Preface — For Everyone

Preface

For Everyone

Hack v. To cut or chop with repeated, irregular blows.

When I was a young man, the word hacker had a sinister connotation. Criminal. Breaking into other people’s networks. Stealing information. Buying without paying. Changing your grades. The definition of the word “hack” has evolved, until today there are “avocado hacks”. The word has come to mean any clever trick or use. But, once upon a time, as portrayed in the movies, hacking meant sitting and working at a computer. Thinking. Programming. Trying this. Trying that. Until, until…you got into someone else’s system. Stole defense contractor secrets. Penetrated the military, FBI or DMV. Like a locksmith or thief, banging away with a chisel. Until the door opened. You figured out how to get into someone’s computer or network without having a legitimate password or account.

Reverse engineering is quite a legitimate pursuit. So long as you don’t violate someone else’s property rights. Picking your own lock, or being a locksmith hired to pick the lock of a car by someone who has locked themselves out, is quite legitimate. Engineers of all kinds have been reverse engineering for centuries. But, hacking was different. Hacking has changed over the years. Hacking has now become an acceptable term which needs qualification. White hat hackers. Black hat hackers. Grey hat hackers.

Like Gandalf the Grey and Gandalf the White, they’re the good guys. White hat hackers are the good guys. “Security professionals” is the new term for “good” hackers. Security professionals protect individuals and companies from the bad guys, by preventing break-ins and thefts. Even, by identifying criminals and security holes.

Grey hat hackers. Well, sometimes they help the good guys. Sometimes, they do questionable things. The hacking group “Anonymous”, for example, probably considers themselves the good guys. Yet, they do things of a dubious legal nature. While most of us agree that it is OK for them to hack into Twitter and expose terrorists1, sometimes it can be argued that their exposures cross the line.

For sure, the authorities have negative things to say about vigilantes, who can act rashly and be hotheads. While human rights activists may feel perfectly fine with hacking into a police facility and airing stolen video tapes documenting police brutality2, technically, legal it is not. Although they may have had some justification, seizing control of a NASA drone3 and crashing it seems outright malicious to me. (The seizure and/or destruction of the drone is in dispute. NASA denies they lost control of the drone4.)

Such exploits are called “hacktivism”. Political hacking with activism. People’s perceptions and understandings of morality and ethics become blurry in virtual situations. While people accept boycotts as legal and proper, vandalism is not legal.

What about the defacing of a website? You cannot legally graffiti a company’s premises.

Denial of Service attack (DoS)? A DoS disables a server. If hacktivists make a company’s Internet server unavailable, this means the company cannot do business. When Yahoo’s servers are attacked and you can’t get your email, is that right to you? When Amazon’s servers are attacked and you can’t shop, does that feel right to you? If you owned Amazon, how would you feel?

You can boycott an establishment. But, you cannot block the door. A Denial of Service attack is blocking the door. Even the hacktivists must concede that the goal of a Denial of Service attack is to deny customers access to the website and to prohibit the company from doing business. Yet, such exploits may be justified by grey hat hackers.

“Even Leonardo da Vinci had an art teacher.”

Givon Zirkind

When I was younger, I was in awe of hackers. They knew so much! Such geniuses! I couldn’t imagine I could do such things myself. I couldn’t figure out how they figured such stuff out! Then, I heard a story about a hacker who knew all about the phone networks. Turns out, he learned this by…reading a book! A book published by Ma Bell. This book happened to be sitting on a university library bookshelf. The book was a manual full of control codes. Smart guy? Yes. But, he read the book.

Then, I read Kevin Mitnick’s books. Kevin Mitnick is an infamous, or notorious, hacker. He wrote several books describing his criminal hacking history. Ghost in the Wires is his latest and best rendition, IMHO. These books also include security guides. They are required reading in some universities as part of their cyber security courses5. After reading these books, I didn’t feel so bad. Is Kevin Mitnick smart? Yes. Is that what made him a good hacker? No. Most of his hacking relied on “social engineering”.

Once upon a time, “social engineers” were called con men. I prefer that term. I think it is far more factually descriptive.

This is a con: You call the secretary at the front desk and tell her you were just hired. You don’t have the phone number for the computer room. Could she please give you the number? You just started and can’t seem to log in. You have to get this report done! (Sound frantic.) You don’t want to lose your job. You really need this job. The receptionist gives you the number. Don’t forget to thank her profusely for saving your job. Otherwise you would be homeless for sure. … Then, you call the computer room and tell them, “This is Joe, in accounting. … Oh, you don’t know me because I just started Monday. I can’t log in. Please reset my password. What?! You can’t find my account?! Please, make me a new one now!!! I have to get this report done for my supervisor. If I don’t, I’ll be fired before I even get started!” With some sniffing and crying, possibly get a young lady accomplice. That helps too. The computer operator gives you an account and a “temporary” password, which you will reset immediately.

You and your lady friend can share the account. Just don’t log in together at the same time. After being so smart, you don’t want to get arrested by doing something stupid, do you? Someone might notice that an unauthorized person is logged in and investigate. Even if authorized, one person can’t be in two places at once, right? Then, they’ll find out that neither of you belongs there! Both of you are trespassing. The end of your glorious hacking career.

Yes, that scenario, hackers being caught because they were logged in at the same time from two places at once, did happen.
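The signal in that story, one account with open sessions from two different machines at the same time, is easy to check for. The following Python is an added illustration, not code from the book; the log line format and the sample lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (not real data). Assumed format:
#   "<timestamp> <login|logout> user=<name> from=<host>"
SAMPLE_LOG = """\
2016-03-07T09:00:00 login user=joe from=10.0.0.5
2016-03-07T09:05:00 login user=alice from=10.0.0.9
2016-03-07T09:10:00 login user=joe from=192.168.1.20
2016-03-07T09:30:00 logout user=joe from=10.0.0.5
2016-03-07T09:45:00 logout user=alice from=10.0.0.9
2016-03-07T10:00:00 logout user=joe from=192.168.1.20
"""

LINE_RE = re.compile(r"^(\S+) (login|logout) user=(\S+) from=(\S+)$")


def find_concurrent_sessions(log_text):
    """Walk the log in order and report every login that begins while the
    same account still has an open session from a different host.

    Returns a list of (user, existing_host, new_host, timestamp) tuples.
    A second login from the same host is not reported; only the
    "one person in two places" case from the story is flagged."""
    open_sessions = defaultdict(set)  # user -> hosts with a live session
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the assumed format
        ts, event, user, host = m.groups()
        if event == "login":
            for other in sorted(open_sessions[user]):
                if other != host:
                    findings.append((user, other, host, ts))
            open_sessions[user].add(host)
        else:
            open_sessions[user].discard(host)
    return findings


if __name__ == "__main__":
    for user, h1, h2, ts in find_concurrent_sessions(SAMPLE_LOG):
        print(f"{ts}: {user} already logged in from {h1}, new login from {h2}")
```

On the sample lines only joe is flagged, for the 09:10 login from 192.168.1.20 while the 10.0.0.5 session was still open.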

Back to Kevin Mitnick. Using that kind of con, did Kevin Mitnick get a login to the system? Yes. Did he hack the system? Well…

He certainly went where he shouldn’t have. He got behind a locked barrier. He didn’t tunnel. He didn’t pick a lock. He didn’t grapple down the back way and into a window. He conned the guard.

Now, that is a talent. It takes a certain personality and mindset. But, these are not technical skills. This was not a technical route in. This is not reverse engineering.

Yes, Kevin Mitnick conned an engineer into giving him a copy of SCO Unix. Then, Kevin Mitnick was able to read the source code and look for weaknesses to exploit. Then, Kevin Mitnick could write fake patches and updates. Then, con some more people into installing these malicious updates. That is a lot more like hacking! But, still, there is a lot of conning.

But, technically, this was not a technical route in. This is not reverse engineering.

It’s not like Kevin Mitnick wrote or used a decompiler to reverse the Unix machine code, then read it and made sense of it.

Reverse engineering is when you take something apart and figure out how it works.

If you do that to a security system, then, if need be, you can pick the lock.

There are more legitimate routes to hacking than the route Kevin Mitnick took. To be fair, these routes did not exist when Kevin Mitnick did his hacking, but they do exist today. There is a lot of open source software that needs debugging and security research. There are lots of companies who are now crowdsourcing debugging and security research. Companies are hiring freelancers to find bugs, security weaknesses and vulnerabilities in their software. Companies pay these freelancers with rewards.

Going after a reward can be disappointing. I personally have lost out on such an adventure6. However, others luck out. Sometimes, they strike it big7.

I will devote some time to discussing who is offering what and provide lists, web sites, etc. Google, for one. Firefox, Ubuntu, Uber, United Airlines (free miles) and others. As I am writing this book, the Pentagon8 has jumped in: it is starting to use the crowdsourcing model that Google is using and is now offering bounties to U.S. citizens who hack Pentagon sites. [Details in the chapter ‘Being a Security Researcher’].

You can set up your own test networks and practice. Then, try to hack into companies putting up bounties to see how secure their systems are. Usually, by hacking your own account. You can quite legitimately be a hacker, an ethical hacker, and make money too. If you prefer, you can be a “security researcher”. If you want to sound really glamorous, you can be a “cyber security researcher”. You could even write a book about your exploits. 😉

Strategy & Tactics. Reverse engineering requires a strategy and tactics. Both strategies and tactics are plans or methods for doing something. In our case, reverse engineering software. The difference between a strategy and a tactic is that a strategy is a global, all-encompassing, overarching idea or philosophy that will permeate, be part and parcel of, what you do to achieve your goal. Ex. Know your target. A tactic, on the other hand, is a specific action or maneuver to achieve a specific goal, a way to win this battle. Ex. Bugging a target’s phone is a specific way to know your target.

Plans & Methods. You need a plan to reverse engineer. Your plan should be methodical. Reverse engineering does involve a lot of intuition. You will have “Eureka” moments.9 You should let the Force flow and go with your instincts. But, you also need a standard method to follow for when you do not intuit solutions. Here is my recommendation and how I would go about this.

  1. State your objective.
  2. Devise a general plan for understanding / learning the technology involved.
  3. Identify critical areas of the design that must be understood / known.
  4. Use / exhaust all known conventional methods of attack.
  5. If no conventional methods of attack work, contemplate the goal.

For example, at the time of the writing of this book, Google has offered a reward for a hack. This is called a bug bounty. The details of the hack are stated. Using the teaching axiom of putting it into your own words, rewrite the bug bounty.

Objective: To gain access to the system, especially admin [administrator] access through the guest account. Then, to be able to either make significant alterations to the system and/or download data, especially email & password data.

This isn’t exactly the full statement by Google, nor all-inclusive of it. However, this objective does crystallize in my mind what it is that I have to do, which is a subset of the bug bounty.

The plan for learning the technology:

  • We need some software.
    • We need a working copy of the operating system to play with.
  • We need some hardware.
    • We need a computer that runs on this operating system.
  • We need as much documentation as we can get.
    • We need the source code of the operating system.
    • We need as many copies of past exploits as we can get.
  • We need to actually read the source code of the operating system.

The plan for identifying the relevant, critical modules:

  • The Login module
  • Any encryption modules
  • Any access right modules
  • We need to identify the Internet access modules.
    • We need to learn if & how Internet transmissions can be used to write to the [computer’s] disk.
  • We need to identify the user & password files by name and location in the file system.
  • We need to identify how the user & password information is stored, encrypted, etc.

An operating system is BIG. We don’t need to know the whole operating system. But, there are parts that we do need to know.

The plan for using / exhausting previous attacks:

  • Study any previous hacks on Chrome OS, esp. guest account access or account privilege escalation.
  • Study the flaw in Microsoft Windows that allowed cracking of the password file through the guest account. See if this can be duplicated.
  • Google and study any other similar successful attacks.
  • Research Carnegie Mellon and CERT for any similar successful attacks.

If none of this effort is successful, review what we have learned. Review what did not work. Review what we know. Contemplate. Think.

1 Ex. NY Post, Anonymous Attacks ISIS Supporters Online, February 10, 2015; http://nypost.com/2015/02/10/hacking-group-anonymous-attacks-isis-supporters-online/

2 Ex. ANONYMOUS Final Warning Message to Torrance Police – YouTube; youtube.com/watch?v=hkAQCC9l2hw

6 AFIS data compression: an example of how domain specific compression algorithms can produce very high compression ratios, Givon Zirkind, ACM SIGGRAPH Computer Graphics, v.41 n.4, November 2007; http://dl.acm.org/citation.cfm?id=1331103&CFID=609724636&CFTOKEN=77692863

8 FYI: I registered for the program. Filled out the W9. Never got an invitation. Was told my email is not in the system. Verified that I could sign in with my email. Wrote them that I was able to sign in, so my email is in the system. They responded that they will check it out and get back to me. I am still waiting. With such inefficiency, we need not wonder why their websites and networks are lacking in security.

9 There is a famous story about Archimedes, a Greek mathematician and genius. The king posed a problem to Archimedes: to weigh a huge amount of gold. While Archimedes was taking a bath and noticed the rising water level, he realized that there was a law of physics at work and that he could use that law to solve his problem. Allegedly, he jumped up from his bath and then ran through the streets nude screaming “Eureka”, “I found it” in Greek. He then wrote a book about specific gravity and how to find the center of gravity. That book is titled “Floating Bodies”. “Floating Bodies” involves some Greek math and is written in the same style as Euclid. If you read Euclid and The Method you should begin to see the corollary in the logical format used by the ancient Greeks. Dover Publications is noted for their publications of Euclid and Archimedes. Also, you can find digitized copies at “onlinebooks.library.upenn.edu”.

Reference to the famous story: https://en.wikipedia.org/wiki/Eureka_(word)