September 12, 2012
I've already documented my brief, youthful dalliance with the illegal side of computing as it existed in the late 1980s. But was it crime? Was I truly a criminal? I don't think so. To be perfectly blunt, I wasn't talented enough to be any kind of threat. I'm still not.
There are two classic books describing hackers active in the 1980s who did have incredible talent. Talents that made them dangerous enough to be considered criminal threats.
Cuckoo is arguably the first case of hacking that was a clearly malicious crime circa 1986, and certainly the first known case of computer hacking as international espionage. I read this when it was originally published in 1989, and it's still a gripping investigative story. Cliff Stoll is a visionary writer who saw how trust in computers and the emerging Internet could be vulnerable to real, actual, honest-to-God criminals.
I'm not sure Kevin Mitnick did anything all that illegal, but there's no denying that he was the world's first high profile computer criminal.
By 1994 he made the FBI's 10 Most Wanted list, and there were front page New York Times articles about his pursuit. If there was ever a moment that computer crime and "hacking" entered the public consciousness as an ongoing concern, this was it.
The whole story is told in minute detail by Kevin himself in Ghost in the Wires. There was a sanitized version of Kevin's story presented in Wizzywig comix but this is the original directly from the source, and it's well worth reading. I could barely put it down. Kevin has been fully reformed for many years now; he wrote several books documenting his techniques and now consults with companies to help improve their computer security.
These two books cover the genesis of all computer crime as we know it. Of course it's a much bigger problem now than it was in 1985, if for no other reason than there are far more computers far more interconnected with each other today than anyone could have possibly imagined in those early days. But what's really surprising is how little has changed in the techniques of computer crime since 1985.
The best primer of modern – and by that I mean year 2000 and later – computer crime is Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground
. Modern computer crime is more like the classic sort of crime you've seen in black and white movies: it's mostly about stealing large sums of money. But instead of busting it out of bank vaults Bonnie and Clyde style, it's now done electronically, mostly through ATM and credit card exploits.
Written by Kevin Poulson, another famous reformed hacker, Kingpin is also a compelling read. I've read it twice now. The passage I found most revealing is this one, written after the protagonist's release from prison in 2002:
One of Max’s former clients in Silicon Valley tried to help by giving Max a $5,000 contract to perform a penetration test on the company’s network. The company liked Max and didn’t really care if he produced a report, but the hacker took the gig seriously. He bashed at the company’s firewalls for months, expecting one of the easy victories to which he’d grown accustomed as a white hat. But he was in for a surprise. The state of corporate security had improved while he was in the joint. He couldn’t make a dent in the network of his only client. His 100 percent success record was cracking.
Max pushed harder, only becoming more frustrated over his powerlessness. Finally, he tried something new. Instead of looking for vulnerabilities in the company’s hardened servers, he targeted some of the employees individually.
These “client side” attacks are what most people experience of hackers—a spam e-mail arrives in your in-box, with a link to what purports to be an electronic greeting card or a funny picture. The download is actually an executable program, and if you ignore the warning message
All true; no hacker today would bother with frontal assaults. The chance of success is miniscule. Instead, they target the soft, creamy underbelly of all companies: the users inside. Max, the hacker described in Kingpin, bragged "I've been confident of my 100 percent [success] rate ever since." This is the new face of hacking. Or is it?
One of the most striking things about Ghost In The Wires is not how skilled a computer hacker Kevin Mitnick is (although he is undeniably great), but how devastatingly effective he is at tricking people into revealing critical information in casual conversations. Over and over again, in hundreds of subtle and clever ways. Whether it's 1985 or 2005, the amount of military-grade security you have on your computer systems matters not at all when someone using those computers clicks on the dancing bunny. Social engineering is the most reliable and evergreen hacking technique ever devised. It will outlive us all.
For a 2012 era example, consider the story of Mat Honan. It is not unique.
At 4:50 PM, someone got into my iCloud account, reset the password and sent the confirmation message about the reset to the trash. My password was a 7 digit alphanumeric that I didn’t use elsewhere. When I set it up, years and years ago, that seemed pretty secure at the time. But it’s not. Especially given that I’ve been using it for, well, years and years. My guess is they used brute force to get the password and then reset it to do the damage to my devices.
I heard about this on Twitter when the story was originally developing, and my initial reaction was skepticism that anyone had bothered to brute force anything at all, since brute forcing is for dummies. Guess what it turned out to be. Go ahead, guess!
Did you by any chance guess social engineering … of the account recovery process? Bingo.
After coming across my [Twitter] account, the hackers did some background research. My Twitter account linked to my personal website, where they found my Gmail address. Guessing that this was also the e-mail address I used for Twitter, Phobia went to Google’s account recovery page. He didn’t even have to actually attempt a recovery. This was just a recon mission.
Because I didn’t have Google’s two-factor authentication turned on, when Phobia entered my Gmail address, he could view the alternate e-mail I had set up for account recovery. Google partially obscures that information, starring out many characters, but there were enough characters available, m••••email@example.com. Jackpot.
