included numerous cyber-attacks, creating internal strife within the funders of Wikileaks, spreading disinformation and a concerted media campaign to smear Julian Assange.  They intended to disrupt all payments to the site and make it impossible to have further submissions.  They also were in the process of creating unlicensed Windows games to release into the wild on Asian sites.  These games contained backdoors from which they could launch attacks.
+
** They were working on a presentation for Bank of America who wanted Wikileaks taken down.  What they were proposing was mostly illegal.  It included numerous cyber-attacks, creating internal strife within the funders of Wikileaks, spreading disinformation and a concerted media campaign to smear Julian Assange.  They intended to disrupt all payments to the site and make it impossible to have further submissions.   
 +
** They also were in the process of creating unlicensed Windows games to release into the wild on Asian sites.  These games contained backdoors from which they could launch attacks.
 
** They planned to put pressure on civil liberties lawyers to make them fearful for their jobs and unwilling to offer more support or open criticism.
 
** They planned to put pressure on civil liberties lawyers to make them fearful for their jobs and unwilling to offer more support or open criticism.
 +
** The USAF sought from HBGary software from which they could control thousands of fake online personas on social media to gather information and spread the illusion of assent with the US government among a large portion of the populace.
 +
* Final results:
 
** Everyone distanced themselves from Barr and HBGary.
 
** Everyone distanced themselves from Barr and HBGary.
 
** Barr resigned in disgrace
 
** Barr resigned in disgrace
 
** HBGary's potential company sale and work disappeared and they went under.
 
** HBGary's potential company sale and work disappeared and they went under.
** It also came to light through this that the US Air Force sought from HBGary software from which they could control thousands of fake online personas on social media to gather information and spread the illusion of assent with the US government among a large portion of the populace.
 
 
 
  
LESSONS LEARNED
+
==== Lessons Learned ====
 
* Use tried and tested software.  A custom CMS allowed the SQL injection that started this ball rolling.  Anything on the web with public access should be secured in the stronges manner in every way possible
 
* Use tried and tested software.  A custom CMS allowed the SQL injection that started this ball rolling.  Anything on the web with public access should be secured in the stronges manner in every way possible
 
* Follow best security practices:  This could apply to most of these mistakes in this example.  By not salting their MD5 hash, they left their user info open to attacks by Rainbow Tables which has been around since 1980 and for which software is commonly available.
 
* Follow best security practices:  This could apply to most of these mistakes in this example.  By not salting their MD5 hash, they left their user info open to attacks by Rainbow Tables which has been around since 1980 and for which software is commonly available.
 
* Apply all the latest updates, especially security ones.  If the servers had been patched for a widely known vulnerability, the attack could have been stopped.
 
* Apply all the latest updates, especially security ones.  If the servers had been patched for a widely known vulnerability, the attack could have been stopped.
* Best password practices.  Length, upper and lower-case, numbers, non-alpha-numerical characters if possible.  NEVER a common word or password and dictionary attacks.
+
* Best password practices:
 +
** Use long passwords with both upper and lower-case characters plus numbers and non-alpha-numerical characters if possible.   
 +
** NEVER use a common word or password as those are very easily broken with dictionary attacks.
 +
** NEVER reuse a password across multiple websites.
 +
** See the [http://www.labnol.org/internet/different-passwords-for-websites/17961/ Mozilla method] for password creation.
 
* People with more power should have stronger passwords for security not weaker passwords for ease of use because they can object.
 
* People with more power should have stronger passwords for security not weaker passwords for ease of use because they can object.
* NEVER re-use passwords.  Firewall identities.  Aaron Barr used the same password for many sites, including his personal social media sites, email, internal and external servers and personal iPad.  Namechk.com
+
* Firewall identities.  Aaron Barr used the same password for many sites, including his personal social media sites, email, internal and external servers and personal iPad.  [Namechk.com] makes it easy to find the reuse of usernames across sites.
* Social engineering.  The hardest to defend against and probably the most common hacking tools.  In this case, a sense of urgency was used but they usually appeal to sexuality, greed or the human want/need to help.  They could have had an agreed upon password or phrase not
+
* Social engineering.  The hardest to defend against and probably the most common hacking tools.  In this case, a sense of urgency was used but they usually appeal to sexuality, greed or the human want/need to help.  It is much easier to get information from a human than to hack a computer.  Social engineering takes place in most hacking in some form.
** [http://en.wikipedia.org/wiki/Bradley_Manning Bradley Manning] incident
+
** [http://en.wikipedia.org/wiki/Bradley_Manning PFC Manning] incident
*** Manning exfiltrated classified information and gave it to reporters and Wikileaks.  Some of this information was comprised of sensitive diplomatic cables, video of American troops killing reporters, etcHe used a CD-RW which he labeled ''Lady Gaga'' to get the information out.  Manning would simply knock on the door to the secure area and ask to listen to his CD.  He would lip-sync to songs that were not playing while in actuality he was downloading secrets onto the ''Lady Gaga'' CD
+
*** Manning exfiltrated classified information and gave it to reporters and Wikileaks.  Data included sensitive diplomatic cables, video of American troops killing reporters, as well as operationally secret military dataManning used a CD-RW labeled as ''Lady Gaga'' to get the information out.  Manning would simply knock on the door to the secure area and ask to listen to his CD.  He would lip-sync to songs that were not playing while in actuality secrets were copied to the ''Lady Gaga'' CD.
 +
*** This was not a technical hack but a human hack.  The use of technology was no more than inserting a CD and downloading information.  Manning played on their trust and used acting to continue the trust.
 +
** Social engineering in email
 +
*** Phishing emails use things like fear of having your account terminated, getting in trouble for using a "bogus" credit card, fear that your bank account might have been compromised,etc.
 +
*** [http://en.wikipedia.org/wiki/Nigerian_scam Nigerian scam or 419 emails] play on your want to help or greed by telling you that you are helping some person in trouble or that you will gain large amounts of money.
 +
*** Spam emails often play on your sexuality (porn, dating), greed (Get rich quick), or fears (Viagra, Rogaine, breast enhancement, weight loss)
 +
** What Social Engineering looks like
 +
*** It doesn't and that's the point.  It comes at you sideways smiling.
  
 +
=== Hacking Facebook ===
  
 
+
The story:  A friend and I were both interested in computer security.  We were talking about hacking facebook accounts and he gave me permission to try to get into his
 
 
=== Hacking Facebook ===
 
The story:  A friend and are both interested in computer security.  We were talking about hacking facebook accounts and he gave me permission to try to get into his
 
  
 
At that time, Facebook had a web page where you could reset the password if your email associated with your Facebook account had been compromised and you could no longer access it.
 
At that time, Facebook had a web page where you could reset the password if your email associated with your Facebook account had been compromised and you could no longer access it.
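Review bot: in the Lessons Learned part of this hunk, "Rainbow Tables which has been around since 1980" conflates Hellman's 1980 cryptanalytic time-memory trade-off with rainbow tables, which Oechslin published in 2003; pick one and make it "have", not "has". "stronges" in the first bullet should be "strongest", and "[Namechk.com]" with single brackets and no scheme renders literally in MediaWiki; "[http://namechk.com Namechk.com]" is the form the rest of the page uses. The new password bullets also say nothing about password managers, which are the practical way to follow "NEVER reuse a password across multiple websites".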
Line 133: Line 152:
  
 
I was to assume that all I knew was his full name and city he resided in.
 
I was to assume that all I knew was his full name and city he resided in.
 +
 +
==== DIGGING ====
  
 
I logged out of Facebook and cleared my cache.  I logged back into the password reset page and:
 
I logged out of Facebook and cleared my cache.  I logged back into the password reset page and:
* Gave them my email address.  In real life I would have created a throwaway through proxies.
+
* Gave them my email address created just for this.  In real life I would have created a throwaway account through [http://en.wikipedia.org/wiki/Proxy_server proxies].
* I was able to find his email address because someone other than himself had posted it.  I looked up his name and city and found a listing for a hobby group he was the leader for. Someone asked for information and a 3rd party listed his email.
+
* I was able to find his email address because someone other than himself had posted it.  I looked up his name and city and found a listing for a hobby group he was the leader for. Someone asked for information and a 3rd party listed his email for them.
* I had his name to start with but was able to access available information to get a middle name and was prepared with variations on his name if I did not immediately succeed.
+
* Using the username portion of his email “username@email.com”, I was able to take the standard Facebook format for user profiles and add his username (http://www.facebook.com/username).  I confirmed this was him and now had the correct web address.
* I could not get the DOB on any of the public info sites.  He was raised out of the US
+
* I had his name to start with but was able to access available information to get a middle name and was prepared with variations on his name if I did not immediately succeed with that question.
* Using the username portion of his email “username@email.com”, I was able to take the standard format profiles and add his username where mine was.  I confirmed this was him and now hat the correct web address.
 
  
At this point, I could not get the DOB.  I looked at publicly available information as to where my friend had lived in the US.  I started searching for his name in conjunction with these cities.  I found a city on the east coast where he'd had another public group he was involved with.   
+
At this point, I could not get his date of birth.  I looked at publicly available information as to where my friend had lived in the US.  I started searching for his name in conjunction with these cities.  I found a city on the east coast where he'd had another public group he was involved with.   
  
I then started looking at relatives and the places they had lived.  I searched for their names and cities listed.  I found a listing for his dad being involved with a volunteer organization.  There was no information listed for contact.  I read a newsletter stating his involvement with a certain individual in this organization.  Posing as a relative of this individual, I contacted the organization and asked for his contact information.  Because I knew his name and some information they probably considered private, they gave me his personal email address.  I emailed him stating that I was a friend from that east coast city and knew him through that public group.  I said I had a really nice gift for him but had forgotten his birthday.  I was so embarrassed because we were good friends and would he please not tell my friend that I'd forgotten his birthday.  The last piece of the puzzle was had.
+
I then started looking at relatives and the places they had lived.  I searched for their names and cities listed.  I found a listing for his dad being involved with a volunteer organization.  There was no information listed for contact.   
 +
 
 +
==== SOCIAL ENGINEERING ====
 +
 
 +
I read a newsletter stating his involvement with a certain individual in this organization.  Posing as a relative of this individual, I contacted the organization via phone and asked for his contact information.  Because I knew his name and some information they probably considered private, they gave me his personal email address.  I emailed him stating that I was a friend from that east coast city and knew him through that public group.  I said I had a really nice gift for him but had forgotten his birthday.  I was so embarrassed because we were good friends and would he please not tell my friend that I'd forgotten his birthday.  The last piece of the puzzle was had.
  
 
LESSONS
 
LESSONS
Line 187: Line 211:
 
* No matter how smart you are, you can be socially engineered
 
* No matter how smart you are, you can be socially engineered
 
* Even if you are perfect, those around you are not
 
* Even if you are perfect, those around you are not
 +
 +
[[Category: Classes]]
 +
[[Category: Current Classes]]

Latest revision as of 15:41, 11 April 2014


This page has been migrated to a document on Free Geek's Google Drive.

Information remaining behind may no longer be relevant.


Link

Anatomy of a Hack:

Purpose: This is a class on basic security principles highlighted by real-life events and the consequences of what can happen when you do not attend to the basics of protection.

Hypothetical situations:

  • An email arrives from iTunes. It says they found that your credit card number is bad. The email links to a website to go to, to fill out the correct credit card information. It reads in part:
Please click the following link to update your credit card information
and prevent disruption to your service. www.itunes.com
The visible link text reads www.itunes.com, but the link itself points to http://sxserver.ru/credit.php. That mismatch between what a link says and where it goes is the tell-tale of a phishing email.
  • You receive a phone call: Sam, the head of IT, calls to ask for your password so that he can fix your computer.
  • An instant message comes in from a long lost cousin you don't recall, asking for your siblings' email and address.


HBGary

The players:

Anonymous is a group of hacktivists who are responsible for actions that could be considered either good, bad or both. Some of their actions are illegal.

HBGary was a technology security company which sold its products to the US Government (including the Defense Department), information assurance companies (Equifax, et al.), computer emergency response teams and computer forensic investigators. The CEO, Aaron Barr, developed a technique which he thought would unmask the leaders of Anonymous by comparing the timing of Anonymous IRC rooms to social media posts, although his lead programmer criticized his methodology. His intention was to sell the list to the FBI and other law enforcement agencies.

When the Financial Times ran a story on this, Anonymous members attacked within 24 hours.

Chronology of the attack:

SQL INJECTION

SQL injection is an old and well-understood attack: fragments of SQL are typed into web form fields. If the application builds its database queries by pasting that input into the SQL text, the attacker's fragment becomes part of the query, and the database can be made to return usernames, password hashes, credit card numbers and anything else it holds.

  • A Content Management System(CMS) is a system that allows for creating, editing and publishing content without a need for programming or in-depth knowledge
    • Wordpress, etc
  • HBGary used a custom CMS on their site
  • No CMS is 100% safe, but in this case the custom CMS had gaping security holes that left it open to SQL injection. Had an off-the-shelf product been used, thousands of users and bug reports would have surfaced the flaw; this custom CMS had no one reviewing it and fixing problems.
  • The attack works by including portions of SQL statements in a web form field so that the website passes a newly formed, rogue SQL command to the database (e.g. dump the database contents to the attacker). http://en.wikipedia.org/wiki/SQL_injection
  • This exploit was used to dump the table of usernames and password hashes out of the website.
  • A plaintext password would appear as password
  • Passwords were stored as unsalted MD5 hashes. Hashing is one-way, not encryption, so there is nothing to decrypt; but because no salt was used, a rainbow table (a table of hashes computed in advance) could look the original passwords up
    • MD5 is a cryptographic hash function: it turns any input into a fixed-size digest, and the same input always produces the same digest
      • Imagine something that turns password into qbttxpse (a toy stand-in; a real MD5 digest is 32 hex characters with no visible relation to the input)
      • Not storing plaintext passwords they did right. Choosing MD5 was not: it is a fast hash built for integrity checks, and password storage calls for a deliberately slow, salted scheme such as bcrypt, scrypt, PBKDF2 or Argon2
    • “Salting” is adding a random per-user value to the password before hashing, so that identical passwords hash differently and a table computed in advance matches nothing
      • qbttxpse becomes something like qb1ttx01ps1e in the toy example
    • Rainbow tables are precomputed tables for inverting unsalted hashes of short passwords
      • Because the passwords were short and unsalted, nobody had to “figure out” MD5; the algorithm is public (in the toy example, the rule “shift every letter one ahead”). Each stolen digest was simply looked up in a table built before the attack and read back as plaintext
  • Usernames and passwords were obtained
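The chain the bullets above describe, shown end to end as an added example (not code from this page or from HBGary): a search that concatenates user input into SQL, the UNION payload that turns it into a dump of the user table, a wordlist lookup that recovers the unsalted MD5 hashes without touching MD5 itself, and the two fixes (a parameterised query, and a salted slow hash). The schema, usernames, passwords and wordlist are constructed for the example; the executives' passwords follow the six-letters-plus-two-digits pattern the page describes.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data for this example only. Table layout, usernames and
# passwords are assumptions, not HBGary's schema or credentials.
USERS = [
    ("admin", "letmein"),
    ("ceo", "august01"),                        # 6 lower-case letters + 2 digits
    ("coo", "summer12"),
    ("greg", "correct horse battery staple"),   # not in the wordlist below
]
NEWS = [("Welcome", "Site is live."), ("Release notes", "Version 2 shipped.")]


def md5_hex(text: str) -> str:
    """Unsalted MD5, as the custom CMS in the story stored it."""
    return hashlib.md5(text.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the CMS database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_md5 TEXT NOT NULL)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [(n, md5_hex(p)) for n, p in USERS])
    con.execute("CREATE TABLE news (title TEXT, body TEXT)")
    con.executemany("INSERT INTO news VALUES (?, ?)", NEWS)
    return con


def search_news_vulnerable(con: sqlite3.Connection, term: str) -> list:
    """The custom-CMS mistake: user input pasted straight into the SQL text."""
    sql = f"SELECT title, body FROM news WHERE title LIKE '%{term}%'"
    return con.execute(sql).fetchall()


def search_news_fixed(con: sqlite3.Connection, term: str) -> list:
    """Parameterised query: the driver sends the term as data, never as SQL."""
    sql = "SELECT title, body FROM news WHERE title LIKE ?"
    return con.execute(sql, (f"%{term}%",)).fetchall()


# Closes the LIKE string, UNIONs in two columns from the users table (matching
# the two columns of the original SELECT) and comments out the rest of the query.
DUMP_PAYLOAD = "zzz%' UNION SELECT name, pw_md5 FROM users -- "


def dump_credentials(con: sqlite3.Connection) -> dict:
    """What the attacker receives from the vulnerable search: name -> MD5 digest."""
    return {name: digest for name, digest in search_news_vulnerable(con, DUMP_PAYLOAD)}


# A small wordlist stands in for the rainbow table. The property that matters is
# the same: every candidate is hashed once, before any stolen hash is seen, and
# that work is reused against every unsalted digest that turns up.
WORDLIST = ["password", "letmein", "august01", "summer12", "qwerty99", "changeme123"]


def crack_unsalted(digests, wordlist) -> dict:
    """Map each digest to its plaintext (or None) by lookup alone; MD5 is never 'reversed'."""
    table = {md5_hex(w): w for w in wordlist}       # precomputation
    return {d: table.get(d) for d in digests}        # lookup, no hashing at all


# Storage-side fix: a random per-user salt and a deliberately slow hash. The same
# password stored for two users yields two different values, so nothing computed
# in advance matches, and each guess costs the attacker ITERATIONS hashes.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison


if __name__ == "__main__":
    con = build_db()
    stolen = dump_credentials(con)
    cracked = crack_unsalted(stolen.values(), WORDLIST)
    for name, digest in stolen.items():
        print(f"{name:6} {digest} -> {cracked[digest]!r}")
    print("fixed query returns:", search_news_fixed(con, DUMP_PAYLOAD))
    a, b = hash_password("august01"), hash_password("august01")
    print("same password, different stored values:", a != b, "verifies:", verify_password("august01", a))
```

Run it and the three short passwords come straight back from the lookup while the long passphrase does not; the parameterised search returns nothing for the same payload, and the two PBKDF2 values for "august01" differ because each carries its own salt.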
ROOT ACCESS

Also known as an admin, administrator, or superuser; this account can make system-wide changes not available to other users

  • Using the now-cracked passwords, the attackers were able to log in to the server support.hbgary.com as ordinary, non-root users
  • Root access is full-control or administrative access
  • Using a known, unpatched privilege-escalation vulnerability on that server, they were able to gain root and remove gigabytes of information
PASSWORD REUSE
  • Among the accounts recovered were those of high-level employees, including the CEO and COO
  • They had exempted themselves from the password complexity requirements and used eight-character passwords: six lower-case letters and two numbers
  • These passwords were re-used all over the internet, from Google to LinkedIn to Twitter.
  • Aaron Barr, the CEO who started this, re-used the same password for the company's Google Apps mail service.
  • Because he was an administrator there, any other account could be taken over simply by resetting its password.
  • They did this for the account of Greg Hoglund, who founded HBGary and is well known in the security world
  • Through reading his emails they found out that he and a Nokia employee had SSH access to a server (rootkit.com) as well as possible root passwords for that server.
SOCIAL ENGINEERING

In the context of security, social engineering is getting people to do what you want them to through social/psychological manipulation.

  • At this point, Anonymous has access to most of the communications within HBGary. They know that Greg Hoglund is in Europe, they hold two candidate root passwords for the rootkit.com server, and they have the name and contact details of his security contact at Nokia.
  • They send an email from Hoglund's account to this person.
From: Greg Hoglund <greg@hbgary.com>  Sun, Feb 6, 2011 at 1:59 PM
To: jussi <jussij@gmail.com>
im in europe and need to ssh into the server. can you drop open up
firewall and allow ssh through port 59022 or something vague?
and is our root password still 88j4bb3rw0cky88 or did we change to
88Scr3am3r88 ?
thanks

 

From: jussi jaakonaho <jussij@gmail.com>  Sun, Feb 6, 2011 at 2:06 PM
To: Greg Hoglund <greg@hbgary.com>
hi, do you have public ip? or should i just drop fw?
and it is w0cky - tho no remote root access allowed

 

From: Greg Hoglund <greg@hbgary.com>  Sun, Feb 6, 2011 at 2:08 PM
To: jussi jaakonaho <jussij@gmail.com>
no i dont have the public ip with me at the moment because im ready
for a small meeting and im in a rush.
if anything just reset my password to changeme123 and give me public
ip and ill ssh in and reset my pw.
  • Once they had root on that server they pulled further information off it and, once again, cracked the poorly protected username/password combinations. Jussi had little reason to doubt he was dealing with Greg Hoglund: the email came from Greg's real account, and “Greg” knew two candidate root passwords. Still, Jussi might have verified through another channel (a phone call, for instance), but the wish to help and the fact that “Greg” was in a hurry pushed him into acting without checking.

Aftermath

  • Aaron Barr tried to negotiate with Anonymous. He lied to them repeatedly, not realizing they had all his emails and knew the truth.
  • Over 40,000 internal emails, many of them containing very sensitive information, were posted to the Pirate Bay
  • Over 1 TB of HBGary backup data was deleted
  • Barr's iPad was remotely wiped
  • All social media accounts for Barr were used to discredit and embarrass him
  • HBGary's site was defaced and everything made public to shame them
  • Aaron Barr had to shamefully bow out of a high-profile conference where he was to give a presentation about his work in an effort to garner more money.
  • Information came out that HBGary and Barr were:
    • Spying on union organizations for the US Chamber of Commerce
    • Had plans to plant fake insiders within those organizations and then have them do something stupid to discredit the unions
    • Planned to create discrediting over-the-top 'humor pieces' on US Chamber Watch, the group monitoring USCoC activities.
    • Barr planned to release what he had been told was flawed information for millions of dollars, information he knew could or would get innocent people arrested.
    • They were working on a presentation for Bank of America, which wanted Wikileaks taken down. What they were proposing was mostly illegal. It included numerous cyber-attacks, creating internal strife within the funders of Wikileaks, spreading disinformation and a concerted media campaign to smear Julian Assange. They intended to disrupt all payments to the site and make it impossible to have further submissions.
    • They also were in the process of creating unlicensed Windows games to release into the wild on Asian sites. These games contained backdoors from which they could launch attacks.
    • They planned to put pressure on civil liberties lawyers to make them fearful for their jobs and unwilling to offer more support or open criticism.
    • The USAF sought from HBGary software with which they could control thousands of fake online personas on social media to gather information and spread the illusion of assent to the US government among a large portion of the populace.
  • Final results:
    • Everyone distanced themselves from Barr and HBGary.
    • Barr resigned in disgrace
    • HBGary's potential company sale and work disappeared and they went under.

Lessons Learned

  • Use tried and tested software. A custom CMS allowed the SQL injection that started this ball rolling. Anything on the web with public access should be secured in the strongest manner in every way possible.
  • Follow best security practices: This could apply to most of the mistakes in this example. By not salting their MD5 hashes, they left their user info open to attacks by Rainbow Tables, which have been around since 1980 and for which software is commonly available.
  • Apply all the latest updates, especially security ones. If the servers had been patched for a widely known vulnerability, the attack could have been stopped.
  • Best password practices:
    • Use long passwords with both upper and lower-case characters plus numbers and non-alphanumeric characters if possible.
    • NEVER use a common word or password, as those are very easily broken with dictionary attacks.
    • NEVER reuse a password across multiple websites.
    • See the Mozilla method for password creation.
  • People with more power should have stronger passwords for security, not weaker passwords for ease of use just because they are in a position to object.
  • Firewall identities. Aaron Barr used the same password for many sites, including his personal social media sites, email, internal and external servers and personal iPad. [Namechk.com] makes it easy to find the reuse of usernames across sites.
  • Social engineering. The hardest to defend against and probably the most common hacking tool. In this case, a sense of urgency was used, but attackers usually appeal to sexuality, greed or the human want/need to help. It is much easier to get information from a human than to hack a computer. Social engineering takes place in most hacking in some form.
    • PFC Manning incident
      • Manning exfiltrated classified information and gave it to reporters and Wikileaks. Data included sensitive diplomatic cables, video of American troops killing reporters, as well as operationally secret military data. Manning used a CD-RW labeled as Lady Gaga to get the information out. Manning would simply knock on the door to the secure area and ask to listen to his CD. He would lip-sync to songs that were not playing while in actuality secrets were copied to the Lady Gaga CD.
      • This was not a technical hack but a human hack. The use of technology was no more than inserting a CD and downloading information. Manning played on their trust and used acting to continue the trust.
    • Social engineering in email
      • Phishing emails use things like fear of having your account terminated, getting in trouble for using a "bogus" credit card, fear that your bank account might have been compromised, etc.
      • Nigerian scam or 419 emails play on your want to help or greed by telling you that you are helping some person in trouble or that you will gain large amounts of money.
      • Spam emails often play on your sexuality (porn, dating), greed (Get rich quick), or fears (Viagra, Rogaine, breast enhancement, weight loss)
    • What Social Engineering looks like
      • It doesn't and that's the point. It comes at you sideways smiling.
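The unsalted-MD5 lesson above, shown in code. This is an added example, not code from the original page or from HBGary: the users, passwords and wordlist are constructed, and PBKDF2 with a random per-user salt stands in for the hardened storage the page recommends.

```python
import hashlib
import hmac
import os

# Constructed "leaked" user table: two users share a weak password.
USERS = {"aaron": "sunshine1", "ted": "sunshine1", "greg": "Tr0ub4dor&3"}
# Constructed wordlist standing in for the dictionary a rainbow table covers.
WORDLIST = ["password", "123456", "sunshine1", "letmein", "qwerty"]


def md5_unsalted(password):
    """The weak scheme the page describes: bare MD5, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(words):
    """One-time precomputation, hash -> plaintext. A rainbow table is a
    space-compressed form of this; a plain dict shows the principle."""
    return {md5_unsalted(w): w for w in words}


def crack_unsalted(stored, table):
    """Each stored hash falls to a single lookup; misses return None."""
    return {user: table.get(h) for user, h in stored.items()}


def hash_salted(password, salt=b"", rounds=100_000):
    """Hardened form: random per-user salt plus key stretching
    (PBKDF2-HMAC-SHA256). Returns (salt, hex digest); both are stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, digest.hex()


def verify_salted(password, salt, expected_hex):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_salted(password, salt)[1], expected_hex)


def demo():
    """Returns (cracked map, lookup-table hits against the salted hashes,
    whether the two identical passwords still collide once salted)."""
    table = build_lookup_table(WORDLIST)
    unsalted = {u: md5_unsalted(p) for u, p in USERS.items()}
    cracked = crack_unsalted(unsalted, table)   # instant for weak passwords
    salted = {u: hash_salted(p) for u, p in USERS.items()}
    table_hits = sum(h in table for _, h in salted.values())  # 0: table is useless
    collide = salted["aaron"][1] == salted["ted"][1]          # False: salts differ
    return cracked, table_hits, collide
```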

Hacking Facebook

The story: A friend and I were both interested in computer security. We were talking about hacking Facebook accounts and he gave me permission to try to get into his.

At that time, Facebook had a web page where you could reset the password if your email associated with your Facebook account had been compromised and you could no longer access it.

The form had the following fields:

  • The email you can now be contacted at
  • The old email address
  • The full name on the account
  • DOB
  • FB web address of account

I was to assume that all I knew was his full name and city he resided in.

DIGGING

I logged out of Facebook and cleared my cache. I logged back into the password reset page and:

  • Gave them my email address created just for this. In real life I would have created a throwaway account through proxies.
  • I was able to find his email address because someone other than himself had posted it. I looked up his name and city and found a listing for a hobby group he was the leader for. Someone asked for information and a 3rd party listed his email for them.
  • Using the username portion of his email “username@email.com”, I was able to take the standard Facebook format for user profiles and add his username (http://www.facebook.com/username). I confirmed this was him and now had the correct web address.
  • I had his name to start with but was able to access available information to get a middle name and was prepared with variations on his name if I did not immediately succeed with that question.

At this point, I could not get his date of birth. I looked at publicly available information as to where my friend had lived in the US. I started searching for his name in conjunction with these cities. I found a city on the east coast where he'd had another public group he was involved with.

I then started looking at relatives and the places they had lived. I searched for their names and cities listed. I found a listing for his dad being involved with a volunteer organization. There was no information listed for contact.

SOCIAL ENGINEERING

I read a newsletter stating his involvement with a certain individual in this organization. Posing as a relative of this individual, I contacted the organization via phone and asked for his contact information. Because I knew his name and some information they probably considered private, they gave me his personal email address. I emailed him stating that I was a friend from that east coast city and knew him through that public group. I said I had a really nice gift for him but had forgotten his birthday. I was so embarrassed because we were good friends and would he please not tell my friend that I'd forgotten his birthday. The last piece of the puzzle was had.

LESSONS

  • Firewall identities/Strategically don't re-use identities
  • Be careful what you put online
  • Insist on being behind a login for group sites
  • Don't reuse usernames
  • Social engineering – ask people to never reveal your information


RSA Security Tokens

RSA Security owns SecurID, a security token popular with government and defense companies. There is a seed number within the RSA system that, if compromised, makes those tokens useless. The attackers sent out a spreadsheet entitled "2011 Recruitment Plan" with a 0-day Flash exploit embedded in it. From the infected systems they were able to sniff traffic and locate the keystore, then escalated their access to steal the seeds.
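Why a leaked seed makes a token useless, as an added example that is not part of the original page. SecurID's algorithm is proprietary, so this uses the open RFC 6238 TOTP construction (HMAC-SHA1, dynamic truncation) as a stand-in; the seed, the one-minute step and the replacement seed are constructed assumptions.

```python
import hashlib
import hmac
import struct

# Constructed seed (the RFC 6238 test seed); per-token and secret in real use.
SEED = bytes.fromhex("3132333435363738393031323334353637383930")
STEP = 60  # one-minute code rotation, SecurID-style (assumption)


def totp(seed, unix_time, step=STEP, digits=6):
    """Code for the time window containing unix_time: HMAC over the window
    counter, then RFC 4226 dynamic truncation to `digits` decimal digits."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def server_verify(seed, submitted, unix_time, window=1):
    """Accept the current window plus `window` neighbours for clock drift."""
    return any(hmac.compare_digest(totp(seed, unix_time + d * STEP), submitted)
               for d in range(-window, window + 1))


def seed_compromise_demo(unix_time):
    """Token holder and seed thief derive identical codes, so the 'something
    you have' factor collapses. Returns (codes_match, thief_still_valid_after
    the server re-keys the user with a fresh seed)."""
    legitimate = totp(SEED, unix_time)
    attacker = totp(SEED, unix_time)          # same seed, same code, no device needed
    replacement_seed = hashlib.sha256(b"constructed new seed").digest()[:20]
    still_valid = server_verify(replacement_seed, attacker, unix_time)
    return legitimate == attacker, still_valid
```

Re-issuing seeds is the only remedy once they are known to be exposed, which is why the compromise of RSA's seed store mattered so much to its customers.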

LESSONS

  • 0-day exploits and the cycle from virus creation to antivirus definition.
  • Heuristic programs
  • Spear-phishing/phishing
  • Social engineering
  • Use administrative accounts judiciously
  • Don't re-use passwords
  • Patch
  • Use 3rd-party penetration testing

Stuxnet

STUXNET was a first, a guided missile of sorts... a worm that sought out only Siemens-made Iranian nuclear fuel centrifuges. The machines were air-gapped and so security was probably more lax than normal. The worm would lie in wait until the right times, override the alarms signalling that anything was wrong and throw the centrifuges slightly off to ruin them.

  • USB trick and history. Curiosity and voyeurism. Social engineering
  • 0-day exploits for windows used
  • USB use could have been stopped through policy, on the computers themselves, and physically.


OVER-ARCHING LESSONS

  • You must be vigilant
  • Learn and use best security practices
  • People both overestimate their own security and underestimate the abilities of others to flout it.
  • Don't do anything to piss people off and they won't have a reason to dig
  • EVERYONE is vulnerable
  • EVERYONE makes mistakes
  • No matter how smart you are, you can be socially engineered
  • Even if you are perfect, those around you are not