Hacker's Challenge ebook: a book for people learning to become hackers


HACKER’S CHALLENGE: TEST YOUR INCIDENT RESPONSE SKILLS USING 20 SCENARIOS

“Hacker’s Challenge will definitely challenge even the most technically astute I.T. security pros with its ‘ripped from the headlines’ incident response scenarios. These based-on-real-life vignettes from a diverse field of experienced contributors make for page-turning drama, and the reams of authentic log data will test the analytical skills of anyone sharp enough to get to the bottom of these puzzling tableaus.” —Joel Scambray, Managing Principal of Foundstone, Inc. and author of the best-selling Hacking Exposed and Hacking Exposed Windows 2000, published by Osborne/McGraw-Hill

“Hacker’s Challenge reads like a challenging mystery novel. It provides practical examples and a hands-on approach that is critical to learning how to investigate computer security incidents.” —Kevin Mandia, Director of Computer Forensics at Foundstone and author of Incident Response: Investigating Computer Crime, published by Osborne/McGraw-Hill

HACKER’S CHALLENGE: TEST YOUR INCIDENT RESPONSE SKILLS USING 20 SCENARIOS

MIKE SCHIFFMAN

Osborne/McGraw-Hill
New York Chicago San Francisco Lisbon London Madrid Mexico City Milan New Delhi San Juan Seoul Singapore Sydney Toronto

Copyright © 2001 by The McGraw-Hill Companies, Inc. All rights reserved. Manufactured in the United States of America. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher.

0-07-222856-3

The material in this eBook also appears in the print version of this title: 0-07-219384-0.

All trademarks are trademarks of their respective owners.
Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.

McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. For more information, please contact George Hoare, Special Sales, at george_hoare@mcgraw-hill.com or (212) 904-4069.

TERMS OF USE

This is a copyrighted work and The McGraw-Hill Companies, Inc. (“McGraw-Hill”) and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.

THE WORK IS PROVIDED “AS IS”. McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free.
Neither McGraw-Hill nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.

DOI: 10.1036/0072228563

This, my first book, is dedicated to two people: first, posthumously to my father, who kindled my initial romanticism with computers; and second, to my amazing and wonderful girlfriend, Alisa Rachelle Albrecht.

If you know the enemy and know yourself, you need not fear the result of a hundred battles. —Sun Tzu

About the Lead Author

Mike Schiffman, CISSP, is the Director of Security Architecture for @stake, the leading provider of professional security services. He has researched and developed many cutting-edge technologies, including tools such as firewalk and tracerx, as well as the ubiquitously used, low-level packet shaping library, libnet. He has also spoken in front of several institutions and government agencies such as NSA, CIA, DOD, AFWIC, SAIC, and army intelligence. Mike has written articles for Software Magazine and securityfocus.com, and contributed to Hacking Exposed.

About the Contributing Authors

Mohammed Bagha is known throughout the industry as one of the foremost experts on computer security in the world today.
Years of real-life experience compromising systems and solutions thought to be airtight give Mohammed a unique perspective in the field of security architecture and operating system design and internals. He has developed many innovative techniques and tools in the areas of network and host penetration, as well as improving upon existing ones. Mohammed is currently employed by NetSec, Inc. in Herndon, Virginia as a Senior Network Security and Penetration Engineer.

Douglas W. Barbin, CISSP, CPA, CFE, is a Principal Consultant for Guardent, Inc. He has been dedicated to incident response, forensics, and investigations his entire career. Starting as a forensic accountant and quickly segueing into high-technology crime and network investigations, he has provided forensic services to Fortune 500 companies and government organizations in a large variety of operating environments. At Guardent, Doug is a practice leader in Incident Management and Forensics, responsible for leading Incident Response teams as well as establishing internal methodologies, procedures, and training. He has managed large efforts, including Internet worms (sadmind, Code Red I and II, and Nimda), employee misconduct, theft of intellectual property, and numerous external intrusions. Doug also assists companies in building internal incident management and forensics capabilities. Prior to Guardent, Doug worked in the investigative practice of a Big-Five firm specializing in computer forensics and electronic discovery.

