Hacking (sorry, no pun)

Postby Enzo » Fri Mar 29, 2013 2:29 am

I hear about various systems being hacked more and more lately, so I got to wondering. How does hacking work? I mean how does one go about it? I am not interested in breaking into a system, just an overview of what goes into it. I can watch the computer nerds on NCIS or other detective shows, and they tap like mad on the keyboard, et voila they are into the DOD or some such. But there are recent concerns that someone could hack into the power grid system and cause major shut downs or worse.

Why would our power grid and nuclear power plants be on the internet anyway? Or the armed forces. Seems less than secure to me. But I sure wouldn't even know where to start if I wanted to get into such a place. Obviously somehow they have to crack a password or two or three. I have to think that the power company doesn't use passwords like "Little Joey 2-13-97". Without inside knowledge to start with, what would they do? Not to mention what to do once you get there.

I have heard of programs that keep banging away with password variations, but that could take ages, and I would have to think that systems are sophisticated enough these days to recognize that a particular place was repeatedly trying variations of passwords. Hell, my credit union will freeze my account if I fail the password three times. My fat fingers found that out the hard way. I had to call them to get it back in shape.
E Pluribus Condom
User avatar
Enzo
Enlightened One
Enlightened One
Chortling with glee!
 
Posts: 11956
Joined: Thu Feb 23, 2006 5:30 am
Location: Lansing, Michigan

Re: Hacking (sorry, no pun)

Postby Мастер » Fri Mar 29, 2013 3:50 am

Enzo wrote: Why would our power grid and nuclear power plants be on the internet anyway? Or the armed forces. Seems less than secure to me.

A lot of these places will be on a private network, which is walled off from the big bad internet by a firewall. If you can penetrate the firewall, then . . .

Enzo wrote: I have to think that the power company doesn't use passwords like "Little Joey 2-13-97".

You can go ahead and think that if you like!

Enzo wrote: I have heard of programs that keep banging away with password variations, but that could take ages, and I would have to think that systems are sophisticated enough these days to recognize that a particular place was repeatedly trying variations of passwords. Hell, my credit union will freeze my account if I fail the password three times. My fat fingers found that out the hard way. I had to call them to get it back in shape.

Some possibilities.

(a) Harvest passwords which are stored on systems which are already compromised.

(b) Monitor passwords as they are transmitted across a network and transit compromised systems.

(c) Have an insider.

(d) Social engineering - hello, I'm from IT support, we've been seeing some unusual activity, if you can just let me log into your account . . .

(e) Dumpster diving.

Yet another possibility is the classic buffer overflow attack, which does not require a password. The basic idea:

(i) Attempt to access a whole bunch of IP addresses, trying each port. Typically, specific services (email, FTP, HTTP, etc.) are associated with specific port numbers.

(ii) When you get a connection, look at what it tells you. Many systems helpfully respond with a text message informing you of the service being provided, and the name/version of the server program which is providing it.

(iii) Exploit known vulnerabilities, such as buffer overflow. This one involves sending a message to the server for processing (e.g., send a login request with a super-long password, or a super-long email header). The software with a buffer overflow vulnerability copies this input into a memory location without checking to see if the maximum length is exceeded. If the maximum length is exceeded, the input overflows the allocated memory location, and is copied into memory that might possibly already contain the program instructions to be executed.

(iv) If those instructions are to be executed at some point, the excessively long input which was copied there and which overflowed the buffer is now executed instead. This input will typically consist of a whole bunch of "JMP" instructions (you don't really know what instructions your input will overwrite, so you don't know where you will gain control) to the beginning of a piece of code that does what you want.

(v) If the server program which has thus been exploited is running with "root" privileges, the game is over and the hacker has won. Any instructions at all can be executed, including installing a new hidden user account with administrative privileges, modification of the software on the site to hide the presence of the compromise, etc.

There are other typical exploits, on user machines, plant malicious code on a web site and hope that the user browses to it. (Or just send it by email, and hope they click on it.) If the user machine is not running software with known exploits (e.g., programs which will execute programs found on-line without properly restricting access to system resources), you're in.

Some ideas . . .
They call me Mr Celsius!
User avatar
Мастер
Moderator
Moderator
Злой Мудак
Mauerspecht
 
Posts: 23936
Joined: Tue Aug 02, 2005 2:56 pm
Location: Far from Damascus
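
The unchecked copy described in step (iii) above, next to the bounds check that prevents it, written in C. This is an added example, not code from this thread; the record layout, the 32-byte limit and the function names are my own assumptions.

```c
#include <string.h>

/* Hypothetical server-side record (my layout, not from the thread): a
   fixed-size password field followed by a flag the login handler consults. */
#define PASSWORD_MAX 32

struct login_request {
    char password[PASSWORD_MAX];
    int  authenticated;
};

/* Vulnerable pattern from step (iii): the input is copied with no length
   check, so anything longer than PASSWORD_MAX - 1 bytes writes past the
   field into whatever follows it. Kept for comparison only; never called
   with oversized input in this file. */
void unsafe_set_password(struct login_request *req, const char *input) {
    strcpy(req->password, input);
}

/* Hardened version: measure the input against the field size first and
   refuse anything that does not fit together with its terminating NUL. */
int safe_set_password(struct login_request *req, const char *input) {
    size_t len = 0;
    while (len < PASSWORD_MAX && input[len] != '\0') len++;
    if (len >= PASSWORD_MAX) return -1;     /* reject: would overflow the field */
    memcpy(req->password, input, len);
    req->password[len] = '\0';
    return 0;
}

/* Constructed sample input: a "super-long password" of 200 'A's, the shape
   of input the post describes. Returns 1 when the hardened path rejects it
   and the neighbouring flag is left untouched. */
int demo_oversized_input(void) {
    char long_password[201];
    struct login_request req;
    memset(long_password, 'A', 200);
    long_password[200] = '\0';
    memset(&req, 0, sizeof req);
    return safe_set_password(&req, long_password) == -1 && req.authenticated == 0;
}

/* Boundary: PASSWORD_MAX - 1 characters fit, exactly PASSWORD_MAX do not. */
int demo_boundary(void) {
    char exact[PASSWORD_MAX + 1];
    struct login_request req;
    memset(&req, 0, sizeof req);
    memset(exact, 'b', PASSWORD_MAX);
    exact[PASSWORD_MAX] = '\0';
    if (safe_set_password(&req, exact) != -1) return 0;   /* 32 chars: reject */
    exact[PASSWORD_MAX - 1] = '\0';                       /* now 31 chars */
    return safe_set_password(&req, exact) == 0 && strlen(req.password) == PASSWORD_MAX - 1;
}
```

The same check applies to any fixed-size field that receives network input (e-mail headers, file names, URLs); the field size must be compared against the input length before the copy, not after.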

Re: Hacking (sorry, no pun)

Postby Enzo » Fri Mar 29, 2013 4:24 am

Oh... so much of that was over my head already. Thanks though.

I can think of strategies like pretending to be someone on the phone or having an inside guy. Con artist stuff. I just had an image like a bunch of computer geeks sitting around decide "Hey, let's hack Citibank." Or Blue Cross. Or United Airlines. They sit down and...(magic happens)... and there they are.


I know people who work at internet companies, they have passwords that change daily, by the hour, and even some passwords that change with each use. They have some way of knowing what to enter. I must be naive then to assume that power companies and the DOD are not that sophisticated.

Re: Hacking (sorry, no pun)

Postby Мастер » Fri Mar 29, 2013 6:25 am

Enzo wrote: I can think of strategies like pretending to be someone on the phone or having an inside guy. Con artist stuff. I just had an image like a bunch of computer geeks sitting around decide "Hey, let's hack Citibank." Or Blue Cross. Or United Airlines. They sit down and...(magic happens)... and there they are.

I'm not in that club, but I suspect there are a lot of conversations like that. However, the success rate may be relatively low. My impression is they have to be opportunistic, try lots of things, until they find something that works.

Lance may know more about this than I do, but three broad categories of attacks spring to my mind.

(a) password compromises

(b) exploits of bugs in various server software, often (but not always) by submitting input that will overflow the place where they store the input

(c) duping someone into running malicious code themselves, by visiting a bad website or opening an email file

Enzo wrote: I know people who work at internet companies, they have passwords that change daily, by the hour, and even some passwords that change with each use. They have some way of knowing what to enter. I must be naive then to assume that power companies and the DOD are not that sophisticated.

Oh, that may be - there used to be (and still are) these little devices with an LCD window displaying a number which changed every thirty seconds, if you didn't have the password plus the constantly changing code, you didn't get in. But even in a lot of cases where good password security is observed, you can have problems - if someone accesses the system from the buggy, virus-infested shitty computer in the lobby of the Motel 6, it might have spyware which logs the key strokes.

I've installed Linux systems myself (nothing too serious, just messing around), and for a couple of years, I stood exposed with nothing between me and the internet. As far as I know, my systems were never compromised, but of course you never really know that for sure. And if they weren't, it probably wasn't so much because I was such a great systems administrator, but because I hardly installed any networked services on my computers - just the bare bones, only what I needed. You get a Linux system, it comes with hundreds of software packages, each one of them has a different way of being configured, you can't possibly be an expert in all of them - all it takes is one careless mistake, one misconfigured server program, and you have an open door into your system. It's hard to run a feature-rich system with no vulnerabilities. Especially if you are understaffed :)

I have no direct experience with these things, but I think some of the super-secure places have totally separate networks for their secured systems. So the guy in the missile silo doesn't use the same computer to fire the missile and to browse porn. But any connection at all between the secured network and the public network is something that could potentially be subverted. Even if they are totally separate, you still need to do things like install software on the computers on your secured network, so some files must be brought in from the outside world - if any of them are subverted, well . . .

Maybe Lance knows about these things :)

Re: Hacking (sorry, no pun)

Postby Enzo » Fri Mar 29, 2013 1:32 pm

Well, missile silo is a good example. I first started considering all this when the CIA or whoever hacked into the Iran nuclear program and somehow got their centrifuges to not work... or something like that. And I thought then, why would the Iranians connect their nuclear centrifuges to the internet?

Re: Hacking (sorry, no pun)

Postby Lance » Fri Mar 29, 2013 3:11 pm

You've covered it pretty well, Mactep. Social engineering is a biggy these days.
No trees were killed in the posting of this message.
However, a large number of electrons were terribly inconvenienced.

==========================================

Build a man a fire and he will be warm for a few hours.
Set a man on fire and he will be warm for the rest of his life.
User avatar
Lance
Administrator
Administrator
Cheeseburger Swilling Lard-Ass who needs to put down the remote and get off the couch.
 
Posts: 91421
Joined: Thu May 12, 2005 5:51 pm
Location: Oswego, IL

Re: Hacking (sorry, no pun)

Postby Мастер » Fri Mar 29, 2013 3:18 pm

Enzo wrote: Well, missile silo is a good example. I first started considering all this when the CIA or whoever hacked into the Iran nuclear program and somehow got their centrifuges to not work... or something like that. And I thought then, why would the Iranians connect their nuclear centrifuges to the internet?

I don't know if they did, or if the mode of infection was from movement of USB sticks or other such things to computers which were connected to "Iran Centrifuge Net" or whatever it is called.

Re: Hacking (sorry, no pun)

Postby Мастер » Fri Mar 29, 2013 3:38 pm

The Wikipedia page, http://en.wikipedia.org/wiki/Stuxnet, has a very brief section describing the mechanism of infection. It apparently used several methods to infect non-internet-connected computers. (USB sticks, etc.)

Re: Hacking (sorry, no pun)

Postby Lance » Fri Mar 29, 2013 3:51 pm

Yeah, and once it got on the private network it would propagate that way.

Re: Hacking (sorry, no pun)

Postby Мастер » Sun Mar 31, 2013 1:00 am

Enzo, thinking a bit more about this (and purely speculatively, having no direct experience with this), I am trying to imagine what it is like to run something like Iran's centrifuges.

These are machines, running some embedded software, and they (the machines and presumably also the software) are produced by Siemens. They need to be controlled somehow - unless you are going to walk up to each one and push some buttons on it manually, they have to be networked together and computer controlled, and you probably need to do that anyway for monitoring purposes. Even if the computer doing the controlling is on a totally isolated network, it has to run some operating system. Windows, Linux, whatever. This operating system has to be installed; once it is installed, you can either do the updates (which requires it to be updated by an external source somehow), or not. If you want to do any kind of analysis (even something as simple as just copying the production figures into a spreadsheet), you either have to do it on a computer connected to the centrifuge network, or you have to do it on a separate network. If you do it on the centrifuge network, then the software to do it has to be imported somehow, or developed entirely on centrifuge-net, in which case the development tools would have to be imported (or themselves developed in-house on-net). If you do the analysis off-network, then the data has to be transferred from centrifuge-net to an off-net computer. How will this be done? Someone can sit, full-time, round-the-clock, and read the information off the screen of the on-net computer, and type it into the off-net computer. Or maybe just periodically read a log-file from the net-based computer and type it into the off-net computer manually. Or you can transfer it, which requires a network, a USB stick, or something like that. Siemens may produce a bug-fix version of the embedded software for the controllers, which then has to be downloaded and installed.

And so on. It seems to me, you must have some connection between centrifuge-net and the outside world, or you basically must replicate the efforts of the entire software development industry on-net.

Re: Hacking (sorry, no pun)

Postby Lance » Sun Mar 31, 2013 3:36 am

I read a bit about this yesterday. Apparently the controllers are normal PCs running Windows with the addition of some Siemens software. They were networked but not externally accessible. The worm was designed to install itself from USB flash drive and then infect the private network via RPC.

http://en.wikipedia.org/wiki/Stuxnet

Re: Hacking (sorry, no pun)

Postby MM_Dandy » Mon Apr 01, 2013 8:11 pm

I'm pretty sure that the monitoring systems were likely PCs running windows, which were networked to the Siemens PLCs. Stuxnet also infected the PLCs in order to disrupt the normal operation of the centrifuge motors, and to hide the fact from other, possibly uninfected monitors. At any rate, since the systems were not networked to the outside world, Stuxnet was transmitted to the centrifuge systems via USB stick or similar means.
User avatar
MM_Dandy
Moderator
Moderator
King of Obscurity
 
Posts: 4927
Joined: Thu May 12, 2005 9:02 pm
Location: Canton, SD, USA

Re: Hacking (sorry, no pun)

Postby Enzo » Tue Apr 02, 2013 12:11 am

Duh, it never occurred to me to look that up.

OK, I admit my vision of hacking was TV kids going to their room, logging online, tapping a lot of keys, and getting in there. Of course it makes a lot more sense if someone left the back door open or some other subterfuge. Or worse yet, some sort of Jeff Goldblum, install the virus into the alien computer sort of thing. I suppose as someone in show business I ought to know that the appearance of something is not necessarily the reality of it.

Centrifuge subterfuge.

Re: Hacking (sorry, no pun)

Postby Lance » Tue Apr 02, 2013 7:05 am

Enzo wrote: Centrifuge subterfuge.

:glp-rimshot:
