Helpful Hackers
How the Dutch do Responsible Disclosure
Chris van 't Hof
Helpful Hackers: how the Dutch do Responsible Disclosure
1st edition 2016
First published in Dutch as Helpende hackers: verantwoorde
onthullingen in het digitale polderlandschap (2015)
Creative Commons 2016, Tek Tok Uitgeverij
Author: Chris van 't Hof
Print: Pumbo.nl
Non-fiction
ISBN 978-90-823462-3-7
This work is published under a Creative Commons Attribution Licence, whereby all or any part hereof may be reproduced, redistributed or reused in any form, physical or digital, without the prior written permission of the publisher or other rightsholders, on condition that such reuse is for non-commercial purposes only and that the author is appropriately credited on each occasion.
www.helpfulhackers.nl
www.tektok.nl
Contents
1. Introduction
The costly lessons of @XS4me2all
4 June 2014: Frank Brokken, Security Manager at Groningen University, arrives at the World Forum congress centre in The Hague. It is the second day of a conference hosted by the National Cyber Security Centre, which has brought together over a thousand delegates from all parts of the world. They include the Minister of Security and Justice, the directors of the Dutch National Intelligence Agency and the National Cyber Security Centre, leading researchers and captains of industry. The national High Tech Crime Unit is here, as are their counterparts from the FBI. Needless to say, security is tight. But Brokken is not here to rub shoulders with VIPs. He is here to meet the man who, seven years earlier, hacked his university's computer systems.
Brokken looks slightly out of place as he joins the throng of men in suits. I spot him immediately: his large grey moustache and shock of hair set him apart from the crowd. I attempt to put him at his ease. Brokken scours the room, looking for the man he has come to meet. The hacker has not yet arrived, but we are confident that he will show himself before long. I have set up a studio and intend to video the two men's first encounter. The world will soon know the real identity of @XS4me2all, otherwise known as the Groningen University Hacker.
It seems strange that @XS4me2all is willing to come here, the lion's den as it were, to talk about his hack. After all, he wreaked near-havoc, infecting the university's servers and some 250 computers with malware. The cost of the clean-up operation ran into six figures; the damage to the university's reputation was immeasurable. The episode could have seen him arrested. In fact, @XS4me2all has already spent time behind bars for another hack. Today, he will wipe the slate clean. He already knows that Brokken feels no animosity: the security manager has publicly expressed his admiration for a "damn clever hack", from which he and his organization learned many valuable lessons. The university authorities now take information security extremely seriously. Brokken has promised not to press charges, which is why @XS4me2all is now willing to meet him and to speak on camera.
I first met @XS4me2all over a year earlier, soon after I started researching this book. He is now what is known as a penetration tester: someone who tries to break into a computer system with the full blessing of its owner to determine whether its security is adequate. He also hacks in his spare time. He sometimes chooses his targets at random but usually works on tips from the hacker community. @XS4me2all has turned over a new leaf. If he does manage to get into a system, he stops. He does not steal data, he does not manipulate data and he does not add data, malicious or otherwise. He simply contacts the site's administrator to report his findings. Only after the problems have been resolved does he reveal what he has done, so that others can also learn from the exercise. In the jargon, this approach is known as responsible disclosure.
@XS4me2all was able to tell me about several responsible disclosures, most of which had been reported in the media. But there was one case about which he had remained tight-lipped: the Groningen University hack. We agreed that I would interview him, write the story and check it with him before making any details known to anyone, including the university. I promised not to reveal his name. I set up an anonymous Twitter account, @XS4me2all, through which we could keep in touch. We agreed that his identity would be revealed only if the university gave a firm undertaking that no further steps would be taken in the matter.
At this time, @XS4me2all was still living in student accommodation on the outskirts of Amsterdam. As a professional penetration tester, he could afford somewhere better. Before long he did indeed move into a real apartment, but for now our meetings were held in the same small, dingy room from which he had perpetrated the hack itself. Its floor was strewn with computer manuals. On the one and only table were various documents bearing the crest of the Ministry of Justice. In 2008, he had been sentenced to eighteen days' detention for computer misuse and membership of a criminal organization. We shall return to this episode later. But first, the Groningen University hack.
February 2007: @XS4me2all is twenty years old. He is officially a student but not at Groningen. In fact, it is a long time since he last deigned to attend a lecture. He spends his days and nights trawling the internet, looking for new hacking methods and identifying ever bigger targets. He does it purely for kicks. But he is learning far more than he ever would from classes or lectures. @XS4me2all considers universities to be particularly interesting targets. They have super-fast internet connections, which he can use for his own ends. He decided to explore the Groningen University website.
The first thing he noticed was that the network included an online print server. It was password-protected, but the password was not stored in plaintext: what he could see was its hash value, the output of a one-way hash function. For an unsalted hash computed with a fast function, that is enough. Countless internet sites publish rainbow tables: precomputed tables of hash values from which the original plaintext password can be recovered without having to guess it afresh. He soon found a match: the password was S4k1nt0s! All he needed now was a username. He tried admin. He had guessed correctly: he could now log in to the server and explore whether admin had access to other online resources. Indeed, he (or she) did: to practically all servers belonging to the same faculty.
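The trick in the paragraph above, reduced to working code as an added illustration (this is not the book's or the hacker's material; the password space, hash function and chain length are toy assumptions chosen so that it runs in a moment): a miniature rainbow table over three-letter lowercase passwords hashed with unsalted MD5. The table stores only the two ends of each hash-reduce chain and recomputes the middle on lookup, which is the time-memory trade-off that lets a website serve a table covering billions of passwords. The same lookup against a salted hash misses, because the chains were built for the wrong input.

```python
import hashlib
import itertools
import string

# Added example: a miniature rainbow table (the standard Oechslin construction)
# over a toy password space. Assumptions, not from the book: 3 lowercase
# letters, unsalted MD5, chains of 100 steps.
ALPHABET = string.ascii_lowercase
PW_LEN = 3
SPACE = len(ALPHABET) ** PW_LEN          # 17 576 possible passwords
CHAIN_LEN = 100


def H(password: str) -> bytes:
    """The fast, unsalted hash the table is built for."""
    return hashlib.md5(password.encode()).digest()


def R(digest: bytes, step: int) -> str:
    """Reduction function: map a digest back into the password space.
    It depends on the chain position, so chains that collide at different
    positions do not merge (that is what makes it a 'rainbow' table)."""
    n = (int.from_bytes(digest[:8], "big") + step) % SPACE
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def chain_element(start: str, i: int) -> str:
    """The i-th password of the chain beginning at `start`."""
    pw = start
    for step in range(i):
        pw = R(H(pw), step)
    return pw


def build_table(starts):
    """Return {endpoint: [starts]}. Only the two ends of each chain are kept,
    which keeps the table small; the middle is recomputed on lookup."""
    table = {}
    for start in starts:
        table.setdefault(chain_element(start, CHAIN_LEN), []).append(start)
    return table


def lookup(table, target: bytes):
    """Recover the password whose hash is `target`, or None if uncovered.
    Assume the target sits at position i of some chain: reduce it forward to
    that chain's endpoint, look the endpoint up, then walk the candidate chain
    from its start to confirm (this rejects false alarms from merged chains)."""
    for i in range(CHAIN_LEN - 1, -1, -1):
        pw = R(target, i)
        for step in range(i + 1, CHAIN_LEN):
            pw = R(H(pw), step)
        for start in table.get(pw, []):
            cand = start
            for step in range(CHAIN_LEN):
                if H(cand) == target:
                    return cand
                cand = R(H(cand), step)
    return None


def salted_hash(password: str, salt: bytes) -> bytes:
    """What defeats the table: a per-user salt means the precomputed chains
    were built for the wrong input, so every lookup misses."""
    return hashlib.md5(salt + password.encode()).digest()


def demo_table():
    """Every 61st password in the space as a chain start: ~290 chains."""
    starts = ["".join(c) for c in itertools.islice(
        itertools.product(ALPHABET, repeat=PW_LEN), 0, SPACE, 61)]
    return build_table(starts)


if __name__ == "__main__":
    table = demo_table()
    victim = chain_element("aaa", 7)          # a password the table covers
    print(victim, "->", lookup(table, H(victim)))
    print("salted:", lookup(table, salted_hash(victim, b"s4lt")))
```

A lookup can also miss simply because the password lies in no chain, so a real table is sized for a target success rate over its password space. The defence is the last line of the demo taken further: a per-user salt plus a deliberately slow function (bcrypt, scrypt or Argon2) makes any published table worthless.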
Our hacker then repeated the hash and rainbow table trick for other systems, discovering that some admins had access to several different faculty websites. The overlap allowed him to move quickly between them. He noticed that all were administered with the same tool: Novell's ConsoleOne, which was also accessible online. The system admins could update all systems remotely. By now, so could @XS4me2all. Via TCP port 1761, he could penetrate the deepest recesses of Groningen University's network from the comfort of his student accommodation in Amsterdam.
But @XS4me2all was not yet satisfied. Rather than hacking every server and computer individually, which is a very time-consuming process, he decided to target the image and install server. This bit of kit allows the system administrators to upload back-ups or updates to the network. As each user logs in, the updates are automatically installed on his computer. And so is any malware that has been uploaded by a hacker. Each and every computer becomes infected. Within a month, @XS4me2all had full access to every computer, every folder, every file. On a few computers, he installed malware which had all the characteristics of a keylogger, just to see if it would work. But he didn't use it because he didn't have to: he could go anywhere, see anything. He found the Wake-on-LAN function particularly entertaining. It allowed him to turn on or wake up any computer on the network remotely, despite being almost two hundred kilometres away. He took to doing so at random times in the middle of the night. Picture the scene: the cleaners are working away and suddenly all the computers spring into life. Great!
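Whichever management console triggers it, Wake-on-LAN comes down to one unauthenticated UDP broadcast: the "magic packet", six 0xFF bytes followed by the target's MAC address repeated sixteen times. The following is an added example, not code from the book, that builds such a packet and recognises one in captured UDP payloads; the sample payloads are constructed for the illustration, and the broadcast send function is included for completeness but not run by the demo. Because the packet has to originate inside the broadcast domain, a foothold like the one described above is exactly what it takes, and a magic packet seen on a segment nobody should be waking at three in the morning is worth an alert.

```python
import socket

# Added example (not from the book): build a Wake-on-LAN magic packet and
# recognise one in UDP payloads. Format: 6 x 0xFF, then the MAC x 16; an
# optional 6-byte SecureOn password may follow. Sent to UDP port 9 (or 7).
SYNC = b"\xff" * 6
MAGIC_LEN = 6 + 6 * 16   # 102 bytes without the SecureOn trailer


def parse_mac(mac: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or 'aabbccddeeff'."""
    hexstr = mac.replace(":", "").replace("-", "").lower()
    if len(hexstr) != 12 or any(c not in "0123456789abcdef" for c in hexstr):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(hexstr)


def magic_packet(mac: str) -> bytes:
    """The payload that wakes the NIC with address `mac`."""
    return SYNC + parse_mac(mac) * 16


def wol_target(payload: bytes):
    """Return the MAC a magic packet targets, or None if the payload is not
    one. Checks the sync stream and that all 16 repetitions agree; any
    SecureOn trailer is ignored."""
    if len(payload) < MAGIC_LEN or payload[:6] != SYNC:
        return None
    mac = payload[6:12]
    if payload[6:MAGIC_LEN] != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)


def send_magic_packet(mac: str, broadcast: str = "255.255.255.255", port: int = 9) -> int:
    """Broadcast the packet on the local segment; returns bytes sent.
    Not called by the demo below."""
    pkt = magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return s.sendto(pkt, (broadcast, port))


# Constructed sample: UDP payloads as a capture tool might hand them over,
# only some of which are magic packets. The MAC addresses are made up.
SAMPLE_PAYLOADS = [
    magic_packet("00:1c:c0:12:34:56"),
    b"GET / HTTP/1.1\r\n",
    magic_packet("00-1C-C0-AB-CD-EF") + b"\x00" * 6,            # SecureOn trailer
    SYNC + bytes.fromhex("001cc0123456") * 15 + b"\x00" * 6,     # truncated/corrupted
]


def wol_targets(payloads):
    """MACs woken by the given payloads, in order, skipping non-WoL traffic."""
    return [m for m in (wol_target(p) for p in payloads) if m is not None]


if __name__ == "__main__":
    for mac in wol_targets(SAMPLE_PAYLOADS):
        print("Wake-on-LAN to", mac)
```

The detection side is deliberately strict about all sixteen repetitions: a NIC will only wake on an exact match, so a payload with fifteen copies and garbage is noise, not an attempt.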