
Fighting fire with fire

Wired reported that on Friday, April 11, two weeks ago, security expert Joel Eriksson discussed the tools and techniques he uses to crack security on common security cracking software at the RSA Security Conference -- fighting fire with fire, you might say.

This was Bitsec AB CTO Joel Eriksson's first public demonstration of the techniques he uses to crack security on the computers used by malicious security crackers via the very tools they use to compromise others' security. He discovers security vulnerabilities in widely distributed programs used by "script kiddies" -- security crackers who rely on software developed by other people without any real understanding of the underlying techniques and principles. Once he has identified vulnerabilities, using the same sorts of techniques the tools' authors employed to discover vulnerabilities in more "legitimate" software, he exploits them to gain access to the computers of the script kiddies who use the security cracking software.

The Wired article is long on the sensationalistic, "Security Guru Gives Hackers a Taste of Their Own Medicine" angle, but short on certain specifics. My first thought after reading the article was:

Okay, so he gains a foothold on some script kiddie's computer. Then what?

What these script kiddies usually do when they gain access to someone else's computer is use them to launch attacks on other systems, send spam e-mails, and so on. Obviously, doing the same things isn't really appropriate as a countermeasure. Does he just do damage to the script kiddies' operating environments -- corrupt filesystems, crash applications, and otherwise make a mess of things? Vandalism against one target at a time seems fairly inefficient, even ineffective, as a countermeasure in general. A best-case scenario would probably involve collecting information about the individual security crackers and turning that over to appropriate law enforcement agencies.

I think a more likely scenario is that Mr. Eriksson is doing it because it's fun, and because it gives him something to talk about in front of a crowd at RSA.

The romantic notion that comes to mind upon hearing Joel Eriksson's explanation of taking on script kiddies by exploiting their own tools is one of a sort of poetic vigilante justice, where the wronged can take the fight to the malicious security crackers of the world and hit them where it hurts. The lessons learned from work like Eriksson's may be useful in the fight against them in the future, but such work is unlikely to yield any direct results.

Still . . . I wish I'd done it first.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

20 comments
jdclyde

He is admitting to committing the same crime as the people he is going after. While cool, this will not do anything productive.

Jaqui

Use the access to send a complete system backup to the local police force. You know, with the logs of criminal activity on the part of the "cracker".

$$$$$$$$$$

[b]Make[/b] Symantec, McAfee ... well, scratch that, make effective anti-virus and anti-spyware engines freeware, not via volunteer/hobbyist coders, but via labor paid by the original authors of malware, who are then thrown in prison with drug dealers for a few years and lifetime probation from computers.

BALTHOR

I log on to my ISP and I want to ruin TR's computer for the pure joy of being evil or even for Landru, so what do I do next? Somehow I have to find the TR computer. I can find the site, but does the site reside in the TR on-property computer or is it in the Federal Torrent like my credit card files? Now I have to break in to TR's computer to install hellware. Do I install the program on their hard drive? My hacker computer is looking right at TR's C: drive. Hackers are at a higher level than we are. They run the OS in the CPU from the BIOS, then they tell everybody about overclocking, the 13 root servers and Internet ISP throttling.

apotheon

There's something compelling about this sort of "poetic justice" approach to fighting malicious security crackers. On the other hand, it's mostly the people who don't know how to do this sort of thing that end up being victimized by malicious security crackers. What do you think about what Joel Eriksson is doing -- and what would you like to see him do next?

DanLM

Like we were saying afterwards, we would have to be very careful that innocents were not caught up somehow... But... I will be truthful. I am very ethical when it comes to my IT skills. But being able to modify a hacker/cracker/script kiddie's code to display his name and address to the person he is exploiting... That intrigues me... I think I might not be able to resist that one. Dan

DanLM

other machines to display a message of their name, address, and phone number which is displayed when the exploit takes over the person's computer. Something like a message box that pops up every time the person logs on. "Hi, your computer has been exploited by Dan Miller. Insert address here. Please contact your local authorities about this exploit." Dan

$$$$$$$$$$

Do the on-by-default Windows services include logs that would be useful in such prosecutions? Script kiddies certainly don't have the reputation of knowing how to turn them on, nor off, from whatever state they buy their computers, "out of the box."

