Questionable Security Policy [WAS: EXAMPLE: Why OOO is *BAD* [WAS: Re: OOO FLAME]]

["Veal, Richard" <rveal () westernpower co uk>]

I don't think that he missed the point atall - for starters
"tech-support" shouldn't even have access to /etc/shadow files, that
should lie with the root-access sys admins, now in my job if a secretary
(or even if tech-support) rang me up and asked for a shadow file I think
I would first be inclined to ask what they intended with it (or laugh at
them and say no way mate) (there would have to be a VERY good reason...)
- and the moment hotmail accounts were mentioned, out-of-office replies
as authorisation and sending this file externally well, you know the
rest... And even if I did think "hang on I will check just in case" my
first port of call would be the so called requestors mobile phone (CSO
or whatever he was)...

And any company that doesn't have a policy in place, or at least someone
experienced enough to think "That file is way too sensitive to even
consider sending out" well... They deserve all the security related
troubles they get



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Tim March
Sent: 15 September 2008 23:52
To: pen-test () securityfocus com
Subject: Re: EXAMPLE: Why OOO is *BAD* [WAS: Re: OOO FLAME]


I didn't miss the point -- just found the story questionable.


T.

Pablo Cardoso wrote:
> Tim, I'm guessing you missed the point. The secretary called the 
> tech-support of Joe's company, she was the one requesting the 
> /etc/shadow file from the server :P!!!
>
> Excellent scenario, Jon, thanks for sharing!
>
> Regards,
> Pablo Cardoso
>
> On Mon, Sep 15, 2008 at 2:39 AM, Tim March <march.tim () gmail com>
wrote:
> > A secretary with access to the '/etc/shadow' file... and the means to

> > pull it off of the machine and in to her email client... *giggles to 
> > self*
> >
> >
> >
> > T.
> >
> > Jon Kibler wrote:
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > Erin Carroll wrote:
> > > > List,
> > > >
> > > > Let's take Ray's tangent and run with it. What (if any) ways are 
> > > > OOO messages useful from a pen-test perspective? How would you use 
> > > > the knowledge that someone is away/on vacation in a pen-test? Would

> > > > you alter your techniques or target those accounts specifically in 
> > > > the hopes that brute force or other account specific techniques 
> > > > might have a window to go unnoticed?
> > > >
> > > > I'm just trying to get a conversational ball rolling here. I know 
> > > > where I would modify my tactics but I'm curious to see what members

> > > > say. I know that one area many companies are historically weak is 
> > > > in logging of security events. Or rather, in having someone 
> > > > actually pay attention to all those alerts.
> > >
> > > Okay, since I started this, you're on!
> > >
> > > Real world example...
> > >
> > > I was teaching a pen-test bootcamp several years ago. One of the 
> > > students (who I will call 'Joe') pooh-poohed the whole OOO message 
> > > issue. He even indicated that he used them all the time, that they 
> > > were harmless, and they saved him from getting calls to his cell 
> > > phone at roaming rates when he was out of town. (This was back in 
> > > the days before nationwide calling plans.)
> > >
> > > I then sent Joe a test email message at his work email address. I 
> > > got back an OOO message saying that he would be out of the office 
> > > for two weeks of training and would only have very limited email at 
> > > night. His signature line showed that he was the dep-CSO for his
organization.
> > > I then displayed the email for the whole class to discuss. Next, I 
> > > proposed that we demonstrate why OOO messages are an issue.
> > >
> > > What I proposed was to social engineer the help desk into providing 
> > > sensitive information. Rather arrogantly, he said, "Sure, why not? 
> > > Those guys are well trained and would never fall for anything you 
> > > could contrive." We then got permission (in writing) from the CIO, 
> > > the CSO, and the organization's legal department to do the social
engineering attack.
> > > Next, I wrote up a script for a secretary (who I will call 'Sue') at

> > > that ed center to use to call the organization's help desk. It 
> > > basically went as follows:
> > >
> > >   Sue: "Hi, I'm Sue with abc training company. One of your 
> > > employees, Joe, is taking a security course from us and he forgot 
> > > that he was supposed to bring the /etc/shadow file from the user
file store server.
> > > He needs it to use in class to test password cracking. He asked that

