John Kaminski is the 28-year-old IS manager for DataGlobal. He heads a team of 10 techies.
He has a BCom, BEng and an MCSE, so should know his stuff.
Kaminski (not his real name) knows his firm has some vulnerabilities in its systems, which he hopes to fix when his busy crew get around to it. DataGlobal has experienced port scans from Korea and elsewhere, but they have got no further. Initially, Kaminski rated DataGlobal’s security as 6/10. He admits the firm’s server sits between the firewall and the net, placing it in danger, but this is to allow free flow of data. Ports 137 and 139, which allow servers to talk to each other, are also open.
DataGlobal has no back-up web service supplier, which is risky, as its internet service provider has fallen prey to recent denial of service (DoS) attacks. The web server also has "holes" but “everything else should be okay”, Kaminski says.
Srinivasan Vanamali is senior technical consultant of the field services group for Computer Associates in Auckland. Mali performed a simple version of his usual test one recent weekend while at home. It took him just two hours and he awarded DataGlobal 2 or 3/10.
Mali, as he prefers to be called, talks about the “anatomy of an attack”. You establish the motive and the target and then move into reconnaissance mode to identify information about the target (websites, nature of business, trading partners, phone numbers, address). Then, identify components (network, systems components, externally map networks with tools such as NMAP) and determine what ports/services are available (using port and security scanners).
Checking for vulnerabilities and cross referencing comes next, by using tools such as Nessus to identify vulnerabilities and searching the web to find more.
The final stage is running exploits, where the hacker takes advantage of a vulnerability. After this, the hacker tries to elevate his or her access to the system's administration and create a back-door entry to try and cover their tracks, Mali says.
Starting his probe, Mali established his motive, looking for vulnerabilities on the DataGlobal internet gateway (web server, router, FTP site, firewall). He used a range of freely available tools, some of which can be downloaded from the internet. Going to the Domainz website, Mali found contact names at DataGlobal, name server (DNS) details and the name server IP address.
“This would probably lead into the gateway as well. This is the starting point of mapping your network externally,” he says.
Mali used a name server lookup to find DataGlobal’s ‘MX’ record (the SMTP gateway) as part of mapping. Mapping the network is a technique used to identify the list of IP addresses allocated to a domain that can be seen from outside (the internet) and also inside the network.
This info is used to see if a gateway can receive spam and to gain a list of targets for receiving a trojan horse virus in the form of an email attachment.
“I also used NMAP to perform a ‘pingsweep’, a technique used to identify a list of ‘live’ hosts in a given range of IP addresses and picked up four hosts directly pointing to [DataGlobal] as my targets,” he says.
A tool called Trace Route was used to find the logical path to the target host.
“While hacking, if you cannot get into a system directly, a hacker would go after another system within the environment. Most of the time these systems implicitly trust each other. The best way to get in to the target host is through another trusted system,” says Mali.
“In this case, maybe the ISP router would be one possible trusted host in the environment to be considered for cracking if the target host is too hard to break,” he says.
However, since DataGlobal’s host was weak and he had identified the network, Mali was able to use port scanning to identify the host services and assess how much the system is exposed. Mali likens this to having found a house to enter: the thief is now looking for an easy way in.
He uses NMAP on Linux for port scanning, which provides multiple scan methods to probe a host or network, including methods to avoid setting any intrusion detection alarm while performing a scan. “I picked up that the web server is poorly configured and lots of unwanted services are open,” he says.
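Seen from the defender's side, the ping sweep and port scan described above appear in firewall logs as one source touching many hosts or many ports, and a scan paced to stay under an alarm is missed when the counting window is too short. The following is an added example, not part of the original article or of any tool it names; the log format, addresses, thresholds and function names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample():
    """Constructed firewall log lines: 'ISO-time source destination dest-port'."""
    t0 = datetime(2024, 1, 6, 10, 0, 0)          # arbitrary, constructed
    ports = [21, 25, 80, 139, 1352]              # services named in the article
    rows = []
    for i, p in enumerate(ports + [137]):        # fast port scan, one probe per second
        rows.append((t0 + timedelta(seconds=i), "198.51.100.7", "192.0.2.10", p))
    for i in range(4):                           # sweep: one port across four hosts
        rows.append((t0 + timedelta(seconds=30 + i), "203.0.113.9", f"192.0.2.{10 + i}", 80))
    for i, p in enumerate(ports):                # slow scan, one probe every 10 minutes
        rows.append((t0 + timedelta(minutes=10 * i), "198.51.100.99", "192.0.2.10", p))
    for i in range(20):                          # ordinary web client, port 80 only
        rows.append((t0 + timedelta(seconds=15 * i), "198.51.100.50", "192.0.2.10", 80))
    return [f"{ts.isoformat()} {src} {dst} {port}" for ts, src, dst, port in rows]

def parse(line):
    """Split one constructed log line into (time, source, destination, port)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)

def detect(lines, window, port_threshold=5, host_threshold=4):
    """Return a set of (source, kind) alerts; kind is 'portscan' or 'sweep'."""
    recent = defaultdict(list)                   # source -> probes still inside the window
    alerts = set()
    for ts, src, dst, port in sorted(parse(l) for l in lines if l.strip()):
        q = recent[src]
        q.append((ts, dst, port))
        while q[0][0] < ts - window:             # expire probes older than the window
            q.pop(0)
        ports_by_host = defaultdict(set)
        for _, d, p in q:
            ports_by_host[d].add(p)
        if any(len(ps) >= port_threshold for ps in ports_by_host.values()):
            alerts.add((src, "portscan"))        # many ports on one host
        if len(ports_by_host) >= host_threshold:
            alerts.add((src, "sweep"))           # many hosts from one source
    return alerts

if __name__ == "__main__":
    log = build_sample()
    for label, window in (("1 minute", timedelta(minutes=1)), ("1 hour", timedelta(hours=1))):
        print(label, sorted(detect(log, window)))
```

With the one-minute window only the fast scan and the sweep are flagged; widening the window to an hour also catches the source that probes one port every ten minutes, while the ordinary web client is never flagged.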
The 11 open ports included www (80/tcp) and the Lotus Notes port, which allows an anonymous user to retrieve information from the Lotus Domino server: users, databases, configuration of servers, logs of access to users (which could expose sensitive data if GET HTML forms are used). "Everything is open," Mali says.
A Nessus security scanner also found vulnerabilities on port 1352. "I have access as an anonymous user. I have access to the Notes database. If I was a hacker, I could go in and download these databases," he says. Mali also brands the website “poorly configured” but is uninterested in that “as I have access to the operating system”.
Default configurations in the server were not "hardened", opening up a “big hole” in NetBIOS port 139, which the NT server uses for communications, allowing access to information on users, groups and shares in the system.
Other services, such as PC Anywhere, could also be used, including as the administrator, by using a dictionary attack to find the password. The FTP port was also vulnerable.
“If I was distributing child porn, I could tell the guys I publish the stuff [here]. This becomes a host to distribute child porn,” he says.
Mali thus gave DataGlobal its low mark, summing up by saying having the server outside the firewall was like leaving your windows and doors open in a poor neighbourhood. The insecure web server might create problems, and access to Notes may be significant, he says. But at least by using an uncommon web server it has few known vulnerabilities, unlike Microsoft IIS. The FTP site write access was “a significant breach”, placing it at risk from “inappropriate use”.
Mali says no system can ever be 100% safe; it is a matter of risk assessment, weighing up the costs of providing extra security against the value of the accessible information, the costs of a "downed web site and so on."
Firms also need to see security as an investment, a business enabler, not expenditure. They should also be more pro-active, he says.
“Having found some holes in less than two hours, the last thing I want to hear from the IT operation is that it will go and fix those holes now and it knows how to do it,” Mali says.
Kaminski was impressed with the test and would have liked a lengthier one. The main “surprises” were the FTP breach “which I have now fixed” and gaining the list to the Lotus databases.
He now rates his security as 5/10, saying his firm plans an extra firewall by the server or packet filtering on the router. To make it worthy of 8/10 would cost $100 for parts and $1000 for labour.
“We know the problem. We know how to fix them. We just need to get the time. But Mali got far enough to almost control our machines,” he says.