[ISN] Anatomy Of A Break-In
isn at c4i.org
Tue Jan 17 01:32:05 EST 2006
Forwarded from: William Knowles <wk at c4i.org>
By Ira Winkler
Internet Security Advisors Group
Jan 16, 2006
A large multinational company was about to undergo a full security
audit, and the CIO didn't want any surprises. He was looking for
advance warning of any problems that might be discovered in the formal
audit so he could be ready with a remediation plan.
The company, which employs more than 10,000 people, is responsible for
critical elements of physical infrastructures around the world and is
regularly targeted by a wide variety of bad guys, including terrorists
and foreign governments. The CIO believed the company had some
problems with physical security and end-user systems but thought he
had the servers and network locked down.
To get a true picture of the company's overall security, the CIO hired
my team to do a preassessment without informing the majority of
employees. For political reasons, he had to let several people know
the test would be performed. And just to make my job more of a
challenge, the director of the network operations center vowed my team
wouldn't break into his systems or facilities.
Most of the company's assessment funds had been allocated to the
formal audit, so the preassessment budget was tight. We had an
advantage in that I'd been at the facility before for an unrelated
reason, so I knew the makeup of the main facility and some of its
physical weaknesses, which would save us a day or so of
We typically begin an espionage simulation by gathering intelligence
on the company's physical, technical, and operational infrastructures,
and on its personnel. Our search revealed a variety of information
about the contracts the company was pursuing, as well as details on
its facilities. Most troubling, we found maps of some facilities in
high-risk areas, which could help malicious parties target the company
and its people. We also found a corporate phone directory intended for
internal use. This would have immense value for the social-engineering
attacks we were planning.
We uncovered information about the company's generic technical
architecture by looking at trade Web sites and postings the company's
IT staff had made to newsgroups. We knew the company had a Windows
infrastructure with Sun Microsystems computers handling most of the
server duties. Knowing the hardware and software let us predict
technical vulnerabilities and helped us prepare to target the systems,
both internally and externally.
We also found a variety of corporate domains to target. Later we
learned that the people responsible for managing the company's
Internet presence didn't know about some of these domains, which
provided back doors into the company. Along the same lines, our search
turned up more than 100 Web servers, though the IT staff had figured
there were fewer than a dozen. We learned of the discrepancy when we
informed someone from the CIO's staff of our findings at a breakfast
meeting our first day on-site.
As happens in about half our reconnaissance efforts, we found evidence
of illicit employee activities. For example, one employee was using
his company E-mail account to sell information on how to perform
After a day and a half of this preliminary investigation, we ventured
on-site. Three of us were involved in the internal test: Kevin, a
technician familiar with attacks on Unix and Windows (the company's
typical environments); Jeff, who would focus on social engineering and
could assist on the technical side; and me. My focus was on the "black
bag" aspects of the test--physically going into a high-risk
environment to steal information or perform other high-risk tasks to
support the espionage operations.
Our first job was to get into the building complex, which housed
multiple tenants sharing a common entrance. An outside firm handled
the facilities management and physical security.
The reception desk was in the center of the main lobby, roughly 20
feet from the door. The lobby was wide open, so when we arrived I told
my accomplices to act as if we were talking about something important
and ignore the receptionist as we walked through the lobby toward the
main building. The receptionist tried to get our attention, but we
proceeded without being stopped.
There was a proximity-card sensor on the door to the offices, and the
door was locked, so we waited for someone to come out and walked on
in. We found the office our breakfast contact had assigned to us. Our
team had its own gear--hubs, Ethernet cables, and so on--and we set up
a small LAN inside the office off the room's Ethernet port. At this
point, I thought we should get company badges.
I called the company operator and asked to talk to the people
responsible for issuing badges. She connected me to the reception
desk. I told the person who answered that I was the CIO and I had
subcontractors who needed to be issued badges. She told me, "Just send
them down now."
Jeff and I went back downstairs, at which point the receptionist
recognized us and said she had tried to talk to us when we came in. We
apologized, saying we didn't know we had to stop and were there to
make everything right. A uniformed guard, who'd been standing next to
the desk, led us to a room with a machine. There, we filled out a form
requesting name, company, and contact information, which the guard
didn't verify, and had our pictures taken. We made small talk with the
guard, who asked what type of work we were doing. I told her it was
computer work, and she asked, "Will you need access to the computer
"Definitely," I replied. She then made sure our badges were authorized
to open computer-room locks.
When the badges were finished, the guard handed them to us and told us
the access privileges might not take effect for a couple of hours.
Back in our office, Kevin told us he'd identified more than 250 Web
servers through network scanning. The preponderance of Web servers
indicated that the company had lost control of the internal
architecture and was wasting resources. Most important, these systems
were poorly maintained. These and the end-user PCs were vulnerable to
viruses, worms, and other attacks. The file and mail servers were
generally secure but still had some vulnerabilities.
Next we decided to scope out the computer room. The three of us headed
to the basement, where we spotted a door in a back corner labeled
"Computer Room." Duh. We entered the server room, which was
unattended. We walked around, looking at the monitors, most of which
were labeled. Kevin noticed that one was labeled "PDC," likely for
primary domain controller. Kevin found that the system was logged on
as the administrator. He quickly opened the User Administration tool
and added a new user to the system, then added the user to the
Administrator group. Then we left, quite unnoticed.
