
Unmasked - Ars Technica [20]

keys are not as easily compromised as passwords—servers don’t store them, and in fact they never leave the client machine—and aren’t readily re-used (one set of keys might be used to authenticate with several servers, but they can’t be used to log in to a website, say), they are a much more secure option. Had they been used for HBGary’s server, it would have been safe. But they weren’t, so it wasn’t.

Although attackers could log on to this machine, the ability to look around and break stuff was curtailed: Ted was only a regular non-superuser. Being restricted to a user account can be enormously confining on a Linux machine. It spoils all your fun; you can’t read other users’ data, you can’t delete files you don’t own, you can’t cover up the evidence of your own break-in. It’s a total downer for hackers.

The only way they can have some fun is to elevate privileges by exploiting a privilege escalation vulnerability. These crop up from time to time; they are generally flaws in the operating system kernel or its system libraries that can be tricked into giving a user more access to the system than should be allowed. By a stroke of luck (for the attackers), the HBGary system was vulnerable to just such a flaw. The bug was published in October 2010, conveniently with a full, working exploit. By November, most distributions had patches available, and there was no good reason to be running the exploitable code in February 2011.

Exploitation of this flaw gave the Anonymous attackers full root access to HBGary's system. It was then that they discovered many gigabytes of backups and research data, which they duly purged from the system.

Aaron’s password yielded even more fruit. HBGary used Google Apps for its e-mail services, and for both Aaron and Ted, the password cracking provided access to their mail. But Aaron was no mere user of Google Apps: his account was also the administrator of the company’s mail. With his higher access, he could reset the passwords of any mailbox and hence gain access to all the company’s mail—not just his own. It’s this capability that yielded access to Greg Hoglund’s mail.

And what was done with Greg’s mail?

A little bit of social engineering, that’s what.

A little help from my friends

Contained within Greg’s mail were two bits of useful information. One: the root password to the machine running Greg’s rootkit.com site was either “88j4bb3rw0cky88” or “88Scr3am3r88”. Two: Jussi Jaakonaho, “Chief Security Specialist” at Nokia, had root access. Vandalizing the website stored on the machine was now within reach.

The attackers just needed a little bit more information: they needed a regular, non-root user account to log in with, because, as a standard security precaution, direct ssh logins as root were disabled on the machine. Armed with the two pieces of knowledge above, and with Greg's e-mail account in their control, the social engineers set about their task. The e-mail correspondence tells the whole story:

From: Greg
To: Jussi
Subject: need to ssh into rootkit

im in europe and need to ssh into the server. can you drop open up firewall and allow ssh through port 59022 or something vague?

and is our root password still 88j4bb3rw0cky88 or did we change to 88Scr3am3r88 ?

thanks

-------------------------------------

From: Jussi
To: Greg
Subject: Re: need to ssh into rootkit

hi, do you have public ip? or should i just drop fw?

and it is w0cky - tho no remote root access allowed

-------------------------------------

From: Greg
To: Jussi
Subject: Re: need to ssh into rootkit

no i dont have the public ip with me at the moment because im ready for a small meeting and im in a rush.

if anything just reset my password to changeme123 and give me public ip and ill ssh in and reset my pw.

-------------------------------------

From: Jussi
To: Greg
Subject: Re: need to ssh into rootkit

ok, it should now accept from anywhere to 47152 as ssh. i am doing testing so that it works for sure.

your password is changeme123

i am online so just shoot me if you need something.

in europe, but not in finland? :-)

_jussi
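The sshd settings this exchange turns on, as an added example that is not part of the Ars Technica article: a POSIX shell audit of an sshd_config. Both configurations are constructed samples, not the real configuration of any HBGary or rootkit.com machine. The first is set up the way the story implies rootkit.com was (root logins refused, as Jussi says, but password logins still accepted, which is why a reset to changeme123 was all the attackers needed); the second accepts only public keys, the option the top of the page argues would have kept HBGary's server safe, since a reset or cracked password then gains nothing. The function names, the defaults used when a keyword is absent, and the finding messages are my assumptions.

```shell
#!/bin/sh
# Added example (not code from the Ars Technica article): audit an
# sshd_config for the settings the rootkit.com break-in turned on.
# Both configurations below are constructed samples, not the real
# configuration of any HBGary or rootkit.com machine.

# As the story implies rootkit.com was run: root cannot log in directly
# ("no remote root access allowed") but passwords are accepted, so a
# reset to "changeme123" plus the port Jussi opened was enough to get in.
WEAK_CONFIG='Port 47152
PermitRootLogin no
PasswordAuthentication yes
PubkeyAuthentication yes'

# Hardened: only public keys are accepted, so a reset or cracked password
# gains nothing; the private key needed never leaves the user's machine.
HARDENED_CONFIG='Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey'

# sshd_value KEY CONFIG DEFAULT: print the effective value of KEY in CONFIG.
# sshd honours the first occurrence of a keyword, keywords are
# case-insensitive, and anything after '#' is a comment.
sshd_value() {
    value=$(printf '%s\n' "$2" \
        | sed 's/#.*//' \
        | awk -v k="$1" 'tolower($1) == tolower(k) { print $2; exit }')
    printf '%s\n' "${value:-$3}"
}

# audit_sshd CONFIG: print one line per finding; return 0 only if clean.
# Defaults assumed here follow OpenSSH: PermitRootLogin prohibit-password,
# PasswordAuthentication yes, keyboard-interactive (PAM) yes.
audit_sshd() {
    rc=0
    root=$(sshd_value PermitRootLogin "$1" prohibit-password)
    pass=$(sshd_value PasswordAuthentication "$1" yes)
    kbd=$(sshd_value KbdInteractiveAuthentication "$1" yes)
    # ChallengeResponseAuthentication is the older name for the same switch.
    chal=$(sshd_value ChallengeResponseAuthentication "$1" "$kbd")

    if [ "$root" = yes ]; then
        echo "FAIL PermitRootLogin=yes: root can log in directly"
        rc=1
    fi
    if [ "$pass" != no ]; then
        echo "FAIL PasswordAuthentication=$pass: a reset or cracked password is enough to log in"
        rc=1
    fi
    if [ "$chal" != no ]; then
        echo "FAIL keyboard-interactive=$chal: passwords still accepted through PAM"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: key-only authentication, no direct root logins"
    fi
    return "$rc"
}

echo "--- as the story implies rootkit.com was configured ---"
audit_sshd "$WEAK_CONFIG" || true
echo "--- hardened ---"
audit_sshd "$HARDENED_CONFIG"
```

Note that turning off PasswordAuthentication alone is not enough on most Linux builds: sshd can still take a password through keyboard-interactive (PAM) authentication unless that is disabled too, which is why the audit checks both keywords.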