Since he already had the e-mail, all he needed was my billing address and the last four digits of my credit card number to have Apple’s tech support issue him the keys to my account.
So how did he get this vital information? He began with the easy one. He got the billing address by doing a whois search on my personal web domain. If someone doesn’t have a domain, you can also look up his or her information on Spokeo, WhitePages, and PeopleSmart.
Getting a credit card number is tricker, but it also relies on taking advantage of a company’s back-end systems. … First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry’s published self-check algorithm.) Then you hang up.
Next you call back, and tell Amazon that you’ve lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account — not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits.
Phobia, the hacker Mat Honan documents, was a minor who did this for laughs. One of his friends is a 15 year old hacker who goes by the name of Cosmo; he's the one who discovered the Amazon credit card technique described above. And what are teenage hackers up to these days?
Xbox gamers know each other by their gamertags. And among young gamers it’s a lot cooler to have a simple gamertag like “Fred” than, say, “Fred1988Ohio.” Before Microsoft beefed up its security, getting a password-reset form on Windows Live (and thus hijacking a gamer tag) required only the name on the account and the last four digits and expiration date of the credit card on file. Derek discovered that the person who owned the “Cosmo” gamer tag also had a Netflix account. And that’s how he became Cosmo.
“I called Netflix and it was so easy,” he chuckles. “They said, ‘What’s your name?’ and I said, ‘Todd [Redacted],’ gave them his e-mail, and they said, ‘Alright your password is 12345,’ and I was signed in. I saw the last four digits of his credit card. That’s when I filled out the Windows Live password-reset form, which just required the first name and last name of the credit card holder, the last four digits, and the expiration date.”
This method still works. When Wired called Netflix, all we had to provide was the name and e-mail address on the account, and we were given the same password reset.
The techniques are eerily similar. The only difference between Cosmo and Kevin Mitnick is that they were born in different decades. Computer crime is a whole new world now, but the techniques used today are almost identical to those used in the 1980s. If you want to engage in computer crime, don't waste your time developing ninja level hacking skills, because computers are not the weak point.
[advertisement] How are you showing off your awesome? Create a Stack Overflow Careers profile and show off all of your hard work from Stack Overflow, Github, and virtually every other coding site. Who knows, you might even get recruited for a great new position!
Posted by Jeff Atwood
Some people might think that the lesson of Mat Honan's story is give your phone number to Google, so that hackers don't get to learn your other email. Problem is Google(or any other service provider for that matter) shouldn't be displaying any part of your recovery info for any reason.
What would you think, if your password reminder question was like this:
Your favorite dog?
And kudos to Apple and Amazon for using publicly accessible information as part of their id confirmation questions.
I am sorry but I'm failing to see how this was a "people" error and not a "system" error.
This was a very interesting read.
Please tell me Amazon have fixed that vulnerability now?
"The chance of success is miniscule. Instead, they target the soft, creamy underbelly of all companies: the users inside."
Reminds me of the xkcd comic: http://xkcd.com/538/
It is a people error because the system did not decide to display L*ss*y on its own; people made that decision. The system did not decide to allow users to add credit card information to an account without proper authentication; people made that decision.
Password recovery is kind of a paradoxical thing. From a technical point of view it would be easy to say "this account has password X, do not let anyone in unless he knows X", but the objective of authentication is not to verify that you know the password, it's to verify that you are who you say you are, and passwords are forgotten and stolen regularly, so they are ultimately something that's defeated by its own objective. Reminds me a bit of DRM, which wants to prevent people from copying things wile letting them access them.
Maybe Google should have a "disable all password recovery options" mode for paranoid people who think they can handle that?
@James: "It is a people error because the system did not decide to display L*ss*y on its own; people made that decision. The system did not decide to allow users to add credit card information to an account without proper authentication; people made that decision."
The distinction is between how the system functions and prevents intrusion on its own, versus actions that people take that unwittingly give hackers access.
In this example, the system was designed in a vulnerable way. An attack like that is made possible because a hacker can make a frontline assault on the system instead of calling a customer service person or sending the user an email bomb to open.
Also, Happy Programmer's Day.
I just finished "Ghost in the Wires" it was an amazing book. Reading it confirmed that the weakest link in any security system is the people who use it. The fact remains that 100% security will never be the attainable, simply because of the inherent "trust" we as humans have for each other.
Maybe the companies need to ask for the second to last 4 digits of a credit card. most companies display the last 4, but if the customer service would ask for the second to last 4, this would not be visible. The back end systems could be set to only display this information to the customer service individuals. Still making it secure for the user. It would be similar to a private key that only the user and company would know.
Kingpin's Max appeared in an episode of CNBC's "American Greed". He was the main subject of the show.
You don't post for over a month, then you blog about hacking. Should we be worried?
We are willing to sacrifice security for convenience to be able to do business over the phone easily. Some of the glaring weaknesses that are common in the US, such as using social security numbers, dates of birth, mother's maiden name, or last four digits of credit card as a form of "identification", are rare in other countries where business over the phone is not as common or businesses are more paranoid.
