How Hacking Team Got Hacked
The hacker who hacked Hacking Team posted a lengthy description of how he broke into the company and stole everything.
The hacker who hacked Hacking Team posted a lengthy description of how he broke into the company and stole everything.
simon • April 21, 2016 7:43 AM
If one hacker can do all that, think what the NSA and other state actors will be able to do, going forward.
Clive Robinson • April 21, 2016 9:16 AM
@ Simon,
If one hacker can do all that, think what the NSA and other state actors will be able to do, going forward.
Actualy probably not as much as you may be thinking.
Look at it this way, most of us can talk, some of us can actually sing in ways that are not reminiscent of cats mating, but few of us can sing sufficiently well to sing for two to three hours consistantly, let alone have people pay to listen. And the odds are that nobody who reads this blog can fill a football stadium with people paying $150+ for tickets.
It’s similar with hacking, you need some basic skills even to be a script kiddy, but to get into the upper end of things you need skills that we have not yet learnt to teach people. Bruce calls it “thinking hinky” others give it different names but it’s a skill I suspect people get a feel for before they can talk, and it’s there continuing outlook on life that helps them hone it into a marketable commodity.
It’s why there is a very very distinct shortage of such people available to “the man” and why the likes of the NSA and GCHQ are trying to get them as they become teens via competitions and summer schools etc.
The other problem is if you do have the skills you are not likely to be of the mentality that will want to sit at the bottom end of GS Pay scales… Thus you will do your best to be a rock star, and the drudge of GS is nowhere close to that as a career path.
We’ve seen this before. At one point in time if you had a good brain for maths, you had the choice of become a teacher, GS or academia. However “big data” opened up a new career path with pay better than any of the other paths… Google and Co for some reason don’t appear to have much trouble attracting tallent, the likes of the NSA are waving red flags at the politicos because GS is not getting even a sniff at the best of them. Fame and fortune are what most people want GS gives you neither…
M. Welinder • April 21, 2016 9:38 AM
If one hacker can do all that, think what the NSA and other state actors will be able to do, going forward.
I don’t imagine they can do a whole lot more, but I imagine they can do things a whole lot faster, especially if they are willing to reuse tools and burn zero-day exploits.
The device catalog Snowden leaked suggests they have brilliant ways of getting data out. That’s pointless here with an exiting big, fat pipe. The same catalog says they have ways to gain persistence at the router or harddisk level, but again that’s pointless here.
This hacker had audio and video from the inside, full network access, full backup access, key loggers. I guess they could have bugged the phones and the thermostats, but to what end?
thatsme • April 21, 2016 10:22 AM
that is great, but how much more dirt is under that hacking team hood is making this exploration more like trash exploration.
thiefhunter • April 21, 2016 10:44 AM
Reminds me of the story “Pickpocket Pickpockets Pickpocket Policeman.”
http://bobarno.com/thiefhunters/pickpocket-pickpockets-pickpocket-policeman/
Who? • April 21, 2016 11:33 AM
I love this attack. It is so… nineties.
Seriously, technology evolves but it has the same weaknesses as ever.
Dr. I. Needtob Athe • April 21, 2016 11:55 AM
Gizmodo says “The post is actually worth reading—it’s reasonably intelligible…”
That’s true. I totally understood some of those words.
Daniel • April 21, 2016 12:33 PM
I see another side to this. People are focusing on his skills, and fair enough, but there is also the reality that it takes time and energy to do this. Who was footing his housing and food bills while he was spending all of his time hacking? Most people can’t afford to work for free. This is true not only in pulling off the hack but also in terms of spending the time and energy to learn all the stuff in the first place.
In fact, the more I think about the more I wonder if one individual was truly behind it or if he is just the front for a larger group.
albert • April 21, 2016 12:35 PM
Fascinating stuff. I never read such detail about an exploit (though I don’t study hacking). PP mentioned an investment of 100 hours in the effort, which doesn’t seem like a lot of time, given the crown jewels prize at the end. Also, using a Windows system for company operations (in spite of developing hacking tools for Windows systems) seems to be inherently risky.
What, if anything, could they have done to better secure their system? Can they plug those already publicized leaks?
Inquiring minds want to know.
. .. . .. — ….
Rod • April 21, 2016 1:03 PM
I have a script on my server that does a ps ?? once every 15 seconds. Anything in the list that is not in a process check list file and I get an email. I also MD5 the programs in the list just to make sure that nothing has been changed. I also check the password file for any changes. This may seem somewhat primitive security, but better than nothing. The hacker did have to execute nmap and other programs that I do not run on my server. I wonder if I could package up the few lines of code in this script, add tons and tons of dummy code, and then sell it to governments and companies for millions? Why not? I am sure that it is probably already being done.
David • April 21, 2016 1:34 PM
As far as time goes — this could easily be an individual, if their estimate of time taken (100 hours) is to be believed. I know lots of people who work a full-time job, and yet still find 4+ hours a day to play video games.
Tom Kenney • April 21, 2016 1:37 PM
Also…I noticed that HT ‘gave’ him a big head start by not isolating their SAN on a separate network. That’s a BIG mistake. Were they too cheap to buy the extra hardware needed for segregation? Or did they just not have any infrastructure guys working for them?
Clive Robinson • April 21, 2016 1:50 PM
@ Rod,
I have a script on my server that does a ps ?? once every 15 seconds.
When Dave Cuttler was designibg his “better than Unix OS” for Billy boy one of the many things left out was peoper process control.
Thus under NT you could start a process that you could not see running… nor figure out how much memory it was using. One result of this was that unless you locked the memory things could get out of step and paging/swap would not work correctly and the Blue Screen of Death would result…
Any one else remember that groovy little trick that enabled you to get “system” on a windows box by starting a command shell through it’s equivalent of cron? A mistake that had been fixed in Unix a couple of decades earlier…
Many of the early security faults with unix turned up in NT one way or another, but usually took way way longer to fix. Eventually Billy Boy realised enough was enough and had a spring clean when it came to security.
@Rod,
/proc hacking ring a bell?
Maybe memory parasitism? Process injection?
There’s so much fun to be had with a person’s thoughts… altering a live process is really no different than forcibly changing one’s mind. You can force people to rob banks through kidnapping and extortion. Some of the most heinous crimes are committed through the ephemeral forms of trespass and manipulation.
I had a thought yesterday that at least UEFI can prevent a forced triple fault to a hijacked MBR/bs.
One bit of advice, remove the Linux kernel headers source from your system if it’s there… It can be used to build interfaces back into your subsystem.
Different versions of Linux have different parameters for kernel calls, removing it should limit options for ad-hoc rootkit level persistence.
But you weren’t scanning for rootkits anyways, just typical Windows style binaries.
