The Cybersecurity Canon: Kingpin

Rick Howard



For the past decade, I have had this notion that there must be a Cybersecurity Canon: a list of must-read books where the content is timeless, genuinely represents an aspect of the community that is true and precise and that, if not read, leaves a hole in a cybersecurity professional’s education. I’ll be presenting on this topic at RSA 2014, and between now and then, I’d like to discuss a few of my early candidates for inclusion. I love a good argument, so feel free to let me know what you think.

Kingpin: How a Hacker Took Over the Billion-Dollar Cybercrime Underground (2011) by Kevin Poulsen

Kingpin tells the story of the rise and fall of a hacker legend: Max Butler. Butler is most famous for his epic, hostile hacking takeover in August 2006 of four of the criminal underground’s prominent credit card forums. He is also tangentially associated with the TJX data breach of 2007.

Butler’s downfall resulted from the famous FBI sting called Operation Firewall where agent Keith Mularski was able to infiltrate one of the four forums Butler had hacked: DarkMarket. But Butler’s transition from pure white-hat hacker into something gray—sometimes a white hat, sometimes a black hat—is a treatise on the cyber criminal world. The author of Kingpin, Kevin Poulsen, imbues the story with amazing descriptions of how Butler hacked his way around the Internet and pulls the curtain back on how the cyber criminal world functions.

In much the same way that Clifford Stoll’s The Cuckoo’s Egg reads like a spy novel, Kingpin reads like a crime novel. Cybersecurity professionals might know the highlights of this cyber criminal underworld, but Poulsen is able to provide a lot of detail about how this world functions, detail that is understood mostly by the cyber criminals themselves and the law enforcement officials who stalk them.

The Story

Back when I first learned of the Max Butler story, I remember being fascinated at the time that this guy was linked to another strange and amazing story about the hackers behind the TJX breaches in 2007. I even presented the story at RSA in 2010. Poulsen, from Wired magazine, did some of the original reporting on the story in 2008 and then took the time to publish this book about it in 2011.

Butler—a.k.a. Iceman among other aliases—happened to be one of the criminal underground’s most notorious carders. For the uninitiated, a carder is a hacker who engages in the illicit collection (theft) and underground-market selling of stolen credit card information. Butler’s infamy did not just come from his brilliant hacker prowess, however. The hacking community considers him to be a hacker god because of his unbelievable moxie. Poulsen fills the book with unbelievable stories of hacker derring-do, but in my humble opinion, Butler’s most astonishing act came when he decided that he did not like the status quo of the current carding scene.

After Shadowcrew

Two years after the feds shut down the Shadowcrew underground carding forum in October 2004, the carding community was fractured. Multiple carding groups emerged to fill the space left by Shadowcrew, but there was mistrust in the air, and none of the hackers were sharing information. Butler had a naive view of the hacking world and believed that there should be a place for underground researchers to freely share and discuss this kind of credit card information without the worry of getting arrested. He thought there needed to be a place where people like him could meet and discuss tradecraft and business within a trusted environment. So, he decided to fix the situation.

In a 48-hour marathon hacking session, Butler compromised the four leading carding forums of the day, which were run by criminal hackers; stole the user databases that resided there, which included user IDs and passwords; stole the forum transcripts that also resided there, which included everybody’s chat sessions; reinstalled everything on his own forum called CardersMarket; destroyed the data that resided on those rival forums; and then sent an e-mail to every user on the four compromised servers saying that he was now the forum Kingpin. How awesome is that? What ego does it take to even think that you could get away with such an operation? But he did. The customers of the now-defunct servers—the cyber criminals—grumbled a bit. But because they could continue to operate, most stayed on Butler’s new CardersMarket forum.

One of the four forums that Butler compromised was called DarkMarket. This is the same forum that FBI agent Keith Mularski was able to penetrate as an undercover agent just months prior to Butler’s takeover. Mularski convinced the owner of DarkMarket to let him be the forum administrator. Because of that, DarkMarket was the only forum to survive Butler’s attacks. Mularski was scrupulous about making backups, and because of that, he had DarkMarket back online only days after Butler’s blitzkrieg. He remained undercover as a forum administrator and monitored every conversation on the forum for the FBI for two years. Because of that effort, Mularski helped put the puzzle pieces together that ultimately resulted in Butler’s arrest.

Before Kingpin, I always assumed that Butler suspected Mularski as being a fed from the start. According to Poulsen, Butler had traced Mularski’s IP address back to the National Cyber-Forensics & Training Alliance (NCFTA) and knew he was a plant. Butler told anybody on the forums who would listen to him to stay away from Mularski, but nobody believed him.

Poulsen describes how the “new” CardersMarket forum was a cesspool of mistrust and politics, and Butler accused a lot of hackers of working for the feds as they accused him of doing likewise. Nobody got any traction. Butler’s takeover did not instigate a new era of trust and cooperation among the carders; it had almost the opposite effect.