Dominique Brezinski works in the Technology group at In-Q-Tel. He helps evaluate companies for potential investment, tracks current technology trends, forecasts technology futures, and works with the CIA to understand current and future areas of technology interest. Prior to joining In-Q-Tel, Dominique worked for Amazon.com.
His responsibilities there included intrusion detection, security incident response, security architecture, and guidance on a billion-dollar business line; vulnerability analysis; and secure development training. Prior to Amazon.com, Dominique worked in various research, consulting, and software development roles at Secure Computing, Internet Security Systems, CyberSafe, and Microsoft.

David Dittrich is a Senior Security Engineer at the University of Washington, where he’s worked since 1990. He is most widely known for his work in producing technical analyses of the Trinoo, Tribe Flood Network, Stacheldraht, shaft, and mstream distributed denial of service (DDoS) attack tools. Most recently, Dave has been researching UNIX computer forensic tools and techniques, and led the Honeynet Project’s Forensic Challenge, in which the security community was challenged to complete a detailed forensic analysis of a compromised UNIX system. He has presented talks at multiple security conferences including the USENIX Security Symposium, RSA 2000, SANS, and Black Hat. He was a recipient of the 2000 SANS Security Technology Leadership Award for his work in understanding DDoS tools.

James R. C. Hansen of Foundstone, Inc. is an internationally recognized expert on network intrusion investigations, with over 15 years of investigative experience. James served 11 years as a Special Agent with the Air Force Office of Special Investigations, with his final assignment as the Deputy Director of the Computer Crime Program. He directly supervised all network penetrations into U.S. Air Force and select Department of Defense systems. He personally investigated many of the high-profile cases and testified in the United States and internationally. James was a regular guest instructor at the National Defense University and the Department of Defense Security Institute.
He also provided computer crime training to several federal investigative agencies. As a field agent with OSI, Jim conducted counterintelligence and criminal cases, specializing in undercover operations. He has also had extensive experience in economic crime investigation.

Shon Harris, MCSE, CCNA, CISSP, is a security consultant and network integrator who is currently in the National Guard Informational Warfare unit, which trains to protect, defend, and attack via computer informational warfare. She was a Security Solutions Architect in the Security Consulting Group, where she provided security assessment, analysis, testing, and solutions for customers. Her tasks ranged from ethically exploiting and hacking companies’ Web sites, internal LAN vulnerability assessment, perimeter network vulnerability assessment, security architecture development, and policy and procedure consulting. She has worked as a security engineer for financial institutions in the United States, Canada, and Mexico. She also teaches MCSE classes at Spokane Community College. She is the author of The CISSP All-In-One Certification Exam Guide, published by Osborne/McGraw-Hill.

Keith J. Jones is a computer forensic consultant for Foundstone, Inc. His primary areas of concentration are incident response program development and computer forensics. Keith specializes in log analysis, computer crime investigations, forensic tool analysis, and specialized attack and penetration testing. At Foundstone, Keith has investigated several different types of cases, including intellectual property theft, financial embezzlement, negligence, and external attacks. Additionally, Keith has testified in U.S. Federal Court as an expert witness in the subject of computer forensics.

Eric Maiwald, CISSP, is the Chief Technology Officer for Fortrex Technologies, where he oversees all security research and training activities for the company.
Eric also performs assessments, develops policies, and implements security solutions for large financial institutions, services firms, and manufacturers. He has extensive experience in the security field as a consultant, security officer, and developer. Eric holds a Bachelor of Science in Electrical Engineering from Rensselaer Polytechnic Institute and a Master of Engineering in Electrical Engineering from Stevens Institute of Technology. Eric is a regular presenter at a number of well-known security conferences and is the editor of the SANS Windows Security Digest. Eric is also the author of Network Security: A Beginner’s Guide, published by Osborne/McGraw-Hill.

[...]

