Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

BLOG: True tales of (mostly) white-hat hacking

Roger A. Grimes | July 23, 2013
Stings, penetration pwns, spy games — it's all in a day's work along the thin gray line of IT security.

I was a little skeptical of his allegations of computer hacking during our initial visit, but while I was there something odd happened. An Egyptian contact, to whom the CEO had sent bid responses, had received an automatic notice of an email being opened (a read receipt) from an unknown email account in response to an email he had sent my client. The read receipt should have originated from the CEO's email account, but instead it came from a university email account. It looked like, and was later confirmed, that the hacker had forgotten to turn off automated read receipts in his email client, and when he opened email intended to the CEO, his email client sent back a read receipt from his email account.

We quickly figured out that the former VP had discovered the CEO's email password and was using it to pick up copies of bid information between his former company and Egypt. The newly discovered email address linked back to a nearby university, which, coincidentally, both the former VP and I had attended years ago. The school allowed former students to continue to use limited parts of its computer system, including email. Antiquated by today's standards, the university's system had a few interesting features that proved useful in our investigation: You could look up when other people were using the system, and it would let you link email addresses to real names, along with other identifying information.

We contacted the FBI and city police to report the cyber crime. At the time, the FBI had very few computer crime experts, none with real hacking skills. But with their legal assistance, I was allowed to perform, under the FBI's legal authority, some limited forensic investigative techniques.

Sure enough, the hacker was using a university email account that we could trace to the former VP. Using various lookups, we were able to see when the former employee used the university system. The correlation to days when fish bidding was performed was striking.

Of course, we could not conclusively confirm that the former VP was using his old email account, no matter how obvious it seemed. We needed a way to track an opened email back to the former VP's current IP address, which could then be subpoenaed from his ISP. I decided to use a Web beacon.

A Web beacon (aka a Web bug) is a hidden HTML link to a nearly invisible graphic element that when viewed in an HTML-enabled client allows the custodian of that element to track information about the user who has opened it. I modified the CEO's email signature to contain an HTML link to a 1-pixel transparent GIF file located on a Web server that we managed. When anyone opened an email containing the CEO's modified signature, their email client would automatically download the Web beacon, and our Web server logs would contain the viewer's current IP address, along with time, date, and other identifying information.


Previous Page  1  2  3  4  5  6  7  8  Next Page 

Sign up for Computerworld eNewsletters.