The Tech

Butler’s gateway drug to hacking was probably the online phenomenon called TinyMUDs, the successors to multi-user dungeons (MUDs). MUDs were typically Dungeons & Dragons (D&D)-themed multi-user text-based games, the precursor to the three-dimensional and graphical massively multiplayer online role-playing games (MMORPGs) like World of Warcraft today. TinyMUDs discarded the D&D game elements and allowed users to meet each other and build onto their environments as they saw fit, kind of like the precursor to the three-dimensional MMORPG called Second Life. I recently highlighted this MUD culture in a blog about another Cybersecurity Canon-worthy novel called The Blue Nowhere. Just like both hacker characters in The Blue Nowhere, Butler was an avid TinyMUD player, and also just like the hacker characters, he stored the tools of his trade in unsuspecting compromised sites, tools like NetXray, Laplink, and Symantec’s pcAnywhere.

Throughout Poulsen’s book, it is clear that Butler never really understood where the line existed between white-hat and black-hat activity. One of Butler’s early epic hacks came about when the security community discovered a gigantic security vulnerability in the BIND implementation of the domain name system (DNS).

Thinking that it was his duty as a white-hat security researcher to fix the problem, Butler crafted a buffer overflow attack that leveraged the vulnerability, scanned the Internet for DNS systems that were vulnerable, compromised those machines with the buffer overflow attack, downloaded a rootkit to each of the machines that he now owned, and installed the patch that fixed the vulnerability. He thought he was doing a worthy community service to the world. The owners of all of those DNS boxes had a different opinion.

As a white-hat researcher, he helped develop BRO, one of the first experiments in intrusion detection systems. While assisting the Honeynet Project, he developed a program called Privmsg that allowed him to reconstruct hacker chat messages by listening to network traffic. The guts of Privmsg became a part of BRO.

Wearing his black hat, Butler became an expert at wardriving to find unprotected WiFi sites that he could use to hide his hacking activity. He used the Bifrost Trojan to gain entry into unsuspecting victim computers but modified it to bypass anti-virus engines. He tested his modifications on multiple VMware instances running different versions of anti-virus engines. Then he delivered his creation to other black-hat hackers in order to see what they were doing and to steal their credit card dumps for his own profit. He took advantage of a serious vulnerability in a software program called RealVNC. VNC stands for virtual network console, and the RealVNC software ran on point-of-sale devices on many small businesses’ computers. Like he did with the DNS vulnerability, Butler scanned the Internet looking for vulnerable instances in order to compromise the machines and steal the credit card information that the business owners collected daily. To say the least, he was a little conflicted.

Butler’s business partner, Chris Aragon, was responsible for the money-laundering piece of their illicit carding enterprise. After reading Poulsen’s description of the mechanics, you cannot help but think that being a cyber criminal is really hard work. Most non-geeks never really think about the difficulty of converting stolen credit card numbers into real cash. There is a convoluted process involving specialized equipment and many small transactions involving multiple people. You essentially have to make credit cards, and the accompanying driver’s licenses, by imprinting the credit card numbers and user information onto blank card material. You hand those cards to your mules—in Aragon’s case, four or five young and attractive women—who would spend the day shopping for high-end luxury items. The mules return the merchandise back to Aragon, who in turn sells it on eBay at reduced prices. Poulsen goes into great detail about how Aragon, and later Butler on his own, went about this daily business.

Poulsen also describes how the advent of distributed denial of service (DDoS) attacks originated in the hacking community as a way for black-hat hackers to mess with each other. But when Michael Calce—a.k.a. MafiaBoy—launched an experimental DDoS attack against some prominent public websites—CNN, Yahoo!, Amazon, eBay, Dell, and E-Trade—the cat was out of the bag, and the result was an emergency meeting of security experts at the White House.

Butler used hard drive encryption to protect his data and, by inference, his hacking activity. The thought was that this best practice in the hacker community would protect hackers in case law enforcement seized their equipment. Law enforcement officials could grab the hard drives, but because the drives were encrypted, officials would not be able to read any of the information. When the feds finally showed up on Butler’s doorstep, accompanied by some forensics experts from Carnegie Mellon, Butler thought he was secure. Unfortunately, they showed up almost unannounced, and Butler did not have the time to power his systems down. What he did not realize is that while the systems are running, the key for the encryption is stored in RAM. It took them a while, but the forensics experts were able to find the encryption key in RAM and unlock Butler’s hard drives.

Conclusion

Poulsen nails this story. He recounts the transition of Max Butler from pure white-hat hacker into something gray: sometimes a white hat, sometimes a black hat. The technical hacking detail is fascinating, but more importantly, Poulsen is able to pull the curtain back on the cyber criminal world and describe how it functions with a lot of detail. You should have read this by now.
