[LUG] shellshock to the rescue

Hello again!

I've been strangely quiet on the list for a week, especially for one as
exciting as this has been with so called Heartbleed v2, but this has
only partly been due to a truly hellish 7 day bender of 18+ hour
consecutive workdays and much more because some little **** managed to
game live.com 50% of the way into taking over this email account. I
still haven't figured out how, let alone why, they managed it but they
somehow got as far as managing to change the fallback recovery
email/phone confirmation details to ones they controlled. Stupid
Microsoft. To be fair, predictably I declined to provide a real email
account, let alone mobile details, to MS when I registered this account
so I might have partially brought this on myself but nonetheless when
the security details reset procedure is triggered on a live.com account
after a few days it will completely lock you out unless you can jump
through their hoops. Considering I had submitted null@xxxxxxxx and
01234567890 as my mobile two factor auth details on account creation I
suddenly found myself in a bit of a bind when mr.meowski@xxxxxxxx
stopped accepting my unique, randomly generated 16 character password
string. Bugger. Normally I'd just shrug my shoulders, toss the account
and move on but I rather like my comrade meowski alias, and I don't like
people messing with my stuff. It took until last night and part of today
until I could properly engage with this thanks to work chaos
(ironically, mostly dealing with the very same shellshock fallout that
turned out to be my unlikely saviour) but finally I uncorked a nice
bottle of single malt yesterday, rolled up my sleeves, and turned on
full BOFH mode.

Note: I'm very tired, profoundly depressed, and have now polished off
most of the rest of my bottle of Ardbeg so this is probably going to be
a long, rambling post full of grammatical and spelling errors. Feel free
to skip the whole lot. It's a damn sad saga.

I don't know if any of you had to go through the whole Kafka-esque
surreal nightmare of security detail changes on a live.com/outlook.com
account before but it's a uniquely painful and bizarre experience. Once
it's triggered (say as the valid owner of an account, you want to change
the designated backup/reset email account details you initially provided
to a different one) a one month count down begins and after apparently
two weeks into the reset procedure if you haven't moved on any further
into the multiple steps required your original password stops working
and the account locks out. Griefers like to game this to effectively DOS
people out of their Microsoft accounts (especially vicious if you're a
Win8 user who signs into their PC with that user ID). Normally
griefers/twats/script kiddies would get this information from one of the
increasingly many mass account detail dumps hackers drop on pastebin
every other day but I don't know what happened here: I do tend to annoy
a lot of people online and have a very long list of enemies at this
point but this seemed a bit excessive to me. I don't reuse passwords
ever and after that last fiasco with the embarrassingly hacked Yahoo
account that I used to use here I've been even more careful than usual.
IMAP clients simply stop working at this point, but logging into the
live.com portal with your now useless old password will at least let you
know that someone has triggered a security detail reset procedure on the
account and until it's resolved, you're not getting in. A complex dance
of entering information, getting confirmation codes delivered to a
designated account, verifying, counter-verifying and generally banging
your head against the wall must now be carried through to the bitter end
before anyone gets back in, whether that's the original owner or some
miserable little **** from 4chan. I could at least tell from the guarded
info MS were giving me that the account hijack wasn't completed, and
they were apparently stuck at the same stage as me: partial access, but
locked out of proper control. Damn.

Microsoft star out most of the designated recovery email address so I
couldn't read all of the unfamiliar one that had somehow replaced my
retrospectively ill-advised entry of null@xxxxxxxx but it did give me
enough to take to google and do some digging. Finding the unwisely
distinctive although partially obscured email@xxxxxxxxxx string was
surprisingly easy once I started using google's inurl:, some regex and a
bit of common sense. To my surprise, I found them on a RAT forum: this
probably meant the ******* little **** thought I was a girl and was
angling for some boobie shots, at the least. This made me very, very
angry. I don't mind being mistaken for a girl (has happened a lot: I'm
physically not very big and have long hair) but this whole RAT
phenomenon is a different level of scummy and pathetic. Time to get
serious. Bonus: the enemy was obviously stupid. Even basic research on
this list's archives via the very email he was attacking would have told
them that I am not a girl and am in fact a scruffy, entirely
unattractive and not particularly young male. With a monumentally bad
attitude and a vindictive streak a mile wide. And 20 odd years of *nix
sysadmin and general hackery under my belt.

