
The “SQL Injection” Attack

In the document William L. Simon (Pages 194-198)

Once he had the program decompiled, Robert examined the code to see whether the helpdesk application was susceptible to “SQL injection,” an attack method that exploits a common programming oversight. A security-conscious programmer will sanitize any user query by including code that, among other things, filters certain special characters such as the apostrophe, quotation mark, and greater-than and less-than symbols.

Without filtering characters such as these, the door may be left open for a malicious user to trick the application into running manipulated database queries that may lead to a full system compromise.

In fact, Robert had realized that the helpdesk application had indeed made the proper sanitation checks to prevent someone from using SQL injection. Most hackers would have just uploaded an ASP script to the Web server and been done with it, but Robert was more concerned with being covert than with exploiting a simple vulnerability to compromise his targets.

I thought, “That’s quite fun, that’s quite cool. I’m gonna enjoy this.”

I thought to myself, “Well, I’m gonna enable SQL injection by screwing up the validity check.” I found the string of where the invalid characters were kept and I changed them all to, I think it was a space or a tilde (~) or something else that I wasn’t gonna be using, but at the same time it wouldn’t affect anyone else.

In other words, he modified the program (using a hex editor to “break” the routine designed to verify user input) so that the special characters would no longer be rejected. This way, he could secretly perform SQL injection without changing the behavior of the application for anyone else. Another added bonus was that the administrators would not likely check the integrity of the helpdesk application, since there would be no obvious signs it had been tampered with.

Robert then sent his modified version of the helpdesk application to the Web server, replacing the original version. The way some people collect stamps, postcards, or matchbooks from places they’ve been, hackers sometimes keep not just the spoils of their break-ins but the code they used as well. Robert still has a binary compiled copy of the executable he created.

Since he was working from home (gutsy, and not recommended unless you want to get busted), he uploaded his “new and improved” version of the helpdesk application through a chain of proxy servers (servers that act as a mediator between a user’s computer and a computer he or she wants to access). If a user makes a request for a resource from computer A, this request is directed to the proxy server, which makes the request, gets the response from computer A, and then forwards the response to the client.

Proxy servers are typically used for accessing World Wide Web resources from inside a firewall. Robert increased his security by using several proxy servers located in different parts of the world to lessen the likelihood that he could be identified. So-called “open proxies” are commonly used like this to mask the origin of a cyber attack.

With his modified version of the helpdesk application up and running, Robert connected to the targeted site using his Internet browser. When presented with an input form requesting username and password, he launched a basic SQL injection attack, as he had planned. Under normal circumstances, once a user enters a username and password — say, “davids” and “z18M296q” — the application uses these inputs to generate a SQL statement such as the following:

select record from users where user = 'davids' and password = 'z18M296q'

If the user field and the password field match the database entries, then the user is logged in. That’s the way it’s supposed to work; Robert’s SQL injection attack went like this: In the username field, he entered

' or where password like '%--

For password, he entered the identical statement

' or where password like '%--

The application used these inputs to generate a SQL statement similar to the following:

select record from users where user = '' or where password like '%' and password = '' or where password like '%'

The element or where password like % tells SQL to return the record if the password is anything at all (the “%” is a wildcard). Finding that the password did meet this nonsense requirement, the application then accepted Robert as a legitimate user, just as if he had input authentic user credentials. It then logged him in with the credentials of the first person listed in the user database, usually an administrator. That turned out to be the case here. Robert found himself not only logged in, but logged in with administrator privileges.
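As an added illustration that is not part of the book's text, this Python script (sqlite3, with constructed sample users) puts the concatenated login query the passage describes beside a parameterized one and shows the character filter the helpdesk application relied on. The wildcard input is the passage's idea written as SQL an engine actually accepts; it is an assumption of this example, not the book's literal payload.

```python
import sqlite3

# Constructed sample table; the administrator is deliberately the first row,
# matching the text's point that a wildcard match returns the first user listed.
SAMPLE_USERS = [("admin", "Tr0ub4dor&3"), ("davids", "z18M296q")]

# The special characters the text says a careful programmer filters out.
SPECIAL_CHARS = set("'\"<>")


def open_db():
    """Return an in-memory SQLite database populated with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def has_special_chars(value):
    """The kind of validity check the helpdesk application depended on."""
    return any(ch in SPECIAL_CHARS for ch in value)


def login_concatenated(conn, user, password):
    """Login query assembled by string concatenation, as the text describes.
    Returns the matched user name or None. Injectable on purpose."""
    sql = ("SELECT user FROM users WHERE user = '" + user
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, user, password):
    """Hardened form: values are bound by the driver and never parsed as SQL,
    so this query stays safe even if the character filter is removed."""
    row = conn.execute(
        "SELECT user FROM users WHERE user = ? AND password = ?",
        (user, password),
    ).fetchone()
    return row[0] if row else None


# The text's wildcard idea as SQL an engine accepts: the OR makes the WHERE
# clause true for every row and "--" comments out the password comparison.
WILDCARD_INPUT = "' OR password LIKE '%' --"
```

With the concatenated query the wildcard input logs in as the first row (admin); the parameterized query returns nothing for it, while real credentials still work in both.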

From there, he was able to see the message of the day that an employee or other authorized user sees after successfully logging in. From a series of these messages, he gleaned information on dial-up numbers for calling into the network and, in particular, hyperlinks for adding and removing users from the VPN group under Windows. The company was using Microsoft’s VPN services, which is set up so that employees use their Windows account names and passwords to sign in. And since Robert was logged in to the helpdesk application as one of the administrators, this gave him the ability to add users to the VPN group and change user passwords for Windows accounts.

Making progress. Yet, so far, he was just logged in to an application as an administrator; that didn’t get him closer to their source code. His next goal was to gain access to their internal network through their VPN setup.

Just as a test, through the helpdesk menu he tried changing the password of what appeared to be a dormant account, and added it to the VPN users and administrator’s group — which meant that his activities would be less likely to be noticed. He figured out some details of their VPN configuration, so he could then “VPN in. This is good, but it plays a bit slowly.”

I got in at about 1:00 a.m. their time. With me being in the Australia time zone is very nice. It can be 1:00 a.m. in America, but during the working day here. I wanted to go in when I was sure the network was empty, I didn’t want anyone logged in or people to notice this. Maybe they have active reporting of everyone who’s going in. I just want to be sure.

Robert has a sense that he understands how IT and network security people work, and it’s not all that different from everyone else in the working world. “The only way for them to notice [my going online] would have been going through the logs actively.” His view of IT and security people isn’t very flattering. “People don’t read logs every morning. When you get to your desk, you sit down, have a coffee, read some Web sites of personal interest. You don’t go in and read logs and see who changed their passwords yesterday.”

One of the things he had noticed in his hacking efforts, Robert says, is that “when you change something on a site, people will either catch it right away, or they won’t catch it at all. The change I made to that Web application would have been noticed if they’d been running something like Tripwire,” he said, referring to an application that verifies the integrity of systems programs and other applications by doing a cryptographic checksum and comparing it against a table of known values.

“They would have noticed that the executable had changed.”
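A minimal version of the integrity check Robert mentions, added here as an example (it is neither the book's nor Tripwire's code): digests of every file under a directory are recorded as a baseline, and a later comparison reports which executables changed. The file names and contents in the demo are constructed for the scenario.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Cryptographic checksum of one file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each file under root (relative path) to its digest: the
    'table of known values' that later checks are compared against."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            baseline[os.path.relpath(path, root)] = sha256_file(path)
    return baseline


def check_integrity(root, baseline):
    """Compare the tree under root with a saved baseline; report changed,
    missing and new files as sorted relative paths."""
    current = build_baseline(root)
    return {
        "changed": sorted(p for p in baseline
                          if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario: baseline a web application directory, then
    overwrite the blocklist string inside one executable, same length."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "helpdesk.dll"), "wb") as fh:
        fh.write(b"header\0INVALID_CHARS='\"<>\0body")
    with open(os.path.join(root, "default.asp"), "wb") as fh:
        fh.write(b"<%= Request.Form(\"user\") %>")
    baseline = build_baseline(root)
    with open(os.path.join(root, "helpdesk.dll"), "wb") as fh:
        fh.write(b"header\0INVALID_CHARS=~~~~\0body")  # patched in place
    return check_integrity(root, baseline)
```

Because the patched file keeps its size and name, only a content digest compared against the stored baseline reveals the change; a size or timestamp check alone would not.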

At that point he felt reassured, citing the now-familiar term about “M&M security” — hard on the outside but very soft and chewy on the inside. “No one really cares if someone looks around their network because you are inside the premises. Once you’ve managed to penetrate the perimeter security, you’re pretty well home free.” (The phrase means that once an attacker is on the inside and using resources like any authorized user, it’s difficult to detect his unauthorized activity.)

He found that the account he hijacked (changed the password to) through the helpdesk application allowed him onto the network through the Microsoft VPN service. His computer was then connected to the company’s internal network, just as if he were using a computer physically plugged into the network at the company’s premises.

So far, he had been careful to do nothing that would create log entries a conscientious systems administrator might notice, and he was sailing free.

Once connected to the company’s internal network, Robert mapped Windows computer names to their IP addresses, finding machines with names like FINANCE, BACKUP2, WEB, and HELPDESK. He mapped others with people’s names, apparently the computers of individual employees. About this, he reiterated a point made by others in these pages.

When it came to names of the servers, someone in the company had a whimsical sense of humor familiar in parts of high tech. The trend started at Apple Computer in its early boom days. Steve Jobs, with his creative streak and his break-all-the-rules approach, decided that the conference rooms in the company buildings wouldn’t be called 212A or the Sixth Floor Conference Room or anything else so everyday and boring.

Instead, the rooms were named after cartoon characters in one building, movie stars in another, and so on. Robert found that the software company had done something similar with some of their servers, except that with their connection to the animation industry, the names they chose included the names of famous animation characters.

It wasn’t one of the servers with a funny name that attracted him, though. It was the one called BACKUP2. His search there produced a gem: an open network share called Johnny, where some employee had backed up a lot of his or her files. This person appeared to be someone feeling pretty comfortable and not very concerned about security.

Among the files on the directory was a copy of an Outlook personal file folder, containing copies of all saved emails. (A network share refers to a hard drive or a part of a drive that has been intentionally configured to allow access or sharing of files by others.)
