Anatomy of a friendly hack
How to assess your enterprise security, correct vulnerabilities and thwart attacks.

By Winn Schwartau
Network World, 2/2/98

This story is based on an actual experience with a client in the banking industry. Names and other details that could reveal the client's identity have been changed, but the story is otherwise accurate.

James Fallsworth, vice president of corporate security at Big American Bank, was in a panic. He had just learned that the bank soon would debut a suite of Web-based remote banking services for seven million global customers. BABank Online would let customers access their accounts, make payments and transfers, and remotely manage their finances.

Incredulous that he wasn't previously informed about a technical move rife with staggering security implications, Fallsworth was in a quandary. The beta program already had begun and the new online services would be globally deployed in less than two months. BABank's president assumed Fallsworth had been in the loop and asked him to handle the situation.

Fallsworth quickly needed to know how secure BABank Online was. Break-ins or even Web graffiti would undermine customer confidence in the service and diminish the bank's revenue and profit. It didn't take long for him to decide what to do: Hire a company to test the external security controls of the bank and determine the company's real vulnerabilities.

Once Fallsworth hired our firm, we worked together to understand the goals of the penetration testing, also known as a friendly hack. These goals included assessing the integrity of the new services and how they relate to the rest of the bank's operations; determining what vulnerabilities exist; offering solutions to boost security; and demonstrating the possibility of losses due to system intrusion.

Chart the method of attack

When you plan security assessments and simulated attacks against your company, you need to identify potential perpetrators. Most companies view the bad guy as a professional criminal, foreign national, spy, competitor, terrorist or maybe just a 16-year-old with a keyboard. After Fallsworth identified international criminals with profit motives as the likely enemy, we decided how we would carry out the friendly hack on BABank's networks and Web sites.

Naturally, it's important to understand how far real hackers might be willing to go to penetrate your network. Social engineering is a tactic for acquiring information that can be useful in compromising the defenses of a company under attack. This could take the form of anything from a friendly telephone query about a new mainframe service pack to a probing inquiry of specific security operations.

Dumpster diving is another common dirty trick. All too often, a company's garbage contains a gold mine of customer information, internal phone directories, technical documentation, disks and other resources.

In addition to gaining access via telephone systems, maintenance ports and any other electronic doors we could find, we deemed phone-based social engineering, posing as an employee or supplier over the phone, and dumpster diving off the bank premises as fair game for the simulated attack.

Mail-based social engineering, on-site dumpster diving, posing as an employee on-site and penetrating business partners were off limits, along with more nefarious methods such as extortion, blackmail, coercion and investigating the backgrounds of bank personnel. Many out-of-bounds behaviors were eliminated because of legalities; others were simply too hard for the bank to stomach and allow an outsider to do. Unfortunately, these limitations keep the exercise from providing a full representation of what real bad guys could do.

Hacking itself often is illegal and sometimes even considered a felony, so be sure to give the security assessment company written permission to complete the exercise. In the unlikely event that certain activities are discovered, misunderstood and reported, this is the security firm's only way out of trouble. But you can only authorize the team to hack into your own company's systems, not others'.

Any efficient attacker assembles information about the target through public documents, financial reports and technical documentation. Hackers can benefit from information on operating systems in use, major products used in the corporate enterprise, phone exchanges and physical addresses of data and phone centers. BABank handed this information over to our assessment team to save time and money.

Naturally, a real attacker would do anything possible to get closer to his target, regardless of the nature of the business. Fallsworth gave us a legitimate bank account with $1,000 in it. We could access the account by telephone or via a pilot Web banking site that a small number of employees could access.

Find the Achilles' heel

Once the preliminary research is complete, the attack team begins to map the target network. This nonintrusive picture of the target's electronic perimeter includes IP addresses, physical locations, maintenance and dial-up ports, telephone numbers, voice response units, SNA networks, servers supporting Microsoft Corp.'s Routing and Remote Access Service, routers and other remote authentication pathways.

Several commonly available analysis methods and tools aid the external mapping process. For example, a search of InterNIC yields an in-depth look at a company's IP structure. Programs called demon dialers scan tens of thousands of telephone numbers in search of modem tones to indicate the presence of a computer. Network sniffers are used to read traffic along the company's known IP paths; once hackers are inside the network, they can use sniffers to monitor traffic, passwords or other activities at the root level.

It's critical for the security assessment team to log auditable events throughout the process. If something goes wrong and a system is adversely affected, an activity log is instrumental in understanding what went wrong and how to fix it.
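One way to keep such an activity log so that it can be trusted afterwards is to chain each entry to the previous one with a hash, so a later edit or deletion is detectable. The following is an added example, not code from the article or from the assessment firm; the record fields, host names and timestamps are constructed for illustration.

```python
"""Tamper-evident activity log for an assessment team.

Added example (not from the article): each action the team takes is
appended as a timestamped record whose hash also covers the previous
record's hash, so editing or deleting an entry later breaks the chain and
shows up when the log is reviewed after something goes wrong.
"""
import hashlib
import json

GENESIS = "0" * 64  # stands in for the predecessor hash of the first record


def _digest(prev_hash, record):
    # Canonical JSON (sorted keys, no whitespace) keeps the hash stable.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class ActivityLog:
    def __init__(self):
        self.entries = []

    def append(self, ts, actor, action, target, outcome):
        """Record one action; returns the new entry's hash."""
        record = {"ts": ts, "actor": actor, "action": action,
                  "target": target, "outcome": outcome}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"record": record, "prev": prev, "hash": _digest(prev, record)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return the index of the first broken entry, or -1 if the chain is intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev"] != prev or _digest(prev, entry["record"]) != entry["hash"]:
                return i
            prev = entry["hash"]
        return -1


def demo():
    """Build a small log from constructed entries, then tamper with one.

    Hosts, times and outcomes are made up for the example (192.0.2.0/24 is
    a documentation address range, babank.example a reserved test name).
    """
    log = ActivityLog()
    log.append("1998-01-12T09:00:00Z", "tester1", "nslookup", "babank.example", "found 192.0.2.10")
    log.append("1998-01-12T09:05:00Z", "tester1", "telnet-banner", "192.0.2.10:25", "Sendmail 5.x")
    log.append("1998-01-12T09:20:00Z", "tester2", "scan", "192.0.2.0/24", "Internet Scanner run completed")
    before = log.verify()
    # Someone quietly rewrites what was observed on the mail server.
    log.entries[1]["record"]["outcome"] = "no banner returned"
    after = log.verify()
    return before, after
```

`demo()` returns `(-1, 1)`: the chain verifies before the edit and the second entry is reported as the first broken one afterwards. In practice the entries would be written to append-only storage (or a second party would hold copies of the hashes) so the chain cannot simply be rebuilt by whoever edits it.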

Another mapping step is to manually examine the target's IP range - that is, the Class B or Class C service dedicated to the company - through InterNIC and other facilities.

For example, we used the nslookup command to find IP addresses that could be viable targets for our attacks. We then used telnet to lead us to a Unix machine running Sendmail 5.x, which has a number of security holes that might let us penetrate the mail server.

In BABank's case, we also discovered that a systems operator hadn't been online for 19 days, which looked like lax security. We found two people online and decided to wait to launch our attack until they were gone. We also used software to hide our true IP address and identity.

We used Internet Security Systems, Inc.'s Internet Scanner and the public domain Satan security assessment tools to begin finding and exploiting more weaknesses. You also may wish to consider using other tools, such as Netect, Inc.'s Netective, Secure Networks, Inc.'s Ballista and Wheel Group Corp.'s NetSonar, many of which are available as free downloads. Because each product has different strengths and weaknesses, it's wise to stock your arsenal with several different tools to cover your bases. The tools can help find poorly configured servers, routers with holes, Windows NT registry problems, misconfigured operating systems, protocol spoofing, poor passwords, improper upgrades and outdated patches.

In the meantime, we also tried some social engineering. Posing as an engineer who worked for a vendor, one of our employees called BABank's engineering and development group several times and learned about the institution's internal connectivity. We also learned a lot of personal information about one of the bank's workers, and then one of us posed as him to gain additional access to electronic resources.

Armed with the scanner results, the competitive intelligence we gleaned from public sources and the information we got via social engineering, we were ready to penetrate BABank's networks. Naturally, the actual break-in is the most sensitive part of any security assessment, and teams need to be careful not to cause any damage. Don't try this at home unless you know what you're doing - it takes far more expertise to conduct a safe and successful penetration than merely running a scanning tool and generating a report.

Breaking in

Our strategies included using weak passwords, finding old versions of sendmail programs with well-known weaknesses that weren't patched, telneting to unsecured ports, FTPing and modifying password files. This may sound overly simple, but most security holes result from a failure to continually employ common-sense practices.

TCP/IP services, maintenance ports on internal computers and PBXs linked to data lines all provide entrances to the corporate infrastructure along with the means identified in the mapping exercise.

We found two easy entry points to BABank's network. A dial-up maintenance port on an AS/400 used the manufacturer's default passwords, giving us complete control over the system. And the e-mail server used an old version of Unix that hadn't been patched very well. We found several holes there, including a classic sendmail hole and the ability to write files at the root level. The vulnerabilities let us gain control of the server and communicate with other servers at the administration level.

The next step was to map the internal infrastructure. We used password-crackers to identify weaknesses and found poor controls on application resources, system controls, system utilities and operating systems controls at the kernel or root.

Look at this example of a potential vulnerability: Say an external TCP/IP path connects to a company's Windows NT Box 1, one of eight NT servers. The only connection that NT Boxes 2 through 8 have to the outside world is through Box 1. Therefore, Box 1 is the only available path to penetrating the rest of the enterprise. Administrators often assume that their systems are secure if they offer strong protection on their external security mechanisms. Thus, they implement internal security in a much less rigorous manner, which makes our hacking jobs much easier.

Calling all intruders

Don't forget to assess the security of your corporate PBX, which may have undocumented connections to the data network and could give intruders a way in. But fortunately for BABank, we didn't have much luck getting in that door.

Penetrating a PBX or voice response unit yields an abundance of useful information, such as access points, direct inward service administration and maintenance ports, internal voice recognition applications and PBX voice mail forwarding services. This data ultimately helps hackers penetrate accounts and control systems.

To keep hackers out of your PBX, change the default passwords and examine your audit logs to get a sense of normal activity. Verify updates and system patches so you don't add new vulnerabilities. It's also critical to scan for unwanted modems. Remember, all it takes is an unwitting secret modem and a PC set to Remote Server Mode and your entire network opens up.

We used a demon dialer to find a small number of modems within the bank's range of phone extensions. We launched an attack and examined the security mechanisms in place. Several were password-protected so we launched automatic password-guessing schemes to see how weak or strong they were. Although we didn't find an access point there, we were able to mount a manual attack using easily guessed passwords on a router's maintenance port. Bingo!
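The advice above to examine your audit logs for a sense of normal activity, and the automated password guessing just described, suggest what a defender should be looking for on maintenance ports. The following is an added example, not code from the article or from the bank: it runs three detection rules over constructed authentication log lines. The log format, device names (`router-maint`, `as400-maint`), user names and caller identifiers are all assumptions made for the example.

```python
"""Spot automated password guessing and odd logins on maintenance ports.

Added example (not from the article): runs three rules over constructed
authentication log lines of the kind a dial-in router or AS/400 maintenance
port might produce. The log format, the device names and the source
identifiers are assumptions made up for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<port>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: a burst of failures from one outside caller, then a
# success; later a single mistyped password from an internal extension.
SAMPLE_LOG = """\
1998-01-14 02:13:05 router-maint user=admin src=ext-555-0142 result=FAIL
1998-01-14 02:13:09 router-maint user=admin src=ext-555-0142 result=FAIL
1998-01-14 02:13:14 router-maint user=admin src=ext-555-0142 result=FAIL
1998-01-14 02:13:18 router-maint user=admin src=ext-555-0142 result=FAIL
1998-01-14 02:13:22 router-maint user=admin src=ext-555-0142 result=FAIL
1998-01-14 02:13:40 router-maint user=admin src=ext-555-0142 result=OK
1998-01-14 10:02:11 router-maint user=admin src=int-4410 result=OK
1998-01-14 11:40:02 as400-maint user=operator src=int-2210 result=FAIL
1998-01-14 11:41:10 as400-maint user=operator src=int-2210 result=OK
this line is malformed and must be skipped, not crash the analyser
"""


def parse(text):
    """Yield parsed events in file order, silently skipping malformed lines."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield {
                "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
                "port": m.group("port"), "user": m.group("user"),
                "src": m.group("src"), "result": m.group("result"),
            }


def analyse(text, burst=4, window=timedelta(minutes=5), hours=(8, 18)):
    """Return (rule, port, src, timestamp) alerts.

    guessing             burst-or-more failures from one source within the window
    success-after-burst  a successful login from a source that just produced a burst
    out-of-hours         any successful maintenance login outside the stated hours
    """
    alerts = []
    recent = defaultdict(list)  # (port, src) -> failure timestamps inside the window
    for ev in parse(text):
        key = (ev["port"], ev["src"])
        # keep only failures still inside the sliding window
        recent[key] = [t for t in recent[key] if ev["ts"] - t <= window]
        if ev["result"] == "FAIL":
            recent[key].append(ev["ts"])
            if len(recent[key]) == burst:  # fire when the burst is reached, not on every extra failure
                alerts.append(("guessing", ev["port"], ev["src"], ev["ts"]))
            continue
        if len(recent[key]) >= burst:
            alerts.append(("success-after-burst", ev["port"], ev["src"], ev["ts"]))
        if not hours[0] <= ev["ts"].hour < hours[1]:
            alerts.append(("out-of-hours", ev["port"], ev["src"], ev["ts"]))
        recent[key] = []  # a success closes the failure run for that source
    return alerts
```

On the sample, `analyse(SAMPLE_LOG)` produces three alerts, all for the outside caller on the router's maintenance port: the guessing burst, the success that follows it, and the fact that the success happened at 2 a.m. The single failed attempt from the internal extension raises nothing, which is the point of using a burst threshold rather than alerting on every bad password.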

The port let us enter the network and use the AS/400 to transfer a small amount of money into our account from an account that didn't belong to us. If we could move $1,000, real hackers could move $1 million or $1 billion. However, we knew BABank had a lower threshold for financial fraud detection thanks to our social engineering results.
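The weakness described here is a fraud check keyed on amount alone: a transfer kept under the threshold passes unnoticed whoever initiated it. The following added example (not from the article or the bank) compares an amount-only rule with layered rules over constructed transfers. The threshold value, channel names and account numbers are assumptions made for the example; the article only says the bank's real threshold was low.

```python
"""Why an amount-only fraud threshold is weak.

Added example (not from the article): compares a single amount threshold
with layered rules over constructed transfers. The threshold value, the
channel names and the account numbers are assumptions made for the example.
"""
from collections import defaultdict
from dataclasses import dataclass

AMOUNT_THRESHOLD = 10_000  # assumed: single transfers at or above this are reviewed


@dataclass
class Transfer:
    tid: str
    src: str      # debited account
    dst: str      # credited account
    amount: int   # whole currency units
    channel: str  # "web", "phone", "branch" or "operator" (internal/maintenance session)


def amount_only(transfers):
    """The naive rule: flag only transfers at or above the threshold."""
    return [t.tid for t in transfers if t.amount >= AMOUNT_THRESHOLD]


def layered(transfers, known_payees):
    """Flag on amount, first-time payee, non-customer channel, or daily total.

    known_payees maps a source account to the destination accounts it has
    paid before; the function works on a copy and learns as it goes.
    """
    seen = {src: set(dsts) for src, dsts in known_payees.items()}
    daily_total = defaultdict(int)
    flagged = {}
    for t in transfers:
        reasons = []
        if t.amount >= AMOUNT_THRESHOLD:
            reasons.append("amount")
        if t.dst not in seen.get(t.src, set()):
            reasons.append("new-payee")
        if t.channel == "operator":
            reasons.append("non-customer-channel")  # customers never use this path
        daily_total[t.src] += t.amount
        if t.amount < AMOUNT_THRESHOLD and daily_total[t.src] >= AMOUNT_THRESHOLD:
            reasons.append("cumulative")  # several small transfers adding up
        if reasons:
            flagged[t.tid] = reasons
        seen.setdefault(t.src, set()).add(t.dst)
    return flagged


# Constructed sample: T2 mirrors the article's $1,000 move into the tester's
# account from an internal session; T4-T6 split a large sum into small pieces.
SAMPLE_TRANSFERS = [
    Transfer("T1", "1001", "2001", 250, "web"),
    Transfer("T2", "3005", "9999", 1_000, "operator"),
    Transfer("T3", "1001", "2001", 12_000, "web"),
    Transfer("T4", "4040", "7777", 4_000, "web"),
    Transfer("T5", "4040", "7777", 4_000, "web"),
    Transfer("T6", "4040", "7777", 4_000, "web"),
]
KNOWN_PAYEES = {"1001": {"2001"}}
```

`amount_only(SAMPLE_TRANSFERS)` flags only `T3`. `layered(SAMPLE_TRANSFERS, KNOWN_PAYEES)` also flags `T2` (a first-time payee paid from an internal session, which is the shape of the test transfer in the story), `T4` (first payment to a new account) and `T6` (the day's total for that account crossing the threshold in small pieces). The amount rule is still there; the other rules cover what it cannot see.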

By penetrating the AS/400, we also gained access to the mainframes and began to penetrate the Resource Access Control Facility security system. But because we already had compromised the Web-based systems, BABank halted the security assessment exercise.

We had won as usual, but there was more work to do. We recommended policies, procedures, methods and technologies to solve security problems.

For example, we helped the bank institute a Web security policy and method for monitoring newly discovered weaknesses and vulnerabilities. We also worked with BABank to relate different password-access systems and encourage better password choices. We advised the bank's IS staff to upgrade some operating systems and migrate a few systems from Unix to Windows NT because certain applications run more cleanly on NT.

The most important change was to isolate some services onto separate servers to improve security. Loading services such as File Transfer Protocol or Web server hosting onto a single box compromises security.

However, Fallsworth wisely recognized that these steps weren't quite enough to protect the bank. Although we shored up the network confidentiality, integrity and access control, we still needed to address another key aspect of information security - availability.

BABank was going online to use the Internet as a source of revenue, profit and customer confidence. The site had to be running 24x7. If hackers attacked the site and the services were no longer available to customers, BABank undoubtedly would suffer on the financial and public relations fronts. What's more, site graffiti can quickly mar the public's perception of your company's image, products and services, particularly when the electronic etchings are pornographic.

Our team decided to see how easy it would be to launch a denial-of-service attack against BABank's Web site. We used extensive custom tools because little else was available. Although some hacker-developed denial-of-service programs are available on the Internet, they require lots of tweaking to be effective.

We made the bank network choke by using mailbombs; SYN flooding, a type of synchronization packet overload; and the ping of death, which is a nasty ping attack that makes certain servers crash. Make sure your security assessment team conducts denial-of-service attacks with you because the target systems are likely to completely fail. You also should evaluate how long it takes to restore operations.

It's never over

Once the hired help has broken into your systems, your work has just begun. Above all, don't assume that your networks are secure because they were tested. A security assessment such as BABank's describes the condition of a network at the moment it was evaluated. Just like the rest of your corporate infrastructure, security is a dynamic condition that requires constant vigilance (see story above).

Use the first comprehensive test of your network as a benchmark and continue to sponsor periodic reviews of the system. Just as important, test your new systems before they go online - not after you suffer the consequences.

Remember the credo, "Do unto your systems before someone does unto you." In the meantime, good hacking!

The author would like to thank the following firms and individuals for their contributions and assistance in the preparation of this article: Axent Technologies, Bob Ayers, Department of Defense, Fred Cohen, Strategic Gaming Partners, Internet Security Systems, Jim Kates, The Security Experts, Inc., Carolyn Meinel, The Happy Hacker, Netect, Secure Networks, Inc., The Wheel Group.


Schwartau is the chief operating officer of The Security Experts, Inc., a global security consulting firm, and president of infowar.com. He can be contacted at winn@infowar.com.
