This story illustrates that sometimes even a guy who isn’t a hacker can successfully hack into a bank. That’s not good news for the banks, or for any of us. I have never visited Estonia, and may never get there. The name conjures up images of ancient castles surrounded by dark woods and superstitious peasants — the sort of place a stranger doesn’t want to go wandering about without an ample stash of wooden stakes and silver bullets. This ignorant stereotype (helped along by corny low-budget horror flicks set in Eastern European woods, hamlets, and castles) turns out to be more than a little inaccurate.
The facts turn out to be quite different. Estonia is a good deal more modern than I pictured, as I learned from a hacker named Juhan who lives there. Twenty-three-year-old Juhan lives alone in a spacious four-room apartment in the heart of the city with “a really high ceiling and a lot of colors.”
Estonia, I learned, is a small country of about 1.3 million (or roughly the population of the city of Philadelphia) stuck between Russia and the Gulf of Finland. The capital city of Tallinn is still scarred by massive concrete apartment buildings, drab monuments to the long-dead Soviet empire’s attempt to house its subjects as economically as possible.
Juhan complained, “Sometimes when people want to know about Estonia, they ask things like, ‘Do you have doctors? Do you have a university?’ But the fact is that Estonia is joining the European Union on the first of May [2004].” Many Estonians, he says, are working toward the day when they can move out of their cramped Soviet-era apartment to a small home of their own in a quiet suburb. And they dream of being able to “drive a reliable import.” In fact, a lot of people already have cars and more and more people are getting their own homes, “so it’s improving every year.” And technologically, as well, the country is no backwater, as Juhan explained:
Estonia already in the beginning of nineties started to implement the infrastructure of electronic banking, ATMs and Internet banking. It’s very modern. In fact, Estonian companies provide computer technology and services to other European countries.
You might think this would describe a hacker’s heaven: all that Internet use and probably way behind the curve when it comes to security. Not so, according to Juhan:
Regarding the Internet security, this, in general, is a good place due to the fact that the country and communities are so small. It’s actually quite convenient for service providers to implement technologies. And, regarding the financial sector, I think the fact that enables the Americans to make a connection is that Estonia has never had an infrastructure of bank checks — the checks that you’re using to pay a lot of bills in the shops.
Very few Estonians ever go into a bank office, he says. “Most people have checking accounts, but don’t know what a bank check looks like.” Not because they’re unsophisticated about financial things but because, in this area, at least, they are ahead of us, as Juhan explains:
We’ve never had a large infrastructure of banks. Already, in the beginning of the nineties, we’d started implementing the infrastructure of electronic banking and Internet banking. More than 90 to 95 percent of people and businesses transferring money to each other are using Internet banking.
And they use credit cards, or “bank cards” in the European terminology.
It’s more convenient to use direct payment in the form of Internet banking or bank cards, and there is just no reason for people to use checks. Unlike America, nearly everyone here uses the Internet for banking and to pay their bills.
The Bank of Perogie
Juhan has been heavily into computers since the tender age of 10, but doesn’t consider himself a hacker, just a white hat serious about security. Interviewing him was no problem — he started learning English in school beginning in second grade. The young Estonian has also done a lot of studying and traveling abroad, giving him further opportunities to develop his English conversational skills.
One recent winter in Estonia was especially harsh, with polar conditions, snow banks all around, and temperatures down to minus 25 degrees Celsius (13 degrees below zero Fahrenheit). It was so bitter that even the locals, who were used to frigid winters, didn’t want to go out unless they had to. This was a good time for a computer guy to stay glued to his screen, hunting for anything good enough to capture his attention.
That’s what Juhan was doing when he stumbled onto the Web site of what we’ll call the Bank of Perogie. It looked like a target worth exploring.

I stepped into the interactive FAQ section that allows people to post questions. I have the habit of looking into Web page form sources. I sort of just got to a Web site and I started to look into it. You know the process yourself — you surf around and you just browse without any strategic purpose.
He could see that the file system was the type used by Unix. That immediately narrowed the type of attacks he would try. Viewing the source code of several web pages revealed a hidden variable that pointed to a filename. When he tried changing the value stored in the hidden form element, “It became clear that they didn’t do any sort of request for authentication. So whether I submitted input from a bank site or from a local PC didn’t matter to the bank server,” he said.
He changed the attributes of the hidden form element to point to the password file, which allowed him to display the password file on his screen. He discovered that the passwords were not “shadowed,” which means the standard encrypted form of every account’s password was visible on his display. So, he was able to download the encrypted passwords and run them through a password cracker.
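The flaw described above, a hidden form value trusted as a file name on a Unix host, shown beside the fix a reviewer would ask for, plus the audit check that would have flagged the unshadowed password file. This is an added illustration in Python, not the bank's code or Juhan's; the directory layout, the page keys and the password-file lines are constructed for the example.

```python
"""Hidden form field used as a server-side file name: the flaw and a fix.

Added illustration, not code from the bank or from Juhan. Assumptions: a
CGI-style handler receives the hidden field value as a string, and the
pages it may serve all live under one base directory.
"""
import tempfile
from pathlib import Path

# Constructed sample tree standing in for the web root and system files;
# the real layout of the bank's server is not known from the story.
ROOT = Path(tempfile.mkdtemp())
WEB = ROOT / "htdocs" / "faq"
WEB.mkdir(parents=True)
(WEB / "faq.html").write_text("<p>How do I reset my PIN?</p>")
ETC = ROOT / "etc"
ETC.mkdir()
# One unshadowed entry (hash sitting in field 2) next to a shadowed one ("x").
(ETC / "passwd").write_text(
    "root:$1$abcdefgh$ConstructedHashValueOnly........:0:0:root:/root:/bin/sh\n"
    "telebank:x:501:501:telebanking svc:/srv/tb:/bin/sh\n"
)


def read_page_vulnerable(hidden_value: str) -> str:
    """The pattern in the story: the hidden field is used directly as a
    path, with no authentication and no restriction, so a value that walks
    up the tree to the password file is simply served."""
    with open(WEB / hidden_value) as fh:
        return fh.read()


# Opaque keys the form is allowed to send, mapped to files on the server.
ALLOWED_PAGES = {"faq": "faq.html", "contact": "contact.html"}


def read_page_hardened(hidden_value: str) -> str:
    """Look the field up in an allowlist instead of treating it as a path,
    and still verify the resolved file stays under WEB as a second line of
    defense against a mistake in the table."""
    name = ALLOWED_PAGES.get(hidden_value)
    if name is None:
        raise PermissionError("unknown page key")
    target = (WEB / name).resolve()
    if WEB.resolve() not in target.parents:
        raise PermissionError("path escapes web root")
    return target.read_text()


def unshadowed_accounts(passwd_text: str) -> list:
    """Audit helper: return login names whose passwd entry still carries a
    password hash in field 2 instead of 'x' or a locked/empty marker."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        if fields[1] not in ("x", "*", "!", ""):
            found.append(fields[0])
    return found
```

The hardened handler never lets client input name a file: the form sends a key, the server owns the mapping, and the parent-directory check costs one line and catches a future typo in the table. The audit helper is what a routine host check should run; any name it returns means the hashes are world-readable and the only thing standing between a reader and the accounts is password strength.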
Juhan’s password cracker program of choice was a well-known one with the deliciously amusing name of “John the Ripper,” which he ran using a standard English dictionary. Why English instead of Estonian? “It’s common practice around here to use English passwords.” But the fact is that many Estonians have a good basic knowledge of English.
The cracker program didn’t take long, only about 15 minutes on his PC, since the passwords were basic — simple English words with a few numbers tacked on the end. One of them was golden: he recovered the root password, giving him administrator’s privileges. And there was more:
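The passwords fell in a quarter of an hour because they were dictionary words with a few digits tacked on, which is the one class a password policy can reject before the password is ever stored. Below is an added illustration in Python of such a check, not anything the bank ran; the word list is a constructed stand-in for a full dictionary, and the 12-character minimum is an assumed policy value.

```python
"""Reject the password class that fell in 15 minutes: a plain English word
with digits (or symbols) attached, including common letter-for-digit
substitutions. Added illustration, not the bank's code."""
import re
from typing import Optional

# Constructed sample dictionary; a real deployment loads a large word list
# from disk, the same kind of list a cracker would use against the hashes.
DICTIONARY = {"password", "summer", "bank", "winter", "estonia", "tallinn"}

# Undo the usual substitutions so "p@ssw0rd" is compared as "password".
SUBS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "@": "a", "$": "s", "!": "i"})
_EDGE_DIGITS = re.compile(r"^\d+|\d+$")
_EDGE_NOISE = re.compile(r"^[\W\d_]+|[\W\d_]+$")

# Assumed policy minimum; not a value from the story.
MIN_LENGTH = 12


def weakness_reason(password: str, dictionary=DICTIONARY) -> Optional[str]:
    """Return why the password is weak, or None if it passes the policy.

    Two normalised 'cores' are tried: the word with leading/trailing digits
    and symbols removed, and the word with only edge digits removed and
    substitutions undone (so a leading '$' standing for 's' survives)."""
    lowered = password.lower()
    cores = {
        _EDGE_NOISE.sub("", lowered),
        _EDGE_DIGITS.sub("", lowered).translate(SUBS),
    }
    if all(core == "" for core in cores):
        return "digits or symbols only"
    for core in cores:
        if core in dictionary:
            return "a dictionary word with digits or symbols attached"
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    return None
```

Run this at password-change time, and feed it the same word list the cracking tools ship with; a check that is weaker than the attacker's dictionary only gives false comfort.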
There is this one telebanking service that has a trade name which I’m not sure if I should mention here, but [I found] an account for that service. It looked like it was probably the system account that was running the services on that server.
He didn’t go further in this direction, explaining that “having passwords was the point where I stopped.” Prudence was the name of the game.

I could get in trouble. After all, I work in the information security business. I had some motivation not to do any harm.
But the situation looked too good to be true. I figured it might be a honey pot, a trap to lure people like me in and then get prosecuted. So I contacted my superiors and they reported it to the bank.
His disclosure didn’t get him into hot water with his employer, nor with the bank, but quite the opposite. His company was offered the assignment of investigating further and coming up with a solution to plug the loophole. Juhan’s company put him on the job, figuring he could finish what he’d already started.
It was sort of surprising to me that the events went like that because actually the Internet security in Estonia is at a better level than it is elsewhere. This is not determined by me, but is said by many people who have come here from other places. So it was kind of surprising for me to find out this one hole and then how easy it was to get my hands on very secret sort of information.
Personal Opinion
From experiences like this, Juhan has come to believe it’s in the best interest of a company that finds itself compromised by a hacker not to prosecute, but instead work with the hacker to fix whatever problems he or she has uncovered — sort of an “if you can’t beat ’em, join ’em” philosophy. Of course, the government doesn’t usually see it this way, as proven yet again with the hounding of Adrian Lamo (see Chapter 5, “The Robin Hood Hacker”), saddled with a felony conviction despite the fact that he (for the most part) provided a public service by advising companies of their vulnerabilities. Prosecuting can certainly be a lose/lose situation, especially if the company never learns the particular vulnerabilities the hacker used to infiltrate its network.
As a knee-jerk response, firewalls and other defenses are piled on, but it’s an approach that may completely overlook the unseen flaws that astute hackers may discover, not to mention all the ones already well-known to the hacker community. Juhan captured his view on this in a particularly vivid statement: