Someone once said, “It’s not that computers aren’t secure, it’s that people aren’t.” Someone else once said, “If you take a computer, unplug it from the wall, unplug it from the internet, take it deep into the wilderness, dig a very deep hole, put the computer in it and pour concrete on top of it, fill in the hole and never tell anyone where it is; that computer might be secure… but I wouldn’t bet on it.”
This brings us to my other favorite topic (besides botnets): Social Engineering.
Put a human being in front of a computer and nine times out of ten, that computer is no longer secure. Leaving aside the tenth time for the moment, this is because nine times out of ten, the human being is trying to get some work done. The computer is a tool, just like a hammer and like a computer, the only way to keep a hammer from hurting someone, either by banging a thumb, falling off a bench onto a foot or lying in wait for a toe on the floor, is to bury it and put concrete over it and never tell anyone where it is. It’s a people thing.
Add a third person with malicious intent into the mix and you have a catastrophe waiting for a chance to happen. Social engineering is the equivalent of bumping into the hapless hammer wielder just as he starts his downswing. It’s guaranteed to cause chaos, and if you are trying to break into a system, chaos is a good result.
I touched on social engineering in my last post where a judicious bit of timing coupled with a knowledge of human nature allowed me to raise cash from an ATM. This time I want to dig a little deeper into the unsung hero of the hacker’s toolkit.
For my novel Playing God I created a secure floor at the Microsoft like company Universal Software, where the coding of the “world’s most popular operating system” takes place. It’s armed with all the latest anti-hacker goodies and set up with an internet connection that is outbound only (packets from the outside world stopped dead in their tracks unless there are corresponding outbound packets preceding them.) An impregnable fortress, and rightly so, because in the hands of an expert hacker, the source code for an OS would reveal all sorts of things too numerous to get into here. Now I’m sure a lot of you are calculating esoteric attack vectors that could break this fortress, but let’s assume for the sake of fiction that they wouldn’t work. (The reality is that the more obscure the attack vector, the more bored the general public will get reading about it.) So, with all that in mind, how are we to get our protagonist in to steal uncompiled OS code? Enter (stage left) our unsung hero: Social engineering.
Start with a human resources girl who manages to bend the rules for an ex-boyfriend (our protagonist) and give him a brief tour of the secure floor – a major no no. [*note: I could have scripted a seduction scene with a stranger, a blackmail scheme with an older woman, or any number of other ways to get him on the floor.] Then, armed with a thumb drive he’s loaded an outbound trojan onto (That’s a piece of malware that installs itself and then sends packets to a specified IP address – in this case, our protagonist’s computer.) and a sticky note that reads “thought you should see this before the sh#t hits the fan”, our hero appears to stumble, catches a desk to break his fall and drops off the payload on a programmers desk and leaves. His escape is seamless, because there is no obvious break in or crime. Forensics will later reveal him to our villain and set him on our protagonist’s trail, but it’s too late. He has already followed the outbound packets back inside, downloaded the source code and is on the run. Aside from the trojan, pure social engineering top to bottom.
I’ll break all this down in part 2 and discuss the reasons that it’s so difficult to teach social engineering. I’ll also discuss why it’s necessary to find a way to do so.
The talk of the 2010 Black Hat conference was security researcher Barnaby Jack’s presentation on “Jackpotting An ATM” using two little programs he developed called “Scrooge” and “Dillinger”. “Scrooge” is an ATM firmware rootkit (malicious software that conceals itself at the level of interface between software and hardware) that takes control of an ATM machine and causes it to spit all its money out. “Dillinger” is a program that gathers debit card numbers and passwords from the infected machine and sends it to a remote location for collection.
Since my main character is on the run from both the Police and the Federal Authorities, “Dillinger” is not much good to us. So it is “Scrooge” that we’ll be using. Time to plan a crime.
I got copies of “Scrooge” and “Dillinger” along with an ATM key (all ATM’s are keyed alike believe it or not!) as the beginning of my proof of concept. I was then ready to emulate emptying an ATM machine. Since most of the larger ATM’s, like the ones at the banks, had been patched I rejected them outright. That left me with the smaller ATM’s of the type found in convenience stores. The problem is, a lot of convenience stores are open 24 hours so I couldn’t just write in a staged after hours break in. Besides, this would have been such an inelegant solution and a betrayal of my readers.
