BreachExchange mailing list archives

Ethical hacking: Getting inside the minds of cyber criminals


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 26 Jun 2014 20:19:54 -0600

http://www.computerworld.com.au/article/548503/ethical_hacking_getting_inside_minds_cyber_criminals/

Just when you think you’ve got yourself all covered on the security front,
an attack comes out of nowhere and bites you on the arse. You think to
yourself: How did I not see that coming?

That’s where penetration testing, or ethical hacking, comes in. The idea is
to get a third party to think (and act) like a hacker to test your
organisation's resilience to attack.

And the stakes are high, says Hacklabs senior consultant Jody Melbourne.
“Nobody is concerned with targeting websites or going after your database –
that’s old,” Melbourne says. “The real bad guys are trying to steal your
IP, your business intelligence or business information. [The criminal] is
going after your internal network.

“You make a lot more money if you find out that large corporation A is
about to acquire large corporation B in a few months, for example. If you
hack some board members of a large corporation and find out all of their
secret information, read their emails, then that is far more serious than
stealing credit cards.”

Melbourne has been employed by both private sector and public sector
organisations to test their security, with sometimes alarming results.

He said he's found it "frustratingly easy" to just walk into many
organisations. "I just wave my hand and say ‘I’m walking in here, it’s
fine’ and walk straight in," Melbourne says. "I’m wearing the right
clothes, I’m confident, and I look like I’m supposed to be there.”

All it can take then is swapping out a desk phone for a tampered-with
handset of the same model. “I plug in a device behind a phone; or I swap
out the phone entirely for the exact same model and say ‘I’m here to change
the phone, there’s something wrong with it’ and the receptionist says ‘OK’."

"That whole network and organisation is compromised with a spy phone that I
was able to make for $50," Melbourne says.

Melbourne gave another hypothetical scenario for compromising a network — a
hacker dressed like, and acting like, a regular employee just strolls in
and connects a Wi-Fi or 3G dongle to an organisation's network.

“[Then] I’m sitting in a hotel room 500 metres away with full access to
your internal network reading your executives’ emails," Melbourne says.
"That’s the landscape now."

A network could be compromised with just $100 worth of innocuous-looking
hardware that most employees wouldn't even recognise as a threat.

Melbourne said that when engaged by a government department to test their
security he was able to compromise the entire agency after gaining access
to a computer on its network – with no special tools required.

“A business insider at a corporation might only have mediocre hacking
skills, but might actually guess the password of the CEO and get access to
all of that information," Melbourne says.

"That’s far more devastating to an organisation than the most advanced
hacker in the world sitting inside that network who has absolutely no
business experience, doesn’t know anything about the corporation.

“The hacker could get access to all the corporate documentation, all of the
board members, meeting minutes, all kinds of internal IP and emails. But
the hacker doesn’t know how the business works so he/she doesn’t know what
is valuable and what isn’t.”

Daniel Cabezas, IT security testing services leader at Macquarie Group,
says that when he does test email campaigns, he still finds many users
clicking on links, downloading files or installing untrusted applications.

"We are doing security awareness courses, but whenever we do testing by
sending ourselves email campaigns, there’s still more percentage of our
user base who click on things," he says.

One issue that security teams have to deal with is that hackers are also
not necessarily looking to directly break into a company's systems. Cabezas
says they may have more success in hacking a personal computer of an
employee to find business information or a work password or account.

"If the malware is trying to target the users at their homes, the reality
is that I don’t have that many security controls in my laptop at home. So
[criminals] are most successful attacking the home laptop of the users to
try and get information about the company they work for. They go to
LinkedIn and look for potential employees from the company to attack their
personal laptops."

The rise of bring-your-own device (BYOD) schemes – under which employees
can use their own smartphones, tablets and notebooks for work – and an
emphasis on flexible working only further complicate the situation.

Cabezas says that there's usually a struggle to balance user demand for new
technology with security.

"We have to determine what the risk of [introducing] the new technology is,
but our users are already asking us to implement it," he says.

"You might have a very functional, well-defined application, and you might
think ‘it works the way we expect it to’. But what happens when somebody
finds something unexpected?

"Criminals don’t work for X hours a day and then go home. They keep working
during the night, during the weekend and they just have to find one hole.
So you have to think the way they do. You might say ‘this vulnerability is
really difficult to exploit’, but they will take the time and whatever the
means to exploit it."

Pentester’s toolbox

Many of the tools used by pentesters to assess an organisation's
vulnerability to attack are freely available. Here are six of the most
commonly used.

Metasploit

The Metasploit Framework can be used for both discovery and execution of
vulnerabilities. The open source project bills itself as the "world's most
used penetration testing software". The current version is 4.9.3, released
in March this year. There's a non-free 'Pro' edition based on the freely
downloadable 'Community' edition.

Burp Suite

Burp is a platform for testing Web applications. It includes a proxy for
monitoring traffic between your browser and a website, a scanner for
vulnerability discovery, a tool for testing the randomness in an
application's session tokens, and 'Burp Intruder' for "automating
customised attacks against Web applications, to identify and exploit all
kinds of security vulnerabilities".

Phishing Frenzy

Phishing Frenzy allows pentesters to manage email phishing campaigns. The
tool, built using the Ruby on Rails Web framework, allows campaign creation
and execution. Phishing templates can be backed up, restored and shared.

John The Ripper

John is an open source, multiplatform password cracking tool. It is able to
identify the type of hashing and can use a variety of methods to determine
a password.

Nmap

Nmap is an open source tool that can be used for mapping a computer network,
identifying hosts and services. Scan types include SYN Stealth; FIN, Xmas,
Null; UDP Scan; IP Protocol Scan; ACK Scan; Window Scan; and more.
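Seen from the defender's side, the scan types listed above each leave a distinctive TCP flag pattern in a capture. The following is an added example, not code from the article or the Nmap project: it maps those flag patterns to scan names and flags any source that probes many distinct ports with one pattern. The packet-summary line format and the sample records are constructed for the example.

```python
from collections import defaultdict

# Letter codes used in the constructed flags= field: F=FIN S=SYN R=RST P=PSH A=ACK U=URG.
# Each entry is the flag set of the probe packet a given Nmap scan type sends.
SCAN_SIGNATURES = {
    frozenset("S"): "SYN Stealth",
    frozenset("F"): "FIN",
    frozenset("FPU"): "Xmas",
    frozenset(): "Null",
    frozenset("A"): "ACK/Window",  # pure-ACK probes also look like ordinary traffic
}


def classify_flags(flags: str):
    """Map a TCP flag string such as 'FPU' to a scan type, or None if it is not a probe."""
    return SCAN_SIGNATURES.get(frozenset(flags))


def parse_line(line: str) -> dict:
    """Parse one constructed 'key=value' packet summary into a dict."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    fields["dport"] = int(fields["dport"])
    return fields


def detect_scans(lines, min_ports: int = 5):
    """Return {src: {scan_type: sorted ports}} for every source that sent one
    scan-type flag pattern to at least min_ports distinct destination ports.
    The port threshold is what separates a scan from a single normal connection."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        pkt = parse_line(line)
        scan = classify_flags(pkt["flags"])
        if scan is not None:
            seen[pkt["src"]][scan].add(pkt["dport"])
    report = {}
    for src, by_type in seen.items():
        hits = {s: sorted(p) for s, p in by_type.items() if len(p) >= min_ports}
        if hits:
            report[src] = hits
    return report


# Constructed sample: an Xmas sweep, a Null sweep, and two ordinary connections.
SAMPLE = (
    [f"src=10.0.0.5 dst=10.0.0.10 dport={p} flags=FPU" for p in (21, 22, 23, 25, 80, 443)]
    + [f"src=10.0.0.7 dst=10.0.0.10 dport={p} flags=S" for p in (80, 443)]
    + ["src=10.0.0.7 dst=10.0.0.10 dport=443 flags=A"]
    + [f"src=10.0.0.9 dst=10.0.0.10 dport={p} flags=" for p in (135, 139, 445, 3389, 8080)]
)

if __name__ == "__main__":
    print(detect_scans(SAMPLE))
```

Lowering `min_ports` trades fewer missed slow scans for more false positives from normal multi-port clients.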

Wireshark

Wireshark is an open source network packet analyser. It can be used for
network troubleshooting, analysis, and software and communications protocol
development, but pentesters essentially use it to eavesdrop on an
organisation's network traffic.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
