CM Sherman Gallery – PWND

Jim ‘JJ’ James sounded puzzled, “Let me get this straight – you want me to break into the gallery and take a photograph? I am sorry Mr. Collins – that isn’t the sort of thing we do. We do penetration tests of the network – we don’t remove items from the client’s business.”

Marshal Collins, chairperson of the CM Sherman Gallery Society, smiled – “Sorry – poor choice of words. Not ‘take’ as in steal but just take a picture of yourself inside the gallery. Proof that you were actually able to get inside the gallery.”

JJ was the co-owner and main operative of ‘JJ Cyber Security’. They specialized in computer network penetration (pen) testing, commonly known as White Hat hacking, and were hired to test company networks for potential cyber vulnerabilities. While the large companies handled the major clients, they serviced medium-sized companies all over New Jersey, Pennsylvania, and New York. Located in the township of Glen Ridge, NJ, JJ Cyber Security’s office belied the fact it was the top cyber security firm in the state.

Jill Swanson, JJ’s wife and business partner, was the receptionist/operative/hacker and sat in the outer office. To her right was a large room that served as the main command center/workshop; behind her was JJ’s office. The wall behind her was dominated by a sign: “We comply with Section 18 U.S.C. 2511(2)(d) on the recording of conversations.” Jill, a former law student, had the sign made. It was her private joke – that section allowed them to record conversations.

Jill had taken Collins’ call to set up an appointment. She had already prepared an extensive dossier on him. She did that for every new client. Being paranoid was the natural product of being in a security business. It also meant they recorded all client interviews. JJ had started recording as soon as Collins entered his office.

“Maybe I should explain. . . . The gallery is currently showing a collection of photographs by local photographers. They aren’t really that valuable. . . . However, we are hoping to exhibit more prestigious works in future. We need to know not only that the network is secure, but also that the building is secure. . . . Insurance costs for exhibits are through the roof.”

Jimmy thought about it for a moment. It was a much smaller job than they usually took on, but it was for the local gallery. They had even donated to the gallery’s last fundraiser.

“I think we can fit you in. But probably not before Memorial Day. Our fee will be $5,000.00 . . . How many people know about us?”

“Sounds fair. . . . Just the board. Should I tell the gallery manager?”

“No – the fewer people that know the better. That way we get a true picture of the security set up. . . . We will need a signed release from you and at least two other board members giving us permission to attempt the test; also saying that we are not responsible for any losses incurred as a result of the test, and no one will lose their job due to our findings – this isn’t a witch hunt. And, I will need the contact information for the person looking after your website – just in case something goes wrong while we are probing the site.”

“Done. I will have the release couriered over in the morning.”

After Collins left JJ came out to see Jill. He didn’t need to ask if she had been listening to the conversation.

“What do you think?”

Jill smiled “I think you are getting soft – you might as well have said we would do it for pro bono.”

“People don’t value things they get for free. . . . How would you like to see our new art gallery?”

Smiling – “I thought you would never ask.”

The gallery was a short walk down Bloomfield Ave. from their office in the Glen Ridge Arcade. The stone building previously housed the Blue Foundry Bank which had moved to a larger building. It had only recently been converted to an art gallery. Exhibit rooms were on the two floors of the main building with the basement used for storage. An annex at the back that once housed the ATM drive-through now served as the office area.

JJ grabbed a ‘selfie stick’ and a fanny pack. They were two of JJ’s favorite tools. The ‘selfie stick’ was by far his favorite surveillance tool. To anyone watching, he and Jill were taking a lot of ‘selfies’ in front of various displays. In fact, JJ had reversed the cameras; they were taking detailed pictures of the area. In the fanny pack was an Ubertooth scanner that could ‘eavesdrop’ on and record the ‘conversations’ all Bluetooth devices have with the server. An Apple iPhone was set up to capture the WiFi signals.

Back in the office, Jill started downloading the images from her phone to her computer – JJ went into the workshop and loaded the captured information into Netshark.

“Bingo – I thought I should have recognized the name”

JJ went out to see what Jill was looking at.

“I never connected CM Sherman with Cindy Sherman. She is pretty famous, one of her prints is worth over $3,000,000.”

JJ whistles “Not the one on display here?”

“No. But, I bet they would like to display it here. I can see why they are so anxious to check their building security.”

It was two days before the releases arrived. There were two pages – a release form authorising an audit of the gallery’s security and a list of tests to be done. Jill gave them a quick glance and passed them to JJ.


