What makes a good hacker a good hacker and what makes a bad hacker a bad hacker when we talk about good and evil is malicious intent

Author: Bernadette Hall
Ethical Hacking

Jay Abbott, Director of Threat & Vulnerability Management at PwC, spoke at the joint ACCA/IIA networking forum on 24 November 2011 on Ethical Hacking. This is an overview of his talk.

What makes a hacker a hacker?

Most people get into this subject matter through pure interest – they take things apart, they put them back together. Designing and building IT systems is fun but operating them is not, and working in IT support is definitely not fun. However, breaking IT is fun. Take any system of control, think about how it works, now think about its deficiencies, now exploit those deficiencies – that is what hackers do. A hacker’s system of control is a computer system, a network, a web application, an ERP system, etc. It does not matter – whatever the technology is, however it works – that is what a hacker attacks. That is what makes a hacker a hacker – that ability to take a system apart and put it back together. What makes a good hacker a good hacker and what makes a bad hacker a bad hacker, when we talk about good and evil, is malicious intent.

Cyber Attacks

This is a formula for any cyber attack and can be applied to any attack that ever happens. Attacks can be broken down into four key elements:

- Threat agents (Enactors – the bad guy)
- Attack vectors (Actions)
- Attack surfaces (What you want to attack)
- Vulnerabilities (Exploitable weaknesses within the attack surface)

This model applies to any attack that you have ever read about. For example, the original News of the World phone hacking stuff – the threat agents were private investigators, the attack vector was actually phoning the mobile phone number with a number in front of it (it used to be this simple – they have fixed it now), and the attack surface was the voicemail system provided to you by your mobile phone provider. The weakness was that the very first time you set up your voicemail, you did not need a PIN – you just needed the phone number – then they added a PIN but it was always a standard default. The vulnerability in that context was the way in which it was pinned together – the way that they had set up the system. A countermeasure has now been put in place: you now have to phone up and enable your voicemail and set a complex PIN. A system was designed with a series of controls to make your life easier, which was then identified, analysed, understood and exploited. That methodology – agent, vector, surface, vulnerability – can be applied to any hack that you have ever read about and it will work. You will be able to identify each of those categories, which is useful because if you understand the threat agents abstracted from the attacks, you can see that different agents might run different attacks, since one agent might be more complex or intelligent than another. Then you can start thinking about breaking this down and understanding it. Once you start understanding it, you can start controlling it.

Threat Agents

ATTACKER                MOTIVATION         GOAL
Hackers                 Exploration        Knowledge
Spies                   Agenda             Political
Terrorists              Terror / War       Political
Corporate raiders       Competitive edge   Financial
Professional criminals  Financial gain     Financial
Vandals                 Thrill / fame      Damage

Source: CERT Coordination Centre Research, www.cert.org

At the top of the tree are hackers. Hackers are not bad – they tend to be very moral people who have a real issue with people doing wrong. There is an irony to this, but consider an example: an expert hacker who enjoys the intellectual challenge of reverse-engineering a system finds a vulnerability and is instantly annoyed with the vendor who made the software, because they should have known better. The hacker emails the vendor notifying them of the vulnerability and demanding that they fix it, but the vendor considers it too expensive to fix immediately and is only prepared to schedule it into the release cycle. The hacker becomes very upset and decides to force the vendor’s hand by releasing the vulnerability so that the vendor has no choice but to patch it, because now it affects the entire customer base. The problem is that whilst the hacker has done what he thought was morally right, the vulnerability is now in the wild and the vendor will take six weeks to patch it – a period known as zero day. The rest of the tree now enters the picture – spies, terrorists, etc. These attackers will use the vulnerability to get access to your system for their own goals. They do not need to know how it works, they just need to have access to it, and our friendly neighbourhood hacker has released it on all the hacker forums to let everyone else know and force the vendor’s hand, so now the other attackers do not need skill to use the issue. Enter corporate raiders like the NoW private investigators – they want information and you’ve got it. They will use that vulnerability to gain access to you. Enter professional criminals – they can monetise that vulnerability by gaining your information and turning it into revenue for them. No-one at this point down the tree has had to do any work – they just went onto Google, found the issue, figured out how they would use it in their attack vector, and went ahead. At the bottom of the tree are vandals. They are at the bottom of the tree because they are easy to pin down: their intent is either pure malice (they just want to break it because they can break it) or, more typically, the kudos element, e.g. website defacement where the original web page is replaced with a vandal’s tag or some random statement and graphics. They have a stable set of goals and intent so you can work with them. At the top of the tree, hackers also have a stable set of goals and intent, so it is really just the bit in the middle where it gets a bit dangerous, because those people have all sorts of agendas at play.

Clients often mistakenly believe that they would not be a target because they just produce widgets. However, if you make money selling widgets and you have clients and you have a bank account, then an attacker can make money out of you somehow. It depends on the attacker’s intent – maybe the widget goes into a nuclear reactor but the client would not know, because that is ten points down the supply chain. Maybe it has been traced back to the client and the client is vulnerable. There are a million reasons why you can be attacked – the idea that you would never be a target is ludicrous. In today’s world, you are a target – if you participate in the internet for any reason, be it checking Facebook, getting news or doing business, you are a target or your business is a target.

Depending on what your business is, you might fall into the APT category – Advanced Persistent Threat. APTs are the attacks that worked and were caught – they worked for a period of time but then someone noticed. They are advanced because very high-tech, latest zero day exploits are used. They are persistent because they go into the environment and they stay in the environment – most people think that hackers are smash-and-grab artists, but in reality an attack is getting a foothold within an organisation and poking around until you find what you are looking for. There are recorded incidents of hackers being inside computer systems for two, three or even four years before they were discovered. They just set up shop and became part of the IT landscape, doing what they wanted to do. A prime example was the TK Maxx attack of 2005-6 that lasted two years. The initial loss was data from 45 million credit cards, but further investigation covering the previous two years found that another 45 million credit card details had been stolen. There is no smash and grab in IT – although stuff can be extracted very quickly, large-scale attacks tend to happen over a very long period of time. At any given time, anybody can go to a certain website (which shall remain nameless) and that website will give you a list of all the current unpatched issues and the source code for them, so that you can download them and try them against any organisation in the world, and they would have little or no defence. In that respect, there is nothing advanced about APTs.

Common attack vectors

To put it into perspective, there are approximately 50,000 known vulnerabilities in the world today. Outside of the known vulnerabilities, there is the flip-side to the original hacker statement, which is state-sponsored activity, of which China is the best example. China has productised its entire hacker army – the People’s Liberation Army has a cyber division with brilliant talent who work for the State to research and come up with vulnerabilities. Those vulnerabilities could potentially be used in an aggressive manner. Israel and America also engage in such activities and the UK is investing in this area too. The next war will be a cyber war!

Attack vectors can be loosely categorised as follows:

- Denial of service (most disruptive): Stopping legitimate services offered by a system by exhausting its available resources with illegitimate requests.
- Defacement/vandalism (most public facing): A malicious change to a public service for kudos. Can result in serious legal or PR damage.
- Eavesdropping (most FS targeted): Listening to or intercepting sensitive information between two or more points.
- Social engineering (most likely to succeed): An attack designed to gain sensitive information inadvertently disclosed via the human element.
- Indirect attacks (most common): An attack by a malicious threat via a medium such as the internet, a modem or other network.
- Direct access attacks (least common): An attack by a malicious threat directly on the system, with physical proximity.
- Malware (most prevalent): Malicious code such as a virus, worm or Trojan horse designed to perform a malicious action or assist in another attack type.

Denial of service

In recent times, denial of service has been the attack most likely to occur, or at least the most reported. Most simply, denial of service is where you build something that people can use and an attacker exhausts all of its resources illegitimately. For example, you build an e-commerce solution to sell your wares. When you build that solution you have a finite amount of money. You allocate that budget through technical architecture as best you can, and someone somewhere says that that much cash equals that much service – maybe 1,000 transactions per second. The system operates fine and does not normally exceed 800 transactions per second on a normal day. But then an attacker comes along and uses nefarious tactics to simulate real users. There is no hacking – you are just load tested by someone simulating a 10,000-user load on your system, and the system collapses. The 800 legitimate users who were going to give you money can no longer do so because the attacker’s 10,000 requests are keeping your system busy – that is denial of service. Denial of service is very easy to do. As an example, around 12 months ago the BBC rented a botnet, which got them into a lot of trouble as it is technically illegal. A botnet is a collection of compromised computers – typically in people’s homes. Victims do not know that they have been compromised, but there is a piece of software running on their computer that makes the attacker (the bot herder!) its real owner and makes the computer his zombie. A bot herder may have 100,000 zombies at his disposal and may sell a percentage of his zombies for a certain period of time (say 24 hours) to another attacker who wants to impose a denial of service on an organisation. The bot herder is given the target URL and that URL will be off the internet for 24 hours. Anyone trying to shut down the attack has to shut down 25,000 legitimate requests – 25,000 individual computers – which is completely infeasible from a technical perspective. That is why denial of service is effective 100% of the time. It is one of the most disruptive but one of the easiest of attack vectors.
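The capacity arithmetic above, worked through as an added model that is not part of the talk: it takes the talk's figures (1,000 tx/s capacity, 800 legitimate users, a 10,000-request attack, 25,000 zombies) and shows why dropping the heaviest sources works against one attacking machine but cuts off real users first once the same load is spread over a botnet. The source names and the one-request-per-second user rate are assumptions made for the illustration.

```python
from fractions import Fraction

# Figures from the talk: the budget bought 1,000 tx/s, a normal day brings
# 800 legitimate users, the attacker simulates a 10,000-user load, and the
# rented botnet spreads that load over 25,000 zombies. Per-source rates and
# the user/bot split are constructed for this illustration.
CAPACITY_TPS = 1000
LEGIT_USERS = 800            # one request per second each (assumed)
ATTACK_TPS = 10_000


def build_load(n_bots, attack_tps=ATTACK_TPS, n_legit=LEGIT_USERS):
    """Offered load per source address: {source: (req/s, kind)}.
    Each legitimate user is one address sending 1 req/s; the attack
    traffic is divided evenly across n_bots zombie addresses."""
    load = {f"user-{i}": (Fraction(1), "legit") for i in range(n_legit)}
    per_bot = Fraction(attack_tps, n_bots)
    load.update({f"bot-{i}": (per_bot, "bot") for i in range(n_bots)})
    return load


def legit_tps_served(load, capacity=CAPACITY_TPS):
    """Legitimate tx/s that still get through when the server cannot tell
    the requests apart and serves a random 'capacity' slice of the offer."""
    legit = sum((r for r, kind in load.values() if kind == "legit"), Fraction(0))
    offered = sum((r for r, _ in load.values()), Fraction(0))
    return legit if offered <= capacity else legit * capacity / offered


def block_heaviest_sources(load, k):
    """Naive mitigation: drop the k addresses sending the most requests.
    Returns (remaining_load, number_of_legitimate_users_blocked)."""
    ranked = sorted(load.items(), key=lambda kv: kv[1][0], reverse=True)
    remaining = dict(ranked[k:])
    legit_hit = sum(1 for _, (_, kind) in ranked[:k] if kind == "legit")
    return remaining, legit_hit


def sources_to_block_for_fit(load, capacity=CAPACITY_TPS):
    """Heaviest-first blocking until the remaining offered load fits in
    capacity; returns how many addresses had to be cut off."""
    rates = sorted((r for r, _ in load.values()), reverse=True)
    offered = sum(rates, Fraction(0))
    blocked = 0
    while offered > capacity and blocked < len(rates):
        offered -= rates[blocked]
        blocked += 1
    return blocked


if __name__ == "__main__":
    single, botnet = build_load(1), build_load(25_000)
    # One attacking machine: 74 of 800 legit tx/s get through; cutting off
    # a single address restores service.
    print(float(legit_tps_served(single)), sources_to_block_for_fit(single))  # 74.07..., 1
    # Same load from 25,000 zombies at 0.4 req/s each: every zombie looks
    # lighter than a real user, so heaviest-first blocking hits users first.
    print(float(legit_tps_served(botnet)), sources_to_block_for_fit(botnet))  # 74.07..., 23300
    print(block_heaviest_sources(botnet, 800)[1])  # 800: all real users cut off first
```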

An example of how this could be monetised is the Blue Square attacks in 2004. Blue Square was online gambling – a high-value business that was transactionally intensive, so if they were not online then they were not making any money. Denial of service attacks randomly took Blue Square offline and then the attackers demanded wire transfers of money to stop the denial of service. This happened three or four times before the attackers were caught.

Defacement/vandalism

These attackers will run scripts and mass-scan the internet looking for anything that is vulnerable. Of the 50,000 known vulnerabilities, they go with one that is likely to be common and will help them achieve their goal of compromising a web server. They write a script in their favourite hacker operating system and say “scan the internet”, and log any vulnerabilities that they find to exploit at their leisure so that they can alter the web page or redirect a web server. A malicious attacker could redirect a website to pornography or some other distasteful website that could cause PR damage to an organisation. It could be more discreet, though, and not involve a redirect – there was an instance where an attacker changed a small amount of text halfway down the page of a Middle Eastern government’s website to declare war on Canada. This went unnoticed for quite some time and, although this incident did not cause any harm, imagine how that technique could be used if shareholders of a company were involved and the website was changed to say that the outlook was poor.

Eavesdropping

Listening to electronic communications – one laptop talks to another laptop and an attacker listens to them having a chat. Cryptographic protection is not necessarily effective – anything that can be engineered can be reverse-engineered. For example, e-commerce is built on SSL (Secure Sockets Layer), which results in the padlock in the corner of your browser. You see the padlock and you feel safe and enter your credit card details, but SSL was compromised and broken two to three months ago and there are two known attacks against it right now. As time moves on, secure systems become insecure and then fixes come out which fix them. The SSL fix came out very quickly, but there are still many sites out there that have not been fixed, and how can a customer know? The padlock is still showing, but there is no way to know whether the fix has been applied unless you know what to look for in the certificate. Using complex encryption standards is not necessarily the way to go – the data you are trying to protect is only commercially valuable, or only has a protected-interest life cycle, of about three weeks. You could still use Data Encryption Standard (DES) encryption (which was broken in the mid-1980s) because it still takes four to six weeks to crack each package, so by the time an attacker gets your data it is no longer valuable anyway. DES requires less processing power and is more efficient than a complex encryption standard.

Social engineering

There are three sub-categories – technical, verbal and physical. An example of physical social engineering is someone pretending to be a British Gas engineer knocking on the door of a business and telling them to evacuate because of a suspected gas leak. Employees assume the engineer is genuine because of the uniform and leave the office unattended and exposed. Verbal social engineering would be more around receiving a telephone call and being convinced to divulge information. It could involve getting one piece of information from one person in an organisation and using that piece of information to get further information from a second person, and so forth. Technical social engineering is best illustrated by phishing, where emails are sent to people asking them to change their login details (most commonly for their bank) via a link that is fake. In all three aspects of social engineering, basic human nature is exploited – the basic human need to trust.

Indirect and Direct Access attacks

An indirect attack is where one computer is used to attack another computer via a connection medium, which could be wireless, wired, infrared, Bluetooth, etc. A direct attack is where the attacker physically walks up to a computer and starts typing. Physical social engineering is a great way to get direct access to a computer, and a computer is at its most vulnerable when an attacker is physically present. Getting access to a computer with no username and password is as simple as rebooting it: I go into single-user mode because it is Linux, I reset the admin password and the job is done. Indirect attacks are not as simple, as you need a vulnerability, as discussed earlier.

Malware

There is so much malicious software out there. The CTO at Sophos recently said that they find 100,000 new pieces of malicious software every day in their labs, and that is just one vendor. The making and using of malicious software is big business. Malware is what an attacker puts on your computer to maintain access to your organisation. It is a little piece of code that your system cannot detect, and it gives your attacker a virtual private network with no need for login systems or remote access systems, which are inefficient by comparison. A lot of attacks these days start with social engineering such as phishing. An email is sent containing a document which, when opened, installs some code in the background using a zero day vulnerability in your browser. That dials home to the attacker, who now has direct access to that person’s network. That attack is what took down RSA and has taken down nine out of ten companies for the past ten years. It is one of the simplest attacks in the market – you chain a couple of different things together to get a victory. Attacks are often chained together to complete a much more complex attack vector.

Attack Surface(s)

(Diagram labels: Vulnerability; Total Attack Surface)

NETWORK – The attack surface of a network is the combination of its servers, devices and systems listening for connection and communication attempts.

SOFTWARE – The attack surface of a software environment is the scope of its functionality that is available to users.

HUMAN – The human attack surface is quantified as the knowledge and security consciousness of the populace of your organisation.

The attack surface is more than just technology. It is the physical access to the technology, it is what the technology does (the software), it is where it sits on the network – that all forms part of the attack surface. Even the users form part of the attack surface through social engineering – it is easier to hack the user than to hack the system. Combining all those things, the overall attack surface for any environment is a lot bigger than you might think. Understanding the attack surface is very important – if you do not understand that, then you do not know where the vulnerabilities could be, therefore you do not know what the attacks are, and therefore you do not know who the threat agents are. You need to start at this end and work backwards. Think of any key information asset that you are currently charged with using or protecting, then think of its attack surface – how do you use it and how do you get access to it? How does an admin use it and how does an admin get access to it? What is it? Where is it? How would you attack it? That is the thinking here, and if you start pulling it all together then it is quite simple.