Redspin Security Management Advisory
Volume 6 | September 2008
Security Engineer Hacks His Way into a US Based Financial Services Company
Nathan Drier, a Security Engineer here at Redspin, recently hacked his way into a US-based financial services company with close to 1 billion dollars in assets. While he had a great time getting paid to legally hack his way into a bank's network, the bank was startled to learn just how vulnerable its entire network was.
Nathan's Methods and Results
For the purpose of education, we decided to share the methods and results of his hack in this Security Management Advisory because there are no great secrets here — none of the vulnerabilities in the system were critical, but they managed to line themselves up in such a way that they gave him a level of access that should make any IT manager want to slam his head onto his desk until either his head or the desk give way.
The bank (we'll call them "Big Bank") outsourced its web and mail servers as well as their IT needs to a hosting company ("ABCHosting"), which is pretty common for many businesses. There was a firewall/VPN device at the edge of their office LAN, which made them feel secure — but they still depended upon the kindness of ABCHosting far more than is healthy.
Here is the basic outline of how Nathan briefly considered a life of crime:
- He discovered that ABCHosting was vulnerable to a directory traversal attack, which gave him access to all of their files.
- He downloaded the SYSTEM registry hive, which holds the key used to encrypt the SAM file, where all the local usernames and password hashes are stored. After a little more work, he had administrator privileges on the shared email server at ABCHosting's data center. Fun, but not necessarily dangerous to Big Bank.
- He then downloaded a copy of the Windows registry hive which contained information about the email server software. Usernames and hashes are stored in this software hive — as was a huge list of domains that ABCHosting provided email services for, Big Bank included. Inside each domain subfolder were details on hundreds of mail accounts along with usernames and password hashes.
- The software hive used a polyalphabetic Vigenère cipher to encrypt the passwords, which is extremely simple to crack. After a little more work, he had access to the email of three Vice Presidents and the CFO — some of which contained completed loan applications and personal financial histories, which should never be in email.
- Because ABCHosting also supplied Big Bank's IT services, he hunted for the 15 username and password combinations for the ABCHosting domain. People being people, the ABCHosting techs used the identical username and password combinations to give them access to Big Bank's VPN. Ultimately, this gave Nathan complete Domain Administrator level access on Big Bank's LAN through their VPN.
- Nathan owned the bank.
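To show why a reversibly "encrypted" password store is no control at all, here is an added example (written for this advisory, not Redspin's code and not taken from the hosting software described): a toy Vigenère store over constructed mailbox records, the known-plaintext key recovery that makes it trivial to reverse, and the salted PBKDF2 hash that should have been used instead. The mailbox names, passwords and the site-wide key are made up.

```python
import hashlib
import hmac
import os

ALPHABET = "abcdefghijklmnopqrstuvwxyz"

def vigenere(text, key, decrypt=False):
    """Polyalphabetic Vigenere shift over lowercase letters; other characters pass through."""
    out, j = [], 0
    for ch in text:
        if ch not in ALPHABET:
            out.append(ch)
            continue
        shift = ALPHABET.index(key[j % len(key)])
        j += 1
        out.append(ALPHABET[(ALPHABET.index(ch) + (-shift if decrypt else shift)) % 26])
    return "".join(out)

def recover_key(known_plain, known_cipher, key_len):
    """Why the cipher is 'extremely simple to crack': key[i] = cipher[i] - plain[i] (mod 26),
    so one record whose plaintext is already known yields the key for every other record.
    Key positions the known plaintext does not reach are returned as '?'."""
    key, j = ["?"] * key_len, 0
    for p, c in zip(known_plain, known_cipher):
        if p in ALPHABET:
            key[j % key_len] = ALPHABET[(ALPHABET.index(c) - ALPHABET.index(p)) % 26]
            j += 1
    return "".join(key)

def pbkdf2_record(password, salt=None, rounds=200_000):
    """The control that should have been used: a salted, slow, one-way hash. Returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)

def pbkdf2_verify(password, salt, digest, rounds=200_000):
    # Constant-time comparison; knowing one user's password says nothing about another's digest.
    return hmac.compare_digest(digest, pbkdf2_record(password, salt, rounds)[1])

# Constructed sample store: hypothetical mailboxes and a hypothetical vendor-wide key.
STORE_KEY = "hosting"
PLAIN = {"jdoe@example.test": "december", "cfo@example.test": "loanbook"}
STORE = {user: vigenere(pw, STORE_KEY) for user, pw in PLAIN.items()}

def demo():
    """Knowing only jdoe's own password, recover the store key and read every other record."""
    key = recover_key(PLAIN["jdoe@example.test"], STORE["jdoe@example.test"], len(STORE_KEY))
    return {user: vigenere(c, key, decrypt=True) for user, c in STORE.items()}
```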

Use Common Sense Security Measures
Again, there is nothing fancy here. Extra equipment or special software wouldn't have prevented this attack — common sense security measures would have. If ABCHosting patched their services, the directory traversal hack wouldn't have worked. If they disabled LM hashing, it would have taken longer to crack their passwords. If they set best practices permissions on the IIS user account, he couldn't have gotten permission to view files on the system. If they used better password management, he wouldn't have gotten into the bank's VPN.
Ultimately, Redspin would like to remind you to care about the little things, to make sure that your security i's are dotted and your network t's are crossed. If you have to outsource your email hosting or your IT services, make sure that you have an independent security audit of that system. A good security posture may not make you more money, but it will definitely keep guys like Nathan's evil twin out of your network.