You’ve Been Hacked! Answers


Answers to "You've Been Hacked" Crack the Hacker Challenge

By Ed Skoudis, March 3, 2004

Thank you so much for all of the wonderful entries to our February 2004 challenge.  We had some interesting analysis in several of the submissions.

Before I announce the winners of the challenge, though, here are my own answers to the four questions:

1) Why hadn't the privacy settings in Tom's AIM client or the digital certificate in Meg's client encrypted their connection?

As many of our respondents correctly pointed out, AIM's privacy settings have nothing at all to do with encryption.  The privacy settings determine whether other AIM users can see if you are currently logged into AIM.  They also allow users to identify from whom they'll receive messages.  Even with the strictest privacy settings, your AIM chats are entirely in clear text.  In our little scenario, Meg hadn't limited her privacy settings that much, as Th3R3alShak3sp3ar3 was able to chat with her.

This whole scenario is based on a real-world incident I was handling.  No, there weren't any star-crossed lovers.  In the actual case, a manager of a stock-trading floor contacted me to ask about AIM security.  You see, his brokers were using AIM to communicate with their high net worth customers, moving millions of dollars around based on nothing more than instructions sent via a friendly AIM chat.  He thought the data was encrypted because each of the brokers on the trading floor had a certificate!  However, none of their customers had certificates, so all data was in the clear.  They even had a process for explaining to customers that they should see the little "lock" icon in their AIM clients to make sure the connection was secure.  That lame AIM lock icon is highly confusing, because it only means that the other side has a certificate.  Unlike the lock icon in your web browser, the icon in AIM does not mean that the connection is encrypted.  OUCH!  The manager of the trading floor was highly upset at this revelation, and now understood why dastardly bad guys were able to see his customer communication.

2) How can Meg and Tom employ an encrypted protocol for communication using AIM?  What other chat programs offer better security features?

If both Meg and Tom get certificates, AIM can encrypt the data going back and forth across their chats.  You can get your very own certificate for AIM for free at this website: http://www.aimencrypt.com/ .  Of course, you have to decide whether you trust the folks behind AIMencrypt.  Alternatively, you can buy an AIM certificate from Certificates "R" Us… I mean Verisign.  For $14.95 per year, you can be the proud owner of an AIM certificate from Verisign by clicking here: http://www.verisign.com/client/enrollment/aim.html.  They also have a free, sixty-day trial.

Beyond AIM, numerous other chat programs support encryption.  One of my faves is based on the open source, highly interoperable Jabber system.   While many Jabber clients are available, a really nice one that runs on Windows is Exodus, freely available at http://exodus.jabberstudio.org.  If you are using Exodus, make sure you configure it to use crypto: go to Details-->Connection, enter port 5223, and select "Use SSL".  Of course, you'll need to be working with a Jabber server that supports SSL, but there are many of them out there.

3) Given the evidence presented in the narrative above, which system had the attacker most likely compromised: Meg's computer, Tom's computer, a machine on a network sitting between Meg and Tom, or AOL's messaging system itself?  Why?

Now, of these four questions, this one was the toughest.   Of all of our submitted entries, only three got this one right because of a little twist I threw in.  Note that Questions 1 and 2 focused on the weaknesses of the AIM protocol, perhaps making you think that the answer to Question 3 involves snarfing messages from the network on a machine between Meg and Tom.

But, that would be wrong…  Notice that the question says, "Given the evidence presented in the narrative above…"  What evidence is presented in the narrative?  Well, we see that the bad guy is reading messages written by Meg.  There is no indication anywhere that he's reading Tom's messages.  Beyond that, we've also got the Ethereal packet capture from Meg's machine.

If you look at the packet capture closely, you'll see normal AIM traffic, plus a little twist.  Data going to and from 10.1.1.4 (Meg's system) and 64.12.25.109 (AOL's machine) is totally normal.  But look more carefully.  Every time Meg sends a message to Tom, there is another packet that leaves her system, going from 10.1.1.4 to 66.48.76.90, using TCP port 53!  Ethereal renders TCP port 53 as "TCP DNS" in its display.  What the heck is that traffic?  I might understand UDP port 53 for DNS lookups, but this TCP stuff is quite anomalous, used only for zone transfers and long DNS queries and responses.

By doing a little research, you'll quickly notice that 66.48.76.90 is actually a machine registered to NetFirms, the same company that hosts www.counterhack.net .  In fact, that's the IP address of my own website.  Furthermore, if you look at the packet length of the TCP port 53 items, you'll see that they are the exact same length as the number of keystrokes that Meg types to Tom, 42 characters ("I think someone is listening to our chats!") and 37 characters ("Uh-oh!  What should we do?").  Whatever Meg typed was immediately grabbed and sent from her machine to another box across the Internet.

So, the location of Th3R3alShak3sp3ar3's compromised system?  The bad guy included a keystroke logger on Meg's very own machine, using it to grab whatever she typed and sending it to www.counterhack.net.  Doooh!
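The reasoning in the answer to Question 3 can be turned into a small detection check. The following is an added example, not Ed Skoudis's code and not Ethereal output: it runs over a constructed capture summary (the IP addresses 10.1.1.4, 64.12.25.109 and 66.48.76.90 come from the scenario; the resolver address 10.1.1.1, the AIM port 5190 and the two sample messages are assumptions) and applies the two observations from the text: outbound TCP port 53 traffic to a host that is not the configured DNS resolver, and a payload length that equals the number of characters the user typed.

```python
"""Spot keystroke exfiltration hiding on TCP port 53 in a capture summary.

Added example for the Question 3 analysis; not the page's own code.
Input is a constructed list of per-packet records (src, dst, proto, dport,
payload length) rather than a real capture file.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "TCP" or "UDP"
    dport: int
    payload_len: int  # bytes of application payload


# Values from the scenario.
VICTIM = "10.1.1.4"
AIM_SERVER = "64.12.25.109"
EXFIL_HOST = "66.48.76.90"

# Assumptions for this example (not on the page).
RESOLVER = "10.1.1.1"   # the only host that should legitimately see port 53 traffic
AIM_PORT = 5190         # AIM's usual client port, assumed for the sample
MESSAGES = ["meet me at noon", "did you get my last note?"]  # constructed chat lines

# Constructed capture summary: normal DNS, normal AIM, plus one extra
# outbound TCP/53 packet after each message whose length equals the text typed.
CAPTURE = [
    Packet(VICTIM, RESOLVER, "UDP", 53, 33),
    Packet(VICTIM, AIM_SERVER, "TCP", AIM_PORT, 80),
    Packet(VICTIM, EXFIL_HOST, "TCP", 53, len(MESSAGES[0])),
    Packet(AIM_SERVER, VICTIM, "TCP", AIM_PORT, 60),
    Packet(VICTIM, AIM_SERVER, "TCP", AIM_PORT, 90),
    Packet(VICTIM, EXFIL_HOST, "TCP", 53, len(MESSAGES[1])),
]


def suspicious_tcp53(packets, victim, resolvers):
    """Outbound TCP/53 packets from the victim to any host that is not a
    known resolver. Port 53 alone is not enough: TCP is legitimate for zone
    transfers and large answers, so the destination check matters."""
    return [
        p for p in packets
        if p.src == victim and p.proto == "TCP" and p.dport == 53
        and p.dst not in resolvers
    ]


def correlate_lengths(suspects, messages):
    """Pair each suspect packet, in capture order, with the next unmatched
    typed message of identical length. Returns (dst, payload_len, message|None)."""
    remaining = list(messages)
    pairs = []
    for p in suspects:
        match = next((m for m in remaining if len(m) == p.payload_len), None)
        if match is not None:
            remaining.remove(match)
        pairs.append((p.dst, p.payload_len, match))
    return pairs


def keystrokes_exfiltrated(packets, victim, resolvers, messages):
    """True when every message the user typed has a same-length outbound
    TCP/53 packet to a non-resolver host: the keystroke-logger signature
    described in the answer to Question 3."""
    pairs = correlate_lengths(suspicious_tcp53(packets, victim, resolvers), messages)
    matched = sum(1 for _, _, m in pairs if m is not None)
    return len(messages) > 0 and matched == len(messages)


if __name__ == "__main__":
    for dst, n, msg in correlate_lengths(
        suspicious_tcp53(CAPTURE, VICTIM, {RESOLVER}), MESSAGES
    ):
        print(f"TCP/53 to {dst}: {n} bytes -> {msg!r}")
    print("keystrokes exfiltrated:", keystrokes_exfiltrated(CAPTURE, VICTIM, {RESOLVER}, MESSAGES))
```

On a real capture the same two checks apply: filter for TCP destination port 53 leaving the host, exclude the resolvers the host is actually configured to use, then compare the surviving payload sizes against what the user typed. Matching lengths across several messages is what separates a logger from an ordinary oversized DNS query.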

4) What steps should Meg and Tom take next to deal with the bad guy and eradicate him from their lives?

Given that the attacker was located on Meg's own system, Meg should first run an up-to-date anti-virus scan of her machine, hoping that it will find and remove the keystroke logger.  Additionally, it would be worthwhile to run a spyware detection tool, such as Ad-Aware, available for free at www.lavasoftusa.com.  After cleaning up the system, Meg should double-check to make sure there are no additional evil packets leaving her box by using the Ethereal sniffer as shown in the original scenario.  Finally, Meg should make sure that Tom gets a certificate so that their AIM connections are truly encrypted end-to-end, or switch to another chat program like Exodus using SSL over Jabber.  That way, Meg and Tom can resume their AIM intimacy safe and secure.

And now… our winners.  Each of the following folks will get a copy of my book Counter Hack: A Step-by-step Guide to Computer Attacks and Effective Defenses.  Congrats to our winners!

The winners are:

(Drum roll please!!!)

First Place: Jay Swofford…. Folks, not only did this gent have the most thorough and totally correct answer, but also he's a certifiable genius!  Read his response for deep insight and to benefit from his research into secure messaging solutions.  Also, I found the nudity in his response tasteful and integral to the plot.  Just kidding!  ; )

Second Place: Mike Fitzpatrick…  A great and concise answer.  Good work.

Third Place: Dominick Sardina…  Another solid entry.


Here are the honorable mentions… (Solid work, but sorry, no books for you gents this time):

Honorable Mention 1: Raúl Siles: Very good research and solid recommendations.

Honorable Mention 2: Gnick: A well-thought-out set of answers.


Books will be on their way to the winners shortly.  Congrats to all of our winners!