Hacking clearly not what it used to be

A student from UCSB has been charged with four
felony counts in a “Ferris Bueller’s Day Off” re-enactment.
Ramirez used some crude tactics to reset the passwords of several
professors, then changed her own grades and the grades of several
other students.

A few things here bother me about using the word
hacking.  She didn’t use any sophisticated means to penetrate
the eGrades system.  She didn’t even have the foresight to
mask her IP address with a proxy or an anonymous WiFi connection.  Ramirez worked
for Allstate insurance and the professors were listed in her
database.  With access to Allstate’s records she was able to
flesh out the dates of birth and Social Security numbers needed for the
password reset.  It would have been the same story had she
worked at the professors’ cell phone provider.

“Knowing what information you need in order to do the
password reset and gathering that information and then going and
submitting the grade changes — you don’t just trip and
accidentally fall into that,” Schmidt said. “That requires some
specific planning and effort to do that.”

This clearly
shows malicious intent.  The act was planned out and she (and
any accomplices) knew what they were doing.  I imagine that she
was sitting at work looking up random people she knew.
I imagine this is common among ALL workers who have
this type of access.  One has to wonder when companies will be
held responsible for the sloppy dissemination of personal
information.  When she got a hit on her professor’s information
the idea probably clicked.  This seems like the most
logical scenario, since she actually logged into the eGrades system
from work.  Although there is a feedback system that is supposed
to catch these types of acts, I wonder just how well it would have
worked if the two had not gone so far.

“Ramirez,
who could not be reached for comment after repeated phone calls
Tuesday evening, changed her grade in one class from a B to an A,
Signa said. She also altered the grades of her roommate from an F to
a B+ in one class and from a B to an A+ in another class, Signa said.
Further details about other changes Ramirez made were not available
at press time.”

Had Ramirez left the other grades
alone and changed the F to a D- (still passing) it might
have gone unnoticed.  In this type of flagging system I would
imagine that the system notices grade changes greater than one
or two grade points.  So an F to a B+, a jump of about 3.5 grade points, should and
did trigger an alarm.  I am totally speculating at this point, so
please let me know if I am way off base.
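
As an added illustration of the kind of flagging the paragraph above speculates about (example code written for this post, not the eGrades system’s own logic), the following Python runs two rules over a constructed audit log: an unusually large single-edit jump in grade points, and any grade change made shortly after the instructor’s own password was reset. The 4.0 scale, the two-point threshold and the 24-hour window are assumptions; the log lines and account names are made up.

```python
from datetime import datetime, timedelta

# Assumed 4.0 scale; the article does not describe eGrades' actual scale.
GRADE_POINTS = {
    "A+": 4.0, "A": 4.0, "A-": 3.7,
    "B+": 3.3, "B": 3.0, "B-": 2.7,
    "C+": 2.3, "C": 2.0, "C-": 1.7,
    "D+": 1.3, "D": 1.0, "D-": 0.7,
    "F": 0.0,
}
JUMP_THRESHOLD = 2.0                  # assumption: two full grade points or more is suspect
RESET_WINDOW = timedelta(hours=24)    # assumption: changes this soon after a reset are suspect

# Constructed sample audit log (not from the article): timestamp, event kind, key=value fields.
SAMPLE_LOG = """
2008-03-10T14:02:11 reset actor=prof_smith src=10.9.8.7
2008-03-10T14:10:45 grade actor=prof_smith student=s1001 old=B new=A
2008-03-10T14:12:03 grade actor=prof_smith student=s1002 old=F new=B+
2008-03-10T14:13:30 grade actor=prof_jones student=s1003 old=B new=B+
2008-02-01T09:00:00 grade actor=prof_jones student=s1004 old=F new=D-
"""


def parse_event(line):
    """Turn one log line into a dict with a parsed timestamp and event kind."""
    ts, kind, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    event["kind"] = kind
    return event


def detect(log_text):
    """Return (rule, actor, student) findings for suspicious grade changes."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    # Index password resets per account so grade changes can be correlated with them.
    resets = {}
    for e in events:
        if e["kind"] == "reset":
            resets.setdefault(e["actor"], []).append(e["ts"])
    findings = []
    for e in events:
        if e["kind"] != "grade":
            continue
        delta = GRADE_POINTS[e["new"]] - GRADE_POINTS[e["old"]]
        # Rule 1: a large jump in a single edit (F to B+ trips this; F to D- does not).
        if abs(delta) >= JUMP_THRESHOLD:
            findings.append(("large_jump", e["actor"], e["student"]))
        # Rule 2: any grade change shortly after the instructor's password was reset.
        if any(timedelta(0) <= e["ts"] - t <= RESET_WINDOW
               for t in resets.get(e["actor"], [])):
            findings.append(("change_after_reset", e["actor"], e["student"]))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(*finding)
```

On the sample log the B-to-A change alone would slip under the jump threshold, which is the point of the second rule: the password reset is the event that makes every subsequent edit from that account worth a look, regardless of size.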

More
importantly, and something I alluded to earlier, is that information
workers have far more access than I think is warranted.  As an
exercise, go to your cell phone provider’s local store and talk to
the folks at the counter about your account.  The terminals at
those locations can look up any account and pull up the
full details of your call history, not to mention all of your
personal details.  With the carriers all merging, an
entry-level job at one of these stores gives you roughly a one-in-three
shot at any single person’s personal information.  I have a
feeling Allstate had no clue that an employee was abusing her system
access until the police came in with a warrant.  This problem is
likely far more pervasive than they would like to admit.

Trusting computers

Computers have supplanted all other forms of media for safeguarding our
information.  They store everything from banking histories to
recipes.  Combined with the connectedness of the Internet, all of this
information is leveraged to guide our decisions and to purchase our needs
and wants.  That is only the surface of how deeply computing affects our
daily lives, however.  Computers control the ballast systems that keep
tankers afloat and the SCADA systems that regulate the flow of rivers
through dams.  Computers are the most pervasive element of how our
society controls the environment we live in.

To state that trust is important is to understate the obvious.
 Trust is a luxury, however, and one that we cannot yet afford.  Our
systems are still fragile and susceptible to human malice and poor
programming.  Viruses by the millions have emerged in the world of
computing.  They infect computers through the actions of their users; the
classic vector is the email user who opens an attachment from a
stranger.  Even more dangerous is the worm, which spreads without
any user interaction at all.  Worm infections have risen steadily with each
passing year.  Code Red alone compromised 250,000 computers in nine
hours.  Control and trust are lost when these infections occur.

We absolutely need to trust the machines that help run the fabric
of society.  As a society we must constantly add fail-over systems,
monitors and vaccines to our computers.  Until that trust is earned,
systems must remain open to the user.  The more transparent the computers
are, the more easily a rogue program can be detected.  The quicker the
development process, the faster important patches and medicines can be
dispatched to infected machines.

One of the latest contenders is the “Trusted Computing” platform.
 In this regime the manufacturer provides equipment that certifies
each application before it is allowed to execute.  The cost of such
a regime is that development is slowed by a rigorous
certification process.  Even patches would have to undergo certification,
widening the gap between infection and inoculation.  The
benefits are paltry in comparison to this cost.  Certain viruses would be
prevented from executing, namely those that arrive by email as
uncertified executables sent to unsuspecting users.  Worms, however, would not be
deterred, since they generally attack programs that are already running.  Those
programs would already be certified, yet still contain vulnerabilities, flaws in their
code that allow remotely delivered input to exploit them.  The
certification process does not guarantee that the code works well, or
even that it works at all.  It only stipulates that the code came from a
certain developer or company.
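
The distinction the paragraph draws, that certification vouches for origin and integrity but not correctness, is easier to see in code. The following Python is an added example written for this post, not code from any Trusted Computing vendor: a hypothetical application is “certified” by an allowlist of bytecode hashes (standing in for a vendor signature), yet it carries an injection flaw that a crafted input triggers without changing the measurement at all. The patched build, by contrast, fails the gate until it is re-certified, which is the patching delay the essay objects to. All names here are hypothetical.

```python
import ast
import hashlib

COMPROMISED = []   # side effect the malicious record will trigger


def measure(func):
    """'Certify' a function by hashing its bytecode; stands in for a vendor signature."""
    return hashlib.sha256(func.__code__.co_code).hexdigest()


def certified_app(record):
    """Hypothetical certified application with a code-injection flaw: eval() on untrusted input."""
    name, expr = record.split("=", 1)
    return {name.strip(): eval(expr.strip())}   # the flaw: input is executed as Python


def hardened_app(record):
    """Patched build: only Python literals are accepted, anything else raises ValueError."""
    name, expr = record.split("=", 1)
    return {name.strip(): ast.literal_eval(expr.strip())}


ALLOWLIST = {measure(certified_app)}   # only the original, flawed build is certified


def certify(func):
    """The (slow, rigorous) re-certification step a patch would have to go through."""
    ALLOWLIST.add(measure(func))


def is_certified(func):
    return measure(func) in ALLOWLIST


def attempt(func, record):
    """Run func under the certification gate; report the outcome as (status, payload)."""
    if not is_certified(func):
        return ("uncertified", None)
    try:
        return ("ran", func(record))
    except ValueError as exc:
        return ("rejected_input", str(exc))


if __name__ == "__main__":
    before = measure(certified_app)
    print(attempt(certified_app, "x = 3"))
    # Crafted input: executes attacker code, yet the binary's measurement is unchanged.
    print(attempt(certified_app, "y = COMPROMISED.append('pwned') or 0"), COMPROMISED)
    print("measurement unchanged:", measure(certified_app) == before)
    print(attempt(hardened_app, "x = 3"))          # refused: patch not yet certified
    certify(hardened_app)
    print(attempt(hardened_app, "y = COMPROMISED.append('pwned') or 0"))
```

The attack never touches the code that was measured; it arrives as data at runtime, which is exactly how a worm hits an already-running, already-certified service. The gate only helps once the fix exists and has itself been certified.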

A switch to this “Trusted Computing” environment would not solve
the trust issue.  Software and hardware manufacturers would still not be
liable for any damages incurred.  Society must stay vigilant about
what computers do and monitor them.  The stakes are far too high to
trust our computers just yet.

Rejected Harvard applicants say school’s reaction to Web page “hack” excessive

What happened here is something referred to in my industry as script kiddies.  One “hacker” finds a loophole and writes instructions or a program that reproduces the vulnerability.  He feeds it to others who are not as skilled and they can “hack” in at the push of a button.  119 script kiddies attacked the ApplyYourself web site trying to find out if they had been admitted early.  A rabid user of the Business Week forum posted what seemed to be a recurring, and totally untrue, meme.

“Its easy to speculate on the motives and thoughts of those who did from a safe position, but “not having a link” doesn’t make something confidential”

This is not correct.  Yes, the page was available via the public-facing Internet.  So are the credit card numbers you enter into Amazon and other e-commerce web sites; one merely needs to know how to manipulate the database from within the web application.  If you heard that you could access a list of credit card numbers by entering a “special URL”, wouldn’t using it be unethical?  Actually, it would also qualify as illegal in most countries.

Another simple example is a web server’s password file.  A long time ago directory traversal was a common problem with web servers.  The vulnerability allowed one to “traverse” backwards through directories by inserting “../” sequences into the URL.  On older UNIX-based servers the hashed passwords for every user account were kept in /etc/passwd.  So if the server was affected by this bug then

http://www.vulnerablesite.com/../../../../../etc/passwd would display everyone’s username and hashed password. Tools like John the Ripper could then crack the newly purloined hashes.  So here is a case where one simply entered a URL to a file that “didn’t have a link”, yet I think it is widely held that this activity would be considered illegal and unethical.
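
To make the traversal bug concrete, here is an added example (my own illustration, not code from any real server): a naive path resolver that glues the request path onto the document root, beside a hardened one that decodes, normalises and then refuses anything that ends up outside the root. The document root /var/www/html and the helper names are assumptions; the request paths are the article’s “../” example plus a percent-encoded variant.

```python
import posixpath
from urllib.parse import unquote

WEBROOT = "/var/www/html"   # assumed document root for the examples


def resolve_naive(url_path, webroot=WEBROOT):
    """Vulnerable: appends the request path to the document root without normalising it."""
    return webroot + "/" + unquote(url_path).lstrip("/")


def where_it_lands(url_path):
    """The file the OS actually opens for the naive resolver's path (dot segments collapsed)."""
    return posixpath.normpath(resolve_naive(url_path))


def resolve_safe(url_path, webroot=WEBROOT):
    """Hardened: decode once, normalise, then require the result to stay under the root."""
    decoded = unquote(url_path)
    candidate = posixpath.normpath(posixpath.join(webroot, decoded.lstrip("/")))
    # The trailing "/" matters: without it "/var/www/html2/..." would pass the prefix check.
    if candidate != webroot and not candidate.startswith(webroot + "/"):
        raise PermissionError(f"path escapes document root: {url_path}")
    return candidate


def check(url_path):
    """Run the hardened resolver and report ('ok', path) or ('denied', None)."""
    try:
        return ("ok", resolve_safe(url_path))
    except PermissionError:
        return ("denied", None)


if __name__ == "__main__":
    for p in ("/index.html", "/docs/../index.html",
              "/../../../../../etc/passwd", "/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"):
        print(f"{p:45} naive -> {where_it_lands(p):25} hardened -> {check(p)}")
```

Normalising before the check is what defeats the encoded form: a server that compares the raw string against “../” misses “%2e%2e/”, while one that decodes and collapses the path first sees both requests land on /etc/passwd and refuses them.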

I work as a consultant who is paid to find security holes in web applications (obviously I was never hired by AY) and most of the issues I find could be construed as public files.  Not to belabor the point, but when Adrian Lamo, the “homeless hacker”, was arrested for breaking into the NY Times and using their Lexis-Nexis account, he was accessing it via special URLs too.

There was a lot of chatter in the Business Week forum about a lawsuit against HBS.  I find it unlikely that an attorney would bother taking up this cause.  One poster asked,

“Does HBS have it anywhere in writing that figuring out how to access the site through changing links is grounds for immediate rejection, and did any applicant sign that statement?  Probably not.  Thus, no contract was established that applicants agreed not to use obvious loopholes to access their own files earlier than the set date.”

An interesting argument.  I would imagine that HBS has the authority to deny applicants on whatever grounds it sees fit, so long as it does not violate civil rights.  This issue has nothing to do with race, color, sex, sexual orientation, religion, age, national or ethnic origin, political beliefs, veteran status, or handicap.  It is based on what HBS believes to be impaired judgment.

Let’s assume for a moment that one of these future leaders saw a post somewhere that claimed to allow “special access” to a potential client’s contract database.  The database was housed on a law firm’s not-so-secure website and was not supposed to be viewed by anyone except the law firm and its clients.  This future leader enters the web application to see whether or not he has won the bid and, upon seeing that he hasn’t, calls in a lower price.  Is this illegal?  It’s questionable, but I would lean towards yes.  Is this unethical?  Absolutely.

“For all that to be trumped by a poor decision made in the middle of the night is incredibly unfair,”  

This is a very fair statement for all concerned.  It is unfair and unfortunate.  From HBS’s perspective, though, this incident served as a quick litmus test for one of the biggest traits I like to see in business leaders: ethics.  From what I’ve read, about 900 students are admitted to each class.  For those 900 slots THOUSANDS apply each year.  I would imagine that more than 900 are qualified to attend, which puts HBS in the unfortunate position of rejecting perfectly qualified candidates.  These 119 students simply made the task easier.

I’ll leave you with this thought.  Of all the analogies I read, the best one supposes that “200 students are waiting around in the admissions office when the person behind the desk runs out on an emergency. The filing cabinet behind the desk has a clear label stating ‘Admissions: Acceptance List’.  A few students walk behind the desk and open the cabinet and peek inside.  Little do they know the entire thing is captured on a video camera overhead.  Upon seeing this the review board rejects all the students involved.”

FBI Spam contains trojan and the future of spam detection

I had actually seen this email a few times in my spam catches.  The come-on is that the FBI has been monitoring the sites you visit and here is a list of the naughty ones.  It had never occurred to me that the FBI would have a statement about this, but as it turns out the press room did issue one regarding the monitoring of people’s personal surfing habits.

Recipients of this or similar solicitations should know that the FBI does not engage in the practice of sending unsolicited e-mails to the public in this manner. 

That statement says nothing about whether they are watching or not.  Of course it doesn’t, because they can and do watch.  The fear of this Big Brother reality likely caused many people to open the attachment.  It was likely a .zip overflow or a trojan hidden inside the archive file.  The latter seems to be a very popular method of slipping past anti-virus devices.  Many companies these days install large appliances on the perimeter of the network to catch viruses and trojans before they even reach the mailbox.  Packaging the malicious code in a .zip or .rar file lets the sender smuggle the payload past the inspecting devices.  There is a huge performance cost to consider if every single .zip file has to be unpacked and inspected.  Even worse, some of the viruses are smart enough to password-protect their .zip files and put the instructions to open them in the message itself, so the gateway cannot look inside at all.
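
A perimeter device does not have to choose between inflating every archive and ignoring them. As an added example (my own code, not any vendor’s scanner), the following Python reads only a zip’s central directory, which is cheap, and flags the signals the paragraph describes: members marked encrypted (the password-protected trick), members with executable extensions, nested archives, and absurd compression ratios. The fixture builder is constructed for the example; since the standard library cannot write encrypted zips, it flips the “encrypted” flag bit by hand to simulate one. The extension lists and the 100:1 ratio limit are assumptions.

```python
import io
import zipfile

RISKY_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs", ".js")   # assumed policy
NESTED_EXT = (".zip", ".rar")
MAX_RATIO = 100   # assumption: anything compressing beyond 100:1 is treated as a bomb


def scan_archive(blob):
    """Inspect a zip's central directory only; member data is never inflated."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return [("malformed", "")]
    with zf:
        for zi in zf.infolist():
            name = zi.filename.lower()
            if zi.flag_bits & 0x1:            # general-purpose bit 0: member is encrypted
                findings.append(("encrypted", zi.filename))
            if name.endswith(RISKY_EXT):
                findings.append(("executable", zi.filename))
            if name.endswith(NESTED_EXT):
                findings.append(("nested_archive", zi.filename))
            if zi.compress_size and zi.file_size / zi.compress_size > MAX_RATIO:
                findings.append(("bomb_ratio", zi.filename))
    return findings


def build_zip(members, mark_encrypted=False):
    """Constructed fixture: build a zip in memory, optionally marking members encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    blob = bytearray(buf.getvalue())
    if mark_encrypted:
        # Set bit 0 of the general-purpose flags: offset 6 in each local file header,
        # offset 8 in each central directory entry. Fine for a tiny fixture; a real
        # tool would walk the structures rather than search for signatures.
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = blob.find(sig)
            while pos != -1:
                blob[pos + off] |= 0x01
                pos = blob.find(sig, pos + 4)
    return bytes(blob)


if __name__ == "__main__":
    clean = build_zip({"readme.txt": b"hello"})
    lure = build_zip({"fbi_report.exe": b"MZ" + b"\0" * 200000}, mark_encrypted=True)
    print("clean:", scan_archive(clean))
    print("lure: ", scan_archive(lure))
```

Reading the directory costs a few kilobytes per message no matter how large the members are, so the policy decision (quarantine encrypted or executable members, cap the ratio) can be made before anything is decompressed. It still cannot see inside a password-protected member, which is the whole reason the trick works; the point is to refuse such mail rather than to pretend to scan it.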

This is why I believe the advocates of S/MIME, S/POP and other encrypted email standards will face very stiff opposition.  If we encrypt all email messages then the perimeter devices can’t search them for viruses; scanning would have to move to the endpoint, after decryption.  This would also create a utopia for spammers, since their Viagra-laden messages would slip by as well.

Hey look it’s Vin Diesel’s phone number

The first reporter on “the scene” was Kevin Poulsen, an ex-hacker turned journalist.  I had read about the case earlier when the story broke that Operation Firewall was turning up the heat.  Operation Firewall was a separate operation by the Secret Service to capture identity theft rings.  As they were monitoring certain IRC channels for information they started seeing internal Secret Service documents traded like baseball cards.  This did not bode well.
The damage to T-Mobile should be massive as far as reputation and security are concerned.  I have a feeling that since the Secret Service was involved, and does not want to share in the embarrassment, not many will be the wiser.  The only people I know for sure understand the effects of this massive hack are those who were lucky enough to make it into Paris Hilton’s address book.  One of the major advertising points for the Sidekick is that all the data is stored on T-Mobile’s servers in California.  A list, which I have seen with my own two eyes, of every person in her cell phone’s address book was published to underground sites last week.  I have friends who actually bothered calling some of these numbers.  I mean, who wouldn’t want to talk to Anna Kournikova?  Rumor has it her voice mail box filled up fast.  Another rumor holds that the daughter of notorious gangster John Gotti, Victoria, was out on a date the night the numbers were released from their elite private circles.  Since her mother didn’t want her daughter to be out of touch she refused to cancel the service, which means Victoria must have answered hundreds of phone calls that night from would-be pranksters.  I guess in my old age I’ve lost some of my edge, because I don’t think I’d have the balls to prank call the daughter of a serial killer.
But these are the troubles of the rich and famous.  What about everyone else?  All the information, including notes taken on the devices, was available to the hackers who had access to T-Mobile’s servers.
This could include credit card information, social security numbers and addresses.  California’s breach notification law, SB 1386, is the only reason we know about it.  Even so, the Secret Service was able to delay disclosure of the breach for months (maybe a year??) for its ongoing investigation.  As Kevin Poulsen noted, “The Secret Service played both victim and investigator” for this crime.  So my question is this.  When California instituted a no-smoking law for indoor and public spaces, states flocked on board.  When are other states going to pass laws similar to SB 1386?  Corporation after corporation has had to come into the spotlight, tail between its legs, and admit to getting hacked.  Without this law who knows how many social security numbers would have quietly found their way into the underground, their owners only finding out that their identity was compromised when they applied for a new mortgage or car loan.
As a side note, the pictures from Paris Hilton’s camera were also stored online.  This was more frightening than anything else.  If I’m taking personal photos with my camera, and let’s just say hers were .. intimate, I really would not want them uploaded and stored anywhere.

[Editor’s note: I am also the editor, so this is more like a PS.  I don’t know what an enclosure URL is.  I also find it amusing that Ms Hilton is the focus of so much attention.  I honestly think she loves that her private details were released to the public.  The notes from her Sidekick show a woman obsessed with scandal and time in the limelight.]
[Editor’s note 3/2005: I changed the Anna Kournikova link to a more “work safe” Google image search.]