JJ looked up. Jill was always testing him on the way contracts were worded. Over the years she had saved them from lawsuits on a number of occasions where what the client asked them to do wasn’t authorized in the contract.

“Some of the things they asked for don’t apply. . . . It looks like they just grabbed a bunch of ideas from the Internet.”

“How are you going to play this one?”

JJ grinned. “You know what they say – honesty is the best policy.”

Looking up the phone number for Roger Lynch, the gallery manager, JJ calls and gets his secretary.

“Mr Lynch please. . . . Mr. James calling.”

“Mr. Lynch, JJ James from JJ Cyber Security.”

“Oh yes – you’re here in Glen Ridge”

“Yes – just up the road from you in the Arcade. . . . We’ve been hired to do a security audit for insurance purposes by . . . ” sounding frazzled. “by – I have their name here somewhere . . .”

“Continental Insurance.”

“Thank you – yes Continental Insurance. . . . I would like to do a quick walk through with you today then do a full audit on Wednesday. Does that work for you?”

“Any time today is good.”

“Great! Thank you – I will be there in about twenty minutes.”

As soon as Jill heard the name of the insurance company she made up a bogus business card for their head of security.

“It must be weird using your real name”

“A little. It’s a small town, there is probably someone there who recognises me. . . . Could you check out their website?”

“Yep – When do you think I should ‘find’ the memory stick?”

This was ‘old school’ hacking and one where women were better than men. A man handing in a memory stick he had found might be suspicious – a woman didn’t raise any concerns. If the stick was plugged into a computer and a file opened, the hacker could, potentially, take control of the system. The one Jill would ‘find’ would just send a message back to them with the computer’s ID.

“Do it tomorrow morning. That will give lots of time for someone to play with it. . . . Could you check if there are any exploits of the ‘SecureSite 3000’ lock on the main door? We should probably get one – I would like to play with it.” JJ had a database of exploits for most home security electronic locks and some commercial ones as well.

He grabbed his briefcase which, in addition to housing sniffers for Bluetooth and WiFi, scanned for other radio sources. It also had two video cameras, one forward-facing, one backward-facing, and two high definition still cameras, one regular and one infrared. He also put on what looked like a FitBit but housed a camera controlled by touching the buckle.

“Ready for war?”

“Yep – should be about an hour. . . . Go for beer when I get back?”

“Sounds good”

JJ arrived early and walked around the building. The entrance to the annex section was off Darwin Place. A wooded area and the train station screened the door. However, lack of a door handle meant people still needed to be ‘buzzed in’. JJ went around to the Ridgewood entrance. That looked promising, the key tumbler lock had been replaced with an electronic lock and there wasn’t a camera. JJ recognized the lock.

A receptionist sat between the side door and the main entrance, off the parking lot. She called Roger Lynch.

“Mr. James, pleased to meet you.”



“Roger, I just want to do a quick walkthrough today. But, first” – JJ passes him his business card and the one Jill had prepared. “This is my card, the other is my boss’s card. If you have any concerns, please give me or him a call.” This was a bit dangerous, but so far, no one had ever tried to verify JJ’s story.

“So you just have the three entrances. . . . The door off Darwin Place is still just ‘buzz in’?”

“Yes – but we rarely use it.” Lynch was starting to get more at ease.

“If you aren’t using it, you should consider bolting it shut. . . . I don’t see any motion detectors.”

“No, the security company monitors the video twenty four seven.”

“Even so, you should consider motion detectors. Security is built on layers. The more layers you have the better.”

The rest of the walk through went much the same with JJ passing on small tips on security and Lynch unwittingly giving JJ information that would allow him to enter the building.

Jill was just finishing something on her computer when JJ got back to the office.

“How did it go?”

“Pretty good. Nothing we didn’t see when we were there the other day. The video should be easy to get into – the locks are even easier . . . I already have an exploit for the lock on the Ridgewood Ave entrance. Did you find anything on the ‘SecureSite 3000’ on the parking lot door?”

“No – I have the lock on order. It should be here tomorrow. . . . I’m running WPScan on their website. I am going to let it run a brute force attack overnight to crack the passwords.” Grabbing her jacket – “I think it’s your turn to buy the beer.”

When they arrived the next morning Jill found WPScan had cracked the admin password. The site had default security settings, allowing unlimited attempts to try and login. It only took WPScan 10,000 tries to get the password. Jill logged in as ‘admin’ and started looking through the files.