In the 90s some of us payed attention to the memory footprint of binaries while loaded, if the known case wasn’t matched there was an in-memory parasite. It can be beaten with forgery (rootkit) and compression/overlays or direct overwriting but you get the idea.
@all,
Is that right guys?
Tom Kenney • April 21, 2016 2:04 PM
@Clive re: Cutler
IIRC, that was one of a few things that Cutler was forced to do to meet MS’ unrealistic timeline for NT. Another was mapping I/O buffers to virtual memory, so you can cause multiplication of disk I/O by attempting to perform disk I/O. WTF?!?!?
Tom Kenney • April 21, 2016 2:06 PM
@me above:
Forgot to mention…longtime VMS user, so a big fan of Cutler’s earlier works! 🙂
Clive Robinson • April 21, 2016 2:10 PM
@ Tom Kenny,
Were they too cheap to buy the extra hardware needed for segregation?
Possibly, but don’t forget the ego thing… The considered themselves “Masters,of the Universe” in their field of endevor… Such egotism is often narcissistic, which means they probably did not even think about it.
The correct mental attitude is “What have I missed?” that you often find in engineers building safety critical systems.
The problem is, having designed both safety critical and secure equipment I know that hard as safety critical design is –and it’s very hard– it’s a stroll in the park compared to security engineering 🙁
The reason, in safety critical design you can work with probability in your favour. Whereas in security engineering you have to assume that you have not nature but an evil entity against you who knows as much if not more than you do…
Andrew • April 21, 2016 2:23 PM
Also a nice lecture for people having a false sense of security by thinking that encryption protects everything (see Truecrypt paragraph).
System can be compromised far easier with a keylogger/admin hash and data can be ex-filtrated while volume is mounted.
@Clive Robinson
It’s why there is a very very distinct shortage of such people available to “the man” and why the likes of the NSA and GCHQ are trying to get them as they become teens via competitions and summer schools etc.
The other problem is if you do have the skills you are not likely to be of the mentality that will want to sit at the bottom end of GS Pay scales… Thus you will do your best to be a rock star, and the drudge of GS is nowhere close to that as a career path.
I think you are romanticizing the typical hacker, no matter his actual skills, and what he would perceive as “cool” or not.
I also think you are greatly underestimating how much resources and project management plays a role in nation states ability to conduct cyber offense operations.
Also:
Possibly, but don’t forget the ego thing… The considered themselves “Masters,of the Universe” in their field of endevor… Such egotism is often narcissistic, which means they probably did not even think about it.
Read the paper author very honest conclusion: he used 100 hours to hack a company that probably spent millions in its security. This is ridiculously low, but not surprising: hacking systems is waaaaay easier in term of time and ressources needed than designing secure systems. It’s easy after the fact to identify the key vulnerability that shouldn’t have been there, but that’s a post-factor observation. In practice, the defense needs to mitigate ALL potential vulnerabilities. This is why it costs so much, and why it’s so easy to make a mistake.
Nick P • April 21, 2016 3:20 PM
@ Bruce
It was a great writeup with detailed references. One reference, which might be misdirection, was to an Italian police attack on a school described here. I was shocked I didn’t see it on the media I watched at the time and didn’t find out until recently. It’s one of the most fucked up things I’ve read in the country post-2000. One commenter on HN that claimed to be there listening to the protests live said you heard people talking, then cops show up, then a solid 20 minutes of screaming/begging, silence, and then sirens/ambulances. Make Abu Ghraib look like they had kiddie gloves on. Basically they’re all free too due to corrupt government.
Unreal…
Jim • April 21, 2016 3:28 PM
@r, @all
is that right?
I believe one person could have done it. You are also correct, they could have automatically hacked him back. He may not have been aware of that. He says nothing about testing his malware against their AV to ensure it would not be caught. Maybe they were using heuristics. Maybe they have other security systems which could have caught him. Likely, they just did not. He was lucky. These things never even occured to him.
Or, he was an insider and already was confident on what defensive systems they employ.
Any details he gives about his own background could include false clues. For instance, he may not be Spanish. He may work at one of those types of places he condemns.
He even mentions in the article that throwing out “false clues” is under his awareness as best practice.
He is very confident he will not be caught. But, this is because he is getting off on taunting behavior. Therefore, his confidence is misplaced.
The more he talks, the more clues he gives. And if his false clues are figured out, those give information about him.
If this was the work of one individual, he has put far more then a mere 100 hours into this, as getting to understand how to work your way around Windows networks clandestinely requires a lot of experience and knowledge.
Knowing how to find zero day vulnerabilities in major vendor products is a very time consuming education.
He was correct, targeting the router was his best chance to break it. So, he is an experienced security bug finder.
He was also correct on employment opportunities in the field. People outside this field do not understand that. He knows it. So, he has worked in that field, and maybe still does. He also knows people in that field. Because that is how he would define employment opportunities.
Hacking his way inside the router is not that much level of effort in terms of past experience. He clearly already had router hacking knowledge. That is how he knew that was the best choice.
It is rare for people to study that, but it is not such difficult material to study these days because of openwrt and play tools like the pineapple.
If he had the tools already ready, that would not count into his time estimate. That would take a lot of time to get ready. Even though he does not claim to have recon’d their security systems. Which could have been anything.
As for time in a day, security folks with those skills often have such time in the day. Many of their jobs available as effectively retainer jobs. They want you around for when they need your expertise. Because their client may need a certain type of vulnerability in the future.
The insider angle, he belies by hacking another group gamma. But, he may have been an insider at either group. Or they are just “like” a group he has worked with where he felt his skills were not appreciated.
It could be a nation state team.
But they would have little value for posting all of their information online. It would be more valuable to keep it and use it. As hacking group effectively targets a lot of countries.
Maybe some organization wanted to just shut them down. Mission accomplished.
That seems like a less likely motive, but it is possible.
Nick P • April 21, 2016 3:34 PM
@ Tom Kenney
In case you didn’t know, a company actually licensed OpenVMS from HP to resurrect it. Page is here. They’re porting it to Xeon right now. I also found this nice guide to disaster prevention/recovery in IT infrastructure with OpenVMS focus. I’m keeping it as it’s still relevant outside OpenVMS and free. However, I posted it on Hacker News as a counterpoint to Dropbox team trying to justify a whole service outage due to networking issues in a single site. Shit that just… didn’t happen with 80’s or 90’s era VMS clusters. 🙂
Tom Kenney • April 21, 2016 3:51 PM
@Nick P re: VMS
(…giggles internally with giddy nostalgia…) Thanks! That’s very interesting news.
Anyway, sorry @all, didn’t intend to hijack the thread with VMS reminiscence.
