Black Hat Blues (3 page)

Authors: Rick Dakan

Tags: #Speculative Fiction Suspense

efforts. Well, that and a couple sessions of text-sex. Meanwhile, c1sman’s

set-up pinged away, enumerating the target network. This enumeration

process revealed the target network’s layout, confirming what kinds of

software the servers were using, how they were set up, and most importantly

what their firewall was like. The firewall was the main bastion

between the target network and the big bad world of the Internet, and

the more they knew about it, the easier their job became. C1sman’s

meticulous port scan managed to find the sweet spot between efficiency

and speed (or so he claimed, Paul had to take his word for it), eventually

producing a network map that not only enumerated the firewall but also

mapped all the individual computers (or “boxes” as c1sman referred

to them) in the network. They also knew the most important piece of

information—which ports accepted connections from the outside and

what those ports were used for. Their particular target, while generally

well defended and maintained, was not breaking any new ground when

it came to usage or security. Like most, it used Port 80 for Web servers

and Port 3306 for MySQL connections to its databases, along with a

few other ports, some of which c1sman felt sure were going to provide

them access through which they could launch an attack.

Launching the final attack was going to have to wait, though. It

needed to be timed with everything else, and everything else wouldn’t

be ready until they’d all got set up in Washington D.C. But there was

one stage left before D-Day, and Paul wanted to make sure c1sman saw

Geek Mafia: Black Hat Blues

it through while he was watching. A lot of the basics of network security

hacking were freely available online, and Paul had done his best to

bone up on them in preparation for his “quality time” in Georgia. But

even with c1sman explaining things as he went along, Paul still only

had a vague idea that things were going as planned. He had hoped to

know enough to double check c1sman’s work, but that turned out to

have been some crazy pipe dream. He’d have to trust c1sman’s word

that things were going to go the way they were supposed to, so Paul

had quickly shifted gears from looking over the hacker’s shoulder to

patting him on it. He’d heaped praise and support on the man, along

with a healthy dose of friendship and camaraderie. Plus he’d paid all the

bills and cleared some of c1sman’s more pressing debt (particularly the

back child support that the unemployed hacker had fallen behind on).

It helped that he actually did like the guy, even if he was pretty dull at

times. Hopefully all that together was enough to ensure that the new

recruit really was being on the up and up with him and Chloe and the

rest of the Crew.

“Most good attacks are designed to get control in some way, but the

real skill comes in taking control without being noticed by the network’s

system administrators or intrusion detection software,” c1sman

had explained when they began their ping session. “Finding the exploit

is just the beginning. Retrieving something of value from the system

we’ve penetrated is the whole point. And, yeah, in some cases it’s possible

to just smash and grab, just break into the system and steal whatever

data you can get your hands on. But there’s no art to that kinda

attack and, really just as important, they’re less efficient. Ideally, we

want to leave no trace that we were ever there. A loud, frontal attack

will alert the network administrator, who will then do everything in

his or her power to boot us off the network. But if we never trip any

alarms, we’ll be able to take our time and find what we want. Plus, you

know, if the target doesn’t know their data’s been compromised, then

they won’t take any measures to minimize damage. Once the network’s

owners realize they’ve lost data they’ll start changing passwords, rewriting

code, and generally covering their losses and all our work won’t

mean crap.”

C1sman had written his own arsenal of exploits that used shellcode

to take advantage of specific vulnerabilities that he’d identified in the

various software and hardware configurations of the target network. He

could have downloaded “off the shelf” code from places like metasploit.com

or shellcode.org, but he preferred to use his own versions since the

target system was less likely to have a defense against them. C1sman had

identified a few different approaches that he thought might work, but he

decided to go with a traditional buffer overflow attack since he’d found

a few points in the target network where these might work. “I love me

some buffer overflows,” he’d said once he realized he could use them

in this instance. “They’re my ultimate power-up—I can do anything

with them.”

Understanding exactly how a buffer overflow works required several

explanations from c1sman, even though Paul had read all about them

on his own. It was one of those things that was surprisingly difficult

for a non-programmer to understand. C1sman’s simplest explanation

was, “Every program sets aside a certain block of memory to receive the

input of data, right? Like, for example, a database entry might have a

certain amount of memory set aside to receive social security numbers.

As long as the amount of data entered is equal to the amount of data

the program is expecting (enough for nine digits of an SSN) then everything

is fine. But in some programs, if you enter more than nine digits

worth of data, the program starts overwriting memory space normally

reserved for other data. This can cause some serious problems in normal

circumstances. But when someone like me finds something like that, it’s

like handing me the house keys and the security code. I can insert my

shellcode right into the space, and BAM! My shellcode overwrites good

data and then gets executed as if it were part of the normal program!

The shell runs, it opens a door for me from the outside and wham, bam,

thank you ma’am, I own the box.”

When Paul had asked him how common it was to find such buffer

overflow vulnerabilities, c1sman had shook his head in disgust. “It

shouldn’t happen at all, except people are lazy. It’s entirely possible to

write software that has no buffer overflow vulnerabilities in it. It just

requires the programmers to be very security conscious as they code.

But all the crap today’s so huge and bloated and manager driven, with

the work of multiple software engineers all trying to make their code

work together, it just gets sloppy and messy. Besides, most programmers

aren’t security people and don’t write code that’s good for security—it’s

hard enough to get these things working in the first place without worrying

about leaving buffer overflow holes.”

