Merit Network

Discussion Communities: Merit Network Email List Archives

Network Security

Historical interview with magicfx

  • From: Paul Howell
  • Date: Tue Mar 23 12:58:08 1999

News outlets have been reporting that eBay, the on-line auction
house, has been broken into.  Here's a story based on
an interview with the cracker, a college student majoring
in C.S.

This story is from http://www.forbes.com/tool/html/99/mar/0319/side1.htm

< paul


Going once, going twice ... HACKED! 

By Adam L. Penenberg 

eBay (nasdaq: EBAY), the hot one-to-one auction
site, was hacked on Saturday March 13 by a
22-year old college student who goes by the
handle MagicFX. But the story doesn't end
there. The hacker maintains access to the site
and can return at will. He has "root" access to eBay's
computers, the same kind the legitimate
administrators enjoy. This means he could change
prices or place fake ads, divert traffic to other sites or
even take down the entire network. 

This was starkly illustrated to this reporter on
Wednesday night, when the hacker, to prove his
point, took down eBay's home page for two minutes
and replaced it with the message: 

Proof by MagicFX that you can't always trust people not even 
huge companies. (who woulda known that?) "It's 9:30 PM . . . 
do you know who has YOUR credit card information?" 

Although eBay customers don't use credit cards to pay
for merchandise--the site acts as a
middleman--sellers use them to pay the company
service fees. When contacted, the company refused to
comment, saying that unnamed law enforcement
officials had requested that eBay remain silent about
issues surrounding hacking. 

Initially, the hacker, who would not divulge his real
name, gained access to eBay's computers on
Saturday afternoon by figuring out what accounts
existed, then trying simple passwords. Since eBay is
an e-commerce site, MagicFX tried words like
"commerce," "trading" and "eBay," until he cracked
one, although he would not divulge the password he
used. He says he was surprised eBay's technicians
didn't use standard password protecting schemes,
which would have meant a mixture of numbers and
letters. 

Once inside, MagicFX employed a technique referred
to as a "local root buffer overflow." He ran a script that
transmits too much information into a targeted zone.
The data that can't fit is then manipulated so that he
was able to trick the computer into running his
commands at an elevated privilege. 

"I exploited a buffer overflow condition, which existed
in an SUID root program," says the hacker, who is
finishing up a B.S. in computer science. "Then I used
software which I had written myself to get to the rest
of the network. FreeBSD was the first machine I
accessed, the rest were Solaris." 

From there, MagicFX modified the system's software
so that instead of providing administrators with a
secure way to work from a remote machine, it logged
that information to a hidden file, so that not only
could he intercept passwords and log in names, but
actually watch everyone's keystrokes. 

"After gaining access to more of the network, I tried to
figure out how the service worked. Most of the web
servers run on Windows machines, which use the SMB
protocol to load a template page off a specified
machine and dynamically create the HTML." 

For Saturday's hack, MagicFX left his page up for
about 45 minutes; he claims it was viewed by about
4,000 site visitors. (Hackers often attack on weekend
evenings, because most system administrators are
out of the office.) The reason more people didn't
witness the hack is that eBay deploys several web
servers and balances the load based on the amount
of traffic. Since MagicFX exploited only one machine
for the web page hack, only users served by that
machine could view the hacked page. 

But he claims the company must know about the
hack, since he monitored E-mails from users alerting
the company. He pulled his own page down and
logged off when he spotted a system
administrator--"to be nice." 

Mirrors--or copies--of both Saturday's and
Wednesday's hacked eBay pages have been archived
by Brian Martin, a computer security consultant, on his
site attrition.org
(http://www.attrition.org/mirror/attrition/ebay.com) 

What does MagicFX say about eBay's security? "I think
they have better security than NASA, but that's not
saying much." 

Martin, who also witnessed the Wednesday night eBay
hack, says, "Large systems like eBay are focused on
keeping the money machine running smoothly, but
this has come at the expense of security. Users
should realize that just because a site says their
personal information and credit card numbers are
secure doesn't necessarily make it so." 

MagicFX says he hacked eBay, which has a market cap
of more than $18 billion, because he wanted to see
how a large e-commerce site worked from the inside.
Once there, he discovered an added bonus: eBay
uses a proprietary system to do its trading, he says,
and the source code is highly prized in the hacker
world. As a result, a number of hackers have
approached him for a copy, but he has not complied,
since he hasn't had a chance to sift through it yet. 

This was not the first hack for MagicFX. Recently he
also defaced web sites promoting the movies Varsity
Blues and 200 Cigarettes, "because they got a lot of
hits and I didn't like the movies really." He also hit
monicalewinsky.com because it is "anti-Clinton" and
"ourfirsttime," a site that claimed it would webcast a
man and woman losing their virginity. MagicFX says he
hacked the site to get the word out it was a media
hoax. 

"I have learned at least as much by hacking as I have
in school," he says. 