Clive Robinson • April 21, 2016 4:10 PM
@ Z,
I think you are romanticizing the typical hacker, no matter his actual skills…
No I don’t think so as I said ” Fame and fortune are what most people want GS gives you neither…” it’s the human condition to be recognised and rewarded for talent. GS is often seen not for those but job security and comfortable pension, which the likes of Trump want to cull.
As for,
I also think you are greatly underestimating how much resources and project management plays a role
It does not matter how big your stack of cash, or how well your project managment team can rearange the deck chairs, you still need domain experts to actually get the work done.
For some reason I can never understand, people always think project managers must be technical domain experts in some way thus also be technical leads. Trust me when I say a project manager has no need to know anything technical about a task. I’ve been a project manager on jobs I’ve little or no domain expertise on and the only thing I actually needed technical input on was sanity checking time estimates and risk, the rest was the same old horse trading to get what resources there were in place at the right time, and holding managers feet to the fire when they were not delivering on what they had promised.
Read the paper author very honest conclusion: he used 100 hours to hack a company that probably spent millions in its security.
I read the paper and the point ‘he’ made was the Sysadmin being as normal the very weak link, by having his PC connected to every network including the Internet… Not exactly a very bright thing to do, after all what price another PC or two?. So I very much doubt they spent millions on security, or anything even remotely close to that. The paper makes HT sound like a man and a dog software startup company, not a security organisation. The author even indicates they were overly –and as it turns out needlessly– cautious in their approach expecting there to be rather more security than was actually there. As for the hundred hours you not they mention replacing firmware on a device and actually testing it thoroughly else where, this probably took up a large chunk of that time….
Nick P • April 21, 2016 4:23 PM
@ Tom
We try to stay on topic but a brief detour on VMS wasn’t bad. The advice and design that came with that style of system and administration might have prevented the hack. I say might as many points of attack exist. We’ll drop it at this point, though.
@Jim, all
Good breakdown, I completely agree that one person could’ve pulled that off (my romantic?/biased view aside) with or without as you say ‘help’. In my opinion most of the people in the software world are standing on giants and I fully believe 100 hours more or less to be reasonable for a somewhat connected individual because to me the r/e and PoC types are of the artisan class: they thoroughly enjoy flexing the one muscle they actively use (creativity) and are always up to a challenge in their free time. I don’t think Clive, Bruce, Wael or Nick P. shy away from a good puzzle, do any of you? This is why segregation and RBAC are a must at a minimum. It’s not rocket science and with current trends things are only getting easier as the black arts are unmasked for public and corporate consumption. It’s going to take a while, but the best offense is a good defense and at least with so much effort in the public light and maybe a little friendly legislation we can begin to see secure programming and systems start being deployed.
Also remember Gamma Group/finfisher was hacked too (2014).
http://www.zdnet.com/article/top-govt-spyware-company-hacked-gammas-finfisher-leaked/
A complete exfiltration of that system was prevented either by encryption or a lack of time/patience on the attackers part. So it is possible to be a small shop, high profile target and still reasonably prepared for these risks; TLA’s aside ofc.
Am I rereading that pastebin wrong? Is the author claiming knowledge/responsibility for the Gamma Group hack too?
The reason why this isn’t a TLA is because the technology would’ve been appropriated silently and then repurposed or cannibalized… Certainly not exposed publicly to reduce efficacy. It also illustrates that this wasn’t a typical criminal organization too, it could still be a competing group I believe though. The groups seemingly operating out of China are great examples of malware repurposing and reuse, the United States probably already had every exploit in their database and by pushing them into public domain they force the vendors to close the holes.
So… not competing company, not gov, not criminal org (thugs, legality aside)… Small group or individual with special interest and resources/talent.
Examining hackback 1 & 2, I don’t think he’s Spanish at all.
Assuming the same author in hb1 point 5) I see only an omitted ‘a’. He seems to be reasonably good at English including using sayings.
Hb2 link is down again, sorry all I have is a mobile Firefox PDF from the initial post.
lurker • April 21, 2016 11:10 PM
@Clive Robinson
It's similar with hacking, you need some basic skills even to be a script kiddy, but to get into the upper end of things you need skills that we have not yet learnt to teach people.
While that may have been true many years ago, I think the problem today is that teaching this sort of trade is illegal thanks in large part to the DMCA (1998) and the CFAA (1986).
The DMCA has provisions that makes merely owning tools that circumvent DRM illegal and the CFAA has this provision:
"having knowingly accessed a computer without authorization or exceeding authorized access"
which in today’s environment has the potential for abuse since manufacturers feel you don’t own the software on the chip (eg: phones) so hacking it even for educational purposes is risky.
Bill B • April 22, 2016 2:04 AM
@rod certainly what you are doing doesn’t hurt.
But keep in mind:
* before a machine is compromised you are likely just to see a spike in packets or CPU usage as a race condition is being one or a buffer overflow explored.
* After a machine is compromised it’s not likely to be show up in ps in any noticeable way. Sure a bash shell might load for 0.1 seconds or something.
* Attackers are very aware that changing disk state is noticeable and stick to memory as much as possible
* md5sum of the filesystem doesn’t do much, if compromised md5sum will return the same values (read file returns normal results), but the exec on the same file will used the compromised version
* changes to /etc/passwd or /etc/shadow is pretty rare these days. Much nicer to have a tweaked /usr/sbin/sshd or similar.
* It’s fairly common to sit in memory and wait for an update/patch/change and then piggyback on those changes.
* Hackers are well aware which parts of the filesystem change too quickly to track (cookies, browser caches, /tmp, package metadata, etc), swap partition, etc.
* It’s not hard to shrink say swap by a few % and use that to minimize noticeable changes.
* I’ve not noticed this yet, but systemd seems like an ideal place to persist, it’s large, complex, and once compromised you are pretty much doomed. It’s running before anything else, and now actually can talk to the network before anything else is even exec’d.
Clive Robinson • April 22, 2016 3:25 AM
@ Lurker,
which in today’s environment has the potential for abuse since manufacturers feel you don’t own the software on the chip.
