Dailydave
mailing list archives
Re: New presentation is up: 0days: How hacking really works
From: Anthony Zboralski <bcs2005 () bellua com>
Date: Mon, 7 Feb 2005 05:09:47 +0700
I agree with you, Holden! But 0day is still useful (see below)
When we are approached by the IT department for a penetration test or a risk assessment, the IT guys always want to limit the scope of the project to a purely technical perspective and/or to a specific part of their infrastructure; e.g. "we have this new firewall and online banking system we want to test the security".
We simply refuse this kind of assignment. Like Holden said, a real hacker will not limit his scope and will just hit the weakest nodes of the network of trust. When that happens they will go: "Ah we got hacked! This pen test was useless!".
I really prefer to deal with upper management to make sure we get a larger scope and execute the exercise from both a business and technical perspective.
As soon as a client requests a pen test we start profiling the company and analyse its network of trust.
We request to extend the scope to include our client's law firm, its bankers, its service providers, and second & third parties (e.g. web agencies, outsourcers...). If some of the parties involved refuse to participate in the exercise, we still perform a non-intrusive review of their infrastructure.
During the profiling phase, we look at:
* Business functions/units (Treasury, Accounting, Operations, Development, Customer Support, Branches...)
* Network of trust (ISPs, infrastructure providers (VSAT, fiber, microwave, etc.), system integrators, third party contractors, affiliations...)
* Network Infrastructure (private and public)
* Systems
* Applications (web, online banking, corporate banking, payment gateway, core banking, etc.)
* Users
Our clients are usually quite impressed with the results of the non-intrusive activities. We analyse the trust dependencies, show them a nice hierarchical model and explain that if a specific trust element is compromised most of the elements below will be compromised as a side-effect. We also do a very simple business impact analysis. It's a good marketing tool.
A lot of this information can be gathered from open sources and, as I said above, we start gathering intelligence as soon as we are invited to respond to an RFP or approached by a company. We also keep an eye on our clients and prospects for any new event or project which may introduce new risks. Of course, they often freak out and wonder if they can really trust us; we explain that hackers don't need their trust or authorisation to attack them. Criminals don't abide by the law, we do.
We also make it clear that we are not here to point fingers at anyone (IT, vendors, etc.); it's just a drill to build awareness and perform due diligence. We are allies, not enemies: our mission is to help our clients improve their security and protect their business (although we are not a Mafia.)
Once the client gives us the green light, we start the fun part.
War Dialling: most of the vendors have signed a service level agreement with our clients which forces them to respond to incidents within 0 to 4 hours depending on the BCP/DRP requirements. We can be sure to find a lot of modems. The vendors always mention security in their marketing blurbs; in reality they don't give a crap. In Asia, when IBM installs a "Secure Storage System" or a database, they stuff in a modem and, to log in, the username is "service" and the password is "service", and when Cisco Gold Partners install a router, they quite often set the username, password and enable password to the name of the client, the name of the vendor or the name of the location. (I bet this is not only the case in this region of the world.)
We usually scan 3000 phone numbers derived from phone numbers we found in marketing brochures, regional offices, branches, etc. It costs only a couple of hundred bucks to dial all these numbers. Last time we found 146 carriers, 50 were interesting. Our client was shocked there were so many; they didn't even know about half of them as they have outsourced big chunks of their infrastructure. One of the listening devices we compromised was used by most of the branches and ATMs to dial or VPN back to the core banking system. From there, we also had full access to their internal network. They were using SNMP (Security Not My Problem) everywhere and we took control of every single Cisco router and switch we could find.
Wireless Security Survey: the IT Director actually complained about this one: "We don't use wireless!" - Just wait... We found a couple of rogue WiFi networks; one of them was used by an executive who bought a Wireless Access Point from a well known company, marketed as reliable and secure. One Centrino laptop was bridging one of the local LANs to a neighbour's wireless LAN. In both cases, no encryption, no VPN and default passwords. Again we were inside. We also did a bit of war driving: our client had asked a vendor to set up a backup link between the Head Office and the DRC and never checked how it had been implemented; the result was scary: ATM transactions and clearing in clear text, ...
"We don't use wireless, we should exclude this part from the scope!"
Social Engineering: we phone target individuals in critical business functions, IT people, security officers, the executives and their secretaries, HR, service providers, etc. We also deliver by courier or mail "free" USB thumb-drives, a bunch of CDROMs (labelled "payroll", "confidential", "proposal", "University Porn"); even when autorun isn't enabled there is always someone illiterate enough to execute our little trojan. Most of our new clients never implemented segregation in networks and duties, so one workstation or laptop compromised and the whole pyramid falls.
Physical Pen test: this is also a very fun part... We go straight to the headquarters and do a walk in. We first go uninvited and follow someone in. As long as we wear nice shoes, shirt and tie, no one is asking questions. Even after two bombings (the Marriott and the Australian Embassy), physical security in most buildings is still very poor. When it isn't the case we get invited for a job interview or pose as a journalist and request an interview. Again, dropping a USB thumb-drive or CDROM in the lift can lead to interesting results. Once we have access to an office floor, we go straight to a conference room and ask someone if we can use the room for 20 minutes; if they have port security, we just squat an empty workstation.
Internet Pen test: this can be completely useless because in most cases we have already targeted and compromised the people who maintain the online applications. We never do exhaustive scans; it isn't the purpose of the exercise. A pen test is more a role playing game. Also we try to be as stealthy as possible: we communicate heavily with our clients but we never tell them when we are going to perform an attack, and usually I prefer to have them in the middle of the night. We do a quick risk assessment: if there is a box we can compromise easily, we check if it can impact business continuity or not. If it does, we propose to our client to demonstrate the exploit in their development environment/sandbox.
Internal Pen test: in our report we link the internal pen test to the network compromises we executed in the other project activities. Our clients also like to know what can be done by a hacker, a corporate spy, an intern, a curious or rogue employee, a consultant or vendor with limited access to their infrastructure. During one of our last missions, from a neutral area, we successfully compromised our client's ATM source code, core banking and online banking application source code in less than 3 hours. This could have been done from any of the entry points (wireless, modem, social engineering/trojan, physical pen...)
Now I would not say that 0day attacks are useless. Most of the time we would never need them, but whenever we can use 0day we will (how much is CANVAS anyway?) It helps our clients realise that even if they have good patch management, they still need a good ISMS, secure business processes, 24h monitoring, expert advice (from us) to minimize the impact of a compromise (hardening, segregation in networks and duties, risk assessment, technology watch, intelligence gathering, due diligence, etc.), training, conferences ( http://www.bellua.net - http://www.cansecwest.com - http://www.blackhat.com )...
Another advantage of 0day is to lock out all the lamers selling vulnerability scanning with nessus, ISS, etc. Most of these !@# are quick-fix product vendors disguised as consultants who give a false sense of security to the clients. They tell them to put 3 firewalls and a bunch of crap IDS to protect their data center while everything around it is still open or vuln. This is ridiculous... and what really pisses me off is that their product sales subsidise their consulting activities to compete with us on price. Cisco Channel Partners for example offer free "Secure Infrastructure Design" to their prospects.
That's a long e-mail, I hope I didn't bore you. 'tis late, time to sleep.
Cheers,
Anthony Zboralski
--
Bellua Cyber Security Asia 2005 - http://www.bellua.com/bcs2005
21-22 March - The Workshops - 23-24 March - The Conference
bcs2005 () bellua com - Phone: +62213918330 HP:+628159102495
On 6 Feb 2005, at 13:51, Holden Williamson wrote:
Dear list,
I don't wish to rain too heavily on everyone's parade, but "real hacking" has very little to do with 0day and even less to do with remote exploits at all.
Before Dave got quite so hyped about selling CANVAS he used to admit that 0days, and remote exploits in general (implicitly, at least) were for the "weekend warriors" - the penetration testing teams and the scriptkiddies.
Remote exploits are of use to only these two categories of attackers. Scriptkiddies because they have no understanding of true attack paradigms and penetration testers because they can only attack the scope of the target which they have been assigned.
Any "real hacker" will already have set up "infrastructure" many years ago and will maintain this. "REAL HACKING" is done by having root on boxes and doing a lot of harvesting and correlation of password/auth token data.
For example, if I wanted to own navy.mil I would not attack navy.mil, I would go via the Astronomy lab at the University of Maryland. Likewise when I want to own Microsoft I go via the computer science lab at Cambridge.
The internet is a network of trust. You are only as secure as the weakest link in your chain of trust. This is an attack paradigm known to "REAL HACKERS" as Trusted Path Exploitation.
Any penetration test cannot take into account your ISP or any other boxes logging into (or having access to in any way) your network. Therefore, if penetration testing without 0days is useless in the face of 0days then penetration testing with 0days (and therefore any penetration testing within the current legal bounds) is useless in the face of Trusted Path Execution, which is how all the "REAL HACKERS" do everything anyway.
This whole thread is yet another iteration of the trend for people to turn hacking into some kind of game of academic masturbation.
The sooner people realise that hacking is a psychological and not a technological game the sooner networks will become secure.
Luckily for people like me this isn't going to happen very soon.
Yours (very drunk) in motherfucking (Brazilian) cyberspace -
Holden Williamson AKA the limey haqr
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
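The "hierarchical model" of trust dependencies Anthony describes, and Holden's "weakest link in your chain of trust", can be worked through with a small dependency graph. The example below is added here and is not code from either poster: the entities and who-trusts-whom edges are a constructed, hypothetical client, and `blast_radius` ranks each trust element by how many dependent elements fall with it.

```python
"""Blast-radius model for a network of trust (added example, not from the thread).

A directed edge A -> B means "A trusts B": a compromise of B is assumed to
carry over to A (A is one of the "elements below" B in the hierarchy).
"""
from collections import deque

# Constructed sample for a hypothetical client "Bank" and the kinds of
# parties the post names (law firm, ISP, vendors, branches, ATMs).
TRUSTS = {
    "Bank":                ["Law firm", "ISP", "Core banking vendor", "Web agency"],
    "Online banking":      ["Bank", "Web agency", "ISP"],
    "Branches":            ["Bank", "VSAT provider", "Core banking vendor"],
    "ATM network":         ["Branches", "Core banking vendor"],
    "Law firm":            ["ISP"],
    "Web agency":          [],
    "ISP":                 [],
    "VSAT provider":       [],
    "Core banking vendor": ["Vendor modem line"],
    "Vendor modem line":   [],
}

def dependents(trusts):
    """Invert the map: for each trusted party, the set of entities relying on it."""
    rev = {node: set() for node in trusts}
    for node, parties in trusts.items():
        for party in parties:
            rev.setdefault(party, set()).add(node)
    return rev

def blast_radius(trusts, start):
    """All entities transitively compromised if `start` falls (BFS down the hierarchy)."""
    rev = dependents(trusts)
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for dep in rev.get(node, ()):
            if dep not in seen:          # each entity is counted once
                seen.add(dep)
                queue.append(dep)
    return seen

def rank_trust_elements(trusts):
    """Trust elements sorted by how much of the client falls with them (ties by name)."""
    scores = {name: len(blast_radius(trusts, name)) for name in trusts}
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    for name, hit in rank_trust_elements(TRUSTS):
        print(f"{name:22} compromises {hit} downstream element(s)")
```

The ranking puts the ISP and the vendor's modem line, neither of which the client operates, at the top, which is the scoping point both posts make.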