Google and Shodan let me sniff out more interesting things. The
offending email was running on a private mail server on a domain that
wasn't registered with any of the many hosting companies that I have a
friend at so no easy access, but one of the many throwaway unsavoury
"bulletproof" host providers that this particular class of scum tend to
use their stolen credit card details to register with. But I did have an
IP: recon time. I left my machine running a low and slow probe
redirected through some obfuscation methods and retired for the night.

Today's resumption got off to a good start: by the time I finally was
free to check back in, I could instantly tell everything I needed to
know from the results even though it was only half done. Because I spend
half of my life security auditing and remotely battering my company's
products, I know a not fully updated CentOS box from a mile away. 6.5
with kernel-2.6.32-358.23.2. Outdated sendmail, probably a scripted
wizard install. Lazy script kiddie. Judging from the port responses it's
running a well known C&C type subsystem, with a whole bunch of hacked up
CGI stuff to handle his nefarious activities. I have a collection of
tarballs with Zeus and all the usual suspects to hand, and it didn't
take me long to figure out which particular tools he'd also bittorrented
and half-assedly implemented. Hmm, let me think...

An out of date CentOS box. Misconfigured sendmail. Dodgy CGI scripts,
apparently not even modified from the (two year old) commonly available
and not even very good crimeware bundle. This can mean only one thing,
especially considering what has just hit this week.

SHELLSHOCK TIME!

Rarely have I turned 180 degrees so quickly. After cursing it all week
as I scrambled to patch, fix and bandaid our work **** like my life
depended on it, I knew I had exactly what I needed right in my lap. Now
don't get me wrong: I'm no genius hacker (hell, I'm not a hacker at all,
just a sysadmin who likes security stuff) but I do have through work
fully paid up Metasploit and Canvas frameworks, and early access to the
modules they'll be releasing shortly. Trust me, when you're dealing with
this level of moron and you've got even half finished tools like that
and a brand new, unpatched vuln as bad as shellshock remote rooting a
box isn't exactly rocket science. I did some testing in a VM I mocked up
to replicate his system as accurately as I could, enlisted some
intrigued friends considerably more talented than me to smooth out some
weird issues I couldn't sort out myself and cut it loose. I couldn't
initially get root but I did rapidly get in via the dumbass CGI hole,
and then Canvas had a privilege escalation exploit that I'd been dying
to use anyway that wouldn't have worked if the tard had just run yum
update every now and then anyway. But luckily it did. BOOM REMOTE ROOT.

Post-exploit is actually my favourite bit anyway. I'm not really skilled
enough to engineer the actual 0-days myself but once I'm in I know what
I'm doing: reverse TCP stager, injected meterpreter into a suitably
juicy PID and cleaned up all the logs and crap I'd already triggered
whilst breaking in. Snooping around at my leisure I found gems like a
failed attempt at GRSEC'ing the box (haha, really?), SSHD moved to a
random higher port but still accepting root and interactive password
logins instead of keys (LOL) and the history file was, well, priceless.
Less amusingly, even with this level of retardation, his home directory
(in this case home = /root: genius) had a surprisingly alarming
collection of evidence in it, basically everything you'd expect: lots
and lots of porn, cracked windows software, rubbish cams of recent
hollywood films, outdated crimeware bundles, stolen credit card/ID
lists, you name it. What did really piss me off was despite this
shocking level of script-kiddie stupidity, he'd either somehow managed
to get, or much more likely paid for on his RAT forums, genuine access to
a few "slaves" as they call them. Pics, audio, vids, the lot. He'd
accidentally archived his chat logs (forgot to change his IRC program's
default settings for god's sake) which proved to be some of the most hair-
raising things I've seen for a while. What the **** is wrong with some
people today? They were pure, deep nastiness.

By this point several of my friends are involved, and mostly speaking
they're smarter and more skilled than me. With some help, I tore that
box apart and readied the traps - access logs already told us when the
little **** was likely to SSH in although irritatingly he completely
broke habits and actually logged in completely unexpectedly whilst there
were about 5 of us still in the machine - initially we thought we were
busted but it turned out he was just connecting quickly from a phone
over a VPN to bittorrent.... more pron. Good grief. Luckily, he was
using a jailbroken iPhone, and an old one at that. My friend had no
problems rooting that and dropping an APT backdoor, which made it a lot
easier to start doxing him properly. He at least had enough sense to use
Tor when he connected via his home PC later which would have been a
problem, if by that time we weren't listening to his phone's audio
anyway and tapping his GPS location (bizarrely, turns out he lives about
10 minutes away from a friend of mine in Birmingham - genuine coincidence).