In Mexico, if you want to do almost anything related to your bank/utility/government/etc. account, you have to go to a branch in person and bring photo ID. Sure, you might fake a photo ID, but that increases the barrier and risk greatly compared to fraud over the phone.
(On the other hand, many people in Mexico are victims of bank fraud that are perpetrated by bank insiders, so things are most definitely not perfect there either!)
Security is never perfect and people are the weakest link by the very fact they are people. The same can be said for lots of things. What's the ratio of auto accidents caused by mechanical failure versus driver error? Pretty low I would guess.
You also have to factor in that there is little value in making it hard for customers to access your services and buy products. How attractive is a store with steel doors and no windows where you have to show ID and answer personal questions?
This reminds me of the good ol' dumpster diving technique, which along with social engineering is a real powerful way to acquire valuable information from a target.
Cuckoo's Egg is one of my favourite books, although I'm not sure I'd describe that hacker as 'incredibly talented', just very persistent.
I think you're missing a big chunk of the picture of the early days by focusing on just the two books mentioned however. I'd recommend this book as a worthy third in the list: http://www.underground-book.net -- I have a print copy, but the full text can be downloaded from that website.
The book includes the stories of several hackers from Europe, the US and Australia, although it doesn't provide their real names (several can be found on Wikipedia now though).
An Australian TV documentary was made about two of the hackers whose stories are included in that book a few years ago. A third Australian mentioned has become relatively well known in recent years. In fact his part of the book has been made into a film that premiered just a few days ago at the Toronto International Film Festival: http://www.hollywoodreporter.com/news/julian-assange-toronto-film-festival-underground-361989
BTW, I can definitely recommend you *don't* read Tsutomu Shimomura's, "Takedown: The Pursuit and Capture of Kevin Mitnick". For some reason he felt compelled to detail his eating habits along the way, and it's hugely distracting.
ahaha these stories are amazing. I didn't think hacking nowadays just needed some insidious intent with a bit of cleverness than legit and hardcore computer knowledge.
Might have to rethink my plan to take over the world. /O\
@Andyj75: credit card companies do not want retailers to display or store any other digits than the last 4, the last 4 digits are considered OK, they're shown on most receipts etc. The PCI requirements have a lot of very strict rules about how all credit card data must be stored or the retailer risks having their merchant accounts closed. Many retailers like Amazon do store the full details but they do have to follow the strict rules which almost certainly would prohibit sharing them for this kind of verification.
The scary thing about the attach on Mat Honan's accounts was the multiple front attack, they got Amazon, Google and Apple. All three had some set of *almost* reasonable practises but the slight variance between allowed the compromise of one account to lead to the next.
This isn't a "people" problem or a "system" problem, it sounds like a process problem. I remember one company claiming that their practises weren't followed but that is a process problem, not a people problem if it's as frequent as it seems.
It's good to finally have had another blog post after a month, I guess it was the jury duty or something from the look of Twitter? A series of posts about hacking would be interesting.
You don't need to be "Talented" to be a criminal. Is the person who smashes my window with a brick any less of a crinimal than the person who uses a lockpick?
"All true; no hacker today would bother with frontal assaults"
I'll got server logs that say otherwise
They also mess up the process in other ways.
The other day I called some company. Phone company maybe. They asked for my secret 4 digit code. I have had the account for at least a decade and don't recall any sort of 4 digit code ever being asked for. So I guessed the last four of my SSN and they said that wasn't it. So they tried asking some more things and decided to help me. They came up with a new 4 digit code that I'm supposed to know somewhere in the last 10 years.
They decided recently to start asking for it if you call in. But all the old customers, like me, don't know what they are talking about. The customer support folks want to help us so they go around the security rules to convince themselves that the person claiming to be me on the phone is really me.
The 4 digit code has accomplished nothing.
This way of doing things just makes it that much easier for the bad guy (or girl to be fair) to social engineer their way into my phone account. (I do hope they pay it if they hack in, though.)
My bank always does security authentication things through snail mail. I always wondered if that really helped the situation, or if it's just that the crackers don't have the patience to wait that long, so they get bored and move on.
Very good reading, thank you.
That day I give some companies. The telephone company may. They asked for my secret 4 digit code. My account for at least ten years, and don't remember any form of 4 digit code was asked. So I guess my last four SSN and they say that's not it. So they tried to ask some more, decided to help me. They came up with a new 4 digit code, I should know that in the past ten years, somewhere.
cheap football jerseys
I assumed anyone applying for a job as a programmer had already crossed this chasm. Apparently this is not a reasonable assumption to make. Apparently, FizzBuzz style screening is required to keep interviewers from wasting their time interviewing programmers who can't program. Páginas Amarillas
They asked for my secret 4 digit code. My account for at least ten years, and don't remember any form of 4 digit code was asked. So I guess my last four SSN and they say that's not it. So they tried to ask some more, decided to help me. They came up with a new 4 digit code, I should know that in the past ten years, somewhere free credit reports
I hope one day one of your kids gets told that they shouldn't do something, because they'll probably suck at it. Then you'll get an idea how hard it can be to pull someone out of that hole. NYC Tax Preparation