The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers (22 page)

when the alarm went off and now was calling to say "False

alarm, it's okay."

I didn't stay around to listen.

Unchallenged The pen test was drawing to a close. The company's security executives had been so confident that the pen testers would not be able to penetrate the network and would not be able to gain unauthorized physical access to the buildings, yet no team member had been challenged. Dustin had slowly been raising the "noise level," making their presence more and more obvious. Still nothing.

Curious about how much they could get away with, several team mem- bers gained access to a company building by tailgating, lugging with them an enormous antenna, an in-your-face contraption that took a real effort to carry. Some employee would surely notice this freaky device, wonder about it, and blow the whistle. Chapter 6 The Wisdom and Folly of Penetration Testing 133

So, without badges, the team roamed first one of Biotech's secured buildings and then the other, for three hours. No one said a single thing to them. No one even asked a simple question like "What the hell is that thing?" The strongest response came from a security guard who passed them in a hallway, gave them a strange look, and moved on his way with- out even a glance back over his shoulder.

The Callisma team concluded that, as in most organizations, anyone could walk in off the street, bring in their own equipment, wander throughout the buildings, and never be stopped or asked to explain themselves and show authorization. Dustin and his teammates had pushed the envelope to an extreme without a challenge.

Hand Warmer Trick It's called a Request to Exit (REX), and it's a common feature in many business facilities like Biotech's. Inside a secure area such as a research lab, you approach a door to exit and your body triggers a heat or motion sensor that releases the lock so you can walk out; if you're carrying, say, a rack of test tubes or pushing a bulky cart, you don't have to stop and fumble with some security device to get the door to open. From outside the room, to get in, you must hold up an authorized ID badge to the card reader, or punch in a security code on a keypad.

Dustin noticed that a number of the doors at Biotech outfitted with REX had a gap at the bottom. He wondered if he could gain access by outsmarting the sensor. If from outside the door he could simulate the heat or motion of a human body on the inside of the room, he might be able to fool the sensor into opening the door.

I bought some hand warmers, like you get at any outdoor supply

store. Normally, you put them in your pockets to keep warm. I let

one get nice and warm, then hooked it to a stiff wire, which I slid

under the door and started fishing up toward the sensor, waving

it back and forth.

Sure enough, it tripped the lock.

Another taken-for-granted security measure had just bitten the dust.

In the past, I've done something similar. The trick with the type of access-control device designed to detect motion instead of heat is to shove a balloon under the door, holding on to the open end. You fill the balloon with helium and tie it off the end with a string, then let up float up near the sensor and manipulate it. Like Dustin's hand warmer, with a little patience, the balloon will do the trick. 134 The Art of Intrusion

End of the Test The Biotech lights were on but no one was home. Although the com- pany IT executives claimed they were running intrusion-detection sys- tems, and even produced several licenses for host-based intrusion detection, Dustin believes the systems were either not turned on or no one was really checking the logs.

With the project coming to a close, the Keyghost had to be retrieved from the system administrator's desk. It had remained in place for two weeks without being noticed. Since the device was located in one of the more difficult areas to tailgate, Dustin and a teammate hit the end of lunch rush and jumped to grab the door and hold it open, as if being helpful, as an employee started through. Finally, and for the first and only time, they were challenged. The employee asked if they had badges. Dustin grabbed at his waist and flashed his fake badge, and that casual movement seemed to satisfy. They didn't look frightened or embarrassed, and the employee continued into the building, allowing them to enter as well without further challenge.

After gaining access to the secured area, they made their way to a con- ference room. On the wall was a large whiteboard with familiar termi- nology scribbled on it. Dustin and his colleague realized they were in the room where Biotech held their IT security meetings, a room the com- pany would definitely not have wanted them to be in. At that moment, their sponsor walked in, and looked stunned to find them there. Shaking his head, he asked what they were doing. Meanwhile, other Biotech secu- rity people were arriving in the meeting room, including the employee they had tailgated at the building entry door.

He saw us and said to our sponsor, "Oh, I'd just like you to know

that I challenged them on the way in." This dude was actually

proud he'd challenged us. Embarrassment is what he should have

been feeling, because his single question challenge wasn't strong

enough to find out if we were legitimate.

The supervisor whose desk was rigged with the Keyghost also arrived for the meeting. Dustin took advantage of the opportunity and went to her cubicle to reclaim his hardware.

