Jesse William McGraw, who pleaded guilty to two counts of transmitting malicious code to systems at the hospital at which he worked (including a SCADA HVAC system’s HMI), was sentenced yesterday at the U.S. District Court for Northern Texas to 110 months of custody, followed by three years of supervised release. He has also been ordered to pay restitution in the amount of $31,881.75. This is according to the latest filing on his case on PACER:

He was facing a maximum of 10 years per count, which is higher than the usual 5 years per count due to the threat to public health and safety. At one point in the case last year, he had signed a plea agreement stating that he would plead guilty in exchange for a maximum sentence of 6 years. This fell through, however, when he reneged on the deal by pleading innocent on his next appearance in court. He was then re-indicted for 14 counts, which were dropped after he agreed to (and did) plead guilty to the original two counts, outside the scope of any agreement.

On a personal note, I feel that this is a fair sentence considering the circumstances. His actions jeopardized the safety of innocent people, and he attempted to destroy evidence and hinder the investigation after he was taken into custody. Even after he finally pleaded guilty, he continued to blame everyone but himself, as you can see in his “cross-site scripting tunneling” story he posted, or had someone post for him, from prison three months ago. I originally felt very sorry for him, though it’s hard to have any sympathy for someone who has continually acted against his own best interests as long as he has.

The rest of the “Electronik Tribulation Army” have gone relatively quiet. Maybe this will be a wakeup call for them to get out of this game.

UPDATE: A good post on this from the folks at the Dallas Observer:

If you’re new to the site, these are the previous posts this is a followup to:

 

Today, the US Attorney’s Office announced that Jesse “GhostExodus” McGraw has entered a guilty plea on two charges of transmitting a malicious code.  Jesse had compromised more than 14 computers at the Carrell Clinic in Dallas, Texas, where he worked as a night-shift security guard.  This included the system running the HMI (Human Machine Interface) for the hospital’s HVAC system.  To the best of my knowledge this is the only arrest and conviction of a hacker involved in a control systems/SCADA incident in the United States.

This story began last year, when I became aware of the HVAC compromise, and gathered information about it to turn over to FBI.  Throughout the process, I have been very impressed with the technical skill and responsiveness of the FBI agents.  I am also very happy with this outcome.  This may serve to educate organizations with control systems about the threats and vulnerabilities that are possible, and put other “script-kiddie” type hackers on notice that they can be tracked down and prosecuted for their actions.

The press release for the guilty plea is not yet available on the DOJ website, but the following articles are available:

I have a large collection of PDFs of court filings for this case, which I may post with commentary at some point soon, now that he has entered a guilty plea.  The PDFs make for interesting reading and a wild ride, and I don’t know of any other resources that have good documentation of a hacker case.  I’m looking forward to going through them again.

 

I noticed a realty website in my referrals today, so I checked it out to see why they’d be linking here.  Here’s what I found:

http://mcgrewsecurity.com/img/nicetry.png

For those of you who are new here: This is obviously not how I roll.  Not only is it not something I would do (protip: don’t do pentesting for free), but the capitalization is awful.

Our good friend MR^E of the ETA also dropped by earlier in the day, to leave troll comments and launch a pointless spider/scan against the site (again), so I figured I’d take a look and see what’s going on over at their new site, hackserver.org:

Wow!  MR^E figured it out before I did!  When asked about it by another member, he responded:

Stumbling across it before it even has a chance to get indexed by Google?

I’ll leave the conclusions as an exercise for the reader.

 
Tomorrow morning, I will be giving a lecture to the CS4243/6243 Information and Computer Security class at Mississippi State University.  It will cover the events that led up to, and followed from, the arrest of Jesse “GhostExodus” McGraw on charges of installing malicious code onto hospital computer systems, including a system that was the HMI (Human-Machine Interface) of the SCADA system controlling ventilation, air-conditioning, and various aspects of the surgery wing.

The purpose of the talk is to cover some of the more interesting points of evidence that were gathered, documents surrounding the arrest and indictment, and some of the aftermath.  To give the students some practical skills to take away, I’ll be discussing some of the methodology used that would be applicable when responding to other incidents.  It’s difficult to fit everything into a 50-minute lecture, but I believe I’m hitting the most interesting and entertaining points, and will be happy to go into more detail with smaller groups of interested students afterwards.

I am making the slides available here; however, you will notice that they mostly consist of images and screengrabs for me to use as talking points.  While they may or may not be interesting standing alone, I’ve uploaded them primarily to serve as a reference for the students that have attended the lecture.

If I’m happy with how the lecture goes, I may use it as a reference to record some narration on top of the above slides and make it available on this site.

If you are in the area and wish to drop in on this lecture, you are welcome to do so.  It will be at 9:00 AM, Monday August 31, in Butler 103.

If you are a student in the class, coming here for the slides, and are new to the site, these are the posts related to this lecture:

 

Just found out via the Dallas Observer’s blog that Jesse “GhostExodus” McGraw has been indicted by a federal grand jury, and has been charged with two counts of “transmitting a malicious code”, in reference to the malicious code he allegedly installed on computer systems at a hospital in the Dallas area:

If convicted, he faces up to 10 years in prison, and $250,000 in fines and restitution.

Meanwhile, the remaining members of ETA are a lot quieter than they used to be.  XXxxImmortalxxXX, now also known as “system666”, is still a member of ETA, according to his signature on this forum, despite being the one who inadvertently tipped me off to GhostExodus’ activities:

The Fixer, a member, or at least former member, is confused about the difference between the script kiddie hacker group ETA and the Basque separatist group ETA (“Euskadi Ta Askatasuna”):

If you’d like to catch up, here are the previous posts in this series:

 

Poking around on various “hacker” forums, this sort of thing is a common sight:

If I had the stamina and will to maintain a “skiddie clown quote of the day” for any length of time, this would be a prime candidate.  Especially this part:

im sick of being hacked ive done nothing wrong expect steal about 200 passes

Looking at posts like this got me to thinking about this scene’s combination of wanting to learn about “hacking”, inexperience, and the desire to do something immediately “fun” (important point: they want to jump straight to 0wnage, with a minimum of time studying how).  It reminded me of a phenomenon I was seeing on forums like this a while back, where members were becoming aware of the CSIS and SANS US Cyber Challenge competitions:

These challenges are geared towards high school students and undergraduates, and they give them an interesting and competitive outlet for exercising skills that might otherwise be used for more script-kiddie-like endeavors.  In addition, they help give them motivation to learn new skills, motivation that is otherwise missing when you have an entire Internet’s worth of computers out there that have vulnerabilities you already know how to exploit.  In a recent interview with Forbes, the director of SANS, Alan Paller, stated the logic behind this kind of competition well:

“Offense must inform defense,” he says. “We’d like it to be just training defenders, but if they don’t know how attacks are performed, they’ll be incompetent.”

It might work, too.  If the structure of this training (which is still in its infancy) is good, and it’s interesting and challenging enough, then it could be possible to leverage script-kiddie-level skills into something useful.

This might be what some of the people on these forums are looking for.  I’ve already witnessed an entire “hacking group” that normally occupies themselves with web defacement split into teams and sign up for the DC3 forensics challenge.  On another site, I noticed that GhostExodus, before he was arrested, had signed up for the DC3 challenge as well, as had XXxxImmortalxxXX (the guy who bragged to me about GhostExodus’ hacks).

Maybe in the near future, activities like the US Cyber Challenge will get people like this on a productive path before they wind up getting into trouble.

 

Previous parts (Prerequisite information.  There will be a pop quiz at the end.):

  • Part 1 – Definitely read the criminal complaint.
  • Part 2 – Watch some videos

In this post I will be displaying and discussing some screenshots that Jesse “GhostExodus” McGraw posted online.  These screenshots were taken on the PC controlling Carrell Clinic’s HVAC system, uploaded to a photobucket account owned by GhostExodus, and linked to in posts on anarchistcookbook.com and warezscene.org (still available there).  When XXxxImmortalxxXX initially bragged to me about hacking this HVAC system himself, he linked the same photobucket images directly, which led me to discover the forum posts that linked the same images.

What you’re looking at in these screenshots, if you’re not familiar with control systems, is Human-Machine Interface (HMI) software.  HMI software represents what would have once been a physical control panel with switches, dials, gauges, and other similar elements.  The software displays the status of various elements of the system, and allows the operator to make changes, either directly (by flipping a switch, for example), or by modifying a parameter that the system automatically tries to maintain or use as a boundary.

Since the HMI for a control system is very specific to that system, HMI software is typically distributed as a combination of an IDE (for developing the custom interface) and a runtime (for running the developed system).  HMI systems also implement access control and auditing, features that often serve as a last line of defense for a control system.  While I cannot speak for BACtalk’s security (I have no experience with it yet), a combination of misconfiguration and vulnerabilities in HMI products’ security features can lead to this layer of defense being weak.  Until HMI software security improves, it’s very important to layer defenses around them, with strict control over who can access the systems physically or over a network.

Let’s take a look at the shots (click them to see them at full resolution):

[Screenshot 1, hosted on Photobucket]

In this shot, you can see what appears to be a “main menu” for the control system, with buttons that take you to other screens that control different sections of the hospital.  The most interesting thing here is the dialog box, “BACtalk Alarm”.  The “Acknowledge” buttons allow an operator to record that he or she has seen the alarm, which should go in an audit log that can be reviewed if there are problems in the future.  An attacker with access to these systems and the associated logs could “acknowledge” alarms that were meant to be seen by operators, and potentially even modify the audit logs.  The criminal complaint against GhostExodus made reference to problems with alarms this specific HVAC system was having after being compromised.
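One way to back up the acknowledgement log that the paragraph above describes, so that an acknowledgement rewritten or removed on the HMI host is at least detectable: an HMAC-chained copy of the alarm events kept on a separate collector host. This is an added example and not code from the original post or from BACtalk (whose own logging is not assumed to work this way); the key, the operator name and the timestamps are made up, while the alarm names are the ones visible in the screenshots.

```python
import copy
import hashlib
import hmac
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # prev_hash of the first entry in the chain

@dataclass
class AckEntry:
    seq: int
    timestamp: str
    operator: str
    alarm: str
    action: str        # "RAISE" (system raised it) or "ACK" (operator acknowledged it)
    prev_hash: str
    entry_hash: str

def _entry_mac(key, seq, ts, operator, alarm, action, prev_hash):
    # Canonical JSON so the MAC covers every field without ambiguity.
    msg = json.dumps([seq, ts, operator, alarm, action, prev_hash], separators=(",", ":"))
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).hexdigest()

class AckAuditLog:
    """Append-only log meant to live on a collector host, not on the HMI PC. The MAC key
    stays on the collector, so whoever owns the HMI cannot rewrite an entry and re-seal it,
    and each entry commits to the one before it, so altered or deleted entries break the chain."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []

    def head(self):
        return self.entries[-1].entry_hash if self.entries else GENESIS

    def record(self, operator, alarm, action, ts):
        seq, prev = len(self.entries), self.head()
        mac = _entry_mac(self._key, seq, ts, operator, alarm, action, prev)
        self.entries.append(AckEntry(seq, ts, operator, alarm, action, prev, mac))

    def verify(self, expected_head=None):
        # Returns (True, None), or (False, seq) for the first entry that fails.
        prev = GENESIS
        for i, e in enumerate(self.entries):
            want = _entry_mac(self._key, e.seq, e.timestamp, e.operator, e.alarm, e.action, e.prev_hash)
            if e.seq != i or e.prev_hash != prev or not hmac.compare_digest(want, e.entry_hash):
                return False, i
            prev = e.entry_hash
        # The chain alone cannot see entries chopped off its tail; that needs a head hash
        # the collector stored somewhere the HMI cannot reach.
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)
        return True, None

def demo():
    # Constructed sample data (hypothetical key, operator and times).
    log = AckAuditLog(b"collector-side-example-key")
    log.record("system", "AHU 7 OA Alarm", "RAISE", "2009-06-26T02:10:00Z")
    log.record("system", "AHU 4 OR Alarm", "RAISE", "2009-06-26T02:11:00Z")
    log.record("nightshift.op", "AHU 7 OA Alarm", "ACK", "2009-06-26T02:15:00Z")
    saved_head = log.head()                          # kept off-box by the collector
    edited, cut = copy.deepcopy(log), copy.deepcopy(log)
    edited.entries[2].operator = "someone.else"      # rewrite who acknowledged the alarm
    del cut.entries[2]                               # chop the acknowledgement off the end
    return {"intact": log.verify(saved_head), "edited": edited.verify(saved_head),
            "cut_chain_only": cut.verify(), "cut_with_head": cut.verify(saved_head)}
```

The truncation case is the one to note: a hash chain by itself accepts a log whose tail has been removed, so the collector has to remember the latest head hash somewhere the HMI host cannot touch.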

[Screenshot 2, hosted on Photobucket]

Here, we see a floorplan for an area of the hospital containing some operating rooms (OR 2 through OR 5).  Among other things, you can see the open/closed status of the vents in various rooms.  The buttons to the right of these statuses could be controls to toggle them.  I’m not really sure what the weird gray graphic between/overlapping the status of “AHU 7 OA Alarm” and “AHU 4 OR Alarm” is.  If you have a guess, leave a comment. (Never mind, glitch in GIMP.)

Note that since HMI interfaces are custom-designed in an IDE for the purposes of each control system, the user interfaces are not always self-explanatory.  Operators have to be trained to understand the elements of each system.  This one’s not really that bad compared to a lot of them, though.

[Screenshot 3, hosted on Photobucket]

This is the scary one.  It’s a list of parameters for systems in a “Surgery Center” or operating room.  Here, an operator (or attacker) can modify the temperatures and levels at which pumps kick in, or shut things on and off.  I’m not familiar with hospital control systems, and especially not with those involved in surgery, but I imagine that changes made to these systems could wreak some havoc.

These screenshots were posted by GhostExodus on the warezscene and anarchistcookbook forums with the following text:

Spreading botnets is boring. But sometimes you get a hefty prize for all your hard work and labor. Like this you see below. An HVAC server. An HVAC is: HVAC (pronounced either “H-V-A-C” or “H-vak”) is an initialism or acronym that stands for “heating, ventilating, and air conditioning”. HVAC is sometimes referred to as climate control and is particularly important in the design of medium to large industrial and office buildings such as skyscrapers and in marine environments yay for wiki

In reality, GhostExodus compromised the system with physical access as a night security guard.  It is not known if this HMI was “legitimately” accessible remotely with RDP or similar protocols.  It was revealed in the criminal complaint that malicious software allowing for remote access was confirmed to be installed on the system.

GhostExodus followed up in the same thread on warezscene with this post:

nice. You almost can’t help it ya know. It must be done!

Hopefully this isn’t something many people feel compelled to do.

 

If you haven’t read Part 1 of this story, then you really ought to take a look at it first.  It serves as a good overview, and the criminal complaint filed by the FBI is a good read.

Yesterday afternoon was GhostExodus’ detention hearing.  I’m not very familiar with the process one goes through after being arrested for something like this, so I had to look up what this meant.  I found the following site which, I believe, explains detention hearings well:

(Looks like a cool site beyond this, even.  Kind of a legal equivalent to the blog I run here.)

I was informed yesterday afternoon that the Judge in this case found that there was probable cause to detain Jesse McGraw while the case is pending.

Here are some links to the coverage this is getting.  I’m linking articles that I think my readers would enjoy, especially those where the reporters were thorough enough to contact me personally to get the stories:

The members of the press I’ve talked to on the phone and over IM have been very nice.  There are many more stories than this; you can poke around on Google News if you like, but your best source of technical information for fellow security and control-systems folks is going to be right here, of course :)

Now, time to break out the popcorn.  Here are two of the most interesting videos that were posted to GhostExodus’ youtube accounts.  It’s my understanding that these videos were played in court yesterday.  After each video, I’ve summarized some points of interest:

  • “Post July 4th” is a strange choice of title here, as it’s before July 4th, and in preparation for the attacks scheduled for the 4th
  • He’s recording this by holding his laptop in front of him (reflections in elevator)
  • Claims to have infiltrated corporate offices, but it’s obviously a medical facility
  • Watch for medical charts and such on the walls when he sits down
  • Appears to be the collar of a security guard uniform peeking out of the top of the hoodie
  • The FBI identified this computer at the clinic by the toy flamingo on top of the monitor

  • This was recorded at a desk at the hospital where McGraw was a security guard.
  • I thought about buying one of those camera pens until I saw this.  Not inconspicuous.
  • Showing off your fake FBI credentials on youtube isn’t very smart.

I will continue this series with more posts, discussing the HVAC compromise, how I came to be aware of it, and the techniques I used to gather information on the suspect.  Still pooped from talking to so many people about this, but I’m enjoying spreading the gospel of control-systems security ;)

 

Script kiddie forum pic of the day:

[Screenshot: perlhackingisdead1]

Naughty avatar censored, but I kept the language in case you want to try and make any sense of this chunk of thread.  PsyKon-X’s contribution is particularly hard to read through:

Perl does indeed work my friend but the coders in which the perl hack was designed for are being patched faster than the hacker is making the perl scripts, and also depends on if the person using the script for example is using phpbb and hasnt patched it with the new version this is vulnrable

Diagram that sentence.

All of you whitehats posting scripts to milw0rm are killing the perl hacking scene ;-) .

 

Yousif called me several times after the first post about him, however, after a while he gave up and delegated the late-night calls to his friend Mark.  In response to a recent post, Mark gave me a call at about 2AM last night.  My wife and I were up watching DVDs of Battlestar Galactica, so it’s not as inconvenient as you would think.

I was getting bored of the call, and decided to fire up Audacity, in order to record some of his profane rants and play them back to him.  Once he wrapped his head around the fact that I was able to record the call, he decided that he wanted me to record a message to post here, on my website.

The following, is that message.  While I took this as an opportunity to play around with iMovie, I haven’t censored any of the language or idiocy that’s present in his audio.  If you are easily offended, then you might not want to watch.  If you’re at work, well, you might want to save this till you get home, or get some headphones :)

Edit: Yousif apparently didn’t like the fact that this video was in the “Related Videos” box for the commercial he made, ripped off from Lanier Leather, for his affiliate marketing site.  He managed to report the YouTube version of this video into oblivion, so here it is on metacafe:

Edit: Awesome comments down below.  Glad you could join us, Mark.  I guess this is where you can contact him for the time being.

© 2012 McGrew Security