It’s not just the chip, atleast one vehicle manufacture has claimed that it applies to the whole vehicle –a tractor– and thus it would be illegal for anyone appart from themselves to make changes, such as say making an adaptor for their “custom” PTO fitting such that it can be used with existing or other manufacturers equipment…
Inkjet printer manufacturers have likewised claimed the DMCA protects their cartridges, so refilling them is a crime… In the EU various legal people apprised them of the EU recycling legislation –that is the model for many non US aligned nations inclusing China– and said that the DMCA is not applicable outside of US juresdictional waters. Which might account for their intense support and lobbying for Obamas Trade Treaties with their exceptionaly dangerous Inter State Conflict Resolution clause, that in effect gives bad US legislation supremacy over other nations soverign law…
But the worst aspect by far is the abuse that Obama has sanctioned that the DOJ can use both pieces of legislation to give “little fish” citizens extrodinarly disproportionate punitive judgment, whilst letting “big fish” corporates off of any abuse they might inflict on others. It used to be the norm that criminal punishment was kept out of contractual disegreement, and that terms in contracts be not just fair but free of the likes of compulsion and traction. Now corporates are free to pursue criminal prosecution on what is in effect a whim, whilst citizens have not just no equitable redress but no redress. Thus many years of “fair use” “first sale doctrine” and “ownership rights” are gone, and replaced with the “Might is right” argument of rent squatting corporates pushing a doctorrine of “we say you are a criminal thus you shall rot as an example for others to fear”. Jeremy Bentham would have been mortified by the way his Panoptican idea has been perverted from that of “correction of criminals” to that of “corruption of society”.
It can fairly easily be shown that such moral degradation is as a result of “The market knows best” lunacy that alows profit to be diverted to the purchasing of legislation by nest feathering politicos and their cronies.
John • April 22, 2016 5:15 AM
Isn’t it time for SQUID FRIDAY?
Clive Robinson • April 22, 2016 6:32 AM
@ John,
Isn’t it time for SQUID FRIDAY?
Not yet.
Bruce sort of has a convention, that he posts a regular security post every morning (US time, late lunch UK time) Mon-Fri, and on a number of days if there is sufficient of interest in the news etc a second post in the afternoon.
On Fridays the Squid page is the last post of the day, which would be afternoon on a single post day and late afternoon / early evening on a two post day.
Exceptionaly there may be a high ibterest / very news worth post at the weekend.
However Bruce for all our jokes otherwise is human and can suffer from jet lag, illnesses and even the odd day off etc. Thus he may post at other times.
But as the old saying has it “A watched pot never boils” so go away for a couple of hours to do something else and drop by later.
As the terrible advert in the UK has it “Simples”.
Show Me The Money! • April 22, 2016 10:30 AM
The Money Shot from our hacker friend:
1) Encrypt your hard disk
I guess when the police arrive to seize your computer, it means you’ve already made a lot of mistakes, but it’s better to be safe.
2) Use a virtual machine with all traffic routed through Tor
This accomplishes two things. First, all your traffic is anonymized through Tor. Second, keeping your personal life and your hacking on separate computers helps you not to mix them by accident.
You can use projects like Whonix, Tails, Qubes TorVM, or something custom.
3) (Optional) Don’t connect directly to Tor
Tor isn’t a panacea. They can correlate the times you’re connected to Tor with the times your hacker handle is active. Also, there have been successful attacks against Tor. You can connect to Tor using other peoples’ wifi. Wifislax is a linux distro with a lot of tools for cracking wifi. Another option is to connect to a VPN or a bridge node before Tor, but that’s less secure because they can still correlate the hacker’s activity with your house’s internet activity (this was used as evidence against Jeremy Hammond).
Me So Horny. Now if our friend will only hack Greenwald so we can get all the NSA docs dumped before 2050. Bloody celebrity journalists milking this shit for all it’s worth…….
Jim • April 22, 2016 11:53 AM
@r, @attribution
I would not throw any possibility away.
It is very possible this could have been a group effort.
It could be a setup of bona fides for someone, for instance. He puts there an email address to communicate with him on. He could go around hacker circles and use those bona fides to gain trust.
Usually when law enforcement does that, they fake the crimes they do. Or they are petty crimes they have some jurisdiction over in the first place. Hacking Team and Gamma are real groups. If they are not, then they were setup to dig into the market. Which would have value.
In most ways this would play out, no criminal case would come directly from such work. Instead, intelligence would be gathered and other people’s bona fides riding on his bona fides. Networks would be set up, and targets searched for, found, and focused on.
If you think every company out there, regardless of how authentic and “not government” it may appear is “for real”, you would be very mistaken. The same is true for individuals.
Usually, this is easiest done simply by piggybacking authentic companies, such as having one team or one division, that just happens to be undercover Someone Else.
Someone could say, “but they helped these bad actors”. You have to have legitimate traffic of some kind to sustain a cover.
If these companies did not help those bad actors, someone else would have.
Bona fides are difficult to get and are very powerful. That is what you have to do to get access to upper level folks. Lower level folks don’t have much of a bar for trust. You just have to agree with them on their beliefs.
You can become a friend with anyone just by figuring out what their preferences are and then reflecting them. They will believe whatever you say, if you know what they want to believe.
But to get more powerful people, you have to have those bona fides to really get into their confidence.
They know what they look like.
You can’t get close to a major drug supplier, and get them to see you as equals or superiors, unless you have those bona fides that you are as accomplished as they are.
For instance.
Lower level folks do not even know what bona fides really look like.
Higher level folks know all about it. It is a core part of their social language. Does not matter if they are a nuclear scientist or seasoned security researcher. If they are extremely wealthy or if they are very good at car mechanics. They know the language their experience and accomplishments have given them, and they use that to figure out if people are equals or superiors or less.
They use it to gauge how they should trust the person.
If this guy is an individual, then he is certainly an ex-security researcher. He certainly would have worked at an organization “like” gamma or hacking team. If he did not work directly there. He attacked what he was comfortable with. He attacked a strawman of his anger.
He is not so impatient to have just hacked anywhere. He is very up on security news and trends, and that at a high level. He was able to organize the trends into meaningful data points.
For instance, he could point out that phishing is the way in. He was able to assess he did not feel comfortable with phishing for this type of target. He was able to point out where most in the field with his level of expertise worked, and he did so very succinctly.
He was aware of the fact that the router vendor had not yet fixed the bug, and that it would be bad professional practice to release details prematurely.
He was willing to wait about a year before releasing details, which speaks to his likely age. He is older, probably in the 30-50 range.
He really did not gloat in many ways he could. He could have overplayed his own expertise and underplayed theirs. Usually more junior folks do that, being relatively noob, and not having much seasoned experience with the realities of the other side of security.
He carefully kept track of his hours. He wrote a very polished report.
All of that speaks of an advanced security researcher who worked for a consultancy.
Navigating the windows network, doing the recon, recompiling some attack binaries… none of that is what defines him. Those are relatively low bar achievements.
What defines him is he was able to find zero day in just about any application. His description of how he saw his limited choices and made his choice, that was describing his confidence. He knew he could break any of the choices before him, and made an assessment on which would have taken the least time. He was confident in his assessment and confident he could break any of the possible choices.
There really just are not all that many who can do that. That is a much more rarefied sector of computer security.
It is actually really difficult to be able to do that. That is equivalent to him not just being a doctor, but a heart surgeon.
