Wednesday, 10 December 2008
Thursday, 6 November 2008
However, as more and more organisations give employees the flexibility to work at home, I can't help wondering about the impact on security ... unencrypted (or WEP-encrypted) home wireless networks ... kids playing with company laptops ... unencrypted hard drives ... no clear desk policies ... poor physical security ... and an increasing trend for staff to use their home computers to connect to company VPNs. Scary stuff.
Perhaps we ought to consider expanding ethical hacking and audit to include home networks and PCs?
Tuesday, 28 October 2008
There is no cost for non-commercial use of this tool. Access is publicly available to anyone.
Wednesday, 17 September 2008
Sunday, 24 August 2008
Saturday, 2 August 2008
A little head scratching and I realised that my pride had caused me to announce that I was translating French awareness material into English in my "what are you doing at the moment" thingy in Facebook. As far as I can see this is the only place on the web where my translation skills were on display. So - are the spammers monitoring all our Facebook accounts to refine their targets, or am I being paranoid again?
Friday, 11 July 2008
If I were to wander into your offices, plug in my laptop and within minutes take control of your network infrastructure, would you be surprised?
There’s a "backdoor" into many large networks which few organisations seem to recognise or understand – Simple Network Management Protocol (SNMP). SNMP is the Internet standard protocol developed to manage nodes (servers, workstations, routers, switches and hubs etc.) on an IP network. It enables network administrators to manage network performance, find and solve network problems, and plan for network growth (ref http://www.snmplink.org/). It’s also one of the easiest ways for someone to control your network, steal information and eavesdrop on traffic!
By default, SNMP is enabled on routers, switches and even servers. If you’re using network management software like HP OpenView or IBM Tivoli then you’re using SNMP. Even if you’re not using any network management tools, you’ll still have SNMP somewhere on your network. There are two passwords (called “community strings”) that you need to know in order to take advantage of SNMP - the read string, which has a default value of “public” and the read/write string, which is set to “private”. Most people never change these defaults. Armed with this knowledge you can view, alter or remotely control any SNMP-enabled device.
When I plug into your network a DHCP server will issue me an IP address. At the same time I am also given a “default gateway” address – the address of the router that my laptop needs to know about in order to view the rest of your network. Just type “ipconfig –all” at a command prompt to see what I mean. If I feed the default gateway address into a network discovery tool like SolarWinds Network Sonar (http://www.solarwinds.net/) and if your router is set up with defaults, I will soon have details of every device on your network. I can also download the router config from each of your routers and read the administrative passwords, giving me the keys to your network infrastructure.
If you have Windows servers running SNMP (and chances are you do) then I can list the name of every user and group on that server. This gives me an excellent starting point for password guessing and dictionary attacks. I can also map out your Windows domain, discover your server names and even see what hardware you’re using.
Of course it’s not just the casual visitor who may take advantage of this vulnerability, but a disgruntled member of staff, an industrial spy disguised as a contractor or just a nosy IT graduate. Most organisations remain highly vulnerable to insider attacks, yet feel secure because they’ve spent a lot of money on firewalls. It’s time to wake up and recognise that organised crime and casual thieves will both take the easiest, least risky route and that’s from inside the organisation.
So what can you do? First and foremost, if you’re not using SNMP, turn it off! If you are using it, a good start must be to change those default community strings. But before you rush off to start this project, a few words of caution. Firstly, discover which software in your organisation is using SNMP and whether it can use non-default community strings (there are still some horrible applications with hard-coded strings and passwords in many organisations). Secondly, once you’re satisfied that nothing will break if you change those strings, select something complex that will resist a dictionary attack. A long string of mixed case, numbers and punctuation is best. Thirdly, as you’ll need to write those complex strings down, make sure you secure that information properly!
Now, before you go to set up that meeting with your network admins, there are a number of other backdoors that may reveal your SNMP strings to an attacker even after you’ve changed them all. So build a strategy to seek out those backdoors and secure them, and then develop an incident response procedure to use when your shiny new community strings are compromised.
One sneaky method of exposing SNMP community strings is via server management consoles like HP/Compaq Insight Manager (CIM), which may have been poorly configured. A web browser interface to CIM can often be found on TCP port 2301 (and 2381 for HTTPS). Older versions have a default Administrator password of “administrator”, permitting an unauthorised user to gain control of the server remotely, read and alter the SNMP strings and even power down the server.
A short network discovery exercise can provide you with valuable information on your network weaknesses and a remediation plan for your networks team. Understanding how these and other default infrastructure configurations can provide unrestricted access to your network is a major weapon in the battle against hackers and insiders.
Friday, 6 June 2008
Lately there's been a lot of news about Facebook using personal details for profit and now Canada's federal privacy commissioner has launched an investigation into Facebook. Apparently four students complained that the popular Web site violates Canadian law by disclosing personal information to advertisers without proper consent.
This in turn reminded me of a wonderful YouTube video - definitely worth watching and passing on to your less security-aware friends and family!
Tuesday, 13 May 2008
Friday, 7 March 2008
The same techniques I used to break into a Windows network in 1996 still work today, for example. Why? Because, despite manufacturers such as Microsoft and Oracle spending huge efforts to improve the security of their products, organisations still use stupid passwords, fail to understand security best practice and don't think outside of the box.
