Internal Hacking

by Zenstick

I have seen many articles on hacking machines connected to the Internet.  That isn't what intrigues me.  I am more interested in the effects of hacking on corporate America.

Case in point: I work for a large software company - let's call it JCN.

The company has a large intranet site and uses Lotus Notes for its internal and external mail.  We have highly secure firewalls protecting us from attacks on the outside, and we are allowed almost free rein on the Internet using a group of socks servers.  The general feeling is that we have little to fear from hackers, and the reason is that everyone assumes hackers are on the other side of our firewall.

Corporate America is a place full of grudges, backstabbing, and takeovers.  Is it any surprise that someone might decide to use their knowledge of computers to take advantage of another worker, team, or even their boss? I shall now describe a purely theoretical hack using our corporate network.

The Hack

Let's say that I am a little concerned with my salary.

I believe that my boss is favoring another development team that he is in charge of.  So, since discussion of salaries is verboten, I decide to do a little investigative work of my own.  I decide to compare myself with Robert Smith, a member of the other development team, who I think should have a comparable salary to mine.

I look up Robert Smith in the intranet directory and find his office number.  I fire up my browser and connect to our intranet site that manages all our IP addresses.  I do a search for all IP addresses registered to Robert Smith's office number.  The search returns two addresses, SmithLap, and BuildMachine.

Through my amazing powers of deduction I conclude that SmithLap is Robert's laptop, and BuildMachine is the computer he does his development work on.  In this case I am interested in his personal machine.  The site even says that Robert is running Windows NT on his laptop.

So, connecting with a null session I am able to see the shares on the machine and get a listing of the usernames.  Administrator (duh), Guest (probably disabled), and rsmith (bingo!).  Next step is to try the net use commands to connect to SmithLap and see if we are lucky enough to have a nice easy password for username rsmith.

First I try a blank password.  No dice.  Then I try password.  Nope.  Then the old hacker favorite using the username as the password, and voilà.  At this point I have total access to his machine due to the fact that rsmith is an Administrator account.

So I look through his hard drive and make myself a copy of his Lotus Notes ID file, and copy a keylogger over to his machine.  Now I need to get the keylogger running, so I fire up the Schedule service on my machine and his and add a job to run the keylogger in 5 minutes.

Now it is just a matter of time before Robert types in his Lotus Notes password.  So, I go out to lunch and come back to the office an hour later.  I check the file the keylogger has created and see that he has probably gone to lunch.  This is good news because when he returns he will probably have to type in his password because Lotus Notes will have timed out by then.  So I do some work and check back in half an hour and there it is, the key to the kingdom!  His password is: donthackme.

Now I need to know what server his mail is kept on.  So I fire up Lotus Notes under my ID and do a search for his mail address and it gives me his mail server too.  So then I switch to his Lotus Notes ID, enter his password when prompted, and then connect to his mail server and download the entire contents of his mail database.

I am only really interested in his salary, so I quickly open a folder he has called Payroll.  Sure enough it contains all his electronic pay statements.  I open up the most recent one and find that he makes almost twice as much as me!?!?!  I was right, my boss is favoring the other team.  So I forward a copy of the statement to every development team in the organization.  Now I know my boss can't tell me everyone gets paid around the same at my next meeting with him.

Epilogue

In this situation some salary information was gathered.

It is all too easy to extend the situation to include much more destructive activities, stalking, fraud, etc.  Security is viewed as an inside firewall versus outside firewall scenario, but in today's technology-heavy environment the danger might be just one office over.
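
The chain described in The Hack (a couple of guessed passwords over the network, a successful logon from the same internal machine, then a remotely scheduled job) leaves a recognizable trail in the target workstation's security log. The following is an added example, not part of the original article, showing how a defender could correlate those events. It assumes modern Windows Security event IDs (4625, 4624, 4698) rather than the NT-era ones; the record layout, addresses and timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real logs); the tuple layout is an assumption:
# (timestamp, event_id, account, source_address, logon_type)
# 4625 = failed logon, 4624 = successful logon, 4698 = scheduled task created.
# logon_type 3 = network logon, which is what a remote "net use" produces.
SAMPLE_EVENTS = [
    ("2024-03-04T11:58:02", 4625, "rsmith", "10.0.5.23", 3),
    ("2024-03-04T11:58:09", 4625, "rsmith", "10.0.5.23", 3),
    ("2024-03-04T11:58:15", 4624, "rsmith", "10.0.5.23", 3),
    ("2024-03-04T12:01:40", 4698, "rsmith", None, None),
    ("2024-03-04T12:30:00", 4625, "jdoe", "10.0.7.80", 3),  # lone failure
    ("2024-03-04T13:05:11", 4624, "jdoe", "10.0.7.80", 3),  # too late to correlate
]

def find_guessed_logons(events, min_failures=2, window=timedelta(minutes=5),
                        task_window=timedelta(minutes=15)):
    """Flag network logons that succeed shortly after repeated failures from
    the same source, and note whether that account then scheduled a task."""
    parsed = sorted(((datetime.fromisoformat(t), eid, user, src, lt)
                     for t, eid, user, src, lt in events), key=lambda e: e[0])
    failures = {}  # (account, source) -> timestamps of failed network logons
    alerts = []
    for ts, eid, user, src, ltype in parsed:
        key = (user, src)
        if eid == 4625 and ltype == 3:
            failures.setdefault(key, []).append(ts)
        elif eid == 4624 and ltype == 3:
            # Keep only failures close enough to the success to be related.
            recent = [f for f in failures.pop(key, []) if ts - f <= window]
            if len(recent) >= min_failures:
                alerts.append({"user": user, "source": src, "logon": ts,
                               "failures": len(recent), "task_created": False})
        elif eid == 4698:
            # A job scheduled soon after a suspicious logon raises the severity.
            for a in alerts:
                if a["user"] == user and timedelta(0) <= ts - a["logon"] <= task_window:
                    a["task_created"] = True
    return alerts

if __name__ == "__main__":
    for alert in find_guessed_logons(SAMPLE_EVENTS):
        print(alert)
```

The thresholds are deliberately low because the guessing described above needed only three attempts; on a workstation that normally receives no inbound network logons from peer desktops, even that is worth an alert.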
