Marshall Doesn't work There

- by Paul Murphy -

During a break in a series of discussions on US HIPAA compliance for Canadian health care players, one of the attendees regaled the group with a long brag about how his company's techies had defeated a phishing attack.

According to the story the company's wizards had discovered a phishing attack based out of Hong Kong, promptly hacked into the phisher's server to retrieve the stolen information, and "shut him down hard."

I almost did a spitter - you know, the vaudeville sight gag in which someone sipping water is astonished into spraying everyone in sight? Nasty thing to do with hot coffee; I mean, really, this company runs Windows for its webservers - and, besides, how do you meaningfully retrieve stolen bytes?

Marshall, the super tech on the TV show Alias, could do it, but then he can break into any computer system in seconds, do TV quality two way video conferencing using a long distance dial-up line, remotely transfer 40GB from the bad guy's mainframe to a microdisk in about five seconds, and instantly knows exactly how to use a fully embedded real time system he's just hacked into over 51KBS satelite links.

Unfortunately Marshall doesn't work for this guy, so my first thought was that he was spoofing us. He wasn't; he sincerely believed the story and rejoiced in this idea of the bad guy being "shut down hard" --a phrase I keep hearing from executives who deeply resent being asked what it means.

What it meant to me was first that someone had lied extravagantly to him, and more importantly that there's credulous market for lunacy out there in executive land.

Actually breaking into a particular computer system you don't have physical access to and don't know much about is quite hard. It's easy to trash any number of machines at random, or to get at least some victim machines to run applications on your behalf, because those are numbers games: spray enough attacks around and you're bound to hit some with easily exploited vulnerabilities.

Playing Mr. White Hat hacker for some unsuspecting MCSEs is easy too: just DHCP boot your laptop on the network segment where the servers are and start a promiscious packet snoop before going off for coffee with the locals. By the time you get back, you'll have caught somebody's userid and password and you can hunt up the Word document they use to store their super secret device names and passwords while they're off checking their e-mail. By the time they get back, you'll be all set: just show them a few minutes of concentrated hocus pocus. then quietly breath out "I'm in!" before sitting back to accept the applause.

Unfortunately cracking a machine you don't have access to and know nothing about is a lot harder - especially if you don't want the target to know you're doing it. For example, cracking whatever's behind without tipping off the person operating it is tricky, not to say nearly impossible to do in a tight time frame.

Marshall can do this kind of thing while Alias girl hangs from a fiftieth story ledge in a hurricane but, of course, he'd apply "an algorythm" (who writes this stuff?) and magically get complete system control just as her pretty little fingers start to slip. The rest of us, however, have to start by figuring out how to access that target machine, what its software is, and what weaknesses in the local set-up might be useful places to dig in our handy digital jimneys - and do it all without getting noticed.

The most obvious problem is simply that even probing it is likely to tip off the bad guy to your interest, and how do you know that 7308 isn't on one machine while everything else is on another just waiting for you to waste your time on?

In real life I'd probably start with an imitation google or netcraft robot and then go after the penultimate network device on our route to him. That device, particularly if it happens to use IIS as its management interface, can normally be prevailed upon to hand over lots of useful information - often including the bad guy's own ssh login. Unfortunately doing that takes time, and most phishers change servers about once every two and half to three days to make sure you don't get enough of it to nail them.

That leaves either the legal process or social engineering. Unfortunately the phishing attacks I've looked at used servers registered in places like Pusan (Republic of Korea) but run on networks out of Hong Kong or Shanghai. That means either process would take weeks of effort and thousands in expenses just to set up in each target jurisdiction.

So by the time I'd put the coffee safely back on the table I'd figured out that some of his customers had indeed been victimized, but he'd been ripped worse by his own IT people. The bottom line is simple: he may want to believe that Marshall works for him, but it's not true - and if they'll lie to him about this, how much credence should he give them on PIPEDA, HIPAA, and Sarbanes-Oxley?

Paul Murphy wrote and published The Unix Guide to Defenestration. Murphy is a 20-year veteran of the IT consulting industry.