Chapter 2: The Lagos Creeper Box

Laura19

It all started five years ago ”he was working for an IT security development house, in charge of providing the glue between the developers and project management teams . As a side line hobby to keep the boredom at bay, he slowly became involved in the hacking scene ”writing his own code, tinkering with code he copied from projects at work, hanging out in the right IRC channels, and participating on covert mailing lists. Life was peachy ”with no real concern over who he annoyed with his hacking efforts, he owned systems on a regular basis.

The problems began when he read the mail of girl he met on IRC who called herself Laura19. She studied computer science at the University of Sussen; the same university where he studied electronic engineering. He had seen her on campus and from day one had a thing for her. He suspected that she disliked him, something that irritated him immensely. Having had access to the password file on one of the university s main UNIX machines, he put his machine to the task of cracking her password. It took a while, but after a couple of days Jack the Ripper struck gold - he had it. He proceeded to log in to the host with her password and page through her e-mail. It was seriously spicy ”she was having relationships with two students at the same time and the e- mails they exchanged were hectically sexually charged. One night on IRC, Laura19 was dissing him in the public channel again. He had a couple of beers, was tired and depressed, and wasn t in the mood for getting his ego trampled on again. It was time for revenge . He opened her mailbox and started copy-and-pasting her mail to the public channel. After every paragraph he would add some cheesy comments.

In the end it was she who had the last laugh . The short version of events was this ”Laura19 had a nervous breakdown. She also had very rich (and overly protective) parents. Her dad blamed her nervous breakdown (with good reason) on Charlos and his IRC session, and dragged him to court. The court threw out the case, but Charlos lost his job, and the local newspaper (where her mom worked) had a field day with the story. Now nobody would touch him ”he applied for several jobs but as soon as potential employers recognized his name they would suddenly lose interest. To top it off his girlfriend read the newspaper article and promptly dumped him.

In those days he lived off the money he had accumulated during the previous years. He rented a small flat in a seedy part of town, ate junk food, drank black tea (his milk never lasted since he didn t have a fridge ), and buried himself in his hobby. He cancelled his normal telephone line and his mobile phone contract because the only people he cared to talk to were online and not IRL. He lost interest in anything outside of his Internet connection. When his cash flow got tight he sold his TV and his car ”he could walk to the McDonalds and supermarket . In real life he wasn t going anywhere . He told his family that he was working on a project for Microtech in the East, and mailed them every month from a hotmail address. When his friends (now quite worried) would come over to his flat he would pretend not to be there. Life continued like this for nearly 18 months. Then his cash ran out, the space heater ran out of diesel , and he caught bronchitis.

He was hospitalized and nearly died. When he recovered he had a huge amount of debt. He couldn t sell anything else simply because he didn t have anything else to sell. And there wasn t any money coming in. The turning point in his life came when he was asked by someone on IRC if he could recover a password. The person had a Microsoft Word file that was password protected and lost the password. Charlos normally would do it for free but he was pressed for cash and asked the person $350 to crack the password. To his total surprise the stranger agreed.

He used $50 for food and paid the rest to his debtors. It was the fastest $350 he made in last year and a half. And so it turned out that he registered a hushmail account and posted will break any system ”price negotiable on all the mailing lists where he hung out. There was a flurry of responses, most of them copied to the mailing list, most of them people telling him how ridiculous he was. But two days later he received e-mail from a woman calling herself SuzieQ. The e-mail asked if he could obtain access to a mailbox. It was written in clear wording, and looked as if it was written by a person outside of the hacking scene. It also had a telephone number in the signature.

Charlos phoned the number from a payphone. When a woman answered the phone he asked for Suzie. Suzie said that she heard about his services from a friend; she offered $3000 if he could get access to a mailbox located at a little known ISP in Miami. She clearly wasn t technical ”if he could get access to the mailbox, she wanted him to print out all the mail and fax it to her. Upon receiving the first page she would verify that it held valid content and wire half of the funds. After receiving the rest of the pages she would wire the rest. Charlos agreed ”of course he agreed.

His friends at the telephone company told him that the fax number she gave him belonged to a company called FreeSpeak in Miami. Browsing the FreeSpeak Web site, Charlos found a Suzanne Conzales working in the HR department. The e-mail address he had received from Suzie was antonio.c@lantic.com. Her husband? Perhaps her brother or father? Looking it up, he found Atlantic was a small ISP with a shoddy Web site that seems to specialize in dial-up accounts. It was run by a crowd that was clearly not very security aware. Linked from the main page was a site where you could recover your dial-up password if you could answer some personal questions.

