Part I: “Low tech hackers” are nearly impossible to stop

When an organization or an individual has a security or privacy breach from the internet, we often assume it was done either by a young male with intimate knowledge of computers and the networks they are on, or by a “script kiddie” who got the equivalent of a skeleton key that someone else made so they can let themselves into your life in some way.  When these people do attack it is often just once and then they are off.  They are best stopped by “locking the doors”, because the way they get in where they are not supposed to be is by wandering around trying doors to see if any have been left open, or by using old key cards that should have been changed ages ago.

We know about these people.  Books have been written on stopping them.  Businesses have been formed based solely on stopping them.  Software has been written to seek and destroy their tools, and yet there are more of them than ever before.  One thing people in the security world keep secret is this:

Breaking into computers is fun.

Most of us can thank VMware and Xen for both keeping our skills up and keeping that money-making “white hat” on our heads as we ride off into the sunset having saved the day and taken home a check.  But we had fun doing it, and the person whose work we were mitigating had fun giving us work.  It is like that Warner Brothers cartoon with Sam and Ralph, where both sheepdog and wolf work for the same company, one to protect the sheep and one to try to eat them.

Not all hackers have skill.  Not all hackers even know that they can go online to get the tools they need to break in to places.  Not all hackers have fun doing what they do.  They do it for reasons that make computer security people, firewalls and anti-virus software useless.  They do it because they have a compulsion to do it.  They do it because they feel they have to.  They do it because they are often mentally ill.  They are also impossible to stop using conventional methods.

The “low tech” security risk can be especially difficult because these people often have all the time in the world.  When you have an obsession and unlimited free time you can get creative in ways a more technologically savvy person will not bother with.

One group I did work for had a problem.  They had a fellow who used their website to send messages to a woman he had “fallen in love with” but who had rejected his advances.  He decided that she visited this website (she didn’t; it escalated to the point of me talking with her by phone) and that he would send out communications to try to get her attention.

What he did instead was disrupt the website that he used as a “stalker pulpit”.  He was denouncing the woman and all other forms of injustice against him, and slowly turning the focus of the site away from its intended purpose to be about him and his failed love life.

Then he started to solicit users of the website to contact the woman through her place of business and that was when I was contacted to stop him.

What logs did I have to look at?  None.  What did he break into?  Nothing at all.  But imagine you run a burger place and someone comes in and decides to use your booth as a space to promote their religion.  If you do not move to stop it, you risk having your customers go elsewhere to get away from being preached to.  In a burger place that is easy: you kick them out, and maybe contact the police if needed.  On a website with open registration that is more difficult.

The first thing I did was try to block the IP addresses this person posted from.  He then moved from his home to cyber cafes.  I even found a cyber cafe with security cameras in their IP block that were open to the internet.  I remember this well because this cafe had a giant tree growing in the middle of it.  So when he would log on from that IP I would type the IP of the camera into my browser and see him sitting at a computer logging into the website he was banned from.

I then decided I needed more information so I contacted the woman who was the object of his obsession.  She had never met him but she did have a restraining order, and he had his own case officer with the RCMP.  She then told me a creepy story about how one night she had heard rustling in the bushes near her house and thought nothing of it, but when she went outside the next day, on her porch was a picture of her stalker dressed in an all-white suit (like Mr. Roarke from Fantasy Island).  I should have kept my mouth shut, but I told her that he kept on posting pictures of himself dressed in all white with cryptic messages, which must have meant he still thought she read the website.  I should have known this would frighten her.  I had forgotten that to her this was a person trying to invade her life, but I was seeing everything as just facts and coincidence and forgot myself, and I still feel bad about doing that.

She contacted the RCMP case worker (I don’t know what the official title is since I am not Canadian) and suddenly website activity stopped, but six months later it started again.

(more later)


I once saved my life with social engineering

Normally when someone says something dramatic like the above statement they go on and you realize that they were just speaking metaphorically, like “Read this book, it will change your life”, and then you read about the book and find out it is written by a smiling man who either wears a tie with no jacket or a jacket without a tie, and his words are used in the same manner as his fashion.  He will not change your life at all.  It is just a scam written by the heartless for consumption by the gormless.

When you are in the business of computer security a side project is always tackling scam artists, because the twains often meet, and sadly you also learn that no matter how poor and desperate someone is, they always have $20 to spend on a book and they always have $200 to spend on a “turn-key” business.

Unlike hucksters, when I say something like this it is really true.  If I had not been a social engineer I would be dead right now.  I suspect my remains would be somewhere in Port-au-Prince bay or perhaps lying in Cité Soleil, but I would not be typing this, and I don’t want sad and needy people to give me money.

It all started almost ten years ago.  I was at the Gara de Nord train station in Bucharest, Romania.  Gara de Nord is probably the most notorious train station in Europe, and for good reason.  Lots of petty hustlers, large areas of the station are unoccupied, and you can quickly find yourself being shaken down by someone with a badge.  In Bucharest, they give everyone at the train station a badge, it seems.

Anyway, I got a train ticket to Istanbul and I had to wait a few hours for my train to leave.  I sat with my back to the wall so no one could sneak up behind me and just watched people.  Nature called and I lost my place, because I had to pack up all my things and take them to the toilet with me, and when I returned I had to stake out a new seat.  I was approached by a man pretending to be a policeman.  He told me that he had to check my money for counterfeit bills.  This meant that the bill he found would indeed be counterfeit, he would give me a receipt for it, and then he would have 100,000 lei for just the cost of a fake badge.  For some reason I decided to pretend he spoke very poor English.  No matter what he said and how clearly he said it, I pretended he had said something else.  He asked for my passport and I offered him a potato chip.  He asked to see my train ticket and I showed him a photograph of my parents.  Finally he stopped speaking and resorted to hand gestures, and he made a certain motion with his hand, mouth and head that I took to mean “do you want a prostitute?”, but it also looked similar to how one would quickly eat an ice cream cone, so I got up and bought one.  He threw up his arms in frustration and left me alone.

That did not save my life really, but it taught me that I always had the power to cause doubt in people.  He lost his pretend air as an authoritative policeman and quickly degenerated into a stammering, confused man prone to making obscene gestures.  The next time I encountered that was when I went to the Haitian slum of Cité Soleil the next year.

Cité Soleil is a flat outcropping that juts out into Port-au-Prince bay, and it is the poorest slum in the western hemisphere.  It is not even made out of “land” as we know it; it is made out of shells and detritus.  The shacks there are made of metal and string, and when the wind blows you cannot hear anything because the whole place rattles with loose corrugated metal and flattened 55 gallon oil drums.  There are children everywhere.  It is like a “Where’s Waldo” game but with real people…you stare at any given area long enough and suddenly your eyes adjust and you start seeing children.  Lots of children.  You never see any old people because they are dead.

There are also street gangs.  I hired a gang of pro-Aristide thugs who were followers of a gangster named “Tupac”.  I found it ironic that a real Haitian gangster had named himself after a fake American gangster.  It would be like a real general naming himself after Donald Rumsfeld.  These guys were about 14 to 18 and kept guns in their underwear.  One fellow had a gun go off in his shorts and blew part of his foot off.  My bodyguards’ main rival was another gangster named Billy.  Billy and Tupac are supposed to be brothers in the films that are made about them, but that is not true; they were foster brothers.  Orphans are numerous in Cité Soleil and their foster mother (I met her, her name is “Mom”) raised them to be gangsters simply because that was her best hope for prosperity.  In Cité Soleil a woman does not take care of others’ children to be charitable.

At the end of my tour this fellow in a red bandana and riding a BMX bike showed up.  My bodyguard on crutches said “Billy’s soldier!” to me before he started hobbling away.  This was a gang of people whom everyone in Cité Soleil was terrified of, but here they were, clucking like hens about to be eaten by a fox just because a kid on a bicycle showed up.  While my bodyguards were cowering I approached the guy on the bicycle.  I walked up to him, looked him in the eye and said “Hello, my name is Erik.  It is nice to meet you.”  He stared at me, looking at me like I was a piñata and all he had to do was figure out where to hit me to cause candy to come spilling out, and said “Gimme da money”, and I said “sure” and reached in my pocket and pulled out a stick of Wrigley’s Spearmint Gum.  As he and I both chewed he had a confused look in his eyes and he said “da money.  gimme da money.” and I gave him another stick of gum and walked away.

I went over to my cowering bodyguards and said “thank you, this money is for all of you to share.” and I gave them about $100 in gourdes, in bills so large that they had to fight over it.  I then jumped into an old Honda Civic and sped off.  I looked in the mirror and saw that Billy’s soldier was following me on his bicycle and trying to shoot me.  He missed the car completely thanks to potholed roads screwing up his aim.

It is very likely I would have been killed had I not distracted him by causing his own doubts about his English ability to surface.

Later that day I was caught in the middle of a gunfight and then briefly kidnapped by a voodoo priest in Pétionville.

But that is a story for another day.

Unix interview questions and what is never answered by asking them

Many years ago I was an “anti-globalization” activist.  I hated that term.  I was not anti-globalization at all; in fact I love being connected to the world and I want there to be more connection with others, not less.  I also do not oppose “Free Trade” at all.  If Bob from London wants to sell a shirt to Randy in Winnipeg there is no reason at all that Randy in Vancouver should object and try to get Kate in Ottawa to make it more difficult for Randy to buy one of Bob’s shirts (in my world all Canadians are named Randy and Kate).  What I was opposed to, and still am, is treaties dealing with commerce.  NAFTA and GATT were so big that people hardly read them.  The Congressmen did not read them because they were huge.  I remember reading that GATT, when printed out, would have required a member of Congress to push a wheelbarrow filled with GATT so he could read it and know what he was voting for (which never happened).  We in the United States are obliged by our Constitution to adhere to treaties, and anything that takes up a wheelbarrow full of paper is not something designed to set us or anyone else free.

For some reason the police were really afraid of us.  We never hurt anyone.  Many people were vegans or “strict vegetarians” and they did not want to hurt anything that breathed at all.  I can therefore say that the police, the FBI and all of those people did very poor work simply because they did not know what to ignore.  They treated everything as a “job”, and that included harmless people who didn’t eat meat and whose biggest crime was refusing to wear deodorant in my rental car.  If they had ignored us perhaps they would have noticed men in flight schools across the United States wanting to learn how to fly but not caring if they learned how to land, but they didn’t.

I thought about this scenario when doing phone screens for my job hunt.  Phone screens are needed, as they filter out the fakers in the tech world, but lately the questions have not been “what do you do in this situation?”, to which a real IT professional can rattle off real anecdotes and examples; instead they want to know commands.  Unix and Linux have a lot of commands.  I have used commands for years, then not used them for a year and completely forgotten them.  This is fine when I am at a keyboard, because all I do is enter “man -k” or “apropos” followed by the topic of what I am looking for, do a quick scan, and then see something that triggers my memory, like:

“man -k duplicate”

chkdupexe (1)        – find duplicate executables
dup (2)              – duplicate a file descriptor
dup2 (2)             – duplicate a file descriptor
dup3 (2)             – duplicate a file descriptor
FcPatternDuplicate (3) – Copy a pattern
FcStrCopy (3)        – duplicate a string
msguniq (1)          – unify duplicate translations in message catalog
strdup (3)           – duplicate a string
strdupa (3)          – duplicate a string
strndup (3)          – duplicate a string
strndupa (3)         – duplicate a string
wcsdup (3)           – duplicate a wide-character string

I would then remember that I used chkdupexe once to halt two executables from running at the same time and causing the CPU to be running at 99% and 100%.  My fingers are faster than my phone voice.  I can concentrate better when I am not taking an oral examination that requires specific answers.  If this question were asked on the phone and required an exact answer from memory I would have hemmed and hawed, and that would have been followed by failure.  If I were asked “how do you handle a race condition?” then I could talk on the many details of this subject and fill it with boring anecdotes.  But this is not a common problem.  If a data center had to deal with race conditions all day long, to the point where their IT staff had memorized how to handle this situation, they would have much bigger problems looming in their future.
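The man -k listing above describes chkdupexe(1) as “find duplicate executables”. What that check actually does, as an added example that is not code from this post nor from chkdupexe itself, is walk PATH in order and report every command name that resolves in more than one directory. It runs here against a constructed temporary PATH (the directory names and the dummy scripts are assumptions for the demo), so it works offline without touching the real system; find_duplicate_executables() takes any list of directories, including os.environ["PATH"].split(os.pathsep). Order matters: the first directory holding a name is the one a shell runs, the later copies are shadowed, and that is why a writable directory early in PATH is a problem.

```python
"""Find command names that resolve in more than one PATH directory,
the check that chkdupexe(1) performs. Added example, not the post's code."""
import os
import stat
import tempfile
from collections import defaultdict

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def find_duplicate_executables(path_dirs):
    """Return {name: [dir, ...]} for every name that is a regular, executable
    file in two or more of path_dirs, with the dirs kept in PATH order."""
    seen = defaultdict(list)
    for d in path_dirs:
        if not os.path.isdir(d):
            continue  # nonexistent PATH entries are simply skipped
        for name in sorted(os.listdir(d)):
            full = os.path.join(d, name)
            try:
                st = os.stat(full)  # follows symlinks, like the shell does
            except OSError:
                continue  # dangling symlink or a file removed mid-scan
            if stat.S_ISREG(st.st_mode) and st.st_mode & EXEC_BITS:
                if d not in seen[name]:
                    seen[name].append(d)
    return {n: dirs for n, dirs in seen.items() if len(dirs) > 1}


def build_demo_path(root):
    """Construct a toy PATH under root (assumed layout, demo only): 'ls' in
    both tmp_bin (listed first) and usr_bin, 'cat' only in usr_bin, plus a
    non-executable 'ls.bak' in usr_bin that must not be counted."""
    layout = {"tmp_bin": ["ls"], "usr_bin": ["ls", "cat"], "sbin": ["ifconfig"]}
    dirs = []
    for sub, names in layout.items():
        d = os.path.join(root, sub)
        os.makedirs(d)
        for n in names:
            p = os.path.join(d, n)
            with open(p, "w") as fh:
                fh.write("#!/bin/sh\necho %s from %s\n" % (n, sub))
            os.chmod(p, 0o755)
        dirs.append(d)
    backup = os.path.join(root, "usr_bin", "ls.bak")
    with open(backup, "w") as fh:
        fh.write("not executable\n")
    os.chmod(backup, 0o644)
    return dirs


def demo():
    """Run the check on the constructed PATH; returns {name: [dir basenames]}."""
    with tempfile.TemporaryDirectory() as root:
        dups = find_duplicate_executables(build_demo_path(root))
        return {n: [os.path.basename(d) for d in ds] for n, ds in dups.items()}


if __name__ == "__main__":
    for name, dirs in demo().items():
        print("%s: %s  (first wins, the rest are shadowed)" % (name, " ".join(dirs)))
    # The same check against the real PATH of whoever runs this.
    real = find_duplicate_executables(os.environ.get("PATH", "").split(os.pathsep))
    for name, dirs in real.items():
        print("%s: %s" % (name, " ".join(dirs)))
```

On the constructed PATH only ls is reported, with tmp_bin ahead of usr_bin; cat and ifconfig exist once, and ls.bak lacks an execute bit. Run against a real PATH the interesting output is any duplicate whose first hit lives in a directory other users can write to.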

One question I would like to see asked everywhere is “How do you decide what to ignore?”.  Choosing to ignore something seems anathema, since admitting you actively choose to ignore things is akin to sloth, but we ignore things all the time and all day long.  Right now I am ignoring my carpet and my sink, but that is passive ignoring.  If the doorbell rang now I would actively ignore it.  Not to be rude, but because I know that the only people who ring my doorbell at this hour are members of this strange church who only speak Spanish and think that “laying on of hands” will cure me of my monolingualism.  I have better things to do than to open my door and have old women touch my face.

So twelve years ago we had law enforcement paying attention to terrorists who were not terrorists while ignoring the terrorists who really were terrorists, and we probably also have people being hired in data centers who just know how to do well on tests but do not know how to work in a data center.


A dissemination of “comment spam”

Many years ago I was managing the website of comebackalive.com, which is owned by my friend Robert Young Pelton.  We were running a phpBB forum, and after about one year it seemed that “comment spam” started happening.

I was curious about this.  A few years before I had tracked down a Romanian hacker and eventually became friends with him (Eastern European hackers used to be really easy to catch, since they always provided their photograph, address and phone number on whatever website they frequented under their nom de guerre), and in 2003 I visited him and his family in Cluj-Napoca and had a wonderful time (we went fishing and I used maggots for bait).  I asked my hacker friend what the deal was with this comment spam and he told me that he did not know much about it except that it was from the Ukraine.

I eventually started doing research and found out that most of it was from a guy named Alex from Sebastopol on the Black Sea.  Later “Alex” would write the comment spam program called XRumer.  I still never found out Alex’s last name, and it has always bothered me that I did not pursue this with more vigor, because I surely had time back then.

Now XRumer is a mainstay of spam.  It is run like a Multi Level Marketing scheme in Eastern Europe that I like to call “Spamway”.  It produces annoyances here and makes people think that by investing a few hundred dollars “over there” they stand to become rich.


About my campaign contributions in 2008

If you google my name “Erik Solomonson” you will eventually see a link that says I donated $1000.00 to the Republican Party.

This is true.  I did this.

But what I also did was donate $1000.00 to the Democratic Party.

But this does not show up for some reason.

I was and still am opposed to any war the United States has that is not self defense and in 2008 I thought the only two people who shared my beliefs in that were Ron Paul and Dennis Kucinich so I gave them money.

My logic then was that, no matter what the policies of the candidates, any mistakes could be corrected, but one can never correct the mistake of death, especially sending people overseas to die for what turned out to be a massive lie.

So I gave $2000.00 for peace and now I am on every whack job mailing list known to humankind.  So my advice is never, ever donate money to campaigns.

A little noticed bit of computer security

A while back this very strange thing happened.

A few men with beards entered the United States, shaved, went to a strip club and then flew airplanes into buildings.

I know this happened because I saw it from Sixth Avenue somewhere between West 4th Street and Houston.  People who did not see this sometimes try to tell me it was some sort of conspiracy, but I am very sure I saw this because this is one of those things that is impossible to forget.  My perception was a bit off though, because I thought the people jumping out of the North Tower were birds, and I almost wish I still believed that today, but I do not.

Anyway, things were weird after that.  People walked around with this expression on their face that looked like they could either burst into tears at any moment or start screaming until someone gave them Haldol.  During this time of contorted faces there was also a time where self-styled “Internet Vigilantes” would target Muslims, people who opposed targeting Muslims, and “Liberals” (said by people who use the term liberal the way they use the term faggot, not meaning a bundle of sticks).  It was quite revolting, but the climate was such that it was very difficult to do anything.  I once got a death threat online for opposing the use of neutron bombs to wipe out Muslims (in hindsight that was a discussion where I should not have tried to use calm, collected facts).  Some of the people doing this targeting were self-described “hackers”, and so some friends and I went to work opposing them, but we did so in secret.  Like most bullies, these people had no problem asking authorities to back up their menacing, and the environment we were in then made it so the authorities would most likely help them.

So, we had a team together.  I am not even sure what you would call us, but perhaps it is something that is best not named.  I did research and tracking, another friend of mine found and then baited the targets to attack, and another fellow, named Kevin Bacon (not the actor, but he used his famous namesake to make sure he never appeared in a Google search), did damage control by using his law enforcement connections to get them to realize that the people carrying out the cyber attacks and harassment were more akin to terrorists than the American Muslims and anti-war activists were.  (I use Kevin’s name because he is no longer with us.  He died sometime in 2010, but it is hard to get the information since googling “Kevin Bacon” and “Died” does not produce anything useful.)

One group we dealt with (not naming names, though I can via private correspondence) took us about four years to end.  It was simply because we were patient, not that we were slow or clueless.  Many of these kinds of people have such short-term memories that they assume if they were not arrested right after the incident then that meant they were safe.  This group of hackers actually had only one skilled hacker, who for some reason willingly did illegal things but was terrified of the consequences.  I caught him by contacting a system administrator at a university in Singapore that was a favorite proxy of the group.  At first he was a bit cocky with me, denying the existence of the proxy, then admitting he set it up for “friends only”, and when I name-dropped a school administrator who would have been his supervisor he became incredibly cooperative.  I was delivered log files for the proxy for the times of the attacks I was researching.  I gave the IP of the user to Kevin, and Kevin called up an ISP after one of his law enforcement contacts called the ISP and told them to expect Kevin’s call.
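The log work described above, matching the proxy's access log against the times of the attacks, as an added example that is not the author's code or data. The target's own log shows only the proxy's address for each attack, so the question is which proxy client was going through to the target at each of those moments. Every log line below is constructed for this example: the proxy lines use Squid's native access-log layout (epoch.ms, elapsed ms, client, code, bytes, method, URL, ...) and the target lines are Apache combined format; PROXY_IP, TARGET_HOST and all addresses are placeholders from the documentation ranges.

```python
"""Tie each attack seen at a target, arriving from a proxy, to the proxy
client that was using it at that time. Added example, not the post's code."""
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit

PROXY_IP = "203.0.113.7"          # assumed: the proxy as the target sees it
TARGET_HOST = "www.example.org"   # assumed target site
WINDOW_SECONDS = 120              # tolerance for clock skew between the two logs

# Constructed target log (Apache combined). Only the POSTs from PROXY_IP are
# the events to explain; the other lines are ordinary traffic.
TARGET_LOG = """\
198.51.100.20 - - [14/Mar/2004:02:10:11 +0000] "GET /forum/index.php HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
203.0.113.7 - - [14/Mar/2004:02:15:30 +0000] "POST /forum/posting.php HTTP/1.1" 200 812 "-" "Mozilla/4.0"
203.0.113.7 - - [15/Mar/2004:23:41:02 +0000] "POST /forum/posting.php HTTP/1.1" 200 790 "-" "Mozilla/4.0"
198.51.100.33 - - [15/Mar/2004:23:42:00 +0000] "GET /forum/ HTTP/1.1" 200 4001 "-" "Mozilla/4.0"
"""

# Constructed proxy log (Squid native). 1079230530 is 14/Mar/2004 02:15:30 UTC
# and 1079394062 is 15/Mar/2004 23:41:02 UTC, the two POST times above.
PROXY_LOG = """\
1079230485.112    340 10.20.30.40 TCP_MISS/200 5200 GET http://www.example.org/forum/index.php - DIRECT/192.0.2.10 text/html
1079230530.221    410 10.20.30.40 TCP_MISS/200 812 POST http://www.example.org/forum/posting.php - DIRECT/192.0.2.10 text/html
1079230540.003     90 10.20.30.77 TCP_HIT/200 2210 GET http://news.example.net/ - NONE/- text/html
1079394050.500    200 10.20.30.99 TCP_MISS/200 3300 GET http://www.example.org/forum/ - DIRECT/192.0.2.10 text/html
1079394062.870    380 10.20.30.40 TCP_MISS/200 790 POST http://www.example.org/forum/posting.php - DIRECT/192.0.2.10 text/html
"""

APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def attack_times(target_log, proxy_ip, method="POST"):
    """Epoch seconds of each `method` request the target saw from proxy_ip."""
    times = []
    for line in target_log.splitlines():
        m = APACHE_RE.match(line)
        if m and m.group(1) == proxy_ip and m.group(3) == method:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            times.append(ts.timestamp())  # aware datetime, so a true UTC epoch
    return times


def parse_squid(proxy_log):
    """Yield (epoch, client_ip, host) for each Squid native-format line."""
    for line in proxy_log.splitlines():
        f = line.split()
        if len(f) < 7:
            continue  # blank or truncated line
        method, url = f[5], f[6]
        # CONNECT lines carry host:port instead of a URL
        host = url.split(":")[0] if method == "CONNECT" else urlsplit(url).hostname
        yield float(f[0]), f[2], host


def clients_in_windows(proxy_log, times, target_host, window=WINDOW_SECONDS):
    """For each attack time, the set of proxy clients that reached target_host
    within +/- window seconds of it."""
    entries = list(parse_squid(proxy_log))
    return [{c for e, c, h in entries if h == target_host and abs(e - t) <= window}
            for t in times]


def rank_suspects(windows):
    """Clients ordered by how many attack windows they appear in. One present
    in every window is a lead, not proof: the proxy may sit behind a NAT
    shared by many users, so the next step is the ISP, not an accusation."""
    return Counter(c for w in windows for c in w).most_common()


def investigate():
    times = attack_times(TARGET_LOG, PROXY_IP)
    return len(times), rank_suspects(clients_in_windows(PROXY_LOG, times, TARGET_HOST))


if __name__ == "__main__":
    n, ranked = investigate()
    print("%d attack windows; clients seen per window:" % n)
    for client, count in ranked:
        print("  %-15s %d/%d" % (client, count, n))
```

On the constructed logs 10.20.30.40 is in both attack windows and 10.20.30.99 in only one. The window exists because the two machines' clocks were never synchronized with each other; widen it until the proxy log shows the corresponding request and no further, since every extra minute pulls in unrelated clients. The result is what gets handed to the ISP, which is the step the story describes next.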

So we got a name tied to four years of death threats and four years of various cyber attacks.  When you contact someone like this they go through the “stages of death” that Elisabeth Kübler-Ross wrote down so many years ago.

1. Denial & Anger (lots of threats ranging from violence, lawsuits, and police involvement)

2. Bargaining (there is one phrase you can say..for this one it was “Singaporean proxy logs” that gets them to calm down and try to negotiate)

3. Depression (when you inform them that the only way nothing will happen to them is to do exactly as you say…this really bums them out)

4. Acceptance. (they agree to your terms and become happy because it is inevitable)

This fellow gave up and paid restitution (plus interest that we set at 10%) to those we tracked down and he ratted out all of his friends and told us everything about them.

All this because of 9/11, and I am certain there were similar groups doing similar attacks then too.  But that was a lot of fun.  I love doing this sort of work, but it is really difficult to put on a resume.

 

I hope to cause some confusion but not very much.

I admit that my clever Latin saying “Mutum cogitationes ex homo intelligens” might appear to some as though I have participated in a “Pray Away The Gay” type seminar, as they might only notice “ex homo”, but it really means “dumb thoughts by an intelligent man”.

I do hope this causes confusion though because sometimes seeing confused people is enjoyable, though I mostly hope to prevent it.

–Erik

Hello world!

Welcome to WordPress. This is your first post. Edit or delete it, then start blogging!


—-edit—-

This is an automated first post so I have decided to edit it.  They say “blogging!” with such enthusiasm but really I think it is sort of like saying “Multi-Level Marketing!”