Stuart Gentle Publisher at Onrec

Identity Theft In The Corporate World

By Peter Wood, Chief of Operations, First Base Technologies www.fbtechies.co.uk

Anyone who steals the identity of a user becomes that user and has access to their most sensitive systems and data. If just one user's identity is compromised, corporate systems are vulnerable. This is the threat posed by "corporate identity theft".

Identity theft takes many forms – exploiting weak passwords, keystroke capture, phishing, Trojan software, social engineering, password sharing and so on. Not every attacker is sitting at home with their computer, trying to break in to the corporate web site. Sometimes all they have to do is call up and ask! As Dorothy Denning, author of Information Warfare and Security, said, "Any medium that provides one-to-one communications between people can be exploited, including face-to-face, telephone and electronic mail. All it takes is to be a good liar."

Organisations make very dangerous assumptions about the security of data on their networks. No-one considers, or more importantly tests, who might be able to view or steal mergers and acquisitions data, business plans, payroll information or BACS payments. On a typical corporate Windows network, anyone with an administrator account can see or copy anything. Putting information on a network server is not the same as locking it in your desk drawer.

Password Guessing
Today, access to information is almost always controlled by a password. Users, even technical experts and senior staff, frequently use incredibly easy-to-guess words, such as 'password', 'holiday' or even their own name. The use of trivial passwords to secure "service accounts" – highly privileged accounts used by backup programs, network control software and anti-virus tools – is so common that gaining control of an entire network frequently takes no more than a few minutes.

Plug in a Windows laptop anywhere on the corporate network - this can be in head office, at a branch office or store, anywhere in any trusted third-party premises or perhaps through a dial-up connection. Browse the network using Windows Explorer and you will see all the Windows machines on the network – there is no need to log on or join a domain for this to happen.

Select a server (they are usually named in an obvious fashion) and attempt a null session connection. The null session is a standard feature of Windows which enables you to list users, groups, group memberships, etc. without any form of authentication whatsoever. Naturally there is plenty of free software on the Internet which will help you to establish a null session and then interrogate this information.

Now list the users in the Administrators and Domain Admins groups and look for patterns, or rather exceptions to a pattern. Typically, organisations use obvious naming conventions for user accounts, but these are usually ignored where service accounts are concerned. Service accounts are administrator-level accounts used to enable applications to log on to servers and domains - applications such as Backupexec, Arcserve, Tivoli are obvious examples.

Select each of these service accounts in turn and try to guess its password - it's not as hard as you might think. Frequently, network administrators will select something obvious, such as a password the same as the account name! Beware that you don't exceed the account lockout threshold, otherwise even the most harassed admin will guess something is up. If these fail, try those accounts which look like shared administrator accounts or scripted accounts, such as Administrator, Install, AutoInstall or similar. At least fifty percent of the time you will gain Domain Admin access, allowing you to create your own administrator account, join the domain legitimately and help yourself to any information on any server.
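The guessing sequence above works because it spreads a few attempts over many accounts and so never trips a per-account lockout rule. As an added example (not the article's or First Base Technologies' code), here is a small Python detector that groups failed logons by source host and flags a source that fails against several accounts while each stays under the threshold; the log is a constructed simplification of Windows Security events 4625/4624, and the thresholds, account names and host names are assumed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log, not output of any real system. One event per line:
# <ISO timestamp> <event id> <target account> <source host> <status>
# 4625 = failed logon, 4624 = successful logon (Windows Security log event ids);
# status 0xC000006A is the NTSTATUS code for a wrong password.
SAMPLE_LOG = """\
2007-04-10T09:00:01 4625 backupexec WKS-UNKNOWN 0xC000006A
2007-04-10T09:00:09 4625 backupexec WKS-UNKNOWN 0xC000006A
2007-04-10T09:00:20 4625 arcserve WKS-UNKNOWN 0xC000006A
2007-04-10T09:00:31 4625 arcserve WKS-UNKNOWN 0xC000006A
2007-04-10T09:00:45 4625 tivoli WKS-UNKNOWN 0xC000006A
2007-04-10T09:01:02 4625 Install WKS-UNKNOWN 0xC000006A
2007-04-10T09:01:15 4624 Install WKS-UNKNOWN -
2007-04-10T09:05:00 4625 jsmith WKS-FIN-12 0xC000006A
2007-04-10T09:05:30 4624 jsmith WKS-FIN-12 -
"""


def parse_log(text):
    """Parse the constructed format into (time, event id, account, source) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, source, _status = line.split()
        events.append((datetime.fromisoformat(ts), int(event_id), account, source))
    return events


def detect_guessing(text, lockout_threshold=5, min_accounts=3, window_seconds=600):
    """Flag sources that fail against several accounts yet stay under the lockout threshold.

    A plain lockout rule fires only when ONE account exceeds the threshold; the
    guessing in the article spends one or two attempts per service account and so
    never triggers it. We therefore count failures per source across all accounts
    in a sliding window, and note whether a success from that source followed."""
    failures = defaultdict(list)   # source -> [(time, account)]
    successes = defaultdict(list)  # source -> [(time, account)]
    for t, ev, acct, src in parse_log(text):
        if ev == 4625:
            failures[src].append((t, acct))
        elif ev == 4624:
            successes[src].append((t, acct))
    alerts = []
    for src, fails in failures.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            window = [(t, a) for t, a in fails[i:] if (t - start).total_seconds() <= window_seconds]
            per_account = defaultdict(int)
            for _, a in window:
                per_account[a] += 1
            if len(per_account) >= min_accounts and max(per_account.values()) < lockout_threshold:
                followed = sorted({a for t, a in successes[src] if t >= start and a in per_account})
                alerts.append({"source": src, "accounts": sorted(per_account),
                               "followed_by_success": followed})
                break  # one alert per source is enough
    return alerts
```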

Impersonation
Social engineering by impersonation is very common. For example, an attacker will call the help desk pretending to be an employee, claim to have forgotten their password and ask the help desk to reset it or give it to them. The help desk will frequently do this without verifying the identity of the caller. Our testing shows that this is a very common scenario – successful at most organisations in all business sectors.

Another technique involves visiting the premises in person. As a bogus employee, visitor or cleaner, it is simple to look for information lying on desks, overhear conversations, plug in a keylogger or even just use a vacant desk and PC. In one case, I was able to gain access through the building's back door, walk around every floor without challenge, read personnel information and customer contracts in unlocked cabinets, steal the contents of post trays and obtain a staff list containing names, job titles, e-mail addresses and phone numbers.

The office cleaner wanders around the IT department emptying bins into a black plastic sack. He bends below each desk to look for stray sandwich wrappers and plastic cups. Whilst he's under the desk, it is a matter of seconds for him to attach a hardware keylogger between keyboard and system unit. These small keyloggers are effectively invisible on the back of the computer, and record every keystroke the IT folk make for the next week. They will capture usernames and passwords, as well as every e-mail and browser entry. Often this will include credit card information from Internet shopping, home address details, bank account details – in fact whatever the individual typed into the computer during that week.

Of course there are plenty of similar opportunities throughout the organisation – the CEO's secretary's PC for instance, or the Finance Director's. Most organisations are vulnerable to this type of attack and will never know that it has taken place. The truth is that virtually no-one conducts proper staff vetting, and they certainly don't check the cleaner's credentials!

Industrial espionage and organised crime are a real threat, but most surveys show that the more significant risk is from inside the organisation. An employee can often see far more corporate information on the head office network than anyone realises. If hacking were to be defined as "attempting to gain unauthorised access to sensitive information", then most organisations have several hackers on their staff. Disgruntled employees (and ex-employees) present a very serious threat to business through access to critical data and personal information. Suppose an employee, with just a little Internet research, discovers how to read everyone's e-mails or even send mails as if they were the CEO …

Removing and studying the contents of bins marked "For Shredding" or "For Recycling" proves very interesting too, as a source for passwords, network diagrams and personnel information. Shoulder surfing - looking over someone's shoulder to see door entry codes, their password, information on their screen or what they are writing - is also extremely successful. Sometimes the simplest techniques are the most successful and often do not involve any technology at all.

Another successful technique involves using one of the oldest and slowest methods of communication – the postal service (snail mail). It is easy and inexpensive to set up a PO box, providing an ideal way to hide and fake a business. Of course snail mail has no content security so there are no technical controls to bypass! People are more likely to respond to a survey they receive in the post, since it appears much more legitimate when printed on paper. If a stamped, addressed envelope is included, then there is little effort or cost on their part. Of course, you offer cash or other prizes for completed and returned surveys.

Trojans and Keyloggers
Mail attachments and web links remain very popular amongst criminals, enticing users to click to gain access to something appealing or illicit whilst silently installing Trojan software on their computer. Once installed, this software can capture every keystroke and mouse click, and even take screen shots, then quietly mail everything to the attacker somewhere else in the organisation or even in another country.

Staff using laptops away from the office are a particular threat, since the opportunities for them to be infected with Trojan software, keyloggers and other malware are much greater than within the corporate environment. Where staff are permitted to use a home wireless network to access the Internet or head office networks, attackers may target an individual at home and use the unsecured wireless connection to sniff traffic or plant malicious software.

Despite the publicity over "phishing" attacks, people are still vulnerable to spoof e-mails and web sites. In one recent project, we crafted an e-mail with a link to a web page purporting to be a survey on information security hosted by our customer. We used graphics and links from the genuine corporate web site on our own server to ensure the pages looked realistic. Using simple web forms, we harvested user names and passwords, as well as valuable information about the organisation's security procedures and mailed the results to our own e-mail server. No-one noticed that the site was unencrypted, nor that it was hosted on an unrecognised IP address with no DNS name. Until a senior member of staff challenged the e-mail and instructed staff to ignore it, we were receiving mails containing names and passwords from innocent users.
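The spoof survey above succeeded because nobody noticed an unencrypted link pointing at a bare IP address with no DNS name. As an added example (not the article's or First Base Technologies' code), this Python snippet pulls the links out of a mail body and reports exactly those signs, plus a lookalike-domain check that goes one step beyond the article; the corporate domain example.com, the brand word and the sample mail are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample mail body, not from any real campaign.
SAMPLE_MAIL = """\
Dear colleague,
Please complete our short information security survey at
http://192.0.2.45/survey/index.html before Friday.
If that page is busy use http://example-security-survey.net/login
Policies are on the intranet: https://intranet.example.com/policies
"""

# Assumed for the example: the organisation's own domain(s) and brand word(s).
CORPORATE_DOMAINS = {"example.com"}
BRAND_WORDS = {"example"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def host_is_ip(host):
    """True when the host part is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_corporate(host):
    """True when host is one of the corporate domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in CORPORATE_DOMAINS)


def assess_link(url):
    """Return the reasons (possibly none) a link matches the spoof pattern in the article."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host_is_ip(host):
        reasons.append("host is a bare IP address with no DNS name")
    if parts.scheme != "https":
        reasons.append("link is unencrypted (http)")
    if not is_corporate(host):
        reasons.append("host is not a corporate domain")
        # A non-corporate host that carries the brand name is the classic lookalike.
        if any(b in host for b in BRAND_WORDS):
            reasons.append("host uses the corporate brand name as a lookalike")
    return reasons


def flag_links(body):
    """Map every URL found in the mail body to its list of reasons; clean links map to []."""
    return {url: assess_link(url) for url in URL_RE.findall(body)}
```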

Normal web browsing can also help steal identities. For example, a specially crafted pop-up window on an otherwise innocent web site can reap rich rewards. Staff using the corporate network to browse a web site will often respond to a pop-up box saying "Your connection to the network has been lost – please re-enter your username and password". They continue using their network and the Internet none the wiser, whilst their credentials have been harvested by the web site.

Laptops
When members of staff are travelling, unattended laptops can easily be infected without any obvious evidence of intrusion, or data may be stolen and later used to compromise the office network. This can undermine even the best VPN security by simple impersonation. Even when two-factor authentication is used (for example SecurID tokens), access still depends on good staff education. It is not uncommon for an individual to keep their token and their PIN with their laptop, thus undermining a secure system and providing a back door for attackers. Since the type of traffic permitted through a VPN connection is seldom restricted, the attacker can use any tool they wish to compromise the corporate network without even visiting the target office.

The Password Problem
There's a common thread here of course – the password. Passwords are a hassle for users, with multiple passwords always needing changing. They are highly vulnerable and you can never know if passwords have been stolen until it's too late. Gartner (September 2001) said that 65% of all helpdesk calls relate to password problems and that each call costs at least 25. And of course they're a dream for your enemies - whether internal or external, techie or not - passwords are easy to steal by shoulder surfing, social engineering, simple guesswork or by snooping, sniffing, hacking and cracking.

The solutions
Management must understand that all of the money they spend on software patches, security hardware, and audits will be a waste without modifying staff behaviour and their susceptibility to social engineering. So what countermeasures can we implement?

Firstly, policies - one of the advantages of policies is that they remove the responsibility of employees to make judgement calls regarding an attacker's requests. If the requested action is prohibited by policy, the employee has no choice but to deny the attacker's request.

You need to ensure that everyone shreds unwanted phone lists, email lists and other important documents. Some documents will obviously need to be locked away, so you must provide employees with sufficient lockable storage space to enable this. In the end, best practice is to have a clear desk policy which is enforceable and workable.

All staff must use screen savers with password controls and be instructed to lock their PC every time they leave their desk – opportunist access to unattended PCs is very common. Any sensitive information stored on desktops, laptops and PDAs must be encrypted. Smartphones and PDAs should have infrared and Bluetooth disabled by default and the organisation must have a policy restricting their use or the sensitivity of information stored on them.

Wireless LANs must be properly configured and tightly secured, whether in the office or at an employee's home. Sensible guidelines must be issued to all staff regarding the risks of using wireless hotspots and Internet cafes. The organisation must ensure that all remote access is secured using VPNs and that no sensitive traffic, including e-mail, is transmitted anywhere in the clear.

A process and policy should exist to ensure that all hard disks, CDs and other media are physically destroyed rather than recycled or simply thrown away. A recent survey of 100 hard disks purchased on eBay and at car boot sales showed around 40% had sensitive data easily recoverable and a further 40% had not even been formatted.

Implement strong authentication for all remote users and for all privileged users and accounts. There are many two-factor alternatives to the traditional password, including SecurID, Smart Cards, smart USB keys and even mobile phone SMS texts.

Institute thorough end-user training on secure communications, including what can be discussed over the telephone, what can be discussed outside the building and what can be written in an e-mail. Try not to use e-mail notification or voicemails when away from the office - it sets up the replacement as a target. And most importantly, ensure everyone knows how to report an incident and to whom – most people do not.

Strengthen your helpdesk password reset process. Permit password resets only with call-back and PIN authentication or some other form of cross-verification. Implement incident reporting and response procedures for all help desk staff, together with clear escalation procedures for everyone in the incident chain. Help desk staff should be encouraged to withhold support when a call does not feel right. In other words "just say no..."

As a politician might say: "Training, training, training." Train all employees - everyone has a role in protecting the organisation and their own jobs. If someone tries to threaten them or confuse them, it should raise a red flag. Train new employees as they start. Give extra security training to security guards, help desk staff, receptionists and telephone operators, all of whom have a vital role to play in blocking identity theft. Make sure you keep the training up to date and relevant.

Address the issue of easy-to-guess passwords. This is the single biggest hole in most organisations' IT security defence. If your organisation is using a Windows network (and most are) and if you have upgraded to Windows 2000, XP or Server 2003, then you can use passphrases rather than passwords. A passphrase of 15 characters or more is easier to remember than a complex 8-character password, yet infinitely more secure. Compare "I would love to own a big red Ferrari" (29 characters and almost unbreakable) with "nUaY6zOs" (8 characters and impossible to memorise, yet easily broken with today's password crackers!).

Finally, have a security assessment test performed and heed the recommendations. Test the companyís ability to protect its environment, its ability to detect the attack and its ability to react and repel the attack. Have the first test performed when the company is expecting it, then do a blind test the second time around.

The future of authentication
Passwords simply will not die. No matter how often industry experts tell us that passwords are the single biggest problem with authentication systems, we seem to be addicted to them.

Perhaps it's because every computer system and application we encounter expects us to use a username and password. No-one wants to spend the money to switch to two-factor authentication – the cost of the tokens and the administrative overhead is deemed too great.

Biometrics seemed like a good idea, but then Tsutomu Matsumoto proved that fingerprint readers are utterly fallible using his "Gummi Fingers" experiment (see Bruce Schneier's article at http://www.schneier.com/crypto-gram-0205.html#5), and anyway there's the cost issue again.

Some imaginative solutions like Passfaces appear from time to time. Unfortunately, the inertia of the corporate "standard build", the perceived cost of implementation, the anticipated admin costs and most of all the absence of any real understanding of the issues leads to a continuation of the password legacy.

I had hoped that the corporate enthusiasm for identity management would facilitate a sea change in authentication mechanisms, but no. In fact it appears to simply multiply the risk without enhancing the logon process at all.

So the future - maybe smart cards with simple and cheap smart card readers in every desktop and laptop? Perhaps USB tokens with a PIN number? Or perhaps the continuation of the password, enhanced (if anyone will listen) into a passphrase and assisted by password safe software …

Step-by-step checklist for securing authentication in your firm

Desktop Security

• Shred old phone lists, email lists and other important documents you no longer need

• Some documents will need to be locked away – make sure everyone has a lockable drawer or cabinet

• Basic best practice is to have a clear desk policy

IT Security

• Use screen savers with password controls and short timeouts

• Encourage the use of passphrases rather than passwords

• Encourage the use of password management software to overcome the problem of written passwords

• Encrypt sensitive information on desktops, laptops and PDAs

• Secure mobiles and PDAs - switch off infrared, wireless and Bluetooth when not in use

• Secure wireless LANs – use the latest security measures and implement VPNs over wireless

• Physically destroy unused hard disks, CDs and other media

User Guidance

• Say what can and cannot be discussed over the telephone

• Say what can and cannot be discussed outside the building

• Say what can and cannot be written in an e-mail

• Don't use e-mail notification or voicemails when away from the office. It sets up the replacement as a target.

• Ensure everyone knows how to report an incident and to whom

Help Desk

• Permit password resets only with call-back and PIN or cherished information authentication

• Ensure there are clear incident reporting and response procedures

• And clear escalation procedures

• Help desk staff should be encouraged to withhold support when a call does not feel right. In other words "just say no ..."

Training, training, training

• Train all employees - everyone has a role in protecting the organisation and their own jobs

• If someone tries to threaten them or confuse them, it should raise a red flag

• Train new employees as they start

• Give extra security training to security guards, help desk staff, receptionists, telephone operators

• Keep the training up to date and relevant

Compliance

• Have a security assessment test performed and heed the recommendations

• Test the company's ability to protect its environment, its ability to detect the attack and its ability to react and repel the attack

• Have the first test performed when the company is expecting it

• Do a blind test the second time around

First Base Technologies is exhibiting at Infosecurity Europe 2007, Europe's number one dedicated Information security event. Now in its 12th year, the show continues to provide an unrivalled education programme, new products and services, over 300 exhibitors and 11,600 visitors from every segment of the industry. Held on the 24th – 26th April 2007 in the Grand Hall, Olympia, this is a must attend event for all professionals involved in Information Security.