apotheon

I wonder if working on open source projects as a community service sentencing measure might not be an idea worth exploring. Being introduced into such environments, with an assigned equivalent of a "probation officer" to oversee the offender's coding work, might prove rehabilitative. Among other things, the vast majority of open source developers view malicious security crackers in general (and script kiddies in particular) as lower than worms -- and, under the guidance of a watchful eye, contributing to the efforts of an open source developer community may expose the miscreants to some far more positive outlets for his or her interests. edit: I've been inspired by this to write another article as a follow-up to this one. Expect it in the next few days. Thanks for getting me thinking, [i]Absolutely![/i].

seanferd

Trying to get security software vendors to think from a new angle? I really have no good guess as to what this fellow is shooting for, but some automation of his approach may separate the vandals from the criminals in the future.

santeewelding

I think you have the wrong thread for philosophy, self-actualization, and a larger purview.

jdclyde

would be a top priority.

apotheon

That might be fun. You have to be careful about how you do it, though, so that you don't accidentally point people at an innocent party whose computer has been compromised and turned into a "middle-man" for attacks on others.

$$$$$$$$$$

'Restitution,' if evidence were made sufficiently available to law enforcement, might be attainable. By contrast, in response to an auto for sale ad on Craigslist, I recently received an e-mail that closely followed the format of a 419 scam, with European nations and a midwest US state substituted for foreign nations and non-existent financial rules substituted for non-verifiable & non-falsifiable political turmoil, but the large fraudulent payment in exchange for somewhat less large cash payment fully intact. The icing on the cake was the stated intent to pick up my car -- the following day! I3C referred me to local law enforcement, which in turn informed me that until I lose my own money, they are "too busy" to get involved. I haven't compared my own experience to any statistical studies of police department policies so I don't claim to know that declining to investigate crimes in progress is a widespread problem, but I would be surprised if my experience is anything but common.

DanLM

Gains access to the hacker/cracker's machine. His home machine where he coordinates the attack from. Simplicity start... Registration information on the machine itself held in the registry entries. Get the IP number also of this machine; that can be done also. Shoot, just a browse of the emails. Getting the name of the individual distributing the virus software would not really be that hard once you have access to the hacker/cracker's machine. And that is what this exploit is about that the white hat presented. Once that information is acquired, then upload a modified virus file that this cracker is distributing... Just your modified one... Chuckle, one that displays that message and then cleans itself after infection. The points gained here. 1). You are not destroying the hacker/cracker/script kiddie's machine. For one thing, he would just get a new one. 2). By the modified virus script you are uploading to it after you acquire the correct information. a). You are stopping the infection of other machines because you have modified the payload code used by this cracker to clean itself after notification has occurred. b). You are providing information needed by the authorities. I know, pipe dream.. Won't happen... And I am sure there are holes in it... I'm not out to hurt innocents, and if there is a chance of that happening... Then I don't want it. Dan

$$$$$$$$$$

I don't really know how Dan plans to get the guy's name, though, so I think his above post is a bit of an exaggeration. More realistically, he'd provide the IP address(es) of as many computers as possible on the viewable LAN, and/or at least one IP that he knows to be in the public range, i.e. not SPAM I3C with a bunch of Class B/C private IP address reports. In summary, I consider your concern valid, but from my reading of Dan's previous contributions, he knows what he's doing and how to report malware to the appropriate authorities without putting significant additional load on infested users' computers, nor falsely implying that those users are themselves the script-kiddiez.

apotheon

Automating the process would provide opportunity for the cleverer malicious security crackers to game the system, tricking it into giving out the wrong information, too.

DanLM

You know that would happen too. Dan

apotheon

Even when something of value is lost, local police are often "too busy" (handing out speeding tickets and launching no-knock raids for consensual "crimes", often at the wrong address) to investigate even physical theft and property destruction. I'm frankly surprised at the number of people I've met over the years who have [b]personally[/b] investigated thefts of their own property, hunted down the perpetrators, dropped a bunch of painstakingly collected and analyzed evidence on a desk in the local police headquarters or DA's offices -- then [b]still[/b] had to fight to get them to do anything about it (like arrest the bastard and recover the stolen property).
