Wednesday, November 21, 2007

You Might Be A Hacker If.....


You want to be a hacker if this scenario sounds like something you would do. I was at work the other day, back in my retail days, at an esteemed retailer known for security breaches. I will start with a bit of background. Can you tell I’m not a writer? I was hired right at the beginning, literally as they were pouring the foundation walls and, more importantly, when they were setting up the server room. Geek that I am, I instantly made friends with the out-of-town contractors who were setting up the equipment. I must mention that I was a manager of the store at this point, so I did have a bit more access and freedom than a regular worker bee. Anyway, I followed these guys around the store day after day, my UNIX/Linux expertise unbeknownst to them, and watched everything they did. To my amazement, with only a tiny bit of invocation, one of the guys actually gave me his password to the command line! For the record, the UID was 3 characters and the password was, take a guess… the same 3 characters! Now that is clearly security hard at work.

Anyway, I went in to work and, being who I am, something caught my eye. I was using the intranet to look up something work related when I noticed that the browser, Mozilla, had a very limited toolbar at the top. This was always the case, but for some reason I just noticed it right now. So, again being who I am, I immediately began to believe that there was no way that the geeks who set this browser up had any idea what they were doing by way of security, so I just knew that the missing toolbar fields were there somewhere, but where? This is a great example of how a painfully simple oversight turns into a painfully real vulnerability. By pressing Ctrl + F10, lo and behold, several “hidden” options became available to me that were clearly not supposed to be available to me.

On the surface you might think, “Who cares, what can the ability to open a file in a browser reveal to you…” Well, plenty, if they also forget to lock the new file creation aspect. The ability to open a file was still not realized from the initial finding. The fact that I was allowed to spawn a new instance of the simplistic text editor, big mistake, was the fatal error. This feature enabled me to open a new file and, even I could not believe this, provided full access to every file on the LINUX tree from root down. There was even a check box to show hidden files! To review up to this point, I have access to a “nopriv” user account from the command line, which I had not yet done anything with, but now I have full root access to view all files on the system from within the browser. I had access to the /etc/passwd and /etc/shadow files, which list all users and password hashes on the system, and I could write files to the system from the text editor from within the browser. At this point this certainly told me, as it should tell you, that the system is extremely vulnerable in many ways from minimal probing and thought methodologies.

This is what is meant by the ability to think like a hacker, an industry phrase that is tossed around all the time as a concept, but never really explained in this type of detail. This is where you have to always be thinking about how something may be vulnerable, or even not just right. This applies to more than just computer information security. Take for example the fact that this same company left customer credit card applications in a locked file cabinet out on the sales floor. Honestly, who thought that was a smart or secure process? I had nothing to do with credit, but I had a key that unlocked everything in the store, including that drawer. The simple fact that it is not a controlled process makes it insecure. How can you validate that the credit apps were actually making it into the locked file cabinet? Or if the associate, yes, a non-manager-level employee, was not going and retrieving them and making copies of the applications, which contain very sensitive information about a customer? People just do not think about security, and this methodology is everywhere, believe me.

Of course, being that I was a wussy, I did not really do anything damaging to the system aside from looking around it and laughing to myself about all of the errors I found, or changing a color on the terminals, or locking up user accounts of people I did not care for. But that is hacking. I didn’t have to destroy anything to get a great deal of satisfaction out of knowing that I found many breaches in the system’s security; that was a reward in and of itself. This experience was really the beginning for me in terms of deciding that a career in information security may be a path worth taking. I was not really interested in becoming a criminal, and infosec as a profession allows you to do the same things as a criminal in terms of hacking without it being illegal. I perform tests on apps all the time and I test UNIX security measures daily; it is my job.

The bottom line is that if you really want to hack for a legitimate living you need to get into security. Or move out of the USA, because you will get caught and put in jail for a long time, just like Kevin Mitnick, and what is he doing now? Security consulting. None of the real attacks that I have seen from my professional experience have come from within the USA. That’s not to say that it doesn’t happen, but I have not encountered anything originating from US soil. Aside from disgruntled employees or asset loss, for example a lost unencrypted laptop, everything comes from outside of our country. Why? Because we cannot prosecute these people effectively across borders; we have no jurisdiction and they all know that. Many countries are not interested in assisting us in extradition of these criminal rings. This is really not news to anyone, I hope.

But ask yourself this: if you were to hack into a bank and gain access to accounts, where would you transfer the money? Exactly, that is the question. The answer most often includes associations with other groups of people to assist in this process, groups that know how to launder money. You are now stepping into the real world of the FBI; are you ready? I have been to several meetings with local FBI units held in conjunction with various financial institutions that I have worked for/with, and they have some very smart officers in their employ; do not be mistaken.