JJ did a drive-by of the gallery to get their GPS coordinates. Driving back to the office he grabbed his high-gain Yagi antenna and took it to the roof. Using the gallery’s GPS he aimed the antenna at their location. He already had the login password for the WiFi from the information he got from sniffing the devices when they visited there.

After logging into the gallery network JJ scanned their network to see what computers were connected. Next, he scanned each of the computers to see what ports (doors) they had open. From this point on he had control of everything on the network.

Jill was doing her thing on the website. She had saved a list of all the site users with their email addresses, putting it aside for now. The passwords were encrypted; she decided not to decrypt them. That would be crossing the line between White Hat and Black Hat hacking.

JJ would wait until Sunday, when the gallery was closed, before breaking in. The nice thing about having hacked the lock was he could walk up to the door in the middle of the day and open the door. In addition to opening the door, his hack prevented the ‘door open’ message from being sent to the legitimate owner of the lock.

JJ was back at his desk when Jill called him over.

“Have a look at this.”

“What am I looking at?”

“It’s the user list I saved yesterday. . . . I expected just a list of members of the gallery society, probably no more than one hundred members, but there are over a thousand entries. Most look like this.”

JJ looked at the names, most of which were combinations of letters, numbers, and characters “It looks like the real name has been encrypted.”

“That’s what I thought. They are also a different user class than society members. . . . And, look at the email address – they are on the gallery email server. The only other people having email addresses are the gallery staff.”

JJ had a sickening feeling. “Can you run a PHP script?”

“Yes – Hello Dolly is still there.” ‘Hello Dolly’ is a fun plugin that is shipped with WordPress. Since it isn’t usually displayed on the site, it can be used to run malicious programs. Jill was surprised it hadn’t been removed.

“Dump the directories.”

Jill types in the code – “That doesn’t look right.”

“Yeah – there is a blank line at the top of the list.”

“Shit – a hidden directory. They are using a space as the directory name.” ‘That is definitely old school’

“What is in that directory?” A knot was forming in his stomach – he was afraid of what he would see.

Jill looked pale, her hands were clammy. She checked her code three times before pushing ‘Enter’. A list of hundreds of images scrolled down the screen.

Jill looked up – “We don’t have to look at them.”

JJ was shaking – half with anger, half with fear. JJ was disgusted, terrified, falling into the pit of paranoia by what they had stumbled upon. Memories of being abused as a child, memories he had spent twenty years repressing, were boiling up.

“There is an index.php page. I’ll print that?”

The HTML code came up on the screen. As JJ had feared, there was what appeared to be an authorization check in the page header. If an unauthorized person opened the page in a browser they would get an error message. In JJ’s heightened state of paranoia, he assumed an intruder alert would also be sent to the site owner.

As they read the code JJ started to pace.

‘Select Child By Age’
‘Select Child by Gender’

Jill had regained some of her composure. She saved the information she could, took screen shots of the things she couldn’t save, and slowly backed out of the website. Then she called their contact in the FBI. The agent that had made the case against JJ’s abuser.

“Hey JJ – what’s up man?”

“Hi Frank, it’s Jill.”

“Hi Jill – to what do I owe the pleasure of your call?”

“We were doing a pen test when we stumbled on a child porn site.”

“Christ – how is JJ?”

Jill is struggling to sound calm – “Not good.” JJ was sitting in his chair staring blankly at the screen.

“How do you know it is child porn? Did you look at the images?”

“Hell No! – never. We looked at the index page. . . ‘Select Child By Age’ and ‘Select Child by Gender’. It is definitely a child porn site.”

“Can you secure the site?”

“No. If I change the admin password a notice will be sent to the site owner. Also, the site is hosted on Google cloud. I have no access to that account. The account owner can go in and erase everything with a few commands.”

“Do you have the name of the person who created the site?”

“Yes. I’ll text it to you. But, he may have been hacked. The security on the child porn section is much better than that for the website.”

“We will still need to seize his computer. I’ll also get Google to freeze the account. . . . I will get a crew up there as soon as I can. I will be there in about two hours.”

“Thanks Frank”

“Take care of JJ – I’ll be there as soon as I can.”


The news of the child pornography site broke on CNN three months later.

“The FBI and Interpol released a joint statement that they had made twenty arrests for trafficking in child pornography. In the statement, they said a small website in rural New Jersey had been hacked and taken over to distribute child pornography. They said the owner of the site was unaware of the operation. A tip from a member of the public who had found the site by accident led to the investigation and the arrests.

No other details were released.”
