Re: EXAMPLE: Why OOO is *BAD* [WAS: Re: OOO FLAME]

[Tim March <march.tim () gmail com>]

I was possibly a little blaze with the wording in my original email. Let 
me clarify my understanding for you:

The "secretary" mounted a scripted social engineering attack via 
telephone against the "helpdesk" to obtain the /etc/shadow file from the 
"user "file store server.

Again; I didn't miss the point -- just found the story questionable. 
Reasonable, maybe, for illustrative purposes -- but questionable from a 
practical viewpoint.




T.

Hill, Pete wrote:
> Sorry Tim, but I think you have missed the point a little as have a
> number of others.
>
> The secretary was not the one with access to the file.  The secretary
> was the secretary at the education centre that staged the attack.  All
> she did was request the file from "Joes" companies helpdesk.  
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
> On Behalf Of Tim March
> Sent: 15 September 2008 23:52
> To: pen-test () securityfocus com
> Subject: Re: EXAMPLE: Why OOO is *BAD* [WAS: Re: OOO FLAME]
>
>
> I didn't miss the point -- just found the story questionable.
>
>
> T.
>
> Pablo Cardoso wrote:
> > Tim, I'm guessing you missed the point. The secretary called the 
> > tech-support of Joe's company, she was the one requesting the 
> > /etc/shadow file from the server :P!!!
> >
> > Excellent scenario, Jon, thanks for sharing!
> >
> > Regards,
> > Pablo Cardoso
> >
> > On Mon, Sep 15, 2008 at 2:39 AM, Tim March <march.tim () gmail com>
> wrote:
> > > A secretary with access to the '/etc/shadow' file... and the means to
>
> > > pull it off of the machine and in to her email client... *giggles to 
> > > self*
> > >
> > >
> > >
> > > T.
> > >
> > > Jon Kibler wrote:
> > > > -----BEGIN PGP SIGNED MESSAGE-----
> > > > Hash: SHA1
> > > >
> > > > Erin Carroll wrote:
> > > > > List,
> > > > >
> > > > > Let's take Ray's tangent and run with it. What (if any) ways are 
> > > > > OOO messages useful from a pen-test perspective? How would you use 
> > > > > the knowledge that someone is away/on vacation in a pen-test? Would
>
> > > > > you alter your techniques or target those accounts specifically in 
> > > > > the hopes that brute force or other account specific techniques 
> > > > > might have a window to go unnoticed?
> > > > >
> > > > > I'm just trying to get a conversational ball rolling here. I know 
> > > > > where I would modify my tactics but I'm curious to see what members
>
> > > > > say. I know that one area many companies are historically weak is 
> > > > > in logging of security events. Or rather, in having someone 
> > > > > actually pay attention to all those alerts.
> > > > Okay, since I started this, you're on!
> > > >
> > > > Real world example...
> > > >
> > > > I was teaching a pen-test bootcamp several years ago. One of the 
> > > > students (who I will call 'Joe') pooh-poohed the whole OOO message 
> > > > issue. He even indicated that he used them all the time, that they 
> > > > were harmless, and they saved him from getting calls to his cell 
> > > > phone at roaming rates when he was out of town. (This was back in 
> > > > the days before nationwide calling plans.)
> > > >
> > > > I then sent Joe a test email message at his work email address. I 
> > > > got back an OOO message saying that he would be out of the office 
> > > > for two weeks of training and would only have very limited email at 
> > > > night. His signature line showed that he was the dep-CSO for his
> organization.
> > > > I then displayed the email for the whole class to discuss. Next, I 
> > > > proposed that we demonstrate why OOO messages are an issue.
> > > >
> > > > What I proposed was to social engineer the help desk into providing 
> > > > sensitive information. Rather arrogantly, he said, "Sure, why not? 
> > > > Those guys are well trained and would never fall for anything you 
> > > > could contrive." We then got permission (in writing) from the CIO, 
> > > > the CSO, and the organization's legal department to do the social
> engineering attack.
> > > > Next, I wrote up a script for a secretary (who I will call 'Sue') at
>
> > > > that ed center to use to call the organization's help desk. It 
> > > > basically went as follows:
> > > >
> > > >   Sue: "Hi, I'm Sue with abc training company. One of your 
> > > > employees, Joe, is taking a security course from us and he forgot 
> > > > that he was supposed to bring the /etc/shadow file from the user
> file store server.
> > > > He needs it to use in class to test password cracking. He asked that
>
> > > > you please gzip it and email it to him."
> > > >
> > > >   Help Desk: "Okay, but I will have to check with his manager
> first."
> > > >   Sue: "Oh, Joe said that if you needed to verify that he was taking
>
> > > > a course from us, just send him an email and the OOO reply it will 
> > > > have everything you need to know."
> > > >
> > > >   Help Desk: "Alright, give me a minute. (Pause) Okay, I guess this 