Back to our office, Kevin logged on to the PDC and had control of the
company's entire Windows infrastructure. He downloaded the password
file and proceeded to crack passwords.
Jeff started calling people he'd identified in his research and used
several ruses to get them to disclose their passwords. He claimed to
be an administrator investigating a security incident in which an
outsider had called the help desk to change people's passwords. Of
course, the employees then had to tell him their passwords.
Jeff then pulled up the names of key employees and started to focus on
the cracked passwords. Because the company's user IDs were
predictable, Jeff and Kevin identified the CEO's and pulled up his
password. They logged on to his account. They also learned the CEO's
secretary's name and pulled up her account.
We acquired information critical to the company's success, such as
financial information, key project status, multibillion-dollar
proposals, and other insider information. We also accessed information
that could have compromised the CEO's personal safety, such as the
tail number of the private jet he uses to fly into high-risk areas.
We got to the CEO's information through other means as well. Our
espionage simulation included physical walkthroughs, and we
specifically targeted the information-systems and human-resources
departments and the executive offices. Again, the card-access systems
gave us access to all the necessary facilities. Although some people
didn't leave anything that could give us access to sensitive
information, more than enough people had their passwords hidden in
plain sight--taped to monitors or under keyboards--that we could
access their accounts and, therefore, other people's information.
In the executive offices, keys and passwords, while not universally
available, often were easy to find. For example, the CEO's secretary
had the CEO's password written on a piece of paper inside her desk,
even though the password was his first name. We gained access to the
secretary's desk by finding a set of keys in another desk in the
executive area. Also inside the secretary's desk was a key to the
CEO's office. We had similar success getting data from the offices of
the CFO and general counsel.
Then there were the Unix systems. By the second day, the CIO thought
we could take some chances that I advised him we wouldn't take in real
life because we already had the ability to control all the systems
remotely. He specifically wanted me to get physical access to the
network operations center.
Jeff found out the name of a technical support person who was away for
a week. Sporting our headquarters access badges, we drove over to the
network operations center, walked up to this building's receptionist,
and told her we were there to see the person we knew was away. She
told us he was out for the week. I replied that we were with the audit
staff and needed to make sure we had all the systems cataloged in
advance for the upcoming audit. I said we'd been told that person
would show us around the center so we could count the systems. She
volunteered to show us the facility.
We had planned how the attack would go. Jeff was to stay near the
woman, and I would wander out of sight. As in most such operations
centers, system names and IP addresses were taped to the system boxes.
We recorded the names and addresses. While Jeff was distracting our
escort and I was out of sight behind an equipment rack, I pulled
something out of my bag and put it in the racks as if it were a
network tap. After a couple of minutes, we told the woman we had
everything we needed, and we left.
>From a technical perspective, Kevin had found critical vulnerabilities
in the network operations center's main servers before our visit. The
systems appeared to be well-patched. However, staff members didn't
check the servers regularly for vulnerabilities and missed
reinstalling all patches when they reloaded operating systems. Because
of the nature of the vulnerabilities found, we would have had to
reboot the systems to finish the compromise and get root privileges on
the critical servers. We didn't want to bring down the system, so
Kevin came up with an alternative attack.
Thanks to the password-cracking Kevin had performed, he compromised
the Sun admin's desktop system, which was actually a Windows system.
He installed spyware that let him watch the administrator's activities
and control the system. We waited for the admin to perform a remote
logon to the Unix systems, which would let us capture the admin
accounts and passwords. Although we didn't need to do this because
Kevin had identified vulnerabilities on the servers, it was a way to
get root access without bringing down the systems. We eventually got
the admin accounts for the Unix network. This, of course, provided an
immense amount of engineering and project data.
All in all, this was a busy two days--yes, two days. Generally, all
company information was available to us. We didn't have any
information that a malicious party couldn't have found independently
and with minimal effort.
Although some might say we were just lucky, my teams consistently have
this level of success in this time frame. The people who will cause
you the most harm are the professional and malic-ious criminals who
want to access your information or cause you damage without being
detected. Although these criminals might not get the same results as
we did in two days, they very well may have more funding and time than
we did and could use those to their advantage.
Our simulated espionage yielded the following recommendations:
Demand authorization and verification from a company employee or
sponsor for a person to receive a facility access card.
Require special approval of the manager responsible for a facility for
extra access privileges and notify that manager when such access has
Establish security-awareness programs that include both physical and
Perform regular vulnerability scans on all network systems. Maintain
audit logs for critical systems and review them regularly.
Log out of critical systems when not in use and activate screen savers
with passwords, even when they're in supposedly secured areas.
Never assume you can hide keys or passwords. There are just so many
places they can be hidden, and people will find them.
Perform regular walkthroughs to find obvious vulnerabilities.
Ira Winkler, CISSP, is president of the Internet Security Advisors
Group and the author of Spies Among Us (Wiley, 2005). This article
originally appeared inSecure Enterprise, an InformationWeek sister
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
More information about the ISN