How your colleague steals your money

PRESTONS is a fairly large law firm in Sydney. Their list of high-end clients is as long as it is impressive. During the latest financial crisis, PRESTONS hasn’t been getting as many clients as budgeted for, so the company’s executives have been forced to make some cuts in order to turn a profit.

Jeremy is the desktop support guy for PRESTONS. He has been there for 5 years, and knows how to look after the company’s systems back to front. Jeremy was told recently by his boss, Max, that he will have to start taking 1 day of unpaid leave a week. Jeremy isn’t the only one affected by this, but as he has just purchased a new moped to cruise around the city on, he fears he won’t be able to make the repayments. Both disgruntled and hurt by the fact that the company he has worked in for so long has seemingly disregarded his years of hard work and contribution, Jeremy seeks revenge.

Max is the CIO of PRESTONS. He hasn’t worked there for long but has found himself being the bearer of bad news for his small IT department. There is a bit of tension in the camp due to the pay cuts, but it seems Jeremy is the one who just can’t accept it.

One day at lunch, Jeremy overheard Max talking to the CEO. Apparently Max was getting a pay rise for his fine work in cutting the IT budget in half and re-working the IT operations. This fired Jeremy up. Why was he getting shafted while his new boss got rewarded? Jeremy decides that Max will be the outlet for his payback.

One morning in the office, Jeremy pops his head up over the partition and yells out to Max…

“Hey boss, did we get paid early? The company has put money into my account; I didn’t think we got paid until Thursday?”

Slightly annoyed by Jeremy’s interruption, Max continues his email to a customer, calling out “Umm I don’t know… I’ll check in a minute”.

Human predictability is just so… predictable.

Jeremy sits back and waits a few minutes, peeking up over the partition to look at Max’s screen… waiting for his bank’s website to pop up.

5 minutes later, Max has finished his email, takes a swig of coffee, fires up Firefox and logs into his bank.

The only thing Jeremy needs to know to pull off this attack is the local administrator login and password. As he is the desktop support guy, he knows what this is. Even if he did not know the local admin credentials, he could still pull off this attack (see the end of the post for more details).

Max opens up Firefox and logs in to his bank account. Jeremy can see the bank logo appear on Max’s screen from where he is sitting. This is how Jeremy knows it’s time to pull off the attack. As soon as Max has logged into the bank, his credentials are ready to be stolen. (Jeremy doesn’t have to sit there and watch Max’s screen; there are other ways. He just needs to know that Max is logged into his bank at this time, or into any other website whose credentials Jeremy might want to steal.)

Jeremy has downloaded a couple of small Windows tools which allow you to 1. execute commands on a remote computer and 2. view and dump a Windows process. Combining the two tools, Jeremy can find out what Process ID (PID) Firefox is using on Max’s computer. He then executes a command to dump Firefox’s memory. (These tools can be found at the end.)

So what has happened here is this: when Max logged into his bank, Firefox (or any browser for that matter) temporarily cached his password for that session. It is stored in the browser’s memory until the entire process is closed (not just the tab) or the SIGN OUT link is used on the bank’s site. So when Jeremy dumps the memory from Max’s browser while Max is logged in, the password is captured in clear text!

Jeremy saves the memory dump to Max’s C: drive and copies it back to his PC for analysis using Windows File Sharing with the UNC path (you can also dump the file directly to a share you have set up on your own PC so nothing is left on the victim’s machine).

He now has the memory dump on his PC, and has to sift through the data to find the bank login. You can use this method to find ANY password in cleartext for a site the victim is currently logged in to: Gmail, Facebook, Twitter etc. You just need to know ‘what’ to search for. Jeremy uses WinGrep to search through the file because it has good search functionality and can support large file sizes.

Jeremy started by searching for the bank’s name. He found hundreds of entries. This will obviously take a while. He played around a little bit with searching for the bank’s name together with ‘USERID=’ and ‘&PIN=’ and eventually… he found it.

That is that! Jeremy knew the name of the bank because 1. he saw the logo on Max’s screen, but even if he didn’t, all Jeremy would have to do is casually ask Max one day what bank he uses, saying he is thinking about swapping banks because his pay goes in a day late. Too easy really. And that is if you’re lazy. Searching through the dump file for ‘USERID’, you eventually find what you are looking for.

Jeremy cleans out Max’s account over a few days and can now afford to ride his pride and joy…

… Although Jeremy wasn’t the smartest hacker out there. It didn’t take Max long to figure out what happened, or the bank to look at which account his money vanished to…

FIN

After Thoughts:

Now this attack was very simple. All it does is illustrate how easy it can be for someone within a company with local admin rights to steal all of your credentials. This doesn’t just work for browsers, but for any service which is running. What makes this more interesting is that you don’t really need admin rights on the victim’s PC. You could get in early one morning and boot up their PC with a CD or USB containing the bootkit ‘kon boot’: http://www.piotrbania.com/all/kon-boot

Kon Boot bypasses local Windows authentication. You boot it up, it takes a few seconds, then the usual login screen appears. You can then remove the external media and nobody will realise. They will log in to the computer/network as normal. The thing is, everything that requires local authentication gets bypassed. So you can pull off the above attack even without local admin rights. You just have to have physical access to their PC.

There are obviously a wide array of attack methods to do things like this… keyloggers being the main one. But there is a greater chance of your keylogger being detected. This method is pretty hard to detect if you aren’t actively looking for it.

In this example, Max was using a fully patched version of Windows 7 and fully patched version of Firefox. It isn’t a flaw with the application’s security because nothing was exploited. Legitimate tools were used in an illegitimate way.

It has been observed that some websites encrypt these session passwords, but if you want to test it yourself, dump your browser memory and do a search for one of your passwords. You will be scared at how many times it appears in cleartext.

Tools used:

BeyondExec  http://www.beyondlogic.org/consulting/remoteprocess/BeyondExec.htm

Process Viewer http://www.beyondlogic.org/solutions/processutil/processutil.htm

PMDump http://ntsecurity.nu/toolbox/pmdump/

Ways to avoid this happening to you:

The only real way to prevent this is to have proper access rules set up throughout the organisation. Don’t give employees access to perform tasks that they do not need to do their job. Even then, if you have locked-down policies on your workstation, anybody can bypass local authentication on their own PC (to install nasty tools) and on YOUR PC by using one of the many bootkits out there. Best thing to do? Make sure you lock down the BIOS so no external media can be booted from without proper authentication. And again, if you have an IT Support guy in the company, he will need these credentials for his daily duties, so all I can say is… keep your employees happy :)
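A detective control that complements those access rules, added here as an example and not part of the original post: alert whenever a process other than the browser itself opens a browser process with memory-read rights. It uses the field layout of Sysmon’s ProcessAccess event (Event ID 10, a tool that postdates this post) over a few constructed sample records; the paths and source names in the sample are made up.

```python
import ntpath

# Windows process access right that allows reading another process's memory,
# the right a memory-dumping tool needs to capture what the browser holds.
PROCESS_VM_READ = 0x0010

# Browser executables whose memory typically holds live session credentials.
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}

# Constructed sample records shaped like Sysmon Event ID 10 (ProcessAccess)
# fields. Paths and source names are made up for this example; "pmdump.exe"
# is the memory-dumping tool named in the post.
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "GrantedAccess": "0x1000"},   # query-limited-information only, no memory read
    {"SourceImage": r"C:\Temp\pmdump.exe",
     "TargetImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "GrantedAccess": "0x0410"},   # PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
    {"SourceImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "GrantedAccess": "0x1FFFFF"}, # browser opening its own process: expected
    {"SourceImage": r"C:\Tools\viewer.exe",
     "TargetImage": r"C:\Windows\notepad.exe",
     "GrantedAccess": "0x0010"},   # memory read, but not a browser
]

def is_browser_memory_read(event, allowlist=frozenset()):
    """True when a process other than the browser itself (or an allowlisted
    agent such as the endpoint AV) opens a browser with PROCESS_VM_READ."""
    src = ntpath.basename(event["SourceImage"]).lower()
    tgt = ntpath.basename(event["TargetImage"]).lower()
    access = int(event["GrantedAccess"], 16)   # Sysmon logs the mask as hex text
    if tgt not in BROWSERS or not access & PROCESS_VM_READ:
        return False
    return src != tgt and src not in allowlist

def find_browser_memory_reads(events, allowlist=frozenset()):
    """Return the records worth alerting on, in log order."""
    return [e for e in events if is_browser_memory_read(e, allowlist)]

if __name__ == "__main__":
    for hit in find_browser_memory_reads(SAMPLE_EVENTS):
        print("ALERT: %s read memory of %s (access %s)"
              % (hit["SourceImage"], hit["TargetImage"], hit["GrantedAccess"]))
```

On real hosts the allowlist needs the legitimate agents (antivirus, EDR, crash reporters) that read browser memory as part of their job, otherwise the rule is too noisy to act on.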


The art of hiding passwords in plain sight

Every few years there is a discussion held in the security field. It’s always the same question and the same answers. Passwords. How do we use them securely? Most of these articles don’t even get read because to a lot of security professionals, and even end-users, it is like listening to a broken record.

I thought I’d touch on a slightly different approach to password security. Recently an article was posted on ThreatPost.com by Gunter Ollmann, who argued that the sheer number and complexity of passwords the average user needs for day-to-day use of technology is too high, which leads to users re-using passwords across multiple sites and choosing weak passwords (because they are easy to remember). (The article can be found here: http://threatpost.com/en_us/blogs/why-you-should-write-down-your-passwords-070610)

Now I somewhat agree with this viewpoint, and I somewhat don’t. It is true that people are re-using passwords across various sites. It is true that people are choosing weak passwords so they can be remembered. What Gunter states is that people should in fact write down their passwords, and choose complex ones which they change often. He states that there is less chance of someone breaking in to your home or office and reading the post-it note you stuck on your monitor than there is of a hacker or piece of malware either cracking your easy-to-remember passwords or siphoning them out of browser memory where people choose to allow the ‘remember password’ function.

Now, while all of this is true, I can’t help thinking that if malware or a hacker has got access to your machine in the first place, none of it matters. Even if you use strong passwords that you change often, don’t reuse them for different websites or services, and have a post-it note on your monitor, when you enter one of these passwords the hacker/malware can and will intercept it. If you change your password often, whatever has infected your machine in the first place does not require any password to stay on your machine, because it is exploiting some type of vulnerability. So no matter what password scheme you use, if you have a compromised machine, it does not matter.

So his point that writing them down is more secure is invalid there. But it is true that if you are using complex and ever-changing passwords, it is harder for people to try and ‘guess’ your password and log in to a service as you. This happens a lot in social networks. So much private information is disclosed about people that others take this information and try to use it to guess their way into your account. This is where writing down your password is a good idea (provided your machine is not infected or exploitable to start with).

So I thought I’d give some examples on ways people might be able to write down passwords without making it so obvious for anyone who walks by your computer.

In the old days when mobile phones were dumb, a good idea was to store your complex passwords in a file or a text message to yourself, somehow hidden within the message. If your phone was PIN protected, your password would be reasonably safe. With the evolution of smartphones, they are as vulnerable as, if not more vulnerable than, the current PC. So I would not recommend storing passwords on your phone unless you can hide them well.

One other method back in the day was to just write down your passwords and keep it in your wallet. What are the chances of someone stealing your wallet? Well, again, there is a chance.

No matter where you physically store your password (be it written on a post-it note on your monitor or a piece of paper in your wallet) there is a real chance others can see or get a hold of this. So the solution is simple. Obfuscation.

Security through obscurity is never a good thing. But I believe that it is perfect for physically hiding passwords/pass-phrases. You can store your passwords wherever you want, on your phone, in your wallet or on your desk, in plain view of everyone, but only you can read what the password actually is.

If someone opened my drawer and found a piece of paper that said “Login for XXX: molly3618”, then it is pretty obvious what it is.

If someone opened my drawer and found an old shopping list I made for the supermarket on Friday, would they think anything of it?

If someone went through my wallet and found a fuel receipt dated a few months ago, would they take any notice?

If someone opened up the Christmas card that was sitting on my desk, which was from my grandmother, would they think there was something sinister going on?

The answer for the last 3 questions is ‘no’. If somebody was rifling through my desk at work or at home trying to find where I had written down my passwords, they would glance over all of the above. The trick is to use long and complex passwords, or pass-phrases, which you derive from common, seemingly unnoticeable objects in the vicinity of your work area (or on your person). All you have to do is sit down with a pen and piece of paper, and come up with a technique that you will start using for your passwords. And make sure you play around with a few examples to make sure you remember it. This will be your ‘key’ to remembering passwords.

For example: I might decide to hide my passwords within a shopping list. I might decide that every third item on the shopping list is a piece of my password/pass-phrase. I might decide that after each word I will add a special character and a space. Once you have your system (key) memorised you can use it repeatedly on anything around you. I now know my own password technique, so to make another password for another site, I might take out the fuel receipt from my wallet. Every third word on it, plus a special character and a space after each word. The card from my grandmother, every third word with a special character and a space. You re-use your password technique (key) on anything to get a unique, fresh password each time. This is a form of cryptography. And it may be dangerous if your technique is too obvious, because all the attacker needs to do is figure out your technique (key) and they can determine (crack) what all of your passwords are. So some care needs to be taken. This is just one example; you are only limited by your creativity.
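The shopping-list scheme above, written out as a function so the derivation and its caveat can be checked. This is an added example and not code from the original post; the shopping list and the parameter ranges are constructed for illustration.

```python
import re
from itertools import product

# Constructed "shopping list" standing in for the innocuous note on the desk.
# It is sample text for this example, not the author's own list.
SHOPPING_LIST = """milk eggs bread
apples coffee butter
rice onions pasta
cheese tea honey"""

def derive_password(source_text, step=3, specials="!"):
    """Apply the post's scheme: take every `step`-th word of the text, append a
    special character to each chosen word (cycling through `specials` if more
    than one is given, as in the post's closing example) and join with spaces."""
    words = re.findall(r"[A-Za-z0-9']+", source_text)
    chosen = words[step - 1::step]          # 3rd, 6th, 9th ... word for step=3
    if not chosen:
        raise ValueError("source text has fewer than %d words" % step)
    return " ".join(w + specials[i % len(specials)] for i, w in enumerate(chosen))

def candidates_if_technique_known(source_text, steps=range(2, 6), specials="!@#$%^&*"):
    """The post's caveat, made concrete: once an attacker has guessed the
    technique and found the note, only the step and the special character
    remain secret. Returns how many distinct passwords that leaves to try."""
    return len({derive_password(source_text, s, c) for s, c in product(steps, specials)})

if __name__ == "__main__":
    print(derive_password(SHOPPING_LIST))                # bread! butter! pasta! honey!
    print(derive_password(SHOPPING_LIST, 3, "!@#"))      # bread! butter@ pasta# honey!
    print(candidates_if_technique_known(SHOPPING_LIST))  # 32
```

The second function is the point of the caveat: the note in plain sight is fine only while the technique itself stays secret, because the remaining choices are few enough to enumerate.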

Another example might be a print out from a technical book. ‘How to add ACLs to a Cisco Router’ (or something relevant to your profession). Having this pinned to your cubicle looks commonplace. You might have a few highlighted areas of text as most people would. These highlighted, or circled, areas of text could be part of a password. The biggest challenge is knowing WHAT website/service you are using for each password. This is also another layer of security.

If people understand your password key, they might not know what site it is for. You could deal with this in a variety of ways, such as scribbling down a keyword that indicates to you, and only you, which website this is for. For example, writing a scribbly note saying “note: don’t forget to check ebay for those skis!” on the bottom of your shopping list indicates that every third word in the shopping list is the password for your eBay account. A $ sign for your bank account. A doodle of a cartoon guy’s face for Facebook. The possibilities are endless. Provided you understand what it means and it is not obvious to anyone else, that is all you need.

You could just write a sentence or a random note or doodle, that reminds you which site or service this particular password is for. Again, this should be obvious to you, but nobody else. The trick here is hiding secrets within seemingly normal, common-place and unnoticeable objects.

There are unlimited ways you can obfuscate physically written secrets. You just have to use your imagination. The only ‘key’ you ever have to remember is how you derive your passwords. You could even have a poster hanging on your wall, provided you know that you use every third word (or whatever you decide on) then you will always know the password by looking at the poster.

As I stated before, if your computer has been compromised, any password you enter into the system, regardless of its strength and complexity, will get intercepted. So writing them down in secret messages has no impact on this. But let’s assume your PC is clean and free of any malware or viruses. And you have a fair few passwords you need to remember for your work login, banking website, social network, and you want a safe way of having complex and hard-to-guess passwords for each one which you can easily remember. Then I think that obfuscating your passwords is the way to go. Get creative.

I may or may not have this picture as my desktop background. Can you figure out my password and what website it may be for?

FACEBOOK: Adventures! Who@ Dragons#