Charlos phoned Suzie, took a chance and asked her if she knew what her husband s mother s maiden name was. The shock and confusion in her voice told him that he was right; she was checking on her husband s e-mail account. After getting the necessary details from her he told her that she should get the wire transfer ready and keep the fax line open .

It was easy money, like shooting fish in a barrel. Charlos was totally amazed by the ignorance of normal people. He was amazed at how easily he could obtain information, mostly without any technical l33tness. Life was getting better; he paid off his debt, was eating well again, and was doing ultimately exciting work. Life was peachy; that is, until Antonio Conzales s goons showed up one day on his doorstep and proceeded to knock him unconscious.

Events and timelines quickly blurred as he awoke to find himself on a yacht, looking up at the barrel of a 9mm pistol .

So kid, you like spying on people? the voice said above him.

Charlos mind was rolling, trying to see through the fog of a concussion and blinding headache to the shadow of a man standing before him. He quickly tried to evaluate his situation. He didn t know where he was, or who held the gun, but he did know that the 9mm was moments from going off if he didn t do some talking.

Listen, I don t know who you are, man.

My name is Antonio Conzales, you hacked into my e-mail, and I don t take too kindly to that as you can see. Normally you would be dead already, but I wanted to make sure it was my wife that hired you and not anyone else.

It spun back to Charlos quickly. He tried to look past the muzzle of the gun to the man that was holding it. Making sure to steady his voice, he said,

Yeah, just your wife, I don t know what you re about, I didn t see anything, I was just hired to deliver some information to her.

Charlos could see Antonio was more than just a little angry at him for breaking into his mailbox, and angry at his wife for hiring Charlos to do just that. Antonio seemed to be the type of guy who was very sensitive about his privacy, and as Charlos began to find out, he had good reason.

Well, that s good to know. He said as the gun slowly lowered , But I have a couple more questions I want to ask you before we decide what to do with you.

Antonio Conzales turned out to be into high tech, busty blondes, killing people and throwing them off his boat, and smuggling huge amounts of cocaine into America. The porn (featuring said busty blondes) that he was posting to various mailing lists in fact contained stego-encoded messages to his couriers throughout the country. Naturally paranoid when Charlos hacked into his business, he was also keen to pick up on a potential money-maker when he saw one. Antonio was a dirty player, but not stupid; he saw that Charlos had a talent that could be exploited and he was in a situation where he couldn t say no.

He grilled Charlos on the extent of his hacking capabilities before offering him an ultimatum. For having stuck his nose where it didn t belong, Charlos could either work for him, or sleep with the fishes. For Charlos, the choice was simple: live another day.

Antonio became Charlos s agent after he consulted for him on his network security and set up an international network between various dealers, all communicated via images of naked women. Antonio quickly found himself in a new role as information broker, taking a 20 percent cut of his projects. With Antonio s extensive network of contacts, many in shady places, Charlos would get to do all the fun work and take 80 percent of the contract value.

Over the years Charlos got tired of the whole hacking scene ”the geeks and nerds that call themselves hackers would spend months trying to bypass a firewall, get RAS credentials, or deliver a logic bomb via e-mail. He still had his hacking skill set but now his focus was more on getting the job done on time and less on the technical thrill of a perfectly cool hack. He found that hacking with real criminal intent was much more effective if you walk into a corporation with a suit and tie, sit down at an unoccupied cubicle , plug in a notebook, and walk out without a trace. And going physical always had that extra rush ”he pushed the envelope to the point of having technical staff log him into their routers and security staff opening server closets.

Once inside he would map the network via SNMP (as most companies never set community strings on internal routers) and use his gentle asyncro portscanner to find boxes open on juicy ports such as 1433 (Microsoft SQL) or 139/445 (Microsoft RPC). Using standard ARP cache poisoning he would try to sniff credentials going to POP3/IMAP servers, hashes of credentials to domain controllers, or even just good old Telnet passwords going in the clear. Most companies never patch their internal boxes; in his toolbox Charlos would have a bunch of industrial strength exploits. Armed with a network map, some credentials, and this toolbox he walked out of many large corporations with minutes of meetings, budget spreadsheets, confidential e-mails, and in the case of the job in Stockholm, even source code. Although such a semi-physical attack worked wonders, he still saw the merits in a methodical, covert approach. In fact, his current project started a month ago, back in the United States.