Looking Back At one point during the test, certain someone would notice, Dustin and the team had brazenly scanned the company's entire network, end to end. There wasn't a single response to this invasive procedure. Despite behaviors that Dustin describes as "screaming and shouting," the client's Chapter 6 The Wisdom and Folly of Penetration Testing 135

people never noticed any of the attacks. Even the "noisy" network scans to identify any potentially vulnerable systems had never been noticed.

At the end we were running scans taking up huge amounts of

network bandwidth. It was almost as if we were saying, "Hey,

catch us!"

The team was amazed at how numb the company seemed to be, even knowing full well that the pen testers would be trying their damnedest to break in.

By the end of the test, it was bells, whistles, screaming, shouting,

and rattling pans. Nothing! Not a single flag raised.

This was a blast. It was overall my favorite test ever.

INSIGHT Anyone curious about the ethics of a security consultant, whose work requires slipping into places (both literally and figuratively) that an out- sider is not supposed to be, will find the techniques of Mudge and Dustin Dykes enlightening.

While Mudge used only technical methods in the attack he described, Dustin used some social engineering as well. But he didn't feel very good about it. He has no qualms with the technical aspects of the work and admits to enjoying every moment of it. But when he has to deceive peo- ple face to face, he becomes uncomfortable.

I was trying to rationalize why this is. Why does one rip at me

and the other has no effect? Maybe we're brought up not to lie to

people, but we're not taught computer ethics. I would agree that

there's generally less compunction when fooling a machine than

deceiving your fellow man.

Still, despite his qualms, he regularly feels an adrenalin rush whenever he pulls off a smooth social engineering caper.

As for Mudge, I think it's fascinating that, while he wrote a very pop- ular password-cracking tool, in other areas he relies on methods that are the stock-in-trade of hackers everywhere.

COUNTERMEASURES Mudge identified a default firewall rule that allowed incoming connections to any high TCP or UDP port (over 1024) from any packet that had a 136 The Art of Intrusion

source port of 53, which is the port for DNS. Exploiting this configura- tion, he was able to communicate with a service on the target computer that eventually allowed him to gain access to a mount daemon, which enables a user to remotely mount a file system. Doing this, he was able to gain access to the system by exploiting a weakness in NFS (network file system), and gain access to sensitive information.

The countermeasure is to carefully review all firewall rules to ensure they're consistent with company security policy. During this process, keep in mind that anyone can easily spoof a source port. As such, the fire- wall should be configured to allow connectivity only to specific services when basing the rule on the source port number.

As mentioned elsewhere in this book, it's very important to ensure that both directories and files have proper permissions.

After Mudge and his colleagues successfully hacked into the system, they installed sniffer programs to capture login name and passwords. An effective countermeasure would be using programs based on crypto- graphic protocols, such as ssh.

Many organizations will have policies regarding passwords or other authentication credentials for accessing computer systems, but fall short on PBX or voicemail systems. Here, the l0pht team had easily cracked several voicemail box passwords belonging to executives at the target company, who were using typical default passwords, like 1111, 1234, or the same as the phone extension. The obvious countermeasure is to require reasonably secure passwords to be set on the voicemail system. (Encourage employees not to use their ATM pin either!)

For computers containing sensitive information, the method described in the chapter for constructing passwords using special nonprinting char- acters created with the Num Lock, key, and numeric keypad is highly recommended.

Dustin was able to freely walk into Biotech's conference room, since it was located in a public area. The room had live network jacks that con- nected to the company's internal network. Companies should either dis- able these network jacks until needed or segregate the network so that the company's internal network is not accessible from public areas. Another possibility would be a front-end authentication system that requires a valid account name and password before allowing the person to communicate.

One method to mitigate tailgating attacks is to modify what social psy- chologists call the politeness norm. Through appropriate training, com- pany personnel need to overcome the discomfort that many of us feel about challenging another person, as often happens when entering a building or work area through a secured entrance. Employees properly Chapter 6 The Wisdom and Folly of Penetration Testing 137

trained will know how to politely question about the badge when it's apparent the other person is attempting to "tag along" with them through the entrance. The simple rule should be this: Ask, and if the per- son doesn't have a badge, refer them to security or the receptionist, but don't allow strangers to accompany you into a secured entrance.