No, I needed a brazen, broad daylight exploit. Time for a little social engineering. There’s a section of route 12 in Fitchburg, Ma. that has a half dozen convenience stores and gas stations within a short 1/4 mile, so this became my target. The first step was a scouting expedition to find the brand names of the ATM’s. Done early in the morning, it allowed for a shift change before I had to go back. Armed with a Macbook Pro, a portable USB printer and a small laminator, it’s an easy matter to take a picture with the built in camera and use Photoshop to combine it with the corporate logos of the manufacturers’ of the machines I’d scouted and then downloaded as jpg’s from their respective websites on the internet. Cutting the results down with a barcode thrown in and laminating them makes a fairly effective*ID badge. With darkness falling, its easy to wait until the clerk of the store is getting slammed. That’s when I begin the attack.
Entering the store, I ignore the line and go right up to the counter. I push my ID in the busy clerk’s face and tell him I’m from the corporate office of the ATM’s manufacturer and I’m here to update the firmware of their unit. 99% of the time, the reaction of the clerk will be: “Whatever. Go do it and stop bothering me!” Now I’m all set. I can open the ATM with my key and can then, if I want to, proceed to insert a small flash drive containing “Scrooge”, collect the bills, and say thanks on the way out.
This attack works so well because very few people know you can get (or used to be able to get) an ATM key quite easily on the internet. Opening the ATM with the key indicates that you are who you said you were, after all, you have a key. Waiting until the clerk is slammed, is an effective way to ensure he won’t be able to describe you later when the crime is discovered. An elegant “hacker” solution to the problem of raising cash when you are on the run from law enforcement. Part of the real fun involved in writing “Playing God”.
*Note – This was all done as a proof of concept and with the permission of a store owner who was grateful for the “heads up” about the need for a patch, and no money was taken.
…’till next time
I know everyone wants me to get to the hacking of the Best Seller List, and I will in a minute, but you have to put the meat and potatoes down before you pour the gravy (otherwise it gets really messy.)
The first step in any good attack, is to examine what’s worked in the past. However, it’s not the only one. A penetration tester also has to understand how the legitimate user (or in this case, book) gets in. Other things to consider are potential attack vectors (point of sale outlets, distributors, etc.) and the reporting methodology, i.e how the lists are compiled.
Okay, now that the meat and potatoes are down, we can pour the gravy. First, it should be noted that most publishing companies, like their record label and art world counterparts, are slime. They are happiest when they can take an unknown, sign them to a multi-year deal that puts most of the profits in their own pockets instead of the artist’s (unknowns are happy just to be there) and push them to the top of a list or chart they can manipulate. They are miserable when they have to write much larger royalty checks to established artists.
Don’t believe me? Read on. No one is exactly sure when the kids first broke into the candy store, but it went on for a pretty long time, “and them that knows ain’t sayin’” (boy did my spell checker hate that one.)
The major publishers concocted the following plan and they were all in on it. They would use their weight to push large amounts of a particular title out to the big distributors. The carrot was that all the books were returnable for credit. So the big distributors grumbled, but they went along with it. Now this alone was not enough to crack the lists, because there were no sales and, for obvious reasons, the publishers aren’t allowed to report sales to the list. So they did the next best thing. They used shell companies to buy back the books in large chunks at a discount. The shell companies would then warehouse them and pass them back to the publishers. The publishers now owned the books again so their overheads were zero on that batch which they pushed back out to the distributors again and repeated the process. When the book hit the best seller list it would get prime real estate at the book stores and people would buy it. (Go into a Barnes and Noble and take a look at the books that assault you as you walk in the door.) Thus, a title that appeared to sell 500k books, really only sold 250k but the publisher broke even on the first half and pocketed all the profits on the second half. Total marketing cost – “0″. Plus, all those shell companies posted nasty losses that were written off at tax time. The distributors were happy as profits were up. and the NY Times was none the wiser. (or were they, they are a big publishing conglomerate…)
Does this still go on? The answer is no. Someone figured it out and now books that sell in large blocks are asterisked like Barry Bond’s home run ball and never make it to the list.
