I've already documented my brief, youthful dalliance with the illegal side of computing as it existed in the late 1980s. But was it crime? Was I truly a criminal? I don't think so. To be perfectly blunt, I wasn't talented enough to be any kind of threat. I'm still not.
There are two classic books describing hackers active in the 1980s who did have incredible talent. Talents that made them dangerous enough to be considered criminal threats.
The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage
Ghost in the Wires: My Adventures as the World's Most Wanted Hacker
Cuckoo is arguably the first case of hacking that was a clearly malicious crime circa 1986, and certainly the first known case of computer hacking as international espionage. I read this when it was originally published in 1989, and it's still a gripping investigative story. Cliff Stoll is a visionary writer who saw how trust in computers and the emerging Internet could be vulnerable to real, actual, honest-to-God criminals.
I'm not sure Kevin Mitnick did anything all that illegal, but there's no denying that he was the world's first high profile computer criminal.
By 1994 he made the FBI's 10 Most Wanted list, and there were front page New York Times articles about his pursuit. If there was ever a moment that computer crime and "hacking" entered the public consciousness as an ongoing concern, this was it.
The whole story is told in minute detail by Kevin himself in Ghost in the Wires. There was a sanitized version of Kevin's story presented in Wizzywig comix but this is the original directly from the source, and it's well worth reading. I could barely put it down. Kevin has been fully reformed for many years now; he wrote several books documenting his techniques and now consults with companies to help improve their computer security.
These two books cover the genesis of all computer crime as we know it. Of course it's a much bigger problem now than it was in 1985, if for no other reason than there are far more computers far more interconnected with each other today than anyone could have possibly imagined in those early days. But what's really surprising is how little has changed in the techniques of computer crime since 1985.
The best primer of modern – and by that I mean year 2000 and later – computer crime is Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground. Modern computer crime is more like the classic sort of crime you've seen in black and white movies: it's mostly about stealing large sums of money. But instead of busting it out of bank vaults Bonnie and Clyde style, it's now done electronically, mostly through ATM and credit card exploits.
Written by Kevin Poulsen, another famous reformed hacker, Kingpin is also a compelling read. I've read it twice now. The passage I found most revealing is this one, written after the protagonist's release from prison in 2002:
One of Max’s former clients in Silicon Valley tried to help by giving Max a $5,000 contract to perform a penetration test on the company’s network. The company liked Max and didn’t really care if he produced a report, but the hacker took the gig seriously. He bashed at the company’s firewalls for months, expecting one of the easy victories to which he’d grown accustomed as a white hat. But he was in for a surprise. The state of corporate security had improved while he was in the joint. He couldn’t make a dent in the network of his only client. His 100 percent success record was cracking.
Max pushed harder, only becoming more frustrated over his powerlessness. Finally, he tried something new. Instead of looking for vulnerabilities in the company’s hardened servers, he targeted some of the employees individually.
These “client side” attacks are what most people experience of hackers—a spam e-mail arrives in your in-box, with a link to what purports to be an electronic greeting card or a funny picture. The download is actually an executable program, and if you ignore the warning message
All true; no hacker today would bother with frontal assaults. The chance of success is minuscule. Instead, they target the soft, creamy underbelly of all companies: the users inside. Max, the hacker described in Kingpin, bragged "I've been confident of my 100 percent [success] rate ever since." This is the new face of hacking. Or is it?
One of the most striking things about Ghost In The Wires is not how skilled a computer hacker Kevin Mitnick is (although he is undeniably great), but how devastatingly effective he is at tricking people into revealing critical information in casual conversations. Over and over again, in hundreds of subtle and clever ways. Whether it's 1985 or 2005, the amount of military-grade security you have on your computer systems matters not at all when someone using those computers clicks on the dancing bunny. Social engineering is the most reliable and evergreen hacking technique ever devised. It will outlive us all.
For a 2012 era example, consider the story of Mat Honan. It is not unique.
At 4:50 PM, someone got into my iCloud account, reset the password and sent the confirmation message about the reset to the trash. My password was a 7 digit alphanumeric that I didn’t use elsewhere. When I set it up, years and years ago, that seemed pretty secure at the time. But it’s not. Especially given that I’ve been using it for, well, years and years. My guess is they used brute force to get the password and then reset it to do the damage to my devices.
I heard about this on Twitter when the story was originally developing, and my initial reaction was skepticism that anyone had bothered to brute force anything at all, since brute forcing is for dummies. Guess what it turned out to be. Go ahead, guess!
Did you by any chance guess social engineering … of the account recovery process? Bingo.
After coming across my [Twitter] account, the hackers did some background research. My Twitter account linked to my personal website, where they found my Gmail address. Guessing that this was also the e-mail address I used for Twitter, Phobia went to Google’s account recovery page. He didn’t even have to actually attempt a recovery. This was just a recon mission.
Because I didn’t have Google’s two-factor authentication turned on, when Phobia entered my Gmail address, he could view the alternate e-mail I had set up for account recovery. Google partially obscures that information, starring out many characters, but there were enough characters available, m••••n@me.com. Jackpot.
Since he already had the e-mail, all he needed was my billing address and the last four digits of my credit card number to have Apple’s tech support issue him the keys to my account.
So how did he get this vital information? He began with the easy one. He got the billing address by doing a whois search on my personal web domain. If someone doesn’t have a domain, you can also look up his or her information on Spokeo, WhitePages, and PeopleSmart.
Getting a credit card number is trickier, but it also relies on taking advantage of a company’s back-end systems. … First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry’s published self-check algorithm.) Then you hang up.
Next you call back, and tell Amazon that you’ve lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account — not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits.
Phobia, the hacker Mat Honan documents, was a minor who did this for laughs. One of his friends is a 15 year old hacker who goes by the name of Cosmo; he's the one who discovered the Amazon credit card technique described above. And what are teenage hackers up to these days?
Xbox gamers know each other by their gamertags. And among young gamers it’s a lot cooler to have a simple gamertag like “Fred” than, say, “Fred1988Ohio.” Before Microsoft beefed up its security, getting a password-reset form on Windows Live (and thus hijacking a gamer tag) required only the name on the account and the last four digits and expiration date of the credit card on file. Derek discovered that the person who owned the “Cosmo” gamer tag also had a Netflix account. And that’s how he became Cosmo.
“I called Netflix and it was so easy,” he chuckles. “They said, ‘What’s your name?’ and I said, ‘Todd [Redacted],’ gave them his e-mail, and they said, ‘Alright your password is 12345,’ and I was signed in. I saw the last four digits of his credit card. That’s when I filled out the Windows Live password-reset form, which just required the first name and last name of the credit card holder, the last four digits, and the expiration date.”
This method still works. When Wired called Netflix, all we had to provide was the name and e-mail address on the account, and we were given the same password reset.
The techniques are eerily similar. The only difference between Cosmo and Kevin Mitnick is that they were born in different decades. Computer crime is a whole new world now, but the techniques used today are almost identical to those used in the 1980s. If you want to engage in computer crime, don't waste your time developing ninja level hacking skills, because computers are not the weak point.
People are.
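The recovery chain quoted above can be audited mechanically. The following is an added example, not code from the original post: it models each recovery flow as "proof accepted" and "information given out", then computes what a caller holding only public details ends up with. The attribute names and rule sets are a constructed simplification of the flows the article quotes.

```python
from typing import NamedTuple


class Rule(NamedTuple):
    service: str
    action: str
    accepts: frozenset  # proof the flow asks the caller for
    yields: frozenset   # what the caller can see or control afterwards


def rule(service, action, accepts, yields):
    return Rule(service, action, frozenset(accepts), frozenset(yields))


# Constructed, simplified model of the recovery flows quoted in the article.
# Attribute names are assumptions made for this example.
RULES_2012 = [
    rule("Google", "recovery page hint", {"email"}, {"apple_id_email"}),
    rule("Amazon", "add card by phone",
         {"name", "email", "billing_address"}, {"own_card_on_file"}),
    rule("Amazon", "add e-mail by phone",
         {"name", "billing_address", "own_card_on_file"}, {"own_email_on_file"}),
    rule("Amazon", "web password reset",
         {"own_email_on_file"}, {"amazon_account", "card_last4"}),
    rule("Apple", "phone password reset",
         {"apple_id_email", "billing_address", "card_last4"}, {"icloud_account"}),
]
# Details the article says came from public sources (personal site, whois).
PUBLIC = frozenset({"name", "email", "billing_address"})


def reachable(rules, start):
    """Fixed point: apply every flow whose accepted proof is already known."""
    known, fired = set(start), []
    changed = True
    while changed:
        changed = False
        for r in rules:
            if r not in fired and r.accepts <= known:
                known |= r.yields
                fired.append(r)
                changed = True
    return known, fired


def cross_service_proofs(rules, start):
    """Proof items one service accepts that a different service gives out."""
    _, fired = reachable(rules, start)
    return [(src.service, dst.service, sorted(src.yields & dst.accepts))
            for src in fired for dst in fired
            if src.service != dst.service and src.yields & dst.accepts]


def exposed(rules, start, asset):
    return asset in reachable(rules, start)[0]


def harden(rules, service, action, extra_proof):
    """Copy of rules where one flow also requires extra_proof."""
    return [r._replace(accepts=r.accepts | {extra_proof})
            if (r.service, r.action) == (service, action) else r
            for r in rules]


if __name__ == "__main__":
    for src, dst, items in cross_service_proofs(RULES_2012, PUBLIC):
        print(f"{dst} accepts {items} as proof; {src} discloses it")
    fixed = harden(RULES_2012, "Amazon", "add card by phone", "amazon_password")
    print("iCloud exposed before:", exposed(RULES_2012, PUBLIC, "icloud_account"))
    print("iCloud exposed after: ", exposed(fixed, PUBLIC, "icloud_account"))
```

Each pair reported by `cross_service_proofs` is a value one company treats as a secret while another treats it as displayable, which is the gap a recovery-process review should close first.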
This was a very interesting read.
Yann Bane on September 12, 2012 3:09 AM
Very good article.
Here's an interesting approach to dealing with hackers: http://www.youtube.com/watch?v=nHKDeBBbd-U
Please tell me Amazon have fixed that vulnerability now?
finnw on September 12, 2012 3:38 AM
"The chance of success is minuscule. Instead, they target the soft, creamy underbelly of all companies: the users inside."
Reminds me of the xkcd comic: http://xkcd.com/538/
It is a people error because the system did not decide to display L*ss*y on its own; people made that decision. The system did not decide to allow users to add credit card information to an account without proper authentication; people made that decision.
James Williams on September 12, 2012 6:06 AM
Password recovery is kind of a paradoxical thing. From a technical point of view it would be easy to say "this account has password X, do not let anyone in unless he knows X", but the objective of authentication is not to verify that you know the password, it's to verify that you are who you say you are, and passwords are forgotten and stolen regularly, so they are ultimately something that's defeated by its own objective. Reminds me a bit of DRM, which wants to prevent people from copying things while letting them access them.
Maybe Google should have a "disable all password recovery options" mode for paranoid people who think they can handle that?
Bugmethx on September 12, 2012 6:34 AM
@James: "It is a people error because the system did not decide to display L*ss*y on its own; people made that decision. The system did not decide to allow users to add credit card information to an account without proper authentication; people made that decision."
The distinction is between how the system functions and prevents intrusion on its own, versus actions that people take that unwittingly give hackers access.
In this example, the system was designed in a vulnerable way. An attack like that is made possible because a hacker can make a frontline assault on the system instead of calling a customer service person or sending the user an email bomb to open.
Brad Rembielak on September 12, 2012 6:45 AM
Also, Happy Programmer's Day.
Andrew on September 12, 2012 7:22 AM
I just finished "Ghost in the Wires"; it was an amazing book. Reading it confirmed that the weakest link in any security system is the people who use it. The fact remains that 100% security will never be attainable, simply because of the inherent "trust" we as humans have for each other.
Maybe the companies need to ask for the second to last 4 digits of a credit card. Most companies display the last 4, but if the customer service would ask for the second to last 4, this would not be visible. The back end systems could be set to only display this information to the customer service individuals. Still making it secure for the user. It would be similar to a private key that only the user and company would know.
Andyj75 on September 12, 2012 7:27 AM
All of these are definitely must-reads. I'd also add this:
The Watchman: The Twisted Life and Crimes of Serial Hacker Kevin Poulsen
http://www.amazon.com/The-Watchman-Twisted-Crimes-Poulsen/dp/0316528579
You mentioned Kevin Poulsen as an author, but he also has a book chronicling his hacking.
Jimmy on September 12, 2012 7:38 AM
Kingpin's Max appeared in an episode of CNBC's "American Greed". He was the main subject of the show.
Alex Vincent on September 12, 2012 7:43 AM
You don't post for over a month, then you blog about hacking. Should we be worried?
Craig Hubert on September 12, 2012 8:05 AM
We are willing to sacrifice security for convenience to be able to do business over the phone easily. Some of the glaring weaknesses that are common in the US, such as using social security numbers, dates of birth, mother's maiden name, or last four digits of credit card as a form of "identification", are rare in other countries where business over the phone is not as common or businesses are more paranoid.
In Mexico, if you want to do almost anything related to your bank/utility/government/etc. account, you have to go to a branch in person and bring photo ID. Sure, you might fake a photo ID, but that increases the barrier and risk greatly compared to fraud over the phone.
(On the other hand, many people in Mexico are victims of bank fraud that are perpetrated by bank insiders, so things are most definitely not perfect there either!)
itub on September 12, 2012 8:41 AM
Security is never perfect and people are the weakest link by the very fact they are people. The same can be said for lots of things. What's the ratio of auto accidents caused by mechanical failure versus driver error? Pretty low I would guess.
You also have to factor in that there is little value in making it hard for customers to access your services and buy products. How attractive is a store with steel doors and no windows where you have to show ID and answer personal questions?
Tim Madden on September 12, 2012 12:26 PM
This reminds me of the good ol' dumpster diving technique, which along with social engineering is a real powerful way to acquire valuable information from a target.
Gc on September 12, 2012 1:43 PM
Cuckoo's Egg is one of my favourite books, although I'm not sure I'd describe that hacker as 'incredibly talented', just very persistent.
I think you're missing a big chunk of the picture of the early days by focusing on just the two books mentioned however. I'd recommend this book as a worthy third in the list: http://www.underground-book.net -- I have a print copy, but the full text can be downloaded from that website.
The book includes the stories of several hackers from Europe, the US and Australia, although it doesn't provide their real names (several can be found on Wikipedia now though).
An Australian TV documentary was made about two of the hackers whose stories are included in that book a few years ago. A third Australian mentioned has become relatively well known in recent years. In fact his part of the book has been made into a film that premiered just a few days ago at the Toronto International Film Festival: http://www.hollywoodreporter.com/news/julian-assange-toronto-film-festival-underground-361989
Steven on September 12, 2012 6:23 PM
BTW, I can definitely recommend you *don't* read Tsutomu Shimomura's, "Takedown: The Pursuit and Capture of Kevin Mitnick". For some reason he felt compelled to detail his eating habits along the way, and it's hugely distracting.
Hamish Campbell on September 12, 2012 6:32 PM
ahaha these stories are amazing. I didn't think hacking nowadays just needed some insidious intent with a bit of cleverness than legit and hardcore computer knowledge.
Might have to rethink my plan to take over the world. /O\
Lightburst7 on September 13, 2012 6:04 AM
@Andyj75: credit card companies do not want retailers to display or store any other digits than the last 4, the last 4 digits are considered OK, they're shown on most receipts etc. The PCI requirements have a lot of very strict rules about how all credit card data must be stored or the retailer risks having their merchant accounts closed. Many retailers like Amazon do store the full details but they do have to follow the strict rules which almost certainly would prohibit sharing them for this kind of verification.
The scary thing about the attack on Mat Honan's accounts was the multiple front attack, they got Amazon, Google and Apple. All three had some set of *almost* reasonable practises but the slight variance between allowed the compromise of one account to lead to the next.
This isn't a "people" problem or a "system" problem, it sounds like a process problem. I remember one company claiming that their practises weren't followed but that is a process problem, not a people problem if it's as frequent as it seems.
It's good to finally have had another blog post after a month, I guess it was the jury duty or something from the look of Twitter? A series of posts about hacking would be interesting.
JPenguinCA on September 13, 2012 8:59 PM
How about Zero Day: A Novel by Mark Russinovich and Howard Schmidt ?
http://www.amazon.com/Zero-Day-Novel-Mark-Russinovich/dp/1250007305/ref=la_B001IGNICC_1_5?ie=UTF8&qid=1347888058&sr=1-5
You don't need to be "Talented" to be a criminal. Is the person who smashes my window with a brick any less of a criminal than the person who uses a lockpick?
Justin on September 17, 2012 7:46 AM
"All true; no hacker today would bother with frontal assaults"
I've got server logs that say otherwise
Mark on September 17, 2012 10:38 AM
They also mess up the process in other ways.
The other day I called some company. Phone company maybe. They asked for my secret 4 digit code. I have had the account for at least a decade and don't recall any sort of 4 digit code ever being asked for. So I guessed the last four of my SSN and they said that wasn't it. So they tried asking some more things and decided to help me. They came up with a new 4 digit code that I'm supposed to know somewhere in the last 10 years.
They decided recently to start asking for it if you call in. But all the old customers, like me, don't know what they are talking about. The customer support folks want to help us so they go around the security rules to convince themselves that the person claiming to be me on the phone is really me.
The 4 digit code has accomplished nothing.
This way of doing things just makes it that much easier for the bad guy (or girl to be fair) to social engineer their way into my phone account. (I do hope they pay it if they hack in, though.)
Lee on September 18, 2012 2:35 PM
My bank always does security authentication things through snail mail. I always wondered if that really helped the situation, or if it's just that the crackers don't have the patience to wait that long, so they get bored and move on.
Jeffrey Davis on September 20, 2012 7:55 AM
Very good reading, thank you.
Pol84_ on September 22, 2012 10:19 AM