How to put cybersecurity defences to the test
- 7 June 2013
- From the section Technology
In the second part of this series about ethical hackers, the BBC gets a glimpse of some of the tricks these skilled researchers use to test cyber-defences.
There are few jobs in which you can get away with copying techniques and tricks used by criminals, but being a professional "penetration tester" is one such trade.
Penetration testers are ethical hackers who by both reasonable and unreasonable methods try to defeat the digital defences set up by companies to keep out spammers, scammers and other cyber-villains.
The BBC was given a demonstration of some of the tricks and techniques used by the so-called "pen testers" by professionals from security firm Sentor and Trustwave's SpiderLabs.
Kalle Zetterlund from Sentor said pen testers were generally trying to persuade someone inside a company to make a mistake that, inadvertently, would let them in.
Sometimes, he said, this mistake could be as simple as choosing a weak password, such as password01, which is easily found by a computer that can make thousands of guesses every second.
However, he said, there was a whole host of other errors people made that, at first glance, looked innocuous but could prove dangerous.
One technique developed by the Sentor researchers exploits "water-holing" ie targeting the places where employees gather outside work.
Ideas for targets can be gleaned from social media where people regularly betray details about what they do in their spare time and where online they talk about it.
The websites and discussion forums they mention in connection with a sport or hobby rarely have decent digital defences, said Mr Zetterlund.
Some of those sites permit what is known as cross-site scripting which, in effect, lets an attacker run their own code on that web location. That can make it easy to booby-trap messages on a forum and trap the real target.
Others did a poor job of protecting the code behind a site or forum and inspecting that often yielded clues about vulnerabilities to which it might be susceptible.
Another route can be the weak algorithms used to generate random numbers as a "seed" for a password.
"It's a fairly common mistake," said Mr Zetterlund. "And even those that use proper random number generators get so little input that you can use that to guess them."
A site could be taken over using these weaknesses allowing an attacker, or ethical hacker, to start seeding chat forums with malicious messages or simply booby-trapping the site itself.
These traps work best when people do not keep Java and Adobe programs up to date.
One attack developed by Sentor's Bjorn Johansson strikes when an innocuous message is simply viewed on a compromised forum. If a machine running an old version of Java visits, it risks falling victim to the instructions contained in computer code added after the words in the subject line. Mr Johansson's code snippet opens up a connection directly to a target machine.
"I can do anything you can do sitting in front of your computer," said Mr Johansson who then turned on the webcam on the compromised machine to spy on its owner.
Given such access, scooping up login details for a corporate network or stealing documents would be trivial, he said.
Not all techniques depend on compromising a site, others work with spoofed emails sent to a few people inside a target company.
To make these look convincing, said Michele Orru, senior security consultant at Trustwave's SpiderLabs, pen testers might send a legitimate query to a company to generate a formal response. The resulting automatically generated message would have all the images and other details needed to make a spoof look authentic.
If this were coupled with a fake webpage that posed as a company's webmail gateway it could be a powerful way to trick people into handing over login details. Even if people spotted that the fake webmail page was an attempt to trick them, they could fall victim to a separate attack developed by Mr Orru that strikes when they visit the page.
"As soon as they land on our page we can see a list of information about them," said Mr Orru. That list is generated by quizzing a computer about what software it is running. That could betray known vulnerabilities that ethical attackers can capitalise on.
In addition, the attack tool created by Mr Orru can generate fake prompts which ask a victim for login details to websites and social media networks. Anything a victim types into those fake login boxes can be grabbed by the attacker and used to steal further information.
"We rely on social engineering or tricks to make people click on something and do something on our behalf," he said.
But not all penetration testing relies on technical knowledge. Some is much more brazen and involves testers using more physical methods to try out security.
These techniques include scattering booby-trapped USB drives in a company car park or leaving CDs in receptions which have "payroll" or some other trigger word written on them. Few can resist slotting them in a drive to see what they contain. Once they do, the code on the gadget springs to life and gives the attacker access.
Christian Angerbjorn, who carried out security testing for one of the UK's high-street banks, said he regularly documented how far he got inside a building using an iPhone in a Starbucks cup that had its camera peeping through a hole in the side.
Typically, he said, physical pen testers have a particular location in mind when they target a building. Reaching the IT director's desk unchallenged is usually enough to make the point, he said.
Other physical pen testers say getting past reception areas can often be accomplished by taking off your jacket, rolling up your sleeves and carrying a big box.
Sometimes, though, a pen tester just has to be lucky. Mr Angerbjorn remembered one job which involved him and his team being asked to get inside a large hosting facility in America. On day one of the assignment they turned up en masse to carry out reconnaissance and wondered just how they would get in to such a tightly monitored building.
As they watched, an alarm sounded and staff poured out of the building as a fire alarm test was carried out. The team bundled out of their car and tailgated their way inside. Job done.
Said Mr Angerbjorn: "My only thought was, 'What are we going to do for the rest of the week?'"