Do the major publishers still hack the list? Well the alternative is that they collectively developed a conscience and are now playing fair and square. (Yes, Virginia there really is a Santa Claus.)
Am I going to try to hack the list with my own novel, Playing God? No, but it was a cool mental exercise.
’till next time.
The trick is to find it. The only exceptions to this rule are death and stupidity. Now, at first blush, stupidity appears no fall under the category of the corollary rule, namely: Most problems will go away if you throw money at them. But I would postulate (follow the recursive logic here) that if you are stupid and hire a bunch of smart people to get around the fact that you are stupid, that makes you pretty smart.
I’m a hacker, thinking outside the box is what I do. Ergo, I, a penniless author (Hey, I have five kids, three of which are teenage boys that play football. My food bill alone would cripple a third world nation) should be able to make it onto the NY Times best seller list.
If you are a new author and and you Google book promotion, here is what they tell you to do: Make your book available. (with millions of books published every year, that puts it at the bottom of a very big pile) Get accounts and engage with readers on Facebook and Twitter. (That will work if you already have hundreds of thousands of friends and followers) Get a video up on You tube. (See: the bottom of a very big pile) Write a blog to get people interested. (A different very big pile) Then be patient and wait. The internet is full of “success” stories from people who did this. They will tell you that after two years, they had sold a thousand books and were now selling at the breakneck clip of 5 or 6 per month!
Correct me if I’m wrong, but at that rate, the best seller list is a mere 10,000 years away! Well, I did everything they told me to do with my novel Playing God, and then I waited. And I waited, and I waited. After about 60 seconds of this waiting nonsense, I’d had enough!
I bet your first reaction is: The best Seller List can’t be hacked. Am I right?
Would it surprise you to know that it already has been? I’ll explain how in part 2.
Don’t get excited, this is not a “how to”. That I covered in my book, Playing God . If you are like me, you grew up with computers. My mother worked for the defense department and, as a very young kid, I remember playing with stacks of punch cards. Looking back, I could have been cutting up any number of cool 1960′s era DOD projects. My mother said she could tell me what they were but then she’d have to kill me. This may help explain a lot of my issues.
I learned my first programming using “basic” coded onto a cassette tape. Remember those? No? Alright then, forget it- you are obviously much younger than me so don’t rub it in.
Then high school happened, and girls happened, and rock and roll happened and suddenly it was desperately more important to wail away on an electric guitar like Eddie Van Halen than it was to continue playing with computers. Then, the eighties happened and suddenly tall thin heavy metal musicians with long dark curly hair were way too popular for their own good. Enough said about my experiences during the eighties, call it the trauma that caused my arrested development as a hacker.
I returned to computers in the 90′s just when things were getting interesting and, among other things, I became a script kidde. (remember when token rings seemed like a good idea?) I had an IBM xt and a Mac IIsi and in-between teaching myself HTML and catching up with programming, I broke into things. Yeah, ok – it took me longer to mature than most.
The safest thing to try newly acquired hacker skills on was porn sites. (Yes Virginia, they really are as old as the internet.) So… I did. The cops were still writing reports on electric typewriters using two fingers, so it was a safe bet they weren’t in a rush to chase blossoming cyber criminals, especially when it was a porn site that lodged the complaint. So, if you made a mistake, or did something stupid you would live to hack another day..
But that is where my interest in security began. After all, if I could break in, somebody must need me to teach them how to properly lock the door. I reformed my ways and left the dark side. However, like a reformed alcoholic, the lure is always there. The dark side always beckons.
I think that is what made writing the sequence where my main character breaks in and defaces a modern porn site so much fun. I got to be a script kidde again and grab the low hanging fruit.
And low hanging fruit was all my editor left me after she heartlessly ripped out all the really complex stuff. Keep it simple stupid, this is not a textbook is what she said. She was probably right, but it was fun writing it anyway.
The Screen Hackers Guild or SHG (pronounced shg, or for those of you mentally challenged individuals that demand a vowel amongst your consonants, shug) is an uber elite organization whose Screen Actors Guild members are 313371337. This is a designation that I’m sure you all aspire to but few if any of you will ever attain. Sadly, most of you will never rise above 1337 status. To be truly 313371337, you must pass the usual Screen Actors Guild qualifications, i.e. physical conditioning, perfectly straight ultra-white teeth, the ability to cry and sweat on cue, etc. Once you have met these rigorous qualifications, you will then need to take the SHG exam. This is an exam that many try to take, but few, if any pass. Its difficulty has been compared to that of working out the very last decimal place of PI in your head while you need to take a pee. Not for the faint of heart, right? I’m going to give you the test in a minute, but I want to caution those of you with fragile egos against even attempting this test. It will hammer home your humble 1337 status and has been known to leave test-takers in tears of frustration and rage. For the rest of you who fail, it will help you come to grips with your 1337 status and allow you the enjoyment of cheering when an SHG member comes onstage in a movie or TV show knowing that they truly are 313371337.
Okay, are you ready? Here’s the test:
You have EXACTLY 30 seconds to complete this test. First, sit in front of a computer terminal. Second, wrinkle your brow and adopt a look of intense concentration (method actors may wish to contemplate intangibles such as why their last girlfriend dumped them or how they ended up with spinach on their teeth at the last red carpet event.) With the clock at 30 seconds, begin typing in rapid fire bursts using all your fingers (playing air guitar is a good practice for this section of the test). When the clock hits EXACTLY 29 seconds, sit up, look to one side and say “I’m in!” Couldn’t do it? You are not alone. Common mistakes are: actually typing something, not frowning hard enough, and finishing before the 29 second mark. Remember, just because you are 1337 doesn’t been you are 14/\/\3.
Till next time.
How many of you have ever broken into the NSA Mega-Server? Raise your hand. THWACK – That was the sound of a ruler cracking down on the knuckles of anyone who raised their hand because you’re lying your ass off. That includes anyone who’s part of an incursion team in Beijing. It hasn’t been done, and most likely, can’t be done. Just trying will earn you a spot in the Federal Penitentiary System. You could probably plead temporary insanity though, because after all, what were you thinking??
So where is this blinding glimpse of the obvious going, you might ask? Straight into a quandary.
Because I had to do it! There was the cursor blinking like a gun to my head while my main character sat in limbo glaring at me for my incompetence. Rather than sit there glaring back, I poked at every NSA reference google had to offer. Then I kidnapped a google spider and tortured it (they get into everything) but it died without giving up anything useful. I carefully disposed of the carcass and then considered my options. I could write to China with something like: Dear fellow world citizen, hows it going? Break into the NSA yet? Care to share? Thanks. I eventually rejected that option as unproductive and moved on. My options at this point looked pretty limited. This wasn’t going well.
To be continued in part 2.
Someone once said that comparing a botnet to a supercomputer is like comparing a bunch of snipers to a nuclear bomb. Whilst I would argue (and I do like to argue) that it depends on how many snipers you’ve got, we’ll leave that aside for the moment. Despite its inherent flaws, the analogy got me thinking: What if Microsoft, under the control of [insert your favorite paranoid theory here-i.e. The Freemasons, the Bilderburgers, The Council on Foreign Relations, etc.] released a really polished operating system with a price so low that they had near universal adoption? What if there was a back door built into the operating system that allowed a central controller to access the spare processing power of each machine? That would be 2.1 billion processors (unweighted for dual processor machines).
Anti virus programs would ignore it because it’s integrated into the system so seamlessly that it’s just another running process. Most people use their computers for mundane tasks like checking emails, updating Facebook, watching porn, etc. Their computer processors aren’t even breathing hard. What if The NSA, at the behest of [insert your favorite conspiracy as above] ran the command and control functions from their megacomputer and programmed an actual operating system for the whole mess? You’d have a secret world wide supercomputer! Node redundancy would be an issue, but a good algorithm could minimize its impact because we’re all creatures of habit. Besides all the new computers are shipping with dual and quad core processors. That’s one of the things that made writing PLAYING GOD so much fun, I got to create and control the worlds largest botnet!
But… what if the government gets wind of this and decides to impose it as a “processor tax” so they can spy on us more effectively????? Just because you’re paranoid doesn’t mean they’re not all out to get you…