ASSIGNMENT: Find an accomplished ethical hacker for a contract
LOCATION: Woodside, CA
CLIENT: A large technology company
Note: Parts of this post have been redacted or changed to obscure certain identifying details. John isn’t the candidate’s real name. The car wasn’t white. Technology explanations and clarifications are in square brackets.
SUMMARY: I was tasked with finding a skilled ‘white hat’ hacker (i.e. an ethical hacker, with or without a CEH certificate) for a specific task, which I can’t disclose. The client was one of the most affluent, influential senior executives on the U.S. West Coast. Tracking down candidates and reference checking took a month, and compensated skills proofing (e.g. “find the data files that pertain to X project at this physical address [a distant, client-owned complex]”) took another couple of weeks. Three candidates were short-listed; this is the one that eventually got the gig, which was difficult and lucrative. This was the second day of the face-to-face interview, and getting to know him had been fun. The first morning, after showing me how he detected that a foreign company had installed a backdoor on his client’s server, he secretly turned on the notebook microphone in the rival COO’s office so we could hear a meeting going on (“This is trivial, and don’t judge. It’s his own medicine!”). After the demonstration he described how the weirdest thing he ever hacked was an in situ anesthesia device. Acknowledging my alarmed expression over this, he shrugged and, grinning, said, “Hey, come on, it had an Internet connection! I couldn’t just ignore it!” A genuinely scary point. Funny guy though.
***
The white Lamborghini coasted to a stop. The young driver, John, looked over at me and said, “Well, that didn’t sound good!”
It was a vast understatement. A few moments before we had been screeching along Skyline Boulevard above Palo Alto, California. The day was beautiful. No traffic. The sound of the ridiculously expensive car was intoxicating.
Then the fun stopped with a loud POP and a weird screech, followed by eerie silence. We were going fast enough that we were able to coast off Skyline and down a side road surrounded by massive redwoods. It was mostly dark and moist, with pools of light on the narrow lane.
A minute later we were standing behind the low car looking down into the opened rear engine compartment. The engine was making a cracking sound as it cooled off. It was smoking and smelled bad. We weren’t going anywhere.
John looked up at me with his boyish face, “What do you think?”
All I could do was nod and say, conclusively, “Expensive.”
He pulled out a phone. In two days I hadn’t seen this one. It was an old flippy, almost an antique (and therefore devoid of a GPS chip). In a resigned voice he said, “Yeah. I figured. I’ll call him.” He walked a short distance away into a shaft of light between the tall trees and called the car’s owner. As he walked back he looked as normal as any mid-20s kid could look. Nikes, jeans, a t-shirt with a snowboard brand on it. “He’s sending a flatbed,” he said, closing the phone.
“Is he pissed?” I asked.
“Nah. He just wanted to know who was driving. I told him it was you,” he answered, laughing and sporting a prankish grin.
“Gosh, thanks,” I said, not knowing whether to believe him.
We leaned against the inert car.
“So, where were we?” he asked.
“The most fun you’ve had with a hack.” He had been thinking this over when the Lamborghini’s monstrous V12 engine decided it had had quite enough.
“That’s hard to say because I try to make them all ‘fun’. Even the state-sponsored stuff, which can be creepy. But, from a pure amusement perspective, I’d have to say my first paid gig, which came from an acquaintance of a professor at school. It wasn’t hard because the target was fairly careless, but the hunting, discovery and kill thrills were certainly there. I miss that rush. It was primal.”
“Who was it for?” I asked.
He looked over and laughed. “Really?”
I had to laugh too, but at myself for asking. “Ok, tell me what you can.”
He thought a few moments then said, “I was hired by the CEO, who was fairly certain somebody just below the C-suite was passing on the goods to a competitor in Europe.”
“How did the CEO know?”
“The IT guys had discovered an unusually clever backdoor [a way into the servers that bypassed security], which they immediately patched. In retrospect they should have left it and watched it, but by policy they simply killed it. It was mentioned nominally later in a weekly memo to the corner offices.”
“This was the heads up to the CEO?”
“Well, that’s the thing. It was routine and he didn’t give it much thought. Then the next week, as he was walking down the hall to a conference room, he stopped into somebody’s office to ask a question. Unfortunately, or fortunately, depending on your perspective, the guy was in the restroom. As the CEO waited he noticed the dude’s notebook screen was displaying the TOR browser screen. The CEO had heard about TOR and had the presence of mind to check the browser’s bookmarks for .onion sites, and the only thing bookmarked was TOR mail.” John paused a moment then asked, “You ever use the dark web?”
I nodded.
“Under what circumstances?” he asked.
“I’ve taken a couple assignments to locate and participate in hidden deep and dark web sites where pissed off employees were selling or swapping various forms of inside information.”
“You ever use bitcoin?” John asked.
[Explanation: Bitcoin is a pseudo-anonymous digital currency often used to pay for goods and services on the deep web. If something is illegal to own (use your imagination here), you can probably buy it with bitcoin. Same with services. That said, plenty of legitimate companies are adopting it due to its natural security and low-friction transfer properties.]