He is narcissistic, however. He believes he can write a whole lot, and won’t give away any damning clues, or open any doors to his vulnerabilities. He even left an email open for people to contact him with.
This says he thinks he is really smart. And he is getting off on it.
He did not make a very persuasive case for “raising the troops”. He could have. I really do not find his “just cause” or “anti-‘The Man'” sentiments authentic or deep. He did not come off as if he was a True Believer.
Someone who is a True Believer would have gone on and on and on about the ‘how’s’ and ‘why’s’ of their belief system. Here he is, he has the stage, he would say something that “needs to be said”. And what he said was really light and generic. It could fit all sorts of belief systems.
Such sentiments probably are loosely held by him to tell himself he is not doing this merely because he is indirectly responding to people in his past.
Some group like gamma or hacking team probably made him feel bad, powerless. And this is his way of saying he is powerful and better then them.
Nobody is shedding a tear because either group was hacked. They certainly richly deserved to be. If those who do bad deserve to have that very same bad done back to them.
But being motivated enough to really do that is something else.
There a lot of evil in the world, so not like those groups stick out to anyone not intimate with that kind of group.
And normally, activists attempt to focus on lawful messages. That way they can make themselves accessible and continue to push the message. Nevermind that the whole problem is you do not fight fire with fire.
Jim Morganson • April 22, 2016 12:29 PM
@Clive Robinson, @discussion on sec researchers
Many true and good points there. I lol’d at the pay grade statement.
DMCA, security researchers have a caveat for. You can be in app sec, you can work at a consultancy, you can be a bug finder. You certainly do have a legal right to own and use those tools.
If this was the work of an individual, my potentially disparaging remarks above, aside, he would be on the very elite scale of things. That is what really strikes him out as so different for me. That is your equivalent of Navy Seal or British SBS/SAS. Brain or heart surgeon.
Contrast to Sabu. Sabu was a low level consultant who could just find zero day in web applications. That is very junior work.
Contrast to Jester. Jester has performed some clever tricks, like inserting a web bug into a major post to detect his readership. But, his work has been largely very low level. He has shown some beginner level coding skills.
A lot more politics and BS with those sorts then actual time spent working, training.
This guy, he is like a friggin Agent 47. He did everything himself, and he did it very well.
I have socialized among security researchers. Because I have had the bona fides. Once you have those, they come to you.
But it is also easy to immediately get deep rapport when you plausibly have them and can quickly prove it.
Fame and fortune, a lot do go for. You see those mostly hitting security conferences on a regular basis. It is for both.
But, there are also a lot of security researchers who are extremely secretive. They know just how bad things are, and play as if they are not the only ones.
There are, however, much better tracks they could take for fortune. So, there is more to it then just that. Usually, these are folks who, as you intimate, just think certain ways which are different. They find themselves talented at this, and it is fun.
For them.
Because they are good at it.
I rarely meet any, however, or rarely have met any, who have any kind of saccharine laced political belief system. They tend to be much more cynical and down to earth then that.
Also, as they are really researchers, they don’t tend to buy easily into badly sourced material that comprises extreme political beliefs.
In order to learn and figure out all sorts of technical mysteries, you have to be very accurate in your research. That is a large part of what they do.
That is not the hallmark of extreme political belief systems. The very opposite of it.
Nick P • April 22, 2016 12:37 PM
@ Jim
Many on Hacker News in pentesting and I got the opposite impression: he’s doing what any skilled pentester could do. It’s all straight-forward stuff you’d see in Red Team exercises or even a CEH certification. The one exception is finding the flaw in the router or whatever it was. That means he has reverse engineering skills on top of regular hacking skills. So, a bit more skilled than most but nothing elite or anything.
If anything, Hacking Team is special for being a company focused on hacking but obviously not doing a single, pen-test on their own security. Especially funny given the value of the I.P. and secrets they protect.
Jake • April 22, 2016 12:57 PM
I’m a bit skeptical about this story. I mean how do you so easily find 0days in a router? Sure there are vulnerabilities in some models, but this isn’t automatic. Also, references that he included are basic guides to metasploit and known command injection through web interface.
Finally, it seems odd that no vendors are mentioned, but it is said that vulns are still unpatched. This is hardly responsible. It’s also hard to believe that someone runs a router web interface on the internet. Ssh is more likely, and there are only brute force attacks against that.
Jim Morganson • April 22, 2016 1:36 PM
@Nick P
I loved the old HackerNews, but that was by Count Zero. 🙂
Not saying there are not good security people there. I run across some of those posts, from time to time. Some are very good.
I agree that the other stuff is not very high bar, and said as much. Though, there is a big difference between some noob doing network security penetration tests and someone who worked in CND in the military for eight years.
If you were starting a research team, as a manager, where the task was to find security vulnerabilities in every manner of product… would you hire someone who has never done that before? And would you consider how often they have done that, and how well?
I know I would.
And finding someone with that skillset is very difficult to do.
Finding some noob in the field who has found and published some vulnerabilities in some rarely used products by a minor vendor, is one thing.
Finding someone who has a long list of major applications with extensive security which they found critical vulnerabilities is something else altogether.
I do believe that is exactly the sort this guy is. I think had he not had one of the embedded systems to target, he could have targeted Joomla. And I think he could have honed in and successfully found a critical vulnerability in any of the other systems. None of which was likely to have been some crap product.
Circumstantial evidence. Hearsay. But he did implicitly express professional confidence and approach in his description of his targeting the systems for finding zero day.
That is really hard to fake.
You might believe such security researchers are a dime a dozen, but that is certainly not the case. And it is far, far harder to do. I very often see those in security, but not in that area, make other assumptions. But, they could never do it.
It seems easy enough. So, if you have never done it, I could see thinking it is so easy.
As for Hacking Team, I don’t disagree with Clive Robinson, that they are narcissistic, lol. This is common, however, for security consultancies, security vendors, and so on. To be focused too much on their own awesomeness, and other people’s products. And not be pointing those uncanny eyes of insight back right onto their own.
They did tap down a lot of ingress points, but it does sound like they had extremely poor segmentation, as some others pointed out. It certainly looks like they had very poor defense against zero day vulnerabilities and zero day attacks in general.
You can buy that COTS these days, so no excuse there.
So, yeah, I would hear out someone who wants to de-anonymize themselves and link to their resume about how they know all about finding significant zero day.
But, either they have, or they haven’t.
Might as well be claiming to be Navy Seals or British SBS, online, lol.
Like this guy:
http://www.rollingstone.com/politics/news/the-rise-and-fall-of-a-fox-news-fraud-20160126
No, he never worked for the CIA, and it took two seconds for a real CIA case officer to figure that out.
