Network Jumping Leaves No Trail
Management pays me to get the evidence, neutralize those who break into sensitive systems, and then exit quietly and discreetly.
The target site hires me as regular staff. I've posed as a data input clerk, contract programmer and even a computer box cutter. I find the industrial spy, disgruntled employee or cracker from within, using my own software tricks or those they themselves have created. I make them reveal themselves, then I disappear out of the system.
But this system event was different.
It began on a sunny warm spring afternoon with a bright blue sky and just a wisp of white clouds. Not the kind of day you want to spend staring at a computer screen, surrounded by rows of beige cubicles and the sound of computer room cooling fans whirring in the background. Working outdoors with a wireless networked laptop could have been a nice compromise during my break, but the Company does not compromise.
A pager beep interrupted my break. The message was short and terse--See Jake Now. So much for a walk in the sun before returning to the grind. Jake's room was located in an obscure corner of the building near the loading dock, away from the normal traffic flow of people. A small swipe card reader on the nearby wall was the only indication that there was an office within. I swiped my ID card through the slot twice--it rarely works the first time--and entered amidst the clutter.
His office had not changed its appearance in ten years. Books, papers and abandoned software packages were in a state of disarray, piled one above the other. He called it his vertical filing scheme. He motioned to a seat, and I sat down after brushing aside an accumulation of tech support articles, system CDs and vendor demo diskettes.
"Nice job on that last Sendmail case", he said. "Let your tools do the work. Good tools. Good job."
It was not a break-in in the usual sense. The cracker had learned that system messages previously e-mailed only to the Root account would now be automatically forwarded to various Directors for their review. A competitor would pay well for those privileged reports.
He had gone into the server room on a pretense, appended his e-mail address to the file of forwarded names, saved the revision and then launched another application. The new program screen obscured the old, so the changes were no longer evident. He intended to spy at leisure. From his own office.
"A simple slip. He forgot to reset the ownership of the file", I replied.
I had been posing as a night shift computer operator. My automatic comparison program had found changes in computer configuration files and signaled the anomaly. Development is so much easier when you've got open source. He had stumbled across my electronic tripwire, part of my stock in trade.
"We have a new task for you, a bit more challenging", said Jake.
"Oh? You know I am scheduled for vacation next week..."
"Not quite yet. I want you to get Mizou."
Jake had previously told me what was commonly known about the person called Mizou. The man or woman (no one was sure) was elusive and dangerous. He or she was fluent in multiple computer operating systems and adept at dozens of dialects. Mizou knew what to retrieve, where to retrieve it and, usually, how to get it with no one being the wiser. A shell master.
If you steal a man's gold he can tell if it is gone. If you copy a file, redirect it, change its name, bury it several directories deep, pipe it to a cache area routinely replicated across network routers to a distant site, and then retrieve it later, it is not so easy to know anything is wrong. There is more to a perfect crime than just not being caught. Sometimes the victim never knows a crime has been committed.
The authorities could not easily profile this agent. What did he eat for lunch? What was the pattern? Where was the trail? He had gotten the nickname from the mascot of the school where he had first appeared. Or seemed to appear. No one really knew for sure.
There was something more.
No one knew that I was Mizou. Another week at this job, and I would have enough corporate intelligence to quietly disappear--for good.
"Where was he detected?" I asked.
"The Home Office. Go find him.
"And change your clothes. Today you are doing user support work. We must install several new machine upgrades around the building. It will provide an opportunity to snoop and not draw attention. Watch for anything unusual. Mizou might have slipped and left a clue."
He nodded and returned to his work, ignoring me. I knew it was time to leave. That's just the way he is.
I do not enjoy climbing over desks, pushing heavy furniture blocking network quad plates or snaking cables across a dusty floor. Users do not like their workspaces disrupted and consider it a violation of their personal space. Every knick-knack must be put back precisely where it belonged. Each item is often precariously balanced. So are most of our users.
The first install was a dud. The network port had not been activated. No port, no network access. No e-mail or Internet. Too bad. I swapped the old machine for a new one, plugged it in and moved on.
The next install went smoothly. Then I hit a locked office--no action. Then, one install after another. The tedium was broken up by being occasionally collared in the hallway by the inquisitive user. Sometimes their naive comments were amusing. (I want more RAM in my Megahertz! Why is this new server so stable? The old one crashed a lot.)
The Human Resource office was the final call of the day. Their manager had left behind a note asking the installer--me--to confirm that all shared drives were fully functional. I lifted and grunted and wired, and the computer was operational in a few minutes.
Check the shared drives.
Open the Y drive--it's okay, close it.
Open the P drive--it's okay, close it.
Open the M drive--it's okay, close it.
What was that? I saw a document with my name on it!
I closed the office door, opened the document and read. I would be dismissed. Tomorrow morning. For unprofessional behavior. The document implied I had connected a server to a workstation and thence to a restricted desktop. Sensitive corporate files had been compromised.
In fact, I had done so, but I also knew that there was no legal evidence. All supposition. Good network jumping leaves no trails.
I would be gone as soon as I finished this job. They were waiting for me. The only opportunity was to act now. Cut my losses and get out tonight. With a twist.
As a precaution, I had installed a simple password grabber on the development server. It was one of those older systems, less robust and less secure, but still widely popular, and it provided me with the system password. When the SysAdmin could not log in, he probably thought he had mistyped the access code, not realizing a bogus program had captured it. He would try a second time and log in, while my grabber would softly self-destruct without a trace. If I used that password now, it would grant me special control privileges. I would become the system wizard. Root. Cower before me.
I was nervous as my fingers typed across the keys.
Get to the command prompt
Start a never-ending infinite loop
Create a hidden directory
Move to that hidden directory
Repeat
Simple, compact, neat--and lethal.
Now submit the job as slash dot x. Exit. Clear screen. All traces gone.
They might fire me tomorrow, but the system would grind to a halt long before then. There would be tens of thousands of nested hidden directories, each like little boxes embedded within one another. The tree would descend lower and lower through their file structure. A Wizard Tree would do them in. The damage would be invisible, extensive and devastating. They would never know what hit them.
Let them think Mizou did it.
I scheduled the job to the input queue. It would lie dormant for hours and then trigger automatically when I was long gone. A ticking time bomb. I opened the office door and looked around. Five o'clock, quitting time--in more ways than one.
I secured the remainder of the equipment into a locked closet and changed my clothes, tucked my jacket under my arm and walked calmly toward the exit. The guard recognized me and waved me by.
"Sir, you dropped your jacket!" he called out.
I turned around.
It was a ploy.
The guard pointed his gun directly at me. His voice was firm and very steady.
"You are under arrest. The gate behind you is already locked."
It had been a hacker counter-attack, and I had taken the bait. My misplaced slash had done me in. Had I created the logic bomb without it, only one machine would have been affected. The computer would have been dead in the morning, and the Help Desk staff might have re-cloned it from the master copy without a second thought when they could not find anything obviously wrong. Their repair would have inadvertently covered my tracks.
By including the slash in the name, a top-level system directory had become the target. My mighty tree had begun too high. Jake had been waiting patiently for an unknown new job process to enter the job queue and had stopped it before it started. We had played a cat and mouse game between hacker and hacked, and we had exchanged places.
The handcuffs bit hard into my skin.
Access codes do not work well against handcuffs.
Dr. Lee Ratzan is employed as a system analyst at a health care agency in New Jersey. He teaches computer classes at Rutgers University and can be contacted at firstname.lastname@example.org.