Monday 21 January 2008

The future of (ethical) hacking?

This post is not about where the hacking community is going (whatever that means), but more what I'd like organisations to think about.

I'm particularly proud of one aspect of our service: that we are pragmatic. By this I mean our ability to focus on genuine threats without being lost in the testosterone-driven "I've found the most obscure vulnerability ever" mindset. Wearing a white hat is much more than digging deeper than the next penetration tester - it's also about helping clients to understand where they should put their effort and their budget to get the most appropriate defence.

For me the most obvious illusion is that the important attacks will come from outside the organisation and that they will come via the interweb. If an organised criminal is going to target your organisation, then they're going to take the route that combines the best return on their investment with the highest probability of success (and to some degree the lowest risk). This is a typical business model - just an immoral one in their case.

So where do I believe organisations should focus? On what I'm calling blended attacks - attacks that combine technical skills with social engineering. These are the types of attack which we find work time after time, in the fastest way, with the highest return and with little risk of detection. There's nothing new in this sort of approach (just read Kevin Mitnick), yet the majority of organisations do little or nothing to test for these vulnerabilities.

Here's an example from my own team's experience. Recently, a UK-based insurance company asked us to test their physical security, with the objective of stealing as much information as possible. Andy and I rented a car close to their offices, then I parked in their car park and waited, having dropped Andy off at the side of the building. He was wearing a suit without a jacket, so he looked as if he had just come out from the office. At the rear of the building was a door with a proximity card access control. This door was used by the smokers who (as usual these days) had to visit a little shelter at the rear of the building to get their fix. When one employee finished her cigarette and walked back towards the door, Andy ran after her and, complaining about the weather, asked her to hold the door for him - which of course she did. He was then able to open the door from the inside and let me in. We then played our assigned roles - Andy was the employee and I was the consultant, there to conduct a security audit (of course!). We found the usual suite of meeting rooms and selected one which was empty. Within a couple of minutes I had hooked up my laptop to a network port in the floor, obtained a DHCP address and started my network discovery software. After an hour or so, some genuine employees arrived to use the meeting room - we of course apologised for the double booking and found ourselves another empty room. In total we were on site for five hours and able to grab just about anything we wanted from the network. We were never challenged or asked to show a badge, and at the end of the day we left by the same route we came in. Game over.

There really is no substitute for the "human firewall" and there's definitely no patch for ignorance (it is ignorance, not stupidity, in many cases, you know). The results of this type of exercise demonstrate to everyone how easy this devastating style of attack can be, and allow the organisation to start the difficult process of security awareness education. And they not only have to educate the office staff, they have to educate the IT folks, the senior managers and the board members too.

Tuesday 1 January 2008

Unprotected laptops

With so many staff working at home one or two days a week and everyone wanting connectivity from anywhere in the world, laptops have become very important tools. Pretty much every organisation now has a VPN to give staff remote access across the Internet, yet only a tiny minority understand how much at risk they are from those laptops. If an attacker were able to gain control of a lost or stolen laptop, they would have access to all the information stored on it plus the opportunity to connect to the corporate network via the VPN.

From time to time we are asked to test the security of a laptop build - perhaps because the organisation is intending to migrate to a new version of Windows, or has simply designed a new “build”. In any event, the task is to test the security of their standard laptop configuration.

Our first check is to see whether a BIOS password has been set. This poses a small hurdle to the would-be attacker, one that is usually overcome fairly simply by a bit of jiggery-pokery on the motherboard or by removing the hard disk and putting it in another system. A hard-disk password is a different problem, which often requires specialist assistance, and is therefore considerably more effective. Unless, that is, the hard disk password is the same as the BIOS password, in which case the problem is solved. However, we have yet to find a corporate laptop utilising either form of power-on password, probably because of the anticipated support costs of all those forgotten passwords!

Assuming that there are no BIOS passwords, all we need is a Windows username and password. Since we have physical access to the machine, that is very easy to achieve. Software such as Petter Nordahl-Hagen’s Offline NT Password and Registry Editor is free and available for download on the web. This software creates a bootable CD or floppy disk which can be used to reset the administrator’s password without ever starting Windows.

Once done, you reboot the laptop and log in as Administrator with full access to everything, including any dial-up or VPN connections of course. However, if your laptop’s owner has used Microsoft’s encrypting file system (EFS) on XP, then you will not be able to recover those files, because the keys that protect them are themselves protected by the password you have just overwritten - which could be very irritating!

An alternative approach is to use a program like NTFS Reader for DOS, which will allow you to make a copy of the Windows SAM file containing the usernames and password hashes, again without running Windows. Once you have a copy of the SAM file, you can run a password cracking program to discover all the passwords on the laptop, and then log on with the Administrator’s legitimate credentials.

This is slightly more time consuming, but it leaves no evidence of tampering and preserves the EFS files intact. In case you are wondering, a sure-fire way to crack the passwords is to use rainbow tables with a tool such as Cain and Abel. The rainbow tables are pre-computed password hashes for almost every combination of letter, number and punctuation character for passwords up to 14 characters in length, making the job of finding the passwords just a matter of time. Although they are very large (many gigabytes in size), Windows rainbow tables are available for free download from the Internet or can be purchased online for delivery on a set of CDs or DVDs.

There is one simple solution to Unprotected Laptops: full disk encryption. With the whole disk encrypted, neither the offline password reset nor the copying of the SAM file described above is possible without the passphrase. This provides the laptop user with the facility to protect everything with one easily remembered passphrase (much simpler to manage and remember than a complex password), whilst providing the IT support people with a legitimate “backdoor” into the laptop if the user’s passphrase is forgotten or if the member of staff leaves the organisation under a cloud.