> > > you please gzip it and email it to him."
> > >
> > >   Help Desk: "Okay, but I will have to check with his manager
first."
> > >   Sue: "Oh, Joe said that if you needed to verify that he was taking

> > > a course from us, just send him an email and the OOO reply it will 
> > > have everything you need to know."
> > >
> > >   Help Desk: "Alright, give me a minute. (Pause) Okay, I guess this 
> > > has everything I need. But, it says that he has limited email 
> > > access; does he want it sent to his office email address?"
> > >
> > > (This just shows that help desks are trained to be helpful!!! 
> > > Despite continual security awareness training, the possibility that 
> > > this might be social engineering attack never even occurred to this 
> > > guy!)
> > >
> > >   Sue: "No, I was just about to tell you that he asked to have you 
> > > it send to his Hotmail address, which is: joe.... () hotmail com."
> > >
> > >   Help Desk: "Okay, no problem, he should have it in about 5
minutes."
> > > Needless to say, we had just created the hotmail account a few 
> > > minutes prior to the phone call.
> > >
> > > In just a couple of minutes, we owned the shadow file from the file 
> > > server where all user accounts have their data stored. In other 
> > > words, we now pwned the passwords for every one of his users.
> > >
> > > After that b-slap with a clue-by-4, Joe started singing a different
tune.
> > > Jon K.
> > > - --
> > > Jon R. Kibler
> > > Chief Technical Officer
> > > Advanced Systems Engineering Technology, Inc.
> > > Charleston, SC  USA
> > > o: 843-849-8214
> > > c: 843-224-2494
> > > s: 843-564-4224
> > > http://www.linkedin.com/in/jonrkibler
> > >
> > > My PGP Fingerprint is:
> > > BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
> > >
> > >
> > > -----BEGIN PGP SIGNATURE-----
> > > Version: GnuPG v1.4.8 (Darwin)
> > > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> > >
> > > iEYEARECAAYFAkjNccsACgkQUVxQRc85QlOwCwCgl54SNlQMmB6/USWoYaKXTGiz
> > > 74kAoIuGzu3M2pYIcOuiQNiVewO478Rd
> > > =BBer
> > > -----END PGP SIGNATURE-----
> > >
> > >
> > >
> > >
> > > ==================================================
> > > Filtered by: TRUSTEM.COM's Email Filtering Service 
> > > http://www.trustem.com/ No Spam. No Viruses. Just Good Clean Email.
> > >
> > >
> > >
> > >
> > > --------------------------------------------------------------------
> > > ----
> > >
> > > --------------------------------------------------------------------
> > > ----
> > > This list is sponsored by: Cenzic
> > >
> > > Top 5 Common Mistakes in Securing Web Applications Get 45 Min Video 
> > > and PPT Slides
> > >
> > > www.cenzic.com/landing/securityfocus/hackinar
> > > --------------------------------------------------------------------
> > > ----
> > --
> > Tim March
> > P: +61 (0)406 577 276
> > E: march.tim () gmail com
> >
> > ---------------------------------------------------------------------
> > ---
> > This list is sponsored by: Cenzic
> >
> > Top 5 Common Mistakes in Securing Web Applications Get 45 Min Video 
> > and PPT Slides
> >
> > www.cenzic.com/landing/securityfocus/hackinar
> > ---------------------------------------------------------------------
> > ---
>
> ----------------------------------------------------------------------
> --
> This list is sponsored by: Cenzic
>
> Top 5 Common Mistakes in
> Securing Web Applications
> Get 45 Min Video and PPT Slides
>
> www.cenzic.com/landing/securityfocus/hackinar
> ----------------------------------------------------------------------
> --

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in
Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------


______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________

Western Power Distribution (South West) plc / Western Power Distribution (South Wales) plc 
Registered in England and Wales 
Registered number: 2366894 (South West) / 2366985 (South Wales) 
Registered Office: Avonbank, Feeder Road, Bristol, BS2 0TB 

This email and any files transmitted with it are confidential and intended solely for the use of the individual or 
entity to whom they are addressed. If you have received this email in error please notify postmaster () westernpower co 
uk

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in
Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------