5. The autopsy of the two hacks


My goal with this paper is not to give a hacking cookbook to script kiddies so they can screw up big corporations real big instead of just defacing their websites. Neither is it to promote network intrusions. My goal is to give a reality check to the IT industry, and to the companies that employ them, about the situation regarding network security. To show how easy it is, and the impact a security incident like this could have on a business. Having all the information that is available, a malicious person has limitations restricted only by his imagination (BTW, blackmailing is very unimaginative). My goal with this paper is also to outline why these hacks were so easily successful, in order to understand why this could happen in the first place. Only then will we be able to define corrective actions. So it is in this chapter that we will make the autopsy of these hacks, and find out what problems these companies, and many others, are facing.

In the case of XYZ Media Publishing Corporation, the problems are numerous, and do not simply involve technology. First of all, I made a lot of mistakes when I hacked this machine (the webserver), learning curve and all... For example, I did not erase the evidence of my intrusion in the IIS log files. A kiddie would probably have thought to erase the whole file, but an experienced intruder would have only deleted the entries belonging to him, to leave as little trace as possible. Not that it mattered in this case, because nobody looked at the log files. They only checked when they received my report, and they were astonished at how much noise I made that went undetected. Worse than that, there were 2 visual antivirus pop-ups (hk.exe) on the server's screen showing for 2 days without anybody noticing, or actually they saw them, but didn't bother to care about them! But wait, there's more: the tech that spotted us while we were in a Winvnc session didn't even bother to report the incident to anybody! With this kind of security awareness, what follows is not hard to understand. And the media are still amazed at Code Red and Sircam type of stuff.

Another problem is the lack of experience of their IT staff. It is well known that these big corporations, in order to be cost-efficient (i.e. as cheap as possible, to keep shareholders happy), centralize their support to reduce costs, and in doing so hire those who cost less, who happen to be the least experienced on the market. I took a good look at the resumes of their staff, and it tends to confirm my theory. Most of them didn't even have a college degree, even less a university degree. They had a computer support course and an MCSE from a specialized school; in a word, they were green. These people know only as far as what they have been shown, and will click where they learned to click, without any understanding of the concepts or implications of what they have just done. This is a direct effect of the big boom in the IT industry during the 90's. The demand was too high compared to the supply, so the industry had to generate more workforce, and in doing so rushed computer illiterates with diplomas out of schools to take care of the IT infrastructure of the nation's networks. Many people, having no or little computer experience, seeing the good salaries in IT, decided to simply make a career change. It isn't rare these days to see someone who worked in a textile shop become an NT administrator in less than a year! So this company is plagued by this problem: they couldn't (wouldn't) retain experienced staff, who would have enough working experience and knowledge to take the security aspect into consideration and raise flags when needed.

This leads to the third problem, directly generated by the preceding one, which is the presence of unpatched, highly vulnerable servers on the Internet. And their problem is about 40-fold, since XYZ Media Publishing Corporation is really about 40 smaller companies, all owned by XYZ Media Publishing Corporation, and each of these companies has the same problem, and all require urgent security measures. $$$

The fourth problem, in the same vein, is a really bad network architecture. XYZ Media Publishing Corporation cared enough about its network to at least put firewalls at each Internet entry point. All serious firewall products include the possibility to have a DMZ, which is a separated part of your network, designed to receive the public access machines like a web server or a mail server. The idea is to keep these machines separated from the rest of your internal network. Since these servers are exposed to the Internet, that means that anyone can potentially compromise the server. The role of the firewall is to deny all access from the DMZ machines to the internal network, because these machines cannot be trusted, and a connection initiated from one of these machines means that the machine has most probably been cracked. That way, you protect your internal network from Internet exposure, have your public servers, and make sure that the servers can't be used to access the internal network. In the case of XYZ Media Publishing Corporation, the picture was quite different. Both webservers that we laid our hands on were connected straight to the internal network. Even better, they were part of the NT domain architecture, which means that we could easily probe the PDCs for useful information about the internal network, and to authenticate.
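The DMZ rule just described, written out as an nftables forwarding policy, is an added example and not a configuration from either company in this paper. It assumes a three-legged firewall (eth0 to the Internet, eth1 to the DMZ, eth2 to the internal LAN) and a constructed web server address of 192.0.2.10; the "before" state, a webserver sitting directly on the internal LAN as a domain member, needs no rule at all, which is precisely the problem.

```nftables
# Assumed layout (constructed for this example):
#   eth0 = Internet, eth1 = DMZ, eth2 = internal LAN
#   192.0.2.10 = the public web server, which lives in the DMZ only
define DMZ_WEB = 192.0.2.10

table inet dmz_policy {
    chain forward {
        # Default deny: anything not explicitly allowed below is dropped,
        # which already covers Internet -> LAN.
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were allowed when they started.
        ct state established,related accept

        # The Internet may reach the DMZ web server, and only on HTTP/HTTPS.
        iifname "eth0" oifname "eth1" ip daddr $DMZ_WEB tcp dport { 80, 443 } ct state new accept

        # Internal users may browse the public web server too.
        iifname "eth2" oifname "eth1" ip daddr $DMZ_WEB tcp dport { 80, 443 } ct state new accept

        # The whole point of the DMZ: a session initiated from the DMZ toward
        # the internal network is never legitimate, so it is logged as a
        # compromise indicator and dropped. Domain membership, PDC lookups
        # and NetBIOS all die here.
        iifname "eth1" oifname "eth2" log prefix "DMZ->LAN attempt: " drop

        # Any outbound need of the DMZ host (DNS, vendor updates) would be
        # added here as an explicit eth1 -> eth0 rule, never toward eth2.
    }
}
```

Watching the kernel log for the "DMZ->LAN attempt:" prefix gives the detection the IIS log files never got in this story: one such line is worth more than a week of unread web logs.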

The fifth problem afflicted both companies, and is spread everywhere in the networked corporate world: it's the fact that the internal network, and especially the workstations, are completely unprotected. Many of the PCs have open shares, not even protected by a password (which could be broken anyway, especially on a Win 9x machine). Passwords are weak and easily broken. ACLs are rarely implemented on NT workstations; on servers they are implemented on the data portion (to prevent people from accessing other people's files), but not on the system portion, which means that anyone can grab the password file and crack it later. Antivirus products are often out of date, even if auto-update features are now a common thing, and even if they were up to date, they can be easily circumvented. Let's just say that if your only protection is an antivirus product, then you shouldn't even bother to install it.

The sixth problem is the one that caught Trust-us e-commerce inc. with its pants down. Being an e-commerce company, they were serious enough about it to take good care of their systems. The ones exposed to the Internet, that is. So besides having their internal systems completely open like XYZ Media Publishing Corporation, their physical security was nonexistent. Beginning with the guy who manages the building, who gave us the floor plans! He even offered to give us the plans of other floors. Then, it was easy to go inside the offices without being challenged by anyone, which would have forced the intruder to think quick and bullshit his way out, with the chance that he makes a mistake and gives himself away. The floor had many access doors besides the main entrance, which was guarded by the secretary. There's no badge or ID or anything to differentiate an employee from an outsider. That was their weak spot. Ironically, I would say that XYZ Media Publishing Corporation was more protected in terms of physical security, but it could still be easy to bullshit one's way inside and plant a bug. Especially since their network is spread over several different locations.

Then, there is the lack of security awareness in corporations' upper management. The finance director of XYZ Media Publishing Corporation was all shocked to see the results of my intrusion attempt, as he firmly believed that their network was secure. Then, in true beancounter style, he complained about the amount of money they paid for the firewalls, which proved to be useless after all. But this guy only understands dollars, not technology. Is it possible to achieve a secure computing environment connected to the Internet without firewalls? Absolutely not, of course! But are they sufficient to secure the computing environment by themselves? The answer is no again. But he thought that by simply buying an expensive band-aid, that would solve all their security problems. Which leads me to the last problem I can identify in this autopsy.

Pretty much like the IT industry growth of the 90's and the Y2K rush that later mutated into e-commerce, the computer security industry is also the victim of a "gold rush effect". Given the enormous size of the vulnerable computing base in corporate IT, it is not hard to see a high revenue potential for any skilled businessman. It is not rare then to see small professional security firms being purchased and merged with bigger IT companies, that were mostly in the MCSE business before that (what a surprise). Instead of seeing the knowledge of the security firm being applied to the MCSE shop's procedures, in order to increase the value of the services they provide, and thus doing better than the competition (which should get you to increase your market share and revenues), they want to keep the security department from bashing too much on Microsoft, because they are a business partner, and it isn't a good thing to bitch against a partner, because it might piss him off. Also, the MCSEs didn't appear to like to hear that they were not as competent as they thought they were, so we had to quiet down. So, in the process of company growth, the security firm hires new consultants, fresh out of school, with no or little previous IT experience, that they train into certified firewall installers. During this time, the more experienced security consultants are asked to keep quiet, failure of which could lead to demotion, or simply being shown out the door. Of course, some others will not necessarily wait that long before leaving for greener pastures (where did I see this pattern before?). This has the effect of lowering the overall quality of the services provided by this firm, and will only maintain the present insecure state of today's networks. And these people then say that security consultants don't understand the business side of a security project.