Ben Morganson • April 22, 2016 2:09 PM
@Jake
I’m a bit skeptical about this story. I mean how do you so easily find 0days in a router? Sure there are vulnerabilities in some models, but this isn’t automatic. Also, references that he included are basic guides to metasploit and known command injection through web interface.
Finally, it seems odd that no vendors are mentioned, but it is said that vulns are still unpatched. This is hardly responsible. It’s also hard to believe that someone runs a router web interface on the internet. Ssh is more likely, and there are only brute force attacks against that
He’s a professional security researcher, is how. That is what defines him.
I would not be surprised if they left a web interface open. But, there were some other devices he could have targeted instead.
From some other details, it sounded like he got on the router. But, that is not sure.
They may have used the same credentials as what he would have found on the other embedded system.
He actually is being a responsible discloser. He did not disclose the vulnerability. Who but a security researcher would do that.
He did not even name the vendor or model.
Some of that may have been because he is relying on the security vulnerability he found. Maybe that is his only true motive for doing it. But, he did describe he was cognizant of the responsible disclosure path.
It isn’t like he targeted a human rights group, either.
He probably has some principles.
His writing and general approach expressed in writing does show someone who has strict principles of some kind.
As he was very disciplined about the presentation of details.
Which shows he was keeping a variety of organized frameworks in his head, and sticking to them.
None of this means that he did not throw in substantial “false clues”. He surely would have done this. Though, what law enforcement agency would put much time on gunning for a vigilante.
Problem is, he probably is doing other stuff that is driven more from his sense of powerlessness.
Not saying I believe it was necessarily a ‘one person job’, and this could not be a very clever and amusing cover for a very sophisticated operation.
Just taking it at surface value.
Ben Morganson • April 22, 2016 4:10 PM
@Jake
I forgot to mention:
So, you have a router with only one ingress point and that is SSH. What do you do. 🙂
And this is what he was talking about, was my take, in finding a bug in the firmware. So, you know the model you know the make, you buy it and then shell in there and pull it out.
You also do this so you have a safe environment to craft your exploit code.
So, you have no source for the firmware, you have to work at it in asm.
Now, there is another ingress point for a router.
That is all that traffic it is routing. And all of that includes a lot of source for processing that. In that processing is where the bug would be found.
End up with an attack like you send a single poison packet, and boom, you are in. Exploited a stack based buffer overflow.
There are quite a number of such vulnerabilities which have been found in routers, stretching back to the 90s.
Jake • April 22, 2016 8:44 PM
Fine, he is a professional security researcher and I am a professinal scientist. So, I’m used to concrete conversations, not vague philosophy, and
always ask to show the math…
“Found a 0day exploit in an embedded device” is hardly detailed (and at least naming it is responsible). Here is a practical question: I maintain multiple machine both at home and at work with internet-visible SSH. I’d really love to know if it’s possible to work some magic and somehow break in. I couldn’t find such way so far…
@nick p,
Sorry gotta retype this… Low memory phone (no swap?)
Sooooo… reverse engineering is no longer a prerequisite for being a hacker? So CS/IT/IS courses really are just teaching punters these days… No CRACKMEs-101? Sad.
That would explain why when I did that sit-in at a ‘hackathon’ (mislabeled?) sixish months back the professor asked me what a reverse engineer was.
My response? “Not a hacker, that’s for sure.”. Good to know I have the right response.
Maybe he would’ve understood if I replied “international arms dealer” ??? JOKING, of course but on a more serious note…
https://www.digitalbond.com/blog/2013/10/22/call-yourself-a-hacker-lose-your-4th-amendment-rights/
Lo, the shame.
@Jake,
As a scientist… If you were a biochemist and discovered a clean burning fuel would you publish the recipe for the good of humanity or find a way to market it?
If you were a geneticist and re engineered w a crispr(?) an ssrna virus to cure some high profile disease would you patent it or go open source?
I’d public domain alot of things but he may have an advantage for the meantime and then there’s also the issues of both national and public security. Hopefully he let the vendor know at least but who knows it might be squandered and you can almost bet if it’s both new and novel somebody somewhere saw it when he used it… Unless it was wirelessly exploitable.
Anon10 • April 22, 2016 11:32 PM
@Clive
You bring up an interesting point on government recruitment. However, the government can offer one job that Google can’t: the freedom to legally hack other people’s systems. Sure, there are jobs in red teaming. However, those are usually very constrained and artificial either because the client doesn’t really trust the red team, doesn’t want to do anything that could jeopardize actual business operations, are afraid that any exploits created by the red team would end up exploited by others, or are more interested in cost cutting than security and don’t want to know about vulnerabilities that are costly to fix or mitigate.
Jake • April 23, 2016 12:09 AM
@r:
Well, regardless of what I did, I would need to provide an evidence that the process is reproducible. So, in this case, I don’t ask for a working exploit, but at least some description. Otherwise, I consider this guy an insider who simply leaked material he had access to, and then came up with a romantic fairy tale.
Ben Morganson • April 23, 2016 1:40 AM
@Jake
Fine, he is a professional security researcher and I am a professinal scientist. So, I’m used to concrete conversations, not vague philosophy, and
always ask to show the math…
“Found a 0day exploit in an embedded device” is hardly detailed (and at least naming it _is_ responsible). Here is a practical question: I maintain multiple machine both at home and at work with internet-visible SSH. I’d really love to know if it’s possible to work some magic and somehow break in. I couldn’t find such way so far…
Like I noted, you can search out router bugs published in the past. Most of these do enter through some external service, typically the web interface.
That kind of router bug is much, much easier to find then one in the network processing.
I do not believe, however, he could have found such a router bug in two days.
So, either it was through the web interface of the router, or it would have been in one of the other embedded systems.
I couldn’t find such way so far…
I am not sure what you mean. You mean you are a scientist but want to learn how to find security vulnerabilities in your routers?
Your best start is to go and read every router bug ever published. Be sure you have the original disclosure paper.
Finding a network traffic handling security issue in an embedded device you do not have source code for is far from an easy task.
You will have to find network traffic handling areas of the code, and there look for security vulnerabilities in the disassembled assembly language. You likely won’t be sure, so you will need a custom fuzzer to help in testing.
Your best bet would be to start out with an openwrt and using the source code to try and see where network traffic is being processed. Then, dig in there to start finding security vulnerabilities.
How do you find security vulnerabilities in source code?
Or in disassembled assembly? (And remember, it probably won’t be an intel processor, in case that is where you are most practiced at coding in assembly.)
Those would be your research starting points.
Ben Morganson • April 23, 2016 2:00 AM
@r
you can almost bet if it’s both new and novel somebody somewhere saw it when he used it… Unless it was wirelessly exploitable.
