A New Day - A New Dollar



Sitting in his chair Dex plots, a pot of coffee brewing and the bag of M&Ms on his desk ensure prolonged mental stability. His agenda for the day is empty, boring, and blank. Having just spent a week traveling around with friends he is keen to get back into it all.

"What's been going on?" he wonders while he begins logging into IRC and various news Web sites, eager to find out what new exploits have been released or what scandals have occurred.

"God, what a letdown. I may as well have been gone for another week, nothing fucking happened, a few minor exploits in some random Perl application, why bother," he mumbles to himself.

Long gone was the day when a major flaw was detected in a mainstream daemon such as IIS, SSHD, or BIND every month. "Man, those days were great!" he thought. "Always a new (easy) way to get into a server."

It was more of a challenge trying to stay awake long enough to break into all the companies than it was actually getting in! These days it's a whole new story, with worms exploiting every new security flaw that came out, and the media fish frenzy around every new worm, the general public is exposed to much more information. This has a huge effect on them as they install firewalls and virus scanners, and check regularly for patches and updates from vendors.

By no means does this make hacking hard, but it does remove the trivially easy hacks - the hacks where you don't actually have to try, and you almost feel guilty. The added attention to security also spills even more cash into the ever-saturated world of IT security consultants, breeding more security experts and commercial white-hat wannabe hackers.

Dex goes back to plotting, "What to do, what to do. I need money, how?"

He thought to himself, "Now there are a few marketing companies, mostly spammers, to whom I sell information. They pay top dollar for contacts of people whom they know buy certain products or services, drugs (Viagra, xennax), online casinos, or fatsos who need weight loss products. Any product that can be spammed really, and it's big money for them. Although I don't like the idea of making someone else money, I hate having to send spam myself."

It actually wasn't that easy to send out 10 million e-mails at once, especially with embedded links to hosted pictures contained within. It takes a lot of effort. These days people hated spam so much, and it wasn't an annoyed hate, it was a hateful death-wishing hate, the kind they take very seriously. Out of 10 million e-mails you could expect at least 100,000 complainers; any ISP, upstream provider, or even DNS provider easily could crumble under so many people griping to them.

"Personally, I don't see what all the fuss is about. I get a lot of spam too, I don't get all worked up about it," he thought. "No, it's much easier just to sell user demographic data, get your cash, and leave the spammer to deal with the angry public."

Dex decides to fire off a few e-mails to some friends at online marketing companies and see what their demand is at the moment; money is money at the end of the day. And he really needed some right now.

Hey Ralph,

Been a while hasn't it? I have some spare time now, was wondering if I could help in obtaining some customer contacts for certain high quality products you promote. My usual rate and usual high quality of course. Flick me an e-mail with some desired target audiences if you're keen.

Dex

"I love working with people like this, they are on my level of ethics," he thought. "If I gave them a few million contact details and told them that they all have bought weight loss products in the last year, they will ask no questions and pay top dollar on the spot. I hate questions so much."

He hoped they needed some work done, he was starting to get a little stressed, with a bad habit of spending far too much money on stupid trivial items. Plus, his rent was due in two weeks.

Oh well, fingers crossed.

Dex wanders over to the coffee pot and pours himself another cup of brown silky sludge, "Hopefully a response should come soon, these people don't sleep very much. They probably can't sleep from fear that some irate customer will hunt them down and murder them in their beds for receiving their spam. Well, that's what I hope anyway."

A reply.

Dex,

Yes I would actually be really interested in some marketing audience for a new product we are trying to push (without too much success I might add). I'll give you a bit of background on this product and you see if there is any audience you know of who might be interested in this.

It's basically a fuel tune-up liquid; you pour it into your engine and it decreases wear and tear and increases fuel efficiency. It's cheap too, about half the price of the stuff advertised on TV and it actually works! (I even use it.) Ideally we are looking for car owners, who have bought a car product in the last year over the Internet with their credit card. Let me know what you can do.

By the way, how's the weather there?

Ralph

"Car tune-ups, well it's something new, that's for sure. Sounds like fun, though, I guess," he thought.

Ralph,

I have just the perfect audience for you. Give me a week and I'll get you a few million contacts with full demographics, no worries.

Dex

Well at least I know what I am doing today, and every day for the next week.

Now, he needed to make sure that every person he sold met these requirements; they couldn't just be random people. No, he sold only quality goods; these had to be car owners who had bought a car product over the Internet in the last year with their credit card.

This means that they had to come from legit car product e-commerce Web sites; this brought up a possible interesting problem since he had only a week to do this.

"The best, most efficient way to spend my time would be to focus my attack on a few large Web sites that will give a substantial yield of contacts," he thought.

However, big Web sites usually mean big income, and that results in them taking some security precautions - firewalls, pseudo-smart server administrators, etc. This isn't always the case, but in this day and age with the marketplace seemingly flooded with security experts, money can easily buy some form of decent security.

"No, my hack has to be clean and fresh," he thought.

The best way to do this would be to find a new, previously unpublished flaw in some common component of an auto part e-commerce Web site. This way I can be sure that I control who knows about the flaw, and when they will be told that a patch or update is available. It also makes trying to detect the hack much harder as there will be no IDS signatures or published text on the exploit available.

The worst thing about working with a published security flaw is the fact it's published. Even a secret unpublished exploit is still known to a select few. More people always find out, and you have no control of when they might start upgrading, patching, or reading logs to see if anyone has tried to exploit them yet.

By far the best way is to be in control, find the flaw yourself, tell no one, exploit it as much as possible, and gain as much from it as you can. Then, once finished with it, alert the developer of the possible flaw and publish an advisory about the exploit to warn users to upgrade. By that stage you have already hacked any major site using it, and once they are aware of an existing flaw, they patch themselves, filling the security hole for other possible hackers.

It's a win-win situation, really.

Right now he probably needed to target some Web-based software that would be found on a site that sold car products, preferably PHP-, Perl-, or ASP-based. He preferred it to be running on a UNIX system, though, since he didn't feel like hacking Windows today. It was just a personal choice.

I'll focus this attack on a Web application because it opens the most scope for the attack. If I were to choose a separate daemon running on a port other than 80 I would have to rely on there not being a firewall or router blocking access to that port. I know every Web server will allow me to talk to them on port 80, it's just a matter of turning the Web server into an entry point for attack.

Dex suddenly stopped as a crashing sound at the door penetrated his train of thought. He wandered over and opened the solid wooden door.

"Paul." It was his landlord, no one else calls him by that name anymore. "Some strange-looking guy was poking around your door last week while you were gone. When I asked him what he was doing he just took off. You haven't noticed anything missing have you?"

"No, seems all in place," Paul replied.

"Well, I'll keep an eye out for him, he looks like trouble."

"Hmm, who on earth could that be, someone poking around my door? I can't think of anyone who might want to break in, hell there isn't much here to steal anyway. Odd, I'll have to keep my eyes open," he thought.

Dex sits at his computer again and begins the hunt for attackable scripts.




Stealing the Network. How to Own a Continent
ISBN: 1931836051
EAN: N/A
Year: 2004
Pages: 105