A common compromise
The Background
No one is secure. It is impossible to maintain complete security. Security is a process and processes break down.
It's a law of nature, I forget which one, but I know it's one of them. There is always some part of the process
overlooked or broken down. In a full system security audit it is your job to find out what broke down, document
how it broke down, and recommend how to fix it.
This job can either be a lot of fun or very boring. You find a broken process by utilizing another methodical process
that is designed to detect breaks in the process being tested. You have to be methodical. You have to document
everything, no matter how small. That can be boring. But, sometimes it can be fun, too.
Most people think of a penetration test as sitting at a computer, mapping the network with a ping sweep, enumerating
services on the responding machines, and searching for vulnerabilities in those services. It's also true that this
is a frequent order from companies: just test them virtually.
It's even truer that there exist some security companies where this is all they offer, remote testing. This is
not a proper test, and the companies that request it are better off doing it themselves; it's just a process.
There are hundreds of sites that explain this process. It's a do-it-yourself job.
To be honest, remote testing is boring. There is no sport to it, there is no real room for creativity. I'm sure
some will disagree with me here, and it's true that there are those occasional times you get to be brilliant, but
the plain fact of the matter is that remote testing is a methodical process. It is not willy-nilly scanning, poking
and probing. It is a structured process that a trained monkey could do. A set of steps you follow. A set of scripts
and tools you run. Paint by numbers. As such, it's boring.
Besides being boring, remote testing is such a small part of system security, that it's like companies making sure
the windows are closed and locked, so they can proclaim they are secure, when in reality their doors are wide open.
Very few, if any, companies are completely secure. I've never run into one, but at the same time I have not performed
a security audit on a place like Fort Knox. But I have tested big banks, brokerages, and Fortune 50 companies, among
others. None of these places are 100% secure.
It may be a bold statement, but it is one based upon twelve years of industry experience working or consulting
for over thirty-five companies, many of them industry leaders. Places like GTE Internetworking, Arthur Andersen, Data
General, InSight, Digital, NYSE, Citicorp, Bank of Boston, University of Massachusetts Medical, Brigham and
Women's, Hanscom AFB, DEA, FBI, State of Massachusetts Governor's Office, and others.
I've worked designing and supporting systems for academic research, commercial enterprise, and health care industries.
My government and military experience stems from a training gig I had where I spent a year doing on-site training
in basic computer skills to government and military desk jockeys under contract with another company. While not
doing security work, I still saw the process in action at these places. That is where it was actually attempted
by staff.
Even my hobbies are technical; I started Cotse as a hobby. I'm not bragging, but rather answering that "Who
is this guy and why should I believe any of this?" question forming in your head. Don't get me wrong, some
of these places are tight, but no one is totally secure, not even us. Companies that test only virtual security are missing
the largest part of system security: internal and physical security.
In order to get a proper gauge of how secure a company is, it must run a full system security audit. This means
both remote and on-site, because on-site is where the weakest link will be. On-site tests are the fun ones.
This is because you get to be creative. It's not going to be a simple script that gets you into these companies,
it is going to be your brain. This is a story of a common compromise; it is based upon information gained through
performing numerous security audits against some world-class corporations.
All entities contained within are fictitious to protect my butt from being sued to the point where I end up living
out of a cardboard box. The story itself is fictitious, it was created from situations that were common in numerous
companies and often the exact same thing was done at each. As such, this story can in no way point to any specific
individuals or entities that can sue me. That covered, we'll get to the story.
The Story
One of the most enjoyable security audits I participated in was at a fictitious top global investment broker. This
company lived on security. Their processes for securing their networks were technologically superior. DMZs properly
set up, layered security model, everything locked and patched, PKI, full monitoring, the works. I was locked out
from the outside; it was currently as secure as it could be. There were some minor issues, but nothing that would
get me into the core of their systems. I had to find another way in.
Being that it was a full test, it meant both on- and off-site; they were local, so I decided to go look at the place
and apply for a job. They were not hiring, but I didn't care, I just wanted to see inside. It was guarded and the
guards were checking badges. I told them I was there to apply for a job. They told me to sit over in the waiting
area and someone would be with me. They buzzed HR, who brought me into a room so I could fill out a resume that
they could file away after I left. I got a slight feel for the layout. No opportunities to shoulder surf, so I
filled out the application and left. I even filled it out with current info, including the fact that I was currently a systems security auditor.
I sat out in my truck; it was the end of the day and people were getting out of work. I was somewhat secluded from
those exiting and I'd always wanted to try something. I'd seen it done in movies many times and it was always one
of those "hmmm, it could work" deals. So I gave it a go. I started to take some pictures.
In companies that require badges, many often wear them in one of two places, around the neck or clipped to the
pocket, either shirt or side pants pocket if the door controls are low. I looked at each place. I took pictures,
zooming in as best I could on the badges. I got some OK front views but had to wait before someone came out wearing
a badge with the back facing forward. I got a picture of the back. It wasn't the greatest picture, but it would
do, considering that the back looked to be plain white.
I took the pictures into Photoshop and used them as a model to create a badge; the font was at least close (I wish
I had a better camera). When I finished, I printed out the badge on a decent printer. I had another plastic badge
the same shape and size (thank god they buy from common vendors) from a previous job, so I stuck the picture onto
it and carefully trimmed it to fit. It wasn't the greatest job and it certainly would
not open any doors, but it might work for my purposes. So the next day I went back with my newly made badge.
I knew that the badge would likely not stand up to a guard, so I did not want to go in the front door, besides,
there were far easier ways in. I walked around the building until I found the smoking area. It was empty. I stood
there and lit up a cigarette. I had not even finished it before someone came out the door to join me. I stood there
smoking while they lit up, then stuck out my hand and said, "Hi, I'm Steve Gielda, I'm a new consultant, it's
my first day here".
The person that joined me shook my hand and we made small talk. He asked who I worked for, I replied "Hell,
it's my first day, I'm lucky I found the smoking area, I have not begun to remember names or figure my way around
this maze yet". He laughed. "It's the same for everyone", he said, "don't fret it, it may look
complex, but it's easy once you figure it out". I muttered about taking his word for it. Just the standard
BS everyone seems to follow.
He finished his smoke and turned to head in. I said, "yeah, I better get my butt back to work too" and
he held the door for me as I entered. I was in. Large companies are often so big that one hand does not know what
the other does. It's common for one department not to know what consultants another hired. With consultants it
is not even uncommon for HR to be left in the dark when one is hired. This means that it is not unusual to see new faces, especially
new lost looking faces. People are often pretty helpful, too. One of them even held open the door to a lab for
me as they headed in and saw me rushing to catch it before it closed. This was an SQA lab. They were apparently
developing their own management software in house and this room was where it was tested. Perfect.
I saw a number of empty machines. I stopped at one, it was locked. Basic passwords did not work (most internal
test machines have no password or stupidly simple passwords because many people use them), so I moved to another terminal.
Bingo, this one was logged in as root. I brought up a shell window and ran ifconfig so I could see what network
it was on and what its address was. I checked to see what services were running. I made myself a quick account.
I copied tcsh to the lib directory under an obscure name and made it suid root. OK, so it's not very glamorous,
but it works. I started another term and closed the first, then started to poke to see if it was mounting anything.
At that moment the woman who had been working at that terminal came back to it. I heard "can I help you?".
I turned around a bit red-faced and said "I'm sorry, it's my first day, I didn't know which terminals were
in use and I forgot the password to log in, this was logged in..." I faded off. She smiled and said I could
use the machine against the wall, that it was normally John's, but he was out of work with an injury. She mentioned
that I must have been brought in to cover for him. I said that I didn't really know, I just knew they wanted me
to get familiar with their test tools. She gave me a login. I sat down and asked where I could find the standard
tools. She mounted some drives for me. I was off. Damn, I'd left my tools disk in the truck. I was stuck using what
I could find. But as you'll see, it really did not matter.
I telnetted back to her box with the account I created and launched my root shell. I thought about erasing my tracks
for a second, but decided that I'd rather leave a trail. It would be useful for the report and to test internal
security by finding out if anyone even reads logs. It was a Solaris box, so I ran snoop to see if I could catch
her logging in anywhere else. I grepped for logins. While the sniffer was capturing, I checked file mounts. I found some
auto mounts and some static mounts. I saw that it was also exporting file systems. That was good, I'd also catch
others. I then checked the .rhosts, figuring that, combined with the mounts, would give me many other machines
to poke at. It did.
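Two checks a lab administrator could run to catch what the paragraphs above describe, a stray setuid shell dropped into a lib directory and the .rhosts trust web that leads from one machine to the next. This is an added example, not the author's code; the setuid baseline and the sample filesystem are constructed for the demonstration.

```python
import os
import stat
import tempfile

# Setuid files a clean build of this (constructed) lab host should carry; in
# practice the baseline comes from the package manifest or an integrity snapshot.
BASELINE_SUID = {"usr/bin/passwd", "usr/bin/su"}


def find_unexpected_setuid(root, baseline=BASELINE_SUID):
    """Return setuid regular files under root (relative paths) not in baseline.
    A shell copied into a lib directory and chmod'ed 4755 is what this catches."""
    unexpected = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode          # lstat: never follow symlinks
            if stat.S_ISREG(mode) and mode & stat.S_ISUID:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                if rel not in baseline:
                    unexpected.append(rel)
    return sorted(unexpected)


def audit_rhosts(text):
    """Classify one .rhosts file: ('critical', host, user) for '+' wildcards,
    ('trust', host, user) for each host given password-less rlogin/rsh access.
    Deny entries ('-host') and comments are skipped."""
    findings = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields or fields[0].startswith("-"):
            continue
        host, user = fields[0], (fields[1] if len(fields) > 1 else "<same user>")
        findings.append(("critical" if "+" in (host, user) else "trust", host, user))
    return findings


def build_sample_tree():
    """Constructed filesystem: baseline binaries, one plain binary, one stray setuid shell in usr/lib."""
    root = tempfile.mkdtemp()
    for rel, mode in (("usr/bin/passwd", 0o4755), ("usr/bin/su", 0o4755),
                      ("usr/bin/ls", 0o755), ("usr/lib/.cache0", 0o4755)):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"#!/bin/sh\n")               # placeholder body, not a real shell
        os.chmod(path, mode)
    return root
```

Run both checks on every machine in the lab, not just the one that was compromised; the .rhosts findings of one host are the list of hosts to check next.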
It was a typical lab; I was able to get all over it without any problems. I never even had to actually crack anything,
I just followed the logins. The lab had access to the internal network and people were checking their mail from
the lab. This was good, because most of the lab systems were Unix based, but I had noticed that desktops and such
were Windows machines. It was very easy to grab logins and passwords off the LAN. I used them to log into different
systems and began to monitor those using only what I found or could copy over, thank god for default installs.
I had machines all over looking for passwords. I also got very lucky. I caught a domain admin. I also caught network
admins working on network devices. Not one admin was using encrypted protocols. I got a login to one of their Fluke
monitors. Hell, I got control of their main OpenView install. With virtually no effort I had control of the LAN
and the whole domain. I created a couple of flag files to mark how far I had penetrated. I never covered my tracks;
instead I logged out and walked out. Part of the test would be finding out if they noticed this. They didn't.
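The detection side of the paragraph above, as an added example that is not the author's code: given a record of logins seen on the lab segment, report which credentials crossed the wire in the clear and how many belong to privileged accounts. The sample rows, the port-to-protocol table and the privileged-account list are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Destination ports whose login exchange crosses the wire in the clear.
CLEARTEXT_LOGIN_PORTS = {21: "ftp", 23: "telnet", 110: "pop3", 143: "imap",
                         512: "rexec", 513: "rlogin", 514: "rsh"}

# Constructed sample of what a sniffer on the lab segment recorded, one login
# attempt per row (src,dst,dport,user). Not real capture data.
SAMPLE_LOGINS = """\
src,dst,dport,user
10.20.1.15,10.20.1.2,110,jsmith
10.20.1.15,10.20.1.2,110,jsmith
10.20.5.3,10.20.0.1,23,netadmin
10.20.5.3,10.20.0.2,23,netadmin
10.20.5.8,10.20.0.9,22,dgreen
10.20.1.22,10.20.3.40,513,build
10.20.7.4,10.20.2.10,21,da_smith
"""

# Accounts whose capture turns a lab foothold into control of the network
# (assumed list: a domain admin and the network admin from the story).
PRIVILEGED = {"netadmin", "da_smith"}


def exposed_logins(text):
    """Map each user whose login crossed the wire in cleartext to the set of
    (protocol, destination) pairs it was seen on. Sessions on ports not in
    CLEARTEXT_LOGIN_PORTS (ssh on 22, say) yield nothing to a sniffer and
    are ignored."""
    seen = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        proto = CLEARTEXT_LOGIN_PORTS.get(int(row["dport"]))
        if proto:
            seen[row["user"]].add((proto, row["dst"]))
    return dict(seen)


def summarize(text, privileged=PRIVILEGED):
    """Return (privileged users exposed, users exposed, hosts now reachable):
    the three numbers a report needs to show how far cleartext admin traffic
    alone hands over the network."""
    exposed = exposed_logins(text)
    priv = sorted(u for u in exposed if u in privileged)
    hosts = {dst for pairs in exposed.values() for _proto, dst in pairs}
    return priv, len(exposed), len(hosts)
```

Every row that survives the filter is a credential the report should treat as already stolen; the fix is to move the admins and the mail clients onto encrypted protocols, not just to change the passwords.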
Tunnel Vision
All their security from the Internet and they left their doors open. This was a breakdown in policy and procedures
at its most basic level. Tunnel vision, focused on the external network. The weakest link is internal. Employees
did not follow policy. They should challenge unknown faces. In the entire time I was there, no one challenged me
at all; in fact they helped me. Corporate policy was missing or broken. They should have stressed physical
security to their employees more.
The company ended up creating the atmosphere that led to this by not properly managing consultants. They should
have had a central registry and managed them better. Internal system configuration and security was lax; the entire
setup was hard on the outside, soft and chewy in the middle. They were layered, but their admins did their job
without using encryption. Plain text across the wire as they went from LAN to LAN, giving me logins all the way.
People forget, security is only as strong as the weakest link. The people that you have to worry about will find
that link. Tunnel vision in a security model is a waste of money. Tunnel vision will embarrass you every time,
because the best way in is also the easiest and fastest. You've heard that security is a process. When even one
part of that process fails, the entire process is worthless.
Stephen K. Gielda
01/25/02