Tuesday, February 26, 2008

The Hack without a Hack - Part 1

As a tribute to Security Monkey I am going to start publishing my own "case" files. However, instead of looking through the eyes of an investigator I am going to look through the eyes of an attacker. My goal is to give a different perspective to attacks in order to help understand why some attacks occur as well as how they occur. This first one is called "The Hack without a Hack".

Bill sat at his computer and cursed his job once more. To say he was unhappy was an understatement. Just three months ago he had been the head of the helpdesk of a large transportation corporation. Now, due to "cutbacks", he was the one-man personal help desk for a bunch of whiny traders at a national bank...and making $30,000 less a year. It couldn't get any worse.

His phone rang. He realized it just did.

------------------

Twenty minutes later Bill came back to his desk, swearing under his breath. Stupid traders, he thought. Bill hated the traders but this one, Louis, was the worst. Always having idiotic problems with his computer which wouldn't happen if he didn't download so much crap. This time was no exception.

Louis' computer had frozen and after a reboot he only let Bill look at the computer for five minutes before he had to get back "to the market". Kid was probably 10 years younger than him and made triple his salary. Man, how he would love to do something to him.

Bill had figured out the problem after seeing an icon in the desktop that wasn't supposed to be there. Louis had once again downloaded some new application to stream market reports to him. The problem was it was written poorly and had crashed the machine. Of course, due to the "market being open" Bill was only allowed to get the PC back up and running (a reboot) and then had to leave.

Unbeknownst to Louis, however, Bill had gotten the local administrator password to his machine. It wasn't hard - the company had the same administrator password on every computer. With the password, he could mount Louis' drive remotely to see what else the he had installed. Maybe he could even find something he could anonymously send to internal security to get Louis fired. He smiled at the thought as he began looking around.

Within minutes, Bill found something that piqued his interest. Within the trader's home directory on the system he found the trader's Hummingbird XStart file to the remote trading server.


So, any thoughts as to what Bill could be planning?

No comments: