The Basics of Trapdoor Hacking

For a programmer, trap doors make sense. If the programmer needs to modify the program sometime in the future, he can use the trap door instead of having to go through all of the normal, customer-directed protocols just to make the change. Trap doors should be closed or eliminated in the final version of the program after all testing is complete, but, intentionally or unintentionally, some are left in place. Other trap doors may be introduced by error and only later discovered by crackers who are roaming around, looking for a way into system programs and files. Typical trap doors use such system features as debugging tools, program exits that transfer control to privileged areas of memory, undocumented application calls and parameters, and many others.

Trap doors make obvious sense to expert computer criminals as well, whether they are malicious programmers or crackers. Trap doors are an easy way to get into a system or to gain access to privileged information or to introduce viruses or other unauthorized programs into the system.

Cases

In 1993 and 1994, an unknown group of computer criminals repetitively broke into systems on the Internet using passwords captured by password sniffers. Once on the system, they exploited software flaws to gain privileged access. They installed modified login and network programs that allowed them reentry even if the original passwords were changed.

In 1996, Philip Myers described the insertion and exploitation of back doors as “subversion” in his MSc thesis at the Naval Postgraduate School.  He pointed out that subversion, unlike penetration attacks, can begin at any phase of the system development life cycle, including design, implementation, distribution, installation and production.

Donn B. Parker described interesting back-door cases in some papers (no longer available) from the 1990s.  For example, a programmer discovered a back door left in a FORTRAN compiler by the writers of the compiler. This section of code allowed execution to jump from a regular program file to code stored in a data file. The criminal used the back door to steal computer processing time from a service bureau so he could execute his own code at other users’ expense.  In another case, remote users from Detroit used back doors in the operating system of a Florida timesharing service to find passwords that allowed unauthorized and unpaid access to proprietary data and programs.

Even the US government has attempted to insert back doors in code. In September 1997, Congress’ proposed legislation to ban domestic US encryption unless the algorithm included a back door allowing decryption on demand by law enforcement authorities moved famed Ron Rivest to satire.  The famed co-inventor of the Public Key Cryptosystem and founder of RSA Data Security Inc. pointed out that some people believe the Bible contains secret messages and codes, so the proposed law would ban the Bible.

More recently, devices using the Palm operating system (PalmOS) were discovered to have no effective security despite the password function.  Apparently developer tools supplied by Palm allow a back-door conduit into the supposedly locked data.

Dumpster Diving

What is Dumpster Diving?

Dumpster diving is a name given to a very simple type of security attack, which is scavenging through materials that have been thrown away, as shown below. This type of attack isn’t illegal in any obvious way. If papers are thrown away, it means that nobody wants them, right? Dumpster diving also isn’t unique only to computer facilities. All kinds of sensitive information ends up in the trash, and industrial spies through the years have used this method to get information about their competitors.

Dumpster Diving in Process

There is another type of computer-related “trash” that we might not consider. In the system itself are files that have been deleted, but that haven’t actually been erased from the system. Computers and users used only to save data, not destroying it, and sometimes some data is saved that shouldn’t be saved. Electronic trashing is easy because of the way that systems typically delete data. Usually, deleting a file, a disk, or a tape doesn’t actually delete data, but simply rewrites a header record. Using MS-DOS, for example, a file can be deleted via the DEL command, however, someone else can retrieve the contents of the file simply by running UNDELETE. System utilities are available that make it easy to retrieve files that may seem to be completely gone.

Although there are methods for truly erasing files and magnetic media, most users who work on large systems do not take the time to erase disks and tapes when they are finished with them. They may discard old disks and tapes with data still on them. They simply write the new data over the old data already on the tape. Because the new data may not be the same length as the old, there may be sensitive data left for those skilled enough to find it. It is far safer to explicitly write over storage media and memory contents with random data and to degauss magnetic tapes.

Cases

One computer company in Texas that does business with a number of oil companies noticed that whenever a certain company asked them to mount a temporary storage (scratch) tape on the tape drive, the read-tape light would always come on before the write-tape light. The ingenious oil company was scavenging the tape for information that might have been put on it by competitors that used the tape before them.

Trashing can have deadly consequences. When some old Department of Justice computers were sold off, they had on their disks information on the whereabouts of witnesses in the Federal Witness Protection Program. Although the data had been deleted, it had not been completely erased from the disk. The DOJ was able to get back some of the computers, but not all, and was forced to relocate the compromised families as a result.

In 1991, spies posed as garbage collectors outside of a U.S. defense contractor executive’s home, dug through trash cans looking for information. One of the collectors was actually France’s consul general and claimed he was collecting fill for a hole in his yard. Upon investigation, the FBI determined that this operation was part of a French secret-searching mission, aimed at finding U.S. military or scientific information.

Then in 1999, two key members of a group called the “Phonemasters” were convicted of theft and possession of unauthorized access devices and unauthorized access to a federal interest computer. This international group of cyber criminals had allegedly penetrated the computer systems of MCI, Sprint, AT&T, Equifax and the National Crime Information Center. The Phonemasters’ skills had enabled them to download hundreds of calling card numbers and distribute them to organized crime groups around the world. Part of their method included dumpster diving and collecting old phone books and system manuals. These tools, combined with social engineering, led to the attacks on the mentioned systems.

In 2000, in a widely publicized case, the CEO of Oracle, Larry Ellison, hired private investigators to dig through corporate dumpsters at Microsoft. This was an effort aimed at finding information about Microsoft’s possible development of grassroots organizations to support it’s side in an anti-trust lawsuit. One of the investigators unsuccessfully tried to pay off a member of the janitorial service in exchange for the garbage of one of these organizations. Ellison held that his actions were a ‘civic duty’, to uncover Microsoft’s secret funding of such groups, but his opponents assert that the incident was distasteful and scandalous.

Microsoft complained that various organizations allied to it have been victimized by industrial espionage agents who attempted to steal documents from trash bins. The organizations include the Association for Competitive Technology in Washington, D.C., the Independent Institute in Oakland, California, and Citizens for a Sound Economy, another Washington D.C. based entity. Microsoft said, “We have sort of always known that our competitors have been actively engaged in trying to define us, and sort of attack us. But these revelations are particularly concerning and really show the lengths to which they’re willing to go to attack Microsoft.”

Saying he was exercising a “civic duty,” Oracle chairman and founder Lawrence J. Ellison defended his company of suggestions that Oracle’s behavior was “Nixonian” when it hired private detectives to scrutinize organizations that supported Microsoft’s side in the antitrust suit brought against it by the government. The investigators went through trash from those organizations in attempts to find information that would show that the organizations were controlled by Microsoft. Ellison, who, like his nemesis Bill Gates at Microsoft, is a billionaire, said, “All we did was to try to take information that was hidden and bring it into the light,” and added: “We will ship our garbage to Microsoft, and they can go through it. We believe in full disclosure.” “The only thing more disturbing than Oracle’s behavior is their ongoing attempt to justify these actions,” Microsoft said in a statement. “Mr. Ellison now appears to acknowledge that he was personally aware of and personally authorized the broad overall strategy of a covert operation against a variety of trade associations.”

During the year 2001, industrial espionage came to light concerning the shampoo market between fierce competitors Proctor & Gamble and Unilever. Private Investigators hired by Proctor & Gamble sifted through garbage bins outside of the Unilever corporation, succeeding in gathering viable information about market analysis, predictions and future products.[16] Upon legal action by Unilever, the two corporations settled out-of-court, because these actions broke Proctor & Gamble’s internal policy on information gathering.

Logic Bombs

What is a Logic Bomb?

Logic bombs are small programs or sections of a program triggered by some event such as a certain date or time, a certain percentage of disk space filled, the removal of a file, and so on. For example, a programmer could establish a logic bomb to delete critical sections of code if she is terminated from the company. Logic bombs are most commonly installed by insiders with access to the system.

Logic bombs are a malicious programming code that is inserted into a network system or a single computer for the purpose of deleting data or creating other malicious acts on a specified date. A logic bomb works similar to a time bomb because it can be set to go off at a specific date. A logic bomb does not distribute malicious codes until the specified date is reached.

How Logic Bombs Work

Logic bombs are created by criminals who are well-versed in computer programming and are generally used to perform acts with malicious intent that threaten network security. The criminal acts include setting a virus to be released into a network system or PC at a specified date or other actions such as deleting or corrupting data and completely reformatting a computer hard drive.

A logic bomb works through a code that is inserted into existing software on a network or in a computer where it will lie dormant until a specific event occurs such as a date or time or other command from the computer programmer. When the bomb finally releases the code it can delete files, send confidential information to unauthorized parties, wipe out databases, and disable a network for a period of days.

Why a Logic Bomb is Used

A logic bomb can be used by a disgruntled employee or other IT personnel that has the knowledge of how to program a logic bomb to threaten network security. Other than targeting a specific computer or network system, a logic bomb can also be used to demand money for software by creating a code that makes the software application into a trial version. After a specific period of time the user must pay a specified sum of money to continue to use the software.

Logic bombs can also be used for blackmail and if the demand is not met, the logic bomb will detonate into a computer system or network to destroy data and perform other malicious acts that are included in the command codes.

Logic bombs are fairly easy to create if you have a lot of knowledge in computer programming and they do not replicate like other malicious programs. For this reason, logic bombs are usually targeted to specific victims and will not spread to unintended victims.

A logic bomb can be rather difficult to detect, however you can take security measures such as constantly monitoring the network system for any suspicious activity, using antivirus applications and other scanning programs that can detect any new activity in the data on a network system. The scanning systems should also monitor the entire network and the individual computers connected to the network.

Cases

A former system administrator for UBS PaineWebber, Roger Duronio, was charged in a New Jersey federal court on charges of sabotaging two-thirds of the company’s computer systems. His alleged motive was to undermine the company’s stock price and make a bunch of money in the process. He is alleged to have shorted over 30,000 shares of UBS stock prior to unleashing his attack which means the potential was there to make 30,000 times the amount by which the stock dropped when the media got wind of the attacks. In a recent stock manipulation case involving Emulex, shares fell 50 percent. Based on the trading range of UBS PaineWebber stock at the time of Duronio’s alleged attack, it is reasonable to say his profits could have exceeded half a million dollars.

The flaw in Duronio’s alleged scheme was the obviously unexpected ability of UBS PaineWebber to prevent news of the attack getting out. This was quite a feat on the company’s part because the logic bombs activated on about 1,000 of its nearly 1,500 computers and the malicious programs did actually delete files. Indeed, the company says attack cost it $3 million.

In the end, the federal grand jury charged Duronio with one count of securities fraud and one count of violating the Computer Fraud and Abuse Act. Duronio was hit with up to 20 years in prison and fines of more than $1.25 million.

In September 1990, Donald Burleson, a programmer at the Fort Worth-based insurance company, USPA, was fired for allegedly being quarrelsome and difficult to work with. Two days later, approximately 168,000 vital records erased themselves from the company’s computers. Burleson was caught after investigators went back through several years’ worth of system files and found that, two years before he was fired, Burleson had planted a logic bomb that lay dormant until he triggered it on the day of his dismissal. Burleson became the first person in America to be convicted of “harmful access to a computer.”

In early 2009, Timothy Allen Lloyd was sentenced to 41 months in prison for leaving behind malicious programs that deleted critical data from the servers of Omega Engineering, a high-tech measurement company that claimed the cost of the attack was $10 million.

According to a report in the National Computer Security Association section on CompuServe, the Orlando Sentinel reported in January 1992 that a computer programmer was fined $5,000 for leaving a logic bomb at General Dynamics. His intention was to return after his program had erased critical data and get paid lots of money to fix the problem.

In 1995, a disgruntled computer security officer at an insurance brokerage firm in Texas set up a complex series of Job Control Language (JCL) and RPG programs described later as “trip wires and time bombs.” For example, a routine data retrieval function was modified to cause the IBM System/38 midrange computer to power down. Another routine was programmed to erase random sections of main memory, change its own name, and reset itself to execute a month later.