True tales of (mostly) white-hat hacking

Stings, penetration pwns, spy games -- it's all in a day's work along the thin gray line of IT security

The second time, a hacker had sent malicious emails to my InfoWorld address in an attempt to take over my computer. I usually investigate these infrequent occurrences if only to see whether the attack is unique or unusual. In this particular case, the hacker had sent me a GIF file, which took advantage of a brand-new zero-day exploit that buffer-overflowed a Microsoft Windows graphics handling file and gave the attacker full control of my system.

I was getting ready to head on vacation, after a few hours of sleep, and was in such a hurry that I didn't take the time to open the email in a virtual environment, like I normally would with an email I knew to be malicious. I also couldn't believe that the attached GIF file could buffer-overflow my system. Many hackers have claimed the ability to do this for nearly two decades, but up until that email, it had never been accomplished in the wild. I was overly confident, perhaps a little cocky, that this malicious graphics file would be like the rest -- harmless.

I was wrong. Immediately upon executing it, I could see it implant a backdoor Trojan and dial home. It took me by surprise. After hitting myself in the head a few times for executing a known malicious file on my personal computer, I disconnected from the Internet and immediately began defanging the newly dropped Trojan.

Within a few hours, I had successfully tracked and documented the new vulnerability. I sent a copy off to Microsoft and a few of my antivirus friends for more analysis and response. I lost any chance of getting any sleep before my vacation, and I remember driving way more tired than I should have.

The incident didn't end there. I contacted the originator of the email and gave him some ill-achieved props. I had noticed he was bragging about his exploit on an IRC hacker channel and spreading his creation to dozens of websites. I told him that Microsoft was working on a fix and all the AV companies were releasing signatures. Needless to say, he wasn't happy.

He then tried to hack my personal computer network, having acquired the IP address from his initial backdoor Trojan. He launched every malicious attack anyone could think of at the time, including DDoS attacks. When he couldn't break into my network, he began attacking people and companies I did business with, using my IP address. For example, the hacker was successful in getting Apple to ban my IP address from connecting to its networks, preventing me from picking up new music from iTunes. No amount of emails with Apple would fix the problem, and eventually I was forced to get another IP address from my ISP.

I investigated the hacker, reading emails he had posted in a few hacker forums and on legitimate websites. What I found was that he was an overly zealous high school kid in the Midwest who thought he was a better hacker than he really was. Even "his" zero day was created by someone else. He just passed it along and claimed credit.

After a few more weeks of computer attacks, I sent him an email asking him to stop. He was surprised I had his email address. I responded with his real name, high school, and mailing address. I politely asked that he stop hacking me. He responded by launching even more attacks and attacking more companies using my new IP address. He was getting annoying. It was time to turn the tables.

I figured out what firewall he used to protect himself. I remembered having seen that it had recently had a remote buffer overflow announced in a public forum. This next step probably isn't legal, but I used the buffer overflow to break into his computer. I created a batch file with commands that would format his hard drive the next time he rebooted, except I remarked out (REM'd) the lines so they would not take affect. I then sent him an email and told him of this "kill" batch file that I had placed on his local hard drive.

He was stunned. I told him that there were lots of smart hackers in this world and he wasn't the only one who knew how to get onto other people's system. I then politely asked that he stop attacking not only my system, but anyone's system, and to turn his curiosity into legal ends. He agreed. As far as I know, he didn't do any illegal hacking anymore.

Afterward, I got emails and IM chat messages from him for years. He went to college, got an engineering degree, and eventually became a midlevel executive at a computer company that got swallowed up by a huge conglomerate. He became fairly rich in the process. He has a wife and a few kids now. I don't know if anyone in his life knows about his hacking teenage years. I can only tell you that it appears one good scare helped turned his life around.

True tale of (mostly) white-hat hacking No. 5: Like spies to a honeypotI had been hired to help implement honeypots. The client, a defense contractor and think tank, had been thoroughly compromised and wanted an early-warning system to detect malicious hackers or insiders and to catch any unknown malware roaming around its network.

Over the next few weeks we created a "honeynet" of early-warning systems, fake Web servers, SQL servers, and SharePoint servers. During any honeypot project, I'm often asked how we'll attract attackers to the honeypots. I always respond that there is no need to advertise; the attackers will find them. This statement is always met with skepticism, but it's held true over the years.

We fired up the honeypots, and sure enough, we immediately discovered malware that had not previously been detected. Better yet, within 24 hours we discovered that an internal employee was also roving around the network and hacking various systems. She was trying to break into the new fake servers, including the Web, SQL, and SharePoint servers.

We weren't sure what type of content the overly zealous employee was looking for or what her intent was, so we created a few different content areas. One dealt with a popular game, which half the users on the IT team seemed interested in. They were going so far as to hack into underutilized servers to host games and use resources. We also created sites centered on Middle East politics (the think tank's focus) and the space shuttle. We downloaded the content from publicly available websites, copied it to folders, directories, and databases that made it appear as if the information was top secret, and used wget to keep the information updated.

The internal intruder went for the serious stuff. She wasn't interested in gaming. We tracked her to an accounting/payroll department -- by coincidence, literally on the other side of the wall from our honeynet team. The accounting department already had a Web camera in the room for payroll security issues.

With it, we watched the employee, a Russian temp, hack several real systems over the remaining week. Examining her computer after she left for the day, we found that she had inserted a wireless network card and had successfully bridged the "air-gapped" secure and nonsecure network. We could tell she was transmitting the data from her computer to someone else hooked into the wireless network. We placed keylogging programs on her computer to record her every keystroke.

We purchased a wireless sniffer to better track the hacker, and when she began transmitting information, we roamed the hallways looking for the illicit partner. We ended up in a nearby conference room that was open to the public. We opened the doors and saw about 200 people, half of them carrying laptops. Try as we might, we could not track the illegal data stream to a particular person. We had a room and a MAC address. Senior leadership would not allow us to stop everyone in the room to locate the specific person. Although I didn't like the decision, it probably was the best legal answer.

It was decided that we would detain the known perpetrator to stop the data loss. I hung out in the background as IT and physical security confronted the employee. The moment the security guards entered the accounting department, the temp pushed away from her PC and claimed that someone was hacking it. She was so adamant and tearful that if I had not watched her expert hacking over the past few days using the Web camera, I would have believed her. She was a wonderful actress.

I never heard whether she was arrested or deported or what happened to her. I was not privy to those details. But I did hear that she was just one employee from a newly engaged temporary placement agency, and all the other employees from the agency were also caught hacking at this same client. The young woman I had helped detain had claimed that she had so few computer skills that the company had sent her to basic keyboarding classes.

It remains the one time in my life where I helped catch a Russian spy.

Related articles

This story, "True tales of (mostly) white-hat hacking," was originally published at InfoWorld.com. Follow the latest developments in security at InfoWorld.com. For the latest developments in business technology news, follow InfoWorld.com on Twitter.

Read more about security in InfoWorld's Security Channel.

This story, "True tales of (mostly) white-hat hacking" was originally published by InfoWorld.

| 1 2 Page 8
ITWorld DealPost: The best in tech deals and discounts.
Shop Tech Products at Amazon