Just this week we again found Windows domain administrator accounts with pathetically weak passwords and business-critical infrastructure with default SNMP read/write strings. It took just just minutes to gain complete control of a global company's network with no prior knowledge at all. Every time we are asked to conduct a social engineering exercise - walking in the back door with the smokers, strolling past reception carrying a sandwich at lunchtime, or phoning the help desk and getting remote access - we find the same thing. No security awareness amongst staff at all.
So imagine my delight when five major clients all approached me to assist with staff awareness training this year. It seems that large organisations are finally getting to grips with the "human firewall" concept and realising that they need to invest in people, not just technology. Let's hope this trend continues!
Monday, 21 January 2008
I'm particularly proud of one aspect of our service: that we are pragmatic. By this I mean our ability to focus on genuine threats without being lost in the testosterone-driven "I've found the most obscure vulnerability ever" mindset. Wearing a white hat is much more than digging deeper than the next penetration tester - it's also about helping clients to understand where they should put their effort and their budget to get the most appropriate defence.
For me the most obvious illusion is that the important attacks will come from outside the organisation and that they will come via the interweb. If an organised criminal is going to target your organisation, then they're going to take the route that combines the best return on their investment with the highest probability of success (and to some degree the lowest risk). This is a typical business model - just an immoral one in their case.
So where do I believe organisations should focus? On what I'm calling blended attacks - attacks that combine technical skills with social engineering. These are the types of attack which we find work time after time, in the fastest way, with the highest return and with little risk of detection. There's nothing new in this sort of approach (just read Kevin Mitnick), yet the majority of organisations do little or nothing to test for these vulnerabilities.
Here's an example from my own team's experience. Recently, a UK-based insurance company asked us to test their physical security, with the objective of stealing as much information as possible. Andy and I rented a car close to their offices, then I parked in their car park and waited, having dropped Andy off at the side of the building. He was wearing a suit without a jacket, so he looked as if he had just come out from the office. At the rear of the building was a door with a proximity card access control. This door was used by the smokers who (as usual these days) had to visit a little shelter at the rear of the building to get their fix. When one employee finished her cigarette and walked back towards the door, Andy ran after her and, complaining about the weather, asked her to hold the door for him - which of course she did. He was then able to open the door from the inside and let me in. We then played our assigned roles - Andy was the employee and I was the consultant, there to conduct a security audit (of course!). We found the usual suite of meeting rooms and selected one which was empty. Within a couple of minutes I had hooked up my laptop to a network port in the floor, obtained a DHCP address and started my network discovery software. After an hour or so, some genuine employees arrived to use the meeting room - we of course apologised for the double booking and found ourselves another empty room. In total we were on site for five hours and able to grab just about anything we wanted from the network. We were never challenged or asked to show a badge, and at the end of the day we left by the same route we came in. Game over.
There really is no substitute for the "human firewall" and there's definitely no patch for ignorance (it is ignorance, not stupidity in many cases, you know). Using the results of this type of exercise demonstrates to everyone how easy this devastating style of attack can be, and allows the organisation to start the difficult process of security awareness education. And they not only have to educate the office staff, they have to educate the IT folks and the senior managers and board members too.
Tuesday, 1 January 2008
From time to time we are asked to test the security of a laptop build - perhaps the organisation is intending to migrate to a new version of Windows or has simply designed a new “build” - in any event we are asked to test the security of their standard laptop configuration.
Our first check is to see whether a BIOS password has been set. This poses a small hurdle to the would-be attacker, one that is usually overcome fairly simply by a bit of jiggery-pokery on the motherboard or by removing the hard disk and putting it in a another system. A hard-disk password is a different problem, which often requires specialist assistance, and is therefore considerably more effective. Unless that is, the hard disk password is the same as the BIOS password in which case the problem is solved. However we have yet to find a corporate laptop utilising either form of power-on password, probably because of the anticipated support costs of all those forgotten passwords!
Assuming that there are no BIOS passwords, all we need is a Windows username and password. Since we have physical access to the machine, that is very easy to achieve. Software such as Petter Nordahl-Hagen’s Offline NT Password and Registry Editor is free and available for download on the web. This software creates a bootable CD or floppy disk which can be used to reset the administrator’s password without ever starting Windows.
Once done, you reboot the laptop and login as Administrator with full access to everything, including any dial-up or VPN connections of course. However, if your laptop’s owner has used Microsoft’s encrypting file system (EFS) on XP, then you will not be able to recover those files, which could be very irritating!
An alternative approach is to use a program like NTFS Reader for DOS, which will allow you to make a copy of the Windows SAM file containing the usernames and passwords, again without running Windows. Once you have a copy of the SAM file, you can run a password cracking program to discover all the passwords on the laptop, and then logon with the Administrator’s legitimate credentials.
This is slightly more time consuming but leaves no evidence of tampering and preserves the EFS files intact. In case you are wondering, a sure-fire way to crack the passwords is to use rainbow tables with a tool such as Cain and Abel. The rainbow tables are pre-computed password hashes for almost every combination of letter, number and punctuation character for passwords up to 14 characters in length, making the job of finding the passwords just a matter of time. Although they are very large (many gigabytes in size) Windows rainbow tables are available for free download from the Internet or can be purchased online for delivery on a set of CDs or DVDs.
There is one simple solution to Unprotected Laptops: full disk encryption. This provides the laptop user with the facility to protect everything with one easily remembered passphrase (much simpler to manage and remember than a complex password) whilst providing the IT support people with a legitimate “backdoor” into the laptop if the user’s passphrase is forgotten or if the member of staff leaves the organisation under a cloud.