The Boston Diaries

The ongoing saga of a programmer who doesn't live in Boston, nor does he even like Boston, but yet named his weblog/journal “The Boston Diaries.”

Go figure.

Sunday, September 19, 2004

Notes from a Gibsonian novel

From: "SERIOUS SITUATION" <[fake email address]>
To: sean@conman.org
Subject: Referencing: http://boston.conman.org/2004/09/14.1
Date: Sun, 19 Sep 2004 01:18:21 -0500

Sean,

My apologies if any of your time, sanity, peace, or data was lost due to the event. But surely I will clarify any of your doubts with some information about the attacks.

It was a hired job. I was sent to take down the majority of XXXXXXXXX's servers/content and actually infiltrated the XXXXXXXXX network physically. I flew to XXXXXXXXXX, and social engineered my way onto client machines. From there I essentially attained enough credentials that left me able to access the company's client database(s), affiliation(s) database(s) … oh and logins to your servers.

… However, your swift.conman.org (or Mark's rather) was running gentoo with some modifications including tighter suid access on vulnerable binaries on the system, and common misconfigurations through the system were also fixed. Finally, using a kernel attack to sniff the memory of a recent “su” execution, root was caught. As I looked around and tried to assess the situation, I suppose Mark witnessed (from another location perhaps) my SSH login attempts to servers he had access to. In any case, switch.conman.org [sic] was unnecessary but I'm glad Mark's paranoia took it down, because it would have left much more work for me to do on game day. By the way, I still had access to swift.conman.org even after it was patched, I had all known system credentials plus there was a kernel entry using port knocking. So if the server was fixed up and left on, even during Mark's paranoia it still would have been a successful attack on my part. So yes, the compromise of swift.conman.org and the other servers are related. I was sloppy, and Mark is paranoid … I guess I lost that one.

I certainly wasn't expecting this.

There was more, including details about the company we're hosting the sites for, even more details about the attack (but really, when it's an inside job, it's all the harder to prevent) and some details about hardening servers to prevent such an attack from happening (like a link to grsecurity.net which I have to check out, but most of the other stuff is common sense). But this does answer a bunch of questions about the past few weeks of cracking activity.

And how do I know for a fact that this guy is telling the truth? He also included the passwords to several accounts on swift.conman.org. To me, that's pretty conclusive evidence.

A new thing I've learned though—portknocking, something else to look into.

Anyway, I'm typing this as I sit across the street from a cybercafe so note not to waste your time backtracing. This is my job, don't take it personal.

Sincerely and respectfully.

It's tough not to (especially since all this went down while three hurricanes were headed our way) but I guess that's what I get for living in a Gibsonian novel these days.

Update on Thursday, September 23rd, 2004

Just to clarify one last detail: the cracker did not social engineer his way into the colocation facility in Boca Raton or the NAP of the Americas in Miami. The physical access mentioned was to the corporate network of the company (which is not located in South Florida) whose sites were hosted on the servers in Boca and Miami.

Just in case there might have been any confusion on the matter.


Copyright © 1999-2017 by Sean Conner. All Rights Reserved.