What I am about to discuss is nothing new. But the lack of user education on this matter has prompted me to try and explain why a tool like EvilGrade is so dangerous.
The ‘Local Administrator’ account on a Windows workstation is one of the scariest accounts of all. Not ‘scary’ in that it has more privileges than other accounts (Domain Administrator, NT AUTHORITY\SYSTEM etc.), but ‘scary’ in that System Administrators often overlook what a huge security risk it is. The risk is that, more often than not, every computer in a given network has the same local administrator account and password (usually due to standardisation and SOE imaging throughout the company). Obtain that password from one workstation and you have it for all of them.
“So what? The local admin account on our network won’t get you any network resources. Every user’s profile on the domain is stored on the server, nothing is local and everything has correct access permissions. Even if an attacker got this password and logged in to a machine, they couldn’t do anything (and good luck installing a keylogger or some malware – we have Anti Virus!)” – I hear some of you System Admins saying.
Not true. Not true at all. The local admin account, if an attacker can get it, is a very valuable and damaging weapon. In this post I will point out ways that an attacker can not only obtain the local admin account and password for a given network environment, but also how they use it to penetrate your entire Windows Domain, gaining domain credentials along the way. (I previously wrote a post about a disgruntled IT employee using local admin to pilfer his boss’s bank account.)
Targeted spear phishing attacks exploiting client-side vulnerabilities have been on the rise for years. These types of attacks trick an end user into either visiting a malicious website or clicking on a malicious link (which may, or may not, appear to be legitimate).
I’ve seen this happen many a time. Each time is slightly different, because as a hacker the possibilities are almost endless in the ways and methods you can use to pull off a successful attack. You are only limited by your creativity. (Or THEY are, I should say *ahem*)
I recall a couple of years ago I was toying around with SMTP, in particular Exchange and Lotus Domino. I noticed that even when the server is configured not to act as a relay, it still delivers internal messages, that is, to anyone on any of the domains it is configured for – WITHOUT authentication, using nothing more than telnet and the SMTP commands.
I am assuming the reason for this is that you are actually sending an email from the SMTP server itself, not from a user account.
(And before I go on, I haven’t tried this for years, and I only tested a few different servers, so I would love it if you guys tested your own servers and let me know if it is still relevant.)
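As an added example (my own code, not from the original post), here is a Python script that performs the telnet-style dialogue described above and reports whether the server accepts a recipient on one of its own domains from a client that never authenticates. It stops at RCPT TO and never sends DATA, so nothing is actually delivered. The sender and recipient addresses, the HELO name and the two scripted server transcripts are constructed for illustration; only run the live probe against servers you are authorised to test.

```python
"""Probe whether an SMTP server accepts mail for its own domains without AUTH.

Walks the dialogue only as far as RCPT TO and never sends DATA, so the
transaction is abandoned with RSET and nothing is delivered.
"""
import io
import socket

# Assumed values for illustration only: an outside sender the server does not
# host, and a recipient on a domain the server does accept mail for.
SENDER = "probe@outside.example"
RECIPIENT = "someone@corp.example"
HELO_NAME = "probe.local"


def read_reply(rfile):
    """Read one SMTP reply, which may span several lines.

    RFC 5321: "250-text" means more lines follow, "250 text" (or a bare code)
    ends the reply. Returns (code, [text of each line]).
    """
    texts = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("utf-8", "replace").rstrip("\r\n")
        texts.append(line[4:])
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), texts


def send_cmd(rfile, wfile, command):
    """Send one command line and return the server's reply."""
    wfile.write((command + "\r\n").encode("ascii"))
    wfile.flush()
    return read_reply(rfile)


def probe(rfile, wfile, sender=SENDER, recipient=RECIPIENT, helo=HELO_NAME):
    """Return a dict of the reply code at each step plus the verdict."""
    result = {}
    result["banner"], _ = read_reply(rfile)
    result["ehlo"], ehlo_lines = send_cmd(rfile, wfile, f"EHLO {helo}")
    # A server can advertise AUTH and still not require it for local domains.
    result["auth_offered"] = any(t.upper().startswith("AUTH") for t in ehlo_lines)
    result["mail_from"], _ = send_cmd(rfile, wfile, f"MAIL FROM:<{sender}>")
    result["rcpt_to"], _ = send_cmd(rfile, wfile, f"RCPT TO:<{recipient}>")
    # 250/251 = recipient accepted; 530/550/554 usually mean auth required or
    # relaying denied.
    result["accepts_internal_without_auth"] = result["rcpt_to"] in (250, 251)
    send_cmd(rfile, wfile, "RSET")   # abandon the transaction: nothing is sent
    send_cmd(rfile, wfile, "QUIT")
    return result


def probe_host(host, port=25, **kwargs):
    """Run the probe against a live server (only with permission)."""
    with socket.create_connection((host, port), timeout=15) as sock:
        with sock.makefile("rb") as rfile, sock.makefile("wb") as wfile:
            return probe(rfile, wfile, **kwargs)


def probe_transcript(server_replies):
    """Offline harness: run the probe over a scripted server transcript.

    Returns (result, bytes the client sent).
    """
    sent = io.BytesIO()
    result = probe(io.BytesIO(server_replies), sent)
    return result, sent.getvalue()


# Constructed transcript: a server that advertises AUTH yet accepts an internal
# recipient from an unauthenticated client (the behaviour described above).
PERMISSIVE_SERVER = (
    b"220 mail.corp.example ESMTP\r\n"
    b"250-mail.corp.example\r\n"
    b"250-SIZE 10240000\r\n"
    b"250 AUTH LOGIN PLAIN\r\n"
    b"250 2.1.0 Sender OK\r\n"
    b"250 2.1.5 Recipient OK\r\n"
    b"250 2.0.0 Resetting\r\n"
    b"221 2.0.0 Bye\r\n"
)

# The same server configured to demand authentication first.
STRICT_SERVER = PERMISSIVE_SERVER.replace(
    b"250 2.1.5 Recipient OK", b"530 5.7.0 Authentication required")

if __name__ == "__main__":
    for name, transcript in (("permissive", PERMISSIVE_SERVER), ("strict", STRICT_SERVER)):
        verdict, _ = probe_transcript(transcript)
        print(name, verdict)
```

The offline harness exists so you can see the exact command sequence before pointing `probe_host()` at a real mail server; compare the `rcpt_to` code you get back against the two scripted cases.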
Script Kiddie: A (usually amateur) hacker who compromises files on others’ computers or launches attacks on computer systems, using widely distributed computer programs or scripts, rather than using their own unique programs or scripts – en.wiktionary.org/wiki/script_kiddie
It might be unfair to pick on Microsoft and Apple here. It’s not all their fault, but they aren’t helping situations for our beloved script kiddies.
In this day and age, I think most people are more concerned with their cyber security than with their physical security. I’m not talking about the government or financial sectors, but the average day to day corporation (which is most of them out there).
They have alarm codes at the entrance. RFID swipe cards for building access. Security cameras and motion detectors. Cleaners make sure they lock doors and windows at night and the office manager is sure to be diligent in cancelling all access on the cards of employees who have left. This seems pretty standard, and seems perfectly secure.
The attitude of people is, “If somebody wants to break in, they can”. But that is subscribing to the idea that your security is ‘good enough’ to stop and deter the average criminal, as opposed to the professional one.
This post is by no means comprehensive. It’s just observations by myself and some knowledge I’ve gained over the years. My recent CISSP study got me thinking about ‘Physical Security’ a bit more. I’ve always been security minded, as most of you readers probably are. But I felt there was no real resource explaining to regular people some abhorrent weaknesses in common physical security that are actually relevant. Nothing new in here, just some thoughts that people might want to think about when implementing proper security controls in real world scenarios.
I just threw together a quick list off the top of my head of what I thought would be most relevant. I also thought I’d include a couple of real examples of what I’ve done on site, albeit pretty mediocre! I will keep building on this list when I get time. Keep in mind, these are all simple, common methods. They might seem boring, but the fact that these attacks still work shows that people aren’t listening.
You get what you pay for when you install locks. I’m not skilled enough myself, but we all know people can pick locks. It’s not as easy as some let on (yes, I have dabbled in the past), although you don’t need to be a master locksmith to pick a lock. A lock can also be broken into with a bump key, by hammering a screwdriver into the lock, by drilling it, or if you are a fan of DIY projects, the old thermal lance from the Anarchist’s Cookbook would see you through it in no time at all.
As I said, it is important not to cut corners on your budget for secure locks. Shop around.
Apart from a lot of locks actually being pickable, the biggest issue with them is that they can be jimmied open with strong metal objects. I was once speaking to a local police officer, and he said “Most break and enters are pretty simple, but are so effective and quick that you can’t do much about it”. He was referring to crowbars. A suitably sized crowbar, applied to a particular door or window with the right leverage, could easily get it open. And depending on the type of entry point, it can be done undetectably.
It’s a simple concept, but it is the easiest for an intruder to use, and I think it gets overlooked. The obvious solution? Pay the extra money and buy doors and windows with security in mind. Make sure they are strong and have steel frames, and make sure they have solid deadbolts and ‘anti-shim’ locks. Make sure the hinges can’t be accessed from outside and the frame can’t be taken off.
[WARNING: I am about to ramble off into a story here]
I was tasked with testing the physical security of a block of offices years ago for a friend’s business (Don’t get any ideas, I don’t work for free…). Most access for the offices could be achieved from the ground floor. It was a two storey block backing onto a carpark and other businesses.
Every window in the building (ground floor and up) was a sliding window. They had metal outer frames and the actual locking mechanism was a metal ‘latch’: when the two windows are closed, the latch is moved over to latch onto the other. So separating them is impossible without being able to do it from the inside.
Enter my $30 crowbar from Mitre10. It was roughly 75cm long. Reasonably thick and sturdy, but easily concealed inside a duffel bag or inside a jacket (you might have had to attend the Cronulla riots after the job, I don’t know). All you had to do was place the flat end of the bar into the crack of the window (the left hand seal, where you would place your hand and pull right to open), then wiggle and force it in for a few seconds. Once you had the bar in as far as it would go, you’d slowly pull back on it, and then forward. You would have to do this pretty hard, but if you didn’t want to leave a trace, it had to be slow. As you pulled back more, the latch on the lock would actually start to bend. Once you hit a certain point, the force you were putting on it, combined with the bend in the latch, would make it slip off the lock and the window would fly open. As the latch was metal, it would bend back into place after this, as you were only applying pressure for a moment.
Solution? Steel window frames with real locking mechanisms. Pay the extra money. There are tonnes of providers out there now that do really good security windows and doors for reasonable prices. Use some common sense really… if the lock on the window looks a little small or fragile, then it probably is.
Crowbars are also efficient at opening doors. Same principle. Pop the flat end into the crack of the door (around about where the lock is), and bend it back. Depending on the access you can get, the type of door and the leverage, it might be able to be popped open. Wooden doors are the worst for this. Make sure your doors are heavy and strong, with no way for any foreign object to be wedged between the door and the frame.
Motion detectors are great… provided you place them in the right spot and know how to use them. Going back to the story above about gaining entry through the window of the ground floor office: as soon as I was inside the office, straight away I saw a motion detector up in the corner flashing with all 3 lights… the RED one was not what you wanted to see. This triggered a silent alarm that went back to the security company. (I know this because I tested it out weeks earlier… more than once. It always took exactly 10 minutes for a guard to arrive and check the premises, and exactly 10 minutes for them to look around and leave again.)
So I was standing inside this office in the middle of the night, motion detector flashing all types of bright LEDs. I have roughly 10 minutes to do what I need to do, right? Wrong. In my bag I had a roll of white masking tape. The sort of stuff you pack boxes with, with the consistency of paper. I grabbed a chair, placed it under the alarm, stood up with my roll of tape and ripped off a square that fit perfectly over the sensor. I put a couple of layers on, replaced the chair, jumped back outside, closed the window and ran off to safety.
Looking at my watch, sure enough, 10 minutes and the security car drives into the premises. From the safety of the trees across the road, I watch him walk around with a flash light. I see him go into the main office briefly, this would be to reset the alarm. I see him go to the area I was at. And I see him leave again.
So after a while, I went back to my window. Now I don’t have 10 minutes to get what I was after… I have all night. The sensor does not pick me up when I get back inside. The intruder could take this tape off when they leave, bringing the guard back a second time for no reason, or it could stay there until somebody finds it. More than likely it will be taken down and a guard will come back (unless they were stealing loads of equipment, in which case they might need more getaway time).
And this is a true story. But it isn’t a great example of motion sensor security and I know it has been used before. Guards should pick up on this. “Should” being the key word.
There is also the threat of somebody having access to your premises during the day… be it an employee or somebody pretending to be an electrician (more on that later). In old motion sensors, all you have to do is pop the cover off the detector, and you see a red and black wire. If you strip these and cross them together, it will then not send an alarm back to base because you are looping the circuit, but they will not know it has been ‘deactivated’. It keeps the sensor alive, but breaks the ‘phone home’ function. I’m sure this is harder in more modern systems, but it takes decades for some places to change up physical security, and this was around back in the day, so it still is a real threat.
Another problem with motion detectors (which I could defeat in this instance) is placement. Once inside the initial office, there was a corridor that went to other areas, more offices and finally upstairs. The office I entered was half way down the hallway, probably 25 metres to the other end where the next motion detector was. Can motion detectors reach that far? These ones didn’t. The company assumed the sensor would pick up the entire length of the hall way. Which is untrue. You need to test out the strength and placement of these.
You normally don’t install security systems into your office yourself (that’s what you pay the security guys to do), but you do have to test them yourself. An easy way to test is, during the day, walk up to a sensor and you will see the lights come on… it is picking up rapid changes in heat patterns in the environment (your body heat). Walk away… walk to the side… step back… see when the sensor stops picking up your heat. This is what criminals do. They may enter a premises under the guise of doing regular business, and test the motion detector on the way out.
There are other ways to beat motion sensors. Like the old soapy water on the lens trick (spray bottle or super soaker style), but this would be a similar and more awkward approach to the tape application; more than likely the alarm will go off in the process. Moving super slowly so that the sensor doesn’t see a rapid change in heat within its viewing area is a popular one. Not the most efficient one, but we’ve all heard stories. Crawling along the ground under its field of view is also a popular one, and this actually works more often than people would like to think.
Solution? You need to make sure that your sensors actually cover the areas you want, and not just appear like they do. It sounds stupid I know, but have a look around your own place and see where the sensors are and how they work, and you might notice the potential that somebody could easily bypass them.
You could also invest your money in more secure types of ‘motion sensing’ systems. There is a wide range of technologies out there: vibration sensors, magnetic pads, even James Bond-esque laser beams. You have to weigh the cost against the value of the assets you are protecting. The standard motion detectors are fine PROVIDED you use them properly.
One thing that people get relaxed about is spare keys in the office. Or ANY key for that matter. On this particular job, I found a jar full of keys in one of the offices. It was in the top drawer of a desk, which wasn’t locked. Even if the drawer had been locked, these locks are so easy to open that a 6 year old with safety scissors could do it. In any case, I ended up testing the keys I found on various locks at the end of the building I was in, which led me to the discovery that one of them was the master key. No need for my crowbar anymore. Master keys have codes on them so they can’t be replicated down at the corner locksmith. But when dealing with criminals, it wouldn’t be too hard to have a contact that would do this on their behalf… or even to have a machine themselves. And what about the key to one of the back offices? Surely no one would notice that missing; I didn’t see a ‘do not copy’ imprint on this particular key. People would ask where the master key was, but the spare key to the back door? Maybe. Maybe not… As you can see, any entry way is an entry way. (Similar to ‘any hole is a goal’…)
Make sure to be diligent when controlling keys. If you lock a high value key into a drawer with a cheap lock, then you are defeating the purpose.
Security guards are great. Provided they do their job properly! Continuing on from the story above, I knew the routine of the guards. Apart from my knowing how long it took them to respond to my alarms, they did not come around regularly. They only came out when the alarm went off. It makes it very hard for bad guys to break in if you have security guards that show up at random intervals.
Criminals could visit your site every few nights of the week and set off the alarms on purpose. Then after 2 weeks of fake alarms, when the real alarm goes off, they may be less likely to respond. I know they have fallen for this before and it shouldn’t impact their routines, but security guards are humans after all. And humans are the biggest weakness in any security function.
Please make sure you get a reputable security company to not only install your security, but do the proper checks. Ask them what service you get. If you don’t agree with their service, go elsewhere. There are plenty of good security companies out there, it doesn’t mean you have to use the cheapest…
Well, won’t people that go around breaking into your offices be caught on the old CCTV? If you have it, then ‘probably’. But in the majority of places I’ve been, cameras are placed in ineffective locations. Sure, they give a view of a ‘high risk area’ like the main entrance, but what is behind that camera? So many times you will find somebody could sneak around behind or underneath it, and cover it with something, or stick something over it (masking tape??) before they even have to walk in front of it. And if this isn’t a high risk facility that has in-house guards watching the cameras in real time, nobody will respond.
Cameras are known as security deterrents (as they often deter criminals from committing an offence through fear of being recorded). But they are only a deterrent if the criminal can actually be identified. If nobody is watching these tapes then it doesn’t deter anyone from breaking in. Robbing a supermarket, maybe. But if nobody is watching, a camera can be easily covered, or a disguise worn. The tapes don’t usually even get viewed unless the next day they find the office has been robbed, or they come in early Monday morning and find their server room without any servers… That’s when the tapes get checked. (Remember, I am talking about normal businesses here, not high risk facilities.)
And that brings me to the next thought: IP cameras. They are pretty awesome. If they are used right, that is. This borders on the realm of cyber security but is still relevant. I recall being at a client’s office auditing their systems, and found that their IP camera system’s server only held recordings for 7 days. 7 days isn’t much at all. You might think that ‘if somebody committed a crime, 7 days of recordings is enough’. But no way. If the intruder knew how long you stored your footage for, they could do something in the form of a social engineering attack. Make some bogus phone calls to the office, say something about building management, or that they have been sent to check the fire extinguishers comply with safety regulations. Come into the office one day, pretend to be doing whatever it is they claimed to be doing, disable sensors, leave a window at the back of the office unlocked, plant hardware keyloggers, steal a sensitive laptop – all sorts of stuff. They could even plug in a rogue access point under a desk if they were that way inclined. All types of things could be done to give more leverage to an intruder. But say Monday morning 2 weeks later, the company finds they have been robbed. They check the tapes and see a robber wearing a mask quietly cleaning out the office. As he is disguised, there isn’t much they can do. When the police ask ‘Was there anyone unusual around here lately?’, the office might mention the nice man who came to fix the lights a couple of weeks ago seemed a little out of place. ‘Well, when was he here? Can we see the CCTV footage?’… ‘Sorry, we only hold footage for 7 days…’. Your retention period needs to be longer than the gap an intruder can leave between the reconnaissance visit and the actual break-in.
Another thing with IP cameras. Like any other computer system, there is the potential for them to be broken into. The sheer number of SOHO security cameras that have been wrongly configured and that you can view online through crafted search queries is scary. Doing a WHOIS lookup on the IP and some digging could give you the actual company and address that this camera is currently servicing. Shodan illustrates how simple this actually is: http://shodanhq. Do we really need to make it this easy for criminals to find their prey? You want to make it harder for the bad guys, not easier.
I still think the percentage of HID proximity cards in Australia is around 90% (I did read the figures somewhere a couple of years ago). You know when you work in an office building, and you more than likely have a white card that you swipe to gain entry? The one with HID written on it? They can be cloned pretty easily with products from vendors such as http://proxmark.org/proxmark. If somebody had one of these readers in their backpack, they could easily walk up behind you on the street… or while you are having a few after work drinks at the pub. Or perhaps when you put your wallet down for a minute. It just takes a second of getting close to you, and your card could be stolen. Social engineering could come into play here, but regardless of the method of obtaining it, the point is they can be cloned. If a criminal wanted access to a sensitive area of the business… they could follow the CEO out of the office one day, or even the IT manager.
Cloning the card (putting the reader close enough to the victim’s card) copies the data onto the device, and it can then be written to a new card. This new card will have the same access as the one that was just cloned. All the facility security logs will show is that the other person’s card was used for entry at a certain time (which may land them in hot water depending on what happens after a successful intrusion).
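To make concrete what is actually being copied, here is an added example (my own code, not from the original post or from the Proxmark project) that encodes and decodes the 26-bit Wiegand payload, the HID H10301 format most commonly found on these white cards. The payload is nothing more than a facility code, a card number and two parity bits; there is no secret and no challenge-response, so whatever a reader pulls off one card can be written to a blank and is indistinguishable to the door controller. The facility code and card number in the demo are made up.

```python
"""Encode/decode the 26-bit Wiegand (HID H10301) payload of a prox card.

Bit layout, with bit 0 being the first bit on the wire:
  bit 0       even parity over bits 1..12
  bits 1..8   facility code (8 bits)
  bits 9..24  card number (16 bits)
  bit 25      odd parity over bits 13..24
"""


def _parity(value):
    """Number of set bits in value, modulo 2."""
    return bin(value).count("1") & 1


def encode_h10301(facility_code, card_number):
    """Return the 26-bit payload as a '0'/'1' string in wire order."""
    if not 0 <= facility_code <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card_number <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    body = (facility_code << 16) | card_number       # bits 1..24
    even = _parity(body >> 12)                       # bits 0..12 -> even count
    odd = 1 - _parity(body & 0xFFF)                  # bits 13..25 -> odd count
    return format((even << 25) | (body << 1) | odd, "026b")


def decode_h10301(bits):
    """Parse a 26-bit payload, checking both parity bits.

    Returns (facility_code, card_number); raises ValueError on a bad frame.
    """
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 bits of '0'/'1'")
    value = int(bits, 2)
    even, body, odd = value >> 25, (value >> 1) & 0xFFFFFF, value & 1
    if _parity(body >> 12) != even:
        raise ValueError("even parity check failed")
    if _parity(body & 0xFFF) == odd:
        raise ValueError("odd parity check failed")
    return body >> 16, body & 0xFFFF


def is_valid_h10301(bits):
    """True if the frame is well formed and both parity bits check out."""
    try:
        decode_h10301(bits)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Made-up facility code and card number for the demo.
    captured = encode_h10301(117, 4321)
    print("payload read from the victim's card:", captured)
    print("what the controller decodes:", decode_h10301(captured))
    clone = captured   # a clone is literally the same 26 bits on a blank card
    print("clone decodes identically:", decode_h10301(clone) == decode_h10301(captured))
```

Tools such as the Proxmark present a read as a facility code and card number; this is the arithmetic behind that display, and the reason the ‘write to blank card’ step is so simple. Note also that a single flipped bit is caught by parity, so a corrupted read is rejected rather than silently opening the wrong door.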
If you work in a large office building, with different companies on different floors, who has a swipe card that can get into every office and every company? Come on, guess… it’s really quite simple and very scary. Probably the least security conscious person of them all… the humble cleaner.
Cleaners are employed by the building to clean the offices. Not necessarily just your company’s offices, but the entire building. Depending on what building you work in, they could have access to all areas, or just designated spots. Around 5.30pm you see flocks of them start to make their rounds around the office for their nightly shifts. Their cards are usually hanging off their waist as well. This is the low hanging fruit. Cloning a card that is ‘access all areas’!? Not dissimilar to Willy Wonka’s golden ticket.
How do you defend against your card being cloned? You could purchase something like an RFID shield to issue to all employees. This might be cumbersome as employees would need to take the cards out of the protective jackets every time they enter an area. But it is that sweet spot in the balance of security and productivity you are after. You decide how important your assets are, and decide accordingly. http://www.rfid-shield.com/
You should also be diligent in card management. Make sure cards are deactivated when lost or stolen. Make sure that no employee has after hours access if it is not a job requirement (think the principle of least privilege, but for the physical world).
Server Rooms/Data Centres
If data is of high importance, it will no doubt be stored in a secure data processing facility (this may be with a third party, and may be complete with biometrics and ‘proper’ access controls). But what about the regular run-of-the-mill company? Your data is just as important to you as anybody else’s is to them. These types of companies often don’t have the budget, or the knowledge, for proper physical security.
Server rooms are a gold mine, for all sorts of reasons and for all sorts of intruders. If somebody snuck into one, they could install a tap device to capture traffic entering and leaving the entire organisation, they could install a rogue AP on the sensitive and protected ‘server VLAN’, they could even load a bootkit onto your servers and have access from the comfort of their own home, stealing confidential information and having access to everything in your company while they sit back and drink lattes. They could steal, they could sabotage, they could do anything to the central nervous system of your organisation. It is the last place you want unauthorised people to access.
One thing I learnt while studying the CISSP Physical Security domain is that, apart from having layered security zones in your facility protecting your holiest of assets (think a physical maze of walls and offices, each one slowing down an attacker from reaching the gold mine in the middle – which is your server room), dropped ceilings are bad. As you can see from this picture.
It had never occurred to me before and I don’t know why, but the MAJORITY of places I have worked had dropped ceilings. It is pretty simple for somebody to remove one of those panels somewhere else in the building and crawl across. Might be unlikely, but again, how important is your data to you? More importantly, how important is your data to somebody else?
It’s also good practice to have a sign in form for server rooms, and to accompany any individuals entering your room. Preferably your server room should have strong glass walls so everyone in the department can see who or what is inside at any given time. CCTV inside wouldn’t be a bad idea either, to back up your physical security controls. It also makes for good auditing: if one of the administrators used the shared domain admin account and stuffed up the Exchange database from the console, the camera footage can be correlated with the time stamps in your logs.
I’ve been in so many places where all they had was a swipe card for server room access (read above on cloning), with the server room not even located near any IT teams, just the general staff population. Do you think any non-IT staff member would care if somebody walked in with overalls and a toolbox and swiped their way into the server room? Nope.
Protecting your data in transit
How about your data when you travel? You might have a full disk encryption solution on your company laptop. You might need to take it with you on business. You leave it in a hotel room when you go out for dinner perhaps. How secure are these hotels? If you had mission critical files on your laptop which was in your hotel room, how much confidence would you have that nothing on there could be taken? I can’t speak for all hotels, or even hotels overseas, but all of the hotels I’ve stayed in have no CCTV in the actual hallways. Only at elevator entrances and main thoroughfares. If your laptop went missing from your room… there would be no realistic way of tracking down who did it (by looking over the CCTV footage). And worse yet, if your hard drive was cloned you wouldn’t even know.
How could somebody break in to your room undetected? Simple! A perfectly shaped piece of metal or aluminium can be used to unlock most doors from the outside. One of these could fit inside a suitcase or carry bag. (Here is a video demonstrating this technique)
“So who cares if someone breaks into my room or steals my laptop!” I hear you protest. Well, someone could 1. clone your drive and take the copy away to work on at their leisure, 2. tamper with the laptop on the spot, or 3. just steal it and break into it elsewhere. How would somebody get past the encryption? Some of the most popular full disk encryption packages (looking at you, TrueCrypt and PGP) can have their pre-boot authentication subverted by a bootkit like “Stoned Bootkit”, or by the dreaded ‘Evil Maid’ attack. In either case the attacker boots the laptop from their own CD or USB stick and plants code in the unencrypted boot sector, where it runs before the encryption software and can capture your passphrase the next time you type it. The cryptography itself is never broken; it is simply handed the key.
This all might sound a little far-fetched and like too much effort for somebody to go through to get your files. If they succeed, you might say “Kudos to them, they deserved it”. Truth is, all of this isn’t really that hard. It’s all very basic stuff. Mid-level criminals can and do pull this off. And again, how much is someone willing to pay for YOUR data?
One thing you could do is take the laptop cable locks with you when you travel which can secure your device to a solid foundation, preventing most people from being able to steal it. They still could cut through it yes, but slowing down or deterring an attacker is better than nothing at all.
Another technical control your laptop should have is a BIOS password, and a boot order that cannot be changed. Sure, a BIOS password can be cracked or reset, but in most cases that involves opening up the device, and the criminal may not have enough time to do this. Stealing the drive or cloning it might be the only option for them. So this might be a wake up call to not store data locally. If you do need local data when you travel, consider fully encrypted (hardware) USB sticks (IronKey are great) and store your data there. Make sure you do not lose it though! These drives can securely destroy their contents automatically after too many wrong passwords if they get into the wrong hands. But we want to prevent that from happening in the first place.
User awareness is paramount for security. Both physical and technical. You need to inform and train all staff on proper security procedures and why they are needed. You have to do it in an interesting way also, or they won’t listen. One thing I think is a good idea, is to get a piece in the monthly newsletter (or whatever) for Information Security matters. But make it relevant to the users. People are actually interested in being more secure, it is how you deliver it to them which can cause the heartache.
One month do a write up on ‘how to stay safe on Facebook’ or ‘how to protect your bank account from being hacked’ etc., and link the technologies and concepts into business systems and why it needs to be done. Staff love reading a little creative snippet about how a social engineer can infiltrate a company and sneak out data… and the lessons start to be learnt from within. You also want to reward users for good behaviour and make them proud to work for you; there is nothing worse than disgruntled employees. They are more dangerous than the criminals we are trying to defend against.
Everything I have posted is just for general awareness. Most people know these techniques; as I said, “it is nothing new”. I tried to steer away from getting too geeky and just keep things simple. I also wanted to steer clear of the general mundane foundations of physical security and actually put in some relevant and useful information. I could have gone on forever if I had started combining different social engineering attacks with physical penetration. And one thing to keep in mind regarding the controversy over performing client side pentests: this content is highly relevant and just shows why these sorts of tests need to be conducted for businesses to keep them safe.
Hope you enjoyed, and I hope someone at least learnt how to be more secure from this.
Earlier in the year I was doing some freelance security work for a friend of mine who runs a small IT consultancy business. He doesn’t really specialise in security, but when the needs arises he usually gives me a call and I can do some work for him.
This story is about a pentest I performed for him. I am not the most technically skilled hacker out there. I think I am just good at utilising the technical skills I have with my creativity. The customer in this story had the worst security I’ve seen in my whole career. The events that unfold are pretty rare and you’d be hard pushed to find any pentest as easy as this.
Obviously names have been sanitised for legal reasons. I also wish I had screen shots for this one. But at the time of the test I wasn’t thinking this would make for a good story. Boy was I wrong! A lot of legal and boring aspects have been discarded from this post and I have left the most juicy parts to make it a more entertaining read. All of this is true.
So I got a call from my friend one day, asking if I wanted some easy work. I was in the middle of a big network project at work so didn’t have much extra time to spare, but he promised it should only be a day or two over the weekend. So I agreed.
This is a pretty small consultancy and I was contracted on and off to be ‘the security specialist’ when a client arose asking for that particular skill set.
Meet AdvertisingX. AdvertisingX is a mid-sized Sydney based Ad Agency. They have 4 branch offices around Australia, Sydney being the head office (there are A LOT of Ad agencies in Sydney). The CEO (let’s call her Sally) called my friend’s consultancy looking for someone who could perform an IT security audit of the company. The reason for this was that one of the Desktop Support guys had complained to the CEO that he thought the IT manager wasn’t doing his job as well as he should. Desktop Support guy explained that the majority of his days were spent cleaning spyware out of people’s browsers, disinfecting their PCs from viruses and sitting in the lab re-imaging machines because some sort of malware had rendered the machine useless. Desktop Support guy had complained to his manager but got nowhere. “We have a centralised anti-virus solution and a Checkpoint firewall, there is nothing to be worried about, our security is fine” was the response Desktop Support guy would get.
Sally had no idea what the day to day grind of the IT department actually was but what she heard had made her concerned. And I can see why. I have been in-house IT before where there have been no proper security policies and management. Things get really painful, especially if you’re the Desktop Support guy.
My friend had a meeting with Sally and organised an audit (much to the reluctance of the IT manager). I hadn’t been called in at this point. My friend went into the office, sat down with the IT team, got all the information he needed and got to work checking out their infrastructure. I was working that day so he had to fill in for me. I spoke to him over the phone about what he needed to look out for, as I had seen the situation Desktop Support guy described before. “Check what servers they are running, how their AV is set up, what firewall rules they have, what other network devices or security they have. Check patch management. How accounts get distributed. How their domain is set up etc” – I told him.
I will try and spare as much of the boring audit detail as possible here, because I want to share the experience I had with AdvertisingX, which I think is more entertaining than the long list of gaping holes my friend found on site. But for a quick pre-game run down: they were running McAfee ePO on a central server in Sydney. It was set to push updates to secondary ePO servers at the branch offices and from there push out AV updates. But it turned out that the ePO in Sydney was set to download updates from the McAfee site on a high port number, and this port was not opened on the outbound firewall rule. And the way ePO was set up there was no logging or notifications. Someone had set this up (incorrectly) and assumed it worked. The mind boggles. So every PC in the company (roughly 300) had not had anti-virus updates for a year and a half. Not only that, it was discovered that there was no patch management. This was a Windows environment, and there was no distribution of patches, and to make it worse, each PC was set to ‘download Windows updates but ask me before installing’. Do you think staff would click yes to updates? I think not. And the desktop images were not even standardised: every 20 or so PCs had a different configuration and set up. The worst thing was also that the company was running Internet Explorer 6 on the majority of workstations, and each staff member had local administrator rights on their PC! It was a complete mess. So suffice to say it was not hard to get into this network from the outside. And suffice to say that the report handed over to Sally at the end of the audit was enough to make her fire the IT manager. But I think there were some more entertaining things in that report, which I will get to momentarily.
Media and Advertising agencies are funny creatures. I have had a lot of experience with these. You have two types: the bigger agencies, which are governed by SOX and relatively controlled and secure (if they stay compliant), and then the smaller private companies, which are an open slather of security risks. The reason for this lies with the culture of the industry. Advertising and Media agencies pride themselves on being not only glamorous and professional, but also casual and fun. People rock up to work wearing t-shirts and sandals. You see people drinking beer around the office at any given time on any given day. People playing and sharing music out of their computers. Downloading games or goatse-like images to send around their group of colleagues. It is a fun environment to work in… unless you are the security guy.
So my friend called me up and told me the situation. He had already done an internal audit, and with his findings I started probing around from the outside. I didn’t want to use the stale ‘scan the perimeter, find sploits, then sploit’ technique, which is tried and true. I wanted to try a more social approach, because this was shortly after the Aurora exploit had come out and I thought I’d give it a try.
It didn’t take me long to find the Managing Director’s PA on Facebook after looking around the company website and finding out her name. I was also looking for the CEO’s PA but that didn’t turn up any usable results. So I picked this one. (If you recall, the Google Hack was instigated using a similar technique).
I also looked around AdvertisingX’s list of clients and who the individual account managers for them were. Media and Ad Agencies love showing off their work; they pride themselves on it. I took a list of account managers’ names and searched for them on Facebook. Only 2 of the 9 managers did not have profiles from what I could see. (The other 7 may not even have been the managers in question, I don’t know – but it’s not relevant at this point because the 2 names which came up blank are all I needed to go on.)
So I picked one at random, and created a Facebook profile using her name. Let’s call her Mindy. I just set her profile to private with no information and sent a friend request to the PA with a message “Hey! I thought I’d join the club and finally get on Facebook”.
Within 30 minutes I got an email notification informing me that the Personal Assistant and I were now friends. Yay.. I have a new friend! (Goes to show how much work must have been getting done in that office!)
Now that I had her trust, I set up a Metasploit session on one of my lab PCs and configured the Aurora exploit to listen for any incoming connections on localhost:80/AdXparty09 with a reverse TCP shell. I created a NAT rule on my router to make sure that any port 80 traffic (which I had configured for Aurora) would translate to my Metasploit box.
I logged in to Facebook as Mindy and started typing up a private message.
“Hi PA, how’s your day going?
Hey do you know anything about these pictures on the Intranet from the Xmas party?”
(I could have tried masking this link, but I had faith in the lack of security awareness of a Personal Assistant, especially considering a known colleague within her company was asking her something relevant to both of them.)
I went to make a coffee, and by the time I got back to my desk I saw an active session in Metasploit. Too easy. It really was. So much for the IT manager’s whiz-bang Checkpoint.
I checked my Facebook messages and saw a response.
“Hey yeah day’s not so bad. Just waiting till 5!
Ummm the link doesn’t work. What pictures are you talking about?”
I didn’t want to raise too much suspicion and have my cover blown just yet so I replied
“Oh sorry never mind. I was trying to get some copies and I saw you were in a few. It’s ok I figured out how to download them!”
Ok so that should give me some time without PA phoning up Mindy asking why she sent her a strange Facebook message.
I hopped onto Metasploit and connected to PA’s PC. I ran the DIR command and went through what files she had stored locally. It turns out these staff also seem to store all of their work locally and not on the network. Tsk tsk! Add that to the long laundry list of things wrong with this IT infrastructure.
Using some past experience and common sense, I assumed that most PAs are always logging into their bosses’ email for them (for a variety of reasons). So I was crossing my fingers that she would have saved the password somewhere. And yep, she had.
C:\Documents and Settings\PA\Desktop\HarryPass.doc
I am pretty much laughing to myself at this point. I haven’t seen such a lapse in security for a long time. I had a look around and surprise surprise, I also found HER login password. I don’t even have to bind a Metasploit keylogger to her winlogon service. Again, too easy.
I hopped onto my other PC and did some DNS scans of their domain. DNS zone transfers were off, which I was happy to see for them; it was hosted by a third party however, so I can’t give them any credit for that little nugget of security.
Analysing the results of DNSbrute I found OWA.AdX.com.au. (This is the Outlook Web Access service, for those who don’t know. It allows web access to your email while out of the office. Usually running on an unpatched IIS server, I might add.)
I logged in to their webmail as PA to see if the password she had written down still worked. It was dated 2 years ago. Yep… it worked.
I logged in as the Managing Director (Harry) to see if his password was valid. Yep, it was. (Looks like someone managing IT wasn’t aware of strong password schemes)
I started to sift through the emails to see if there was any juicy data I could use for my report. Account numbers or client details would be preferred. You always have to find the most sensitive or damaging company information to present to a company so they are disturbed and shocked enough to actually change their security policies.
I didn’t find too much in Harry’s email. Just a lot of meeting requests and lunches (I think I am in the wrong profession, wish I could go out on boozy lunches all day every day).
So I went to PA’s email to have a look around. After sifting through a pile of Facebook alerts (come on guys… you’re making this painful) I found a bunch of emails from different staff members. The subjects were “Guest List for AdvertisingX Launch Party”. I had a look at these emails and went through her sent items and discovered that AdvertisingX was actually hosting some type of event at their offices the following week. PA was responsible for the RSVP and was taking down names from the company managers of who they wanted on their guest lists for the night. I thought about this for a second and a light bulb flickered on over my head so hard I almost had a seizure.
I called up my friend who was actually controlling this audit and asked him to clarify what Sally had asked of the audit. “Anything goes right? You have that in writing? She wants to see how deep the rabbit hole can go?”. And she did.
I logged back in to Harry’s email account and checked his calendar. He was actually in the office that day but had a late lunch appointment. I went into his Outlook rules and created a rule:
From: PA
Action: Permanently delete
I turned this rule on. I went through his sent items and found the email he had previously sent PA with a list of people he wanted on the door for this party. I forwarded this back to PA with an addition.
Subject: FW: Guest List for AdvertisingX Launch Party
Sorry, I forgot to add someone to the list.
I sent the email, and deleted it from Harry’s sent items.
I waited for a while and logged back in to PA’s. I saw my email had been read. I checked her sent items and saw a reply.
“Yep not a problem. Added.”
Excellent! I am feeling pretty James Bond-ish at this point.
I logged back in to Harry’s and took off the rule before PA sent him any other emails. I was pretty sure there would be no further discussion regarding this one last addition.
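The rule Harry’s mailbox ended up with (anything from PA is permanently deleted, so the owner never sees the reply) is exactly the kind of thing a mail administrator can sweep for across every mailbox, and it is the same pattern that shows up in business email compromise today. The following is an added example written for this post, not something AdvertisingX or the author ran: it audits a constructed export of inbox rules and flags rules that silently delete or hide mail scoped to an internal sender, rules that forward mail outside the organisation, and rules with near-blank names. The record shape, the internal domain and every address are assumptions made up for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed: the sanitised company's mail domain for this example. Anything else is external.
INTERNAL_DOMAIN = "advertisingx.example"

# Folders where a "move" amounts to hiding the message from the mailbox owner.
HIDE_FOLDERS = {"deleted items", "junk email", "rss subscriptions", "conversation history"}


@dataclass
class InboxRule:
    """One rule as an admin might export it per mailbox. Field names are this example's own."""
    mailbox: str
    name: str
    enabled: bool
    from_addresses: List[str] = field(default_factory=list)  # empty means "any sender"
    delete: bool = False
    move_to: str = ""
    forward_to: List[str] = field(default_factory=list)


def is_internal(address: str) -> bool:
    return address.lower().endswith("@" + INTERNAL_DOMAIN)


def rule_findings(rule: InboxRule) -> List[str]:
    """Return the suspicious traits of one rule, in a fixed order; empty if it looks benign."""
    findings: List[str] = []
    if not rule.enabled:
        return findings
    hides = rule.delete or rule.move_to.strip().lower() in HIDE_FOLDERS
    # The story's rule: mail from a named colleague vanishes before the owner sees it.
    if hides and rule.from_addresses and all(is_internal(a) for a in rule.from_addresses):
        findings.append("suppresses-internal-sender")
    # Same idea with no sender filter at all: everything vanishes.
    if hides and not rule.from_addresses:
        findings.append("suppresses-all-mail")
    # Common follow-on: copies of mail leave the organisation.
    if any(not is_internal(a) for a in rule.forward_to):
        findings.append("forwards-externally")
    # Rules named with a lone punctuation mark are easy to miss in the Outlook rules dialog.
    if rule.name.strip() in {"", ".", ",", "..", "-"}:
        findings.append("near-blank-name")
    return findings


def audit(rules: List[InboxRule]) -> Dict[str, List[str]]:
    """Map 'mailbox/rule name' to its findings, only for rules that have any."""
    report: Dict[str, List[str]] = {}
    for rule in rules:
        traits = rule_findings(rule)
        if traits:
            report[f"{rule.mailbox}/{rule.name}"] = traits
    return report


# Constructed sample export: one mailbox carrying a rule like the one in the post,
# plus ordinary rules that should not be flagged.
SAMPLE_RULES = [
    InboxRule("harry@advertisingx.example", ".", True,
              from_addresses=["pa@advertisingx.example"], delete=True),
    InboxRule("harry@advertisingx.example", "Newsletters", True,
              from_addresses=["news@vendor.example"], move_to="Newsletters"),
    InboxRule("pa@advertisingx.example", "Social noise", True,
              from_addresses=["notification@socialnetwork.example"], move_to="Deleted Items"),
    InboxRule("sally@advertisingx.example", "Backup", True,
              forward_to=["sally.home@webmail.example"]),
    InboxRule("sally@advertisingx.example", "Old test", False, delete=True),
]

if __name__ == "__main__":
    for key, traits in audit(SAMPLE_RULES).items():
        print(f"{key}: {', '.join(traits)}")
```

Run against the sample, only Harry’s delete-from-PA rule and Sally’s external forward are reported; PA’s rule that bins notifications from an outside service is left alone because it hides nothing from an internal sender. The sweep is cheap to run on a schedule, and new rules appearing on an executive’s mailbox shortly after a webmail login from an unfamiliar address are worth a phone call.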
Fast forward 2 weeks, when I had completed all my remote infiltration and tests. I had collated my report with all of the security vulnerabilities and snippets from emails and documents. I even managed to FGDump the SAM database of their Windows Server 03 Domain Controller. JTR cracked over 75% of these in 2 hours (no need for Rainbow Tables even). I even managed to get access to the CEO’s (Sally’s) Vaio laptop and discovered she had an SD card in the slot. I copied these images over to my computer and planned to include one in my report…. until I discovered midway through that it was not a good idea. Moving on…
My report is done. And it is thick. I have given it to my friend, who includes it in the official report and takes it to meet with Sally. After 45 minutes of their meeting they get to the end of the report, where there is a single A4 sized picture. It is a picture of me, having a beer, with the clueless IT manager (yes, I found him at the party). Thanks AdvertisingX – was a good night :). I was trying to prove a point: due to careless security, someone can so easily infiltrate your most personal of assets, and having physical access to roam around INSIDE AdvertisingX having beers and food with people… not good! I made a note indicating that they were lucky I was a ‘good guy’… imagine if an attacker had free roam inside your office. If that doesn’t hit close to home in a way management can understand, I don’t know what will.
There has been some discussion lately about pen-testing companies not performing client-side attacks. The general consensus is that most organisations know they will fail these tests and they can seem unfair to unwilling staff. Also, it is pretty hard to measure effective security controls on a living asset (a human staff member). Where are the rules and guidelines?
A company can still pass auditing and compliance regulations without testing their staff on common social engineering attacks (which is essentially what this is – just taken into web 2.0), but we all know that this is a real security threat to companies. The majority of attacks and break-ins are able to be pulled off thanks to the user sitting inside the company, regardless of whether the user is aware of it or not.
In the case I told above, I wasn’t working for a security firm. It was an independent audit. And the customer got what they wanted: they found weaknesses which should be addressed. No 0-days were used to attack the client; the Aurora patch should have been applied at least a month before the audit, considering its publicity.
The outcome? Updated internet usage policies regarding new social networking platforms, and user education and awareness training. That user education also applies to the IT team, who needed to be more diligent in patch management.