“I’ve been paid with them a couple times, plus I ran an early mine. I’ve seen company secrets for sale priced in bitcoin. The dark web is a crazy place. It’s the Wild West in there. Huge and spooky,” I said.
“Exactly. So why would this guy be playing in there? Especially when he later insisted he simply stumbled across TOR.”
I laughed. “Nobody simply ‘stumbles’ across TOR,” I said. “Obviously he was up to something. The CEO probably made him right there with the BS.”
“Well, at least there was now a possible explanation for some things a competitor had done,” John said.
[Explanation: The TOR browser is used for anonymous web browsing and allows access to hidden parts of the web, called the “deep web”, that most people don’t even know exist. Used properly, TOR provides near-perfect anonymity while browsing by encrypting your web page calls and bouncing them through servers all over the world. Along the same lines, TOR-based e-mail is almost impossible to trace back to its source if you stay in the TOR environment. Anti-regime political activists (e.g. Arab Spring) commonly use these tools, as do criminals, disgruntled employees, etc.]
“Who owned the employee’s computer?” I asked.
“The company.”
“Why didn’t they just take it and have a look? If it’s clearly the company’s property there is no realistic expectation of privacy.”
“True, but that would be too obvious. The CEO didn’t want the guy to know he was being looked at until the right moment. That’s when I came in, because he couldn’t task anyone in his company since it might get back to the well-liked guy and he would just try and destroy the evidence.”
“So, what did you do?”
“I dropped some nice malware onto the computer and remotely had a look. The only thing suspicious was an encrypted volume that was hardly hidden and had an innocuous name. But you have to ask yourself, if the contents are innocuous, why go to all the trouble to encrypt the file container? Why not just use a good password on the individual files? So I tried to brute force the container open but, of course, that’s tough and can take a while. So with the client’s permission I crashed the notebook hard enough that, after a couple days of trying to fix it himself, the guy left it with the evening IT crew to fix, which they did. After they delivered it to the guy’s office after hours, the CEO’s trusted assistant picked it up and brought it into her office where I was waiting. And this is when it got seriously fun.”
“How so?”
“Because it turned out this guy was a lot smarter than the CEO gave him credit for. When I took out the Vaio’s battery there was a sticky note stuck to it. It said ‘If found call such and such number’. Sure enough, with some jiggling of the spaces, that was the pass phrase that unlocked the file container. Initially I thought it was pretty lame…or really smart. I called the client and we reviewed the two files I found. Important design IP, but not something you would protect beyond physical control of the notebook plus a decent password. But I had a hunch. I started looking everywhere for something else. I KNEW there had to be something else on the encrypted drive but I couldn’t see it. It was driving me nuts.”
“Maybe it was on a thumb drive someplace else. I’ve recovered locked USB drives and they can be a bitch, and that’s assuming you can even find them in the first place.”
He smiled and pointed to me. “Close! What I figured he had done, or was done for him since it’s tricky, was make the real files invisible. You know, make another container, a hidden one, within the one I had just busted open.”
I nodded. “’Plausible deniability’. Nice!” I said, impressed.
“‘Nice’? Are you kidding me? Back then I was a noob and thought it was freak’n awesome! Even if the guy was confronted by his boss, all he had to do was give up the password to the in-plain-sight folder that everyone could see. Same thing in court under subpoena. You give up the passwords to files that are only ‘just a little’ embarrassing. It can be impossible to prove the real stuff even exists. It’s just noise on the disk.”
“What did you do to find the hidden volume? I thought that was impossible without the password?”
He laughed. “It pretty much is, but I was on a roll and the guy was, in fact, an idiot. So on a hunch I did another brute force starting with the pass phrase he used to lock the first container. With the head start it was a trivial break and the files just suddenly appeared on the screen. I thought it was the coolest thing I had ever seen. I felt like a rock star. I learned later it was just his daughter’s cell phone number. He just substituted it. Dumb. I was out of the place by 4AM. I had a great breakfast with the assistant. Best twelve hours of my life!”
I thought about this a moment then said, “Talk about being a noob. There were a hundred ways to do it better. He should have just put the stuff on an encrypted thumb drive and stashed the thing in his wife’s lingerie drawer. What was in the files?”
“Pretty much the company’s DNA. He was the COO in perpetual waiting for the top spot. So he had everything and he was pissed.”
“What happened to him?” I asked.
“After quietly signing a very long statement he was made available to other employers and, naturally, he went directly to work for the company he was piping the IP to.”
I smiled. “Right. Let me guess who he REALLY works for.”
John laughed, “Yep! You gotta love this valley. We’ve got more Bournes running around than Amazon!”
I knew there was a lot more to the story, but obviously it was a waste of time to ask. I leaned back against the car and looked up at the cerulean sky and the puffy clouds coming up from the coast. This had been fun.
A while later we headed down Woodside Road in the tow truck and had the driver drop us off at the famous Buck’s of Woodside for lunch.
Interesting day. Perfect day.