11 September 2009

HACKING SMALL BUSINESS NETWORKS: PART I



SECURITY VS. INSECURITY



Good security is a four-factor equation, starting at the perimeter and consistently applied throughout.




A secure network has strong borders and a minimum exposed surface area: only the services required to perform relevant tasks are ever installed, and only the minimum number of ports are opened for interconnection between devices. Strong, secure networks also have well-planned and defined permission structures (Access Control Lists, or “ACLs”) which limit each user to the information and resources needed to perform his/her tasks. These borders and permission structures are written into the company’s documented processes, which guide their safe and effective use. Enforcement of policy and process is verified through sound accountability procedures and continuous (24/7/365) intrusion detection.


Every cryptographer and security expert will agree that no network is ever completely secure. Given enough time, someone can penetrate any system. The goal of an IT professional is therefore to provide “relative security”: to alter the economics of an attack so that, at an acceptable level of complexity and access-control restriction, the effort required to gain unauthorized access exceeds the effort the criminal is willing to spend for the reward he perceives. At the same time, an effective security strategy must raise the attacker’s fear of detection, capture or failure and deprive him of any confidence that the attack will succeed. Put another way, “relative security” in small business IT is attained when a computer criminal weighs the effort-risk-reward equation for attacking a small business and finds it no more attractive than an attack on a major financial institution.


In selecting a target, a criminal attacker evaluates its prospects in terms of three advantages: surprise, anonymity and technical superiority. To counter the computer criminal, IT support personnel must remove these advantages, and the first step in identifying them is to assume the role of “consultant-as-criminal” and conduct focused, planned penetration testing against the networks for which they are responsible.








  • SURPRISE


    “Surprise” is an attacker’s ability to set the time and terms of an attack. No strategy can realistically remove an attacker’s surprise advantage completely. But a determined IT professional can limit the possible times and terms of an attack to a set of circumstances that maximize the potential for detection and capture. The attacker then has the choice of continuing the attack at higher risk or moving on to easier prey. Examples of strategies used to minimize the surprise advantage include:




    • Access-control policies which disable network services during off-business hours.

    • MAC filtering and VLAN technology (MAC filtering raises the bar only slightly, since a MAC address is trivially spoofed; it is most useful when the filter log is actually reviewed).

    • Premises Visibility and Surveillance.






  • ANONYMITY


    Surprise is a part of anonymity. But while surprise is the ability to set the time and terms of an attack (which itself helps keep the attacker anonymous), anonymity is the art of preserving that initiative so as to remain undetected and unidentifiable during and after the attack, realizing a pay-off without the attendant consequences. It also allows the criminal repeated access to the same network, increasing his return on investment. Take the common burglar for example: a burglar could theoretically cut a convenient hole in the side of an office building to gain access and steal a company’s valuables. But this will cause a good deal of noise and appear highly suspicious to any passers-by, so the police are more likely to be summoned and the perpetrator more likely to be apprehended. This explains why nearly all burglars prefer a casual, quiet method of entrance: they are preserving their anonymity to increase their chance of escape without consequence, and possibly to return for subsequent crimes in the area. Thus a burglar who quickly and casually ‘bumps’ the lock at a front door may be taken by observers to be authorized to be at the door, to enter the building and later to move items out. He has the surprise advantage of determining the time and terms of his crime as well as the anonymity afforded by others who erroneously dismiss his behavior as normal, and so he completes the criminal act and escapes. For this reason, many businesses install alarm systems to monitor the doors and windows as well as movement within the building; they eliminate the offender’s anonymity (or secrecy) by placing an automated system in his path. Likewise, a secure business must always know who can access its network and from where. To remove anonymity a business must limit an attacker’s ability to access the network without being identified. This goes further than simple usernames and passwords. It must also include the logging of IP and MAC addresses, the use of surveillance cameras and the logging of all activity on the network for periodic automated and manual review by IT personnel.





  • TECHNICAL SUPERIORITY


    The advantage of technical superiority comes not only from a lack of technical qualification on the part of the IT personnel but also from a lack of resources and consistent business interests. The author will freely admit that he himself has been in many situations where competing business interests prevented him from exercising his technical expertise to better protect client networks. These competing interests (as discussed earlier) include failures of the managed services business model, the break-fix model and a lack of client cooperation. No matter how qualified or skilled an IT support team may be, if the business interests involved are not consistent with industry best practices, the attacker will ultimately have technical superiority. Keeping this advantage on the side of the small business requires written, consistently applied processes, intrusion detection mechanisms, continuing education and periodic penetration testing.
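The SURPRISE and ANONYMITY items above ask for two things a small business can actually automate: knowing which adapters are on the network, and knowing when they are active. The following is an added example, not the author’s tooling, of the periodic review the text calls for. It runs over a constructed access log (the line format, the approved MAC list and the 07:00 to 19:00 weekday window are all assumptions) and flags any entry from an unknown MAC address or outside business hours.

```python
"""Automated review of a network access log for the two conditions named above:
MAC addresses that are not on the approved list and activity outside business
hours. Added example; the log format, approved list and hours are assumptions."""
from datetime import datetime, time

# Constructed sample log (assumed format): "<ISO timestamp> <MAC> <IP> <event>"
SAMPLE_LOG = """\
2009-09-08T09:12:41 00:1a:2b:3c:4d:5e 192.168.1.20 dhcp-ack
2009-09-08T13:47:02 00:1a:2b:3c:4d:5f 192.168.1.21 dhcp-ack
2009-09-08T23:05:19 00:1a:2b:3c:4d:5e 192.168.1.20 dhcp-ack
2009-09-09T02:14:55 d8:5d:4c:aa:bb:cc 192.168.1.57 dhcp-ack
2009-09-09T10:30:00 d8:5d:4c:aa:bb:cc 192.168.1.57 dhcp-ack
"""

# Assumed inventory of company-owned adapters (hypothetical values)
APPROVED_MACS = {"00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:5f"}
# Assumed business hours: 07:00 to 19:00, Monday to Friday
BUSINESS_HOURS = (time(7, 0), time(19, 0))


def parse_line(line):
    """Split one log line into (timestamp, mac, ip, event)."""
    ts, mac, ip, event = line.split()
    return datetime.fromisoformat(ts), mac.lower(), ip, event


def in_business_hours(ts, window=BUSINESS_HOURS):
    """True on a weekday within the window; weekends are always off-hours."""
    start, end = window
    return ts.weekday() < 5 and start <= ts.time() < end


def review(log_text, approved=APPROVED_MACS):
    """Return (timestamp, mac, ip, reasons) for every entry worth a human look."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, mac, ip, _event = parse_line(raw)
        reasons = []
        if mac not in approved:
            reasons.append("unknown MAC")
        if not in_business_hours(ts):
            reasons.append("off-hours")
        if reasons:
            findings.append((ts, mac, ip, reasons))
    return findings


if __name__ == "__main__":
    for ts, mac, ip, reasons in review(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M} {mac} {ip}: {', '.join(reasons)}")
```

On the sample, the approved laptop’s 23:05 lease and both appearances of the unknown adapter are reported. A spoofed MAC will pass the first check, so this is a detection aid to pair with the camera footage and service-hours policy above, not a control in itself.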






CONSULTANT-AS-CRIMINAL: PENETRATION TESTING



In this discussion the reader will be asked to assume the role of the consultant-as-criminal and begin looking at the small business network as a source of opportunities for cheap thrills, low-cost resources or marketable information. As an analyst, the consultant will not only conduct the attack but carefully document the processes employed and the results obtained. In the end, the consultant will achieve four objectives, listed below:



Objectives of Penetration Testing



  • Inventory all exposed assets and resources.

  • Prove the feasibility of an attack on the target network.

  • Probe the exposed assets and resources to identify the scope of vulnerability.

  • Collect information which can be used to find remedial solutions.



The consultant will either prove or disprove the security of the network, creating a data set in support of his conclusions that can be reviewed as a final report by the small business owner and IT managers. Ideally, this report would be standardized by the SMB IT community but ultimately should include at least four (4) elements, described below:





  • NATURE (CHRONOLOGY)


    To define the nature of the vulnerability, the consultant should provide a step-by-step timeline of the attack. Using this documentation, others should be able to reproduce the attack reliably should they question the validity of the reported results. This section should open with a description of the vulnerability and the attack strategy, as a statement of the nature of the problem.


  • SCOPE (INVENTORY)


    All devices visible to the consultant-attacker as a result of the work described in the chronology should be identified in this section of the final report. This may be no more than a dump from an IP scanner, but any device that could be identified should be included. Sophisticated professionals will want to go further and include a graphical topology showing the interrelationships between devices, open ports, MAC addresses and other data discovered through their attack strategy.


  • SEVERITY (ASSESSMENT)


    Based on the evidence in the chronology, the services exploited, data viewed, copied or potentially deleted and the possibility of installing malicious software should be evaluated and included in a severity assessment. This assessment completes the problem statement and leads the after-action report to a positive conclusion.


  • REMEDIAL MEASURES (ACTION PLAN)


    In conclusion of a penetration testing after-action report, the business owner should be presented with remedial options for every vulnerability discovered. These should be clearly defined in an action plan format with timelines, costs and plain-language descriptions of why each will resolve the underlying problem.
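The “dump from an IP scanner” mentioned under SCOPE (INVENTORY) is far more useful in the report once it is turned into a per-host table. The following is an added example, not the author’s own tooling: it parses Nmap’s grepable (-oG) output, here a constructed sample rather than a real scan, into the inventory the Scope section calls for, and flags the services that normally carry credentials in clear text (a list assumed here). Hostnames and addresses are hypothetical.

```python
"""Build the report's Scope (inventory) table from Nmap grepable (-oG) output
and flag clear-text services. Added example; the scan below is constructed."""
import re
from collections import defaultdict

# Constructed -oG output (assumed format; tabs separate the fields)
SAMPLE_SCAN = """\
# Nmap 5.00 scan initiated (constructed sample)
Host: 192.168.1.1 (gateway.example.lan)\tStatus: Up
Host: 192.168.1.1 (gateway.example.lan)\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 192.168.1.10 (sbs.example.lan)\tStatus: Up
Host: 192.168.1.10 (sbs.example.lan)\tPorts: 25/open/tcp//smtp///, 110/open/tcp//pop3///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///
Host: 192.168.1.57 ()\tStatus: Up
Host: 192.168.1.57 ()\tPorts: 21/open/tcp//ftp///, 5060/open/udp//sip///
# Nmap done (constructed sample)
"""

# Services that send credentials unencrypted unless wrapped in TLS (assumed list)
CLEAR_TEXT_SERVICES = {"telnet", "ftp", "pop3", "imap", "smtp", "http", "sip"}

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")


def parse_grepable(text):
    """Return {ip: {"name": hostname, "ports": [(port, proto, service), ...]}}."""
    hosts = defaultdict(lambda: {"name": "", "ports": []})
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything that is not a Host record
        ip, name, rest = m.groups()
        hosts[ip]["name"] = name
        for field in rest.split("\t"):
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                # -oG port field: port/state/protocol/owner/service/rpc/version/
                port, state, proto, _owner, service = entry.split("/")[:5]
                if state == "open":
                    hosts[ip]["ports"].append((int(port), proto, service))
    return dict(hosts)


def clear_text_exposure(hosts):
    """Per host, the open services from the clear-text list."""
    return {ip: [p for p in h["ports"] if p[2] in CLEAR_TEXT_SERVICES]
            for ip, h in hosts.items()}


def inventory_lines(hosts):
    """Render the per-host inventory the report's Scope section calls for."""
    lines = []
    for ip in sorted(hosts, key=lambda a: tuple(int(o) for o in a.split("."))):
        h = hosts[ip]
        ports = ", ".join(f"{p}/{proto} {svc}" for p, proto, svc in h["ports"])
        lines.append(f"{ip:<15} {h['name'] or '-':<22} {ports}")
    return lines


if __name__ == "__main__":
    found = parse_grepable(SAMPLE_SCAN)
    print("\n".join(inventory_lines(found)))
    for ip, exposed in clear_text_exposure(found).items():
        if exposed:
            print(f"{ip}: clear-text services {[s for _, _, s in exposed]}")
```

The inventory is the Scope section; the clear-text list feeds the Severity assessment and gives the Remedial Measures section its first action items. A real engagement would feed the actual -oG file in place of the constructed string.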


A report on security vulnerabilities should not be delivered to a business owner by a sales representative, by email or by other potentially impotent means. This type of information should be delivered by an account manager in the company of a supporting technician or engineer. Where possible the consultant who conducted the attack should be present as well, but this is ultimately an internal decision. The author will stop short of saying that the IT support company which identifies serious security flaws should make every responsible effort to ensure the report is not lost in the fog of a client’s daily business operations, and that it should not be so trivial as to be seen as a sales pitch. The responsible owner will have questions that deserve answers. The author has seen far too many situations where technical information is improperly delivered to a business owner by non-technical or poorly qualified sales representatives or account managers, and the owner later calls the author on the phone to get “the real story.” Even today the author received a call from the office manager of a client of the author’s former employer who wanted assurance that what she was told was accurate. It was, but there is a trust relationship lacking in this industry, caused by competing business interests.



ATTACK STRATEGIES: BROAD-RANGE VS. TECHNOLOGY-SPECIFIC



Much of the vulnerability testing performed in the industry is carried out by manufacturers in sterile labs or in large corporate environments. Virtually no security testing occurs in the small business community by any IT Services Provider.



NOTE: We can all thank the political interests of the private investigations lobby for pushing legislators in many states, such as Texas Representative Joe Driver, to pass laws which require licensing and promise hefty fines for those few well-intentioned IT services providers who would otherwise proactively protect their clients. Naturally this also helps ensure that the low supply of licensed personnel creates higher-than-reasonable costs for security-related services.


This vacuum creates the opportunities we mentioned earlier in our introduction and problem statement. Many small business owners with whom the author has worked have been led to the false assumption that manufacturers diligently test their products and that this testing is sufficient to protect a small business. It is not. Even where a manufacturer tests a product’s security, it cannot possibly test the configuration a technician used in the field when the product was deployed after purchase.



NOTE: As mentioned in the author’s disclaimer, many jurisdictions require that IT professionals involved in security-related computer work, such as penetration testing, first be licensed by a government entity in that jurisdiction. In the cases the author reviewed, this requirement applied only to small businesses who outsource their IT work, not to in-house IT personnel such as those on staff with large organizations. Thus legislation which promises to ‘protect’ society has created a greater risk for consumers and a more costly option for small businesses, which are less able to compete with larger corporations.


It is the need to test product configuration that ultimately justifies security testing in large corporations. Most vulnerabilities, after all, are caused by poor implementation and by a lack of security patching when manufacturers do find defects. Without an equal effort at the small business level, the SMB market is protected only by the technology-specific, product-focused testing done at the manufacturer level. Since few business owners or IT professionals servicing the SMB market actively monitor security developments, they rarely learn of new exploits found by so-called ‘black-hat’ or ‘white-hat’ hackers. This reliance on technology-specific testing leaves the SMB community exposed to broad-range attacks. A broad-range attack targets not only the technology-specific weaknesses a criminal can exploit but also any configuration errors within its scope of action. Broad-range evaluation serves large corporations well and should be part of any solid small business IT services plan.



As this broad-range approach to testing is a ‘real world’ attack simulation, the consultant-as-criminal may use any tool of the criminal trade that will not violate the law in order to simulate an attack on the target network. This includes the exploitation of technology weaknesses as well as failures of human nature, using the ‘social engineering’ strategies discussed later in this chapter. A sophisticated attacker might even use a mix of social engineering and technology exploits to compromise otherwise technologically secure networks. This will help raise the awareness of the business owner and employees and lead to the development of better internal practices the client company can use to protect consumers, employees and the organization itself. But to conduct such a mixed-mode, realistic attack the consultant performing the attack should be known only to the owner by some agreed-upon code word and have no insider knowledge of the target network other than that deemed necessary to stay on the right side of the law.



Ideally the attacker will enter the test with no knowledge of the network other than the information, such as a wireless SSID, needed to avoid targeting the wrong network. When planning a simulated intrusion it is critical that the consultant-as-attacker has planned the attack and holds the safeguard information needed to ensure he attacks only the authorized network and not that of some third party. Serious consequences could otherwise arise from a mistake.


As the consultant assumes the new role of consultant-as-criminal some preparations are in order. In the next section, we will discuss the consultant’s ‘kit’ and its preparation. This ‘kit’ will include all of the tools needed to attack a small business network through technological means. As we discuss specific attack scenarios we may modify or add to this kit to meet the needs of the scenario. The business owner reading this section should pay careful attention to the low cost and high availability of the materials used to build this kit. It is this mixture of low cost and readily available supplies that makes this such a tempting effort for the criminal community.



ATTACK STRATEGIES: PREPARING THE KIT




Almost every small business owner starts his business by dreaming of realizing some measure of success performing a job he/she finds rewarding. This desired reward is psychological, emotional and financial. While the reward comes only to the few who go the distance to earn their success, the initial stages are familiar to every aspiring entrepreneur, who begins by researching the options available, possibly attending seminars or conferences or reading books to learn more about financing, management, marketing or the many other aspects of starting and running a business. The criminal does somewhat the same thing in his illegitimate enterprise.



A criminal—whether a robber, thief, computer criminal or drug dealer—starts with a deviant fantasy of some perceived reward that will come from the commission of his/her illegal pursuits. At first this fantasy is a means of escaping some personal frustration, defect or failure. Yet this is the key starting point in the criminal’s progress to build a ‘kit’ to commit his/her future crimes. This foundation is a set of deviant thinking errors which will justify otherwise irrational actions. A consultant who wants to truly test the potential for criminal intrusion into any network must first start by understanding the common thinking errors and how they apply to the planning and execution of a crime. Thinking errors are not discussed in detail as this is more a subject for a psychologist to explore. For purposes of this discussion we will reduce these thinking errors to those false premises which lead a person to (a) dehumanize the effects of their actions, leading to a disregard for the needs, rights or wants of others; (b) assume a grandiose belief that the criminal’s needs or wants override the needs or rights of others by mere fact that they are the needs or wants of the perpetrator; and (c) form justifications for what would objectively be considered wrong or illegal within the framework of rational society.



THE MENTAL “KIT” (CRIMINAL THINKING ERRORS)



  • Dehumanize the effects of their actions, leading to a disregard for the needs, rights or wants of others;

  • Assume a grandiose belief that the criminal’s needs or wants override the needs or rights of others by mere fact that they are the needs or wants of the perpetrator; and

  • Form justifications for what would objectively be considered wrong or illegal within the framework of rational society.




Once a criminal has taken his fantasies to maturity through the development of thinking errors to enable him to plan and execute the attack, the mental kit is equipped with its next level: technical skill. At this stage the criminal will develop the skills needed to fulfill his/her fantasy by reading, talking to friends and experimenting with whatever resources are available. This may involve committing smaller crimes in the community which ultimately escalate the criminal to the end-game the criminal desires to play against a victim he/she feels ‘deserves’ or ‘will not be harmed by’ the criminal’s acts.



A consultant working to assemble the mental kit will obviously not desire to become a criminal, though some of the people best suited to this line of work have a criminal history in their past that they have overcome. Instead, the consultant will want to develop a good understanding of these thinking errors and of the skills the criminal must learn to carry out his/her fantasy. Several procedures to develop these skills are included in a later chapter, but the thinking errors must be explored by each individual. When performing a test attack, the consultant-as-criminal must be motivated to avoid capture, seek quick rewards and demonstrate a disregard for what would otherwise be considered acceptable behavior.



Once a criminal has his mental kit prepared, or possibly as he develops the skills portion of the mental kit, he/she will begin to form the physical portion of the “kit.” Just as many business owners start to build their businesses while still learning the ropes, the criminal too will often learn on the fly. This impulsive nature of criminal enterprise and its sense of challenging the norm is a similarity that should help any entrepreneur understand the computer criminal and the threat he poses to the small business. These are often determined people frustrated by the “way things are.” Their creativity demonstrates this point all the more clearly as one examines the cost of a typical kit used to attack WEP or WPA-PSK wireless networks.



The author assembled a kit for testing in the scenarios described in this book. He started with a spare ACER TravelMate 2420 laptop with built-in wireless, a BackTrack3 Live DVD and a backpack. Pricing similar materials at a local Goodwill store, the author found that for just under $500 he could build an anonymous kit with no association to himself. Armed with this basic kit an attacker can potentially gain unauthorized access to many small business wireless networks that are secured using WEP or WPA-PSK (a WEP key can be recovered outright from captured traffic; a WPA-PSK passphrase only where it is weak enough to fall to a dictionary attack on the captured handshake). With a few additional skills the attacker could exploit wired networks as well and perform limited penetration-in-depth.






The basic kit was extended when the author switched from the BackTrack3 Live DVD to the Ubuntu 9.04 operating system. He also added a 16GB USB key (cost: $30) and an external PCMCIA wireless network adapter (cost: $15, used). With the USB key the author was able to use the free VMware Player to run a portable Windows virtual machine containing the tools provided in Mark Spivey’s Practical Hacking Techniques and Countermeasures. In most cases a Windows XP license would have cost an additional $200 or so; however, many criminals will use a pirated copy costing them nothing (see the “stealing license keys” attack scenario later in this chapter). In the author’s case, he used a license from his Microsoft TechNet subscription. Finally there is the matter of the air card. Originally added as a second network connection for short-range relay attacks, this card could have been used as a throw-away to further avoid being caught with any evidence connecting an attacker to a crime. All told, the author spent approximately $560 to assemble a fully functional kit that represents a serious threat to the business community. Only later, in testing the “relay attack” strategy, did the author make another significant modification to the penetration testing kit.



In July 2009, the author built a self-contained relay kit to meet the needs of a given relay-attack scenario (described below). He used a backpack with a reinforced plastic base and travel wheels (cost: $30) to hold a used car battery (cost: $23 from a local scrap yard) and an inverter (cost: $60) purchased at Wal-Mart some time back. This relay kit required disabling the lid switch on the laptop to prevent closing the lid from sending the laptop into standby or hibernation. All told, the author added a little more than $100 to the cost of his research and created a relay kit that would run without external power for up to 12 hours.



A NOTE FOR CONSULTANTS


As a consultant testing client networks there is a significant need for accurate and reproducible documentation of all work performed. For this reason, the author would suggest consultants use some variant of the relay kit described in this case, remotely controlling the same from their production laptop to conduct any testing. The use of screen-capture software to record all work performed in a video format will provide an excellent protection from liability and near-perfect documentation of all technical procedures. The author recommends a product like Camtasia for these purposes.





ATTACK STRATEGIES: ASSESSING THE TARGET




Almost all criminals will visit their target at least once prior to exploitation to evaluate its weaknesses. This fact is probably what leads most criminals to victimize people and organizations they know or to which they have familiar access. This process is sometimes called ‘casing’ or ‘grooming’ by criminologists, but in a tactical sense it is nothing more than reconnaissance. The criminal seeks to adapt a deviant fantasy to a given practical situation and needs information to select a target that will maximize the potential for success while minimizing any exposure to the consequences of his/her actions. Business owners and their employees can protect themselves at this point from many crimes (not just computer crimes) through common-sense proactive measures set out in a company’s policy manual and reinforced through regular meetings and training. The criminal is seeking a company that lacks this vigilance or whose employees simply fail to follow through on planned practices. Technology alone will never protect any organization completely; surveillance cameras and alarm systems do help deter crime, but common sense on the part of employees is needed as well.



In the case of computer crime, an attacker may never need to enter the premises of a target company. It may be easier to exploit the wireless signals emitted by the devices used in a business, since physically entering the premises would make the culprit easier to identify. Those targets whose wireless signals are not well protected represent the first and most vulnerable target class. Others either do not use wireless networks or have properly protected their wireless networks; some are even fortunate enough to be located where attacks on any existing wireless network are not feasible. But these businesses may not properly protect their wired perimeter, and they belong to a second target class. The effort required to exploit their networks is greater, but the exposure to attackers worldwide, rather than only to those within a wireless network’s range, makes them vulnerable nonetheless. A third target class is the business whose technology is secure and whose IT support personnel are vigilant, but whose employees carelessly handle information an attacker might use to exploit the company (such as usernames, passwords, financial information, email addresses, phone numbers, etc.).



While the author was building his relay kit for use in the “wireless relay attack” scenario, below, he encountered a good example of human failure that often leads to a business being targeted by a criminal. The author had travelled to a scrap yard to purchase a used car battery. He had just finished pulling the battery from a used car and had taken the battery to the front where an employee was testing the battery to see if it would hold a charge. While waiting, the author stood idle, looking about and noticed the company’s checkbook sitting open on the counter. This oversight gave the author a perfect (albeit upside down) view of important financial information for the company—i.e. company name, bank name, bank routing number and account number. With this information any criminal could easily defraud the company online without even the basic technical skill we will focus most of our time addressing in this book.



In the figure below we see the typical, fully developed small business network that has all of the latest cool technologies. This is our reference model for studying small business network security. In this model we see indications of where such a network is vulnerable. Almost every device, service or technology can potentially be exploited if it is not properly configured.




This fact brings to mind the lesson of an old friend from the author’s adolescence, named Dan Duley, who once explained to the author that the only ‘secure’ computer was one that was unplugged and encased in concrete. Unfortunately this is not a realistic solution. No computer is or will ever be completely secure. Mostly this is due to the fallible human equation, manifest in every aspect of technology from the engineers and designers to the implementing technicians and the end users. People will always make mistakes, and as with the accounting industry, the IT services industry must have periodic auditors to detect and fix those mistakes. Small business owners deserve it and should reasonably expect this level of complete service.



We can attain ‘relative security’ in technology just as we do elsewhere in a business model. We can protect ourselves by minimizing risk. Looking at the above figure we see that in a worst case scenario the perimeter may be exploited over the internet or through wireless connections. Internally intruders who have breached the perimeter, as well as disgruntled employees, may completely exploit a business. But this does not have to be the case for most businesses who adopt a sound approach. Those businesses will deter any attack as the criminals seek weaker more vulnerable targets. Thus, the name of the game is making your network less vulnerable than the next guy.


If you don't want to be eaten, run faster than the next guy.



As IT consultants interested in protecting client businesses and their customers, we should view every service, open port and device as a potential weakness in the network’s defense. This is demonstrated well in the following attack scenarios as well as in the “Penetration-In-Depth” chapter. Without a serious effort to secure internal resources, perimeter security is the only thing between a criminal and the business’ most private information. Perimeter defense on its own provides a minimum defense against external intruders but does little if anything to protect against computer crime by employees or by vendors’ employees. The same holds from the opposite perspective when the consultant temporarily assumes the criminal role to assess a network’s defenses. With no insider knowledge, the consultant-as-criminal must examine every service looking for an ‘open door’ through which to gain access to the target network. But the consultant must never stop at just one service. He/she must take the broad-range approach, evaluating each open service and determining the risk each presents. If there are more than two or three weaknesses the consultant could exploit, then the business definitely requires serious attention and the IT service provider should be concerned that its practices are inadequate across the board.




The consultant-as-criminal should obviously begin by determining if any of the target company’s services use clear text authentication. That means finding any services used in the organization that transmit usernames and passwords between client software applications and server-side applications without encryption. This is still a widespread occurrence. The author has seen this in every industry from small retailers to medical practices.


NOTE: It is actually quite scary to see medical establishments that have passed accreditation and third-party audits (especially those involving HIPAA compliance) which use clear text authentication and violate the other best practices discussed in this book. For the author this proves that one cannot legislate problems away.


Many forget that some of the core technologies we use today were developed before the proliferation of the internet, in a time when networks were internal, isolated entities and those with ‘internet’ access trusted one another to abide by a code of ethics that the criminal community does not observe in the modern internet era. Internet protocols such as telnet, FTP, POP, IMAP and SMTP do not, by default, encrypt usernames and passwords when they transmit these credentials to the server; only when the connection is wrapped in SSL/TLS (the POP3S, IMAPS and STARTTLS variants) are they protected. This means that users who re-use their banking password for their POP email account are transmitting that password in readable text to their mail server. Where the user accesses an office mail server from home, or where the business hosts its POP server offsite (such as on an ISP-provided mail server), the user transmits that password in clear text several times per day: every time an email client such as Outlook or Outlook Express contacts the mail server to download new messages, the program must transmit the user’s username and password. A criminal using legitimate network analysis software (such as Wireshark) can capture this information and then reuse it. An example of Wireshark is provided below for the non-technical reader to see first-hand how easy it is for a criminal to read a clear-text password transmitted over a network:
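The screenshot referred to above is not reproduced here. In its place, the following added example (not the author’s code) makes the same point on the client side of constructed POP3, IMAP, FTP and SMTP sessions, the text one would copy out of Wireshark’s “Follow TCP Stream” view: the credentials fall out with nothing more than string matching and, for SMTP AUTH, Base64 decoding (which is encoding, not encryption). Usernames, passwords and the session transcripts are invented, and the final function shows the reuse across services that the text goes on to warn about.

```python
"""Recover credentials from captured client-side payloads of the clear-text
protocols named in the text (POP3, IMAP, FTP, SMTP AUTH). Added example; the
sessions below are constructed, not a real capture."""
import base64
import re

# Constructed client->server payloads: (destination port, stream text).
# Server replies are omitted, as they would be in a one-direction stream view.
SAMPLE_SESSIONS = [
    (110, "USER jsmith\r\nPASS Genesis1\r\nSTAT\r\nQUIT\r\n"),
    (143, "a001 LOGIN jsmith Genesis1\r\na002 SELECT INBOX\r\n"),
    (21, "USER ftpadmin\r\nPASS Exodus2\r\nPWD\r\n"),
    # AUTH PLAIN carries base64("\0user\0pass"): encoded, not encrypted
    (25, "EHLO laptop\r\nAUTH PLAIN "
         + base64.b64encode(b"\0jsmith\0Genesis1").decode() + "\r\n"),
    # AUTH LOGIN sends the username and password as two separate base64 lines
    (25, "EHLO laptop\r\nAUTH LOGIN\r\n"
         + base64.b64encode(b"jsmith").decode() + "\r\n"
         + base64.b64encode(b"Genesis1").decode() + "\r\n"),
]

# POP3 and FTP share the USER/PASS exchange; PASS may follow other commands
USER_PASS_RE = re.compile(r"^USER (\S+)\r?\n(?:.*\r?\n)*?PASS (\S+)", re.M | re.I)
# IMAP: "<tag> LOGIN <user> <pass>" (quoted/literal forms not handled here)
IMAP_LOGIN_RE = re.compile(r"^\S+ LOGIN (\S+) (\S+)", re.M | re.I)
AUTH_PLAIN_RE = re.compile(r"^AUTH PLAIN (\S+)", re.M | re.I)
AUTH_LOGIN_RE = re.compile(r"^AUTH LOGIN\r?\n(\S+)\r?\n(\S+)", re.M | re.I)


def b64(text):
    return base64.b64decode(text).decode("utf-8", "replace")


def extract(port, payload):
    """Return (protocol, username, password) for one client stream, or None."""
    if port in (110, 21):
        m = USER_PASS_RE.search(payload)
        if m:
            return ("pop3" if port == 110 else "ftp", m.group(1), m.group(2))
    elif port == 143:
        m = IMAP_LOGIN_RE.search(payload)
        if m:
            return ("imap", m.group(1), m.group(2))
    elif port == 25:
        m = AUTH_PLAIN_RE.search(payload)
        if m:
            _authzid, user, password = b64(m.group(1)).split("\0", 2)
            return ("smtp", user, password)
        m = AUTH_LOGIN_RE.search(payload)
        if m:
            return ("smtp", b64(m.group(1)), b64(m.group(2)))
    return None


def harvest(sessions):
    """Credentials from every stream that yielded one, in capture order."""
    return [c for c in (extract(port, text) for port, text in sessions) if c]


def reused_passwords(creds):
    """(user, password) pairs seen on more than one protocol: the reuse the
    text warns about, which turns one POP3 capture into a Windows logon."""
    seen = {}
    for proto, user, password in creds:
        seen.setdefault((user, password), set()).add(proto)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    found = harvest(SAMPLE_SESSIONS)
    for proto, user, password in found:
        print(f"{proto:5} {user}:{password}")
    print("reused:", reused_passwords(found))
```

Nothing here is cryptanalysis; the only “decoding” is Base64. The remedy the text arrives at later, wrapping these protocols in SSL/TLS, is what removes the credentials from this view entirely.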





NOTE: By default Windows 2003 Small Business Server R2 SP2 running the Microsoft Exchange 2003 email server will not use clear text passwords for POP/SMTP authentication. Instead it uses NTLM, a challenge-response scheme (not, strictly speaking, an encryption algorithm) that keeps the password itself off the wire but whose captured exchange can be attacked offline by dictionary or brute force and, where the attacker can fix the server’s challenge, with precomputed tables. This will be discussed later as we address the ability of a criminal to attack this simple security mechanism using the precomputed hash tables known as “rainbow tables.” As computers have become more powerful and less expensive, the use of rainbow tables against the unsalted LM and NT password hashes has become feasible for almost all computer criminals. Tutorials and software to do this are readily available.


Most people think that the capture of an email password is a trivial matter. One user to whom the author explained this fact responded that she did not care if anyone had access to her email. But a criminal does not see mere email access. He/she sees an opportunity to learn about the user’s passwords in general. A captured clear-text password has most likely been re-used by the user elsewhere, as many users re-use passwords. It will most likely be added to a large collection of captured passwords (known as a “dictionary”) and used in an attack. Persons who use a book of the Bible as a password in one instance can be reasonably assumed to use other books of the Bible or religious themes in other passwords. Thus, the criminal can profile the user to deploy a specialized dictionary in guessing passwords.



More importantly, many business owners and their employees now have smartphones or PDAs to communicate, track payroll, log transactions and customer billing information, as well as for other uses. Some of these owners and employees have purchased devices without consulting their IT advisors and soon find that they must use POP email even though their server supports other, more secure methods. In these cases, the employee or owner has also expected their IT support to give them domain administrator privileges over the network. Where a technician is directed to configure, or erroneously configures, the mail server to use a weak encryption option or no encryption, an attacker could gain access to that user’s account. The same username and password used to access the internal POP server will almost always be the same username and password used to log in to the Windows environment at the office. This is also true for file transfers which use the FTP protocol or the SIP protocol used with Voice-Over-IP (VOIP) phone systems.



NOTE:
The author once tried to mitigate this risk when an owner refused the option of an SSL certificate to secure the POP server by using a special user account named [username]_mobile@[domain].com. This account received emails forwarded from the user’s main account and sent emails with the reply-to address of the user’s main email address. However, the complexity confused many technicians and the owner, causing it to be removed in favor of NTLM encryption only. The business in this case was a medical practice and the owner was a member of the domain administrators group. Yet no one in the client’s organization or at the IT services company where the author worked seemed concerned that this represented a real and significant threat. Given that SSL certificates can be purchased for about $30 per year, the chosen course was at a minimum irresponsible if not negligent. Of course, the author concedes this is better than the countless small business owners and their employees who continue to use PDA devices with POP/SMTP accounts that do not even use basic password encryption.


ATTACK STRATEGIES: SELECTING AN OPTION



Attacks can be generally categorized in one of three groups: direct attack, relay attack and remote attack. These strategies can be applied individually or in a concerted, multi-level attack tailored to fit a given set of circumstances. While most attacks will use the direct attack approach, this is due to the limited skill level of most computer criminals. Sophisticated and experienced criminals will use more advanced compound strategies to exploit target networks. The error for a consultant-as-criminal is to evaluate a network from the more advanced attack possibilities rather than assume a direct-attack-only posture. This ensures that the consultant will better assess the true scope of the vulnerability. Later the minimum effort required to attack the network successfully can be assessed to make a cost-benefit analysis for any remedial recommendations.



  • DIRECT ATTACK


    A direct attack is any attack conducted onsite at the target area through a direct connection between the target network and the attacker’s computer/device. Thus, using aircrack-ng with a laptop to gain access to a wireless network is a direct attack. However, a direct attack increases the risk of detection and capture. In some cases, a direct attack increases this risk so much that it is not feasible, necessitating a more creative method of access.



  • RELAY ATTACK


    The two indirect methods of attack are extremely similar. The first is the ‘relay attack’, where access to the target area is possible but limited or requires extreme discretion. These attacks are best suited to situations where the criminal must use a second device to project his access either into a space that he cannot physically access or into a time when the risk of detection would be too high. This ‘relay kit’ is then accessed remotely from another network, wireless signal or over the internet. In the test phase of this project, the author developed such a kit (described earlier) using a laptop, backpack, inverter and car battery. He customized shell scripts on this relay unit to automate the WEP/WPA-PSK crack procedure described in Appendix B and successfully compromised a test-target network.



  • REMOTE ATTACK



    The third method of attack is the remote attack. This is not simply a person accessing the network over the internet, as such would technically be a direct attack. Instead the remote attack (often used by those distributing viruses, Trojans and other malicious software) is aimed at first gaining access to an external trusted device and then using that device to conduct a relay attack. The person who carries, owns or uses the compromised device in a remote attack is often unaware of their complicity in the attack. They proceed as usual to conduct business while giving access to the attacker in the background. Both remote and relay attacks can be first-stage strategies to gain access beyond the perimeter, or, as demonstrated in the next chapter, a remote or relay attack can be the second-stage strategy for penetration-in-depth.



SCENARIO #1: “RESTAURANT ATTACK”



We will start in our consultant-as-criminal role, assuming the title of ‘free-loader’ and aiming to get free internet from a target wireless network while we enjoy a warm lunch at a local restaurant. Technologically this attack does not differ from any other attack on a wireless network. Here, we will have only the following basic gear:




  • Laptop

  • BackTrack3 Live DVD

  • Wireless Network Adapter





Acknowledgement: The author would like to anonymously thank the IT professional and business owner who agreed to test this scenario. I am sure this was a lunch we all will remember for a long time. NOTE: Several business owners and IT professionals agreed to participate in this project. In return the author has promised each business owner that his/her name, company, SSID or other information will never be disclosed as this could attract negative publicity and other attackers. Thus, any names of companies, SSIDs or other identifying information are pure fiction created for illustrative purposes only. Whatever resemblance to actual persons, organizations or entities is pure coincidence. The author would like to thank many frustrated IT support persons for their participation. In one case, the owner did not tell the IT professional what the meeting was about and the author wishes to both apologize to and thank that person for her participation and later advice. It was never the author’s intent to blind-side anyone in this research.

Our strategy is simple. It is lunchtime and we enter a local restaurant with our laptop. We ask for a seat that has an electrical outlet for additional power and we order the daily special. So far, we have done nothing more than establish a solid ‘roost’ to work from with endless power to sustain our operation. In theory we could remain for hours in this roost to attack and exploit the target network. But as free-loaders we are motivated to find quick, easy internet access. We power on our laptop and soon find three small business networks in the area. Our first move is to assess these networks in terms of weakness and signal strength to find the optimal target. The first network ("ACME Auto") has a 20% signal strength and is protected by the original WEP protocol. This is a weak network but its signal strength will require more time to crack. On the other hand, the second network has an 80% signal strength and is protected by the stronger-but-vulnerable WPA-PSK protocol. Its signal strength makes it a great target and the use of a pre-shared key (PSK) makes it vulnerable. But the time required to crack WPA makes us look at the third network. This network has a 70% signal strength and uses the same WEP protocol implemented on the first network. As free-loaders we would probably attack the third network. Unfortunately the network we were authorized to crack was the ACME Auto wireless. Given that the third network was most likely a residential connection with little more than an internet connection to offer, only a freeloader would consider it a worthwhile objective. Obviously no small business owner reading this page wants to be that third network, though many are. This is just a retelling of a field experiment. The fact that the weakest network was a residential connection is pure coincidence. There are many other cases the author has found where businesses use WEP.



Our challenge in this case increased over that of a typical freeloader, but it was nonetheless feasible. Using the laptop we executed our WEP-cracking procedure (see “Procedure: Cracking WEP/WPA-PSK” in the appendices). The attack required a little more than one hour to obtain the WEP key but it was nonetheless successful. Soon we had access to ACME Auto, but our owner was not completely convinced that we were not pulling some technological smoke-and-mirrors game. To “prove” our attack the owner agreed to allow the author to access his workstation and change the desktop picture. We did this using the Metasploit Framework and proved not only that we could access his wireless network as freeloaders but that we could obtain “unauthorized” access to a computer on his network used to conduct auto sales and make changes to that computer.



The above attack scenario was verified by the author with two other clients of the author’s IT professional friend. In all cases, the networks were quickly secured using WPA with either AES or AES+TKIP. Those networks that could support RADIUS were adapted to do so. But in each case, the wireless networks using WEP or WPA-PSK were compromised, though networks using WPA-PSK with large, random pre-shared keys were harder to crack and required longer times. This proved that an attack on WPA-PSK is less likely to succeed within the short time frame of a lunch break but nonetheless is possible for those who have longer attack windows—such as neighbors or employees.



SCENARIO #2: “WIRELESS RELAY ATTACK”




A relay attack is more complex than a direct attack. This is not the strategy the author can see any free-loader employing for mere internet access. In fact, most vandals would not have the patience or aptitude to apply the relay strategy. This approach is pretty much geared toward high-tech, sophisticated criminals such as the thief. We must apply greater technical skill, a few more resources and a strong tactical plan if we are to succeed. That means we have four objectives: (a) Prepare a wireless relay station, (b) Deploy this wireless relay station to the target site, (c) Connect to and remotely control and/or monitor the relay station during the attack process, and finally (d) Recover the relay station following a successful attack.



In July 2009, with the help of a friend, the author was introduced to a business owner who was interested in the author’s research. He agreed that his network was not secure—using WEP—but maintained that no person could get reasonably close enough to the network without drawing attention to themselves. As an attorney, this owner was out to prove his case when he agreed to walk through the floor of his office building while the author used NetStumbler to map out the range of his network and assess the feasibility of an attack. In the end he had to admit that a direct attack was not feasible under the circumstances. But the author argued that a relay attack would succeed. The owner-attorney accepted the challenge and the two scheduled the attack to take place on the following Friday afternoon.



The author and attorney met for lunch at the Subway sandwich shop on Congress Avenue in downtown Austin, Texas. There, they discussed the attack the author had planned and agreed that the author would conduct the attack with the owner-attorney present in case security became curious. The two then walked from the restaurant south on Congress to the skyscraper where the owner-attorney’s office was located. As they approached the building, the author pointed out the surveillance cameras watching the building’s approaches. Both the author and the attorney agreed that any determined criminal would not enter the building himself. Both speculated that an attacker would use an accomplice (probably a kid wanting to ‘make a name for himself’) to carry out the relay deployment scenario. As the attorney and author entered the building, they did discuss the skewed nature of the attack. The author might attract attention alone that he would not attract in the company of the attorney. Yet, the attorney did concede that many visitors do enter the office tower each day without scrutiny.



Once the author and attorney arrived at the floor where the target law office was located, the author walked directly to the restrooms where he deployed the “relay kit” for the duration of the attack. The author had seen the restrooms during his prior visit. An otherwise unfamiliar attacker would have had to identify this quickly while determining if any of the other doors could be used for the attack. Fortunately one of these doors was a publicly accessible restroom with a tile ceiling. Mounting the ‘relay kit’ was the riskiest operation. This entire operation required twenty minutes. It is likely that with practice it could have been done in less time, but the fact that the author was not caught says this is a relatively solid strategy. All told, the procedure went as follows:



“RELAY KIT” MOUNTING PROCEDURE USED IN JULY 2009



  • Enter the restroom and find an empty stall with ready access to the ceiling.

  • Enter the stall and place the backpack on the toilet.

  • Open the backpack and power-on the laptop, ensuring it successfully boots the Ubuntu Linux system image pre-installed.

  • Observe as the system initiates an auto-login and the attack-automation scripts begin to execute.

  • Close the package and prepare the kit for deployment above the ceiling tiles.

  • Climb up the restroom stall side panel and wedge in the body to position self for deployment.

  • Shift the ceiling tiles to the side, exposing the plenum and suspension wires.

  • Attach a small clamp to the suspension cable and tighten the tension screw.

  • Use nylon cord attached to relay kit to hoist kit up to a position for placement.

  • Lift the kit in place and use the nylon cord to hang the kit from the clamp affixed to the suspension cables.

  • Test the weight to ensure the kit will not overcome the load capacity of the ceiling suspension cables.

  • Store the remaining nylon cable in the open space above the tiles.

  • Re-position the ceiling tiles and exfiltrate the area.



Once the ‘relay kit’ was properly installed, the author went with the owner into his office to conduct the remainder of the attack. In a real scenario, this part would have been done off-premises by the actual attacker as the accomplice made his/her getaway. Nonetheless, the owner and author used a second laptop to access the ‘relay kit’ via a second wifi interface on the relay kit. From this position, the author was able to use SSH to conduct the relay attack. In under 30 minutes the attacker had the WEP key and was connecting to the network. The attorney was amazed to watch the author connect to his PC using DameWare. Satisfied that the attack was both feasible and represented a significant threat to his business, the attorney decided to take the author’s recommendation. He contacted the person who had introduced them and agreed to allow the wireless network to be re-configured to use WPA2(AES+TKIP) while the author went to recover the relay kit.


As we have discussed, the above scenario was limited in many ways from a real attack. This does violate the author’s earlier promise that these scenarios would be as realistic as possible. However, no opportunity presented itself to test this strategy realistically as either no willing parties could be found or the situation presented too great a risk to the author, who had no desire for a run-in with law enforcement, building security or a property owner.
In a real attack, the professional criminal would have recruited some third party to deploy the relay kit. This person would probably be a ‘vandal’ who seeks the respect of the criminal and carries out the plan in order to ‘prove’ himself/herself. This accomplice would ensure that the criminal’s face does not appear on any surveillance cameras. Instead the cameras would show the intruder with his backpack—possibly looking like an intern or maybe even dressed as an interviewee—entering the premises for recon one day, coached by the attacker. Later, after the criminal prepares the ‘relay kit,’ the accomplice would return (perhaps with a second person as a look-out) to deploy the kit.
Once the relay kit is deployed the criminal attacker will use remote means to access and connect to the laptop. Most likely this will require a daemon running on the relay kit computer to connect to the internet and establish a VPN or other connection to the attacker’s staging network. From this staging network the attacker will coordinate the remaining attack procedures. Most likely the attacker will seek to establish a ‘foothold’ on the network by installing remote-access software on a vulnerable device to allow continued access once the relay kit is removed. Once the ‘foothold’ is in place, the accomplice will be deployed to retrieve the relay kit and no one will know of the attacker’s backdoor access. This recovery operation has two objectives—



SCENARIO #3: “REMOTE ATTACK”



In August 2009 the author had shared an earlier book written for this project with an associate who criticized the hypothetical of a remote attack. He claimed that no IT professional would fall for something this obvious. The author accepted the challenge and asked permission to conduct an attack on the associate’s computer. The associate agreed and the game began. Two weeks later the author called the associate and asked for “help” with a technical issue. The associate, an expert in the area the author was “having a problem,” had a little time and was intrigued by the fictitious programming problem. He agreed to look at the problem closer once he was at home. Later that evening, the author posted the program for download. Without fail his friend downloaded the program and launched it only to encounter a fictitious error created by the author. The associate fumbled with the program for a few minutes, perplexed. He was unaware that every password stored on his home computer had been potentially compromised. The program sent to the associate had collected the user hashes for every user account on the system. Those hashes were then emailed to the author using a dead drop account, which the author accessed to download the data. Using these hashes, the author passed the information through a program called ‘rcrack’ which uses rainbow tables to decode usernames and passwords. This information was then transmitted back to the associate who has since conceded that even seasoned IT professionals are vulnerable. For those who still have their doubts, run any of the password recovery programs from NirSoft on your computer to see how much information is stored on the average computer which an attacker could exploit. In the case of the associate, the author’s program could have just as easily installed a remote-access service, key logger or other threat.



SCENARIO #4: “ATTACK OVER WIRED NETWORKS”



The author has demonstrated that WEP/WPA-PSK wireless networks are not secure and should not be trusted. Regardless of the strategy used to penetrate the wireless perimeter, WEP/WPA-PSK is not adequate for home or office. In fact, security-conscious businesses should require that their IT standards extend to the home networks of any remote workers or persons who take work/computers home with them. These standards should require the use of WPA2 (AES) at a minimum and the use of built-in RADIUS servers where possible. In fact, dedicated business network devices would provide added protection. But wireless networking is not the only hole to be found in the perimeter. Wired internet connections can be compromised as well.


Enter the attacker with a simple port scanner (such as nmap). This individual has compromised a third-party network which he/she will use as his/her staging area. We will refer to this as his/her “roost.” It is his/her operating base for the attack. From this location, he/she can anonymously attack another network with little fear of capture. His/her risk will increase if he/she continues to use the same roost more than once. Like a sniper, he/she must attack only a certain number of times from this position before relocating to another site.


Enter the criminal attacker’s plan—identify vulnerable network services and exploit the weaknesses in these services to gain entry into the perimeter. First the attacker must find this perimeter on the internet. Much as a burglar must find an address to rob a specific target, the computer criminal must find the internet address (or “IP”) assigned to the network. In most businesses this is not hard, since the business will often have a static public IP and an internal mail server. This internal mail server will require a few special DNS records to be configured for the email system to work in accordance with the rules of the internet—known as the RFCs. These special DNS records include the mail exchange (MX) record, which points other mail servers seeking the business’ email servers to the network where the mail servers are located. The DNS records also include the reverse lookup (PTR) record, which maps the IP address of the network (such as 4.2.2.2) back to a DNS name (such as ‘google.com’). MX and PTR records cannot be avoided. But unfortunately they can be used to identify a network on the open internet.


Our criminal attacker starts this reconnaissance process by searching for the company’s online identity. Using Google, the attacker finds that the company ACME Funeral Services has a web site located at the URL http://acmefunerals.com. The attacker now has a starting point. He uses the following procedure to learn more about this domain name:




  1. Open a command shell.
  2. Type ‘nslookup’ and press enter.
  3. The nslookup utility will start and the ‘>’ prompt will await further input.
  4. Type ‘set type=MX’ and press enter.
  5. Enter the domain name for our target network and press enter.
  6. nslookup returns information about the network that will receive any mail sent to the given domain name. [NOTE: in the following example, the MX record for samcaldwell.info forwards emails to a server named dns.jomax.net (which is operated by Godaddy.com).]
  7. Typically the MX record lookup will return a ‘mail.acmefunerals.com’ address.
  8. We then look up the IP address for that DNS record by performing a lookup of the A record for ‘mail.acmefunerals.com.’
  9. Type ‘set type=a’ and press enter.
  10. Type ‘mail.acmefunerals.com’ and press enter.
  11. nslookup returns an IP address for this A record: 235.231.212.225 (this IP is a fictitious example).
  12. We now correlate that IP address to determine if the PTR record supports our finding. After all, we could otherwise end up attacking a spam filtering service.
  13. Type ‘set type=PTR’ and press enter.
  14. Enter the IP address discovered above and press enter.
  15. The PTR record is returned. This should reference the mail domain.

NOTE:
One might use this IP address with the telnet utility to connect to the mail server and test operation thereof as a final check. As per the RFCs, this address should respond to a lookup for the mail box postmaster@[domain], etc.
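The same MX, A and PTR walk is what an administrator runs against his or her own domain to confirm that the records the RFCs require point where they should. The Python below is an added example, not part of the original text and not nslookup: it performs the walk over a constructed record set (the acmefunerals.com records and 235.231.212.225 are fictitious, as the text says; the other zones are invented here) and classifies whether the domain's mail is received on-site, by a third-party host such as a filtering service, or by a host that has no PTR record at all.

```python
"""Walk MX -> A -> PTR over a constructed record set and report where a domain's mail lands.

Added example. RECORDS is invented zone data (the text already calls 235.231.212.225
fictitious; the other names and addresses are made up here). With a real resolver
the same walk is an administrator's check that forward and reverse DNS agree.
"""
import ipaddress

# (owner name, record type) -> list of values. MX values are (preference, host).
RECORDS = {
    ("acmefunerals.com.", "MX"): [(10, "mail.acmefunerals.com.")],
    ("mail.acmefunerals.com.", "A"): ["235.231.212.225"],
    ("225.212.231.235.in-addr.arpa.", "PTR"): ["mail.acmefunerals.com."],
    # A domain whose mail is received by a hosted filtering service.
    ("example.test.", "MX"): [(10, "mx1.filter-provider.test."),
                              (20, "mx2.filter-provider.test.")],
    ("mx1.filter-provider.test.", "A"): ["198.51.100.7"],
    ("mx2.filter-provider.test.", "A"): ["198.51.100.8"],
    ("7.100.51.198.in-addr.arpa.", "PTR"): ["mx1.filter-provider.test."],
    ("8.100.51.198.in-addr.arpa.", "PTR"): ["mx2.filter-provider.test."],
    # A domain whose administrator forgot the PTR record.
    ("nopointer.test.", "MX"): [(10, "mail.nopointer.test.")],
    ("mail.nopointer.test.", "A"): ["203.0.113.9"],
}


def fqdn(name):
    """Normalise a name to lower case with a trailing dot so comparisons are exact."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def lookup(records, name, rtype):
    return records.get((fqdn(name), rtype), [])


def reverse_name(ip):
    """'235.231.212.225' -> '225.212.231.235.in-addr.arpa.' (IPv6 works as well)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def trace_mail_hosts(records, domain):
    """The MX, A and PTR steps of the procedure: each MX host, its addresses, each address's PTR."""
    hosts = []
    for preference, mx in sorted(lookup(records, domain, "MX")):
        for ip in lookup(records, mx, "A"):
            ptrs = [fqdn(p) for p in lookup(records, reverse_name(ip), "PTR")]
            hosts.append({
                "preference": preference,
                "mx": fqdn(mx),
                "ip": ip,
                "ptr": ptrs,
                "ptr_matches_mx": fqdn(mx) in ptrs,
                # True when the reverse name lives under the domain itself, i.e.
                # the mail server sits on the business's own network.
                "in_domain": any(p.endswith("." + fqdn(domain)) for p in ptrs),
            })
    return hosts


def classify(records, domain):
    """Summarise: on-site, off-site (third-party host), ptr-missing, or no-mx."""
    hosts = trace_mail_hosts(records, domain)
    if not hosts:
        return "no-mx"
    if any(not h["ptr"] for h in hosts):
        return "ptr-missing"
    if all(h["in_domain"] for h in hosts):
        return "on-site"
    return "off-site"


if __name__ == "__main__":
    for domain in ("acmefunerals.com", "example.test", "nopointer.test"):
        print(domain, classify(RECORDS, domain))
        for h in trace_mail_hosts(RECORDS, domain):
            print("  ", h["mx"], h["ip"], h["ptr"] or "(no PTR)")
```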



The attacker has reversed the mail address to find the target network according to DNS. Yet he/she has not positively identified the network. He/she might look up the IP address using an IP locator to identify the Internet Service Provider. Using some basic social engineering skills, the attacker will be able to confirm that the target network has the same ISP, meaning the target network is most likely referenced by the earlier discovered IP address.


With the perimeter identified, the attacker next moves to scan the perimeter for weaknesses. Much as a wireless network is made vulnerable by poorly implemented technology, wired networks are also weakened by improperly managed/configured services. Our attacker will find these holes using a ‘port scanner’ utility such as nmap. The scan of 235.231.212.225 shows our criminal that the following ports are open—that is, the ports are allowing access to some device listening and responding on the other (internal) side of the firewall.



Discovered Open Ports

Port   Name    Description
25     SMTP    Mail Relay/Transport
80     HTTP    Unsecured Web Services
443    HTTPS   Secured Web Services (SSL)
21     FTP     File Transfer Protocol (Unsecured)
110    POP     Incoming Email (Unsecured)
5060   SIP     Session Initiation Protocol (VOIP) (Unsecured)

See RFC 1700 for a list of application layer port numbers.



The attacker knows that he/she can attack ports 25, 21, 110 and 5060 most easily since these protocols transmit usernames and passwords in ‘clear text.’ He must only intercept the traffic. This part is more challenging but possible. The criminal soon finds that the business owner uses POP/SMTP to check his email. POP/SMTP is also used by the company salesperson to receive email on her PDA device. The attacker next uses the telnet command to view the email server’s welcome banner (type “telnet acmefunerals.com 25” into a command shell and press enter):



220 acmefunerals.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at [time stamp]


From this banner, the attacker knows the mail server is a Microsoft Exchange 2003 Server running on a Windows 2003 Small Business platform. This may tell an attacker that the POP/SMTP or FTP credentials used with this network are more than likely the same Active Directory user credentials used with the rest of the network. Once he/she compromises the POP/SMTP or FTP credentials, the rest of the network will be laid open to the permissions of the compromised user. All that is required is a small number of interactions with the users over these unsecure protocols and the stage is set for the attack.
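As an added example (not the author's tool and not nmap output), the Python below turns the two artifacts above, the open-port list and the SMTP banner, into the findings an administrator would act on: it parses constructed nmap-style output modelled on the port table, flags the ports whose default authentication is clear text together with the encrypted replacement for each, and extracts the product and version string the banner discloses. The port-to-replacement mapping is general knowledge about these protocols, not something the text states.

```python
"""Turn a port scan and an SMTP banner into defender findings.

Added example. The nmap-style text is constructed to match the port table in the
text; the banner is the one quoted in the text. The port-to-replacement table is
general knowledge about these protocols, not something the text states.
"""
import re

# Ports whose default authentication carries the credential in clear text, with
# the encrypted service an administrator would expose instead.
CLEARTEXT_AUTH = {
    21:   ("FTP",  "SFTP over SSH (tcp/22) or FTPS"),
    25:   ("SMTP", "client submission over STARTTLS or SMTPS; leave 25 for server-to-server mail"),
    110:  ("POP3", "POP3 over TLS (tcp/995) or POP3 with STLS"),
    143:  ("IMAP", "IMAP over TLS (tcp/993) or IMAP with STARTTLS"),
    5060: ("SIP",  "SIP over TLS (tcp/5061) with SRTP for the media"),
}

# Constructed nmap-style output for the fictitious host 235.231.212.225.
SCAN_OUTPUT = """\
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
80/tcp   open  http
110/tcp  open  pop3
443/tcp  open  https
5060/tcp open  sip
"""

# The banner quoted in the text.
SMTP_BANNER = ("220 acmefunerals.com Microsoft ESMTP MAIL Service, "
               "Version: 6.0.3790.3959 ready at [time stamp]")

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")
BANNER = re.compile(r"^220\s+(?P<host>\S+)\s+(?P<product>.+?)"
                    r"(?:,\s*Version:\s*(?P<version>[\d.]+))?\s+ready\b")


def parse_open_ports(text):
    """Return [(port, service), ...] for every line nmap reports as open."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports.append((int(m.group(1)), m.group(3)))
    return ports


def audit_ports(open_ports):
    """One finding per open port that authenticates in clear text."""
    findings = []
    for port, _service in open_ports:
        if port in CLEARTEXT_AUTH:
            name, replacement = CLEARTEXT_AUTH[port]
            findings.append({"port": port, "service": name,
                             "risk": "username and password cross the internet in clear text",
                             "recommendation": replacement})
    return findings


def parse_smtp_banner(banner):
    """Extract host, product and version from a 220 greeting; None if it does not parse."""
    m = BANNER.match(banner)
    return m.groupdict() if m else None


def audit_banner(banner):
    """A version string in the greeting tells anyone who connects exactly what to look up."""
    info = parse_smtp_banner(banner)
    if info and info["version"]:
        return {"risk": "software version disclosed in SMTP banner",
                "product": info["product"], "version": info["version"],
                "recommendation": "set a neutral banner; patching is what removes the exposure"}
    return None


if __name__ == "__main__":
    for f in audit_ports(parse_open_ports(SCAN_OUTPUT)):
        print("tcp/%d %s: %s -> %s" % (f["port"], f["service"], f["risk"], f["recommendation"]))
    print(audit_banner(SMTP_BANNER))
```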



The criminal may take two avenues: (1) tap a wired connection outside the firewall and use a packet sniffer to read the cleartext passwords or (2) intercept traffic on the remote network(s) used by the end users to connect to their vulnerable services. In the case of ACME Funerals, we might seek to compromise the owner’s home computer, where he also receives work email, or we might use a directional antenna to intercept traffic from the sales person’s PDA and sniff out the POP/SMTP passwords.



Given that we know (from the mail server’s banner text) that the company uses a small business server, we know that almost all services are on the same server. Once we have sniffed the packets and found the username and password of the sales person, we proceed to access the person’s FTP account. We navigate through the FTP server directory structure and find that our access is limited to the sales folder only. Thus we rename our remote-access software “CRITICAL SALES OPPORTUNITY.XLS.EXE” and upload the file to the FTP server. When the sales person sees the file, he will be tempted to open it—but may never do so. This is just one opportunity for our access. As the reader should see, gaining wired access is harder than wireless access.



Our next opportunity comes from the Exchange webmail (or “Outlook Web Access”) which may or may not explain the exposed ports 80 and 443. We may log into this console at our leisure using the sales person’s credentials and access all of the person’s contacts, emails and public folders. For the vandal this might include sending embarrassing messages. But for the thief this could be a simple means of spamming the community.



Our last opportunity allows us to compromise the business owner—whom we know most likely runs under administrative permissions. The criminal learns that the target company’s owner frequents a local coffee shop to meet with a group of other business owners. The criminal decides that his best hope is to sit in his car, using Wireshark to sniff the public 802.11 wireless network at the coffee shop, waiting for the owner to check his email. Once this is done, the packets containing the username and password will be captured. With this username and password, the criminal now has complete control over the target network.


SCENARIO #5: “STEALING LICENSE KEYS”



Many criminals, especially freeloaders, do not see a need to observe copyright. This seems like a victimless crime, but recently on IRC, the author encountered an individual who asked others in the chat room if anyone knew how he could get a license key for Windows XP. Another user suggested the person try using BitTorrent to find a cracked corporate license, which the individual said he would try. This naturally led the author to ask himself “How do people get these corporate license keys to begin with?” Software piracy is a serious offense that can land people in jail and expose them to huge fines, but where does the illegal key come from? Naturally the first suspect to come to mind is the IT staff member at some company who takes a license home for personal use and later tells a friend “Hey, just use this one…but you know, keep it to yourself.” That, we all know, never happens. But the author started to wonder about other means to steal license keys. While he could not find any evidence that the scenario presented in this section is being actively or widely practiced, it is a feasible security risk that should concern both large and small organizations given the fines that are associated with software piracy.



Any owner or IT professional who carefully examines the Microsoft End-User License Agreement accepted by using Microsoft products will find that it is the end-user organization’s responsibility to prevent the proliferation of illegal copies of the product. This means that if an organization has X licenses of, say, Windows XP Professional and that license key makes its way to BitTorrent for public download by users worldwide, the organization itself may be held responsible for fines which can range from $150,000 to $200,000 per software title. This naturally led the author to speculate that this risk could be a greater danger if there were a strategy that the external, unknown criminal could use to steal license keys.



It did not take much of a leap of imagination to connect the tools many technicians use to recover license keys with the criminal community, which we have already proved can potentially gain unauthorized access to a company’s computer systems. Tools such as “Magical Jellybean Key Finder” are familiar to all computer technicians who have faced a situation where a legally licensed software package must be reinstalled but the client does not have the license key on hand. Yet these tools can be scripted and run remotely. In some cases these tools can be run remotely without user knowledge. In these scenarios it is more than feasible that a criminal with unauthorized access to a network could steal the license keys from a small business’s computer systems and sell those keys on the black market.



Naturally the author would not make this statement without testing the scenario. Given the legal constraints, the author created a test network using his home office and Microsoft TechNet subscription. The network consisted of a wireless network using WPA-PSK, a Windows XP Professional computer and a Windows Small Business Server 2003 virtual machine configured as a domain controller. Once the network was properly configured (using default settings where possible) and all systems were patched with the latest service packs and other protective measures, the author asked an associate to remote into his test network and change all passwords, IP addresses and wireless pre-shared keys. The author then conducted the attack using his basic kit from the comfort of his back porch with a signal strength of forty percent. In two hours the wireless security had been compromised and the author had access to the test network. (WPA-PSK was not broken as a protocol; its strength is the strength of the passphrase, because an attacker who records the four-way handshake can test guesses against it offline.) Using the steps described later in the “penetration-in-depth” chapter of this book, the author was able to gain local administrator access to the Windows XP workstation and install Magical Jellybean, which he ran to reveal the license key used on this system. Copying that key, the author completed the attack in less than an hour after gaining access. Expanding this test, the author lifted keys for Microsoft Office and other software titles he had licenses to use. He then ran the test against his own workstation and managed to “steal” over $1,200 in software within a single afternoon.


SCENARIO #6: “SOCIAL ENGINEERING: THE GEEK CON-ARTIST”







CON ARTIST (PLURAL CON ARTISTS)

“A person who defrauds or swindles others after first gaining their trust; a scam operator.”

(Source: http://en.wiktionary.org/wiki/con_artist)





Con artists are well known in society. Hollywood has made the con artist a hero, a villain and a stereotype. The author recently went to downtown Austin to find out what one hundred people thought of first when they heard the words “con artist.” Most said “telemarketer,” “lawyer” or “politician.” No one said “computer criminal,” “computer geek” or anything about social engineering.



SOCIAL EXPERIMENT

Response               % Responding
Telemarketer           30
Lawyer                 21
Politician             11
Used Car Salesman       9
Ex-Spouse               7
Other                  22
Total                 100



Note: This experiment was conducted in mid-July 2009. The author walked from the intersection of Oltorf and Congress north to 11th and Congress randomly asking 100 persons to say the first thing that came to mind when they heard the words “blue,” “happy,” and “con-artist.” No participants were told anything other than “My name is Sam Caldwell. I am doing a research study on human response, may I ask for your help?” Participants who agreed, and most did, were then asked to say the first thing that came to mind when the author said a word.



“Social engineering” is the glamorous term for con-artistry used to gather the information needed to gain unauthorized access to a computer system, commit fraud and so on. It takes many forms: calls to customer service under a false pretext, deceptive interviews with a company to learn its internal procedures, dumpster diving, phishing and fraudulent solicitation. Of the various strategies used to gain unauthorized access to a computer network, social engineering is the most successful. Unfortunately for the criminal it is also the most risky and the most likely to result in capture, because it requires some level of interaction with people who might later identify the criminal.



The informative website SecurityFocus.com has an excellent story demonstrating social engineering at a large shipping company:



SOCIAL ENGINEERING FUNDAMENTALS, PART I: HACKER TACTICS


BY SARAH GRANGER (LAST UPDATED DECEMBER 18, 2001)

A TRUE STORY


One morning a few years back, a group of strangers walked into a large shipping firm and walked out with access to the firm’s entire corporate network. How did they do it? By obtaining small amounts of access, bit by bit, from a number of different employees in that firm. First, they did research about the company for two days before even attempting to set foot on the premises. For example, they learned key employees’ names by calling HR. Next, they pretended to lose their key to the front door, and a man let them in. Then they "lost" their identity badges when entering the third floor secured area, smiled, and a friendly employee opened the door for them.



The strangers knew the CFO was out of town, so they were able to enter his office and obtain financial data off his unlocked computer. They dug through the corporate trash, finding all kinds of useful documents. They asked a janitor for a garbage pail in which to place their contents and carried all of this data out of the building in their hands. The strangers had studied the CFO's voice, so they were able to phone, pretending to be the CFO, in a rush, desperately in need of his network password. From there, they used regular technical hacking tools to gain super-user access into the system.


In this case, the strangers were network consultants performing a security audit for the CFO without any other employees' knowledge. They were never given any privileged information from the CFO but were able to obtain all the access they wanted through social engineering. (This story was recounted by Kapil Raina, currently a security expert at Verisign and co-author of mCommerce Security: A Beginner's Guide, based on an actual workplace experience with a previous employer.)


(Quoted on 12 September 2009 from http://www.securityfocus.com/infocus/1527 with minor format changes.)





This story demonstrates how easily a criminal attacker can use social engineering to compromise a security-conscious large corporation. A small business owner must wonder how much easier it would be to use social engineering on a small company. With the permission of one business owner, the author conducted an experiment to find out. He started with an online search for information about the business. The company’s website gave him the business’s name, address and contact information. The Texas Comptroller’s taxable entities database gave him the company’s name, taxpayer ID number, file number and owner contact information. A Google search revealed that the owner had made several regular contributions to the National Republican Congressional Committee. The owner then agreed to allow a test of the employees. The author called the company and asked to speak with someone in public relations or marketing; after all, marketing and public relations people love it when the community comes calling with free publicity. Using the not-quite-false pretext that he was writing an article on how the computer needs of Austin small businesses differ from those of big corporations, the author coaxed the office manager into a fifteen-minute interview consisting of the following questions:



INTERVIEW QUESTIONS WITH A SMALL BUSINESS OFFICE MANAGER


Question: How many computers do you have?

Answer: We have three computers in the office and two point-of-sale terminals up front.

Question: Do you have any servers?

Answer: I am not sure. I think so. But that would be a question for Allen, our computer guy.

Question: Do you have in-house IT people or do you outsource your IT services?

Answer: We have a local company, [name omitted], that takes care of that. They take really good care of us.

Question: What is your biggest concern with computers?

Answer: Well…making sure they are running.

Question: How many outages do you have in a given month?

Answer: Maybe one or two if the power goes out or something. Really we don’t have many problems.

Question: Do you pay a flat fee for managed computer services or do you work with [name omitted] on a pay-as-you-go basis?

Answer: We pay as we go, but they have this thing where we buy blocks of time each month. They usually come out once a week to make sure we are okay and we call them if there is an emergency.

Question: How often do you need computer services?

Answer: Not really that often. We had someone out yesterday, but that was about it.

Question: I am not sure this applies to you, but does your IT services company carry any badge or other way for your customers to know they are an authorized vendor in your organization?

Answer: Uhmm…not really. They have business cards, I think.

Question: Do you have a disaster recovery plan in the event of a catastrophe?

Answer: [Pause]…I would have to check on that.

Question: How important is backing up data for your business?

Answer: We back up every day to a little thingy under our counter. I am not sure what to call it.

Question: Last question: what is the biggest difference you see between big businesses and small businesses in terms of computers?

Answer: Well we don’t have the money to spend on the latest things. Our computers are pretty old…seven or eight years….and we just have to make do with what we have. For us it’s a choice between growing and buying stuff we don’t really need.



For the most part these questions seem simple and harmless. The office manager was more than happy to hear that her business would be mentioned in a published article, which wasn’t exactly a lie. The owner reviewed the questions that evening and also saw no harm in anything the office manager had said. The same afternoon the author went to the IT services company and spoke with a technician about pricing for a new custom-built PC. The company appeared to have only three to five employees. All were dressed in business casual attire that looked professional but did not identify them as employees of the company. When the author was ready to leave he asked one employee, a gentleman named Mark, for a business card. Mark was happy to provide one and promised the author a good deal on the computer he wanted. Inspecting the card, the author noticed that it carried no employee’s name; it was a generic company business card.



The author, however, was not interested in purchasing a computer. He had just created a scenario whereby he could secure access to the target company using a false pretext that many criminals are all too willing to use: the “I’m-with-I.T.” card. Before doing anything, the author talked with the business owner about what he planned, and the owner agreed to be out of the office when the attack happened. They also agreed to contact the IT services company and meet first to ensure no one would be too upset if this worked. As expected, the IT company’s owner was not happy to be under scrutiny, but the business owner was agreeable, and the author emphasized that he was trying to help the IT consulting industry and small businesses as a whole. The IT company’s owner went along but promised no cooperation, which is what the author had wanted. He also assured the business owner that anything the author did was not covered by any warranty and would be billed hourly outside of their existing contract.



The author was afraid the IT company would tip off the client’s employees and decided to carry out the attack that same afternoon rather than the following day as planned. The owner conceded the point and went home, while the author drove to the company. He entered the store and presented the business card, saying “Hi. My name is Sam. I am a tech with [company omitted]. The office sent me to do a weekly test of the backups and such. Is everything running okay this week?” The college student at the front desk smiled awkwardly and asked where “Allen” was. From the phone interview with the office manager, the author knew “Allen” was the regular technician who took care of the client. The author shrugged, “I’m kind of new here. I think they said he was out sick or something this week.” The employee nodded and said she would get the office manager.



The office manager was more skeptical. She explained that she had previously told the IT company that she only wanted Allen, but when the author explained that Allen was out sick and had scheduled the author to do nothing more than check the backup tapes, the office manager finally gave in rather than confront what to her probably appeared to be just another cog in the machine. She instead showed the author the external hard disk sitting under the front counter next to one of the POS terminals. The author went through the motions of verifying that it had power and was accessible from Windows. He then opened the backup software and checked the logs. Then he stopped to observe that no one was paying attention. Checking the system, he found that the computer was a stand-alone workstation running point-of-sale software under a local administrator account. While standing there unsupervised he could have installed a remote agent, as could any employee, without interruption. After twenty minutes the author left on foot and called the owner.
The owner explained that when the office manager came back to the front and found the author gone, she had called the IT services company, which denied that the author was an employee. The owner had defused the situation. In the end the IT services provider claimed there was no risk, since the office manager had in fact called to verify the author’s identity, but the office manager later admitted that she had left the author unattended at the computer terminal while she debated whether or not to call. The employee working the front counter also admitted that she had left the author unattended when she went to the restroom. She did not find it strange that the author left without having her sign paperwork for the ‘service call’ until this was pointed out to her. Only the owner seems to have appreciated this exercise. The author still owes him lunch as of this writing as a way of saying thank you for helping with the project.



Readers should walk away from this section with a cold feeling. As IT consultants we must do a better job of carrying photo-bearing credentials which identify us as employees of our organizations, and as business owners we should expect no less than this minimum respect for the safety and security of the business. Employee training and clearly defined policy are critical: a simple verification procedure, such as calling the provider back on a number the business already has on file before granting access and never leaving a visitor alone at a terminal, would have stopped this attack at the front counter. There is no security technology which will protect a business in this situation. Even had there been a video camera watching the author at the computer terminal, it would have deterred only a few criminals. Others would have risked it, as is evidenced every time a convenience store is robbed. Many criminals know that a lot of small businesses use fake cameras; these cheap shells are intended to scare intruders, but they have become so prevalent that they can often be spotted. In other cases the criminal simply feels it is worth the risk. Poor image quality and other weaknesses of low-cost cameras further weaken their deterrent value and lead to a false feeling of security.


SCENARIO #7: “CAMERAS AND WIRELESS NETWORKS”




Recently, while chatting with others on IRC, the author encountered a user who works in the information technology field. He related a story he had heard of a woman who had installed a wireless camera in her home to watch the babysitter with her six-month-old daughter. The police were summoned to the home when the woman’s ex-husband began showing people photographs of his daughter sleeping. The photographs proved that the ex-husband had obtained the images from the wireless camera, and investigators soon concluded that the babysitter had not been involved. Further inquiry found that the ex-husband had paid one of the technician’s underage friends to crack the home wireless network’s WEP key and gain unauthorized access to the camera. The evidence was not sufficient for prosecutors to act against the ex-husband, and the juvenile was only 11 years old. The author was unable to learn whether the juvenile was charged, but the fact that an 11-year-old cracked WEP illustrates the severity of the problem, and it is less surprising than it sounds: WEP’s design flaws have been public since 2001, and freely available tools recover a key from captured traffic in minutes.



The author concedes that the above story does not involve a small business, but it was fresh in his mind when he recently visited an Austin-area dry cleaner. It was fifteen minutes before a meeting and the author had accidentally brushed against fresh drywall, streaking white plaster across the sleeve of his suit jacket. He ducked into a nearby dry cleaner and asked if they could help; in minutes he was back in action, the jacket fixed for free by this local small business. While waiting, the author noticed that the dry cleaner had a small wall-mounted wireless video camera watching the cash register. To him this was something any criminal would see and recognize as a huge opportunity. A week later the author stopped by to say thank you by bringing in a load of dry cleaning. The same woman who had helped him was at the counter, and the author mentioned the camera and his work on this book. He asked if he could use his laptop to confirm his suspicion that the camera was insecure. She agreed, and the author found that the camera was not using WEP or WPA-PSK as he had expected; it was using no encryption at all. Images of the cash register were being transmitted in the open to anyone who knew the camera was there and had the skills to connect to its signal. It turned out that the owner himself had set up the device.
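The check the author ran with his laptop comes down to reading a wireless scan and asking what, if anything, protects each network. The following Python is an added example (not the author’s code or the tool he used) that does that over scan output in the text format of the Linux `iwlist` command. The scan lines are constructed for the example, not a capture from the dry cleaner or any real business, and the SSIDs and hardware addresses in them are invented.

```python
# Added example (not from the book): classify the wireless networks in a
# scan the way a technician would when checking whether a device such as a
# wireless camera is transmitting in the clear. SCAN_OUTPUT is CONSTRUCTED
# in the format of "iwlist <iface> scan"; the SSIDs and addresses are invented.
import re
from typing import Dict, List

SCAN_OUTPUT = """\
wlan0     Scan completed :
          Cell 01 - Address: 00:11:22:33:44:55
                    ESSID:"CAM-REGISTER"
                    Channel:6
                    Quality=41/70  Signal level=-69 dBm
                    Encryption key:off
          Cell 02 - Address: 00:11:22:33:44:66
                    ESSID:"OFFICE-WIFI"
                    Channel:11
                    Quality=55/70  Signal level=-55 dBm
                    Encryption key:on
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : CCMP
                        Pairwise Ciphers (1) : CCMP
                        Authentication Suites (1) : PSK
          Cell 03 - Address: 00:11:22:33:44:77
                    ESSID:"linksys"
                    Channel:1
                    Quality=30/70  Signal level=-80 dBm
                    Encryption key:on
"""

CELL_RE = re.compile(r"Cell \d+ - Address: ([0-9A-Fa-f:]{17})")
ESSID_RE = re.compile(r'ESSID:"(.*)"')


def parse_scan(text: str) -> List[Dict[str, object]]:
    """Turn iwlist-style scan output into one record per access point."""
    cells: List[Dict[str, object]] = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = CELL_RE.search(line)
        if m:
            current = {"bssid": m.group(1).upper(), "essid": "", "key": False,
                       "wpa": False, "wpa2": False, "auth": ""}
            cells.append(current)
            continue
        if current is None:
            continue
        m = ESSID_RE.search(line)
        if m:
            current["essid"] = m.group(1)
        elif line.startswith("Encryption key:"):
            current["key"] = line.endswith("on")
        elif line.startswith("IE: WPA Version"):
            current["wpa"] = True
        elif line.startswith("IE: IEEE 802.11i/WPA2"):
            current["wpa2"] = True
        elif line.startswith("Authentication Suites"):
            current["auth"] = line.split(":", 1)[1].strip()
    return cells


def classify(cell: Dict[str, object]) -> str:
    """Name the protection in use: open, wep, wpa/wpa2 with psk or enterprise auth."""
    if not cell["key"]:
        return "open"
    if not (cell["wpa"] or cell["wpa2"]):
        return "wep"          # encryption on but no WPA information element: WEP
    gen = "wpa2" if cell["wpa2"] else "wpa"
    return gen + ("-psk" if "PSK" in str(cell["auth"]) else "-enterprise")


VERDICTS = {
    "open": "traffic readable by anyone in range; encrypt or isolate the device",
    "wep": "WEP is broken; key recoverable in minutes; move to WPA2",
    "wpa-psk": "only as strong as the passphrase; prefer WPA2 and a long passphrase",
    "wpa2-psk": "only as strong as the passphrase; use a long random one",
    "wpa-enterprise": "per-user credentials; acceptable, prefer WPA2",
    "wpa2-enterprise": "per-user credentials; acceptable",
}


def assess(text: str) -> Dict[str, str]:
    """Map each ESSID in the scan to its classification."""
    return {str(c["essid"]): classify(c) for c in parse_scan(text)}


if __name__ == "__main__":
    for essid, kind in assess(SCAN_OUTPUT).items():
        print(f"{essid:15} {kind:16} {VERDICTS[kind]}")
```

The rule that matters for the camera is the first one: “Encryption key:off” means every frame, including the video stream, can be read by anyone who can hear the signal. An “on” with no WPA information element is WEP, which as the previous scenario shows is barely better.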


SCENARIO #8: PUBLICLY VISIBLE INFORMATION AND DUMPSTER DIVING




In many cases a criminal who targets a small business does not need to resort to dumpster diving, but it is a valid tool when necessary. Many companies do not shred documents containing sensitive information. To test this, the author decided to do a little dumpster diving himself. He travelled to a nearby office complex after hours dressed in semi-professional attire. Once onsite he found the dumpster between two buildings and hopped in to search for anything interesting. Before he started, however, he tied one end of a piece of dental floss to his ankle and the other end to his car keys, which he then dropped into the trash. He had hoped not to be interrupted, but soon found himself confronted by a contract security guard who, clearly suspicious, asked what the author was doing in the dumpster.



The author stood up, appearing frustrated and embarrassed in his now sweat-stained purple button-down and slacks, and explained, “Man, I got pissed when I was leaving and threw my keys. God, I don’t know what I was thinking but…oh…as if enough didn’t go wrong today!” The security guard asked if the author worked in the complex. The author had seen a sign for a psychologist nearby when parking his car and replied, “No. I am a patient of Dr. [name omitted]. I see her once a week. This week was just…well…I need to find my keys.”



As expected, the guard did not interrupt as the author continued the search in silence, but he did not leave either. Eventually the author gave up and ‘found the keys’ by discreetly pulling the dental floss tied to his ankle. He had found nothing but had escaped further scrutiny. He then tried another office complex with the same routine. No security guard appeared, but here too there was nothing of real interest: some of the papers were shredded, and most of the rest were ordinary trash or papers with no apparently important information.

The following morning the author tried one more location, in South Austin a good distance from his home, in an office complex where a local IT services firm was located. Here the author hit pay dirt. He found a good deal of shredded material, but in one bag he found a legal pad with what appeared to be usernames, phone numbers and passwords. On two pages there were IP addresses that the author later verified, through reverse DNS lookup, belonged to local companies in Austin.

He continued the experiment one more day, starting early the next morning to beat the Texas heat by diving into some north central Austin dumpsters. Taking the bus to the site rather than driving, the author had decided that his cover story would be that his wife had been angry the night before and thrown his car keys in the dumpster. It seemed plausible. As he walked into the complex he observed that most of the businesses were retail shops, though one was a pediatrician and another a bookseller. All seemed like legitimate targets for a criminal dumpster diver. After an hour the author found, in a bag of trash, a small box containing a stack of carbonless credit card imprint forms, the forms used by old-style manual credit card imprinters, which the author recognized from his days as a field technician.

These forms are rarely used in stores any longer thanks to online credit card processing. Nonetheless the author had found them, with still-readable credit card numbers, company names, cardholder names and dates. Most were dated seven years before the author’s experiment, but the fact that any business disposed of them intact is a serious concern that warrants mention in this book. Small business owners especially must concern themselves with the proper destruction of sensitive information. Every owner will agree that, unlike a large corporation with vast resources, a small business cannot sustain the liability that a large fraud exposure could create.



Yet dumpster diving is not the only means of obtaining publicly accessible information that can compromise a business or its customers’ private information. Many end users have a bad habit of writing down usernames and passwords. The worst offenders post these reminders on the face of their computer monitors, sketch them on desk calendars and file them in their rolodexes. In the end they defeat the very purpose of having a password. The reader will recall the business mentioned earlier in this book whose employee cut the backup tape to conceal her theft of petty cash after deleting the QuickBooks file. In that case we discussed how the user had all of the passwords for her computer posted on the face of her monitor, visible from a window. Any passing criminal could have found an easy target there. More importantly, fellow employees who are not authorized to access some materials can learn and use the password to commit crimes and defraud the company. But the most important example of publicly visible and dangerous information is posted by the credit card processing industry itself in many businesses.



Back in 2005, the author was selling credit card processing services and equipment for a company that promised to beat anyone’s rates. As trained, he would walk up to a business owner and start his sales pitch. In some cases the owner knew his or her rates and terms, but surprisingly often the author ran into owners who were not sure what rate they were paying or when their last rate increase had taken effect. This usually led owners to call their processing companies and ask. It wasn’t long after he started that the author realized the phone number and account information needed to discuss the business with its processing company were almost always printed on a sticker affixed to the side of the credit card reader itself. This worked wonders for the author’s sales pitch.

Almost overnight the author adopted a new pitch. He would enter a business, see the sticker on the credit card reader and ask to speak with a manager or the owner. After introducing himself, he would ask whether he could show how he was a more responsible business partner for the company. His first point was to show the owner or manager the label and then to call the credit card processing company using that information, obtaining details about the company’s account before handing the phone over so the owner or manager could verify that the author was not using some smoke-and-mirrors tactic. Rates were just icing on the pitch. The author would convert the business to his company’s processing services (and possibly sell them a new reader), then end the transaction by removing the sticker and writing the information on the back of a business card he had printed himself. It was a classic use of the same strategy criminals use to compromise a business.



The author learned through this experience that anyone using the information on the stickers affixed to credit card readers could almost always reach a customer service representative and obtain information about the business’s processing agreement with no other proof of identity. The author further demonstrated, for one business, that a person could change the ACH routing information on an account with one competitor using nothing more than the numbers read off the sticker plus, at most, the company’s phone number of record and the owner’s name. That information is visible to every customer paying at the counter. With a cell phone discreetly held in his trousers pocket, the author was in one case able to type the account number and other details into the phone before stepping outside with the owner to call the processing company. He and the owner then changed the banking information on the account to route funds to the business’s savings account rather than its checking account, as evidence of the attack. The owner complained to the processing company, which eventually blamed employee error for the breach rather than its standard business practices. The lesson is that an identifier printed on the terminal is a public value and must never double as an authentication credential; a processor should require a secret that is not on the equipment before making account changes.


SCENARIO #9: MINING EX-EMPLOYEE KNOWLEDGE




While interviewing with a successful Austin-area managed services provider (MSP), the author met a gentleman who agreed that security was a problem in small business but did not see a strong market for IT security services because of costs and regulation. In his experience clients rarely heeded his advice on security matters and appeared indifferent to security. He told of one medical practice that insisted on using the same password for every user account in the company. Users were not allowed to change passwords, and the password was the same as it had been since the practice first started using computers: “Password01.” No matter how many times the engineer or his coworkers suggested this be changed, the status quo was perpetuated. Finally the engineer asked the office manager, “So, what do you do when an employee quits? They still know the password.” The office manager responded, “Well…we hadn’t thought that far.” Amazingly, as of the retelling of this story the password still had not been changed.

This story points to another security hole: ex-employee knowledge. A criminal need only find a disgruntled, recently fired employee willing to sell passwords and other knowledge of the former employer’s computer network. The employee does not have to be IT staff to be dangerous; in the case above it could be anyone in the company. If the employee can provide account credentials that remain valid after termination, the criminal can compromise the network. The problem is worse wherever common passwords are used, and worst of all within IT services firms, where one shared password may open many clients’ networks. Security must be dynamic. When an employee who held a key to the building leaves, the locks are usually changed, or at least rotated, to protect the company from burglary. So too must the employee’s user accounts be disabled and any shared passwords the employee knew be changed, on the day the employee leaves.

It is probable that the employee will remain in the same industry, working for a competitor. Given access to the old company’s network, directly or indirectly, the person has every opportunity to help the new employer by stealing information from the old one.
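The two checks the previous paragraphs call for, disable the leaver’s own accounts and rotate every password the leaver knew, can be run as an audit rather than remembered. The following Python is an added example (not the book’s or the MSP’s code) of that audit over a directory export and an HR termination list. The employee ids, account names and dates are constructed for the example; in a real domain the account attributes would come from an export of the directory (account name, enabled flag and the date the password was last set), and the medical practice’s case maps to a single credential whose `known_to` set is every employee.

```python
# Added example (not from the book): offboarding audit for the situation
# described above, where ex-employees still know live passwords. EMPLOYEES
# and ACCOUNTS are CONSTRUCTED data with hypothetical names.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class Account:
    name: str
    owner: Optional[str]       # employee id, or None for a shared/service account
    enabled: bool
    pwd_last_set: date         # when the current password was set
    known_to: Set[str]         # employees who have been given this password


# employee id -> termination date (None means still employed)
EMPLOYEES: Dict[str, Optional[date]] = {
    "e1": None,
    "e2": date(2009, 7, 15),
    "e3": date(2009, 8, 30),
}

ACCOUNTS: List[Account] = [
    Account("jsmith",    "e2", True,  date(2009, 1, 5),  {"e2"}),              # leaver's own account
    Account("frontdesk", None, True,  date(2008, 3, 1),  {"e1", "e2", "e3"}),  # shared counter login
    Account("backupsvc", None, True,  date(2009, 9, 1),  {"e1", "e3"}),        # rotated after e3 left
    Account("mlee",      "e1", True,  date(2009, 6, 1),  {"e1"}),              # current employee
    Account("oldtech",   "e3", False, date(2009, 2, 10), {"e3"}),              # already disabled
]


def audit(accounts: List[Account], employees: Dict[str, Optional[date]]) -> Dict[str, str]:
    """Return {account name: action} for every account that needs attention.

    disable: the account's owner has left but the account is still enabled.
    rotate:  someone who has left still knows the current password, i.e. the
             password was last set on or before that person's last day.
    """
    findings: Dict[str, str] = {}
    for acct in accounts:
        left = employees.get(acct.owner) if acct.owner else None
        if left is not None and acct.enabled:
            findings[acct.name] = "disable"   # disabling makes rotation moot
            continue
        if not acct.enabled:
            continue
        leavers = sorted(
            emp for emp in acct.known_to
            if employees.get(emp) is not None and acct.pwd_last_set <= employees[emp]
        )
        if leavers:
            findings[acct.name] = "rotate (known to " + ", ".join(leavers) + ")"
    return findings


if __name__ == "__main__":
    for name, action in audit(ACCOUNTS, EMPLOYEES).items():
        print(f"{name:10} {action}")
```

The date comparison is the whole point: a password set before a leaver’s last day is a password that leaver may still know, regardless of whose account it is, so a shared login that nobody bothered to change after a departure is reported even though its nominal owner never left. Run against the medical practice above, with every account sharing one password known to every employee, the audit would list every account for rotation after the first resignation.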


RECAP




In this chapter we began our discussion of small business network vulnerabilities with a general discussion of what makes a network ‘relatively secure’ and how the absence of good security can be exploited by a consultant to identify problems before a criminal abuses that accessibility to defraud and possibly ruin a small company. We then defined a strategy for this testing before walking through the equipment and mental preparation needed to commit a computer crime. Finally we reviewed several test scenarios and field experiences from a real-world, practical standpoint. Thus far, however, our discussion has been superficial: it has shown how a criminal could use specific tactics to do limited damage. In most cases we have concerned ourselves with perimeter breaches where no internal security existed or where it was not relevant to the attack.



The following chapter will expand on this superficial view and explore a concept known as “penetration-in-depth” to show how a criminal might plan an exploit against a perimeter defense, followed by a subsequent attack or chain of attacks to gain complete control over a network. In doing so we show one common example of how an IT company’s failure to respond quickly and a company executive’s impatience can create vulnerabilities that give a criminal the opportunity to gain access to a company’s information. At the end of this discussion the reader should have formed a deep understanding of the importance of computer network security in any business.



For the most part these questions seem pretty simple and harmless. The office manager was more than happy to know that her business would be used in a published article—which wasn’t exactly a lie. The owner reviewed the questions that evening and also saw no harm in anything the office manager had said. The same afternoon, the author went to the IT services company and spoke with a technician about pricing for a new custom-build PC. The company appeared to have only three to five employees. All were dressed in business casual attire that appeared professional but did not identify them as employees of the company. When the author was ready to leave he asked one employee, a gentleman named Mark, if he had a business card. Mark was happy to provide a card and promised the author he could get him a good deal on the computer he wanted. Inspecting the business card, the author noticed it didn’t have any specific employee’s name. It was a generic company business card.



The author, however, was not interested in purchasing a computer. He had just created a scenario whereby he could secure access to the target company, using a false pretext that many criminals are all too willing to use: the “I’m-with-IT” card. Before doing anything, the author talked with the owner about what he planned and the owner agreed to be out of the office when the attack happened. They also agreed to contact the IT services company and meet first to ensure no one would be too upset if this worked. As expected, the IT company’s owner was not happy to be under scrutiny, but the owner was agreeable and the author had emphasized that he was trying to help the IT consulting industry and small businesses as a whole. He went along but promised no cooperation, which is what the author had wanted. He also assured the owner that anything the author did was not covered by any warranty and would be billed hourly outside of their existing contract.



The author was afraid the IT company would tip off employees at the company and decided to carry out the attack that same afternoon rather than the following day as planned. The owner conceded the point and went home, while the author drove to the company. He entered the store and presented the business card, saying “Hi. My name is Sam. I am a tech with [company omitted]. The office sent me to do a weekly test of the backups and such. Is everything running okay this week?” The college student at the front desk smiled awkwardly and asked where “Allen” was. From the phone interview with the office manager, the author knew “Allen” was the normal technician who took care of the client. The author shrugged, “I’m kind of new here. I think they said he was out sick or something this week.” The employee nodded and said she would get the office manager.



The office manager was more skeptical. She explained that she had previously told the IT company that she only wanted Allen, but when the author explained that Allen was out sick and that he had scheduled the author to do nothing more than check the backup tapes, the office manager finally gave in rather than confront what to her probably appeared to be just another cog in the machine. She instead showed the author the location of the external hard disk sitting under the front counter next to one of the POS terminals. The author went through the motions of verifying that it had power and was accessible from Windows. He then opened the backup software and checked the logs. Then he stopped to observe that no one was paying attention. Checking the system, he found that the computer was a stand-alone workstation running point-of-sale software from a local administrator account. While standing there unsupervised he could have installed a remote agent—or for that matter, any employee could have done so—without any interruption. After twenty minutes, the author left on foot and called the owner.
The owner explained that the office manager had called the IT services company, who had denied the author was an employee, when she came back to the front and found the author was gone. The owner had defused the situation. In the end the IT services provider claimed there was no risk since the office manager had in fact called to verify the author’s identity, but the office manager later admitted that she had left the author unattended at the computer terminal while she debated about whether or not to call. The employee working the front counter also admitted that she had left the author unattended when she went to the restroom. She did not find it strange that the author left without having her sign paperwork for the ‘service call’ until this was mentioned to her. Only the owner seems to have appreciated this exercise. The author still owes him lunch as of this writing as a way of saying thank you for helping with the project.



Readers should walk away from this section with a cold feeling. As IT consultants we must do a better job of ensuring we carry photo-bearing credentials which identify us as employees of our employer organizations. As business owners we should expect no less than this minimum respect for the safety and security of the business. Employee training and clearly defined policy are critical. There is no security technology which will protect a business in this situation. Even had there been a video camera watching the author at the computer terminal in the previous example, it would have deterred only a few criminals. Other criminals would have risked it, as is evidenced every time a convenience store is robbed. Many criminals know that a lot of small businesses use fake cameras. These cheap shell devices are intended to scare intruders, but they have become so prevalent that they can be spotted at times. In other cases, the criminal feels it is worth the risk. Poor quality images and other weaknesses of low-cost technologies further weaken the deterrent capacity of a camera and lead to a false feeling of security.




SECURITY VS. INSECURITY



Good security is a four-factor equation, starting at the perimeter and consistently applied throughout.




A secure network has strong borders with a minimum exposed surface area. That means only the services required to perform relevant tasks are ever installed and only the minimum number of ports are opened for interconnection between devices. Strong, secure networks also have well-planned and defined permission structures (called Access Control Lists—or “ACL”) which limit each user to the information and resources needed to perform his/her tasks. These permission structures and borders are integrated into the company’s written processes as a guide to the safe and effective use thereof. Enforcement of policy and process is verified through good accountability processes and vigorous 24/7/365 intrusion detection systems.


Every cryptographer and security expert will agree that no network is ever completely secure. Given enough time, someone can penetrate any system. The goal of an IT professional is to provide “relative security,” where the economics of an attack are altered such that, at an acceptable level of complexity and access control limitations, the amount of effort required to gain unauthorized access is increased beyond the amount of effort the criminal is willing to expend in order to earn the perceived reward for having done so. Concurrently, effective security strategies must also increase the attacker’s fear of detection, capture, or failure while depriving the attacker of any confidence that the attack may succeed. Put another way, “relative security” in small business IT is attained when a computer criminal considers the effort-risk-reward equation for attacking a small business to be the equivalent of an attack on a major financial institution.


In selecting a target, a criminal attacker will evaluate its prospects based on three advantages: surprise, anonymity and technical superiority. To counter a computer criminal, IT support personnel must remove these advantages, which they might first identify by assuming the role of “consultant-as-criminal” and conducting focused, planned penetration testing against the networks for which they are responsible.








  • SURPRISE


    “Surprise” is an attacker’s ability to set the time and terms of an attack. No strategy can realistically remove an attacker’s surprise advantage completely. But a determined IT professional might limit the possible times and terms of an attack to a set of circumstances that maximize the potential for detection and capture. An attacker will then ultimately have the choice of continuing the attack with the higher risk-state or moving on to easier prey. Examples of strategies used to minimize the surprise advantage include:




    • Access-control policies which disable network services during off-business hours.

    • MAC filtering and VLAN technology.

    • Premises visibility and surveillance.






  • ANONYMITY


    Surprise is a part of anonymity. However, while surprise is the ability to set the time and terms of an attack (thereby making the attacker anonymous), anonymity is the art of perpetuating this initiative to remain undetected and unidentifiable during and after the attack, thereby realizing a pay-off without the attending consequences. This also allows the criminal repeated access to the same network—increasing the criminal’s return on investment. Take the common burglar for example: A burglar could theoretically cut a convenient hole in the side of an office building to gain access to and steal a company’s valuables. But this will cause a good deal of noise and appear highly suspicious to any passers-by. As a result, the police are more likely to be summoned and the perpetrator is more likely to be apprehended. This explains why nearly all burglars prefer a more casual, quiet method of entrance. They are preserving their anonymity to increase their chance of escape without consequence and possibly to return for subsequent crimes in the area. Thus a burglar who ‘bumps’ the lock at a front door quickly and casually might be seen by observers as authorized to be at the door, then entering the building and later moving items out. He has the surprise advantage to determine the time and terms of his crime as well as the anonymity afforded by others who erroneously dismiss his behavior as normal and acceptable, allowing him to complete the criminal act and escape. For this reason, many businesses install alarm systems to monitor the doors and windows as well as movement within the building. They are eliminating the chance of anonymity (or secrecy) by placing an automated system as a trap for the offender. Likewise, a secure business must always know who can access its network and from where. To remove anonymity a business must limit the ability of an attacker to access the network without being identified. This goes further than simple usernames and passwords. It must also include the logging of IP and MAC addresses, the use of surveillance cameras and the logging of all activity on the network for periodic, automated and manual review by IT personnel.





  • TECHNICAL SUPERIORITY


    The advantage of technical superiority comes not only from a lack of technical qualification on the part of the IT personnel but also from a lack of resources and consistent business interests. The author will freely admit that he himself has been in many situations where competing business interests prevented him from exercising his technical expertise to better protect client networks. These competing interests (as discussed earlier) include failures of the managed services business model, the break-fix model and a lack of client cooperation. No matter how qualified or skilled an IT support team may be, if the business interests involved are not consistent with industry best practices, the attacker will ultimately have technical superiority. Keeping this advantage on the side of the small business requires written, consistently applied processes, intrusion detection mechanisms, continuing education and periodic penetration testing.
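The anonymity and surprise countermeasures listed above (logging IP and MAC addresses, disabling services outside business hours, and periodic automated review of the logs) can be put into practice with a small review script. The following is an added example and is not code from the original article; the log line format, the device inventory, the business-hours window and the sample log lines are all constructed assumptions for the example rather than any real product’s format.

```python
"""Added example (not from the original article): automated review of
constructed network access logs to strip an attacker of the 'surprise' and
'anonymity' advantages.

Two checks run over each log line:
  * the client MAC address must appear in a maintained device inventory
    (an unknown MAC is a candidate for MAC filtering / VLAN quarantine);
  * the event must fall inside business hours (off-hours activity is what
    an access-control policy that disables services after hours would block).

The log format, inventory and business hours are assumptions for this
example, not a real product's format.
"""
from dataclasses import dataclass
from datetime import datetime, time
import re

# Assumed inventory (constructed): MAC address -> device description.
KNOWN_DEVICES = {
    "00:11:22:33:44:55": "front-counter POS",
    "00:11:22:33:44:66": "office-manager PC",
    "00:11:22:33:44:77": "back-office server",
}

# Assumed policy: services available 07:00-19:00, Monday to Friday.
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)
BUSINESS_DAYS = {0, 1, 2, 3, 4}  # Monday=0 .. Friday=4

# Constructed log format: "<ISO timestamp> <client IP> <client MAC> <event>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<event>.+)$",
    re.IGNORECASE,
)


@dataclass
class Finding:
    timestamp: str
    ip: str
    mac: str
    reason: str


def outside_business_hours(ts: datetime) -> bool:
    """True when the event falls outside the assumed service window."""
    if ts.weekday() not in BUSINESS_DAYS:
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def review_log(lines):
    """Return a Finding for every line that violates either check."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            # Unparseable lines are reported, never silently dropped: a gap
            # in the log is itself something the reviewer must see.
            findings.append(Finding("?", "?", "?", f"unparseable line: {line.strip()}"))
            continue
        ts = datetime.fromisoformat(m["ts"])
        mac = m["mac"].lower()
        if mac not in KNOWN_DEVICES:
            findings.append(Finding(m["ts"], m["ip"], mac, "MAC not in device inventory"))
        if outside_business_hours(ts):
            findings.append(Finding(m["ts"], m["ip"], mac, "activity outside business hours"))
    return findings


# Constructed sample log (2009-09-11 is a Friday, 2009-09-12 a Saturday).
SAMPLE_LOG = [
    "2009-09-11T09:15:00 192.168.1.20 00:11:22:33:44:55 dhcp lease",
    "2009-09-11T13:40:00 192.168.1.21 00:11:22:33:44:66 smb login office_mgr",
    "2009-09-11T14:02:00 192.168.1.77 00:aa:bb:cc:dd:ee dhcp lease",         # unknown MAC
    "2009-09-12T02:30:00 192.168.1.21 00:11:22:33:44:66 smb login office_mgr",  # Saturday
    "garbage line",
]

if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.ip} {f.mac}: {f.reason}")
```

Run against the constructed sample, the script reports the unknown MAC, the Saturday 02:30 login and the unparseable line; the two in-hours events from inventoried devices pass. Feeding it a real DHCP or domain-controller log would require only changing `LOG_LINE` to that product’s format.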






CONSULTANT-AS-CRIMINAL: PENETRATION TESTING



In this discussion the reader will be asked to assume the role of the consultant-as-criminal to begin looking at the small business network as a source of opportunities for cheap thrills, low-cost resources or marketable information. As an analyst, the consultant will not only conduct the attack but carefully document the processes employed and the results obtained. In the end, the consultant will achieve four objectives, illustrated below:



Objectives of Penetration Testing



  • Inventory all exposed assets and resources.

  • Prove the feasibility of an attack on the target network.

  • Probe the exposed assets and resources to identify the scope of vulnerability.

  • Collect information which can be used to find remedial solutions.



The consultant will either prove or disprove the security of the network, creating a data set in support of his conclusions that can be reviewed as a final report by the small business owner and IT managers. Ideally, this report would be standardized by the SMB IT community but ultimately should include at least four (4) elements, described below:





  • NATURE (CHRONOLOGY)


    To define the nature of the vulnerability, the consultant should provide a step-by-step timeline of the attack. Using this documentation others should be able to reproduce an attack reliably when they question the validity of the reported results. This section should start with a description of the vulnerability and attack strategy as a description of the nature of the problem.


  • SCOPE (INVENTORY)


    All devices visible to the consultant-attacker as a result of the work described in the chronology should be identified in this section of the final report. This may be only a dump from an IP scanner, but any device which could be identified should be included. Sophisticated professionals will want to go further and include a graphical topology which proves the interrelationships between devices, open ports, MAC addresses and other data uncovered by their attack strategy.


  • SEVERITY (ASSESSMENT)


    Based on the evidence in the chronology, the services exploited, data viewed, copied or potentially deleted and the possibility of installing malicious software should be evaluated and included in a severity assessment. This assessment completes the problem statement and leads the after-action report to a positive conclusion.


  • REMEDIAL MEASURES (ACTION PLAN)


    In conclusion of a penetration testing after-action report, the business owner should be presented with remedial options for every vulnerability discovered. These should be clearly defined in an action plan format with timelines, costs and plain-language descriptions of why each will resolve the underlying problem.


A report on security vulnerabilities should not be delivered to a business owner by a sales representative, email or other potentially impotent means. This type of information should be delivered by an account manager in the company of a supporting technician or engineer. Where possible the consultant who conducted the attack should be present as well, but this is ultimately an internal decision. The author will stop short of saying that the IT support company who identifies serious security flaws should make every responsible effort to ensure the report is not lost in the fog of a client’s daily business operations and it should not be so trivial as to be seen as a sales pitch. The responsible owner will have questions that deserve answers. The author has seen far too many situations where technical information is improperly delivered to a business owner by non-technical or poorly qualified sales representatives or account managers, and the owner later calls the author on the phone to get “the real story.” Even today the author received a call from the office manager of a client of the author’s former employer who wanted assurance that what she was told was accurate. It was, but there is a trust relationship that is lacking in this industry, caused by competing business interests.



ATTACK STRATEGIES: BROAD-RANGE VS. TECHNOLOGY-SPECIFIC



Much of the vulnerability testing performed in the industry is carried out by manufacturers in sterile labs or in large corporate environments. Virtually no security testing occurs in the small business community by any IT Services Provider.



NOTE: We can all thank the political interests of the private investigations lobby for pushing many state legislatures, such as Texas Representative Joe Driver, to pass laws which require licensing and promise hefty fines for those few well-intentioned IT services providers who would otherwise proactively protect their clients. Naturally this also helps ensure the low supply of licensed personnel creates higher-than-reasonable costs for security-related services.


This vacuum creates the opportunities we mentioned earlier in our introduction and problem statement. Many small business owners with whom the author has worked have been led to the false assumption that the manufacturers diligently test their products and that this testing is sufficient to protect small business. However, this is not true. Even where a manufacturer tests the product’s security, it cannot possibly test the configuration which a technician used in the field when the product was deployed after purchase.



NOTE: As mentioned in the author’s disclaimer, many jurisdictions require IT professionals involved in security-related computer work, such as penetration testing be first licensed by a government entity in that jurisdiction. This requirement applies only to small businesses who outsource their IT work in the cases which the author reviewed, but does not apply to in-house IT personnel—such as those on-staff with large organizations. Thus, legislation which is promised to ‘protect’ society has created a greater risk for consumers and a more costly option for small businesses who are less able to compete with larger corporations.


It is the need to test product configuration that ultimately justifies security testing in large corporations. Most vulnerabilities, after all, are caused by poor implementation and a lack of security patching when manufacturers do find defects. Without an equal effort at the small business level, the SMB market is protected only by technology-specific, product-focused testing at the manufacturer level. Since few business owners or IT professionals servicing the SMB market actively monitor security developments, new exploits found by so-called ‘black-hat’ or ‘white-hat’ hackers. This technology-specific testing leaves the SMB community exposed to broad-range attacks. The broad-range attack focuses not only on the technology-specific weaknesses that can be exploited by a criminal but also includes any configuration errors in its scope of action. This evaluation serves large corporations well and should be implemented in any solid small business IT services plan.



As this broad-range approach to testing is a ‘real world’ attack simulation, the consultant-as-criminal may use any tool of the criminal trade that will not violate the law in order to simulate an attack on the target network. This includes the exploitation of technology weaknesses as well as failures of human nature, using the ‘social engineering’ strategies discussed later in this chapter. A sophisticated attacker might even use a mix of social engineering and technology exploits to compromise otherwise technologically secure networks. This will help raise the awareness of the business owner and employees and lead to the development of better internal practices the client company can use to protect consumers, employees and the organization itself. But to conduct such a mixed-mode, realistic attack the consultant performing the attack should be known only to the owner by some agreed-upon code word and have no insider knowledge of the target network other than that deemed necessary to stay on the right side of the law.



Ideally the attacker will enter the test with no knowledge of the network—other than information such as a wireless SSID to avoid targeting the wrong network. When planning a simulated intrusion it is critical that the consultant-as-attacker has planned the attack and has ensured that he does have the safeguard information needed to ensure he only attacks the authorized network and not that of some third party. Serious consequences could otherwise arise from a mistake.


As the consultant assumes the new role of consultant-as-criminal some preparations are in order. In the next section, we will discuss the consultant’s ‘kit’ and its preparation. This ‘kit’ will include all of the tools needed to attack a small business network through technological means. As we discuss specific attack scenarios we may modify or add to this kit to meet the needs of the scenario. The business owner reading this section should pay careful attention to the low cost and high availability of the materials used to build this kit. It is this mixture of low cost and readily available supplies that makes this such a tempting effort for the criminal community.



ATTACK STRATEGIES: PREPARING THE KIT




Almost every small business owner starts his business by dreaming of realizing some measure of success performing a job he/she finds rewarding. This desired reward is psychological, emotional and financial. While the reward only comes to those few who go the distance to earn their success, the initial stages are familiar to every aspiring entrepreneur who begins by researching the options available, possibly attending seminars or conferences or reading books to learn more about financing, management, marketing or the many other aspects of starting and running a business. The criminal does somewhat the same thing in his illegitimate enterprise.



A criminal—whether a robber, thief, computer criminal or drug dealer—starts with a deviant fantasy of some perceived reward that will come from the commission of his/her illegal pursuits. At first this fantasy is a means of escaping some personal frustration, defect or failure. Yet this is the key starting point in the criminal’s progress to build a ‘kit’ to commit his/her future crimes. This foundation is a set of deviant thinking errors which will justify otherwise irrational actions. A consultant who wants to truly test the potential for criminal intrusion into any network must first start by understanding the common thinking errors and how they apply to the planning and execution of a crime. Thinking errors are not discussed in detail as this is more a subject for a psychologist to explore. For purposes of this discussion we will reduce these thinking errors to those false premises which lead a person to (a) dehumanize the effects of their actions, leading to a disregard for the needs, rights or wants of others; (b) assume a grandiose belief that the criminal’s needs or wants override the needs or rights of others by mere fact that they are the needs or wants of the perpetrator; and (c) form justifications for what would objectively be considered wrong or illegal within the framework of rational society.



THE MENTAL “KIT” (CRIMINAL THINKING ERRORS)



  • Dehumanize the effects of their actions, leading to a disregard for the needs, rights or wants of others;

  • Assume a grandiose belief that the criminal’s needs or wants override the needs or rights of others by mere fact that they are the needs or wants of the perpetrator; and

  • Form justifications for what would objectively be considered wrong or illegal within the framework of rational society.




Once a criminal has taken his fantasies to maturity through the development of thinking errors to enable him to plan and execute the attack, the mental kit is equipped with its next level: technical skill. At this stage the criminal will develop the skills needed to fulfill his/her fantasy by reading, talking to friends and experimenting with whatever resources are available. This may involve committing smaller crimes in the community which ultimately escalate the criminal to the end-game the criminal desires to play against a victim he/she feels ‘deserves’ or ‘will not be harmed by’ the criminal’s acts.



A consultant working to assemble the mental kit will obviously not desire to become a criminal—though some of the best people suited to this line of work have a criminal history in their past that they have overcome. Instead, the consultant will want to develop a good understanding of these thinking errors and the skills the criminal must learn to carry out his/her fantasy. Several procedures to develop these skills are included in a later chapter. But the thinking errors must be explored by each individual. When performing a test attack, the consultant-as-criminal must be motivated to avoid capture, seek quick rewards and demonstrate a disregard for what would otherwise be considered acceptable behavior.



Once a criminal has his mental kit prepared, or possibly as he develops the skills portion of the mental kit, he/she will begin to form the physical portion of the “kit.” Just as many business owners start to build their businesses while still learning the ropes, the criminal too will often learn-on-the-fly. This impulsive nature of criminal enterprise and its sense of challenging the norm is a similarity that should help any entrepreneur understand the computer criminal and the threat they pose to the small business. These are often determined people frustrated by the “way things are.” Their creativity demonstrates this point all the more clearly as one examines the cost of a typical kit used to crack any WEP/WPA wireless network.



The author assembled a kit for testing in the scenarios described in this book. He started with a spare ACER TravelMate 2420 laptop with built-in wireless, a BackTrack3 Live DVD and a backpack. Pricing similar materials at a local Goodwill store, the author found that for just under $500 he could build an anonymous kit with no association to himself. Armed with this basic kit an attacker can potentially gain unauthorized access to many small business wireless networks that are secured using WEP or WPA-PSK. With a few additional skills the attacker could also exploit wired networks as well and perform limited penetration-in-depth.






The basic kit was extended when the author switched from the BackTrack3 Live DVD to the Ubuntu 9.04 operating system. He also added a 16GB USB (cost: $30) and an external PCMCIA wireless network adapter (cost: $15, used). With the USB key, a cost of $30, the author was able to use the free VMware Player to run a portable Windows virtual machine containing the tools provided in Mark Spivey’s Practical Hacking Techniques and Countermeasures. In most cases a Windows XP license would have cost an additional $200 or so, however many criminals will use a pirated copy costing them nothing (See the “stealing license keys” attack scenario later in this chapter). In the author’s case, he used a license from his Microsoft TechNet subscription. Finally there is the matter of the air card. Originally added as a second network connection for short-range relay attacks, this card could have been used as a throw-away to further avoid being caught with any evidence connecting an attacker to a crime. All told, the author spent approximately $560 to assemble a fully-functional kit that resembles a serious threat to the business community. Only later in testing the “relay attack” strategy did the author make another significant modification to the penetration testing kit.



In July 2009, the author built a self-contained relay kit to meet the needs of a given relay-attack scenario (described below). He used a backpack with a reinforced plastic base and travel wheels (cost: $30) to hold a used car battery (cost: $23 from a local scrap yard) and inverter (cost: $60) purchased at Wal-Mart some time back. This relay kit required disabling the latch switch on the laptop to prevent closing the lid from sending the laptop into standby or hibernate. All told, the author added a little more than $100 to the cost of his research and created a relay kit that would run without external power for up to 12 hours.



A NOTE FOR CONSULTANTS


As a consultant testing client networks there is a significant need for accurate and reproducible documentation of all work performed. For this reason, the author would suggest consultants use some variant of the relay kit described in this case, remotely controlling the same from their production laptop to conduct any testing. The use of screen-capture software to record all work performed in a video format will provide an excellent protection from liability and near-perfect documentation of all technical procedures. The author recommends a product like Camtasia for these purposes.





ATTACK STRATEGIES: ASSESSING THE TARGET




Almost all criminals will visit their target at least once prior to exploitation to evaluate its weaknesses. This fact is probably what leads most criminals to victimize people and organizations they know or to which they have familiar access. This process is sometimes called ‘casing’ or ‘grooming’ by criminologists but in a tactical sense it is nothing more than reconnaissance. The criminal seeks to adapt a deviant fantasy to a given practical situation and needs information to select a target which will maximize the potential for success while minimizing any exposure to the consequences of his/her actions. Business owners and their employees can protect themselves at this point from many crimes (not just computer crimes) through common-sense proactive measures set out in a company’s policy manual and reinforced through regular meetings and training. The criminal is seeking a company that lacks this vigilance or whose employees simply fail to follow through on planned practices. Technology alone will never protect any organization completely, though surveillance cameras and alarm systems do help deter crime; common sense on the part of employees is needed as well.



In the case of computer crime, an attacker may never need to enter the premises of a target company. It may be easier to exploit wireless signals emitted by the devices used in a business to avoid ever actually entering the premises which would lead to easier identification of the culprit. Those targets whose wireless signals are not well protected represent the first and most vulnerable target class. Others either do not use wireless networks or have properly protected their wireless networks. Some are even fortunate to be located in an environment where attacks on any existing wireless networks are not feasible. But these businesses may not properly protect their wired perimeter and belong to a second target class. The effort required to exploit their networks is greater but the exposure to attackers worldwide rather than those within a smaller wireless network’s range makes them vulnerable nonetheless. There is that third target class whose technology is secure and whose IT support personnel are vigilant but whose employees carelessly handle information an attacker might use to otherwise exploit the company (such as usernames, passwords, financial information, email address, phone numbers, etc.).



While the author was building his relay kit for use in the “wireless relay attack” scenario, below, he encountered a good example of human failure that often leads to a business being targeted by a criminal. The author had travelled to a scrap yard to purchase a used car battery. He had just finished pulling the battery from a used car and had taken the battery to the front where an employee was testing the battery to see if it would hold a charge. While waiting, the author stood idle, looking about and noticed the company’s checkbook sitting open on the counter. This oversight gave the author a perfect (albeit upside down) view of important financial information for the company—i.e. company name, bank name, bank routing number and account number. With this information any criminal could easily defraud the company online without even the basic technical skill we will focus most of our time addressing in this book.



In the figure below we see the typical, fully developed small business network that has all of the latest cool technologies. This is our reference model for studying small business network security. In this model we see indications of where such a network is vulnerable. Almost every device, service or technology can potentially be exploited if it is not properly configured.




This fact brings to mind the lesson of an old friend from the author’s adolescence, named Dan Duley, who once explained to the author that the only ‘secure’ computer was one that was unplugged and encased in concrete. Unfortunately this is not a realistic solution. No computer is or will ever be completely secure. Mostly this is due to the fallible human equation, manifest in every aspect of technology from the engineers and designers to the implementing technicians and the end users. People will always make mistakes, and as with the accounting industry, the IT services industry must have periodic auditors to detect and fix those mistakes. Small business owners deserve it and should reasonably expect this level of complete service.



We can attain ‘relative security’ in technology just as we do elsewhere in a business model. We can protect ourselves by minimizing risk. Looking at the above figure we see that in a worst case scenario the perimeter may be exploited over the internet or through wireless connections. Internally intruders who have breached the perimeter, as well as disgruntled employees, may completely exploit a business. But this does not have to be the case for most businesses who adopt a sound approach. Those businesses will deter any attack as the criminals seek weaker more vulnerable targets. Thus, the name of the game is making your network less vulnerable than the next guy.


If you don't want to be eaten, run faster than the next guy.



As an IT consultant interested in protecting client businesses and their customers, we should view every service, open port and device as a potential weakness in the network’s defense. This is demonstrated well in the following attack scenarios as well as in the “Penetration-In-Depth” chapter. Without a serious effort to secure internal resources, perimeter security is the only thing between a criminal and the business’ most private information. Perimeter defense on its own provides only a minimum defense against external intruders but does little if anything to protect against employee and vendor-employee computer crime. As the same consultant assuming the criminal role temporarily to assess a network’s defenses, the same is true from a different perspective. With no insider knowledge, the consultant-as-criminal must view every service looking for an ‘open door’ so to speak, through which the attacker may gain access to the target network. But the consultant must never stop at just one service. He/she must conduct a broad-range approach, evaluating each open service and determining the risk each presents. If there are more than two or three weaknesses that the consultant could exploit then the business definitely requires serious attention and the IT service provider should be concerned that their practices are inadequate across the board.




The consultant-as-criminal should obviously begin by determining if any of the target company’s services use clear text authentication. That means finding any services used in the organization that transmit usernames and passwords between client software applications and server-side applications without encryption. This is still a widespread occurrence. The author has seen this in every industry from small retailers to medical practices.


NOTE: It is actually quite scary to see medical establishments that have passed accreditation and third-party audits (especially those involving HIPAA compliance) which use clear text authentication and violate the other best practices discussed in this book. For the author this proves that one cannot legislate problems away.


Many forget that some of the core technologies we use today were developed before the proliferation of the internet, back in a time when networks were internal, isolated entities and those with ‘internet’ access trusted one another to abide by a code of ethics that the criminal community does not observe in the modern internet era. Internet protocols such as telnet, FTP, POP, IMAP, SMTP, etc. by default do not encrypt usernames and passwords when they transmit these credentials to the server. This means that users who re-use their banking password for their POP email account are transmitting that password in readable text to their mail server. Where the user is accessing an office mail server from home or where the business hosts its POP server offsite (such as an ISP provided mail server) the user transmits that password in clear text several times per day. Every time an email client such as Outlook or Outlook Express contacts the mail server to download any new email message, the program must transmit the user’s username and password. This information can be captured by a criminal using legitimate network analysis software (such as Wireshark) and then re-used. An example of Wireshark is provided below for the non-technical reader to see first-hand how easy it is for a criminal to read a clear-text password transmitted over a network:





NOTE: By default Windows 2003 Small Business Server R2 SP2 running the Microsoft Exchange 2003 email server will not use clear text passwords for POP/SMTP authentication. Instead it uses a weak encryption algorithm known as NTLM, which will be discussed later as we address the ability of a criminal to attack this simple security mechanism using a cryptanalysis tool called “rainbow tables.” As computers have become more powerful and less expensive, the effort to use rainbow tables against weak cryptographic algorithms, such as NTLM, has become feasible for almost all computer criminals. Tutorials and software to do this are readily available.


Most people think that capturing an email password is trivial. One user to whom the author explained this fact responded that she did not care if anyone has access to her email. But a criminal is not seeing email access. He/she is seeing an opportunity to learn about the user’s passwords in general. A captured clear-text password is very likely one the user re-uses elsewhere, as many users do. It will most likely be added to a large collection of captured passwords—known as a “dictionary”—and used in an attack. Persons who use a book of the Bible as a password in one instance can be reasonably assumed to use other books of the Bible or religious themes in other passwords. Thus, the criminal can profile the user to deploy a specialized dictionary in guessing passwords.



More importantly, many business owners and their employees now have smartphones or PDAs to communicate, track payroll, log transactions and customer billing information as well as for other uses. Some of these owners and employees have purchased devices without consulting their IT advisors and soon find that they must use POP email though their server supports other more secure methods. In these cases, the employee or owner also has expected their IT support to give them domain administrator privileges over the network. Where a technician is directed to configure, or erroneously configures, the mail server to use a weak encryption option or no encryption, an attacker could gain access to that user’s account. The same username and password used to access the internal POP server will almost always be the same username and password used to log in to the Windows environment at the office. This is also true for file transfers which use the FTP protocol or the SIP protocol used with Voice-Over-IP (VOIP) phone systems.



NOTE:
The author once tried to mitigate this risk when an owner refused the option of an SSL certificate to secure the POP server by using a special user account named [username]_mobile@[domain].com. This account received emails forwarded from the user’s main account and sent emails with the reply-to address of the user’s main email address. However, the complexity confused many technicians and the owner, causing it to be removed in favor of NTLM encryption only. The business in this case was a medical practice and the owner is a member of the domain administrators group. Yet no one in the client’s organization or at the IT services company where the author worked seemed concerned that this represented a real and significant threat. Given that SSL certificates can be purchased for about $30 per year, the chosen course was at a minimum irresponsible if not negligent. Of course, the author concedes this is better than the countless small business owners and their employees who continue to use PDA devices with POP/SMTP accounts that do not even use basic password encryption.


ATTACK STRATEGIES: SELECTING AN OPTION



Attacks can be generally categorized in one of three groups: direct attack, relay attack and remote attack. These strategies can be applied individually or in a concerted, multi-level attack tailored to fit a given set of circumstances. While most attacks will use the direct attack approach, this is due to the limited skill level of most computer criminals. Sophisticated and experienced criminals will use more advanced compound strategies to exploit target networks. The error for a consultant-as-criminal is to assume a direct-attack-only posture rather than to evaluate a network against the more advanced attack possibilities. Evaluating the advanced possibilities ensures that the consultant will better assess the true scope of the vulnerability. Later the minimum effort required to attack the network successfully can be assessed to make a cost-benefit analysis for any remedial recommendations.



  • DIRECT ATTACK


    A Direct attack is any attack conducted onsite at the target area through a direct connection between the target network and the attacker’s computer/device. Thus, using aircrack-ng with a laptop to gain access to a wireless network is a direct attack. However, direct attack increases the risk of detection and capture. In some cases, direct attack increases this risk such that it is not feasible, necessitating a more creative method of access.



  • RELAY ATTACK


    The two indirect methods of attack are extremely similar. The first is the ‘relay attack’ where access to the target area is possible but limited or requiring extreme discretion. These attacks are best suited to situations where the criminal must use a second device to project his access either into a space where he cannot physically access or into a time when the risk of detection would be too high. This ‘relay kit’ is then accessed remotely from another network, wireless signal or over the internet. In the test phase of this project, the author developed such a kit (described earlier) using a laptop, backpack, inverter and car battery. He customized shell scripts on this relay unit to automate the WEP/WPA-PSK crack procedure described in Appendix B and successfully compromised a test-target network.



  • REMOTE ATTACK



    The third method of attack is the remote attack. This is not simply a person accessing the network over the internet, as such would technically be a direct attack. Instead the remote attack (often used by those distributing viruses, Trojans and other malicious software) is aimed at first gaining access to an external trusted device and then using that device to conduct a relay attack. The person who carries, owns or uses the compromised device in a remote attack is often unaware of their complicity in the attack. They proceed as usual to conduct business while giving access to the attacker in the background. Remote and relay attacks both can be primary stage strategies to gain access beyond the perimeter, or as demonstrated in the next chapter, a remote or relay attack can be the second-stage strategy for penetration-in-depth.



SCENARIO #1: “RESTAURANT ATTACK”



We will start in our consultant-as-criminal role, assuming the title of ‘free-loader’ aimed at getting free internet from a target wireless network while we enjoy a warm lunch at a local restaurant. Technologically this attack does not differ from any other attack on a wireless network. Here, we will have only the following basic gear:




  • Laptop

  • BackTrack3 Live DVD

  • Wireless Network Adapter




Acknowledgement: The author would like to anonymously thank the IT professional and business owner who agreed to test this scenario. I am sure this was a lunch we all will remember for a long time. NOTE: Several business owners and IT professionals agreed to participate in this project. In return the author has promised each business owner that his/her name, company, SSID or other information will never be disclosed as this could attract negative publicity and other attackers. Thus, any names of companies, SSIDs or other identifying information are pure fiction created for illustrative purposes only. Whatever resemblance to actual persons, organizations or entities is pure coincidence. The author would like to thank many frustrated IT support persons for their participation. In one case, the owner did not tell the IT professional what the meeting was about and the author wishes to both apologize and thank that person for her participation and later advice. It was never the author’s intent to blind-side anyone in this research.

Our strategy is simple. It is lunchtime and we enter a local restaurant with our laptop. We ask for a seat that has an electrical outlet for additional power and we order the daily special. So far, we have done nothing more than establish a solid ‘roost’ to work from with endless power to sustain our operation. In theory we could remain for hours in this roost to attack and exploit the target network. But as free-loaders we are motivated to find quick, easy internet access. We power on our laptop and soon find three small business networks in the area. Our first move is to assess these networks in terms of weakness and signal strength to find the optimal target. The first network ("ACME Auto") has a 20% signal strength and is protected by the original WEP protocol. This is a weak network but its low signal strength will require more time to crack. On the other hand, the second network has an 80% signal strength and is protected by the stronger-but-vulnerable WPA-PSK protocol. Its signal strength makes it a great target and the use of a pre-shared key (PSK) makes it vulnerable. But the time required to crack WPA makes us look at the third network. This network has a 70% signal strength and uses the same WEP protocol implemented on the first network. As free-loaders we would probably attack the third network. Unfortunately the network we were authorized to crack was the ACME Auto wireless. Given that the third network was most likely a residential connection with little more than an internet connection to offer, only a freeloader would consider it a worthwhile objective. Obviously no small business owner reading this page wants to be that third network, though many are. This is just a retelling of a field experiment. The fact that the weakest network was a residential connection is pure coincidence. There are many other cases the author has found where businesses use WEP.



Our challenge in this case increased over that of a typical freeloader, but it was nonetheless feasible. Using the laptop we executed our WEP-cracking procedure (See “Procedure: Cracking WEP/WPA-PSK” in the appendices). The attack required a little more than one hour to obtain the WEP key but it was nonetheless successful. Soon we had access to ACME Auto, but our owner was not completely convinced that we were not pulling some technological smoke-and-mirrors game. To “prove” our attack the owner agreed to allow the author to access his workstation and change the desktop picture. We did this using the Metasploit Framework and proved not only that we could access his wireless network as freeloaders but that we could obtain “unauthorized” access to a computer on his network used to conduct auto sales and make changes to that computer.



The above attack scenario was verified by the author with two other clients of the author’s IT professional friend. In all cases, the networks were quickly secured using WPA with either AES or AES+TKIP. Those networks that could support RADIUS were adapted to do so. But in each case, the wireless networks using WEP or WPA-PSK were compromised, though networks using WPA-PSK with large, random pre-shared keys were harder to crack and required longer times. This proved that an attack on WPA-PSK is less likely to succeed within the short time frame of a lunch break but nonetheless is possible for those who have longer attack windows—such as neighbors or employees.



SCENARIO #2: “WIRELESS RELAY ATTACK”




A relay attack is more complex than a direct attack. This is not the strategy the author can see any free-loader employing for mere internet access. In fact, most vandals would not have the patience or aptitude to apply the relay strategy. This approach is pretty much geared toward high-tech, sophisticated criminals such as the thief. We must apply greater technical skill, a few more resources and a strong tactical plan if we are to succeed. That means we have four objectives: (a) Prepare a wireless relay station, (b) Deploy this wireless relay station to the target site, (c) Connect to and remotely control and/or monitor the relay station during the attack process, and finally (d) Recover the relay station following a successful attack.



In July 2009, with the help of a friend, the author was introduced to a business owner who was interested in the author’s research. He agreed that his network was not secure—using WEP—but maintained that no person could get reasonably close enough to the network without drawing attention to themselves. As an attorney, this owner was out to prove his case when he agreed to walk through the floor of his office building while the author used NetStumbler to map out the range of his network and to assess the feasibility of an attack. In the end he had to admit that a direct attack was not feasible under the circumstances. But the author argued that a relay attack would succeed. The owner-attorney accepted the challenge and the two scheduled the attack to take place on the following Friday afternoon.



The author and attorney met for lunch at the Subway sandwich shop on Congress Avenue in downtown Austin, Texas. There, they discussed the attack the author had planned and agreed that the author would conduct the attack with the owner-attorney present in case security became curious. The two then walked from the restaurant south on Congress to the skyscraper where the owner-attorney’s office was located. As they approached the building, the author pointed out the surveillance cameras watching the building’s approaches. Both the author and the attorney agreed that any determined criminal would not enter the building himself; both speculated that an attacker would use an accomplice (probably a kid wanting to ‘make a name for himself’) to carry out the relay deployment. As the attorney and author entered the building, they did discuss the skewed nature of the test: alone, without the attorney accompanying him, the author might have attracted attention that he did not attract in the attorney’s company. Yet the attorney did concede that many visitors enter the office tower each day without scrutiny.



Once the author and attorney arrived at the floor where the target law office was located, the author walked directly to the restrooms where he deployed the “relay kit” for the duration of the attack. The author had seen the restrooms during his prior visit. An otherwise unfamiliar attacker would have had to identify this quickly while determining if any of the other doors could be used for the attack. Fortunately one of these doors was a publicly accessible restroom with a tile ceiling. Mounting the ‘relay kit’ was the riskiest operation. This entire operation required twenty minutes. It is likely that with practice it could have been done in less time, but the fact that the author was not caught says this is a relatively solid strategy. All told, the procedure went as follows:



“RELAY KIT” MOUNTING PROCEDURE USED IN JULY 2009



  1. Enter the restroom and find an empty stall with ready access to the ceiling.

  2. Enter the stall and place the backpack on the toilet.

  3. Open the backpack and power-on the laptop, ensuring it successfully boots the Ubuntu Linux system image pre-installed.

  4. Observe as the system initiates an auto-login and the attack-automation scripts begin to execute.

  5. Close the package and prepare the kit for deployment above the ceiling tiles.

  6. Climb up the restroom stall side panel and wedge-in the body to position self for deployment.

  7. Shift the ceiling tiles to the side, exposing the plenum and suspension wires.

  8. Attach a small clamp to the suspension cable and tighten the tension screw.

  9. Use nylon cord attached to relay kit to hoist kit up to a position for placement.

  10. Lift the kit in place and use the nylon cord to hang the kit from the clamp affixed to the suspension cables.

  11. Test the weight to ensure the kit will not overcome the load capacity of the ceiling suspension cables.

  12. Store the remaining nylon cable in the open space above the tiles.

  13. Re-position the ceiling tiles and exfiltrate the area.



Once the ‘relay kit’ was properly installed, the author went with the owner into his office to conduct the remainder of the attack. In a real scenario, this part would have been done off-premises by the actual attacker as the accomplice made his/her getaway. Nonetheless, the owner and author used a second laptop to access the ‘relay kit’ via a second wifi interface on the relay kit. From this position, the author was able to use SSH to conduct the relay attack. In under 30 minutes the attacker had the WEP key and was connecting to the network. The attorney was amazed to watch the author connect to his PC using DameWare. Satisfied that the attack was both feasible and represented a significant threat to his business, the attorney decided to take the author’s recommendation. He contacted the person who had introduced them and agreed to allow the wireless network to be re-configured to use WPA2(AES+TKIP) while the author went to recover the relay kit.


As we have discussed, the above scenario was limited in many ways from a real attack. This does violate the author’s earlier promise that these scenarios would be as realistic as possible. However, no opportunity presented itself to test this strategy realistically as either no willing parties could be found or the situation presented too great a risk to the author, who had no desire for a run-in with law enforcement, building security or a property owner.
In a real attack, the professional criminal would have recruited some third party to deploy the relay kit. This person would probably be a ‘vandal’ who seeks the respect of the criminal and carries out the plan in order to ‘prove’ himself/herself. This accomplice would ensure that the criminal’s face does not appear on any surveillance cameras. Instead the cameras would show the intruder with his backpack—possibly looking like an intern or maybe even dressed as an interviewee—entering the premises for recon one day, coached by the attacker. Later, after the criminal prepares the ‘relay kit,’ the accomplice would return (perhaps with a second person as a look-out) to deploy the kit.
Once the relay kit is deployed the criminal attacker will use remote means to access and connect to the laptop. Most likely this will require a daemon running on the relay kit computer to connect to the internet and establish a VPN or other connection to the attacker’s staging network. From this staging network the attacker will coordinate the remaining attack procedures. Most likely the attacker will seek to establish a ‘foothold’ on the network by installing remote-access software on a vulnerable device to allow continued access once the relay kit is removed. Once the ‘foothold’ is in place, the accomplice will be deployed to retrieve the relay kit and no one will know of the attacker’s backdoor access. This recovery operation has two objectives—



SCENARIO #3: “REMOTE ATTACK”



In August 2009 the author had shared an earlier book written for this project with an associate who criticized the hypothetical of a remote attack. He claimed that no IT professional would fall for something this obvious. The author accepted the challenge and asked permission to conduct an attack on the associate’s computer. The associate agreed and the game began. Two weeks later the author called the associate and asked for “help” with a technical issue. The associate, an expert in the area the author was “having a problem,” had a little time and was intrigued by the fictitious programming problem. He agreed to look at the problem closer once he was at home. Later that evening, the author posted the program for download. Without fail his friend downloaded the program and launched it only to encounter a fictitious error created by the author. The associate fumbled with the program for a few minutes, perplexed. He was unaware that every password stored on his home computer had been potentially compromised. The program sent to the associate had collected the user hashes for every user account on the system. Those hashes were then emailed to the author using a dead drop account, which the author accessed to download the data. Using these hashes, the author passed the information through a program called ‘rcrack’ which uses rainbow tables to decode usernames and passwords. This information was then transmitted back to the associate who has since conceded that even seasoned IT professionals are vulnerable. For those who still have their doubts, run any of the password recovery programs from NirSoft on your computer to see how much information is stored on the average computer which an attacker could exploit. In the case of the associate, the author’s program could have just as easily installed a remote-access service, key logger or other threat.



SCENARIO #4: “ATTACK OVER WIRED NETWORKS”



The author has demonstrated that WEP/WPA-PSK wireless networks are not secure and should not be trusted. Regardless of the strategy used to penetrate the wireless perimeter, WEP/WPA-PSK is not adequate for home or office. In fact, aggressive businesses concerned about their security should require that their IT standards extend to the home networks of any remote workers or persons who take work/computers home with them. These standards should require the use of WPA2 (AES) at a minimum and the use of built-in RADIUS servers where possible. In fact, dedicated business network devices would provide added protection. But wireless networking is not the only hole to be found in the perimeter. Wired internet connections can be compromised as well.


Enter the attacker with a simple port scanner (such as nmap). This individual has compromised a third-party network which he/she will use as his staging area. We will refer to this as his/her “roost.” It is his/her operating base for the attack. From this location, he/she can anonymously attack another network with little fear of capture. His/her risk will increase if he continues to use the same roost more than once. Like a sniper he/she must attack only a certain number of times from this position before relocating to another site.


Enter the criminal attacker’s plan—identify vulnerable network services and exploit the weaknesses in these services to gain entry into the perimeter. First the attacker must find this perimeter on the internet. Much like a burglar must find an address in order to rob a specific target, the computer criminal must find the internet address (or “IP”) assigned to the network. In most businesses this is not hard since the business will often have a static public IP and an internal mail server. This internal mail server requires a few special DNS records to be configured for the email system to work in accordance with the rules of the internet—known as the RFCs. These special DNS records include the mail exchange (MX) record, which points other mail servers seeking the business’ email servers to the network where those servers are located. They also include the reverse lookup (PTR) record, which maps the IP address of the network (such as 4.2.2.2) back to its DNS name (such as ‘google.com’). MX and PTR records cannot be avoided. But unfortunately they can be used to identify a network on the open internet.


Our criminal attacker starts this reconnaissance process by searching for the company’s online identity. Using Google, the attacker finds that the company ACME Funereal Services has a web site located at the URL http://acmefunerals.com. The attacker now has a starting point. He uses the following procedure to learn more about this domain name:




  1. Open a command shell.

  2. Type ‘nslookup’ and press enter.

  3. The nslookup utility will start and the ‘>’ prompt will await further input.

  4. Type ‘set type=MX’ and press enter.

  5. Enter the domain name for our target network and press enter.

  6. Nslookup returns reference information for the network that will receive any mail sent to the given domain name. [NOTE: in the following example, the MX record for samcaldwell.info forwards emails to a server named dns.jomax.net (which is operated by Godaddy.com).]

  7. Typically the MX record lookup will return a ‘mail.acmefunerals.com’ address.

  8. We then look up the IP address for that DNS record by performing a lookup of the A record for ‘mail.acmefunerals.com.’

  9. Type ‘set type=a’ and press enter.

  10. Type ‘mail.acmefunerals.com’ and press enter.

  11. Nslookup returns an IP address for this A record: 235.231.212.225 (this IP is a fictitious example).

  12. We now correlate that IP address to determine if the PTR record supports our finding. After all, we could otherwise end up attacking a spam filtering service.

  13. Type ‘set type=PTR’ and press enter.

  14. Enter the IP address discovered above and press enter.

  15. The PTR record is returned. This should reference the mail domain.

NOTE:
One might use this IP address with the telnet utility to connect to the mail server and test operation thereof as a final check. As per the RFCs, this address should respond to a lookup for the mail box postmaster@[domain], etc.
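The MX → A → PTR correlation in steps 4 to 15, as an added example that is not part of the original text, written so that an administrator can verify that his own mail domain’s records are consistent (an MX whose PTR points into another zone usually means a hosted relay or spam filter). The resolver is a constructed stand-in returning the fictitious records used above; the `example.test` domain and the 203.0.113.0/24 address are constructed as well.

```python
# Added example: forward-confirmed correlation of MX -> A -> PTR records.
# `fake_resolve` is a constructed stand-in mimicking the nslookup answers in
# the text (235.231.212.225 is the page's fictitious address); replace it with
# a real resolver to audit a live domain.

def _strip_dot(name: str) -> str:
    """Normalise a DNS name: lower-case, no trailing dot."""
    return name.lower().rstrip(".")

def _same_zone(host: str, domain: str) -> bool:
    """True when `host` is `domain` itself or a name beneath it."""
    host, domain = _strip_dot(host), _strip_dot(domain)
    return host == domain or host.endswith("." + domain)

def correlate_mail_host(domain, resolve):
    """Return a report for each MX host of `domain`.

    `resolve(qtype, name)` returns a list of answer strings for record type
    `qtype` ('MX', 'A' or 'PTR'), one per answer, like the nslookup steps.
    MX answers are '<priority> <host>' strings.
    """
    report = []
    for mx in resolve("MX", domain):
        priority, host = mx.split(None, 1)
        entry = {"mx": _strip_dot(host), "priority": int(priority), "addresses": []}
        for ip in resolve("A", host):
            ptr_names = [_strip_dot(n) for n in resolve("PTR", ip)]
            entry["addresses"].append({
                "ip": ip,
                "ptr": ptr_names,
                # The PTR should name a host inside the mail domain; a PTR in a
                # different zone points at a third party's relay or filter.
                "in_domain": any(_same_zone(n, domain) for n in ptr_names),
                # Forward-confirmed: the PTR name resolves back to this IP.
                "forward_confirmed": any(ip in resolve("A", n) for n in ptr_names),
            })
        report.append(entry)
    return report

def is_self_hosted(report) -> bool:
    """True when every MX address has an in-domain, forward-confirmed PTR."""
    return bool(report) and all(a["in_domain"] and a["forward_confirmed"]
                                for e in report for a in e["addresses"])

# Constructed zone data (keys are normalised names, no trailing dot).
_FAKE_ZONE = {
    ("MX", "acmefunerals.com"): ["10 mail.acmefunerals.com."],
    ("A", "mail.acmefunerals.com"): ["235.231.212.225"],
    ("PTR", "235.231.212.225"): ["mail.acmefunerals.com."],
    # A constructed domain whose mail is handled by a hosted filtering service.
    ("MX", "example.test"): ["10 mx1.filter-provider.test."],
    ("A", "mx1.filter-provider.test"): ["203.0.113.10"],
    ("PTR", "203.0.113.10"): ["mx1.filter-provider.test."],
}

def fake_resolve(qtype, name):
    """Stand-in resolver: answers from the constructed zone, [] when unknown."""
    return _FAKE_ZONE.get((qtype, _strip_dot(name)), [])

if __name__ == "__main__":
    for d in ("acmefunerals.com", "example.test"):
        r = correlate_mail_host(d, fake_resolve)
        verdict = "self-hosted" if is_self_hosted(r) else "external relay/filter"
        print(d, verdict, r)
```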



The attacker has reversed the mail address to find the target network according to DNS. Yet he/she has not positively identified the network. He/she might look up the IP address using an IP locator to identify the Internet Service Provider. Using some basic social engineering skills, the attacker will be able to confirm that the target network has the same ISP, meaning the target network is most likely referenced by the earlier discovered IP address.


With the perimeter identified, the attacker next moves to scan the perimeter for weaknesses. Much as a wireless network is made vulnerable by poorly implemented technology, wired networks are also weakened by improperly managed/configured services. Our attacker will find these holes using a ‘port scanner’ utility such as nmap. The scan of 235.231.212.225 shows our criminal that the following ports are open—that is, the ports are allowing access to some device listening and responding on the other (internal) side of the firewall.



Discovered Open Ports

  Port   Name    Description
  25     SMTP    Mail Relay/Transport
  80     HTTP    Unsecured Web Services
  443    HTTPS   Secured Web Services (SSL)
  21     FTP     File Transfer Protocol (Unsecured)
  110    POP     Incoming Email (Unsecured)
  5060   SIP     Session Initiation Protocol (VOIP) (Unsecured)

See RFC 1700 for a list of application layer port numbers.



The attacker knows that he/she can attack ports 25, 21, 110 and 5060 most easily since these protocols transmit usernames and passwords in ‘clear text.’ He must only intercept the traffic. This part is more challenging but possible. The criminal soon finds that the business owner uses POP/SMTP to check his email. POP/SMTP is also used by the company salesperson to receive email on her PDA device. The attacker next uses the telnet command to view the email server’s welcome banner (type “telnet acmefunerals.com 25” into a command shell and press enter):



220 acmefunerals.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at [time stamp]


From this banner, the attacker knows the mail server is a Microsoft Exchange 2003 Server running on a Windows 2003 Small Business platform. This may tell an attacker that the POP/SMTP or FTP credentials used with this network are more than likely the same active directory user credentials used with the rest of the network. Once he/she compromises the POP/SMTP or FTP credentials, the rest of the network will be laid open to the permissions of the compromised user. All that is required is a small number of interactions with the users over these unsecure protocols and the stage is set for the attack.
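The clear-text authentication problem described earlier (POP/SMTP credentials on the wire, NTLM offered instead of TLS) and the banner check just shown, as an added example that is not the author’s code: a small audit that reads the replies a mail server gives on ports 25 and 110 and reports cleartext or NTLM authentication offered without STARTTLS/STLS, plus the version disclosure in the banner. The transcripts are constructed stand-ins for what a telnet session would show; the 203.0.113.5 client address and `mail.example.test` are constructed as well.

```python
import re

# Added example: audit the authentication options a mail server advertises.
# The transcripts are constructed; a live check would read them from a socket
# connected to ports 25 and 110 (the same lines a telnet session displays).

def parse_smtp_ehlo(text):
    """Return (banner, extensions) from a 220 banner followed by a 250 EHLO reply."""
    lines = [l.rstrip("\r") for l in text.splitlines() if l.strip()]
    banner = lines[0] if lines and lines[0].startswith("220") else ""
    exts = {}
    for l in lines[1:]:
        m = re.match(r"250[ -](\S+)(?:\s+(.*))?$", l)
        if m:
            exts[m.group(1).upper()] = (m.group(2) or "").split()
    return banner, exts

def audit_smtp(text):
    """List weaknesses visible in an SMTP banner/EHLO exchange."""
    banner, exts = parse_smtp_ehlo(text)
    mechs = {m.upper() for m in exts.get("AUTH", [])}
    findings = []
    if "STARTTLS" not in exts and mechs:
        findings.append("SMTP AUTH (%s) offered without STARTTLS: credentials cross "
                        "the wire unencrypted" % ", ".join(sorted(mechs)))
    elif mechs & {"PLAIN", "LOGIN"}:
        findings.append("SMTP advertises PLAIN/LOGIN before TLS; a client that skips "
                        "STARTTLS will send clear-text credentials")
    if "NTLM" in mechs:
        findings.append("SMTP offers NTLM: the challenge/response can be captured and "
                        "cracked offline")
    m = re.search(r"Version:\s*([\d.]+)", banner)
    if m:
        findings.append("banner discloses software version %s" % m.group(1))
    return findings

def parse_pop3_capa(text):
    """Return {capability: args} from a POP3 CAPA reply ('+OK ... .' terminated)."""
    caps = {}
    for l in text.splitlines():
        l = l.strip()
        if not l or l.startswith("+OK") or l == ".":
            continue
        parts = l.split()
        caps[parts[0].upper()] = parts[1:]
    return caps

def audit_pop3(text):
    """List weaknesses visible in a POP3 CAPA reply."""
    caps = parse_pop3_capa(text)
    findings = []
    if "STLS" not in caps:
        if "USER" in caps:
            findings.append("POP3 accepts USER/PASS with no STLS: password sent in clear text")
        if "PLAIN" in {m.upper() for m in caps.get("SASL", [])}:
            findings.append("POP3 SASL PLAIN without STLS: base64 is not encryption")
    return findings

# Constructed transcripts. The weak SMTP one reuses the banner quoted in the text.
SMTP_WEAK = """220 acmefunerals.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at [time stamp]
250-acmefunerals.com Hello [203.0.113.5]
250-SIZE 10485760
250-AUTH NTLM LOGIN
250 OK
"""

SMTP_HARDENED = """220 mail.example.test ESMTP
250-mail.example.test Hello [203.0.113.5]
250-STARTTLS
250 OK
"""

POP3_WEAK = """+OK POP3 server ready
USER
TOP
UIDL
SASL NTLM
.
"""

POP3_HARDENED = """+OK POP3 server ready
STLS
TOP
UIDL
SASL PLAIN
.
"""

if __name__ == "__main__":
    for f in audit_smtp(SMTP_WEAK) + audit_pop3(POP3_WEAK):
        print("WEAK:", f)
    print("hardened findings:", audit_smtp(SMTP_HARDENED) + audit_pop3(POP3_HARDENED))
```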



The criminal may take two avenues: (1) tap a wired connection outside the firewall and use a packet sniffer to read the cleartext passwords or (2) intercept traffic on the remote network(s) used by the end users to connect to their vulnerable services. In the case of ACME Funerals, we might seek to compromise the owner’s home computer where he also receives work email. Alternatively, we might use a directional antenna to intercept traffic from the sales person’s PDA and sniff out the POP/SMTP passwords.



Given that the company uses a small business server (learned earlier from the mail server’s banner text), we know that almost all services are on the same server. Once we have sniffed the packets and found the salesperson’s username and password, we proceed to access that person’s FTP account. We navigate through the FTP server directory structure and find that our access is limited to the sales folder only. Thus we rename our remote-access software “CRITICAL SALES OPPORTUNITY.XLS.EXE” and upload the file to the FTP server. When the salesperson sees the file, he will be tempted to open it, but may never do so. This is just one opportunity for our access. As the reader should see, gaining wired access is harder than wireless access.



Our next opportunity comes from the Exchange webmail (or “Outlook Web Access”) which may or may not explain the exposed ports 80 and 443. We may log into this console at our leisure using the sales person’s credentials and access all of the person’s contacts, emails and public folders. For the vandal this might include sending embarrassing messages. But for the thief this could be a simple means of spamming the community.



Our last opportunity allows us to compromise the business owner, whom we know most likely runs under administrative permissions. The criminal learns that the target company’s owner frequents a local coffee shop to meet with a group of other business owners. The criminal decides that his best hope is to sit in his car, using Wireshark to sniff the coffee shop’s public 802.11 wireless network, and wait for the owner to check his email. Once he does, the captured packets will contain the username and password. With this username and password, the criminal now has complete control over the target network.


SCENARIO #5: “STEALING LICENSE KEYS”



Many criminals, especially freeloaders, do not see a need to observe copyright. This seems like a victimless crime, but recently on IRC the author encountered an individual who asked others in the chat room if anyone knew how he could get a license key for Windows XP. Another user suggested the person try using BitTorrent to find a cracked corporate license, which the individual said he would try. This naturally led the author to ask himself, “How do people get these corporate license keys to begin with?” Software piracy is a serious offense that can land people in jail and bring huge fines, but where does the illegal key come from? Naturally the first suspect to come to mind is the IT staffer at some company who takes a license home for personal use and later tells a friend, “Hey, just use this one…but you know, keep it to yourself.” That, we all know, never happens. But the author started to wonder about other means of stealing license keys. While he could not find any evidence that the scenario presented in this section is being actively or widely practiced, it is a feasible security risk that should concern both large and small organizations, given the fines associated with software piracy.



Any owner or IT professional who carefully examines the Microsoft End-User License Agreement accepted by using Microsoft products will find that it is the end-user organization’s responsibility to prevent the proliferation of illegal copies of the product. This means that if an organization has X licenses of, say, Windows XP Professional and that license key makes its way to BitTorrent for public download by users worldwide, the organization itself may be held responsible for fines which can range from $150,000 to $200,000 per software title. This naturally led the author to speculate that this risk could be a greater danger if there were a strategy that an external, unknown criminal could use to steal license keys.



It did not take much of a leap of imagination to connect the tools many technicians use to recover license keys with the criminal community which, as we have already shown, can potentially gain unauthorized access to a company’s computer systems. Tools such as “Magical Jellybean Key Finder” are familiar to all computer technicians who have faced a situation where a legally licensed software package must be reinstalled but the client does not have the license key on hand. Yet these tools can be scripted and run remotely. In some cases they can be run remotely without the user’s knowledge. In these scenarios it is more than feasible that a criminal with unauthorized access to a network could steal the license keys from a small business’s computer systems and sell those keys on the black market.



Naturally the author would not make this statement without testing the scenario. Given the legal constraints, the author created a test network using his home office and Microsoft TechNet subscription. The network consisted of a wireless network using WPA-PSK, a Windows XP Professional computer and a Windows Small Business Server 2003 virtual machine configured as a domain controller. Once the network was properly configured (using default settings where possible) and all systems were patched with the latest service packs and other protective measures, the author asked an associate to remote into his test network and change all passwords, IP addresses and wireless pre-shared keys. The author then conducted the attack using his basic kit from the comfort of his back porch with a signal strength of forty percent. In two hours the wireless security had been compromised and the author had access to the test network. Using the steps described later in the “penetration-in-depth” chapter of this book, the author was able to gain local administrator access to the Windows XP workstation and install Magical Jellybean, which he ran to reveal the license key used on this system. Copying that key, the author completed the attack in less than an hour after gaining access. Expanding this test, the author conducted further testing to lift keys for Microsoft Office and other software titles he had licenses to use. He then expanded the test against his own workstation and managed to “steal” over $1,200 in software within a single afternoon.


SCENARIO #6: “SOCIAL ENGINEERING: THE GEEK CON-ARTIST”







CON ARTIST (PLURAL CON ARTISTS)

“A person who defrauds or swindles others after first gaining their trust; a scam operator.”

(Source: http://en.wiktionary.org/wiki/con_artist)





Con artists are well known in society. Hollywood has made the con artist a hero and a villain, as well as a stereotype. The author recently went to downtown Austin to find out what one hundred people thought of first when they heard the words “con artist.” Of those one hundred people, most said “telemarketer,” “lawyer,” or “politician.” No one said “computer criminal,” “computer geek,” or anything about social engineering.



SOCIAL EXPERIMENT

Response              % Responding
Telemarketer          30
Lawyer                21
Politician            11
Used Car Salesman      9
Ex-Spouse              7
Other                 22



Note: This experiment was conducted in mid-July 2009. The author walked from the intersection of Oltorf and Congress north to 11th and Congress randomly asking 100 persons to say the first thing that came to mind when they heard the words “blue,” “happy,” and “con-artist.” No participants were told anything other than “My name is Sam Caldwell. I am doing a research study on human response, may I ask for your help?” Participants who agreed, and most did, were then asked to say the first thing that came to mind when the author said a word.



“Social engineering” is the glamorous term for ‘con-artistry’ used to gather the information needed to secure unauthorized access to a computer system, commit fraud, and so on. It can take many forms: calls to customer service under false pretexts, deceptive interviews with a company to gain insight into its internal procedures, dumpster diving, phishing and fraudulent solicitation. Of the various attack strategies used to gain unauthorized access to a computer network, social engineering is the most successful. Unfortunately for the criminal, it is also the most risky and the most likely to result in capture, because it requires some level of interaction with people who might later identify the criminal.



The informative website SecurityFocus.com has an excellent story demonstrating social engineering at a large shipping company:



SOCIAL ENGINEERING FUNDAMENTALS, PART I: HACKER TACTICS


BY SARAH GRANGER (LAST UPDATED DECEMBER 18, 2001)

A TRUE STORY


One morning a few years back, a group of strangers walked into a large shipping firm and walked out with access to the firm’s entire corporate network. How did they do it? By obtaining small amounts of access, bit by bit, from a number of different employees in that firm. First, they did research about the company for two days before even attempting to set foot on the premises. For example, they learned key employees’ names by calling HR. Next, they pretended to lose their key to the front door, and a man let them in. Then they "lost" their identity badges when entering the third floor secured area, smiled, and a friendly employee opened the door for them.



The strangers knew the CFO was out of town, so they were able to enter his office and obtain financial data off his unlocked computer. They dug through the corporate trash, finding all kinds of useful documents. They asked a janitor for a garbage pail in which to place their contents and carried all of this data out of the building in their hands. The strangers had studied the CFO's voice, so they were able to phone, pretending to be the CFO, in a rush, desperately in need of his network password. From there, they used regular technical hacking tools to gain super-user access into the system.


In this case, the strangers were network consultants performing a security audit for the CFO without any other employees' knowledge. They were never given any privileged information from the CFO but were able to obtain all the access they wanted through social engineering. (This story was recounted by Kapil Raina, currently a security expert at Verisign and co-author of mCommerce Security: A Beginner's Guide, based on an actual workplace experience with a previous employer.)


(Quoted on 12 September 2009 from http://www.securityfocus.com/infocus/1527 with minor format changes.)





This story demonstrates how easily a criminal attacker can use social engineering principles to compromise a security-conscious large corporation. A small business owner must wonder how much easier it would be to use social engineering on a small company. With the permission of the owner of one business, the author conducted an experiment to find out how well social engineering would work with a small business. To do this, the author started with an online search to find information about the business. He went to the company’s website and found the business’s name, address and contact information. He then went to the Texas Comptroller’s website, where he searched the taxable entities database to find the company’s name, taxpayer ID number, file number and owner contact information. He also used a Google search and learned that the owner had made several regular contributions to the National Republican Congressional Committee. The owner then agreed to allow a test of the employees. The author called the company and asked to speak with someone in public relations or marketing. After all, marketing and public relations people love it when the community comes calling with free publicity. Using the not-quite-false pretext that he was writing an article on how Austin small business computer needs differ from those of big corporations, the author managed to coax the office manager into answering some questions. For the next fifteen minutes, the author interviewed the office manager with several questions:



INTERVIEW QUESTIONS WITH A SMALL BUSINESS OFFICE MANAGER


Question: How many computers do you have?

Answer: We have three computers in the office and two point-of-sale terminals up front.

Question: Do you have any servers?

Answer: I am not sure. I think so. But that would be a question for Allen, our computer guy.

Question: Do you have in-house IT people or do you outsource your IT services?

Answer: We have a local company, [name omitted], that takes care of that. They take really good care of us.

Question: What is your biggest concern with computers?

Answer: Well…making sure they are running.

Question: How many outages do you have in a given month?

Answer: Maybe one or two if the power goes out or something. Really we don’t have many problems.

Question: Do you pay a flat fee for managed computer services or do you work with [name omitted] on a pay-as-you-go basis?

Answer: We pay as we go, but they have this thing where we buy blocks of time each month. They usually come out once a week to make sure we are okay and we call them if there is an emergency.

Question: How often do you need computer services?

Answer: Not really that often. We had someone out yesterday, but that was about it.

Question: I am not sure this applies to you, but does your IT services company carry any badge or other way for your customers to know they are an authorized vendor in your organization?

Answer: Uhmm…not really. They have business cards, I think.

Question: Do you have a disaster recovery plan in the event of a catastrophe?

Answer: [Pause]…I would have to check on that.

Question: How important is backing up data for your business?

Answer: We back up every day to a little thingy under our counter. I am not sure what to call it.

Question: Last question, what is the biggest difference you see between big businesses and small businesses in terms of computers?

Answer: Well we don’t have the money to spend on the latest things. Our computers are pretty old…seven or eight years….and we just have to make do with what we have. For us it’s a choice between growing and buying stuff we don’t really need.



For the most part these questions seem pretty simple and harmless. The office manager was more than happy to know that her business would be used in a published article, which wasn’t exactly a lie. The owner reviewed the questions that evening and also saw no harm in anything the office manager had said. The same afternoon, the author went to the IT services company and spoke with a technician about pricing for a new custom-built PC. The company appeared to have only three to five employees. All were dressed in business casual attire that appeared professional but did not identify them as employees of the company. When the author was ready to leave he asked one employee, a gentleman named Mark, if he had a business card. Mark was happy to provide a card and promised the author he could get him a good deal on the computer he wanted. Inspecting the business card, the author noticed it didn’t have any specific employee’s name. It was a generic company business card.



The author, however, was not interested in purchasing a computer. He had just created a scenario whereby he could secure access to the target company, using a false pretext that many criminals are all too willing to use: the “I’m-with-I.T.” card. Before doing anything, the author talked with the owner about what he planned and the owner agreed to be out of the office when the attack happened. They also agreed to contact the IT services company and meet first to ensure no one would be too upset if this worked. As expected, the IT company’s owner was not happy to be under scrutiny, but the owner was agreeable and the author had emphasized that he was trying to help the IT consulting industry and small businesses as a whole. He went along but promised no cooperation, which is what the author had wanted. He also assured the owner that anything the author did was not covered by any warranty and would be billed hourly outside of their existing contract.



The author was afraid the IT company would tip off employees at the company and decided to carry out the attack that same afternoon rather than the following day as planned. The owner conceded the point and went home, while the author drove to the company. He entered the store and presented the business card, saying, “Hi. My name is Sam. I am a tech with [company omitted]. The office sent me to do a weekly test of the backups and such. Is everything running okay this week?” The college student at the front desk smiled awkwardly and asked where “Allen” was. From the phone interview with the office manager, the author knew “Allen” was the regular technician who took care of the client. The author shrugged, “I’m kind of new here. I think they said he was out sick or something this week.” The employee nodded and said she would get the office manager.



The office manager was more skeptical. She explained that she had previously told the IT company that she only wanted Allen, but when the author explained that Allen was out sick and had scheduled the author to do nothing more than check the backups, the office manager finally gave in rather than confront what to her probably appeared to be just another cog in the machine. She instead showed the author the location of the external hard disk sitting under the front counter next to one of the POS terminals. The author went through the motions of verifying that it had power and was accessible from Windows. He then opened the backup software and checked the logs. Then he stopped to observe that no one was paying attention. Checking the system, he found that the computer was a stand-alone workstation running point-of-sale software from a local administrator account. While standing there unsupervised he could have installed a remote agent (or, for that matter, any employee could have done so) without any interruption. After twenty minutes, the author left on foot and called the owner.
The owner explained that the office manager had called the IT services company, who had denied the author was an employee, and when she came back to the front she found the author was gone. The owner had defused the situation. In the end the IT services provider claimed there was no risk since the office manager had in fact called to verify the author’s identity, but the office manager later admitted that she had left the author unattended at the computer terminal while she debated whether or not to call. The employee working the front counter also admitted that she had left the author unattended when she went to the restroom. She did not find it strange that the author left without having her sign paperwork for the ‘service call’ until this was mentioned to her. Only the owner seemed to appreciate this exercise. The author still owes him lunch as of this writing as a way of saying thank you for helping with the project.



Readers should walk away from this section with a cold feeling. As IT consultants we must do a better job of ensuring we carry photo-bearing credentials which identify us as employees of our employer organizations. As business owners we should expect no less than this minimum respect for the safety and security of the business. Employee training and clearly defined policy are critical. There is no security technology which will protect a business in this situation. Even had there been a video camera watching the author at the computer terminal in the previous example, it would have deterred only a few criminals. Other criminals would have risked it, as is evidenced every time a convenience store is robbed. Many criminals know that a lot of small businesses use fake cameras. These cheap shell devices are intended to scare intruders, but they have become so prevalent that they can be spotted at times. In other cases, the criminal feels it is worth the risk. Poor quality images and other weaknesses of low-cost technologies further weaken the deterrent capacity of a camera and lead to a false feeling of security.


SCENARIO #7: “CAMERAS AND WIRELESS NETWORKS”




Recently, while chatting with others on IRC, the author encountered a user who works in the information technology field. He related a story he had heard in which a woman had installed a wireless camera in her home to watch the babysitter with her six-month-old daughter. The technician said the police were summoned to the home when the woman’s ex-husband started showing people photographs of his daughter sleeping. The photographs proved that the ex-husband had obtained the images from the wireless camera, and investigators soon concluded that the babysitter had not been involved. Instead, further inquiry found that the ex-husband had paid one of the technician’s under-age friends to crack the home wireless network’s WEP key to gain unauthorized access to the camera. The evidence was not sufficient for prosecutors to act against the ex-husband, and the juvenile was only 11 years old. The author was unable to ascertain whether or not the juvenile was charged, but the fact that an 11-year-old cracked the WEP encryption illustrates the severity of the problem.



The author concedes that the above story does not involve a small business. But it was fresh on his mind when he recently went to an Austin-area dry cleaner’s. It was fifteen minutes before a meeting and the author had accidentally brushed against fresh drywall, streaking white plaster across the sleeve of his suit jacket. He ducked quickly into a nearby dry cleaner and asked if they could help. In minutes he was back in action as this local small business fixed the jacket for free. But while waiting on his jacket, the author noticed that the dry cleaner had a small wall-mounted wireless video camera watching the cash register. This, to him, was something any criminal would recognize as a huge opportunity. A week later the author stopped by to say thank you by bringing in a load of dry cleaning. The same woman who had helped him previously was at the counter, and the author mentioned the camera and his work on this book. He asked if he could use his laptop to confirm his suspicion that the camera was insecure. She agreed, and the author found the camera was not using WEP or WPA-PSK as he had expected; it was using no encryption at all. Images of the cash register were being transmitted in the open to anyone with the knowledge that the camera was there and the skills to connect to its signal. It turns out that the owner himself had set up the device.


SCENARIO #8: PUBLICLY VISIBLE INFORMATION AND DUMPSTER DIVING




In many cases where a criminal targets a small business, he/she does not have to resort to dumpster diving. But it is a valid tool when necessary. Many companies do not shred documents containing sensitive information. In fact, to test this theory, the author decided to do a little dumpster diving. He travelled to a nearby office complex after hours dressed in semi-professional attire. Once onsite, he found the dumpster between two buildings and hopped in to begin searching for any interesting information. Before he started, however, he tied a piece of dental floss to his ankle and tied the other end to his car keys, which he conveniently dropped into the trash. He had hoped not to be interrupted, but soon found himself confronted by a contract security guard who, clearly suspicious, asked what the author was doing in the dumpster.



The author stood up, appearing frustrated and embarrassed in his now sweat-stained purple button down and slacks and explained, “Man, I got pissed when I was leaving and threw my keys. God, I don’t know what I was thinking but…oh…as if enough didn’t go wrong today!” The security guard asked if the author worked in the complex. The author had seen a sign for a psychologist nearby when he was parking his car and replied, “No. I am a patient of Dr. [name omitted]. I see her once a week. This week was just…well…I need to find my keys.”



As expected, the guard did not interrupt as the author continued the search in silence. But he did not leave. Eventually the author gave up and ‘found the keys’ by discreetly pulling the dental floss attached to his ankle. He had failed to find anything but had escaped further scrutiny. He instead tried another office complex and used the same routine. Only no security guard appeared. In this case as well there was no really interesting information. Some of the papers were shredded, but a good deal were useless trash or papers with no apparently important information. Finally, the following morning, the author tried one more location. This location was in South Austin, a good distance from his home and in an office complex where a local IT services firm was located. Here, the author hit pay dirt. He found a good deal of shredded documents, but in one bag he found a legal pad with what appeared to be usernames, phone numbers and passwords. On two pages there were IP addresses the author later verified, through reverse DNS lookup, belonged to local companies in Austin. He continued the experiment one more day, and the following morning decided to beat the Texas heat by starting out early to dive into some north central Austin dumpsters. Taking the bus to the site rather than driving, the author had decided that his ‘cover story’ was that his wife had been mad the night before and had thrown his car keys in the dumpster. It seemed plausible. As he walked into the complex, he observed that most of the businesses were retail shops, though one business was a pediatrician and another was a bookseller. All seemed like legitimate targets of a criminal dumpster diver. After an hour, the author found a small box in a bag of trash that he opened to find a stack of carbonless credit card imprint forms. These are the forms used by old-style credit card imprinters, which the author recognized from his days as a field technician.
Rarely are these forms used in a store any longer, thanks to online credit card processing. But nonetheless, the author had found them with their still-readable credit card numbers, company names, cardholder names and dates. Most were dated seven years prior to the date of the author’s experiment. But the fact that they were disposed of intact by any business was a serious concern which warrants mention in this book. Small business owners especially must concern themselves with the proper destruction of sensitive information. Every owner will agree that, unlike a large corporation with vast resources, a small business does not have the resources to sustain the liability a large fraud exposure could create.



Yet dumpster diving is not the only means of obtaining publicly accessible information that can compromise a business or its customers’ private information. Many end users have a bad habit of writing down usernames and passwords. The worst offenders post these written reminders on the face of their computer monitors, sketch them on desk calendars and place them in their Rolodex files. In the end, they defeat the very purpose of having a password. The reader will recall the business mentioned earlier in this book whose employee had cut the backup tape to conceal her theft of petty cash after deleting the QuickBooks file. In that case, we discussed how the user had all of the passwords for her computer posted on the face of her monitor, visible from a window. This creates a situation where any criminal can find an easy target. More importantly, fellow employees in the organization who are not authorized to access some materials can learn and use the password to commit crimes and defraud the company. But the most important example of publicly viewable and dangerous information is posted by the credit card processing industry in many businesses.



Back in 2005, the author was selling credit card processing services and equipment for a company that promised to beat anyone’s rates. As trained, he would walk up to a business owner and start his sales pitch. In some cases the owner knew his/her rates and terms. But surprisingly, the author would often run into business owners who were not exactly sure what rate they were paying or when their last rate increase had taken effect. This usually led owners to call their processing companies and ask for the information. It wasn’t long after he started that the author realized the phone number and account information needed to talk to the processing company about the business was almost always provided on a sticker affixed to the side of the credit card reader itself. This worked wonders for the author’s sales pitch.
Almost overnight, the author began a new sales pitch. He would enter a business, see the sticker affixed visibly to the credit card reader and ask to speak with a manager or the owner. When he introduced himself he would ask the owner or manager if he could show how he was more responsible and a better business partner for the company. His first point was to show the owner/manager the label and to make a phone call to the credit card processing company using that information to obtain information about the company, before handing the phone to the owner/manager so they could verify that the author was not using some smoke-and-mirrors tactic. Rates at that point were just icing on the sales pitch. The author would convert the business to his company’s credit card processing services (and possibly sell them a new reader) and end the transaction by removing the sticker and placing the information on the back of a business card he had printed himself. It was a classic use of the same type of strategy used by criminals to compromise a business.



The author learned through this experience that anyone using the information on the stickers affixed to the side of credit card readers could almost always contact a customer service representative and obtain information about the business’s processing agreement without any other information. The author was further able to demonstrate for one business that a person could change the ACH routing information on an account with one competitor using no more information than was provided by reading numbers off the sticker and, at most, providing the company’s phone number of record and the name of the owner. Further, this information can be seen by customers paying for purchases. With a cell phone discreetly pocketed in his trousers, the author was able in one case to type the account number and other information into his cell phone before stepping outside with the owner to call the credit card processing company. He and the owner then proceeded to change the banking information on the account to route funds to the business’s savings account rather than to its checking account as evidence of the attack. The owner then complained to the processing company, who eventually blamed an employee error for the breach rather than standard business practices.


SCENARIO #9: MINING EX-EMPLOYEE KNOWLEDGE




While interviewing with a successful Austin-area managed services provider (MSP), the author met a gentleman who agreed that security was a problem in small business but did not see a strong market for providing IT security services due to costs and regulation. In his experience, clients rarely heeded his advice on security matters and appeared indifferent to security. He told of one medical practice that insisted on using the same password for every user account in the company. Users were not allowed to change passwords. The password was the same as it had been since the practice had first started using computers: “Password01.” No matter how many times the engineer or his coworkers had suggested this be changed, the status quo was perpetuated. Finally the engineer had asked the office manager, “So, what do you do when an employee quits? They still know the password.” The office manager responded, “Well…we hadn’t thought that far.” Amazingly enough, as of the retelling of this story the password still had not been changed. This story illustrates another possible security hole: ex-employee knowledge. It is possible that a criminal might find just such a disgruntled, recently fired employee who would be willing to sell passwords and other knowledge of the former employer’s computer network. The employee does not have to be IT staff to be dangerous. In the above case it could be any employee in the company. If the employee can provide user account information that remains valid after the employee’s termination, then the criminal can compromise the network. This is an even greater problem where common passwords are used—especially within IT services firms. Security must be dynamic. When an employee leaves a company, and the employee had a key to the building, the locks are often changed or at least rotated to protect the company from burglary. So, too, must the employee’s user accounts be disabled and any common passwords changed.
It is probable that an employee will remain in the same industry, working for a competitor. Given access to the company network, directly or indirectly, there exists an opportunity for the person to help the new employer by stealing information from the old employer.
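As an added example (not from the original post), the following Python script performs the offboarding check this scenario argues for, run over a constructed directory export and HR termination list: it flags accounts of departed employees that are still enabled, and enabled accounts whose password has not been changed since the most recent departure, which is the shared-password case described above. The record layout and all data are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample records standing in for a directory export and an HR
# termination list (hypothetical data, not taken from any real business).

@dataclass
class Account:
    user: str
    enabled: bool
    password_last_set: date

# Directory export (constructed).
ACCOUNTS = [
    Account("front_desk", True, date(2003, 4, 1)),
    Account("office_mgr", True, date(2003, 4, 1)),
    Account("billing", True, date(2009, 8, 15)),
    Account("jdoe", True, date(2003, 4, 1)),
    Account("asmith", False, date(2003, 4, 1)),
]

# HR termination list: user -> last day of employment (constructed).
TERMINATED = {
    "jdoe": date(2009, 6, 30),
    "asmith": date(2008, 11, 1),
}

def audit(accounts, terminated):
    """Return (still_enabled, stale).

    still_enabled: departed users whose accounts were never disabled.
    stale: enabled accounts whose password predates the latest departure,
           i.e. a password a former employee may still know (the shared
           "Password01" situation from the scenario).
    """
    still_enabled = sorted(a.user for a in accounts
                           if a.enabled and a.user in terminated)
    last_departure = max(terminated.values(), default=None)
    stale = []
    if last_departure is not None:
        stale = sorted(a.user for a in accounts
                       if a.enabled and a.password_last_set <= last_departure)
    return still_enabled, stale

if __name__ == "__main__":
    enabled, stale = audit(ACCOUNTS, TERMINATED)
    print("terminated but still enabled:", enabled)
    print("password not rotated since last departure:", stale)
```

With the constructed data, "jdoe" is reported as still enabled, and every enabled account except "billing" is reported as carrying a password the departed employee could still know.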


RECAP




In this chapter we started our discussion of small business network vulnerabilities with a general discussion about what makes a network ‘relatively secure’ and how the absence of good security can be exploited by a consultant to identify problems before a criminal abuses that accessibility to defraud and possibly ruin a small company. We then defined a strategy for this testing before walking through the equipment and mental preparations needed to successfully commit a computer crime. Finally, we reviewed several test scenarios and field experiences from a real-world and practical standpoint. Nonetheless, thus far our discussion has been superficial and has shown how a criminal could use specific tactics to do little damage. In most cases, we have concerned ourselves with perimeter breaches where no internal security existed or the security was not relevant to the attack.



The following chapter will expand on this superficial view of the problem and explore a concept known as “penetration-in-depth” to show how a criminal might plan an exploit against a perimeter defense, followed by a subsequent attack or chain of attacks to gain complete control over a network. In doing this we show one common example of how an IT company’s failure to respond quickly and a company executive’s impatience can create vulnerabilities which allow a criminal the opportunity to gain access to a company’s information. At the end of this discussion, the reader should have formed a deep understanding of the importance of computer network security in any business.



For the most part these questions seem pretty simple and harmless. The office manager was more than happy to know that her business would be used in a published article—which wasn’t exactly a lie. The owner reviewed the questions that evening and also saw no harm in anything the office manager had said. The same afternoon, the author went to the IT services company and spoke with a technician about pricing for a new custom-built PC. The company appeared to have only three to five employees. All were dressed in business casual attire that appeared professional but did not identify them as employees of the company. When the author was ready to leave he asked one employee, a gentleman named Mark, if he had a business card. Mark was happy to provide a card and promised the author he could get him a good deal on the computer he wanted. Inspecting the business card, the author noticed it didn’t have any specific employee’s name on it. It was a generic company business card.



The author, however, was not interested in purchasing a computer. He had just created a scenario whereby he could secure access to the target company, using a false pretext that many criminals are all too willing to use: the “I’m-with-IT” card. Before doing anything, the author talked with the owner about what he planned and the owner agreed to be out of the office when the attack happened. They also agreed to contact the IT services company and meet first to ensure no one would be too upset if this worked. As expected, the IT company’s owner was not happy to be under scrutiny, but the owner was agreeable and the author had emphasized that he was trying to help the IT consulting industry and small businesses as a whole. He went along but promised no cooperation, which is what the author had wanted. He also assured the owner that anything the author did was not covered by any warranty and would be billed hourly outside of their existing contract.



The author was afraid the IT company would tip off employees at the company and decided to carry out the attack that same afternoon rather than the following day as planned. The owner conceded the point and went home, while the author drove to the company. He entered the store and presented the business card, saying “Hi. My name is Sam. I am a tech with [company omitted]. The office sent me to do a weekly test of the backups and such. Is everything running okay this week?” The college student at the front desk smiled awkwardly and asked where “Allen” was. From the phone interview with the office manager, the author knew “Allen” was the normal technician who took care of the client. The author shrugged, “I’m kind of new here. I think they said he was out sick or something this week.” The employee nodded and said she would get the office manager.



The office manager was more skeptical. She explained that she had previously told the IT company that she only wanted Allen, but when the author explained that Allen was out sick and that he had scheduled the author to do nothing more than check the backup tapes, the office manager finally gave in rather than confront what to her probably appeared to be just another cog in the machine. She instead showed the author the location of the external hard disk sitting under the front counter next to one of the POS terminals. The author went through the motions of verifying that it had power and was accessible from Windows. He then opened the backup software and checked the logs. Then he stopped to observe that no one was paying attention. Checking the system, he found that the computer was a stand-alone workstation running point-of-sale software from a local administrator account. While standing there unsupervised he could have installed a remote agent—or for that matter, any employee could have done so—without any interruption. After twenty minutes, the author left on foot and called the owner.
The owner explained that the office manager had called the IT services company, who had denied the author was an employee, and that when she came back to the front she found the author was gone. The owner had defused the situation. In the end the IT services provider claimed there was no risk since the office manager had in fact called to verify the author’s identity, but the office manager later admitted that she had left the author unattended at the computer terminal while she debated whether or not to call. The employee working the front counter also admitted that she had left the author unattended when she went to the restroom. She did not find it strange that the author left without having her sign paperwork for the ‘service call’ until this was mentioned to her. Only the owner seemed to have appreciated this exercise. The author still owes him lunch as of this writing as a way of saying thank you for helping with the project.



Readers should walk away from this section with a cold feeling. As IT consultants we must do a better job of ensuring we carry photo-bearing credentials which identify us as employees of our employer organizations. As business owners we should expect no less than this minimum respect for the safety and security of the business. Employee training and clearly defined policy are critical. There is no security technology which will protect a business in this situation. Even had there been a video camera watching the author at the computer terminal in the previous example, it would have deterred only a few criminals. Other criminals would have risked it, as is evidenced every time a convenience store is robbed. Many criminals know that a lot of small businesses use fake cameras. These cheap shell devices are intended to scare intruders, but they have become so prevalent that they can be spotted at times. In other cases, the criminal feels it is worth the risk. Poor quality images and other weaknesses of low-cost technologies further weaken the deterrent capacity of a camera and lead to a false feeling of security.