Fabricating phony corporate ID badges offers a too-easy technique for walking into a supposedly secure building unchallenged. Even security guards don't often look at a badge closely enough to tell whether it's the genuine goods or a fake. This would be tougher to get away with if the company established (and enforced) a policy calling on employees, con- tractors, and temporary workers to remove their badges from public view when they leave the building, depriving would-be attackers with lots of opportunities to get a good look at the badge design.

We all know security guards are not going to examine each employee's ID card with close scrutiny (which, after all, would be a near impossibil- ity for even a conscientious guard when streams of people parade past first thing in the morning and at the end of the day). So, other methods of protecting against unwanted entry by an attacker need to be consid- ered. Installing electronic card readers brings a much higher degree of protection. But in addition, security guards must be trained how to thor- oughly question anyone whose card is not recognized by the card reader, since, as suggested in the story, the problem may not be a small glitch in the system but an attacker attempting to gain physical entry.

While company-wide security awareness training has been growing much more common, it's almost always lacking in a big way. Even com- panies with an active program often overlook the need for specialized training for managers so that they are appropriately equipped to ensure that those under them are following the mandated procedures. Companies that are not training all employees in security are companies with weak security.

THE BOTTOM LINE It's not often that readers are afforded the opportunity of gaining insight into the thinking and the tactics of someone who has contributed signif- icantly to the arsenal of hacker's tools. Mudge and l0phtCrack are in the history books.

In the view of Callisma's Dustin Dykes, companies asking for a pene- tration test often make decisions against their own best interests. You'll never know how vulnerable your company truly is until you authorize a full-scale, no-holds-barred test that allows social engineering and physi- cal entry, as well as technical-based attacks.

Of Course Your Bank

Is Secure -- Right? If you try to make your systems foolproof, there is always one more fool who is more inventive than you.

-- Juhan

E

ven if other organizations don't measure up in their security

practices to bar the door to hackers, at least we'd like to think

that our money is safe, that no one can obtain our financial information or even, nightmare of nightmares, get to our bank accounts and issue commands that put our money into their pockets.

The bad news is that the security at many banks and financial institu- tions is not as good as the people responsible for it imagine it is. The fol- lowing stories illustrate the point.

IN FARAWAY ESTONIA This story illustrates that sometimes even a guy who isn't a hacker can successfully hack into a bank. That's not good news for the banks, or for any of us.

I have never visited Estonia, and may never get there. The name con- jures up images of ancient castles surrounded by dark woods and super- stitious peasants -- the sort of place a stranger doesn't want to go wandering about without an ample stash of wooden stakes and silver bul- lets. This ignorant stereotype (helped along by corny low-budget horror

139 140 The Art of Intrusion

flicks set in Eastern European woods, hamlets, and castles) turns out to be more than a little inaccurate.

The facts turn out to be quite different. Estonia is a good deal more modern than I pictured, as I learned from a hacker named Juhan who lives there. Twenty-three-year-old Juhan lives alone in a spacious four- room apartment in the heart of the city with "a really high ceiling and a lot of colors."

Estonia, I learned, is a small country of about 1.3 million (or roughly the population of the city of Philadelphia) stuck between Russia and the Gulf of Finland. The capital city of Tallinn is still scarred by massive con- crete apartment buildings, drab monuments to the long-dead Soviet empire's attempt to house its subjects as economically as possible.

Juhan complained, "Sometimes when people want to know about Estonia, they ask things like, `Do you have doctors? Do you have a uni- versity?' But the fact is that Estonia is joining the European Union on the first of May [2004]." Many Estonians, he says, are working toward the day when they can move out of their cramped Soviet-era apartment to a small home of their own in a quiet suburb. And they dream of being able to "drive a reliable import." In fact, a lot of people already have cars and more and more people are getting their own homes, "so it's improving every year." And technologically, as well, the country is no backwater, as Juhan explained:

Estonia already in the beginning of nineties started to implement

the infrastructure of electronic banking, ATMs and Internet

banking. It's very modern. In fact, Estonian companies provide

computer technology and services to other European countries.

