Security threats Toolkit

Keeping security in check

Tags:
Ethical Hacking

John Verry Tech Republic

Published: 11 Oct 2005 14:30 BST

...success was a reflection of the egregious security the ASP had provided on behalf of the client's data. The next section outlines our techniques.

The means to an end (game)
A Terminal Services login screen, that fronted the application, greeted us after connecting across the VPN. The ASP intended for the user to authenticate to the Domain, but had actually left the option of allowing the individual to log on locally to the system by selecting it in the drop down box. Selecting this option, under the assumption that local system security is usually weaker than domain security, we attempted to log in using the account "administrator" with a password of "password". Our second attempt was the combination "administrator"/"ASP" (where ASP was the name of the ASP.) Sadly, we were local administrators on the box. To our sheer disbelief, we proceeded to find that every device on the hosted segment was using the same password.

In many applications, hacking the application and network devices are only a means to reach the ultimate goal, which is often the database. Therefore, we set our sights on the Microsoft SQL Server. Noting the incredibly low security we had encountered to date, we joked that it would probably still be running with the default administrator account (user "sa" with a blank password). Our level of astonishment continued to rise when we found we were indeed correct. Perusing the database we noted the clients included republics, corporations, and royalty.

Before you bail out of the article at this point to click on the "TalkBack" link to blast this as an absolutely unbelievable story, consider our intention. Detailing our compromise of a system that a secretary could have hacked, does not provide us any true benefit. If we wanted to tout our capabilities I would regale you with a VoIP hack inside a governmental agency or some other more compelling tale. This article is intended to raise the awareness of those readers whose business critical data is in the hands of strategic business partners. Unfortunately, the level of security detailed in this narrative is 100 percent accurate.

Two for the price of one
The most compelling question asked during our conference call with management was, "Can another BC-client compromise our infrastructure, access our client data, and gain the ability to transfer funds, in the same way that you did?"

We jointly agreed that testing this scenario was critical, but were uncertain of the legal implications of the effort. We quickly convened a second conference call, which would include BC counsel and our counsel.

After considerable discussion with...

For more, click here...