This is where the ethical dilemmas really kicked in. The one thing that
really, REALLY presses my buttons is victimising or abusing people for
nothing but sexual titillation, or the power trip. But when it's done
with a profit motive as well, to sell on and perpetuate the cycle of
abuse like you're selling a damn car or a commodity or something that
really makes me go full nuclear. By this point I'd forgotten about the
stupid email account hijack that started the whole sorry affair and was
arguing for full-on life-ruining. Now we had his facebook, email,
twitter and everything, a real ID, place, name and lots and lots of
evidence. Blackmail and destroy I was thinking. Let's really, really
crush him. And then we finally got into another couple of vulnerable
devices (thank you TP-Link and Sony) in the household, dumped everything
and discovered he was a 14 year old boy.

Shit.

That's pretty much the end of this disastrous episode. We had a Very
Serious Talk together, and have agreed to wait until tomorrow before
acting. I'm on night watch because I like to stay up anyway and the
missus is on her usual night shift at the hospital, just to intervene in
case of any active RAT attempts or anything like that. We pretty much
crippled his box to be on the safe side but as it happens he hasn't even
noticed: Meterpreter tells me he's watching the extremely unsavoury pron
files he downloaded earlier, the muffled iPhone audio tells me he's
probably shagging his strangely soggy pillow. Mercifully, there is no
video feed. Two others are bringing the dox up to 100%, consolidating
all our findings and evidence and waterproofing everything. Tomorrow,
the calmest and most empathetic of us will have everything they need to
hand when they stick a one-use only PAYG SIM in a burner phone and call
his parents for another and very different kind of Very Serious Talk.
The little ****'s Dad is a parole officer of all things, and his Mum is
a part time teacher. At a girls school. They seem like nice, balanced
people so god knows what the hell went wrong with the kid - maybe
they're the opposite of helicopter parents. It does look like they both
work long hours and as an only child, little **** probably gets to spend
a lot of time at home with unfettered internet access. It's all a bit
out of my hands now as it's passed into an unexpectedly morally
ambiguous and confusing realm - I guess we'll gauge the reaction of the
parents first, send them any evidence they need and see what they do.
The Police don't seem like much of an option considering his age, our
anonymity and the slight issue that we probably broke several orders of
magnitude more laws than he did by chasing him down and breaking into
his digital life with overwhelming firepower. I felt elated when I
initially rooted his VPS: got the bugger! Now I know that five highly
skilled and motivated professional adults coordinated to hack a single
dumb **** 14 year old script-kiddy's dirty little hobby I just feel
depressed. I thought my week at work had been bad, but this is one hell
of a way to finish it :[

But, I did get my mr.meowski account back, which is how you're receiving
this tale of woe. 0-days, misguided kids and sexual exploitation, all
connected by the internet. How the hell did it come to this?

This took a long time to type because well, it's long, and I've been
watching realtime logs and meterpreter with half my attention. And I
long since finished that bottle of Ardbeg. Little **** seems to have
gone to bed now anyway, and someone else is taking overwatch until
morning when the phone call from hell will take place. "Hello? I am an
anonymous hacker. No, not that Anonymous, just a person who can hack and
who doesn't want to reveal their identity. Your 14 year old son is an
out of control script-kiddy, budding pervert and a total little ****.
Amongst other things he likes to spy, manipulate and exploit young girls
online. I've already put all the evidence you need to see on the Samsung
laptop downstairs in the kitchen, which incidentally you'll need a new
password to login to because I changed it last night whilst rooting
through your entire life history. Sorry."

*sigh*

What have I learnt from this?

Hacking shit is NOT glamorous. It used to be, but it isn't now.
I'm definitely no longer a hacker. Things have changed so much.
Teenagers are terrifying*. In every way. The boys are worse.
Parents should really, really get their shit together.
These days, literally any moron can wreak havoc on the internet.*
Using a Microsoft account for anything is insanely stupid.*
There can be an upside to 0-days. Who knew?
A degree in Philosophy does not help in the horrors of real life.*
Ardbeg is my favourite single malt. Peaty.

Goodnight everyone.

I have rarely felt so miserable in my entire life - I think this is
perhaps what they call snatching defeat from the jaws of victory.
Pyrrhic victory, at that.

mr.meowski@xxxxxxxx


* anything marked thusly I knew already

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq