Lies, Damned Lies and Computer Security
Sep 9, 2004 6:00 AM PT
During a break in a series of discussions on the U.S. Health Insurance Portability and Accountability Act (HIPAA) compliance for Canadian healthcare players, one of the attendees regaled the group with a long brag about how his company's techies had defeated a phishing attack.
According to the story, the company's wizards had discovered a phishing attack based out of Hong Kong, promptly hacked into the phisher's server to retrieve the stolen information, and "shut him down hard."
I almost did a spitter -- you know, the vaudeville sight gag in which someone sipping water is astonished into spraying everyone in sight? Nasty thing to do with hot coffee; I mean, really, this company uses Windows for its Web servers. And besides, how do you meaningfully retrieve stolen bytes?
Marshall, the super tech on the TV show "Alias," could do it, but then he can break into any computer system in seconds, do TV quality two-way videoconferencing using a long distance dial-up line, remotely transfer 40 GB from the bad guy's mainframe to a microdisk in about five seconds, and instantly know exactly how to use a fully embedded real-time system he's just hacked into over 51 Kbps satellite links.
Unfortunately Marshall doesn't work for this guy, so my first thought was that he was spoofing us. He wasn't; he sincerely believed the story and rejoiced in this idea of the bad guy being "shut down hard" -- a phrase I keep hearing from executives who deeply resent being asked what it means.
Market for Lunacy
What it meant to me was, first, that someone had lied extravagantly to him, and more importantly that there's credulous market for lunacy out there in executive land.
Actually breaking into a particular computer system you don't have physical access to and don't know much about is quite hard. It's easy to trash any number of machines at random, or to get at least some victim machines to run applications on your behalf, because those are numbers games. Spray enough attacks around and you're bound to hit some with easily exploited vulnerabilities.
Playing Mr. White Hat hacker for some unsuspecting MCSEs is easy too: just DHCP boot your laptop on the network segment where the servers are and start a promiscuous packet snoop before going off for coffee with the locals.
By the time you get back, you'll have caught somebody's username and password and you can hunt up the Word document they use to store their super secret device names and passwords while they're off checking their e-mail. By the time they get back, you'll be all set. Just show them a few minutes of concentrated hocus pocus, then quietly breath out "I'm in!" before sitting back to accept the applause.
Unfortunately, cracking a machine you don't have access to and know nothing about is a lot harder -- especially if you don't want the target to know you're doing it. For example, cracking whatever's behind signin_ebay_com_account.rndsystems.co.kr:7308/ebay.htm without tipping off the person operating it is tricky, not to say nearly impossible to do in a tight time frame.
Marshall can do this kind of thing while Alias girl hangs from a 50th story ledge in a hurricane but, of course, he'd apply "an algorythm" (who writes this stuff?) and magically get complete system control just as her pretty little fingers start to slip. The rest of us, however, have to start by figuring out how to access that target machine, what its software is and what weaknesses in the local set-up might be useful places to dig in our handy digital crowbars -- and do it all without getting noticed.
The most obvious problem is simply that even probing it is likely to tip off the bad guy to your interest, and how do you know that 7308 isn't on one machine while everything else is on another just waiting for you to waste your time on?
In real life, I'd probably start with an imitation Google or Netcraft bot and then go after the penultimate network device on our route to him. That device, particularly if it happens to use IIS as its management interface, can normally be prevailed upon to hand over lots of useful information -- often including the bad guy's own SSH login. Unfortunately, doing that takes time, and most phishers change servers about once every two and half to three days to make sure you don't get enough of it to nail them.
That leaves either the legal process or social engineering. Unfortunately, the phishing attacks I've looked at used servers registered in places like Pusan (Republic of Korea) but run on networks out of Hong Kong or Shanghai. That means either process would take weeks of effort and thousands in expenses just to set up in each target jurisdiction.
So by the time I'd put the coffee safely back on the table, I'd figured out that some of his customers had indeed been victimized, but he'd been ripped worse by his own IT people. The bottom line here is simple: He might want to believe that Marshall works for him, but it's not true. And if they'll lie to him about this, how much credence should he give them on PIPEDA (Canada's privacy legislation), HIPAA and Sarbanes-Oxley?
Paul Murphy, a LinuxInsider columnist, wrote and published The Unix Guide to Defenestration. Murphy is a 20-year veteran of the IT consulting industry, specializing in Unix and Unix-related management issues.