USENIX ;login: Feature

MrMean the hacker

by Peter V. Radatti
<radatti@cyber.com>

Pete Radatti is the founder and president of CyberSoft, Inc. (www.cyber.com) CyberSoft was the first company to create an antivirus product for UNIX in addition to inventing the first heterogeneous antivirus product.

Social Engineering System Administrators on the Internet

I write this article because so many system administrators panic when they receive a message saying they are being attacked. Panic upsets lunch and makes everyone cranky in addition to wasting resources and money. I hope to help people deal with "social engineering" attacks, which are a common event on the Internet.

The simplest and bluntest definition of social engineering is a way of obtaining a goal by means of lying or deceit. That may make it sound easy to detect, but for some reason, when social engineering is combined with technology, people are easily fooled. It is a very effective combination.

The following exchanges took place during May 1997. I changed the userid of the person sending me the email to MrMean, and I removed most of the email headers because I saw no reason to harm whoever this person is. He was unable to harm me, and revenge is sweet only if there is something to revenge. I have not changed the user text in any way except to hide who sent it.

This is the first message received. Notice that the user sent the message to Webmaster, not root or postmaster. He most likely browsed our Web site and hit the Webmaster reply button.

From MrMean@aol.com Tue May 20 21:14:41 1997
To: webmaster@cyber.com
Subject: hackers
Status: OR

I am a hacker and if you want to get a program to keep us out of places we cant get in to you will never see your webmaster program will never be there again you ass from MrMean and i am MrMean's Pal by

The first message was intended to terrify the system administrators. I believe that this was just social engineering. Why tell me that you are a hacker and that you can do nasty things to me, when a real hacker wouldn't want to be found and would just do whatever he wanted? In addition, the systems were all running fine. I decided to draw the "hacker" out and learn just what he was up to. If this was a real hacker, my offer to admit he is better than me should be as sweet as honey, and he might tell me where my security hole, if any, is. Finally, the "hacker" is an AOL user. AOL, being a commercial Internet Service Provider, certainly should know who is using this account, and that information can be obtained by court order. My reply:

From radatti@cyber.com Wed May 21 10:17:42 1997
Subject: Re: hackers
To: MrMean@aol.com

How very clever of you. So, if you got into my system where is the cookie? Why don't you leave a file called /tmp/hack on my system and tell me all about it. If you really did get in and you tell me how to fix it then I will publish a paper on my web site saying that you got in and proved it.

Keep in mind that we did not really go to too much trouble to secure the system, all we did was install some wrappers and disable a bunch of stuff in the kernel. Mostly we rely on backups.

I look forward to your reply.

Pete Radatti radatti@cyber.com

MrMean wasted no time in sending his reply. In fact, he sent two replies separated by about 30 minutes. Notice that he hit the reply button this time instead of continuing to send to the Webmaster.

From MrMean@aol.com Wed May 21 22:42:42 1997
To: radatti@cyber.com
Subject: Re: hackers

i got in your system and i can prove it because i copyed your passwords and i destroded one of your kernals and if you look a lot more in your system you might find the letter that i wrote mess with the best die like the rest

At this point I am sure that MrMean is not a real hacker, or if he is, he is very young and unskilled. He ignored my reply, didn't take the honey, and blustered too much. I checked the systems. The kernels were all there, and I could not find a message. Lies that are easy to verify are not very effective. Let's see where this will go.

From radatti@cyber.com Thu May 22 09:28:10 1997
Subject: Re: hackers
To: MrMean@aol.com

OK, I am lame. I looked all over the www system for your message and couldn't find it. The kernels are still there. Tell me where to look.

Now MrMean is claiming to be MrMean's mom. I guess it is possible, but the real information is contained in the word "spam." CyberSoft has a problem with spammers faking our cyber.com domain. This has cost us thousands of dollars in wasted time and resources and has been the cause of us receiving death threats from people who just don't bother to read our automated reply. If you want to see it, send a message to <remove@cyber.com>. This is also another indication of MrMean's age. Very few hackers will ever claim to be their mom or rely upon parental authority to try to scare someone off.

From MrMean@aol.com Wed May 21 23:13:42 1997
To: radatti@cyber.com
Subject: Re: hackers

Stop sending spam here MrMean's mom.

Because MrMean is now claiming to be an adult, I will treat him as such. Notice that I am using my title, thus conferring the status of at least "equal" to the adult. If MrMean is a juvenile, this puts me in a superior position. This is also the last message that either of us will bother with because the game is over.

From radatti@cyber.com Thu May 22 08:57:59 1997
Subject: Re: hackers and spam
To: MrMean@aol.com

Dear MrMean's Mom,

We NEVER spam. We have never spammed and will never do so. We do get hit by people faking our domain address at least three times per week. When this happens we get flooded with about 17,000 remove messages. If you had sent a message to remove@cyber.com you would know this. When we can find out who faked our domain address we request they stop. If they do not then we press charges.

If you received a spam that appears to have come from the cyber.com domain then please send a copy to us so we can go after the person doing it.

Your son sent us a threatening email saying that he was going to damage our systems. We could have gone to the FBI with such an email but we felt that might have hurt him and we really do care about people, even people who threaten us. If you have any other suggestions, we will be happy to hear them.

Pete Radatti
President CyberSoft, Inc.

Conclusion

Social engineering can be as destructive to an organization as a real attack, and many people just don't know how to handle it. CyberSoft has in place some policies that make dealing with these problems easier:

  1. Look for evidence on the systems. This took about 15 minutes using CyberSoft's CIT product. If you don't have CIT and you are using UNIX, run Tripwire. Run COPS and Tiger Script. Examine the "last" log.

  2. Print off the messages. If they came by email, include the message headers. Most people do not know how to hide their identity on the Internet. A handle hides nothing because the Internet Service Provider knows who is paying for the account.

  3. Let everyone on the network know about the "attack message" so anyone who knows anything will tell you. The other benefit of letting everyone know is they will not panic if contacted. This wastes time, but less time than a panic.

  4. Do full backups to off-line media. You should be doing this anyway.

  5. Learn more or ignore it. You need to make a judgment call to reply or not. Don't automatically assume that anything the "hacker" tells you is true, but verify for yourself. If you do decide to learn more, then be respectful, and don't push too much, or you may find that your MrMean has friends.

  6. Decide where to draw the line. CyberSoft always responds to death threats (no matter how unlikely they may be) by contacting the legal department of the company that originated the message. We may also contact the police, but never the person who sent the message. You need to make a list of things you will always respond to and how.
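As an added illustration of step 1 (this is example code written for this page, not the article's own procedure and not CyberSoft's CIT product), here is a small baseline-and-verify file integrity checker in Python in the spirit of the Tripwire check the author recommends. It is run against a constructed temporary directory tree in which a kernel image is then replaced and a /tmp/hack "cookie" file is planted, the two things MrMean claimed and Radatti asked for. All file names and contents are constructed for the demonstration; in real use the baseline would be recorded before any incident and kept on read-only or off-line media (step 4), not on the system being checked.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def file_digest(path):
    """SHA-256 of a file, read in chunks so large files (kernels) are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record digest, size and permission bits of every regular file under root."""
    root = Path(root)
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            st = p.lstat()
            baseline[str(p.relative_to(root))] = {
                "sha256": file_digest(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def verify(root, baseline):
    """Compare the live tree with a saved baseline; returns sorted (finding, path) pairs."""
    current = build_baseline(root)
    findings = []
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            findings.append(("missing", rel))
        elif new["sha256"] != old["sha256"]:
            findings.append(("modified", rel))
        elif new["mode"] != old["mode"]:
            findings.append(("mode-changed", rel))
    for rel in current:
        if rel not in baseline:
            findings.append(("added", rel))
    return sorted(findings)


def demo():
    """Constructed scenario: baseline a tree, then tamper with it as MrMean claimed to."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "fs"          # the "system" being checked (constructed)
        for d in ("boot", "etc", "tmp"):
            (root / d).mkdir(parents=True)
        (root / "boot" / "vmlinuz").write_bytes(b"\x7fELF" + b"\x00" * 64)
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")

        # Baseline is stored outside the tree it describes (stand-in for off-line media).
        baseline_path = Path(tmp) / "baseline.json"
        baseline_path.write_text(json.dumps(build_baseline(root)))

        # Nothing has changed yet, so a verify run reports nothing.
        clean = verify(root, json.loads(baseline_path.read_text()))

        # Simulated tampering: "destroy a kernel" and leave the requested /tmp/hack cookie.
        (root / "boot" / "vmlinuz").write_bytes(b"garbage")
        (root / "tmp" / "hack").write_text("mess with the best\n")

        tampered = verify(root, json.loads(baseline_path.read_text()))
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean run:", before)
    print("after tampering:", after)
```

The check only answers the question the author asked of his own systems: do the files match what they were before the message arrived? It says nothing about whether the baseline itself was taken from a clean system, which is why the baseline must predate the incident and live somewhere the checked host cannot rewrite.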

Finally, the really good hackers don't rely on social engineering except as an accessory. They rely upon their technical skills.

The creation of this article was influenced by Bill Cheswick's famous paper, "An Evening with Berferd, in Which a Cracker is Lured, Endured, and Studied."

First posted: 21st November 1997 efc
Last changed: 21st November 1997 efc