Government is big on hacking routers, so they may already know all the security vulnerabilities in the major systems.
They could have detected that way.
Zero day detection systems have come a long way. But, there is no way to catch all zero day attacks from just the wire. Especially without limited context which COTS zero day protection systems focus on. For instance, a system designed to detect behind the perimeter hacker behavior on the wire. That is a very limited context. It is relatively fixed.
To detect the fraud, the malicious exploit, you would have to be up with what is normal. Both the latest normal, and the average, and the legacy. For all types of protocols. Then, you can start to look for the exceptional.
I just really don’t think anyone anywhere is close yet, at least, if the limited context is removed and you are talking about anything unencrypted coming across the national perimeter.
Clive Robinson • April 23, 2016 6:18 AM
@ Abon10,
However, the government can offer one job that Google can’t: the freedom to legally hack other people’s systems.
Nope they most certainly can not do that…
All they can actually offer is that their branch of Gov won’t prosecute you, and that they will try and sheild you from other prosecutions and civil actions.
As an example of the way it works, the US Gov are prosecuting in their abscence various foreign nationals and seriously exprect the Chinise Gov to hand them over…
Russia on the other hand, have laws about extrajudicial punishment, upto and including execution.
Russia has actually used those laws to send a hit team to the UK and execute someone (look up Polonium 210).
The US has sent a drone to execute an alledged hacker, and there were collateral casualties…
As the US has started this stupidity because they assume there brass ones are steel, sooner or later they will find that some other nation has titanium ones and will up the stakes in the pi55ing contest the US has rather stupidly started…
And remember even in the US LEO’s and other Fed employees are not immune from civil action, if someone decided to push it hard enough, and sooner or later someone will and prove the point brass is realy quite soft.
@Clive,
I wasn’t aware of the extra national executions… But what you say is kind’ve curious considering the statements behind the annexation of Crimea.
@Clive,
I wasn’t aware of the extra national executions… But what you say is kind’ve curious considering the statements behind the annexation of Crimea.
We do know now that killing US citizens abroad is current practice so o guess either way there’s precedent.
Jake • April 23, 2016 11:03 AM
@Ben:
“I am not sure what you mean. You mean you are a scientist but want to learn how to find security vulnerabilities in your routers?
Your best start is to go and read every router bug ever published. Be sure you have the original disclosure paper.”
I have only practical interest in finding said vulnerabilities. The problem is that… none of the published bugs apply to us, because when I say router, I really mean a multihomed archlinux or a rhel box, not a bastardized openwrt (do they have pkg signing yet, btw). No web interface. So, none of the issues those guys mention at devttyS0.com apply. From the story I figured, all it takes to get into our network, is a dedicated lone hacked with backtrack Linux DVD. But I can hardly believe that I have exploitable 0days.
Phishing one of the users might work, but tho is hardly hacking…
Anon10 • April 23, 2016 11:46 AM
@Clive
I think it’s implied when you say something is legal that you mean it’s legal in a particular jurisdiction. I really doubt China is going to hand over PLA members to the US for extradition. Litvinenko was a Russian citizen and former FSB, so isn’t really a comparable situation to someone working for GCHQ.
Ben Morganson • April 23, 2016 2:19 PM
@Anon10
To do anything really interesting is very rare in government. It is extremely difficult to get there. You have to be very talented and able to do things no one else can do, and you have to be able to handle the mind bending stress.
The very best jobs you really have to be born into.
Otherwise, the environment can be even more strict then in corporate.
And a lot of the most interesting jobs? Will be in corporate. Whether you are working for a hush-hush defence contractor, or whether you are working undercover.
In military, it is mostly practicing, signal ops, and CND. In law enforcement, most of the good jobs are in consultancy firms which you don’t call them, they call you.
Intelligence, it is really a lot of the same thing.
In professional, governmental hacking:
One person finds the vulnerability, and that by assignment. Someone else will use it. Everything is well planned and maintained. It is always a team effort. Someone else tells the team who to hack. Other people entirely look over the product result from the surveillance.
Even in the lowest jobs, you can’t ever tell anyone anything. Even after you have left.
I disagree about corporate. In corporate, at the application security level of experience, anyway, you do get to hack stuff. If you work in application security, all you will be doing all day is finding zero day and working with developers to get them fixed and otherwise mitigated.
When you red team, you very often have to keep it as real as possible.
I think the choice is more about ‘what are you working for’.
If you want real excitement, real challenge, your best bet is not thinking hacking is the route.
Hacking is a support role, even at its’ most glorified state.
The day to day is extremely boring. In fact, I think that is the main trait (not ‘hinky thinking’) which divides good hackers from poor. You have to have inhuman levels of patience.
It certainly challenges your will, your intellect, your inner strength and capacity for patience.
But it is nowhere near the really interesting stuff.
Ben Morganson • April 23, 2016 2:39 PM
^^ clarification on ‘patience’ over ‘hinky thinking’:
They do both go hand in hand. Also, you have to be self-motivated.
All of this stuff is incredibly hard to train, if not impossible. You have to start with the right material.
Invariably, the sort who can find meaningless zero day, are also the sort who you can drop down into a foreign nation, and in ten years they will have mastered the culture and language and be in a position of power.
Ala, assassins of old.
They figure out what they have to do to accomplish their objectives, and they make as straight of a line towards their objectives as possible. And they accomplish them.
This sort of bar doesn’t exist when you are just trying to navigate a network, or memorizing previously disclosed bugs. It does not exist when you are just analyzing malware. It barely exists for low hanging fruit areas, like web applications. (Except for the extremely hard to find and exploit web app bugs.)
But, for very significant vulnerabilities, it is an extremely exhaustive technical task.
If you can self teach yourself a foreign language, or how to fly a jumbo jet, I think you could make the grade.
Otherwise, no.
And none of that means anything you do would be really interesting. It would not be movie worthy or even television show worthy.
Ben Morganson • April 23, 2016 3:09 PM
@Jake
Thanks for the clarification of what you were talking about. Does not surprise me, and actually would make the job much easier to find or have zero day in.
From the story I figured, all it takes to get into our network, is a dedicated lone hacked with backtrack Linux DVD. But I can hardly believe that I have exploitable 0days.
Phishing one of the users might work, but tho is hardly hacking…
‘The more complicated a system, more likely it will have faults.’ Software, definitely fits that bill.
Everyone says there is no zero day before it is published, unfortunately.
It is a purely empirical science. At least in terms of hard proof for results.
I believe the best attitude to have in regards to one’s technical device security, is to not only assume (rightly) a lot of potential zero in your systems’ software code. But, to believe one is already compromised.
And work at that as baseline security.
This sort of industry attitude is not just something that sound good on paper, but really did not work. But, is based in strong data put into good math.
