Stories by MJ

Stories are where memories go when they're forgotten.

The Bank Job: Part 1

I'm reminded of The Bank Job because of the weather. The snow was whipping, a blizzard was on its way, and the wind couldn't decide which way to go. We had been given two days to compromise four sites, and my Man in the Van chose to try and outrun the blizzard. Unfortunately, he timed it incorrectly, and the mountain range pushed it back onto him; it was a giant storm cell.

The previous three sites were easy; I was good to go once I matched the office attire and made a badge at the corner mail depot. The first location was an unexpected victory; I lit a cigarette and stood by the back door, waiting to bow my head and make a hasty entrance. It was bitter cold, but I looked like I was on a smoke break when a friendly person opened the door and courteously held it open for me. I was in! Now, what? I needed intel about the inside of the building, which I didn't have. All I knew was the hum of a nearby data center.

Nearby was a counting room with cash, a bathroom, a break room and closet, and the data center door. They all had the same “L” shaped handle, perfect for reaching underneath the door with a coat hanger I brought in and a small ball of string, a loop wrapped around the end, and the gentle push of the coat hanger under the door to loop the string around the handle and pull it down opening the door. This technique is like playing the toy arm game blindfolded with a limp noodle you can't pull too hard on; otherwise, it'll fall off the hook. Less than three minutes before the nice person who let me in comes by, and wonders why I am on the floor by the server room. I focused on the task, miss. Then another miss. They were followed by more misses and more limp string. Finally, after a few more tries and soaking in sweat, I hooked the handle and rolled into the room.

Seconds later, as I closed the door, I heard the outside door open. Two people were talking about “the new guy who just started,” and having no intel on the location, I correctly assumed that they were talking about me and that I didn't have much time before they asked human resources about the new guy. Luckily I didn't need to pick any locks and got to business quickly. The location was, as most data closets are, a complete mess with tons of opportunities to hide a small device and connect it. All I needed to do was figure out where the network jack was that I needed and some power. All over the floor were power supplies, so check that one off the list; finding the core switch was easy; it's the only one with professional cabling on it. Plugging that in, I called back to my Man in the Van and asked him to check for traffic over the DNS network we were creating. The network admins helpfully provided dynamic addresses, so I immediately got a hot IP. Lo and behold, they also offered DNS entries. If this was a model for every location, this was going to be a very successful week.

Continued in Part 2


The Bank Job: Part 2

After planting the call home box, which is a dumbed-down way of saying an IP over DNS with an overlayed tinc VPN that we made bespoke for this client because they claimed everything was locked down and we needed a backup, which became our primary because why not? We contemplated poking a NAT hole in the network, and we could make a higher quality tunnel, but this worked for what we needed, which was a latency-tolerant call home that asked for a package to run, which started the high latency error prone (yes, we eventually used par2) delivery of instructions.

Device planted, the network being mapped, and I out the back door like an unstoppable ox; I made it back to the truck, and we started off to site two. After a few miles, I pulled over and laughed hysterically at the scenario that had just played out. I could've played it cool for my compatriot, but this job is too fun to not enjoy.

The second site had the same layout as the first one, but they had construction going on, so I tossed on a vest hard hat, and walked through the front door, was buzzed through w/o a second glance, and the data closet was precisely where it was supposed to be. This time I asked politely for the door to be opened “because we're running cables,” and I was given the lock code because they were heading out to lunch and I may need to get back in. Wait... roll that back... “I may need to get back in?” Oh no. Oh Yes! Yes, the back door was the same PIN and the same at the third location.

At this point, I let down my guard a bit but kept focused on the task at hand, “plant a device and get out,” with a secondary of “get whatever information you can on your way to and out.” Unfortunately, the bank manager for the third site didn't recall any construction, and I should've just used my sport blazer and vest.

This complicated things for the fourth site.

Continued in Part 3


The Bank Job: Part 3

Day 2

The fourth site was forewarned.

This was okay, as I was supposed to get caught; this wasn't intended to be a successful engagement but instead a test of their emergency/crisis response system that everyone had just been trained in.

I tried to look as conspicuous as possible to look disarming, but they were on high alert. I had come prepared; the hotel's print/fax/multi-function printer was broken and printing garbled print jobs, but I made a Letter of Authorization just in case something went wrong. Which, of course, this did. When I was asked to “come back in 15 minutes, ” I knew the gig was up, but it was still salvageable.

Driving around the neighborhood and spotted a cruiser parking near the back entrance that I should've just used, and I expected to be led out in handcuffs before the day was through. Instead, I walked back in, gleaming smile, clipboard in hand, writing down names and looking as official as possible. Moments later, I'm in a vice president's office, chastised by the police for “scaring the poor bank manager” as they look over the Letter of Authorization I printed.

At that point, the manager was called in, told I was an auditor, and I gave them the Chief Auditors card, which I took off his desk and was promptly given back to me. At that point, I asked if I could make a call to let them know about the incident and shushed them out of the room, which everyone gladly did.

This left me with two possibilities, do I call this done, or... I took out my netbook and plugged it into the outlet, which had privileged access because it was a Vice Presidents' office, and plugged a second system into the SCTP network from the VoIP phone. This allowed me to connect through their local network to each of the other three network scanners and print out the results from the office I was in. Just for giggles, I also mapped the printer subnet and grabbed some examples from a little printer/cups filesystem mapped with FUSE on top.

Finally, with reams of evidence in hand, I walk out, thank them with a handshake each, and leave out the employee entrance. As I walk out, I'm told, “You can't get out that way. You need the PIN code” I enter the one from the first three buildings and walk out, thanking them for their time.

Lessons learned?

