I Missed my Calling

Yesterday I was talking with Brent Simmons and Brian Kellner about feed security, and how you really have to think like a hacker to find vulnerabilities in your software. That reminded me of my own brief experience as a software cracker, which I told them about.

See, back in early 1990s I had a short consulting stint with a large financial institution, working on the desktop piece of a client-server application that transferred millions of dollars over the wire. I was concerned that our login dialog might be vulnerable to password-sniffing, and when I raised this issue with my Program Manager, he tasked me with thinking of ways this could be accomplished. So I made it my calling to figure out how to get the PM’s username and password in a way that wouldn’t require physical access to his computer.

Much to my surprise, it took very little time. Here’s what I did:

I wrote a small program in Visual Basic which sat in the background waiting for a window with the same title as our login dialog to appear (this was back in the Windows 3.1 days, when it was simple to do things like that). After the login dialog was detected, I’d start monitoring the keyboard and record any keystrokes that were entered into the username and password controls. When the dialog was OK’ed, my app would write the user’s login to a text file stored on a network share.

Next I had to find a way to get my app onto the PM’s system without him knowing it. I figured out that if I gave my program the same icon as MS Word, it would look like a Word document when it was attached to an MS Mail message (this was before email clients started blocking EXEs). So I modified the program to load a document into MS Word when it was executed – that way, when the “victim” double-clicked the attachment icon, it would act just like he’d double-clicked a Word document.

When I was confident that my little program worked, I emailed it to the PM. Later that day I checked the network share for the text file containing his login, and sure enough it was there. Suffice to say, his eyes got bigger than should be humanly possible when I showed him his username and password.

I have to admit, I was pretty pleased with my cracking skills when I pulled that off. And after Brent heard this story, he said that I missed my calling :)

Side note: after discovering how easy it was to sniff passwords with a simple VB program, I emailed one of the editors of the Visual Basic Programmer’s Journal, which was the leading magazine for VB developers back then. He got in touch with someone at Microsoft about this, and they told him something along the lines of “yeah, that’s a known problem with Windows 3.1.” Oh, and the name of the editor I contacted was Robert Scoble, who later joined Microsoft and became their most famous blogger. I wonder if he remembers my email?

3 thoughts on “I Missed my Calling

  1. “large financial institution, working on the desktop piece of a client-server application that transferred millions of dollars over the wire.”
    And it was running on Windows 3.1?. LOL. God bless M$ security :).

  2. Dear Nick,
    I’m a Cochlear Implant user for the past year. This might seems like a strange post or note, but searching through google I found that you’ve got a CI, and perhpas enjoy skydiving?!
    Prior to my CI I’ve done a tandem dive, and since have dreamed of doing an AFF course. Would you have any insights on this?
    Best regards and thanks,
    Oren T. Dvoskin.
    Israel. dvoskin.oren@idc.ac.il

Comments are closed.