Dimitri van de Giessen in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.
The videos and other presentations can be found on https://def.camp/archive
2. Last email quote
“Microsoft Security Response Center”, 2018.04.28:
“The team is asking that you not use the SAM information or Microsoft's name. Ultimately the decision is yours.”
3. What you will see in this
DefCamp talk 2018
- Drama
- Mystery
- Action
- and some NSFW
As far as I know this is not
available on:
4. Who am I now
Dimitri, 37 years old
Married, with an 11-month-old baby girl
Living in The Netherlands
My hobbies: snowboarding & cooking
EC-Council CHFI (Computer Hacking Forensic Investigator)
System engineer
Working/worked for Dutch government, healthcare, multinationals and …..
6. WHAT I WILL DISCUSS
Who was I
What did I do
Why go to the press
How MS responded
What happened next
7. BACK TO THE YEAR 2000
LET’S STEAL MICROSOFT’S MOJO
8. Who was I
Age: 19 years
Living: at my parents' house
Work: ICT service company
Playing with firewalls
Freelance pentester
Study: system engineer
Hobbies: Wing Chun Kung Fu
& ...
9. My hobbies
Discovering new, and using existing, ways of hacking
Microsoft Internet Information Server, Site Server, FrontPage extensions,
Commerce Server & Index Server.
For example:
CVE-2006-1257
Microsoft Commerce Server: authentication bypass
https://vuldb.com/?id.29228
Found 2002, reported 2003, fixed 2003, full disclosure 2006
10. Online & offline activities
Newsgroups: Bugtraq & more
Websites: SecurityFocus, Attrition & Packetstorm
Books, books, books: networking, Red Hat & Windows books
To stay in contact: IRC (DUH)
Playing games: Delta Force
13. First Security Notice Report to Microsoft
2000.05.30: Sample files on Microsoft.com (source code disclosure of ASP files)
http://www.microsoft.com/indonesia/MBICC/search/query.htm
17. Third Security Notice Report to Microsoft
2000.08.30: Passwords found on several servers of *.microsoft.com (source code disclosure of ASP/ASA files)
18. Contact with “Microsoft Security Response Center"
2000.05.30, first contact: sample files were used on www.microsoft.com
2000.05.31, second contact: servers left at their default installation: forum.microsoft.com & windowsce.microsoft.com
2000.08.15, third contact: database passwords found on *.microsoft.com
2000.10.22, fourth contact: access to several *.microsoft.com servers
29. Some quotes from the first news article
“The latest breach was minor by comparison and was fixed almost immediately, the company said.”
The server, which was nearing its scheduled retirement age, suffered from not having received a new software update, or "patch," that was issued Oct. 17, Sohn said. Microsoft has corrected the problem, he added.
"It's a challenge when you run a major network with many servers. Even though this server was near retirement, we would have preferred that it had the patch. It's certainly the exception and not the rule; this one fell through the cracks."
30. After a few days
What do you post when you see the post is gone but
the servers are still not patched?
https://youtu.be/CduA0TULnow?t=1m28s
Oopsididitagain.htm
Patching your systems is very hard huh
MSG to Britney:
I loved your concert in the Netherlands
31. Some quotes from the second news article
"We want to start a
dialog with Dimitri”
“We would like to know why
Dimitri feels he needs to
challenge us this way."
33. What we discussed
The well-known Unicode directory traversal exploit.
2000.10.18: Rain Forest Puppy investigated the anonymous forum post on Packetstorm and wrote a perfect explanation of the vulnerability.
2000.10.18: The same evening my friends and I also posted on NTBugtraq with details on what you can do with it.
For example, you don't need to use only the “scripts” folder: you can also use the “MSADC” folder, which is installed by default on the C drive and was therefore more often usable. The scripts folder was usually installed on the D drive, and a “..” traversal stays on the drive the virtual directory lives on, so from D: you cannot reach the Windows system directory on C:.
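The class of request discussed above, as an added example that is not code from the talk: a small Python log scanner that decodes request paths the lenient way the vulnerable IIS file-system layer did (accepting overlong UTF-8 such as %c0%af for "/"), compares that with the strict decoding the server's own traversal check saw, and flags requests that climb above their virtual directory. The W3C log lines are constructed; the list of executable virtual directories beyond scripts and MSADC, and the assumption that cs-uri-stem is logged percent-encoded as sent, are mine.

```python
"""Detect IIS "Unicode" directory-traversal requests (the scripts/MSADC
technique the talk refers to) in W3C-style web logs.

Added example for this page; not code from the talk. The log lines below are
constructed, and cs-uri-stem is assumed to be logged percent-encoded as sent.
"""
import re
from urllib.parse import unquote_to_bytes

# Executable virtual directories a default IIS 4/5 install exposed. The talk
# names "scripts" and "MSADC"; the others are assumptions for this demo.
EXEC_VDIRS = {"/scripts", "/msadc", "/_vti_bin", "/iisadmpwd", "/samples"}

# Constructed W3C extended log: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2000-10-20 03:14:07 10.0.0.7 GET /default.htm - 200",
    "2000-10-20 03:14:22 10.0.0.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+c:\\ 200",
    "2000-10-20 03:15:01 10.0.0.7 GET /msadc/..%e0%80%af../winnt/system32/cmd.exe /c+dir 200",
    "2000-10-20 03:16:40 10.0.0.9 GET /scripts/tools/../getdrvrs.exe - 200",
    "2000-10-20 03:17:05 10.0.0.7 GET /scripts/../../winnt/system32/cmd.exe /c+dir 404",
]

LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")


def lenient_utf8(data: bytes) -> str:
    """Decode UTF-8 the way the vulnerable IIS file-system layer did: overlong
    2- and 3-byte sequences (C0 AF and E0 80 AF -> '/', C1 9C -> '\\') are
    accepted. A strict decoder rejects them, which is why IIS's traversal
    check, run on the strictly decoded URL, saw nothing to block."""
    out, i, n = [], 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            out.append(chr(b)); i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < n and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))); i += 2
        elif (0xE0 <= b <= 0xEF and i + 2 < n
              and all(0x80 <= c <= 0xBF for c in data[i + 1:i + 3])):
            cp = ((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)
            out.append(chr(cp)); i += 3
        else:
            out.append("\ufffd"); i += 1   # invalid byte: keep a marker, never a separator
    return "".join(out)


def escapes_vdir(path: str) -> bool:
    """True if '..' segments climb above the virtual directory (the first path
    segment). Both '/' and '\\' separate segments on Windows."""
    segs = re.split(r"[\\/]+", path)
    depth = 0
    for seg in segs[2:]:   # segs[0] is '' before the leading '/', segs[1] is the vdir
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def classify(raw_stem: str):
    """Return (verdict, decoded_path). 'unicode-traversal' means the escape is
    only visible after lenient decoding, i.e. exactly what IIS missed."""
    raw = unquote_to_bytes(raw_stem)
    strict = raw.decode("utf-8", errors="replace")
    lenient = lenient_utf8(raw)
    if escapes_vdir(lenient):
        return ("plain-traversal" if escapes_vdir(strict) else "unicode-traversal"), lenient
    return "ok", lenient


def scan_log(lines):
    """Run classify() over W3C log lines; return one dict per suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or line.startswith("#"):
            continue
        ts, ip, method, stem, query, status = m.groups()
        verdict, decoded = classify(stem)
        if verdict == "ok":
            continue
        vdir = "/" + stem.split("/")[1].lower()
        hits.append({"time": ts, "client": ip, "method": method, "verdict": verdict,
                     "vdir": vdir, "exec_vdir": vdir in EXEC_VDIRS,
                     "decoded": decoded, "query": query, "status": int(status)})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h)
```

Run it directly to print the hits over the constructed log, or feed scan_log() real W3C lines. The strict/lenient split is the point: a request flagged only as unicode-traversal is one the server's own check would have let through, and the exec_vdir flag tells you whether the target directory could execute what the traversal reached.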
36. Access to the following servers
Windowsupdate.microsoft.com
128download.microsoft.com
Events.microsoft.com
Insider.microsoft.com
Library.microsoft.com
& More
37. The Damage control questions from MS:
Did you do any damage?
No
Did you upload viruses?
No
Did you create backdoors?
No
Why did you do this?
Updating systems is a difficult task for system admins. Also for MS.
38. My recommendations to MS in the year 2000
Start a Microsoft Security Response Center in Europe.
Ship features & samples in IIS (and Windows in general) with the default “off”, not “on”.
39. Microsoft last words at the meeting
If you find more vulnerabilities in the future let us know.
Keep in touch at Microsoft The Netherlands.
40. Email quotes “From MS spokesman with love”
“All press contacts about your activities
that concern Microsoft are now over.
All communication about hacking Microsoft
through you to press goes through Microsoft."
41. Email quotes “From MS spokesman with love”
"If we are approached by the press,
our comments will be that we have indeed
spoken to each other, but that we will not make
further statements about this conversation."
42. Email quotes “From MS spokesman with love”
"From the US they have responded with approval to our conversation.
I think - and I mean that - that you are getting away with this too easily, without charges."
44. What did my employer think about it
I should have gone to my manager before exposing my findings, to say that I had access to *.microsoft.com.
They could have had Microsoft as a customer.
They planned a meeting at the airport, behind customs, with Compaq.
52. But what happened in 2003?
I found a vulnerability in Microsoft Commerce Server: CVE-2006-1257
57. Timeline vulnerability
2003.03.10: Meeting at Microsoft The Netherlands with proof of concept.
2003.03.31: Official escalation of the vulnerability. Microsoft is busy with a fix.
2003.04.15: Microsoft: fix in service pack.
2003.04.26: Microsoft: no call out for the reporter.
2003.04.27: Me: no “call out”, then I will not give my support.
2003.04.28: Microsoft: bla bla, customers, bla bla.
2003.04.28: Me: Only the sun rises for free; I'm only asking for a “call out”.
2003.05.06: Microsoft: the KB article in the service pack will have the “call out”.
2003.08.26: Microsoft released the service pack & security bulletin regarding the vulnerability.
58. Top questions
Most asked:
“Did you hack Microsoft?! Are you rich?”
“Can you hack somebody’s hotmail for me?”
“Can you hack a bank for me?”
Strange questions:
“Can you crash a train for us to make a documentary about hacking?”
“Can you hack a pigeon breeder website for me?”
59. Bucket list
Hack Microsoft
Receive call out in Microsoft Product
Meet Britney Spears
Going worldwide with my talk
DefCon Skytalks (USA, Las Vegas) - Sec-T (Sweden, Stockholm) -
Kaz’Hack’Stan (Kazakhstan, Almaty) - UISGCON (Ukraine, Kiev)
DefCamp (Romania, Bucharest)
& More to be confirmed