Chez Winn

ANATOMY OF A FRIENDLY HACK


Testing The Security of Your Enterprise

By Winn Schwartau


(The names and technical details of this story have been sanitized to disguise the client’s identity. Everything else is accurate.)

James Fallsworth, Vice President of Corporate Security at the Big American Bank called in a panic. He had just been informed that Operations and Marketing were planning to introduce a suite of new remote banking services for their seven million global customers. BA-Bank On-Line permits customers to access their accounts, move money from one to another, pay bills and remotely manage their finances.

Incredulous that he hadn’t been informed about such a major technical move, with staggering security implications, Fallsworth found himself in a quandary. The Beta program had already begun and he had less than two months before the systems were to be deployed globally. The President of the BA-Bank assumed he had been in the loop. "Just take care of it, Jim."

When most large firms, in the banking field or not, connect to the Internet, they have two choices:

  1. Connect the internal, mission-critical systems to the outside world, achieve high degrees of connectivity, encourage interactive commerce, and face very real security risks, or
  2. Maintain an isolated web presence, effectively limiting commerce to zero.

Jim Fallsworth needed to know how secure, or insecure, their BAB-Remote was, and how it could affect their revenues, profits, and customer confidence. It didn’t take long for Fallsworth to decide what to do: hire a company to test the external security controls of the bank and determine the company’s real vulnerabilities.

GOALS

Once Jim selected the firm, they mutually worked to understand the goals of the penetration testing (others call it friendly hacking).

  1. Assess the integrity of BA-Bank’s new services and how they relate to the rest of the bank’s operations.
  2. Determine what vulnerabilities exist within those systems.
  3. Offer solutions to increase the security of the systems.
  4. Demonstrate the possibility of losses to BA-Bank or its clients through any of the transaction processing systems, value added systems and through any back end systems that are not properly protected from intrusion.

RULES OF ENGAGEMENT

In planning attacks against your own organization, it is critical to establish exactly how the friendly hacks will be carried out. Most companies are afraid of what "bad guys" can do to them. This may mean a professional criminal, foreign nationals or spies, a competitor, a terrorist – or maybe just a sixteen-year-old with a keyboard.

In developing the Rules of Engagement, Jim Fallsworth had to choose whom he considered the likely perpetrator; in this case, it was assumed to be transnational criminals with a profit motive. So the agreed-upon methods to attack BA-Bank’s networks and web sites included remote penetrations, telephone systems, maintenance ports, and any other ‘electronic doors’ to the enterprise.

Now, criminals will do a lot of things that we, as ‘friendly hackers’, will not and cannot do. The so-called ‘Out of Bounds Behavior’ must be defined and adhered to. Nonetheless, all possible methods must be considered: the bad guys will not refrain from using them just because they are illegal, and it is prudent to understand how far real criminals might be willing to go.

Attack Methodology                              Permitted?
Social Engineering By Telephone                 Yes
Social Engineering By Mail                      No
Adoption of Employee Identity – Remote          Yes
Adoption of Employee Identity – On Site         No
Pretend to Be Technical Supplier                Yes
Dumpster Diving – On Site                       No
Dumpster Diving – Off Site                      Yes
Personnel Extortion, Blackmail and Coercion     No
Investigate Personnel Background                No
Penetration of Business Partners                No

Footnote: Social Engineering is the attempt to acquire security-relevant or other information that may be useful in compromising the defenses of the company under simulated attack. It can comprise anything from a friendly telephone call about a new mainframe service pack to a probing inquiry into specific security operations. Dumpster diving is the examination of a company’s garbage, which all too often reveals customer information, internal corporate phone books and memoranda, technical documentation, diskettes and so on.

CLIENT SUPPLIED INFORMATION

A portion of any efficient attack is to assemble competitive information on the target through open sources such as public documents, financial reports, and technical documentation. Both time and money can be saved if the company just hands it over to the friendly hackers. The kind of information that a real attacker would find of value includes:

  • Operating systems in use
  • Open technical documentation on systems in use
  • Major vendors used within the enterprise
  • Physical address of data center and telephone centers
  • Phone exchange information

Jim Fallsworth agreed to provide a legitimate bank account with $1,000 in it so ‘our’ account was accessible by telephone or from the Bank’s web site. Any real attacker would certainly do anything he could to get closer to his victim, no matter the nature of the business. In this case, having an account permits us to ‘social engineer’ the bank’s employees.

Lastly, make sure that you, as BA-Bank did, issue a Get Out of Jail Free Card. Remember that many hacking techniques are illegal: felonious federal offenses. In the unlikely event that certain activities were discovered and reported, written authorization from the company is the only way out of trouble.

EXTERNAL MAPPING

Once the preliminary research is complete, the ersatz attack team begins the mapping effort. This is not about breaking into the networks, but about building a non-intrusive picture, or ‘footprint’, of what the target network’s electronic perimeter looks like, including IP addresses, physical locations, maintenance and dial-up ports, telephone numbers, VRU, SNA, CISCO, NT-RAS, and other remote authentication pathways. (PIX_2)

During the External Mapping process, a suite of conventionally available analysis tools will be used, including:

  • Searching InterNIC provides an in-depth look at the company’s IP infrastructure from the outside.
  • Demon dialers scan tens of thousands of telephone numbers in search of modem tones indicating the presence of a computer.
  • Network sniffers read traffic along the company’s identified paths.
  • Scanners such as SATAN and ISS examine the external entry points.

Throughout this process auditable events will be logged. This is a critical step. If something goes wrong, and a system is adversely affected, an activity log helps us all understand what went wrong and what to do to fix it.

Another necessary step is the manual ‘look-and-see’ of the target’s IP range. In PIX_10, nslookup finds the related hosts, and then the banner returned to a telnet connection reveals that a Unix machine is running Sendmail 5.x. Now we know what sort of exploits to consider, and other security holes are staring us in the face. Then in PIX_11, we want to learn the habits of the administration. We see that the last time the sysop was on-line was Dec. 11, nineteen days ago. That looks like lax security, so we then want to see who’s on-line now; we find two people, and decide to wait and to use an IP anonymizer to disguise our true identity.
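The two manual observations in this paragraph (the version advertised in the mail server’s greeting, and how long it has been since the administrator last logged in) written up as a self-audit check a defender can run over their own hosts. This is an added example, not code from the article; the SMTP banner, the `last` output, the date and the 14-day staleness threshold are all constructed assumptions.

```python
import re
from datetime import date, datetime

# Constructed samples for this example (not the article's client data).
SMTP_BANNER = ("220 mail.example.test Sendmail 5.65c/IDA-1.4.4 ready at "
               "Tue, 30 Dec 1997 09:12:00 -0500")
LAST_OUTPUT = """\
sysop    ttyp0    10.0.0.5         Thu Dec 11 14:02 - 14:40  (00:38)
jdoe     ttyp1    10.0.0.9         Mon Dec 29 08:15   still logged in
sysop    console                   Mon Nov  3 09:00 - 17:12  (08:12)
"""
TODAY = date(1997, 12, 30)
STALE_DAYS = 14   # assumed: admin absence longer than this is treated as lax oversight

BANNER_RE = re.compile(r"^220\s+\S+\s+(?:ESMTP\s+)?([A-Za-z]+)\s+(\d[\w.]*)")
# 'last' prints no year, so only weekday/month/day/time is matched and the
# year is supplied by the caller (year-end wraparound is not handled here).
LAST_RE = re.compile(
    r"\b(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) ([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}):(\d{2})")

def parse_smtp_banner(banner):
    """Return (product, version) from an SMTP 220 greeting, or (None, None)."""
    m = BANNER_RE.match(banner)
    return (m.group(1), m.group(2)) if m else (None, None)

def sendmail_is_legacy(version):
    """Sendmail releases before the 8.x line are the 'old sendmail' class the
    article refers to; only the major number is compared."""
    return int(version.split(".")[0]) < 8

def days_since_last_login(last_output, user, today, year):
    """Parse 'last'-style lines for user and return days since the most recent
    login, or None if the user never appears."""
    newest = None
    for line in last_output.splitlines():
        fields = line.split()
        if not fields or fields[0] != user:
            continue
        m = LAST_RE.search(line)
        if not m:
            continue
        mon, day = m.group(1), int(m.group(2))
        when = datetime.strptime(f"{mon} {day} {year}", "%b %d %Y").date()
        if newest is None or when > newest:
            newest = when
    return None if newest is None else (today - newest).days

def review_footprint(banner, last_output, admin_user, today):
    """Combine the two observations into a list of findings for one host."""
    findings = []
    product, version = parse_smtp_banner(banner)
    if product == "Sendmail" and version and sendmail_is_legacy(version):
        findings.append(f"legacy Sendmail {version} advertised in SMTP banner")
    idle = days_since_last_login(last_output, admin_user, today, today.year)
    if idle is None:
        findings.append(f"no recorded login for {admin_user}")
    elif idle > STALE_DAYS:
        findings.append(f"{admin_user} last logged in {idle} days ago")
    return findings

if __name__ == "__main__":
    for finding in review_footprint(SMTP_BANNER, LAST_OUTPUT, "sysop", TODAY):
        print("finding:", finding)
```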

FINDING NETWORK VULNERABILITIES

Once the footprint is completed, we want to learn more about its weaknesses. Never forget that your job as a network and security administrator is a lot harder than mine as an attacker: You have to make sure that every potential point of entry is secured; that every electronic door and window is protected. All I have to do is find one weak spot – and I’m in.

To find weaknesses in BA-Bank’s systems, ISS’s Internet Scanner [www.iss.net] (PIX_5) was the first tool we used, and we also ran SATAN [search the net for dozens of free download sites]. Other products that you might want to consider using for network scanning include Netect’s Netective [www.netect.com], Secure Networks’ ‘Ballista’ [www.securenetworks.com], and the Wheel Group’s NetSonar [www.wheelgroup.com].

The purpose of these tools is to assess security, and each product has its own pluses and minuses. Ultimately, we like to use most of the available products to ensure that we cover every possible base. Several new vulnerabilities pop up every month, and it is good practice to test for all of the known exploits. (PIX_6) They tell you where the electronic doors are ajar, where the windows are cracked or where there is no perimeter security at all. Do not underestimate your potential adversary.

But, at the same time, do not assume that the automated scanning equipment is the end-all/be-all either. Technology does not stand alone; in combination with social engineering, ingenuity and creativity, new attacks are discovered regularly. So, like many other firms that specialize in security, we use a suite of proprietary and custom software tools both to identify weaknesses and to exploit them. (PIX_5A) The goals of this step of the process are to identify:

  • Poorly configured servers
  • Routers with holes
  • NT Registry problems
  • Operating system misconfiguration
  • Protocol spoofing capability
  • Poor password choices
  • Improper revision of applications
  • Old patches needing updating (PIX_4)

Between all the manufacturers of scanning tools, several hundred vulnerabilities can be examined, across internal and external networks, with varying types of displays available.

BREAKING IN: THE FINAL HACK

Based upon the findings from the scanners, from social engineering, and from open source competitive intelligence, we were ready to penetrate BA-Bank’s networks. The techniques included exploiting weak passwords, old Sendmail exploits, telnetting to unsecured ports, and FTPing to hosts and modifying their password files, to name a few. If this sounds overly simple, it is because most security holes are common-sense practices that have been forgotten. Gaining access to the internal infrastructure is done through multiple entrances: TCP/IP, maintenance ports, PBX-to-data lines, CISCO, NT-RAS, dedicated networks, telephone (VRU) networks, firewalls, authentication servers or other network mechanisms.

The next step is to map the internal infrastructure itself. A wide range of technical methods is used, including password crackers (PIX_8), application password crackers, and weaknesses in the controls on application resources, system controls, system utilities, and operating system controls at the kernel, root and other fully privileged layers of the infrastructure. Customized tools are often needed to achieve penetration, depending upon what is discovered.

For example, suppose an external TCP/IP connection terminates on NT box 1. NT box 1 may in fact connect to NT boxes 2 through 8, and NT boxes 2 through 8 may have no connection to the outside world other than through NT box 1. (PIX_1) Therefore, the successful penetration of NT box 1 is critical to the success of penetration throughout the rest of the enterprise. Because internal security so often assumes that external security offers strong protection, internal security methods and mechanisms are often implemented in a much less rigorous manner, which makes our job that much easier.

TELEPHONE AND PBX INTRUSIONS

All too often, we forget that the telephone system and company PBX are an integrated part of the business process, and therefore must be considered in our vulnerability testing of a corporate network. With BA-Bank and Jim Fallsworth, the telephone switch and PBX were included in our studies because the systems were integral to their business process. Even for most other businesses, though, at least a cursory examination is in order.

The company telco system may well have undocumented connections to the data network and offer a path for the interloper. An examination of the audit logs will provide a sense of normal activity; but most importantly, scanning for unwanted modems is the most critical element in protecting internal networks and remote access ports. Remember that all it takes is an unwitting secret modem and a PC set to Remote Server Mode, and your entire network opens up. (PIX_7)

Once we identified a small number of modems within the dialing range of BA-Bank’s data center (555-XXXX), we looked at what security mechanisms were in place. Several had password protection, so we launched automatic password guessing schemes to see how weak or strong they were. What finally made our job easy, though, was a manual attack, using simply guessed passwords on one Cisco router’s maintenance port. BINGO! That was our first success.
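The password guessing that got the team onto the router’s maintenance port is exactly the pattern the audit logs mentioned above can reveal. The detector below, an added example rather than the article’s or the client’s code, reads a constructed audit log and flags a burst of failed logins on one port, and separately a success that follows such a burst; the log format, device names and the 5-failures-in-120-seconds threshold are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit-log lines in a format chosen for this example (not any
# vendor's syslog format): "<date> <time> <device> <port> <FAIL|OK> <user>".
SAMPLE_LOG = """\
1997-12-30 02:14:03 rtr1 aux0 FAIL admin
1997-12-30 02:14:20 rtr1 aux0 FAIL cisco
1997-12-30 02:14:38 rtr1 aux0 FAIL root
1997-12-30 02:14:55 rtr1 aux0 FAIL admin
1997-12-30 02:15:11 rtr1 aux0 FAIL system
1997-12-30 02:15:30 rtr1 aux0 OK cisco
1997-12-30 09:01:00 ras2 com3 FAIL jdoe
1997-12-30 09:01:20 ras2 com3 OK jdoe
"""
THRESHOLD = 5                      # assumed: this many failures on one port ...
WINDOW = timedelta(seconds=120)    # ... inside this interval mark a guessing burst

def parse_line(line):
    d, t, device, port, result, user = line.split()
    return datetime.strptime(f"{d} {t}", "%Y-%m-%d %H:%M:%S"), device, port, result, user

def detect_guessing(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return alerts as (device, port, kind, detail) tuples.
    'burst' fires once when >= threshold failures land on one port within
    window; 'burst-then-success' fires when a login succeeds on a port whose
    burst has not expired, i.e. the guessing may have worked."""
    recent = defaultdict(deque)     # (device, port) -> deque of (time, user) failures
    live = set()                    # ports currently inside a burst
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, device, port, result, user = parse_line(line)
        key = (device, port)
        q = recent[key]
        while q and ts - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        if not q:
            live.discard(key)
        if result == "FAIL":
            q.append((ts, user))
            if len(q) >= threshold and key not in live:
                live.add(key)
                tried = sorted({u for _, u in q})
                alerts.append((device, port, "burst",
                               f"{len(q)} failures within {window.seconds}s, users tried: {tried}"))
        else:
            if key in live:
                alerts.append((device, port, "burst-then-success",
                               f"login as '{user}' succeeded after a guessing burst"))
            live.discard(key)
            q.clear()
    return alerts

if __name__ == "__main__":
    for alert in detect_guessing(SAMPLE_LOG):
        print(*alert)
```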

Social engineers can also take advantage of company PBXs. An outsider calls your company and asks for an extension – any extension. He reaches either a live person (rarely!) or voicemail, then asks to be transferred back to the operator, who then sees the call as coming from an internal location.

The objectives in penetrating PBX and VRU (Voice Recognition Unit) systems are:

  • Identification of access points
  • Penetration of accounts
  • Penetration and control of controller systems (as with the Cisco router)
  • Identification of DISA ports, or Direct Inward Service Administration
  • Identification and penetration of maintenance ports
  • Operating system vulnerabilities
  • Applications such as IVR, or Internal Voice Recognition, and PBX voice mailbox-forwarding services

DENIAL OF SERVICE

A major portion of the penetration exercises performed for BA-Bank was to determine just how strong their upcoming on-line, web-based banking services actually were. Sure, their networks had been compromised and it was proven that we could access their back-end transaction processing systems. Recommendations were made on what policies, procedures, methods and technologies could be used to enhance their system efficacy. But Jim Fallsworth wisely recognized that that was not enough.

BA-Bank was going on-line and going to use the Internet as a source of company revenues, profits and customer confidence. The BA-Bank web site had to be reliable; up and running all of the time: that’s called Availability – one of the three tenets of information security (in addition to confidentiality and integrity). Therefore, if BA-Bank’s web site was to be attacked, and their services no longer available to their customers, they would undoubtedly suffer both financially and on the public relations front.

Fallsworth asked to see how easy or difficult it would be to successfully launch a denial of service attack against the BA-Bank remote banking web site. The techniques used require extensive custom tools.

We used attacks against Gopher FTP with back end VTAM processing, MDS, NFS, UCP and TCP/IP ports against the Web processors. We also used techniques such as IP spoofing, session hijacking, a host of lesser-known TCP/IP assaults and Java, Active-X and CGI weaknesses.

These techniques will be used to penetrate the Web-based transaction processing system. Graffiti attacks will be used against the Web server as well. The client needs to understand that transaction processing penetrations present not only a security problem to their infrastructure but also one of perception management on the part of the customers or clients who may use these remote banking services. If clients come to the home page of the bank’s Web site and find pornographic or other inappropriate material on those pages, the bank will face a public relations and client confidence issue that must be dealt with in a short amount of time.

Launching "Denial of Service" attacks becomes easier and easier. Client confidence is a potential victim, as is the stream of revenue and the profits that remote banking is intended to generate. The "Denial of Service" attacks will include: (PIX_9)

  • SYN-ACK attacks
  • UDP attacks
  • ICMP bombing
  • Mail bombing
  • Other well-known and identified attacks based on Java applications against HTML, CGI, NT and UNIX based Web servers.

All of these denial of service attacks will be coordinated with the client before they actually take place, to ensure that the client does not, in fact, suffer any downtime.
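Of the attacks listed, the SYN flood is the one that shows up most directly on the target itself, as a pile of half-open connections in the server’s connection table. This added example (not part of the article) summarises a constructed netstat-style listing per local service so an operator can separate a flood from ordinary load; the addresses, the half-open limit and the BSD/Linux state names handled are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed netstat-style connection table for this example (not captured data).
# Linux reports half-open server sockets as SYN_RECV, BSD-derived stacks as SYN_RCVD.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address          Foreign Address        State
tcp        0      0 192.0.2.10:80          198.51.100.7:40211     SYN_RECV
tcp        0      0 192.0.2.10:80          203.0.113.45:1034      SYN_RECV
tcp        0      0 192.0.2.10:80          203.0.113.46:1035      SYN_RECV
tcp        0      0 192.0.2.10:80          203.0.113.47:1036      SYN_RECV
tcp        0      0 192.0.2.10:80          203.0.113.48:1037      SYN_RECV
tcp        0      0 192.0.2.10:80          203.0.113.49:1038      SYN_RECV
tcp        0      0 192.0.2.10:80          198.51.100.7:40212     SYN_RECV
tcp        0      0 192.0.2.10:80          198.51.100.7:40213     SYN_RECV
tcp        0      0 192.0.2.10:80          198.51.100.20:2231     ESTABLISHED
tcp        0      0 192.0.2.10:80          198.51.100.21:2232     ESTABLISHED
tcp        0      0 192.0.2.10:443         198.51.100.22:2300     ESTABLISHED
tcp        0      0 192.0.2.10:25          203.0.113.9:3344       SYN_RECV
"""
HALF_OPEN_LIMIT = 5   # assumed: half-open connections per service that warrant a look
LINE_RE = re.compile(r"^tcp\S*\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
HALF_OPEN_STATES = {"SYN_RECV", "SYN_RCVD"}

def summarize_half_open(netstat_text, limit=HALF_OPEN_LIMIT):
    """Group the table by local service and report half-open versus established
    counts plus the remote addresses contributing the most half-open entries.
    A flood with forged sources shows up as a high half-open count spread over
    many addresses; a single noisy client shows up at the top of 'top_sources'."""
    per_service = defaultdict(
        lambda: {"half_open": 0, "established": 0, "sources": Counter()})
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # header or non-TCP line
        local, remote, state = m.groups()
        entry = per_service[local]
        if state in HALF_OPEN_STATES:
            entry["half_open"] += 1
            entry["sources"][remote.rsplit(":", 1)[0]] += 1
        elif state == "ESTABLISHED":
            entry["established"] += 1
    report = {}
    for local, e in per_service.items():
        report[local] = {
            "half_open": e["half_open"],
            "established": e["established"],
            "flagged": e["half_open"] >= limit,
            "top_sources": e["sources"].most_common(3),
        }
    return report

if __name__ == "__main__":
    for service, row in summarize_half_open(SAMPLE_NETSTAT).items():
        print(service, row)
```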

ONCE YOU’VE BROKEN IN

Once your Friendly Hackers have broken into your systems, your work has only just begun. First of all, do not stop at one vulnerability; there are likely many more in many different places. From our experience (and we’ve never failed at breaking into anyone’s networks yet) we’ve never seen just one isolated weakness. Make sure that you’ve conducted a structured attack, and examined all aspects of the project. In BA-Bank’s case, we only examined the perimeter security controls.

In many jobs, though, you need to bring your Friendly Hackers inside your facility, to complete their analysis and security audit right on-site. While many system vulnerabilities are certainly detectable from the outside, (i.e., from the Internet), a more thorough approach includes an internal analysis of installation, configuration, system logs and applications operation. Most of this information is generally not available externally, but is part and parcel of a security audit.

Then, once all of the data has been collected – the footprint, the vulnerabilities, the internal analysis of selected systems – it’s time for recommendations. Better security firms will make recommendations not from a technical basis but from a business impact standpoint. Appropriate risk analysis must be weighed against the findings and actions taken.

In many cases, changes in procedure, policy and configuration will solve a lot of your security problems. In other cases, though, additional authentication processes are required; perhaps the addition of an access control mechanism is called for; or maybe just isolating information and services from the enterprise network is the most expedient and security-sound answer. No matter the approach, thoroughly document everything.

You will want to examine how to secure the enterprise from external vulnerabilities discovered and work with the staff to:

  • Make recommendations in hardware, software and policy to meet these goals.
  • Assist in performing system tune-ups.
  • Explore other internal vulnerabilities that might exist.
  • Identify needed patches and updates.

IN CONCLUSION

Conducting an analysis of your network’s security is a normal method of ensuring business process integrity. The depth of the analysis will be determined by your company’s particular needs, worries, connectivity and amount of reliance upon IP and other networks to conduct business. You, your security staff and your contractor or consultants should work together to define the goals, the methods and processes for the entire project. In addition, because different companies perform external security audits in a variety of ways, it’s good practice to make sure of at least a few things before you proceed.

  • Find out how much insurance the consultant carries.
  • Make sure complete and accurate audit logs are maintained throughout the process.
  • Create a "shut-off" valve so that the testing can be stopped on a minute’s notice in case something goes wrong.
  • Have reports tailored to multiple audiences: technical, middle management, and Board level.
  • Listen to the results.

Lastly, and just as important as every other step in assessing your security profile, do not assume that just because you have gone through the testing process your networks are secure. All you really know is the condition of your networks at the moment of their evaluation. Just like the rest of your company’s infrastructure, security is a dynamic, ever-changing condition that requires constant vigilance. So, the prudent security manager will use the first comprehensive testing as a benchmark, and continue to sponsor periodic reviews of the system. Especially important is to perform a pre-deployment analysis of systems before they go on-line – not after you suffer the consequences.

In the meantime – good hacking!

* * * * *

I’d like to thank the following firms and individuals for their contributions and assistance in the preparation of this article:

  • Axent Technologies: www.axent.com
  • Bob Ayers, Department of Defense (as an individual)
  • Dr. Fred Cohen, Strategic Gaming Partners (www.infowar.com/sgp/)
  • Internet Security Systems: www.iss.net
  • Carolyn Meinel, Moderator of The Happy Hacker: happyhacker.org
  • Netect: www.netect.com
  • Secure Networks, Inc.: www.securenetworks.com
  • The Security Experts, Inc.: www.securityexperts.com
  • The Wheel Group: www.wheelgroup.com


AUTHOR

Winn Schwartau is the COO of The Security Experts, Inc., a security consulting firm (www.securityexperts.com) and the President of Infowar.Com, (www.infowar.com) the world’s largest security web site.