You might think this would describe a hacker's heaven: all that Internet use and probably way behind the curve when it comes to security. Not so, according to Juhan:

Regarding the Internet security, this, in general, is a good place

due to the fact that the country and communities are so small. It's

actually quite convenient for service providers to implement tech-

nologies. And, regarding the financial sector, I think the fact

that enables the Americans to make a connection is that Estonia

has never had an infrastructure of bank checks -- the checks that

you're using to pay a lot of bills in the shops.

Very few Estonians ever go into a bank office, he says. "Most people have checking accounts, but don't know what a bank check looks like." Chapter 7 Of Course Your Bank Is Secure -- Right? 141

Not because they're unsophisticated about financial things but because, in this area, at least, they are ahead of us, as Juhan explains:

We've never had a large infrastructure of banks. Already, in the

beginning of the nineties, we'd started implementing the infra-

structure of electronic banking and Internet banking. More than

90 to 95 percent of people and businesses transferring money to

each other are using Internet banking.

And they use credit cards, or "bank cards" in the European terminology.

It's more convenient to use direct payment in the form of Internet

banking or bank cards, and there is just no reason for people to

use checks. Unlike America, nearly everyone here uses the Internet

for banking and to pay their bills

The Bank of Perogie Juhan has been heavily into computers since the tender age of 10, but doesn't consider himself a hacker, just a white hat serious about security. Interviewing him was no problem -- he started learning English in school beginning in second grade. The young Estonian has also done a lot of studying and traveling abroad, giving him further opportunities to develop his English conversational skills.

One recent winter in Estonia was especially harsh, with polar condi- tions, snow banks all around, and temperatures down to minus 25 degrees Celsius (13 degrees below zero Fahrenheit). It was so bitter that even the locals, who were used to frigid winters, didn't want to go out unless they had to. This was a good time for a computer guy to stay glued to his screen, hunting for anything good enough to capture his attention.

That's what Juhan was doing when he stumbled onto the Web site of what we'll call the Bank of Perogie. It looked like a target worth exploring.

I stepped into the interactive FAQ section that allows people to

post questions. I have the habit of looking into Web page form

sources. I sort of just got to a Web site and I started to look into

it. You know the process yourself -- you surf around and you just

browse without any strategic purpose.

He could see that the file system was the type used by Unix. That immediately narrowed the type of attacks he would try. Viewing the source code of several web pages revealed a hidden variable that pointed to a filename. When he tried changing the value stored in the hidden form element, "It became clear that they didn't do any sort of request for 142 The Art of Intrusion

authentication. So whether I submitted input from a bank site or from a local PC didn't matter to the bank server," he said.

He changed the attributes of the hidden form element to point to the password file, which allowed him to display the password file on his screen. He discovered that the passwords were not "shadowed," which means the standard encrypted form of every account's password was vis- ible on his display. So, he was able to download the encrypted passwords and run them through a password cracker.

Juhan's password cracker program of choice was a well-known one with the deliciously amusing name of "John the Ripper," which he ran using a standard English dictionary. Why English instead of Estonian? "It's common practice around here to use English passwords." But the fact is that many Estonians have a good basic knowledge of English.

The cracker program didn't take long, only about 15 minutes on his PC, since the passwords were basic -- simple English words with a few num- bers tacked on the end. One of them was golden: he recovered the root password, giving him administrator's privileges. And there was more:

There is this one telebanking service that has a trade name which

I'm not sure if I should mention here, but [I found] an account

for that service. It looked like it was probably the system account

that was running the services on that server.

He didn't go further in this direction, explaining that "having passwords was the point where I stopped." Prudence was the name of the game.

I could get in trouble. After all, I work in the information secu-

rity business. I had some motivation not to do any harm.

But the situation looked too good to be true. I figured it might be

a honey pot, a trap to lure people like me in and then get prose-

cuted. So I contacted my superiors and they reported it to the bank.

His disclosure didn't get him into hot water with his employer, nor with the bank, but quite the opposite. His company was offered the assignment of investigating further and coming up with a solution to plug the loophole. Juhan's company put him on the job, figuring he could finish what he'd already started.

It was sort of surprising to me that the events went like that

because actually the Internet security in Estonia is at a better

level than it is elsewhere. This is not determined by me, but is said

by many people who have come here from other places. So it was Chapter 7 Of Course Your Bank Is Secure -- Right? 143

kind of surprising for me to find out this one hole and then how

easy it was to get my hands on very secret sort of information.