C1sman writing his custom shellcode seemed to Paul like more work

than was necessary. He’d started to suspect that the hacker was delaying,

either because he was afraid of breaking the law or didn’t want Paul

to leave. As delays mounted and days passed, Paul grew restless. Chloe

needed his help with other parts of the plan and he was getting sick of

Athens and c1sman. They needed to move. The original plan had been

for them to insert the shellcode, own the system’s key boxes, and then

sit and wait until it was time to grab the data they needed. C1sman

would chill in Athens while Paul went back to Key West to help make

final preparations before they all went to DC. Except at this rate he’d

have to go straight to DC from here and Lord only knows what would

be missed if he wasn’t on hand to direct things. But c1sman insisted

he wasn’t stalling—that it was hard work and he wanted to make sure

everything worked right. For all Paul knew, he was telling the truth.

What Paul did know was that c1sman needed some extra motivation.

So during the down time, Paul started talking up Key West. The parties,

the women, the relaxing atmosphere, the women. While he wasn’t

quite ready to let c1sman stay at the Crew house, he could easily find

someplace for him to stay down there. A little bungalow with a private

pool that was strip club adjacent maybe? And some spending money?

C1sman eschewed the strippers, at least out loud, but Paul’s temptations

were getting to him. Or maybe he just really did happen to pull

his code together the night after Paul promised to take him down to

Key West as soon as they’d cracked the target network and owned the

boxes they’d need to on D-Day. From Paul’s point of view, watching

c1sman work, he couldn’t see the difference from one moment to the

next. Numbers and letters changed on a screen and the hacker hooted

with real, unreserved joy. Paul didn’t think he had it in him to fake that

kind of enthusiasm. They had root. They would be ready to go whenever

Paul said the word.

Now, four weeks later, they were in a mini-suite in the Marriott and it

was time. “All right c1s, you ready?” He dug his hand into the hacker’s

shoulder, massaging some tiny fraction of the tension out of him.

“Yeah. I think I am. Yeah. We’re ready… .” he drifted off as he typed

a few more commands into one of his machines. “OK. Now we’re

ready… Ready now.”

“Your time to shine, buddy,” Paul said. He looked around the room.

Chloe was watching from the corner, wiping some pizza sauce from her

lips. Sandee had looked up from his laptop. Bee kept doing whatever it

was she was doing with her soldering iron, oblivious to the rest of them

in her focus fugue. Chloe smiled and nodded and Paul patted c1sman’s

shoulder three times. “Let’s get started.”

Chapter 2
c1sman
•  before

Chris had a love/hate relationship with hacker cons, but at this point

in his life, any relationship with at least some love in it was worth

clinging to as hard as he could. OK, things weren’t that bad really. He’d

wanted the divorce as much as Jessica had, if not more, and they’d been

separated for almost two years now. What he hadn’t expected was that

she’d take Shawn and move to Arizona to live at her mom’s, or that

Athens without her and their child would be so, so empty. Whereas

before he’d yearned constantly for a little more time for his projects, a

little more privacy and silence so he could just think a problem through,

now that was all he had. His college friends were long graduated and

only slightly less long gone. His family was in Tennessee and, to be

honest, bored him stiff anyway. Then his job had evaporated as well,

leaving him home alone with no one to have a beer or catch a movie

with. Of course his primary social circle on IRC remained as close as

ever, and he was pretty sure that without them he’d have gone insane

in some particularly depressing way. As it was, he could stay in touch

with his friends, trade gossip and exploits, and always find some interesting

project to throw a little bit of his coding expertise at. And just as

important, those friends spread out all over the world could throw him

freelance work from time to time, enough to keep him above water and

in burritos and beer at least. Also enough, as a disappointed Jessica had

pointed out, to make him think he didn’t have to go out and find a real

job. But he had a plan—his one-off contracts were starting to blossom

into repeat clients and at this rate he’d have his own little computer

security consulting company up and running within a year. Two at the

most. He might even be able to hire on some help.

Until then though, the only quality time Chris was likely to get with

any of his intellectual or social peers (i.e., hackers) was at conventions.

But with his reduced available funds, he couldn’t afford to attend anything

he couldn’t get to on a tank of gas, and where he had at least three

people to split the hotel room with. That pretty much left CarolinaCon,

one of his new favorites, and then the old warhorse, SECZone, which

he’d been going to since it started. SECZone 5 was over in Atlanta, a

venerable little hacker con that Chris had volunteered at for the past

two years. This year he and a couple other guys were in charge of setting

up the NOC and the con’s wireless network. So right there he’d already

broken his own rules on expenses because that had meant driving over

to Atlanta every weekend for the month leading up to the con in order

to get everything set up in the hotel. In exchange for helping the hotel

upgrade its own network, the owners were allowing this extra access,

and Lor3n, the guy who founded and ran SECZone, was paying Chris

a small fee and comping his hotel room, which allowed Chris to write

the whole thing off as a business expense. He’d have to remember to

actually do that when tax time came. Despite all the perks, all this

preliminary work was part of what he hated about hacker cons. It really

was too much like real work, but he knew it had to be done and there
