Back in the early 2000s, I worked for a firm that was responsible for investigating TV Smart Card hacking for a major satellite provider.

Here are some of the highlights of how we tracked and caught some of the hackers.

A thread.
So for those of you not familiar with how satellite TV worked back then here is some background.

- The provider would "beam" a stream of data (e.g. TV channels etc) from a ground station up to a geosynchronous satellite
- Geosynch was important as you target a country/region
- The satellite would then take that data & "beam" it back down to the area below it (b/c geosync)
- Individual subscribers would have both a dish & a decoder box (dbox) since the stream was encrypted
- The decoders would have a Smart Card(SC) that could decrypt the stream
- The key parts of this were the dbox + the SC
- The "brains" was the pairing of the two
- You can think of the dbox as the algo and the SC as the "key"
- In reality, the SC had its own processing power but now we are getting technical
Back to the hacking.

So the initial cards were very easy to hack. They could easily be read and cloned by standard SC hardware.

Later generations became much harder and used things like Zero Knowledge Tests (ZKTs) etc to make them harder to crack.
Around the time I got involved, the cards were still in sort of a middle state where you couldn't just buy a cloner and make a new card but people with some tech smarts/engineering backgrounds could create clone cards.
This was the early 2000s so the internet was still a wild place where anyone could set up a forum, start sharing information and get lots of forum members who were into this kind of thing. There were a LOT of little websites, a few big ones and one REALLY big one.
One of the first things we wanted to do was find out: "How big is the BIG one really?"

For example, it had 150,000+ registered users.

This freaked out the client because it appeared that there were 100s of thousands of people potentially involved in hacking their cards.
This was in the old vBulletin days and we noticed that you could view a user's profile without being logged in if you went to a url along the lines of url/user/id=1.

So we decided to sample every thousandth user e.g. 1, 1001, 2001 etc all the way to 150K
What we found:
- around 998 / 1000 users had never posted
- 2 / 1000 users had posted more than 100 posts
- 1 / 1000 users had posted more than 500 posts

In other words, <150 people were actively posting on the website.

Client breathes big sigh of relief!
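The sampling above, as an added example that is not the firm's original tooling: a Python sketch that walks every thousandth member id, pulls the post count out of each profile page, scales the hits up to a population estimate, and attaches a confidence interval to each estimate. The profile markup, the post-count regex, the "no such user" page and the handful of sampled ids with known counts are all constructed assumptions; `fetch` stands for whatever returns the profile HTML for an id (here a fake that serves the constructed pages).

```python
"""Estimate how many of a forum's registered users actually post by sampling
every Nth member profile.  Added example, not the firm's original tooling.
The profile markup, the post-count regex and the sample pages below are
constructed assumptions standing in for an early-2000s vBulletin member page."""
import math
import re
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# Assumed markup: the member page carries a "Total Posts" line.
POST_COUNT_RE = re.compile(r"Total Posts:</b>\s*([\d,]+)")


def parse_post_count(html: str) -> Optional[int]:
    """Return the post count, or None for deleted/invalid ids (no count shown)."""
    m = POST_COUNT_RE.search(html)
    return int(m.group(1).replace(",", "")) if m else None


def sample_ids(max_id: int, step: int = 1000, start: int = 1) -> List[int]:
    """Systematic sample: ids start, start+step, ... up to max_id."""
    return list(range(start, max_id + 1, step))


def wilson_interval(k: int, n: int, z: float = 1.96) -> Tuple[float, float]:
    """95% Wilson score interval for a proportion k/n; usable even when k is 0 or 1."""
    if n == 0:
        return (0.0, 1.0)
    p = k / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


def survey(fetch: Callable[[int], str], max_id: int, step: int = 1000,
           thresholds: Sequence[int] = (1, 100, 500)) -> dict:
    """Fetch every `step`th profile and count users at or above each post
    threshold; scale each count by `step` for a population estimate and attach
    a confidence interval, because one or two hits is a noisy number."""
    at_least = {t: 0 for t in thresholds}
    sampled = missing = 0
    for uid in sample_ids(max_id, step):
        posts = parse_post_count(fetch(uid))
        if posts is None:
            missing += 1          # deleted/banned id: report it, do not extrapolate
            continue
        sampled += 1
        for t in thresholds:
            if posts >= t:
                at_least[t] += 1
    return {
        "sampled": sampled,
        "missing": missing,
        "at_least": at_least,
        "estimated_population": {t: at_least[t] * step for t in thresholds},
        # population-scaled 95% interval for each threshold
        "interval_95": {t: tuple(round(b * max_id) for b in wilson_interval(at_least[t], sampled))
                        for t in thresholds},
    }


# Constructed stand-in for the live site: a few sampled ids with known pages,
# everything else a zero-post profile.
FAKE_PROFILES: Dict[int, str] = {
    2001: "<b>Total Posts:</b> 750",
    3001: "<b>Total Posts:</b> 120",
    4001: "<h3>No user with that id exists.</h3>",   # constructed error page
}


def fake_fetch(uid: int) -> str:
    return FAKE_PROFILES.get(uid, "<b>Total Posts:</b> 0")


if __name__ == "__main__":
    print(survey(fake_fetch, max_id=5000))
```

The interval is the check a practitioner wants before quoting a headline number: a category seen once or twice in 150 samples is only known to within an order of magnitude, so a figure like "fewer than 150 active posters" is a point estimate rather than a ceiling. Ids that no longer resolve to a profile are counted separately and not extrapolated. Sampling every thousandth id also assumes activity is unrelated to id mod 1000, which holds when ids are handed out sequentially at registration.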
There were also questions from the client along the lines of: "Hey, we can get the FBI and/or RCMP (The Mounties!) to shut this website down. Why don't we just do that?"

Our answer: "NO! This is our single biggest source of intel! If you shut it down then...
A. They will know we are on to them
B. Due to A, they will start locking down who can see the information
C. Due to B, we won't have access to what's going on"

Anytime I've heard about govt or intel services leaving sources active, I think about that conversation.
As the operation progressed, the FBI/RCMP would arrest people and seize their hardware.

This led to both affidavits we could read and servers etc that we could access.

I'll start with some of the interesting things from the affidavits.
Imagine the movie Blow with Johnny Depp but replace cocaine with satellite TV hacking.

e.g. "There I was, working at Circuit City selling satellite TV packages.

Someone came up to me and said, 'hey, you can sell pirated cards when you sell a package...
and we can split the proceeds' I thought about it and said 'sure!'

It worked so well that I eventually started buying the hacked cards directly from the supplier. Then I set up a website and made so much I quit Circuit City and bought a mansion in Florida.
That's where I was when the FBI raided my house and now I'm here."

Another (much shorter version): "Yeah, when the hackers wanted to show us the new cards, it cost $10K just to go to the demo and the dudes had guns!"

Remember, we're talking about satellite TV here.
On the hardware side, we would rack mount servers that had 10s or even 100s of Apache virtual hosts on them backed by one MySQL DB.

I remember the day I swapped out the mysql admin dir of a seized server with a dir of known acct + password. We instantly had admin access...
and I got the rush of "hey, we can see EVERYTHING!"

This included DMs between admins etc which, in turn, led to more arrests and seizures etc
Speaking of targeting sites, a big problem was how to rank the sites in order of priority.

For a long time, it was a curated list of sites that took hours to generate, review etc and required an in depth knowledge of all of the sites.
One of my first projects was to build an Access DB that had an entry per site and a bunch of "yes/no" flags e.g. takes credit cards, ships internationally etc.

Eventually we had data on hundreds of sites but we weren't sure how to write the algo to rank them.
Then, one of the Project Managers had a brilliant idea: "Hey, we already have a ranking right? So let's work backwards! Adjust the weights on the yes/no flags till we get a ranking that matches what we have now!"
This was a genius idea for two reasons:
1. We could now rank the sites programmatically
2. Data collection on each site could be done in parallel by anyone (e.g. interns) even if they had no knowledge of the broader picture
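The "work backwards from the ranking we already have" idea above, as an added example (not the team's Access database or its scoring code): fit integer weights for the yes/no flags with a pairwise ranking perceptron, so that the weighted score reproduces the curated order, then score a newly collected site with the learned weights. The site names, the five flags and the curated order are constructed for illustration.

```python
"""Fit weights for yes/no site flags so that the weighted score reproduces an
existing curated priority ranking (pairwise ranking perceptron).  Added example,
not the team's Access DB or its ranking code.  Site names, flags and the curated
order below are constructed."""
from typing import Dict, List, Tuple

FLAGS = ["takes_credit_cards", "ships_internationally", "sells_hardware",
         "has_forum", "advertises"]

Site = Tuple[str, Dict[str, int]]

# Constructed data: site -> yes/no flags, listed in the curated priority order
# (highest priority first).  This is the "ranking we already have".
CURATED: List[Site] = [
    ("bigstore",  dict(zip(FLAGS, (1, 1, 1, 1, 1)))),
    ("hwshop",    dict(zip(FLAGS, (1, 1, 1, 0, 0)))),
    ("cardsonly", dict(zip(FLAGS, (1, 0, 1, 0, 1)))),
    ("forumA",    dict(zip(FLAGS, (0, 0, 0, 1, 1)))),
    ("smallintl", dict(zip(FLAGS, (0, 1, 0, 0, 0)))),
    ("blog",      dict(zip(FLAGS, (0, 0, 0, 0, 0)))),
]


def score(flags: Dict[str, int], weights: Dict[str, int]) -> int:
    """Weighted sum of the yes/no flags."""
    return sum(weights[f] * flags[f] for f in FLAGS)


def rank(sites: List[Site], weights: Dict[str, int]) -> List[str]:
    """Highest score first; ties broken by name so the output is deterministic."""
    return [name for name, _ in sorted(sites, key=lambda s: (-score(s[1], weights), s[0]))]


def concordant_pairs(sites: List[Site], weights: Dict[str, int]) -> int:
    """How many (higher, lower) pairs of the curated order the weights reproduce."""
    ok = 0
    for i in range(len(sites)):
        for j in range(i + 1, len(sites)):
            if score(sites[i][1], weights) > score(sites[j][1], weights):
                ok += 1
    return ok


def fit_weights(sites: List[Site], max_epochs: int = 100) -> Tuple[Dict[str, int], int]:
    """Pairwise ranking perceptron: whenever a site ranked above another in the
    curated list does not strictly outscore it, move the weights towards the
    flags that distinguish the higher-priority site.  Integer weights, no
    randomness, so the result is reproducible.  Returns (weights, epochs run)."""
    w = {f: 0 for f in FLAGS}
    for epoch in range(1, max_epochs + 1):
        updates = 0
        for i in range(len(sites)):
            for j in range(i + 1, len(sites)):
                hi, lo = sites[i][1], sites[j][1]
                if score(hi, w) <= score(lo, w):
                    for f in FLAGS:
                        w[f] += hi[f] - lo[f]
                    updates += 1
        if updates == 0:
            return w, epoch        # converged: a clean pass with no corrections
    return w, max_epochs           # no weighting reproduces the curated order exactly


if __name__ == "__main__":
    weights, epochs = fit_weights(CURATED)
    print(weights, "after", epochs, "epochs")
    print(rank(CURATED, weights))
    # A site an intern just catalogued, scored without knowing the big picture.
    newcomer: Site = ("newsite", dict(zip(FLAGS, (1, 1, 0, 1, 0))))
    print(rank(CURATED + [newcomer], weights))
```

If `fit_weights` runs to `max_epochs` without a clean pass, no linear weighting of these flags reproduces the curated list exactly; `concordant_pairs` then shows how close it got, and the pairs that refuse to separate usually point at either an inconsistency in the hand-made ranking or a flag that was never collected (two sites with identical flags can never be ordered, whatever the weights).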
The coolest part was that the same PM from earlier got to write up a report for the @FBI about everything we had learned.

The irony: he HATED writing and thought he was terrible at it but the SAC in charge of the case apparently held up the report in front of their agents...
And said “Listen up! Read this report because this is EXACTLY how I want reports from all of you to be: clear, well written, has a great narrative and flow and is easy to understand!”
/thread

Thanks for reading and if you liked this thread, here is another thread about fighting spam when I worked at the same company.
Thread by Alex Elliott