Ben Morganson • April 23, 2016 3:14 PM
@Jake
Ah, forgot to mention. The “responsible disclosure” phrase me and r were having, was not about something unfixed. It is a slang phrase common in our sector of the industry with a rich history.
So, you can find a wiki document “responsible disclosure” or on “full disclosure”.
Both are lists of ‘best case behavior practices’ worn out by work in the field, and by wide peer analysis and consulting via open forums.
Both have widespread agreement, and continue to.
Ken • April 23, 2016 10:13 PM
“No I don’t think so as I said ” Fame and fortune are what most people want GS gives you neither…” it’s the human condition to be recognised and rewarded for talent. GS is often seen not for those but job security and comfortable pension, which the likes of Trump want to cull.”-Clive Robinson
Presumably, it takes a rare combination of talent, integrity, and ideology, oh and the smarts. Dedication that demand no recognition, and for the most part remaining anonymous.
“I also think you are greatly underestimating how much resources and project management plays a role in nation states ability to conduct cyber offense operations.”-Z
The money have in recent decades shifted from pension plans to stock options, because everyone who wanted a fair share of the loot figured that the rate at which money prints is far greater than, and thanks to Greenspan, the rate of interest returns. We’ve also seen the same thing happening in private space where the likes of Bell Labs were sliced apart and redistributed both talent-wise and in terms of intellectual assets.
This streamlined process had benefitted the likes of big fives and new media, as the new economy is further streamlined into a service oriented model/architecture. Thanks (and no thanks) to Snowden this will further exert the talent pull away from government space where the talented are being attracted into private space away from the rank-and-file and into the influence of money/equity underwriters.
@daniel
“…but there is also the reality that it takes time and energy to do this. Who was footing his housing and food bills while he was spending all of his time hacking?”
Idk about everyone else but I spent my downtime as a sysadmin playing with wmic and remote pushing and pulling so that I didn’t have to visit the users’ desk or interrupt their work. Nothing better than instant uninstallation of huge programs with a one line command.
As far as a nation-state team being used to do the hack, I would say that would be totally wasteful. The guy had a nice repository of tools to save him a ton of a time. 100 hours is entirely feasible for even the 5 year veteran of Windows administration with the same toolset – perhaps double without. I guess the wildcard is the combination of luck and how much time an organization spends reviewing logs. A little pen testing would have served them well, but who actually pays for that?
Idk maybe I’m oversimplifying a jordan-esque performance? He certainly made it look easier than I thought.
Daniel • April 25, 2016 11:59 PM
@all
Looking back my post reads like more of a whine than I intended. All I’m really trying to say is this: extraordinary claims require extraordinary evidence. Calling his performance “Jordan-esque” or likening him to a Leonardo De Vinci isn’t evidence, it is merely restating the claim. There is no actual evidence to buttress his claim other than a general appeal to the community that of course a guru or a whiz kid could pull this off. Of course, to be fair, I have no evidence to contradict him either. I’m simply skeptical of the claim because it seems to me like the kind of claim people want to be true (there’s a hero, a white knight) but which usually isn’t true.
Jeff Home • April 27, 2016 12:36 AM
@daniel
I hear you. People are not superheros.
You need superpowers for that.
All of this is just one distraction on a whole heap of other distractions.
Rick Taggard • April 28, 2016 2:48 PM
@Daniel
You have to look at the product, not what may or may not have transpired between A to Z.
The product is a lot of bad nations had their bad actions thrown to the world. That is with the gamma hack and with the hacking team hack.
Assuming the guy taking credit for this did it, is naive. Assuming he is at least a “face” for the hacking is not naive.
Neither group pushed back. He would have been smart enough to provide forensic data “only the attacker would know”, which is why they did not push back and deny his claims.
Anyone here can make that assessment.
As for whether he is a vigilante or whether this was “government”, I believe the later.
For various good reasons.
No one else would, so does not matter to say.
sh4d0wman • June 4, 2016 11:09 AM
As some posters were wondering how he could detect and exploit a zero-day let me try to write something about that. I am a self-taught vulnerability researcher so if anything in this text does not make sense feel free to correct me.
Off we go:
His three options:
A 0day in Joomla
A 0day in postfix
A 0day in one of the embedded devices:
– a couple of routers
– two VPN appliances
– a spam filtering appliance
My first step would be the same as his: validating that both Joomla (+plugins) and postfix contain no public vulnerability.
So we landed at embedded devices. Here it gets tricky because we do not know the hacker his background/skills. For me as average vulnerability researcher I would first look after the spam appliance
(For sake of simplicity I work on the assumption that none of these devices expose a web-service or any api’s. Just SSH and bare minimum daemons e.g. mail functionality / vpn /etc.)
Why did I chose the spam appliance? It has the largest attack surface. You could trigger an exploit by crafting a network packet, malformed e-mail or e-mail attachment. None of this require any user interaction. Brief attack surface overview:
What could gain him root in 2 weeks?
The first challenge he had was obtaining the device or firmware.
– As said before, a virtual system is often available for download as trial.
– Many vendors put the firmware up for download, this could be unpacked to gain access to the filesystem. Note he uploaded a modified firmware so this is a likely scenario which also cost lest effort than obtaining a real device.
– He could have purchased the device but that would be a last resort. Once received the debug port (JTAG etc) could be used to pull of the firmware.
There are some differences between auditing firmware or a running device for vulnerabilities.
In firmware he could look for:
– Hidden accounts / commands (e.g. hidden “support” account with root privs)
– Magic packets / commands (e.g. a crafted network packet might spawn a daemon granting temporary root access or a specific url gives debug functionality)
– Cryptographic key disclosure (for example a static private RSA key for SSH)
On a running device or through emulation of binaries extracted from firmware he could look for:
– Memory corruption: this process can be automated through so called fuzzing, prime candidates would be the ssh/ike or other VPN type daemons, mail daemon of the spamfilter, parsers for spam/virus, network driver.
– Injection attacks: javascript injection on the spamfilter appliance?
Any of these could be done in two weeks time if you have all your tools setup and are not doing this for the first time. However memory corruption would no doubt be the hardest method. It’s the most likely candidate to yield an RCE bug in well designed (secure) software. It could also be a chained bug, something like gaining access with a test / guest or debug account and exploiting a known local vulnerability to escalate to root.
That’s just my 2 cents. Stay safe 🙂
“Being a hacker does not say what side you are on. Being a hacker means you know how things actually work and can manipulate the way things actually work for good or for harm. “
Subscribe to comments on this entry
Sidebar photo of Bruce Schneier by Joe MacInnis.
John • April 21, 2016 7:34 AM
The paste bin link is still up at:
http://pastebin.com/raw/0SNSvyjJ