An ideal candidate for Cyber Security has the ability to think as a hacker would while maintaining a highly ethical standard of conduct.
I have been responsible for three investigations while at Micron Technology, Inc.
- While responsible for the APIM infrastructure at Micron the whole system went down one day. Operation was restored almost immediately. Investigation eventually revealed that a setting related to the number of open file handles as required by the manufacturer had once been documented, but somehow had eventually been lost in the documentation. As systems were upgraded each was rebuilt with the required setting not set. As the system proved more and more reliable and full production systems began to use the resource eventually there was enough activity to cause the number of open file handles to go over the limit. Documentation was corrected, all servers were scheduled to have the setting fixed and were corrected with the normal Change Management process. New settings were added to monitor the settings in case the setting somehow changed (via System Center Operations Manager), as well as a series of Robot Framework scripts I was using because the SCOM team was months behind on adding settings to monitor. This issue was set in motion before I took over shared ownership of the product. Being the owner at the time of the incident, I was responsible for the investigation.
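The lesson from that outage is that a required OS setting needs a continuous check, not just a line in the documentation. The following is an added example (not Micron's, SCOM's or the author's Robot Framework code) of such a drift check: it parses the text format of a Linux `/proc/<pid>/limits` file, compares the open-file limit against an assumed documented minimum (65536 is a placeholder requirement), and also warns when the number of handles in use approaches the limit. A constructed sample limits file is embedded so it runs offline.

```python
"""Config-drift check for a per-process open-file-handle limit.

Added example, not Micron's or the author's monitoring code. It assumes
the documented requirement is a `nofile` limit of at least 65536
(placeholder) and parses the layout of Linux /proc/<pid>/limits.
"""
import os
import re

REQUIRED_NOFILE = 65536   # assumed documented requirement (placeholder value)
WARN_RATIO = 0.8          # warn once usage reaches 80% of the effective limit

# Constructed sample in the format of /proc/<pid>/limits on Linux.
SAMPLE_LIMITS = """\
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max open files            1024                 4096                 files
Max processes             63374                63374                processes
"""

_ROW = re.compile(
    r"^(?P<name>Max .+?)\s{2,}(?P<soft>\S+)\s+(?P<hard>\S+)\s+(?P<units>\S+)\s*$"
)


def parse_limits(text):
    """Return {limit name: (soft, hard)}; 'unlimited' is mapped to None."""
    def conv(value):
        return None if value == "unlimited" else int(value)

    limits = {}
    for line in text.splitlines()[1:]:          # skip the header row
        m = _ROW.match(line)
        if m:
            limits[m["name"]] = (conv(m["soft"]), conv(m["hard"]))
    return limits


def check_nofile(limits, open_fds, required=REQUIRED_NOFILE, warn_ratio=WARN_RATIO):
    """Return a list of finding strings; an empty list means compliant."""
    findings = []
    soft, hard = limits.get("Max open files", (None, None))
    for label, value in (("soft", soft), ("hard", hard)):
        if value is not None and value < required:
            findings.append(f"{label} nofile limit {value} is below required {required}")
    effective = soft if soft is not None else hard
    if effective is not None and open_fds >= warn_ratio * effective:
        findings.append(
            f"{open_fds} open handles is {open_fds / effective:.0%} of limit {effective}"
        )
    return findings


def check_live(pid="self"):
    """Check a running process on Linux; returns None where /proc is unavailable."""
    try:
        with open(f"/proc/{pid}/limits") as fh:
            limits = parse_limits(fh.read())
        open_fds = len(os.listdir(f"/proc/{pid}/fd"))
    except OSError:
        return None
    return check_nofile(limits, open_fds)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample with 900 handles in use.
    for finding in check_nofile(parse_limits(SAMPLE_LIMITS), open_fds=900):
        print("FINDING:", finding)
    live = check_live()
    print("live check:", "not available" if live is None else (live or "ok"))
```

Run it periodically against the real service's PID and alert on any non-empty result; the hard-limit finding catches a rebuilt server that lost the setting, and the usage finding gives warning before the limit is actually hit.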
- A Micron-standard library was released into production with an issue which created an outage at one of Micron’s remote sites. An investigation led to an employee who was *the* go-to person who normally performed releases into production. Somehow, after months of testing in a development environment with teams testing their software against the updated library, he decided to make a slight change to the development instance and then push it into production. This broke both the development and production environments as related to the library. As most of the process is automated, the end result was an update to the documentation on the process of releasing a production library: test the new library at least once after it is released, to ensure it does work. Though this step seems intuitive, it was not in the documented procedure.
- Regarding the first item in this list, it was also the case that someone on the team responsible for servers implementing high availability simply turned off the HA port associated with the APIM servers. This shocking incident could not be tracked down to a specific individual; though I did get hold of the manager of the employees who work on the HA server and suggested they see who was on shift at the time, they still reported it would be impossible to identify the person responsible, though it could be said with 100% confidence that someone did disable the port. Whether the actual person was identified or not, the end goal was met in that a new server was being onboarded to implement HA and it had full logging of all activity, meaning in the future identifying the person responsible would be possible.
Hacking & Outside-of-the-box Thinking
The goal here is to show the ability to think the way a hacker does in order to maintain systems in a safer manner than would otherwise be possible.
- While in college & learning everything I could about Linux I sought to print via Linux. By locating the owner’s manual of the group printer online, and by scanning open ports, I was able to locate an alternative method to print which Linux supported. Without even really trying, I ended up with free print jobs. In fact, someone could be in the middle of printing and their print job would stop, mine would complete, then their print job would start again. This is an example of using an available resource in a way it was not intended.
- At some point I heard the phrase “promiscuous mode” in association with network cards. What I heard seemed kind of hard to believe, so I set things up and began watching port 25. At the time the dorm was on a HUB, and emails and the usernames/passwords of my fellow classmates went past almost without end. By watching other ports I was even able to view someone’s IRC session, with ANSI updates allowing my screen to show exactly the same display as theirs. Though I did nothing with this information, it is a lesson you never forget. When folks say things are sent in plain text, they most definitely are. I immediately began using PGP and later GPG, only to experience the disappointment we all do when you have the solution to a security issue but are unable to implement it because everyone has to participate, and not everyone is technically able enough to join in.
- In the early days of Linux security holes were common, and I used one of these to create a root user on my friend’s computer, though he never noticed and I had to let him know after a couple of weeks.
- Maintaining a Linux system meant watching for security holes and patches and applying them as quickly as possible. When teardrop came out I was patched almost immediately. That day, while sitting in chat channels, the channels would empty as the attack was performed regularly on all the members. There we’d be, just a few people, all the people who were patched, and one of them … but which one? In the evening someone was hitting all the Quake servers on campus, resulting in my server being the only one active that night. I was attacked as well, and while watching my logs I was able to identify the source and the person responsible.
- Teardrop came out near the end of school and my graduation, and I happened to put together a script which, if I had pressed enter, would have looped through all network addresses owned by the college campus sending a teardrop packet to each. It felt empowering a bit. I figured, if I wanted to I could copy it to a CD and insert it in a computer in the library with a delay. Back then CDs would run if inserted, even if no one was logged in. I never ran the attack of course, I have always had a strong sense of ethics, but it was an interesting moment to have the ability to crash the entire campus.
- While at college I copied off the entire student directory. There was a requirement to enter at least the first two letters of the student’s last name, which I did with an algorithm: ‘aa’, ‘ab’, ‘ac’, and so on. This allowed me to identify who was in which room. This is another example of using a system in a way it was not intended.
- Downloading mp3s via IRC used to be a thing. People had scripts which would display the song they were currently listening to. I wrote my own IRC client (and DCC transfer implementation) in C and used it to watch the IRC channel and upon the display of an mp3 file used FTP-like commands via an IRC messaging session to download the mp3. By the end of the day my hard drive was maxed with all the latest music.
- A fellow student asked me to assist with checking his program for use cases he might have missed. I opened a telnet session to his program then closed it without sending anything. His program crashed. When you know what developers have to look out for, you can make the same checks on the code of others.
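The check described in the last item (open a connection, send nothing, close it) is one of the first things a reviewer tries against any network service. Below is an added example, not the page's or the fellow student's program, contrasting a handler that assumes the first read always contains a command with one that treats an empty read (the peer closed) as a normal outcome. Both handlers and the `simulate` driver are constructed for illustration; the driver uses an in-process socket pair so the test runs offline.

```python
"""Handling a client that connects and closes without sending a byte.

Added example, not the page's or the student's program. `fragile_handle`
and `robust_handle` are constructed handlers: the first assumes a
command line always arrives, the second treats an empty recv() (peer
closed) and over-long lines as normal, bounded outcomes.
"""
import socket

MAX_LINE = 4096   # assumed upper bound on a command line


def fragile_handle(conn):
    """Assumes at least one token arrives; raises on an immediate close."""
    data = conn.recv(1024)
    command = data.split()[0]          # IndexError when data == b'' (peer closed)
    return command.decode()


def robust_handle(conn):
    """Return the first command word, or None if the peer closed without one."""
    buf = b""
    while b"\n" not in buf:
        chunk = conn.recv(1024)
        if not chunk:                  # b'' means the peer closed the connection
            return None
        buf += chunk
        if len(buf) > MAX_LINE:        # refuse unbounded input
            return None
    line = buf.split(b"\n", 1)[0].strip()
    return line.split()[0].decode("ascii", "replace") if line else None


def simulate(handler, payload):
    """Drive a handler with a socket pair; returns (result, exception name or None)."""
    server, client = socket.socketpair()
    try:
        if payload:
            client.sendall(payload)
        client.close()                 # like closing the telnet session
        try:
            return handler(server), None
        except Exception as exc:       # broad on purpose: we want to observe the crash
            return None, type(exc).__name__
    finally:
        server.close()


if __name__ == "__main__":
    for handler in (fragile_handle, robust_handle):
        print(handler.__name__, "empty close ->", simulate(handler, b""))
        print(handler.__name__, "HELP me    ->", simulate(handler, b"HELP me\n"))
```

The fragile version crashes on the empty close with an `IndexError`, while the robust version returns `None` and the service keeps serving. The same pattern (check for an empty read, bound the buffer, only then parse) covers the other cases a reviewer tries next: a partial line, and a line far longer than the protocol allows.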
Here is a reward for having reached this page: a mysterious video from (the hacker group?) Cicada 3301
An audio file from the same group, steganography in action…
And of course, you never saw any of this …