The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers

Authors: Kevin D. Mitnick,William L. Simon

Tags: #Computer Hackers, #Computer Security, #Computers, #General, #Security


I wanted to show [the client] that good security practices are not just about computer security. This was a lot easier than going through all their trash stuff because they had a compactor. But they couldn't fit the desk in the compactor. I still have that desk somewhere.

Chapter 6 The Wisdom and Folly of Penetration Testing 121

The physical team also entered the company premises using a simple and, in the right circumstances, nearly infallible method known as tailgating. This involves following closely behind an employee as he or she goes through a secured door, and it works especially well coming out of a company cafeteria or other area mostly used by employees, into a secured area. Most staff members, particularly lower-ranked ones, hesitate to confront a stranger who enters the building right behind them, for fear the person might be someone of rank in the company.

Another l0pht team was conducting attacks on the company's telephone and voicemail systems. The standard starting point is to figure out the manufacturer and type of the system the client is using, then set a computer to war dialing -- that is, trying one extension after another to locate employees who have never set their own passwords, or have used passwords that are easy to guess. Once they find a vulnerable phone, the attackers can then listen to any stored voicemail messages. (Phone hackers -- "phreakers" -- have used the same method to place outgoing calls at the expense of the company.)

While war dialing, the l0pht telephone team was also identifying company phone extensions answered by a dial-up modem. These dial-up connections are sometimes left unprotected, relying on the security-through-obscurity approach, and are frequently on "the trusted side" of the firewall.

Blackout

The days were rolling by, the teams were recording valuable tidbits of information, but Mudge still hadn't come up with a brilliant idea about causing the Apache system to reboot so that he could gain access to the network. Then a misfortune occurred that, for the team, had a silver lining:

I was listening to the news and heard there was a blackout in the city where the company was located. It actually was tragic because a utility worker had died in a manhole explosion across on the other side of town, but it had knocked out power for the whole town. I thought, if they just take long enough to restore the power, then the server's power backup system most likely will run out.

That would mean the server would shut down. When the city power was restored, the system would reboot.

I sat there checking the Web server constantly and then at some point the system went down. They had to reboot it. So the timing was perfect for us. When the system came up, lo and behold Apache was running as root, just as we planned.

The l0pht team at that point was able to completely compromise the machine, which then became "our internal stepping stone to scan an attack out from that point." To Carlos, this was "a field day."

The team developed a piece of code that would make it unlikely they could be shut out of the system. Corporate firewalls are not usually configured to block outgoing traffic, and Mudge's lightweight program, installed on one of Newton's servers, made a connection every few minutes back to a computer under the team's control. This connection provided a command-line interface like the "command-line shell" familiar to users of Unix, Linux, and the old DOS operating system. In other words, the Newton machine was regularly providing Mudge's team the opportunity to enter commands that bypassed the company's firewall.
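A callback of the kind described above leaves a fingerprint in egress logs: one internal host opening a connection to one external address at a near-constant interval, around the clock, regardless of whether anyone is at the keyboard. The following is an added example, not from the book and not the l0pht tool it describes, that flags such timer-driven beacons in firewall connection logs. The log line format, the addresses and the sample lines are constructed for illustration; adapt the regular expression to your own firewall's export.

```python
"""Flag periodic outbound "beacon" connections in firewall egress logs.

Added example (not from the book). A timer-driven implant that calls home
every N minutes produces a series of connections whose gaps are nearly
constant; human or bursty traffic does not. We measure the coefficient of
variation (stdev / mean) of the inter-connection gaps per
(src, dst, dport) and report the low-variance flows.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log in a hypothetical syslog-like format (not real
# firewall output). 203.0.113.9 is hit every ~5 minutes; 198.51.100.30 is
# ordinary, irregular web traffic.
SAMPLE_LOG = """\
2004-03-01T02:00:07 ALLOW src=10.1.4.22 dst=203.0.113.9 dport=443
2004-03-01T02:00:41 ALLOW src=10.1.4.22 dst=198.51.100.30 dport=80
2004-03-01T02:05:08 ALLOW src=10.1.4.22 dst=203.0.113.9 dport=443
2004-03-01T02:10:06 ALLOW src=10.1.4.22 dst=203.0.113.9 dport=443
2004-03-01T02:12:59 ALLOW src=10.1.4.22 dst=198.51.100.30 dport=80
2004-03-01T02:15:09 ALLOW src=10.1.4.22 dst=203.0.113.9 dport=443
2004-03-01T02:20:07 ALLOW src=10.1.4.22 dst=203.0.113.9 dport=443
2004-03-01T02:25:08 ALLOW src=10.1.4.22 dst=203.0.113.9 dport=443
2004-03-01T02:31:44 ALLOW src=10.1.4.22 dst=198.51.100.30 dport=80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ALLOW src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_log(text):
    """Group connection timestamps by (src, dst, dport); skip unparsable lines."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        flows[(m["src"], m["dst"], int(m["dport"]))].append(ts)
    return flows


def find_beacons(flows, min_conns=5, max_cv=0.2):
    """Return [(flow_key, mean_gap_seconds, cv)] for flows that look timer-driven.

    min_conns avoids judging a flow on one or two gaps; max_cv is the
    maximum stdev/mean of the gaps still considered "regular".
    """
    hits = []
    for key, times in flows.items():
        if len(times) < min_conns:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append((key, round(avg), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for key, period, cv in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"beacon candidate {key}: every ~{period}s (cv={cv})")
```

On the sample the only hit is 10.1.4.22 talking to 203.0.113.9:443 every 300 seconds. A more careful implant adds random jitter to its sleep, so raise `max_cv` or look at the distribution of gaps rather than a single threshold, and expect to whitelist legitimate pollers (NTP, update checks, monitoring agents). The control the paragraph points at is the other half: a default-deny egress policy with an authenticated proxy leaves a callback like Mudge's with nowhere to connect, whatever it is named.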

To avoid detection, Mudge had named their script to blend into the system's background language. Anyone spotting the file would assume it was a part of the normal working environment.

Carlos set about searching the Oracle databases in hopes of finding the employee payroll data. "If you can show the CIO his salary and how much bonus he was paid, that usually drives the message home that you've got everything." Mudge set up a sniffer on all email going in and out of the company. Whenever a Newton employee went to the firewall for maintenance work, l0pht was aware of it. They were shocked to see that clear text was being used to log in on the firewall.

In just a short time, l0pht had fully penetrated the entire network, and had the data to prove it. Says Mudge, "You know, that's why I think a lot of companies don't like to have pen tests of the inside of their networks. They know it's all bad."

Voicemail Revelations

The telephone team discovered that some of the executives leading the negotiations to acquire the l0pht had default passwords on their voicemail boxes. Mudge and his teammates got an earful -- and some of it was funny.

One of the items they had requested as a condition of selling l0pht to the company was a mobile operations unit -- a cargo van they could equip with wireless gear and use during other penetration tests for capturing unencrypted wireless communications. To one of the executives, the idea of buying a van for the l0pht team seemed so outrageous that he started calling it a Winnebago. His voicemail was full of scathing remarks from other company officials about the "Winnebago," and the l0pht team in general. Mudge was both amused and appalled.

Final Report

When the test period was over, Mudge and the team wrote up their report and prepared to deliver it at a meeting to be attended by all the executives of Newton. The Newton people had no idea what to expect; the l0pht crew knew it would be an incendiary session.

So we're giving them the report and we're just ripping them open. And they're embarrassed. This wonderful systems administrator, a really nice guy, but we had sniffers in place, and we had watched him trying to log onto one of the routers, trying a password and it fails, trying another, it fails, trying another, and it fails, too.

These were the administrator passwords for all the different internal systems, which the pen testers got all at once from that one span of a few minutes. Mudge remembers thinking how nice and easy that was.

The more interesting part was for the voicemails where they were talking about their purchase of us. They were telling us, "Yeah, we want all you guys." But on the voicemails to each other, they were saying, "Well, we want Mudge, but we don't want these other guys, we'll fire them as soon as they come on."

At the meeting, the l0pht guys played some of the captured voicemail messages while the executives sat there listening to their own embarrassing words. But the best was yet to come. Mudge had scheduled a final negotiations session on the buyout so that it had already taken place at the time of the report meeting. He shared the details of that meeting with obvious glee.

So they come in and say, "We're willing to give you this, it's the highest number that we can go up to, and we'll do all these things." But we know exactly what parts they're saying that's true, what parts they're saying are lies.

They start off with this low-ball number. And they're like, "Yeah, what do you think?" And we countered with, "Well, we don't think we can do it for less than ..." and named the number we knew was their top figure.

And it's like, "Oh, oh, we'll have to talk about this, why don't you give us a few minutes, can you leave us alone in the room?"

If it wasn't for those sorts of things, we would have thought very seriously about it. But they were trying to pull a fast one.

At the report meeting -- the final sessions between the representatives of the two companies -- Mudge remembers that "we just wanted to make sure we could convince them that there wasn't a machine on the network we couldn't have full access to." Carlos remembers the faces of several executives "turning kinda red" as they listened.

In the end the l0pht team walked away. They got to keep the $15,000 but didn't sell the company that time around.

ONE ALARMING GAME

For security consultant Dustin Dykes, hacking for profit is "exhilarating. I understand the adrenaline junkies, it's an absolute high." So when he arrived in the lobby conference room of a pharmaceutical company that we'll call "Biotech" to discuss doing a penetration test for them, he was in a good mood and looking forward to the challenge.

As the lead consultant for the practice of security services of his company, Callisma, Inc. (now part of SBC), Dustin had called for his team to attend the meeting dressed in business attire. He was caught off guard when the Biotech folks showed up in jeans, T-shirts, and shorts, all the more odd because the Boston area at the time was suffering one of the coldest winters in memory.

Despite a background in computer administration -- in particular, network operations -- Dustin has always considered himself a security person, an attitude he probably developed while doing a tour of duty in the Air Force, where, he says, "I cultivated my latent paranoia: the security mindset that everybody is out to get you."

Hooking up with computers in the seventh grade was his stepmother's doing. Back then, she worked for a company as a systems administrator. Dustin was fascinated by the foreign-sounding language she used when talking business on the phone. When he was 13, "One night she brought home a computer that I took to my room and programmed to create Dungeons and Dragons characters and roll my dice for me." Delving into books on Basic and picking up whatever he could glean from friends, Dustin developed his skills. He taught himself how to use a modem for dialing into his stepmom's workplace to play adventure games. At first he only wanted more and more computer time, but as he grew up he realized that his free spirit wouldn't be a good match for spending his life at a terminal. As a security consultant, he could combine his talents with his need for freedom. This was definitely "a nifty solution."

The decision to make a career in security turned out to be a good one. "I'm thrilled to be in this profession," he says. "It's a chess game. Every move, there's a counter move. Every move changes the entire dynamics of the game."

Rules of Engagement

It makes sense for every company to be concerned about how vulnerable they are -- how good a job they're doing at protecting their intellectual property, protecting against the loss of public confidence that inevitably follows a highly publicized break-in, and guarding their employees against electronic intruders sneaking a look at personal information.

Some companies are motivated by reasons even more pressing, like not running afoul of government watchdog agencies that could mean losing an important contract or setting back a crucial research project. Any company holding a Department of Defense contract is in this category. So is any firm doing sensitive biotechnology research that has the Food and Drug Administration looking over their shoulder -- which is the category that Callisma's new client fell into. With dangerous chemicals around, and labs where scientists were conducting research the hackers-for-hire didn't want to know about, this one was going to be challenging.

At the initial meeting with Biotech, the Callisma team learned that the company wanted to be hit with every possible attack that a true adversary might try: simple to complex technical attacks, social engineering, and physical break-ins. The company IT executives, as is often the case, were certain the pen testers would find their every effort defeated. So Biotech laid down their scoring rules: Nothing short of solid documentary evidence would be acceptable.

A "cease and desist" process was established for the test. Sometimes this can be as simple as an agreed-upon code word from any designated employee to stop an attack that is negatively affecting the company's work. The company also gave guidance on the handling of compromised information -- how it would be contained, when it would be turned over and to whom.

Since a pen test carries the possibility of events that might interfere with the company's work, several what-ifs also need to be addressed up front. Who in the chain of command will be notified when there might be a service disruption? Exactly what parts of the system can be compromised and how? And how will the testers know to what extent an attack can be carried out before irreparable damage or loss of business occurs?

Clients often ask only for a pen test involving a technical attack and overlook other threats that may leave the company even more vulnerable. Dustin Dykes explains:

Regardless of what they say, I know their primary goal is to identify their system weaknesses, but usually they are vulnerable in another way. A true attacker will go for the path of least resistance, the weakest link in the security chain. Like water running downhill, the attacker is gonna go for the smoothest method, which is most likely with people.

Social engineering attacks, Dustin advises, should always be part of a company pen test. (For more on social engineering, see Chapter 10, "Social Engineers -- How They Work and How to Stop Them.")

But he would be happy to forgo one other part of the repertoire. If he doesn't have to attempt physical entry, he won't. For him, it's a last resort, even carrying his get-out-of-jail-free card. "If something's going to go badly wrong, it'll probably be just when I'm trying to slip into a building unnoticed by the security force or some suspicious employee."

Finally, the pen-test team also needs to know what the Holy Grail is. In this high-stakes game of electronic sleuthing, it's vital to know that precisely. For the pharmaceuticals company, the Holy Grail was their financial records, customers, suppliers, manufacturing processes, and files on their R&D projects.

Planning

Dustin's plan for the test called for starting by "running silent" -- keeping a low profile, then slowly becoming more and more visible until someone eventually noticed and raised a flag. The approach grows out of Dustin's philosophy about pen-test projects, which he refers to as red teaming.
