By Edward Skoudis, Vice President, Security Strategy
As a developer in charge of securing your company’s information systems, you may have implemented an ethical hacking program. Like many people in IT today, you know bad guys hammer your systems looking for vulnerabilities day and night. So you scan your machines to find the holes before the attackers do.
You run an automated vulnerability scanner against your critical systems, such as your Web, e-mail, and DNS servers, on a regular basis. You even conduct port scans of your critical Internet-accessible servers and perform periodic war dialing tests to discover rogue modems connected to your network. These are definitely good moves. But to make sure you’ve covered everything, you may need to move your program up a level.
While useful and important, testing only your traditional network infrastructure systems falls short in some critical areas. Infrastructure ethical hacking looks for well-known flaws in common platforms. Finding security problems in your firewall configurations, operating system settings, and server program controls is crucial to your overall security program.
However, the security industry has seen a significant shift in focus by more sophisticated hackers. Many have moved beyond simply looking for misconfigured or unpatched Internet components and operating systems. A new arsenal of techniques used to steal information and to break in to systems is being deployed against Web-based applications, client-side Internet software, and wireless devices and services.
Hacking Web applications
Many organizations have custom-developed Web applications that are finely tailored to a specific business and environment. A variety of industries have Web-enabled customer and supplier interactions, offering services such as online banking, trading, healthcare, government, and other transactions via the Internet. Because they are often based on custom software, these applications usually have unique security requirements. Unfortunately, some are not fully tested before going into production.
In conducting assessments, Predictive Systems’ Ethical Hacking Team has uncovered numerous Web applications with major vulnerabilities. Even the most sophisticated e-commerce sites fell victim to their hacking techniques due to simple logic and coding flaws. For example, a vulnerability was discovered in an online banking system that allowed the ethical hacking team to move money between arbitrary user accounts. In fact, one international banking application allowed the team to transfer $10 million from an existing customer account into their own account. The transaction appeared completely legitimate in the system log files and went undetected by IDS engines because of the multiple layers of encryption used during transport.
To discover these problems before attackers do, you should utilize a comprehensive methodology and an arsenal of custom tools for assessing Web applications. Strategies include:
- Tracing the logic flow of an application to determine whether the flow can be broken or bypassed as the user interacts with the various transaction elements.
- Analyzing the logon procedures and error messages to determine whether account numbers or passwords can be harvested using brute-force techniques.
- Analyzing the methods an application uses to track the user through transactions and between Web pages. This analysis is done by examining the state variables used by the application, including cookies, hidden form elements, and URL rewriting. We actively attempt to undermine these “stateful” elements to usurp other users’ sessions or transactions.
- Understanding and actively attempting to undermine all transactions in the application, including login, purchasing, trading, searches, etc.
- Analyzing dependent third-party software for vulnerabilities that might allow access to the primary application.
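The banking flaw described above and the third strategy in the list share one root cause: the server trusted client-held state (a hidden form field naming the source account) instead of deriving authorization from the authenticated session. The following Python is an added example, not code from the article or from Predictive Systems; the ledger, session store and request shape are constructed for the demonstration. It contrasts a transfer handler that trusts the hidden field with one that binds the source account to the session user and records the mismatch for the application log.

```python
"""Money-transfer handling: a version that trusts a hidden form element beside a
version that derives authorization from the session. All accounts, sessions and
requests below are constructed for illustration (assumed, not from any real system)."""
import secrets
from dataclasses import dataclass

# Constructed ledger: account number -> owner and balance (whole dollars).
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 500},
    "2002": {"owner": "mallory", "balance": 10},
}
SESSIONS = {}   # opaque session token -> logged-in user (constructed session store)
AUDIT_LOG = []  # application-level log lines a detection team would want to see


def login(user: str) -> str:
    """Issue an unguessable session token; a predictable id would itself be a flaw."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    return token


@dataclass
class Request:
    cookies: dict  # e.g. {"session": token}
    form: dict     # POSTed fields, including the hidden "from_account" element


def transfer_vulnerable(req: Request) -> str:
    """Trusts 'from_account' from a hidden form element. The server pre-filled it
    with the user's own account when rendering the page, but nothing stops the
    client from editing it before submission."""
    user = SESSIONS.get(req.cookies.get("session"))
    if user is None:
        return "not logged in"
    src, dst = req.form["from_account"], req.form["to_account"]
    amount = int(req.form["amount"])
    if ACCOUNTS[src]["balance"] < amount:
        return "insufficient funds"
    ACCOUNTS[src]["balance"] -= amount
    ACCOUNTS[dst]["balance"] += amount
    return "ok"


def transfer_hardened(req: Request) -> str:
    """Derives the acting user from the session and checks ownership of the source
    account on the server; every client-supplied field is treated as untrusted."""
    user = SESSIONS.get(req.cookies.get("session"))
    if user is None:
        return "not logged in"
    src, dst = req.form.get("from_account"), req.form.get("to_account")
    try:
        amount = int(req.form.get("amount", ""))
    except ValueError:
        return "invalid amount"
    if amount <= 0:
        return "invalid amount"
    if src not in ACCOUNTS or dst not in ACCOUNTS:
        return "unknown account"
    if ACCOUNTS[src]["owner"] != user:
        # A session acting on someone else's account is the signal the log must carry;
        # the encrypted transport hides it from a network IDS, so the app has to say it.
        AUDIT_LOG.append(f"DENIED transfer user={user} from={src} to={dst} amount={amount}")
        return "forbidden: session user does not own source account"
    if ACCOUNTS[src]["balance"] < amount:
        return "insufficient funds"
    ACCOUNTS[src]["balance"] -= amount
    ACCOUNTS[dst]["balance"] += amount
    AUDIT_LOG.append(f"OK transfer user={user} from={src} to={dst} amount={amount}")
    return "ok"


if __name__ == "__main__":
    token = login("mallory")
    # Same tampered request (source account changed to alice's) against both handlers.
    tampered = Request(cookies={"session": token},
                       form={"from_account": "1001", "to_account": "2002", "amount": "100"})
    print("hardened :", transfer_hardened(tampered))
    print("vulnerable:", transfer_vulnerable(tampered), ACCOUNTS)
    print("\n".join(AUDIT_LOG))
```

The hardened handler never reads the source account as an authorization decision; it reads it as a claim to be verified against the session. The same pattern applies to any state carried in cookies, hidden fields or rewritten URLs: the server may use it for convenience, but ownership and entitlement come from server-side records keyed by the authenticated identity.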
Attacks against client-side software
Beyond attempting to manipulate the server-side components of a Web application, attackers are also targeting the client software used in Internet applications. Many companies deploy Web-based applications that rely on Java applets sent to a user’s browser or on custom programs installed on a user’s computer. Software developers often build these programs using very insecure “shortcuts,” such as embedding passwords in client-side tools, omitting strong encryption or code obfuscation, or even skipping user authentication altogether. In many cases, an attacker can easily manipulate the software on the client system to retrieve sensitive information.
Ethical hacking teams can conduct detailed analyses of client-side components attempting to find holes in their armor. Reverse-compiling Java applets allows us to find security flaws that could expose sensitive information or allow unauthorized access. The team can exhaustively manipulate software configurations and attack local programs to force them to give up secrets, just like the attackers on the Internet.
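The “shortcut” named first above, passwords embedded in client-side code, is one a development team can catch before the applet ships. The following Python is an added example and not a tool from the article or from Predictive Systems: a small scanner that walks source text (the decompiled output of an applet, or the original source in review) and reports string literals assigned to credential-looking identifiers plus long high-entropy literals that often turn out to be keys or tokens. The Java-like sample and every value in it are constructed for the demonstration.

```python
"""Detect hard-coded credentials in client-side source text.
Two heuristics: (1) a string literal assigned to an identifier that looks like a
credential; (2) any long string literal whose Shannon entropy suggests key material.
The sample below is constructed; no real credential appears here."""
import math
import re
from collections import Counter

# (1) identifier containing password/pwd/secret/token/api key, assigned a literal >= 4 chars
CRED_ASSIGN = re.compile(
    r'(?P<name>\w*(?:pass(?:word|wd)?|pwd|secret|token|api[_-]?key)\w*)'
    r'\s*[:=]\s*["\'](?P<value>[^"\']{4,})["\']',
    re.IGNORECASE,
)
# (2) long literal drawn from base64/hex/URL-safe characters only (no spaces)
STRING_LITERAL = re.compile(r'["\']([A-Za-z0-9+/=_\-]{20,})["\']')


def shannon_entropy(s: str) -> float:
    """Bits per character; ~4.6 for a 24-char string of distinct symbols, 0 for 'aaaa'."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def find_hardcoded_secrets(source: str, entropy_threshold: float = 4.0) -> list:
    """Return findings as dicts with line number, kind, and a redacted name/preview.
    The literal value itself is never stored, so the report can be shared safely."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = CRED_ASSIGN.search(line)
        if m:
            findings.append({"line": lineno, "kind": "credential-assignment",
                             "name": m.group("name")})
            continue  # one finding per line is enough for a reviewer
        for literal in STRING_LITERAL.findall(line):
            if shannon_entropy(literal) >= entropy_threshold:
                findings.append({"line": lineno, "kind": "high-entropy-literal",
                                 "name": literal[:4] + "..." + literal[-2:]})
                break
    return findings


# Constructed sample resembling decompiled applet source (assumed, not a real applet).
SAMPLE_DECOMPILED = """\
public class AccountApplet extends Applet {
    // connection settings for the back-end service
    private static final String DB_USER = "appuser";
    private static final String DB_PASSWORD = "hunter22";
    private static final String API_TOKEN = "9fK2xQ7vLp3mZ8wR1tY6uB4nC0sD5eH";
    private static final String SIGNING_MATERIAL = "kJ8mQ2xW7vL3pZ9rT4yB6nC0";
    private static final String BANNER = "aaaaaaaaaaaaaaaaaaaaaaaa";
    public void init() { connect(DB_USER, DB_PASSWORD); }
}
"""

if __name__ == "__main__":
    for f in find_hardcoded_secrets(SAMPLE_DECOMPILED):
        print(f"line {f['line']:>3}  {f['kind']:<24} {f['name']}")
```

Line 7 of the sample is deliberately a long literal with zero entropy, which the second heuristic ignores; a threshold around 4.0 bits per character separates repetitive banners and URLs from random-looking key material. Either hit means the value must move out of the client, since anything shipped in an applet can be decompiled exactly as the text describes.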
For an interesting example, read this Web application security war story.
Wireless network components have become incredibly inexpensive. Base stations to connect to a network cost less than $300, while PC cards for laptops are less than $100. At this price point, employees in many companies are setting up wireless networks in their own offices so they can attend meetings and wander the halls while maintaining connectivity. Without careful configuration and maintenance by security personnel, these rogue wireless stations can be easily attacked. Many major corporations today would be surprised at the number of wide-open wireless access points connected to their networks.
An attacker can easily set up an antenna in a parking lot or on a floor in the building to gather sensitive data as it moves across the network, including e-mail, Web transactions, and database activities. Attackers are even rigging antennas to the roofs of their cars and driving through cities to find weak corporate wireless connections, a process known as “war driving.”
What you need to do
If you haven’t dusted off your own ethical hacking procedures in the last year to include Web application, client-side software, and wireless LAN tests, you should. Attackers are constantly refining their skills and tactics for getting access to your computers and information. You should do the same so you can spot the holes before they do.
Ed Skoudis is vice president of security strategy for Predictive Systems. His background includes performing security assessments, designing secure network architectures, penetration testing, and incident response. Skoudis graduated from the University of Michigan and holds a master’s of science degree in information networking from Carnegie Mellon University. His prior experience includes Bell Communications research.
Do you hack your systems?
How do you test the security of your systems? Do you use ethical hackers to attack your system? Send us an e-mail with your thoughts and experiences or post a comment below.