Top Five Internal Security Vulnerabilities

The top five internal security vulnerabilities ... and how to avoid them.

Speaker notes:
  • Preventing loss and theft of data is key to corporate survival. Criminals and competitors don’t want your network - they want your data. I’ll show you some real-world examples from our experiences as ethical hackers.
  • Physical access to the majority of organisations is also pretty easy. The example on the slide involves me dressing up as a BT engineer. I downloaded the BT logo from the web, and made my own business cards using M$ Word and laser printer business card blanks. I also bought a reflective jacket and a do-it-yourself t-shirt kit and simply ironed the logo on to the jacket (although it did leave me with a yellow ironing board!). I also designed and had delivered a realistic ID badge using an online service for 10 quid. Of course, it’s not necessary to dress up to get inside. Our most successful method is to simply walk back in with the smokers, or pretend to be on a mobile call and ask someone to hold the door open for you. Once inside we find an empty meeting room (yes, they do exist!) and plug in a laptop and off we go. Or steal output off printers. Or steal laptops. Or go through the rubbish. Or plant keyloggers …
  • This is a hardware keylogger – one of many you can buy quite legitimately on the web. You can see it comes with some complex installation instructions. The manufacturer’s site says “KeyGhost SX is available in 3 memory capacities 512KB, 1MB, 2MB. (2MB = 2,000,000 keystrokes which is an average of 8-12 months worth of typing)”. There are versions for both PS2 and USB keyboards, and of course the receivers for wireless keyboards still use one or the other of these too. Since it is so small and hidden behind the computer or docking station it’s effectively invisible.
  • If the data thief wants to log on to the laptop – perhaps to install a Trojan for later use or to access the corporate VPN – then they’ll need a legitimate logon. One of the easiest first steps is to download a program such as Ophcrack and just boot it in the laptop.

    1. Top Five Internal Security Vulnerabilities … and how to avoid them
       Peter Wood, Chief Executive Officer, First • Base Technologies
    2. Who is Peter Wood?
      • Worked in computers & electronics since 1969
      • Founded First • Base in 1989 (one of the first ethical hacking firms)
      • CEO First Base Technologies LLP
      • Social engineer & penetration tester
      • Conference speaker and security ‘expert’
      • Chair of Advisory Board at CSA UK & Ireland
      • Vice Chair of BCS Information Risk Management and Audit Group
      • Vice President UK/EU Global Institute for Cyber Security + Research
      • Member of ISACA Security Advisory Group
      • Corporate Executive Programme Expert
      • Knowthenet.org.uk Expert
      • IISP Interviewer
      • FBCS, CITP, CISSP, MIEEE, M.Inst.ISP
      • Registered BCS Security Consultant
      • Member of ACM, ISACA, ISSA, Mensa
    3. Traditional thinking
      • Firewalls & perimeter defences
      • Anti-virus
      • SSL VPNs
      • Desktop lock down (GPOs)
      • Intrusion Detection / Prevention
      • Password complexity rules
      • HID (proximity) cards
      • Secure server rooms
      • Visitor IDs
    4. Thinking like a hacker
      • Hacking is a way of thinking:
          • A hacker is someone who thinks outside the box
          • It's someone who discards conventional wisdom, and does something else instead
          • It's someone who looks at the edge and wonders what's beyond
          • It's someone who sees a set of rules and wonders what happens if you don't follow them
          • [Bruce Schneier]
      • Hacking applies to all aspects of life - not just computers
    5. No.1 – Helpful Staff
    6. Why “Helpful Staff”?
      • Social engineering can be used to gain access to any system, irrespective of the platform
      • It’s the hardest form of attack to defend against because hardware and software alone can’t stop it
    7. Andy’s remote worker hack
      • Buy a pay-as-you-go mobile phone
      • Call the target firm’s switchboard and ask for IT staff names and phone numbers
      • Overcome their security question: Are you a recruiter?
      • Call each number until voicemail tells you they are out
      • Call the help desk claiming to be working from home
      • Say you have forgotten your password and need it reset now, as you are going to pick up your kids from school
      • Receive the username and password as a text to your mobile
      • Game over!
    8. Impersonating an employee
    9. Cloning HID cards http://rfidiot.org/
    10. Impersonating a supplier
    11. Do-it-yourself ID cards
    12. Impersonate a cleaner
      • No vetting
      • Out-of-hours access
      • Cleans the desks
      • Takes out large black sacks
    13. Data theft by keylogger
    14. Keyghost log file
        Keystrokes recorded so far is 2706 out of 107250 ...
        <PWR><CAD> fsmith <tab><tab> arabella xxxxxxx <tab><tab> None<tab><tab> None<tab><tab> None<tab><tab> <CAD> arabella <CAD> <CAD> arabella <CAD> <CAD> arabella exit tracert 192.168.137.240 telnet 192.168.137.240 cisco
    15. Helpful Staff
      • People security is weak in most organisations
      • If an attacker has confidence, they will succeed
      • Help desks are too helpful!
      • If an attacker is in the building, they’re trusted
      • People are too polite!
      • Solid policies and lots of training is the defence
    16. No.2 – Stupid Passwords on Privileged Accounts
    17. Windows null session
    18. Find service accounts and guess the password
    19. Stupid Windows Administrator passwords
      • 67 administrators
      • 43 simple passwords
      • 15 were “password”
      • The worst of the rest:
    20. What we’ve found using Windows service accounts
      • Salary spreadsheets
      • HR letters
      • Usernames and passwords (for everything!)
      • IT diagrams and configurations
      • Firewall details
      • Security rotas
    21. Grab password hashes …
    22. … and crack them for impersonation
    23. Stupid Passwords
      • Too many service accounts (with admin privilege)
      • Obviously named service accounts
      • Ridiculously easy-to-guess passwords
      • Too much access for too many accounts
      • No idea how to make a strong password (LM hashes!)
      • Clear standards, regular penetration tests and lots of training is the defence
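The "clear standards" the slide calls for can be enforced before a privileged account is provisioned. The following audit is an added example, not part of the deck, and encodes the three findings above: dictionary passwords, passwords derived from an obviously named service account, and passwords of 14 characters or fewer, which Windows can still store as an LM hash unless LM storage is disabled. The account names, passwords and blocklist are constructed.

```python
import re

# Constructed blocklist; a real standard would use a much larger list
# (breached-password corpora) plus the organisation's own name and products.
WEAK_PASSWORDS = {"password", "password1", "admin", "letmein", "welcome", "changeme"}

# Common decorations on service-account names (svc_, _service, trailing digits).
NAME_DECORATION = re.compile(r"^(svc|srv|service)[_-]?|[_-]?(svc|srv|service|\d+)$")


def audit_service_account(username: str, password: str) -> list[str]:
    """Return the policy findings for one privileged or service account."""
    findings = []
    pw_lower = password.lower()
    if pw_lower in WEAK_PASSWORDS:
        findings.append("dictionary password")
    # Strip the decorations and see whether the account's stem is in the password.
    stem = NAME_DECORATION.sub("", username.lower())
    if stem and stem in pw_lower:
        findings.append("password derived from account name")
    # Windows only computes an LM hash for passwords of 14 characters or fewer.
    if len(password) <= 14:
        findings.append("LM hash possible (14 chars or fewer)")
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if classes < 3:
        findings.append("fewer than 3 character classes")
    return findings


def audit_accounts(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Audit a username -> password map; return only accounts with findings."""
    return {u: f for u, p in accounts.items() if (f := audit_service_account(u, p))}


if __name__ == "__main__":
    # Constructed sample accounts (not from any real environment).
    sample = {
        "svc_backup": "password",
        "backup_svc": "Backup_svc2024!",
        "sqlagent": "Tr0ub4dor&3-long-enough!!",
    }
    for account, issues in audit_accounts(sample).items():
        print(account, "->", "; ".join(issues))
```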
    24. No.3 – Unprotected Infrastructure
    25. Scan for default SNMP
    26. Hacking a router
      • Default Read string in use: open door for attack
      • Read-Write strings revealed: now we have full control of network infrastructure
      • Out-of-date router OS: permits break-in
    27. Stupid LAN switch password
    28. Stupid fibre switch password
    29. Unprotected Infrastructure
      • SNMP on by default when not used
      • SNMP default community strings in use
      • Ridiculously easy-to-guess passwords
      • Passwords shared between staff & never changed
      • No idea how to make a strong password
      • Clear standards, regular network discovery checks and lots of training is the defence
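A configuration-review counterpart to the "regular network discovery checks" above, written for this page and not taken from the deck: it reads an exported router configuration and flags the default read string, any read-write string, and any community not restricted by an access list. The Cisco IOS `snmp-server community` syntax is real; the hostname, community strings and ACL in the sample are constructed.

```python
import re

# Well-known vendor defaults; extend with any strings your own estate once shipped.
DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed sample of a Cisco IOS style configuration export (not a real device).
SAMPLE_CONFIG = """\
hostname core-rtr-01
snmp-server community public RO
snmp-server community private RW
snmp-server community s3cr3t-ro RO 10
snmp-server community Xk2!pQ9vLm RW 10
snmp-server community public RW 10
access-list 10 permit 192.0.2.10
"""

# IOS syntax: snmp-server community <string> [view <name>] RO|RW [<acl>]
COMMUNITY_RE = re.compile(
    r"^\s*snmp-server community (\S+)(?: view \S+)? (RO|RW)(?: (\S+))?\s*$", re.I
)


def audit_snmp_config(config: str) -> list[str]:
    """Return one finding per risky 'snmp-server community' statement."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), 1):
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        community, mode, acl = m.group(1), m.group(2).upper(), m.group(3)
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"line {lineno}: default community string '{community}' ({mode})")
        if mode == "RW":
            # Read-write access is full control of the device; prefer RO or SNMPv3.
            findings.append(f"line {lineno}: read-write community configured")
        if acl is None:
            findings.append(f"line {lineno}: community '{community}' has no access-list restriction")
    return findings


if __name__ == "__main__":
    for finding in audit_snmp_config(SAMPLE_CONFIG):
        print(finding)
```

The check cannot tell whether SNMP is needed at all; a device with no monitoring consumer should have it disabled rather than merely hardened.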
    30. No.4 – Unused and Unpatched Services
    31. HP/Compaq Insight Manager gives remote control of a server
    32. Missing RPC patch gives remote shell on Windows
    33. Missing Webmin patch gives remote shell on Linux
    34. Unused & Unpatched Services
      • Internal systems not patched up to date
      • Default services never reviewed or challenged
      • Minority systems not properly administered
      • No internal vulnerability scans conducted
      • No internal penetration tests conducted
      • Clear standards, regular checks and lots of training is the defence
    35. No.5 – Unprotected Laptops
    36. If we can boot from CD or USB …
    37. Become Local Administrator
        “Ophcrack is a free Windows password cracker based on rainbow tables by the inventors of the method. It comes with a Graphical User Interface and runs on multiple platforms.”
    38. Change the Windows Administrator password
    39. Simply read the hard disk
      • “Without a username and password I was able to use a boot CDROM to bypass the login password and copy the document files from my hard drive to my iPod in about 3 minutes 15 seconds.”
    40. … or take out the hard disk …
    41. … and read it in our laptop!
    42. Laptop Security
      • Physical security on laptops doesn’t exist
      • Windows security is ineffective if you have the laptop
      • Everything is visible: e-mails, spreadsheets, documents, passwords
      • If it’s on your laptop - it’s stolen!
      • Encryption is the best defence, coupled with lots of training!
    43. Need more information?
      • Peter Wood
      • Chief Executive Officer
      • First • Base Technologies LLP
      • [email_address]
      • Twitter: peterwoodx
      • Blog: fpws.blogspot.com
      • http://firstbase.co.uk
      • http://white-hats.co.uk
      • http://peterwood.com