INTRODUCTION

HACKERS VICTIMIZE CAL-ISO

June 09, 2001, By DAN MORAIN, Los Angeles Times Staff Writer

SACRAMENTO—For at least 17 days at the height of the energy crisis, hackers mounted an attack on a computer system that is integral to the movement of electricity throughout California, a confidential report obtained by The Times shows. The hackers’ success, though apparently limited,...

... using China Telecom, hackers entered the system by using Internet servers based in Santa Clara in Northern California and Tulsa, Okla., the report says. James Sample, the computer security specialist at Cal-ISO who wrote the report, said he could not tell for certain where the attackers were located.

Copyright 2002 by The McGraw-Hill Companies, Inc.

... summer of 2001, a simple query at cnn.com over a three-month time period revealed articles with titles such as

• Aggressive new worm threatens users
• Hacker forces bank to cancel Visa debit cards
• New virus spreads using Adobe Acrobat files
• Russian hackers arrested
• Who’s reading your instant messages?
• Pentagon says it is under daily computer attack
• Analysts: Any website can be a hacking target

...

... chewie.hacker.fr W3SVC1 WWW-2K WWW-2K.victim.com 80 GET /scripts/ / /winnt/system32/cmd.exe /c+dir+c:\ 200 730 484 3 1 www.victim.com Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98)
03/03/2001 4:01 chewie.hacker.fr W3SVC1 WWW-2K WWW-2K.victim.com 80 GET /scripts/ / /winnt/system32/cmd.exe /c+dir+d:\ 200 747 484 3 1 www.victim.com Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98)
03/03/2001 4:02 chewie.hacker.fr... www.victim.com Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98)
03/03/2001 4:02 chewie.hacker.fr W3SVC1 WWW-2K WWW-2K.victim.com 80 GET /‘mmc.gif - 404 3387 440 0 www.victim.com Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98)
03/03/2001 4:02 chewie.hacker.fr W3SVC1 WWW-2K WWW-2K.victim.com 80 GET /mmc.gif - 404 3387 439 0 www.victim.com...
03/03/2001 4:03 chewie.hacker.fr W3SVC1 WWW-2K WWW-2K.victim.com 80 GET /scripts/ / /winnt/system32/cmd.exe /c+dir+d:\wwwroot\ 200 4 113 492 47 www.victim.com Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98)
03/03/2001 4:03 chewie.hacker.fr W3SVC1 WWW-2K WWW-2K.victim.com 80 GET /buzzxyz.html - 200 228 444 16 www.victim.com Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98)
03/03/2001 4:03 chewie.hacker.fr W3SVC1...

... incidents involved mischief; anti-American slogans were scrawled on government Web sites. The attack on the Cal-ISO computer system apparently had the potential for more serious consequences, given that the hackers managed to worm their way into the computers at the agency’s headquarters in Folsom, east of Sacramento, that were linked to a system that controls the flow of electricity across California. The...

... there was no connection between the hacking and the outages, which affected more than 400,000 utility customers. After the attack was discovered, the report says, investigators found evidence that the hackers apparently were trying to “compile” or write software that might have allowed them to get past so-called firewalls protecting far more sensitive parts of the computer system. —Courtesy of the Los...

Timothy Mullen is the CIO and Chief Software Architect for AnchorIS.Com, a developer of secure, enterprise-based accounting solutions. Also known as Thor, Timothy was co-founder of the Hammer of...

... (and was likely the impetus for) Challenge 2, “The Insider.”

Friday, March 02, 2001, 21:00 AM

Late one Friday evening, the 24-hour help desk got a phone call. It was a frantic end user stating that hackers had apparently attacked the company’s Web site. Pete, the help desk employee, checked out the Web site and found that it had indeed been defaced. The message read: **** SCRIPT KIDZ, INC**** You, ...

... security work, Nicholas was a Web designer and programmer proficient in ColdFusion and PHP. Nicholas recently spoke at DefCon 2001 in Las Vegas on the topic of Mac OS X Security.

Posted: 22/05/2014, 16:07
