Mister Mean the Hacker

"Social Engineering System Administrators on the Internet" 

by Peter V. Radatti
Copyright May 1997

Permission to copy is granted provided the document is presented whole without modification and with the copyright notice. 

The reason that I have written this paper is because so many system administrators panic when they receive a message from someone saying that they are being attacked. Panic upsets lunch and makes everyone cranky in addition to wasting resources and money. Hopefully, this paper will help people deal with "social engineering" attacks which are a common event on the Internet.

For those of you who do not know what social engineering is, the simplest and most blunt definition is that it is a way of obtaining a goal by means of lying or deceit. This may sound easy to detect but for some reason when combined with technology people seem easy to fool. It is very effective.

The following exchanges took place during May 1997. The user id of the person sending me the email was changed to MrMean and I removed most of the email headers since I see no reason to harm whoever this person is. They were unable to harm me and revenge is only sweet if there is something to revenge. I have not changed the user text in any way except to hide who sent it.

This is the first message received. Notice that the user sent the message to web master not root or postmaster. It is most likely that they browsed our web site and hit the web master reply button.

From MrMean@aol.com Tue May 20 21:14:41 1997
To: webmaster@cyber.com
Subject: hackers
Status: OR

 I am a hacker and if you want to get a program to keep us out of places we can't get in to you will never see your web master program will never be there again you ass from MrMean and i am MrMean's Pal by

The first message was intended to strike fear into the system administrators. I believe that this was just social engineering. Why tell me that you are a hacker and that you can do nasty things to me when a real hacker wouldn't want to be found and would just do whatever he wanted? In addition, the systems were all running fine. I decided to draw the "hacker" out and find out just what he was up to. On the other hand, If he is a real hacker then my offer to admit he is better than me should be as sweet as honey and he might tell me where my security hole, if any, is. Finally, the "hacker" is an AOL user. AOL being a commercial Internet Service Provider certainly should know who is using this account and that information can be obtained by court order. My reply:

From radatti@cyber.com Wed May 21 10:17:42 1997
Subject: Re: hackers
To: MrMean@aol.com

How very clever of you. So, if you got into my system where is the cookie? Why don't you leave a file called /tmp/hack on my system and tell me all about it. If you really did get in and you tell me how to fix it then I will publish a paper on my web site saying that you got in and proved it.

Keep in mind that we did not really go to too much trouble to secure the system, all we did was install some wrappers and disable a bunch of stuff in the kernel. Mostly we rely on backups.

I look forward to your reply.

Pete Radatti
radatti@cyber.com

MrMean wasted no time in sending his reply. In fact, he sent two replies separated by about 30 minutes. Notice that he hit the reply button this time instead of continuing to send to the web master.

From MrMean@aol.com Wed May 21 22:42:42 1997
To: radatti@cyber.com
Subject: Re: hackers

 i got in your system and i can prove it because i copyed your passwords and i destroded one of your kernals and if you look a lot more in your system you might find the letter that i wrote mess with the best die like the rest

At this point I am sure that MrMean is not a real hacker or if he is then he is very young and unskilled. He ignored my reply, didn't take the honey and blustered too much. I checked the systems. The kernels were all there and I could not find a message. Lies which are easy to verify are not very effective. Lets see where this will go.

From radatti@cyber.com Thu May 22 09:28:10 1997
Subject: Re: hackers
To: MrMean@aol.com

 OK, I am lame. I looked all over the www system for your message and couldn't find it. The kernels are still there. Tell me where to look.

Now MrMean is claiming to be MrMean's mom. I guess it is possible but the real information is contained in the word "spam". CyberSoft has a problem with spammers faking our cyber.com domain. This has cost us thousands of dollars in wasted time and resources and has been the cause of us receiving death threats from people who just don't bother to read our automated reply. If you want to see it, send a message to remove@cyber.com. This is also another indication of MrMean's age. Very few hackers will ever claim to be their mom or reply upon parental authority to try and scare someone off.

From MrMean@aol.com Wed May 21 23:13:42 1997
To: radatti@cyber.com
Subject: Re: hackers

 Stop sending spam here MrMean's mom.

Since MrMean is now claiming to be an adult, I will treat him as such. Notice that I am using my title thus conferring the status of at least "equal" to the adult. If MrMean is a juvenile this puts me in a superior position. This is also the last message that either of us will bother with since the game is over.

From radatti@cyber.com Thu May 22 08:57:59 1997
Subject: Re: hackers and spam
To: MrMean@aol.com

 Dear MrMean's Mom,

We NEVER spam. We have never spammed and will never do so. We do get hit by people faking our domain address at least three times per week. When this happens we get flooded with about 17,000 remove messages. If you had sent a message to remove@cyber.com you would know this. When we can find out who faked our domain address we request they stop. If they do not then we press charges.

If you received a spam that appears to have come from the cyber.com domain then please send a copy to us so we can go after the person doing it.

Your son sent us a threatening email saying that he was going to damage our systems. We could have gone to the FBI with such an email but we felt that might have hurt him and we really do care about people, even people who threaten us. If you have any other suggestions, we will be happy to hear them.

Pete Radatti
President
CyberSoft, Inc.

Conclusions

Social Engineering can be as destructive to an organization as a real attack and many people just don't know how to handle it. CyberSoft has some policies in place that make dealing with these problems easier. They are,

1. Look for evidence on the systems. Using CyberSoft's CIT product this took about 15 minutes. If you don't have CIT and you are using UNIX then run Tripwire. Run COPS and Tiger Script. Examine the "last" log.
2. Print off the messages. If by email, include all of the message headers. Most people do not know how to hide their identify on the Internet. A handle hides nothing since the Internet Service Provider know who is paying for the account.
3. Let everyone on the network know about the "attack message" so if anyone knows anything they will tell you. The other benefit of letting everyone know is they will not panic if contacted. This wastes time but less time than a panic.
4. Do full backups to off line media. You should be doing this any way.
5. Learn more or ignore it. You need to make a judgment call to reply or not. Don't automatically assume that anything the "hacker" tells you is true but verify for yourself. If you do decide to learn more then be respectful and don't push too much or you may find that your MrMean has friends.
6. Decide where to draw the line. CyberSoft always responds to death threats (no matter how unlikely they may be) by contacting the legal department of the company that originated the message. We may also contact the police but never the person who sent the message. You need to make a list of things that you will always respond to and how.

Finally, the really good hackers do not rely on social engineering except as a accessory. They rely upon their technical skills.

The creation of this paper was influenced by Bill Cheswick's famous paper, "An Evening with Berferd, In Which a Cracker is Lured, Endured, and Studied".