This is purely hypothetical… un-proven, and simply my own mind at work. I have no stats to back up my claim, nor pretty graphs. I have not tried this, and will not try this. I am purely doing a brain dump and hope some people enjoy.
What I am about to discuss is nothing new. But the lack of user education on this matter has prompted me to try and explain why a tool like EvilGrade is so dangerous.
The ‘Local Administrator’ account on a Windows workstation is one of the scariest of all accounts. Not ‘scary’ as in it has more privileges than other accounts (Domain Administrator, NT Authority\System etc.), but ‘scary’ in the fact that it is often overlooked by System Administrators as being a huge security risk. The ‘risk’ of this account is that more often than not, every computer in a given network will have the same local administrator account (usually due to standardisation and SOE imaging throughout the company).
“So what? The local admin account on our network won’t get you any network resources. Every user’s profile on the domain is stored on the server, nothing is local and everything has correct access permissions. Even if an attacker got this password and logged in to a machine, they can’t do anything (and good luck installing a keylogger or some malware – we have Anti-Virus!)” – I hear some of you System Admins saying.
Not true. Not true at all. The local admin account, if an attacker can get it, is a very valuable and damaging weapon. In this post I will point out ways that an attacker can not only obtain the local admin account/password for a given network environment, but how they use it to penetrate your entire Windows Domain, gaining domain credentials along the way. (I previously wrote a post about a disgruntled IT employee using local admin to pilfer his boss’s bank account.)
Targeted spear phishing attacks exploiting client-side vulnerabilities have been on the rise for years. These types of attacks ‘trick’ an end-user into either visiting a malicious website or clicking on a malicious link (which may, or may not, appear to be legitimate).
I’ve seen this happen many a time. Each time is slightly different, because as a hacker, the possibilities are almost endless in the ways and methods you can use to pull off a successful attack. You are only limited by your creativity. (Or, THEY are, I should say *ahem*)
I recall a couple of years ago I was toying around with SMTP, and in particular Exchange and Lotus Domino. I noticed that even when the server is configured to not act as a relay, it still delivers internal messages, that is, to anyone on any of the domains it is configured for – WITHOUT authentication and just by using telnet and the SMTP commands.
I am assuming the reason for this is because you are actually sending an email from the SMTP server itself, not from a user account.
(And before I go on, I haven’t tried this for years, and I only tested a few different servers, so would love if you guys tested your own servers and let me know if it is still relevant)
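As an added example (not the author’s code) for testing your own server as the post asks: this Python check drives only the envelope phase of an SMTP session (EHLO, MAIL FROM, RCPT TO, then RSET and QUIT) without authenticating, so no message is ever submitted, and reports whether the server accepted an internal sender and internal recipient anyway. The hostnames, the example.com domain and the mailbox names are assumptions, and the scripted replies are constructed so the check runs offline.

```python
# Added example, not from the original post. It checks the behaviour the post
# describes: does an SMTP server accept an envelope for one of its own domains,
# with a sender on that same domain, from a session that never authenticates?
# The session stops before DATA, so nothing is queued or delivered.
import socket


def _parse_code(line: str) -> int:
    """Return the 3-digit reply code at the start of an SMTP reply line."""
    if len(line) < 3 or not line[:3].isdigit():
        raise ValueError(f"malformed SMTP reply: {line!r}")
    return int(line[:3])


class SocketTransport:
    """Real connection, for probing a server you administer (hostname is an assumption)."""

    def __init__(self, host: str, port: int = 25, timeout: float = 10.0):
        self.sock = socket.create_connection((host, port), timeout)
        self.rfile = self.sock.makefile("r", encoding="ascii", errors="replace", newline="\r\n")

    def send_line(self, line: str) -> None:
        self.sock.sendall((line + "\r\n").encode("ascii"))

    def read_reply(self) -> tuple[int, list[str]]:
        """Read one reply; continuation lines are 'CODE-text', the last is 'CODE text'."""
        text: list[str] = []
        while True:
            raw = self.rfile.readline()
            if not raw:
                raise ConnectionError("server closed the connection")
            raw = raw.rstrip("\r\n")
            code = _parse_code(raw)
            text.append(raw[4:])
            if len(raw) < 4 or raw[3] != "-":
                return code, text

    def close(self) -> None:
        self.sock.close()


class ScriptedTransport:
    """Offline stand-in: canned replies keyed by command verb (constructed data)."""

    def __init__(self, replies: dict[str, str]):
        self.replies = replies
        self.sent: list[str] = []
        self._next = "220 mail.example.com ESMTP ready"  # banner

    def send_line(self, line: str) -> None:
        self.sent.append(line)
        verb = line.split(":", 1)[0].split(" ", 1)[0].upper()  # MAIL, RCPT, EHLO...
        self._next = self.replies.get(verb, "500 command not recognised")

    def read_reply(self) -> tuple[int, list[str]]:
        lines = self._next.split("\n")
        return _parse_code(lines[0]), [ln[4:] for ln in lines]

    def close(self) -> None:
        pass


def probe_internal_delivery(transport, internal_domain: str,
                            sender_local: str = "ceo", recipient_local: str = "postmaster") -> dict:
    """Run EHLO / MAIL FROM / RCPT TO without AUTH and record what was accepted."""
    result = {"banner_ok": False, "advertises_auth": False,
              "sender_accepted": False, "recipient_accepted": False, "rcpt_reply": ""}
    try:
        code, _ = transport.read_reply()
        result["banner_ok"] = code == 220
        if not result["banner_ok"]:
            return result
        transport.send_line("EHLO probe.example.net")
        code, lines = transport.read_reply()
        result["advertises_auth"] = any(ln.upper().startswith("AUTH") for ln in lines)
        # Internal sender address: the spoofing case, not a relay attempt.
        transport.send_line(f"MAIL FROM:<{sender_local}@{internal_domain}>")
        code, _ = transport.read_reply()
        result["sender_accepted"] = 200 <= code < 300
        if result["sender_accepted"]:
            transport.send_line(f"RCPT TO:<{recipient_local}@{internal_domain}>")
            code, lines = transport.read_reply()
            result["recipient_accepted"] = 200 <= code < 300
            result["rcpt_reply"] = f"{code} {lines[0]}"
        transport.send_line("RSET")  # abandon the envelope; DATA is never sent
        transport.read_reply()
        transport.send_line("QUIT")
        transport.read_reply()
    finally:
        transport.close()
    return result


def spoof_risk(result: dict) -> bool:
    """True when an unauthenticated session could submit mail as an internal user."""
    return result["sender_accepted"] and result["recipient_accepted"]


# Constructed replies: a server behaving as the post describes...
LENIENT = {
    "EHLO": "250-mail.example.com\n250-AUTH LOGIN PLAIN\n250 SIZE 10240000",
    "MAIL": "250 2.1.0 Sender OK",
    "RCPT": "250 2.1.5 Recipient OK",
    "RSET": "250 2.0.0 Resetting",
    "QUIT": "221 2.0.0 Bye",
}
# ...and one that refuses any envelope until the client authenticates.
STRICT = dict(LENIENT, MAIL="530 5.7.0 Authentication required")

if __name__ == "__main__":
    for name, script in (("lenient", LENIENT), ("strict", STRICT)):
        r = probe_internal_delivery(ScriptedTransport(script), "example.com")
        print(name, "spoof risk:", spoof_risk(r), r)
    # Against your own host: probe_internal_delivery(SocketTransport("mail.example.com"), "example.com")
```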
In this day and age, I think most people are concerned with their cyber security more so than physical security. I’m not talking about the government or financial sectors, but the average day to day corporation (which is most of them out there).
They have alarm codes at the entrance. RFID swipe cards for building access. Security cameras and motion detectors. Cleaners make sure they lock doors and windows at night and the office manager is sure to be diligent in cancelling all access on the cards of employees who have left. This seems pretty standard, and seems perfectly secure.
The attitude of people is, “If somebody wants to break in, they can”. But then you are subscribing to the idea that your security is ‘good enough’ to stop and deter the average criminal, as opposed to the professional one.
This post is by no means comprehensive. It’s just observations by myself and some knowledge I’ve gained over the years. My recent CISSP study got me thinking about ‘Physical Security’ a bit more. I’ve always been security minded, as most of you readers probably are. But I felt there was no real resource explaining to regular people about some abhorrent weaknesses in common physical security which is actually relevant. Nothing new in here, just some thoughts that people might want to think about when implementing proper security controls in real world scenarios.
I just threw together a quick list off the top of my head of what I thought would be most relevant, and I also thought I’d include a couple of real examples of what I’ve done on site, albeit pretty mediocre! I will keep building on this list when I get time. Keep in mind, these are all simple, common methods. They might seem boring, but the fact that these attacks still work shows that people aren’t listening.
You get what you pay for when you install locks. I’m not skilled enough myself, but we all know people can pick locks. It’s not as easy as some let on (yes, I have dabbled in the past), although someone doesn’t need to be a master locksmith to pick a lock. A lock can also be broken into with a bump key, by hammering a screwdriver into the lock, by drilling it, or if you are a fan of DIY projects, the old thermal lance from the Anarchist’s Cookbook would see you through it in no time at all.
As I said, it is important not to cut corners on your budget for secure locks. Shop around.
Apart from a lot of locks actually being pickable, the biggest issue with them is that they can be jimmied open with strong metal objects. I was once speaking to a local police officer, and he said “Most break and enters are pretty simple, but are so effective and quick that you can’t do much about it”. And he was referring to crowbars. A suitably sized crowbar applied to a particular door or window could easily get it opened with the right leverage. And depending on the type of entry point, it can be made undetectable.
It’s a simple concept, but it is the easiest for an intruder to use, and I think it gets overlooked. The obvious solution? Pay the extra money and buy doors and windows with security in mind. Make sure they are strong and have steel frames, make sure they have solid deadbolts and ‘anti-shim’ locks. Make sure the hinges can’t be accessed from outside and the frame can’t be taken off.
[WARNING: I am about to ramble off into a story here]
I was tasked with testing the physical security of a block of offices years ago for a friend’s business (Don’t get any ideas, I don’t work for free…). Most access for the offices could be achieved from the ground floor. It was a two storey block backing onto a carpark and other businesses.
Every window in the building (ground floor and up) was a sliding window. They were metal on the outside frames and the actual locking mechanism was a metal ‘latch’ that, when the two windows are closed, is moved over to latch onto the other. So separating them is impossible without being able to do it from the inside.
Enter my $30 crowbar from Mitre10. It was roughly 75cm long. Reasonably thick and sturdy, but easily concealed inside a duffel bag or inside a jacket (you might have had to attend the Cronulla riots after the job, I don’t know). All that you had to do was place the flat end of the bar into the crack of the window (the left hand seal, where you would place your hand and pull right to open), then wiggle and force it in for a few seconds. Once you had the bar in as far as it would go, you’d slowly pull back on it, and then forward. You would have to do this pretty hard, but if you didn’t want to leave a trace, it had to be slow. As you pulled back more, the latch on the lock would actually start to bend. Once you hit a certain point, the force you were putting onto it combined with the bend in the latch would make it slip off the lock and the window would fly open. As the latch was metal, it would bend back into place after this, as you were only applying pressure for a moment.
Solution? Steel window frames with real locking mechanisms. Pay the extra money. There are tonnes of providers out there now that do really good security windows and doors for reasonable prices. Use some common sense really… if the lock on the window looks a little small or fragile, then it probably is.
Crowbars are also efficient at opening doors. Same principle. Pop the flat end into the crack of the door (around about where the lock is), and bend it back. Depending on the access you can get, type of door and leverage, it might be able to be popped open. Wooden doors are the worst for this. Make sure your doors are heavy and strong with no way for any foreign object to be wedged between the door and the frame.
Motion detectors are great… provided you place them in the right spot and know how to use them. Going back to the story above about gaining entry through the window of the ground floor office: as soon as I was inside the office, straight away I saw a motion detector up on the corner wall flashing with all 3 lights… the one being RED was not what you wanted to see. This triggered a silent alarm that went back to the security company. (I know this because I tested it out weeks earlier… more than once. It always took 10 minutes exactly for a guard to arrive and check the premises, and 10 minutes exactly for them to look around and leave again.)
So I was standing inside this office in the middle of the night, and the motion detector is flashing all types of bright LEDs. I have roughly 10 minutes to do what I need to do, right? Wrong. In my bag I had a roll of white masking tape. The sort of stuff you pack boxes with, it has the consistency of paper. I grabbed a chair, placed it under the alarm, stood up with my roll of tape and ripped off a square that fit perfectly over the sensor. I put a couple of layers on, replaced the chair, jumped back outside, closed the window and ran off to safety.
Looking at my watch, sure enough, 10 minutes later the security car drives into the premises. From the safety of the trees across the road, I watch him walk around with a flashlight. I see him go into the main office briefly, which would be to reset the alarm. I see him go to the area I was at. And I see him leave again.
So after a while, I go back to my window. Now I don’t have 10 minutes to get what I was after… I have all night. The sensor does not pick me up when I get back inside. The intruder could take this tape off when they leave, bringing the guard back a second time for no reason, or it could stay there until somebody finds it. More than likely it will be taken down and a guard will come back (unless they were stealing loads of equipment, in which case they might need more getaway time).
And this is a true story. But it isn’t a great example of motion sensor security and I know it has been used before. Guards should pick up on this. “Should” being the key word.
There is also a threat if somebody has access to your premises through the day… be it an employee or somebody pretending to be an electrician (more on that later). In old motion sensors, all you have to do is pop the cover off the detector, and you see a red and black wire. If you strip these and cross them together, it will no longer send an alarm back to base because you are looping the circuit, but they will not know it has been ‘deactivated’. It keeps the sensor alive, but breaks the ‘phone home’ function. I’m sure this is harder in more modern systems, but it takes decades for some places to change up physical security, and this was around back in the day, so it still is a real threat.
Another problem with motion detectors (which I could have exploited in this instance) is placement. Once inside the initial office, there was a corridor that went to other areas, more offices and finally upstairs. The office I entered was halfway down the hallway, probably 25 metres from the other end where the next motion detector was. Can motion detectors reach that far? These ones didn’t. The company assumed the sensor would pick up the entire length of the hallway, which is untrue. You need to test out the range and placement of these.
You normally don’t install security systems in your office yourself (that’s what you pay the security guys to do), but you do have to test them yourself. An easy way to test one is this: during the day, walk up to a sensor and you will see the lights go off… it is picking up rapid changes in the heat patterns in the environment (your body heat). Walk away… walk to the side… step back… see when the sensor stops picking up your heat. This is what criminals do. They may enter a premises under the guise of doing regular business, and test the motion detector on the way out.
There are other ways to beat motion sensors. Like the old soapy water on the lens trick (spray bottle or super soaker style), but this would be a similar and more awkward approach to the tape application, and more than likely the alarm will go off in the process. Moving super slowly so that the sensor doesn’t see a rapid change in heat within its viewing area is a popular one. Not the most efficient one, but we’ve all heard stories. Crawling along the ground under its field of view is also a popular one, and this actually works more often than people would like to think.
Solution? You need to make sure that your sensors actually cover the areas you want, and not just appear like they do. It sounds stupid I know, but have a look around your own place and see where the sensors are and how they work, and you might notice the potential that somebody could easily bypass them.
You could also invest your money in more secure types of ‘motion sensing’ systems. There is a wide range of technologies out there. Vibration sensors, magnetic pads, even James Bondesque laser beams. You have to weigh the cost against the value of the assets you are protecting. The standard motion detectors are fine PROVIDED you use them properly.
One thing that people get relaxed about is spare keys in the office. Or ANY key for that matter. On this particular job, I found a jar full of keys in one of the offices. It was in a top drawer of a desk, but it wasn’t locked. Even if the drawer had been locked, these locks are so easy to open that a 6-year-old with safety scissors could do it. In any case, I ended up testing the keys I found on various locks at the end of the building I was in, which led me to the discovery that one of them was the master key. No need for my crowbar anymore. Master keys have codes on them so they can’t be replicated down at the corner locksmith’s. But when dealing with criminals, it wouldn’t be too hard to have a contact that would do this on their behalf… or even have a machine themselves. And what about the key to one of the back offices? Surely no one would see that missing; I didn’t see a ‘do not copy’ imprint on this particular key. People would ask where the master key was, but the spare key to the back door? Maybe. Maybe not… As you can see, any entry way is an entry way. (Similar to ‘any hole is a goal’…)
Make sure to be diligent when controlling keys. If you lock a high value key in a drawer with a cheap lock, then you are defeating the purpose.
Security guards are great. Provided they do their job properly! Continuing on from the story above, I knew the routine of the guards. Apart from me knowing how long it took them to respond to my alarms, they did not come around regularly. They only came out when the alarm went off. It makes it very hard for bad guys to break in if you have security guards that show up at random intervals.
Criminals could visit your site every few nights of the week and set off the alarms on purpose. Then after 2 weeks of fake alarms, when the real alarm goes off, they may be less likely to respond. I know they have fallen for this before and it shouldn’t impact their routines, but security guards are humans after all. And humans are the biggest weakness in any security function.
Please make sure you get a reputable security company to not only install your security, but do the proper checks. Ask them what service you get. If you don’t agree with their service, go elsewhere. There are plenty of good security companies out there, it doesn’t mean you have to use the cheapest…
Well, won’t people that go around breaking into your offices be caught on the old CCTV? If you have it, then ‘probably’. But in the majority of places I’ve been, cameras are placed in ineffective locations. Sure, they give a view of a ‘high risk area’ like the main entrance, but what is behind that camera? So many times you will find somebody could sneak around behind or underneath it, and cover it with something, or stick something over it (masking tape??) before they even have to walk in front of it. And if this isn’t a high risk facility that has in-house guards watching the cameras in real time, nobody will respond.
Cameras are known as security deterrents (as they often deter criminals from committing an offence through fear of getting recorded). It is only a deterrent if the criminal can actually be identified. If nobody is watching these tapes then it doesn’t deter anyone from breaking in. Robbing a supermarket, maybe. But if nobody is watching, a camera can be easily covered, or a disguise would be worn. The tapes don’t usually even get viewed unless the next day they find the office has been robbed, or they come in early Monday morning and find their server room without any servers… That’s when the tapes get checked. (Remember, I am talking normal business here, not high risk facilities.)
And that brings me to the next thought. IP cameras. They are pretty awesome. If they are used right, that is. This borders on the realm of cyber security but is still relevant. I recall being at a client’s office auditing their systems, and I found that their IP camera system’s server only held recordings for 7 days. 7 days isn’t much at all. You might think that ‘if somebody committed a crime, 7 days of recordings is enough’. But no way. If the intruder knew how long you stored your tapes for, they could do something in the form of a social engineering attack. Make some bogus phone calls to the office, say something about building management or that they have been sent to check the fire extinguishers comply with safety regulations. Come into the office one day, pretend to be doing whatever it is they claimed to be doing, disable sensors, leave a window at the back of the office unlocked, plant hardware keyloggers, steal a sensitive laptop – all sorts of stuff. They could even plug in a Rogue Access Point under a desk if they were that way inclined. All types of things could be done to give more leverage to an intruder. But say Monday morning 2 weeks later, the company finds they have been robbed. They check the tapes and see a robber wearing a mask quietly cleaning out the office. As he is disguised, there isn’t much they can do. When the police ask ‘Was there anyone unusual around here lately?’, the office might mention the nice man who came to fix the lights a couple of weeks ago seemed a little out of place. ‘Well, when was he here? Can we see the CCTV footage?’… ‘Sorry, we only hold footage for 7 days…’.
Another thing with IP cameras. Like any other computer system, there is a potential they can be broken into. The sheer number of SOHO security cameras that have been wrongly configured and which you can view online through special search requests is scary. Doing a WHOIS lookup on the IP and some digging could give you the actual company and address that this camera is currently servicing. Shodan can illustrate how simple this actually is: http://shodanhq. Do we really need more criminals finding their prey this easily? You want to make it harder for the bad guys, not easier.
I still think the percentage of HID contactless smart cards in Australia is around 90% (I did read the figures somewhere a couple of years ago). You know when you work in an office building, and you more than likely have a white card that you swipe to gain entry? The one with HID written on it? They can be cloned pretty easily by products from vendors such as http://proxmark.org/proxmark. If somebody had one of these readers in their backpack, they could easily walk up behind you on the street… or while you are having a few after work drinks at the pub. Or perhaps when you put your wallet down for a minute. It just takes a second of getting close to you, and your card could be stolen. Social engineering could come into play here, but regardless of the method used to obtain it, the point is they can be cloned. If a criminal wanted access to a sensitive area of the business… they could follow the CEO out of the office one day, or the IT manager even.
Cloning the card (putting the reader in close enough proximity to the victim’s card) copies the data onto the device, and it can then be written to a new card. This new card will have the same access as the one that was just cloned. All the facility security logs will see is that the other person’s card was used for entry at a certain time (which may land them in hot water depending on what happens after a successful intrusion).
If you work in a large office building, with different companies on different floors, who has a swipe card that can get into every office and every company? Come on, guess… it’s really quite simple and very scary. Probably the least security-conscious person of them all… the humble cleaner.
Cleaners are employed by the building to clean the offices. Not necessarily just the company’s offices, but the entire building. Depending on what building you work in, they could have access to all areas, or just designated spots. Around 5.30pm you see flocks of them start to make their rounds around the office for their nightly shifts. Their cards are usually hanging off their waist as well. This is the low hanging fruit. Cloning a card that is ‘access all areas’!? Not dissimilar to Willy Wonka’s golden ticket.
How do you defend against your card being cloned? You could purchase something like an RFID shield to issue to all employees. This might be cumbersome as employees would need to take the cards out of the protective jackets every time they enter an area. But it is that sweet spot in the balance of security and productivity you are after. You decide how important your assets are, and decide accordingly. http://www.rfid-shield.com/
You should also be diligent in card management. Make sure cards are deactivated when lost or stolen. Make sure that no employee has after hours access if it is not a job requirement (think the principle of least privilege, but for the physical world).
Server Rooms/Data Centres
If data is of high importance, it will no doubt be stored in a secure Data Processing Facility (this may be with a third party, and may be complete with biometrics and ‘proper’ access controls). But what about the regular run-of-the-mill company? Your data is just as important to you as anybody else’s is to them. These types of companies often don’t have the budget, or knowledge, for proper physical security.
Server rooms are a gold mine, for all sorts of reasons and for all sorts of intruders. If somebody snuck into one, they could install a tap device to capture traffic entering and leaving the entire organisation, they could install a rogue AP on the sensitive and protected ‘server VLAN’, they could even load a bootkit onto your servers and have access from the comfort of their own home, stealing confidential information and having access to everything in your company while they sit back and drink lattes. They could steal, they could sabotage, they could do anything to the central nervous system of your organisation. It is the last place you want unauthorised people to access.
One thing I learnt while studying the CISSP Physical Security domain, apart from having layered security zones in your facility protecting your holiest of assets (think a physical maze of walls and offices, each one slowing down an attacker from reaching the gold mine in the middle – which is your server room), is that dropped ceilings are bad. As you can see from this picture.
It had never occurred to me before and I don’t know why, but the MAJORITY of places I have worked had dropped ceilings. It is pretty simple for somebody to remove one of those panels somewhere else in the building and crawl across. It might be unlikely, but again, how important is your data to you? More importantly, how important is your data to somebody else?
It’s also good practice to have a sign-in form for server rooms, and to accompany any individuals entering your room. Preferably your server room should have strong glass walls so everyone in the department can see who or what is inside at any given time. CCTV inside also wouldn’t be a bad idea to back up your physical security controls. It gives you an audit trail too: if one of the administrators used the shared domain admin account and stuffed up the Exchange database from the console, the camera footage could be correlated with the timestamps in your logs.
I’ve been in so many places where all they had was a swipe card for server room access (read above on cloning), with the server rooms not even located near any IT teams, just the general staff population. Do you think any non-IT staff member would care if somebody walked in with overalls and a toolbox and swiped their way into the server room? Nope.
Protecting your data in transit
How about your data when you travel? You might have a full disk encryption solution on your company laptop. You might need to take it with you on business. You leave it in a hotel room when you go out for dinner perhaps. How secure are these hotels? If you had mission critical files on your laptop which was in your hotel room, how much confidence would you have that nothing on there could be taken? I can’t speak for all hotels, or even hotels overseas, but all of the hotels I’ve stayed in have no CCTV in the actual hallways. Only at elevator entrances and main thoroughfares. If your laptop went missing from your room… there would be no realistic way of tracking down who did it (by looking over the CCTV footage). And worse yet, if your hard drive was cloned you wouldn’t even know.
How could somebody break in to your room undetected? Simple! A perfectly shaped piece of metal or aluminium can be used to unlock most doors from the outside. One of these could fit inside a suitcase or carry bag. (Here is a video demonstrating this technique)
“So who cares if someone breaks into my room or steals my laptop!” I hear you protest. Well, someone could (1) clone your drive, taking the copy away and bypassing all authentication and encryption, (2) do it on the spot, or (3) just steal it and break through it elsewhere. How would somebody do this? Some of the most popular full disk encryption software packages (looking at you, TrueCrypt and PGP) can have their entire encryption and local authentication bypassed using a bootloader like “Stoned Bootkit” or the dreaded ‘Evil Maid’ attack. A bootkit could be run by booting the laptop off the bootkit CD or USB stick.
This all might sound a little far-fetched and like too much effort for somebody to go through to get your files. If they succeed, you might say “Kudos to them, they deserved it”. Truth is, none of this is really that hard. It’s all very basic stuff. Mid-level criminals can and do pull this off. And again, how much is someone willing to pay for YOUR data?
One thing you could do is take a laptop cable lock with you when you travel, which can secure your device to a solid foundation, preventing most people from being able to steal it. They could still cut through it, yes, but slowing down or deterring an attacker is better than nothing at all.
Another technical control your laptop should have is a BIOS password, and the boot order should not be changeable. Sure, the BIOS password can be cracked, but in most cases it involves opening up the device, and the criminal may not have enough time to do this. Stealing the drive or cloning it might be the only option for them. So this might be a wake up call to not store data locally. If you do need local data when you travel, consider fully (hardware) encrypted USB sticks (IronKey are great) and store your data there. Make sure you do not lose it though! These drives can securely destroy themselves automatically if they get into the wrong hands. But we want to prevent that from happening to start with.
User awareness is paramount for security. Both physical and technical. You need to inform and train all staff on proper security procedures and why they are needed. You have to do it in an interesting way also, or they won’t listen. One thing I think is a good idea, is to get a piece in the monthly newsletter (or whatever) for Information Security matters. But make it relevant to the users. People are actually interested in being more secure, it is how you deliver it to them which can cause the heartache.
One month do a write-up on ‘how to stay secure on Facebook’ and ‘how to protect your bank account from being hacked’ etc., and link the technologies and concepts to business systems and why it needs to be done. Staff love reading a little creative snippet about how a social engineer can infiltrate a company and sneak out data… and the lessons start to be learnt from within. You also want to reward users for good behaviour and make them proud to work for you. There is nothing worse than disgruntled employees. They are more dangerous than the criminals we are trying to defend against.
Everything I have posted is just for general awareness. Most people know these techniques; as I said, “it is nothing new”. I tried to steer away from getting too geeky and just keep things simple. I also wanted to steer clear of the general mundane foundations of physical security and actually put in some relevant and useful information. I could have gone on forever if I had started combining different social engineering attacks with physical penetration. And one thing to keep in mind: the controversy over performing client-side pentests? This content is highly relevant and just shows why these sorts of tests need to be conducted for businesses to keep them safe.
Hope you enjoyed, and I hope someone at least learnt how to be more secure from this.
Here in Australia, a number of large and popular ISPs use the same username and password for your ADSL/Broadband connection as they do for the customer’s ISP website/webmail/account page.
For example, if you sign up for ADSL2+ on an affected carrier, they ask you what ‘account name’ you want. They generally give you a password. This is what you enter into your modem/router to connect to their service. This same username and password is what you’d use on their website to gain access to webmail or to check your account usage, update contact details and view banking and invoice information. These online services allow you to change that password without affecting your internet connection, but the majority of people don’t do this. The majority of people don’t even log in to their ISP’s webmail or account page unless they need to update some details.
Why is this so dangerous? Most of the passwords they provide are pretty random and cryptic. They should be more safe than say… letting the customer choose a password of ‘molly123’ yeah? Well yes… and NO.
Enter wireless security. I am going to go out on a limb and say 85% of people don’t change their wireless router’s default password (from in-the-field experience). Most people don’t touch it once it has been set up initially. If you are running WEP, or using WPA/WPA2 with a weak password (yes, WPA2 PSK can be cracked as easily as WEP if your password is not strong), and if you HAVEN’T changed your router’s default password… AND if you are signed up with an ISP that uses the same authentication for your internet service as they do for their online service website, then your account details can be compromised. (There are a lot of IFs and BUTs here, but surprisingly enough, this is the case for a lot of users.)
The way in which your account can be compromised is so easy, and so stupid, that it may just make you decide to log in to your ISP’s website and change those passwords after reading this article.
Enter the beauty of Firefox add-ons: https://addons.mozilla.org/en-US/firefox/addon/10174/
This add-on unmasks the asterisks (*******) in a password field. On modems/routers, such a field is found in the Internet Connection settings (and in the VoIP settings, if the modem provides that service).
This is a screen dump of a compromised router. The user did not have a strong WPA pass key and it was easily cracked. They also didn’t change the default router password from ‘admin’ because they thought WPA was secure enough.
From here the attacker logs into the router and finds the section where the ISP is asking for a username and password for Internet Connectivity.
With the Firefox plugin installed, the attacker just hovers over the password and voila!
What can be stolen? Your personal account information, including name, phone number, address, credit card or direct debit information (limited, but still available), VoIP call records etc. People can use this information to aid in identity theft, or leverage it to gain access to other services, accounts and websites you may use.
Now you may be saying to yourself, “what’s the big deal?”. Yes, if an attacker has gotten onto your wireless network, they could be sitting there running a sniffer, capturing MORE sensitive information. They may perform a sex-sandwich attack (man-in-the-middle style) or they may find a way to exploit and take over any PC on the network. These things take a little time. Hovering over a password to steal it, and using that to log in to a personal accounts page where A LOT of information is divulged, takes just a minute. And the information on that page can and will be used against you in a court of 0wnage.
How to avoid?
Simple. STRONG WPA2 authentication (AES/CCMP at a minimum) with a LONG and random passphrase. Change the default password for your router to something complex. Add the usual wireless security tips and tricks: MAC address filtering, rotating pass-keys, DHCP disabled, an obscure subnet etc. And finally, change your online account settings with your ISP to use different login credentials from the ones used on your modem/router.
Thing is, most people don’t know that someone is sitting there using their wireless connection. They only find out when their connection reaches its bandwidth cap, slows down, or they get a large bill. THAT’S when the user will think “what the hell… I think someone is stealing my internet”. They will then change their security, or even disable wireless. This won’t happen if the attacker has access to your ISP account page and can look at your bandwidth usage and what ADSL plan you are on. They can use your connection freely without tipping you off, because they know how much bandwidth they can get away with before someone notices.
I didn’t think this deserved a new post. But after writing this, I have discovered another way that this type of attack can be performed. (It isn’t really a discovery, but in the interest of educating users, it should be said.)
Depending on the settings on your home modem, there is a strong chance that entering your public IP address into a browser will bring up the management interface of your modem, WITHOUT having to go through the wireless hacking method mentioned above.
To do this, people could use the website http://shodanhq.com to search for popular modem names. This will reveal modems with port 80 open. You can also limit your searches by country. A simple search for ‘netgear country:AU’ brings up hundreds of results. Most of them can be accessed with the default password. And again, the majority of these allow you to view the ISP password using the Firefox plugin. This would be a gold mine for people trying to harvest personal information, which could easily lead to identity theft. Secure your routers, people.
It has just been discovered that some Linksys routers have a vulnerability where the administration password is displayed in clear text. The affected router is the Linksys WRT54G, firmware version v7.00.
This doesn’t seem like too much of an issue. But if you have changed the default admin password (as you should) and someone cracks your wireless (which may be your weakest point of entry), they can discover your router’s password, enabling them to carry out the techniques above.
If you have one of these routers, update the firmware to a later version.
PRESTONS is a fairly large law firm in Sydney. Their list of high-end clients is as long as it is impressive. During the latest financial crisis, PRESTONS hasn’t been getting as many clients as budgeted for, so the company’s executives have been forced to make some cuts in order to turn a profit.
Jeremy is the desktop support guy for PRESTONS. He has been there for 5 years, and knows how to look after the company’s systems back to front. Jeremy was told recently by his boss, Max, that he will have to start taking 1 day of unpaid leave a week. Jeremy isn’t the only one affected by this, but as he has just purchased a new moped to cruise around the city on, he fears he won’t be able to keep up the repayments. Both disgruntled and hurt by the fact that the company he has worked for so long has seemingly disregarded his years of hard work and contribution, Jeremy seeks revenge.
Max is the CIO of PRESTONS. He hasn’t worked there for too long, but has found himself being the bearer of bad news for his small IT department. There is a bit of tension in the camp due to the pay cuts, but it seems Jeremy is the one who just can’t accept it.
One day at lunch, Jeremy overheard Max talking to the CEO. Apparently Max was getting a pay rise for his fine work in cutting the IT budget in half and reworking IT operations. This fired Jeremy up. Why is it that he is getting shafted while his new boss is getting rewarded? Jeremy decides that Max will be the outlet for his payback.
One morning in the office, Jeremy pops his head up over the partition and yells out to Max…
“Hey boss, did we get paid early? The company has put money into my account; I didn’t think we got paid until Thursday?”
Slightly annoyed by Jeremy’s interruption, Max continues his email to a customer, calling out “Umm I don’t know… I’ll check in a minute”
Human predictability is just so… predictable.
Jeremy sits back and waits a few minutes, peeking up over the partition to look at Max’s screen… waiting for his bank’s website to pop up.
Five minutes later, Max has finished his email, takes a swig of coffee, fires up Firefox and logs into his bank.
The only thing Jeremy needs to know to pull off this attack is the local administrator login and password. As he is the desktop support guy, he knows what this is. Even if he did not know the local admin credentials, he could still pull off this attack (see the end of the post for more details).
Max opens up Firefox and logs in to his bank account. Jeremy can see the bank logo appear on Max’s screen from where he is sitting. This is how Jeremy knows it’s time to pull off the attack. As soon as Max has logged into the bank, his credentials are ready to be stolen. (Jeremy doesn’t have to sit there and watch Max’s screen; he can use other ways. He just needs to know that Max is logged into his bank at this time – or any other website Jeremy might want to steal credentials for.)
Jeremy has downloaded a couple of small Windows tools which allow you to 1. execute commands on a remote computer and 2. view and dump a Windows process. Combining the two tools, Jeremy can find out what process ID (PID) Firefox is using on Max’s computer. He then executes a command to dump Firefox’s memory. (These tools can be found at the end.)
So what has happened here is this: when Max logged into his bank, Firefox (or any browser for that matter) temporarily cached his password for that session. It is stored in the browser’s memory until the entire process is closed (not just the tab) or the SIGN OUT link is used on the bank’s site. So when Jeremy dumps the memory of Max’s browser while Max is logged in, the password is captured in clear text!
Jeremy saves the memory dump to Max’s C: drive and copies it back to his own PC for analysis using Windows file sharing and the UNC path (you can also dump the file directly to a share you have set up on your own PC so nothing is left on the victim’s machine).
He now has the memory dump on his PC, and has to sift through the data to find the bank login. You can use this method to find ANY password in cleartext for a site the victim is currently logged in to: Gmail, Facebook, Twitter etc. You just need to know ‘what’ to search for. Jeremy uses WinGrep to search through the file because it has good search functionality and can handle large files.
Jeremy started by searching for the bank’s name. He found hundreds of entries, so this will obviously take a while. He played around a little with searching for the bank’s name together with ‘USERID=’ and ‘&PIN=’ and eventually… found it.
That is that! Jeremy knew the name of the bank because 1. he saw the logo on the screen, but even if he hadn’t, all Jeremy would have to do is casually ask Max one day what bank he uses, because he is thinking about swapping banks since his pay goes in a day late. Too easy really. And that’s only if you’re lazy: just searching through the dump file for ‘USERID’ eventually turns up what you are looking for.
Jeremy cleans out Max’s account over a few days and can now afford to ride his pride and joy…
… Although Jeremy wasn’t the smartest hacker out there. It didn’t take Max long to figure out what happened, with the bank looking at which account his money vanished to…
Now this attack was very simple. All it does is illustrate how easy it can be for someone within a company with local admin rights to steal all of your credentials. This doesn’t just work for browsers, but for any service that is running. What makes this more interesting is that you don’t really need admin rights on the victim’s PC. You could get in early one morning and boot up their PC with a CD or USB containing the bootkit ‘Kon-Boot’: http://www.piotrbania.com/all/kon-boot
Kon-Boot bypasses local Windows authentication. You boot it up, it takes a few seconds, then the usual login screen appears. You can then remove the external media and nobody will realise. They will log in to the computer/network as normal. Thing is, everything that requires local authentication gets bypassed. So you can pull off the above attack even without local admin rights; you just have to have physical access to their PC.
There are obviously a wide array of attack methods for doing things like this, keyloggers being the main one. But there is more chance of a keylogger being detected. This method is pretty hard to detect if you aren’t actively looking for it.
In this example, Max was using a fully patched version of Windows 7 and a fully patched version of Firefox. It isn’t a flaw in the application’s security because nothing was exploited. Legitimate tools were used in an illegitimate way.
It has been observed that some websites encrypt these session passwords, but if you want to test it yourself, dump your browser’s memory and search it for one of your passwords. You will be scared at how many times it appears in cleartext.
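An added example for that self-test (my own code, not the author’s tools, and the bytes below are a constructed stand-in rather than a real memory image): given a dump file and one of your own passwords, it reports every offset where the password occurs, checked both as ASCII and as the UTF-16LE that Windows applications often hold strings in, and lists any form-encoded fields such as USERID= or PIN= with their values masked so the report itself never reprints a secret.

```python
import re
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed stand-in for a process memory dump; not a real image.
SAMPLE_DUMP = (
    b"\x00\x00GET /login HTTP/1.1\r\nHost: bank.example\r\n\x00\x00"
    b"USERID=max.preston&PIN=correct-horse\x00\x00"
    b"\x7f\x00junk USERID=max.preston&PIN=correct-horse more\x00"
    b"unrelated text with no secret in it\x00"
)

# Form-encoded credential fields as they appear in a posted login form.
FORM_CRED_RE = re.compile(
    rb"(?i)(userid|username|user|pin|password|passwd|pwd)=([^&\s\x00]{1,64})"
)

def find_secret(dump: bytes, secret: str) -> List[int]:
    """Byte offsets where `secret` occurs, checked as ASCII and UTF-16LE."""
    hits = []
    for needle in (secret.encode("ascii"), secret.encode("utf-16-le")):
        pos = dump.find(needle)
        while pos != -1:
            hits.append(pos)
            pos = dump.find(needle, pos + 1)
    return sorted(hits)

def find_form_credentials(dump: bytes) -> List[Tuple[str, str]]:
    """Distinct (field, value) pairs that look like posted credentials."""
    found = []
    for m in FORM_CRED_RE.finditer(dump):
        pair = (m.group(1).decode().lower(), m.group(2).decode(errors="replace"))
        if pair not in found:
            found.append(pair)
    return found

def mask(value: str) -> str:
    """Keep only the first character so the report never reprints a secret."""
    return value[:1] + "*" * (len(value) - 1)

def audit_dump(dump: bytes, secret: str) -> Dict[str, object]:
    """Summarise how exposed `secret` is inside `dump`."""
    offsets = find_secret(dump, secret)
    fields = [(f, mask(v)) for f, v in find_form_credentials(dump)]
    return {"secret_hits": len(offsets), "offsets": offsets, "fields": fields}

if __name__ == "__main__":
    import sys  # usage: python audit.py <dump file> <password>; else the sample runs
    if len(sys.argv) == 3:
        data, pw = Path(sys.argv[1]).read_bytes(), sys.argv[2]
    else:
        data, pw = SAMPLE_DUMP, "correct-horse"
    report = audit_dump(data, pw)
    print(f"password found {report['secret_hits']} time(s) at {report['offsets']}")
    for field, shown in report["fields"]:
        print(f"form field {field}={shown}")
```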
Ways to avoid this happening to you:
The only real way to prevent this is to have proper access rules set up throughout the organisation. Don’t give employees access to perform tasks they do not need for their job. Even then, if you have locked-down policies on your workstations, anybody can bypass local authentication on their own PC (to install nasty tools) and on YOUR PC by using one of the many bootkits out there. Best thing to do? Lock down the BIOS so that no external media can be booted from without proper authentication. And again, if you have an IT support guy in the company, he will need to know these credentials for his daily duties, so all I can say is… keep your employees happy.
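Since the post notes this method is hard to spot unless you are looking for it, here is an added detection example (my own, not from the original post). It assumes a Sysmon-style ProcessAccess (Event ID 10) feed flattened to key=value lines and flags any process that opens a browser with PROCESS_VM_READ rights, which a memory-dumping tool needs, while ignoring the browser opening its own child processes and a small allowlist of Windows components that you would tune for your environment. The log lines are constructed.

```python
from typing import Dict, List

# Constructed Sysmon-style Event ID 10 (ProcessAccess) records; not real telemetry.
SAMPLE_EVENTS = """\
UtcTime=2024-01-01 09:02:11|SourceImage=C:\\Windows\\System32\\csrss.exe|TargetImage=C:\\Program Files\\Mozilla Firefox\\firefox.exe|GrantedAccess=0x1400
UtcTime=2024-01-01 09:05:40|SourceImage=C:\\Users\\jeremy\\tools\\dumptool.exe|TargetImage=C:\\Program Files\\Mozilla Firefox\\firefox.exe|GrantedAccess=0x1FFFFF
UtcTime=2024-01-01 09:06:02|SourceImage=C:\\Program Files\\Mozilla Firefox\\firefox.exe|TargetImage=C:\\Program Files\\Mozilla Firefox\\firefox.exe|GrantedAccess=0x1FFFFF
UtcTime=2024-01-01 09:07:15|SourceImage=C:\\Windows\\System32\\svchost.exe|TargetImage=C:\\Windows\\System32\\notepad.exe|GrantedAccess=0x1010
"""

PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory
BROWSERS = {"firefox.exe", "chrome.exe", "iexplore.exe", "msedge.exe"}
# Example allowlist of Windows components that routinely open other processes;
# tune this for your own environment.
ALLOWED_SOURCES = {"csrss.exe", "lsass.exe", "wininit.exe"}

def parse_event(line: str) -> Dict[str, str]:
    """Split 'k=v|k=v' into a dict; values may contain spaces or backslashes."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def basename(image: str) -> str:
    """Lower-cased file name from a Windows path."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()

def is_suspicious(ev: Dict[str, str]) -> bool:
    """True when a non-allowlisted process opens a browser with read access."""
    src = basename(ev.get("SourceImage", ""))
    tgt = basename(ev.get("TargetImage", ""))
    if tgt not in BROWSERS or src == tgt or src in ALLOWED_SOURCES:
        return False
    granted = int(ev.get("GrantedAccess", "0x0"), 16)
    return bool(granted & PROCESS_VM_READ)

def detect(events_text: str) -> List[Dict[str, str]]:
    """Return the events that look like a memory read of a browser process."""
    events = [parse_event(line) for line in events_text.splitlines() if line.strip()]
    return [ev for ev in events if is_suspicious(ev)]

if __name__ == "__main__":
    for ev in detect(SAMPLE_EVENTS):
        print(f"{ev['UtcTime']}: {ev['SourceImage']} opened {ev['TargetImage']} "
              f"with {ev['GrantedAccess']}")
```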