Forwarded from: William Knowles <wk@private>

http://www.informationweek.com/hardware/showArticle.jhtml?articleID=177100115

By Ira Winkler
Internet Security Advisors Group
InformationWeek
Jan 16, 2006

A large multinational company was about to undergo a full security audit, and the CIO didn't want any surprises. He was looking for advance warning of any problems that might be discovered in the formal audit so he could be ready with a remediation plan. The company, which employs more than 10,000 people, is responsible for critical elements of physical infrastructures around the world and is regularly targeted by a wide variety of bad guys, including terrorists and foreign governments.

The CIO believed the company had some problems with physical security and end-user systems but thought he had the servers and network locked down. To get a true picture of the company's overall security, the CIO hired my team to do a preassessment without informing the majority of employees. For political reasons, he had to let several people know the test would be performed. And just to make my job more of a challenge, the director of the network operations center vowed my team wouldn't break into his systems or facilities.

Most of the company's assessment funds had been allocated to the formal audit, so the preassessment budget was tight. We had an advantage in that I'd been at the facility before for an unrelated reason, so I knew the makeup of the main facility and some of its physical weaknesses, which would save us a day or so of reconnaissance.

Open-Source Intelligence

We typically begin an espionage simulation by gathering intelligence on the company's physical, technical, and operational infrastructures, and on its personnel. Our search revealed a variety of information about the contracts the company was pursuing, as well as details on its facilities.
Most troubling, we found maps of some facilities in high-risk areas, which could help malicious parties target the company and its people. We also found a corporate phone directory intended for internal use. This would have immense value for the social-engineering attacks we were planning.

We uncovered information about the company's generic technical architecture by looking at trade Web sites and postings the company's IT staff had made to newsgroups. We knew the company had a Windows infrastructure with Sun Microsystems computers handling most of the server duties. Knowing the hardware and software let us predict technical vulnerabilities and helped us prepare to target the systems, both internally and externally.

We also found a variety of corporate domains to target. Later we learned that the people responsible for managing the company's Internet presence didn't know about some of these domains, which provided back doors into the company. Along the same lines, our search turned up more than 100 Web servers, though the IT staff had figured there were fewer than a dozen. We learned of the discrepancy when we informed someone from the CIO's staff of our findings at a breakfast meeting our first day on-site.

As happens in about half our reconnaissance efforts, we found evidence of illicit employee activities. For example, one employee was using his company E-mail account to sell information on how to perform criminal activities.

After a day and a half of this preliminary investigation, we ventured on-site. Three of us were involved in the internal test: Kevin, a technician familiar with attacks on Unix and Windows (the company's typical environments); Jeff, who would focus on social engineering and could assist on the technical side; and me. My focus was on the "black bag" aspects of the test--physically going into a high-risk environment to steal information or perform other high-risk tasks to support the espionage operations.
Our first job was to get into the building complex, which housed multiple tenants sharing a common entrance. An outside firm handled the facilities management and physical security. The reception desk was in the center of the main lobby, roughly 20 feet from the door. The lobby was wide open, so when we arrived I told my accomplices to act as if we were talking about something important and ignore the receptionist as we walked through the lobby toward the main building. The receptionist tried to get our attention, but we proceeded without being stopped. There was a proximity-card sensor on the door to the offices, and the door was locked, so we waited for someone to come out and walked on in.

We found the office our breakfast contact had assigned to us. Our team had its own gear--hubs, Ethernet cables, and so on--and we set up a small LAN inside the office off the room's Ethernet port.

At this point, I thought we should get company badges. I called the company operator and asked to talk to the people responsible for issuing badges. She connected me to the reception desk. I told the person who answered that I was the CIO and I had subcontractors who needed to be issued badges. She told me, "Just send them down now." Jeff and I went back downstairs, at which point the receptionist recognized us and said she had tried to talk to us when we came in. We apologized, saying we didn't know we had to stop and were there to make everything right.

A uniformed guard, who'd been standing next to the desk, led us to a room with a machine. There, we filled out a form requesting name, company, and contact information, which the guard didn't verify, and had our pictures taken. We made small talk with the guard, who asked what type of work we were doing. I told her it was computer work, and she asked, "Will you need access to the computer room?" "Definitely," I replied. She then made sure our badges were authorized to open computer-room locks.
When the badges were finished, the guard handed them to us and told us the access privileges might not take effect for a couple of hours.

Back in our office, Kevin told us he'd identified more than 250 Web servers through network scanning. The preponderance of Web servers indicated that the company had lost control of the internal architecture and was wasting resources. Most important, these systems were poorly maintained. These and the end-user PCs were vulnerable to viruses, worms, and other attacks. The file and mail servers were generally secure but still had some vulnerabilities.

Easy Access

Next we decided to scope out the computer room. The three of us headed to the basement, where we spotted a door in a back corner labeled "Computer Room." Duh. We entered the server room, which was unattended. We walked around, looking at the monitors, most of which were labeled. Kevin noticed that one was labeled "PDC," likely for primary domain controller. Kevin found that the system was logged on as the administrator. He quickly opened the User Administration tool and added a new user to the system, then added the user to the Administrator group. Then we left, quite unnoticed.

Back in our office, Kevin logged on to the PDC and had control of the company's entire Windows infrastructure. He downloaded the password file and proceeded to crack passwords.

Jeff started calling people he'd identified in his research and used several ruses to get them to disclose their passwords. He claimed to be an administrator investigating a security incident in which an outsider had called the help desk to change people's passwords. Of course, the employees then had to tell him their passwords.

Jeff then pulled up the names of key employees and started to focus on the cracked passwords. Because the company's user IDs were predictable, Jeff and Kevin identified the CEO's and pulled up his password. They logged on to his account.
They also learned the CEO's secretary's name and pulled up her account. We acquired information critical to the company's success, such as financial information, key project status, multibillion-dollar proposals, and other insider information. We also accessed information that could have compromised the CEO's personal safety, such as the tail number of the private jet he uses to fly into high-risk areas.

We got to the CEO's information through other means as well. Our espionage simulation included physical walkthroughs, and we specifically targeted the information-systems and human-resources departments and the executive offices. Again, the card-access systems gave us access to all the necessary facilities. Although some people didn't leave anything that could give us access to sensitive information, more than enough people had their passwords hidden in plain sight--taped to monitors or under keyboards--that we could access their accounts and, therefore, other people's information.

In the executive offices, keys and passwords, while not universally available, often were easy to find. For example, the CEO's secretary had the CEO's password written on a piece of paper inside her desk, even though the password was his first name. We gained access to the secretary's desk by finding a set of keys in another desk in the executive area. Also inside the secretary's desk was a key to the CEO's office. We had similar success getting data from the offices of the CFO and general counsel.

Then there were the Unix systems. By the second day, the CIO thought we could take some chances that I advised him we wouldn't take in real life because we already had the ability to control all the systems remotely. He specifically wanted me to get physical access to the network operations center. Jeff found out the name of a technical support person who was away for a week.
Sporting our headquarters access badges, we drove over to the network operations center, walked up to this building's receptionist, and told her we were there to see the person we knew was away. She told us he was out for the week. I replied that we were with the audit staff and needed to make sure we had all the systems cataloged in advance for the upcoming audit. I said we'd been told that person would show us around the center so we could count the systems. She volunteered to show us the facility.

We had planned how the attack would go. Jeff was to stay near the woman, and I would wander out of sight. As in most such operations centers, system names and IP addresses were taped to the system boxes. We recorded the names and addresses. While Jeff was distracting our escort and I was out of sight behind an equipment rack, I pulled something out of my bag and put it in the racks as if it were a network tap. After a couple of minutes, we told the woman we had everything we needed, and we left.

Spyware Installed

From a technical perspective, Kevin had found critical vulnerabilities in the network operations center's main servers before our visit. The systems appeared to be well-patched. However, staff members didn't check the servers regularly for vulnerabilities and missed reinstalling all patches when they reloaded operating systems. Because of the nature of the vulnerabilities found, we would have had to reboot the systems to finish the compromise and get root privileges on the critical servers. We didn't want to bring down the system, so Kevin came up with an alternative attack.

Thanks to the password-cracking Kevin had performed, he compromised the Sun admin's desktop system, which was actually a Windows system. He installed spyware that let him watch the administrator's activities and control the system. We waited for the admin to perform a remote logon to the Unix systems, which would let us capture the admin accounts and passwords.
Although we didn't need to do this because Kevin had identified vulnerabilities on the servers, it was a way to get root access without bringing down the systems. We eventually got the admin accounts for the Unix network. This, of course, provided an immense amount of engineering and project data.

All in all, this was a busy two days--yes, two days. Generally, all company information was available to us. We didn't have any information that a malicious party couldn't have found independently and with minimal effort. Although some might say we were just lucky, my teams consistently have this level of success in this time frame.

The people who will cause you the most harm are the professional and malicious criminals who want to access your information or cause you damage without being detected. Although these criminals might not get the same results as we did in two days, they very well may have more funding and time than we did and could use those to their advantage.

-=-

Lessons Learned

Our simulated espionage yielded the following recommendations:

- Demand authorization and verification from a company employee or sponsor for a person to receive a facility access card.
- Require special approval of the manager responsible for a facility for extra access privileges and notify that manager when such access has been granted.
- Establish security-awareness programs that include both physical and technical issues.
- Perform regular vulnerability scans on all network systems.
- Maintain audit logs for critical systems and review them regularly.
- Log out of critical systems when not in use and activate screen savers with passwords, even when they're in supposedly secured areas.
- Never assume you can hide keys or passwords. There are just so many places they can be hidden, and people will find them.
- Perform regular walkthroughs to find obvious vulnerabilities.

-=-

Ira Winkler, CISSP, is president of the Internet Security Advisors Group and the author of Spies Among Us (Wiley, 2005).
This article originally appeared in Secure Enterprise, an InformationWeek sister publication.
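The "maintain audit logs and review them regularly" lesson, applied to the PDC incident the article describes (a new user created on an unattended domain controller and immediately added to the Administrators group): a small Python detector, added here as an illustration and not part of the original article or Winkler's methodology, that correlates account-creation events with additions to privileged groups over constructed Windows Security event lines. The pipe-delimited line format, the account names, and the choice of privileged group names are assumptions; the event IDs are the standard ones (624/632/636 on Windows 2000/2003, 4720/4728/4732 on Vista and later).

```python
from datetime import datetime, timedelta

# Windows Security event IDs for "user account created" and "member added to a
# security-enabled global/local group", pre-Vista and Vista-and-later numbering.
CREATED = {"624", "4720"}
ADDED_TO_GROUP = {"632", "636", "4728", "4732"}
PRIVILEGED_GROUPS = {"administrators", "domain admins", "enterprise admins"}

# Constructed sample events (not real logs): timestamp|event_id|subject|target|group
SAMPLE_LOG = """\
2006-01-10T14:02:11|4720|CORP\\jsmith|CORP\\newuser01|
2006-01-10T14:02:40|4728|CORP\\jsmith|CORP\\newuser01|Domain Admins
2006-01-10T09:15:00|4720|CORP\\hrsvc|CORP\\contractor7|
2006-01-10T16:00:00|4732|CORP\\it-admin|CORP\\bob|Remote Desktop Users
2006-01-11T08:30:00|4728|CORP\\it-admin|CORP\\carol|Domain Admins
"""


def parse_events(text):
    """Parse the pipe-delimited sample format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, subject, target, group = line.split("|")
        events.append({"time": datetime.fromisoformat(ts), "id": eid,
                       "subject": subject, "target": target, "group": group})
    return events


def find_suspicious(events, window=timedelta(hours=1)):
    """Return alerts as (kind, target, group, subject) tuples.

    'new-account-elevated' fires when an account is created and added to a
    privileged group within `window` (the pattern the PDC attack produces);
    'privileged-group-add' covers any other addition to a privileged group,
    which still deserves a reviewer's eye."""
    created = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] in CREATED:
            created[ev["target"]] = ev["time"]
        elif ev["id"] in ADDED_TO_GROUP and ev["group"].lower() in PRIVILEGED_GROUPS:
            t0 = created.get(ev["target"])
            if t0 is not None and ev["time"] - t0 <= window:
                alerts.append(("new-account-elevated", ev["target"], ev["group"], ev["subject"]))
            else:
                alerts.append(("privileged-group-add", ev["target"], ev["group"], ev["subject"]))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(parse_events(SAMPLE_LOG)):
        print(alert)
```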