Six hours to hack the FBI (and other pen-testing adventures)

Computerworld - It takes a lot to shock Chris Goggans; he's been a pen (penetration) tester since 1991, getting paid to break into a wide variety of networks. But he says nothing was as egregious as security lapses in both infrastructure design and patch management at a civilian government agency -- holes that let him hack his way through to a major FBI crime database within a mere six hours.

Goggans, currently senior security consultant at security firm PatchAdvisor Inc. in Alexandria, Va., says his adventure started when, during a routine network scan, he discovered a series of unpatched vulnerabilities in the civilian government agency's Web server, as well as other parts of the enterprise.

Goggans used a hole in the Web server to pull down usernames and passwords that were reused on a host of enterprise systems. In those systems, he found further account details that allowed him to get Windows domain administrator privileges -- a classic escalation-of-privileges attack.

Using this privileged access, he was able to gain full control of almost all Windows-based systems in the enterprise, including workstations used by the on-site police force. He noticed that several police workstations had a second networking card installed that used the SNA protocol to directly talk to an IBM mainframe.

By covertly installing remote control software on those workstations, he found programs on their desktops that automatically connected the workstations to the FBI's NCIC database. "That software, coupled with a keystroke capture program, would allow an attacker to grab the credentials needed to log into the FBI's National Crime Information Center database," he says.

Like most vulnerabilities he's found over his years of paid ethical hacking, this one could have easily been eliminated with some basic security strategies, he says. For instance, the police network should have been firewalled off from the main enterprise network, and the investigators' workstations kept out of the larger domain.

Also, he says the agency should not have allowed those workstations both NCIC and general enterprise network access, since they were connected to something with such obvious national security implications. Finally, the system administrators should have monitored and blocked the common reuse of passwords.

Not as SOX-y as they thought they were

Chris Nickerson, CEO of Lares Consulting, is also amazed by the simplicity of most hacks -- especially in this era of compliance, which should demand tighter controls. In fact, he says when he was sent to do testing for a Big Four company, he was able to immediately gain full administration access to all the organization's applications.

"This was a company that had maintained they were Sarbanes-Oxley compliant for several years. Yet I had control of the business within the first 20 minutes. I could actively change general ledgers and do other critical tasks," he says.

He also has found problems with companies that claim to be in compliance with the newer Payment Card Industry (PCI) standard. "I've had people who have spent millions of dollars on security to say they are compliant, and I walk in and pop open their main credit card processing system within 10 minutes."

The problem, he says, lies with compliance rules themselves. "The government has narrowed the scope of compliance so much to make it cost affordable that it overlooks a lot of things that are real-life security vs. paper security," he says. And the keys to a solid vulnerability-management program? "Scanning, verification of results, patching and fixing, and starting all over again."

He encourages his clients to focus on two technology tasks: managing patches and hardening their operating systems. "You should always make sure you're up to date on patches and turn off ports and services you're not using."

Nickerson is also a fan of automated penetration-testing tools, such as Core Security's Core Impact. "I like to show people, through the use of software like Core Impact, how easily I can get through their whole network. I even let them drive the tool so they can see how someone with zero knowledge can attack them. That's usually when they realize security is something they have to do," he says.

He recommends that even after the initial testing is done, organizations continue to use the automated penetration tools to audit their environments to pick up problems with new applications or configuration changes.