> > > > has everything I need. But, it says that he has limited email 
> > > > access; does he want it sent to his office email address?"
> > > >
> > > > (This just shows that help desks are trained to be helpful!!! 
> > > > Despite continual security awareness training, the possibility that 
> > > > this might be social engineering attack never even occurred to this 
> > > > guy!)
> > > >
> > > >   Sue: "No, I was just about to tell you that he asked to have you 
> > > > it send to his Hotmail address, which is: joe.... () hotmail com."
> > > >
> > > >   Help Desk: "Okay, no problem, he should have it in about 5
> minutes."
> > > > Needless to say, we had just created the hotmail account a few 
> > > > minutes prior to the phone call.
> > > >
> > > > In just a couple of minutes, we owned the shadow file from the file 
> > > > server where all user accounts have their data stored. In other 
> > > > words, we now pwned the passwords for every one of his users.
> > > >
> > > > After that b-slap with a clue-by-4, Joe started singing a different
> tune.
> > > > Jon K.
> > > > - --
> > > > Jon R. Kibler
> > > > Chief Technical Officer
> > > > Advanced Systems Engineering Technology, Inc.
> > > > Charleston, SC  USA
> > > > o: 843-849-8214
> > > > c: 843-224-2494
> > > > s: 843-564-4224
> > > > http://www.linkedin.com/in/jonrkibler
> > > >
> > > > My PGP Fingerprint is:
> > > > BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
> > > >
> > > >
> > > > -----BEGIN PGP SIGNATURE-----
> > > > Version: GnuPG v1.4.8 (Darwin)
> > > > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> > > >
> > > > iEYEARECAAYFAkjNccsACgkQUVxQRc85QlOwCwCgl54SNlQMmB6/USWoYaKXTGiz
> > > > 74kAoIuGzu3M2pYIcOuiQNiVewO478Rd
> > > > =BBer
> > > > -----END PGP SIGNATURE-----
> > > >
> > > >
> > > >
> > > >
> > > > ==================================================
> > > > Filtered by: TRUSTEM.COM's Email Filtering Service 
> > > > http://www.trustem.com/ No Spam. No Viruses. Just Good Clean Email.
> > > >
> > > >
> > > >
> > > >
> > > > --------------------------------------------------------------------
> > > > ----
> > > >
> > > > --------------------------------------------------------------------
> > > > ----
> > > > This list is sponsored by: Cenzic
> > > >
> > > > Top 5 Common Mistakes in Securing Web Applications Get 45 Min Video 
> > > > and PPT Slides
> > > >
> > > > www.cenzic.com/landing/securityfocus/hackinar
> > > > --------------------------------------------------------------------
> > > > ----
> > > --
> > > Tim March
> > > P: +61 (0)406 577 276
> > > E: march.tim () gmail com
> > >
> > > ---------------------------------------------------------------------
> > > ---
> > > This list is sponsored by: Cenzic
> > >
> > > Top 5 Common Mistakes in Securing Web Applications Get 45 Min Video 
> > > and PPT Slides
> > >
> > > www.cenzic.com/landing/securityfocus/hackinar
> > > ---------------------------------------------------------------------
> > > ---
> > ----------------------------------------------------------------------
> > --
> > This list is sponsored by: Cenzic
> >
> > Top 5 Common Mistakes in
> > Securing Web Applications
> > Get 45 Min Video and PPT Slides
> >
> > www.cenzic.com/landing/securityfocus/hackinar
> > ----------------------------------------------------------------------
> > --
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Top 5 Common Mistakes in
> Securing Web Applications
> Get 45 Min Video and PPT Slides
>
> www.cenzic.com/landing/securityfocus/hackinar
> ------------------------------------------------------------------------
>
>
> Note: To protect against computer viruses, e-mail programs may prevent sending or receiving certain types of file 
> attachments.  Check your e-mail security settings to determine how attachments are handled.
>
>
> A number of bogus e-mails are currently circulating in the UK encouraging customers to visit fraudulent websites where 
> personal or Internet security details are requested. Bid tv/Price-drop tv/Speed auction tv would never send e-mails 
> that ask for confidential, personal security information or details regarding your account status.
>
> The content of this e-mail does not constitute a contract and any matters discussed herein remain subject to contract.
>
> The contents of this message and all attachments have been sent in confidence for the attention of the addressee only.  
> If you are not the intended recipient you are kindly requested to preserve this confidentiality and to advise the 
> sender immediately of the error in transmission.
>
> "sit-up ltd, registered in England No: 03877786.
> Registered Office: sit-up House, 179-181 The Vale, London W3 7RW.
> sit-up ltd is wholly owned by a subsidiary of Virgin Media."

--
Tim March
e: march.tim () gmail com
p: 0406 577 276

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in 
Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------