Personal Opinion From experiences like this, Juhan has come to believe it's in the best interest of a company that finds itself compromised by a hacker not to prosecute, but instead work with the hacker to fix whatever problems he or she has uncovered -- sort of a "if you can't beat 'em, join 'em" phi- losophy. Of course, the government doesn't usually see it this way, as proven yet again with the hounding of Adrian Lamo (see Chapter 5, "The Robin Hood Hacker"), saddled with a felony conviction despite the fact that he (for the most part) provided a public service by advising companies of their vulnerabilities. Prosecuting can certainly be a lose/ lose situation, especially if the company never learns the particular vulner- abilities the hacker used to infiltrate its network.

As a knee-jerk response, firewalls and other defenses are piled on, but it's an approach that may completely overlook the unseen flaws that astute hackers may discover, not to mention all the ones already well- known to the hacker community. Juhan captured his view on this in a particularly vivid statement:

If you try to make your systems foolproof, there is always one more

fool who is more inventive than you.

THE LONG-DISTANCE BANK HACK Gabriel speaks French as his native language and lives in a Canadian town so small that, even though he describes himself as a white-hat hacker and considers defacing an act of stupidity, he acknowledges that he's "done it a time or two when bored to the point of despair," or when he found a site "where security was so shoddy someone needed to be taught a lesson."

But how does a guy in rural Canada come to hack a bank in a state in the southern United States, right in the heart of Dixie? He found a Web site that showed "what IP address ranges (netblocks) were assigned to particular organizations."1 He searched the list "for words such as gov- ernment, bank, or whatever," and it would pop up some IP range (for example, 69.75.68.1 to 69.75.68.254), which he would then scan.

One of the items that he stumbled onto was an IP address that belonged to a particular bank in the heart of Dixie. That launched Gabriel into what would become an intensive hack. 144 The Art of Intrusion

A Hacker Is Made, Not Born At age 15 (which, as you may have noted from previous chapters, ranks as a late start, something like taking up basketball in high school and going on to the NBA), Gabriel had advanced from playing games like Doom to hacking with a friend on his 386 machine with its 128MB hard drive. When the machine proved too slow for what he wanted to do, Gabriel spent what was for him a fortune playing network games at the local computer caf�.

The world of computers was addictive and sweet relief from the harsh competitiveness of high school, where Gabriel endured daily teasing by peers, simply because he was different. It didn't help that he was the new kid on the block and the youngest in his class, having started his schooling in another province before his family moved. No one ever said it was easy being a geek.

His parents, who both work for the government, couldn't understand their son's obsession with the machines, but then this seems a common problem for generations raised in technologically night-and-day time periods. "They never wanted me to buy a computer," he recalls. What they wanted was that he "just get out and do something else." Mom and Dad were so worried about their boy that they sent him to a psycholo- gist to help "normalize" him. Whatever happened in those sessions, it definitely didn't result in the gangly teenager's giving up his passion for computers.

Gabriel took Cisco courses at a local trade college. Completely self- taught, he often knew more than the teachers, who would sometimes defer difficult explanations to him. The now 21-year-old Canadian seems to have the kind of hacker talent that allows making discoveries on his own. Even when it's a well-known exploit, the ability marks the hacker as living in a different world from the "script kiddies," who discover nothing on their own, but rather just download goodies from the Web.

One program he favored was called Spy Lantern Keylogger. This is another of those programs with the ability to electronically shadow peo- ple as they work, allowing the hacker to secretly intercept every keystroke typed on the target's computer system -- except that this one is suppos- edly completely invisible on the target's machine.

In addition, he also used the "shadowing" feature of an application called Citrix MetaFrame (an on-demand enterprise access suite), which is designed to allow system administrators to monitor and assist company employees. With the shadowing feature, the system administrator can covertly look over the shoulder of a user, seeing everything on his or her computer screen and what the user is doing and typing, and can even take over control of the computer. A knowing hacker who can locate a company Chapter 7 Of Course Your Bank Is Secure -- Right? 145

running Citrix may be able to do the same: take over computers. This obviously requires great caution. If he's not careful, the hacker's actions will be spotted, since anyone sitting at the computer will see the result of the actions that the attacker is taking (the cursor moving, applications opening, and so forth). But the opportunity can also provide a hacker with a chance for some innocent fun.