Part 3: How Do They Do It?

Case Study: How Boris Met Anna's Need for Art Supplies

ANNA was a 22-year-old Russian artist who spent most of her summer days touring the Russian countryside painting oil landscapes on canvas. Her paintings were modest, but she used bold and brilliant colors that resembled some of the work of Monet, her idol. She had inherited a studio when her father died two years earlier. There she displayed her artwork and invited locals to view it.

At the time, Russia was struggling politically and economically and purchasing art was considered a luxury. She had sold only one painting in the past month and for only a few rubles. Anna's best opportunity to make money was in minor commissions from people who wanted a specific scene or portrait to be painted. But she didn't even have enough money to purchase the necessary paints and brushes to do a single painting. As a result, and for the first time, Anna was worried about feeding herself and her two-year-old daughter. She had never been this poor.

Boris, Anna's childhood friend, was a computer technician who in his spare time dabbled in the underground world of computer hacking. He rarely spoke of it with Anna, but she knew. Boris liked his job, because it paid the bills, but his true passion was in the world of cyberspace, hacking company Web sites for fun and showing off for his friends. He had one particular skill that was considered "elite" at the time: He could purchase products online for significantly reduced prices, and he never got caught.

Boris knew that Anna was having a hard time and would often stop by her studio on his way home.

"Hello Anna. Any bites today?" asked Boris as he made his way up the two flights of stairs.

"Yes," Anna responded somberly. "An old man came to the studio today and wanted me to paint a hillside near his home. He offered $500 in hard currency." Anna's tone was controlled, almost without emotion despite the price being as much as she had ever hoped to be offered for one of her paintings. "But I don't have the paint or canvas to complete it."

Boris responded, "Don't worry Anna, I have a plan." He asked softly, "What exactly do you need to do the man's painting?"

"I need oils and an 80 cm by 55 cm canvas. I need at least 30 tubes of various colors. And I need more cleaning solution for my brushes. Why?"

"Never mind that," Boris said curtly. "What colors exactly?" Anna proceeded to write down the colors for him. She then specified the type of cleaning solution she needed. Boris had helped her in the past, but never to this degree. She was concerned about what he was going to do but was desperate for help.

"How will you get them, Boris?" asked Anna.

"Don't worry about it. I will have them within the week," promised Boris.

Boris rushed home from Anna's studio and fired up his laptop computer, his weapon of choice. He searched for a small online art store in the United States. He knew that small stores were less sophisticated and had few controls in place for catching fraud. So he started poking around, viewing the source code of each page, looking for a particular flaw he found useful in these situations. In less than ten minutes of searching, he found it: a common design flaw involving HTML hidden tags, one that had existed for almost a year and allowed an attacker to alter the price of items online. For example, a book's posted price of $39.99 could be changed to $3.99 or $0.99 or even a negative number. Many Web designers were getting smarter, putting back-end checks in the code to confirm the price of items being submitted for payment by users. But on this particular Web site the attack worked.

Boris got to work, picking the supplies that Anna needed and adding them to his shopping cart. Then he downloaded the HTML source code and proceeded to change the price of each item in the shopping cart: $20 to $2, $50 to $5, and so on. When he was done, he had a shopping cart full of Anna's items, originally priced at $250, for only $16. He punched in the credit card number of Helena Slutskaya, some poor executive who, just that morning, had had her credit card stolen and sent out to Boris's hacker group. Then he hit the Submit button and it was done.

Seven days later, Boris showed up at Anna's door.
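
The back-end check the story mentions, sketched as an added example that is not from the book: the server prices the cart from its own catalog and uses the hidden price field only as a tamper signal. The SKUs, prices, and function names are constructed for illustration.

```python
from decimal import Decimal

# Constructed catalog: the server's own price record (SKUs and amounts are made up).
CATALOG = {
    "OIL-TUBE-RED": Decimal("20.00"),
    "CANVAS-80X55": Decimal("50.00"),
    "BRUSH-CLEANER": Decimal("12.50"),
}
MAX_QTY = 100  # assumed per-line limit


class CartError(ValueError):
    """Raised when a posted cart line cannot be priced from the catalog."""


def price_order(posted_lines):
    """Return (total, tamper_events) for posted cart lines.

    Each line is a dict of form fields as strings: sku, qty, and the hidden
    'price' field the page echoed back. The total comes from CATALOG only;
    the posted price is compared purely for detection and logging.
    """
    total = Decimal("0")
    events = []
    for line in posted_lines:
        sku = line.get("sku", "")
        if sku not in CATALOG:
            raise CartError(f"unknown sku: {sku!r}")
        try:
            qty = int(line.get("qty", ""))
        except (TypeError, ValueError):
            raise CartError(f"bad quantity for {sku}") from None
        if not 1 <= qty <= MAX_QTY:
            raise CartError(f"quantity out of range for {sku}: {qty}")
        unit = CATALOG[sku]
        total += unit * qty  # never the client-supplied figure
        posted = line.get("price")
        try:
            posted_ok = posted is not None and Decimal(posted) == unit
        except ArithmeticError:  # decimal.InvalidOperation on non-numeric input
            posted_ok = False
        if not posted_ok:
            events.append({"sku": sku, "posted": posted, "catalog": str(unit)})
    return total, events
```

A non-empty event list is worth logging with the session and payment details, since an honest browser never changes the hidden field.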

 



Web Hacking: Attacks and Defense
ISBN: 0201761769
EAN: 2147483647
Year: 2005
Pages: 156