When interviewed afterwards the first three sites were unaware anything untoward was going on. It wasn't until the slip with the unscheduled maintenance that the situation was revealed and all of the sites were alerted. From a defensive perspective the communications channels were exemplary once the detection was made. This emphasizes that prevention is nice, but detection is imperative if an attacker is going to be stopped.


A Study in Magenta

The day started like any other one; rolling over and falling out of bed, hitting my head on the nightstand as I did so. This has happened more times than I would like to admit. However this time it was accompanied by a small voice coming from a little flat box seemingly asking “Hello? Are you there?” to which I snapped into Incident Response mode and answered “Yes, how may I help you?” while grabbing a pen and paper as a headache started to creep in.

The voice on the other end of the little flat box told me a heartbreaking story about data loss, bad USB drives, and vacation photos followed by: “I was told if anyone could recover them, you could.” “Oh, that's nice, who should I thank for the compliment?”

We agreed to meet at a nice cafe nearby and she would bring all the drives she needed to be recovered, I would bring a short contract, and they would pay 50% upfront plus any expenses capped at $1K with no guarantee as data recovery is difficult. They agreed.

I brought with me some static protection bags, some stickers, and a felt tip pen. They brought a pink USB rust drive, a pink SD thumb drive, and a pink nail polish-covered SDHC card from her pink camera in her pink bag. Unsurprisingly they were also wearing a pink faux fir blazer, pink pants, pink sneakers, and a retro P!NK tour shirt. Also, a pink pen for signing the contract and drive seals.

So started the Study in Magenta. At first, the data recovery effort was like any other, a custom USB cord with the write pins snipped and making sure the write block was enabled on the SDHC card. I decided up front that the SDHC card was going to be the last because of the gunked-up nail polish on it which would need to be cleaned off before it was read. The SD thumb drive I estimated would take the shortest time. So it was time to give that good ol' rust drive a workout.

Plugging the drive into the forensics workstation was uneventful as it didn't power up. The disk didn't spin and a quick test from the voltmeter confirmed power was making it to the plug but after that, on the circuit board, the readings were erratic and inconsistent. Simply, the board was bad and I wasn't going to make any progress until I had a functioning spinning drive. So to make her drive work, I bought another of the same brand, model, and specs, and placed her spindle case into the new drive.

Surprisingly, the first time, it worked and the drive was live. I immediately started imaging the drive and went to work on the SDHC card.

The SDHC card was a slightly different beast, after cleaning off the card I was able to see the problem, it had part of a fold in the middle and a small crack in the outside of the card frame. This time however I wouldn't be able to swap in a new board, I had to come up with some other way. So again, I bought a replacement card, and this time I took it apart to understand how it worked and where the damage was. The SDHC card was made up of two IC chips in the back and a wiring harness up front. Luckily, the wiring harness was what was damaged and both of the chips appeared fine, so I started the process of repairing the wiring harness.

This is as much fun as it sounds, trace two sides of a wire and bridge them with a combination of foil and solder. Half a day later I have a readable SDHC card but it now doesn't fit in any slot because it's put together Frankenstein style. So I grab the new SDHC card and make a series of bridges from its connectors to the old connectors and plug it in.

Voila! So my imaging process begins the magenta drives survive and I arrange a meeting to drop off the retrieved files.

In walks a woman that loves magenta. I hand her the drives all professionally wrapped in electrostatic bags, an invoice for the replacement hardware, and hold onto a third drive containing the results and plug it into my portable workstation, and motion for her to start looking at the retrieved files. Her expression was fantastic, happy to get her memories back.

A slight sly look on her face and a question:

“So the names can't you get the names back?” “No, unfortunately, that part of the drive wasn't recoverable” “So can you organize these for me?” “We never look at the data recovered, principle and rule sorry.” “Probably for the best.”


ᴙoᴙᴙim | mirror: Part One

Few things are as scary as data loss due to encryption failure within the information security realm. So frequently, we plan for it, test it, use it, and eventually, bitrot sets in, and it fails. This is why your RAID needs constantly rotating disks, especially when a checksum failure or S.M.A.R.T. error pops up.

No one could be as happy as an engineer with a RAID 15 (1+5) environment where every service is duplicated, any work processes can fail, and your site has procedural queries for everything. Even better, you have a tokenization solution that guarantees you never store credit card information in the clear. The nice thing about tokenization is that it is a rather ingenious use of encryption and hashing; the not-lovely thing about it is that it has a key vault for all the little secrets. Unfortunately, the vendor didn't know how to mirror the servers properly, and they were coming out of sync. This is a problem when you're dealing with time-based key-value stores that weren't matching the key assigned to them. You can see where this is going; my phone rings.

It's the “Under Pressure” opening ringtone, which means it's my mentor and something went wrong. She emails me to schedule anything and texts if it's routine, which means if she's calling from her desk from the caller I.D., there are suits surrounding her looking for a solution, and she's calling me. I answer.

“Hey, how's it going?” “Another beautiful day in paradise; how's the farm?” “Doing great, the horses are happy. We'll have hay to throw again soon.” “Sounds like a great time; what can I do for you?”

We constantly banter like this at the beginning of calls; it drives anyone listening crazy, and we have our little games.

“So, we've got a tokenization system, as you know, for our card processing,” she reminds me to benefit those around her. “Yeah, the system I spec'ed out last year,” I reply “Yeah, it's been performing great,” she hints “Until...” I give in “This morning” Ah fuck. “I'm already on my way, coming from Uptown.”

I pack up my laptop and signal to my waitress that I'm running out, and the approximate amount is on the table. I make it a generous tip; they give me power, caffeine, and company. Plus, it's basically my office away from home.

Continued... soon.