Security, Art of Hacking, & the Worst 2014 Security Breaches

Security is hot; no doubt about it. Consider the fact that between 2011 and 2013, venture investors put nearly $3 billion into cyber security companies, resulting in new funding for some 300 firms (Source: Thomson Reuters). Worldwide security software revenue alone totaled $19.9 billion in 2013, a 4.9 percent increase from 2012 revenue of $19.0 billion (Source: Gartner). According to Gartner, global cybersecurity spending is projected to reach $76.9 billion in 2015 and $80 billion in 2016; in 2011 it stood at $55 billion.

Estimated Global Cybersecurity Spending

Yes, security is hot, and considering how much companies are willing to spend on it, it’s amazing how many of these same companies still get hacked and infiltrated. A report sponsored by Experian last year and conducted by the Ponemon Institute stated that a staggering 43% of companies have experienced a data breach.

Also, consider the fact that many security breaches go unreported; the ones we hear about are usually the ones the respective company disclosed or was obliged to inform its customers about. The worst intrusions are those that have so far gone undetected, because the overall damage in such cases may never be discovered, or may be discovered only at a point where it is incalculable and irreversible.

In fact, Michael Bruemmer, the vice president of the data breach resolution group at the credit information company Experian, stated that only about 15% of all data breaches that occur are reported and make the media. One of the worst breaches last year, at Sony, was only discovered on November 22nd, when employees received skull artwork on their screens and messages on their computers threatening public distribution of stolen data; it is still unknown how long the network may have been compromised.

So how do security breaches at big behemoth companies still happen despite numerous precautions and investment in security software/infrastructure?

First, most security breaches are not the work of shadowy hacker figures from far-off lands breaking through hardened security perimeters. Michael Bruemmer stated that more than 80% of the breaches his group works with at Experian had a root cause in employee negligence. This can be as simple as losing important documents with sensitive information or unknowingly downloading a file with malicious code attached. Social engineering, where one is duped into revealing sensitive information, has been a long-time favorite and is still utilized today. Two of the largest breaches from last year, Target and Home Depot, were initiated from hacked accounts of legitimate third-party users.

Now, hackers who are dead-set on breaking into a specific target can be very ingenious and, of course, will usually target areas where the attack surface is large or where there are known security flaws or mechanisms for gaining access; one such area is web applications, where one can employ anything from SQL injection to brute-force tactics.

Firewalls are great devices, but they are really a given, and, for any hacker, it goes without saying that every target they select will have a firewall implemented in one way or another. It’s seen as an expected first line of defense. The configuration of the firewall is also extremely important. I’ve seen firewalls deployed and then horribly misconfigured; in many cases this was due to trying to get a specific application to bypass or work with the firewall.

Although a firewall can thwart most novice hackers, more sophisticated hackers will simply attempt to bypass the firewall, and even some malware/spyware detection software, by blending in as legitimate users/traffic. This can be done just by compromising one legitimate system and then using it to deploy malicious software that may go undetected for months or even years, depending on the sophistication of the software. Point-of-sale (POS) systems are a favorite in this scenario as they process electronic payments for goods/services. In 2013, Visa reported that restaurants accounted for 73% of the data breaches in the United States, up from 29% just three years earlier.

Some of the largest security breaches of 2014 (Goodwill Industries, JP Morgan, Michaels, Neiman Marcus, and Target) involved compromised/infected point-of-sale systems. What’s interesting in all these cases is that, out of the companies that disclosed it, a third party such as a government agency, bank, or consultant informed the respective company about the security breach – not the company’s own security systems.

Micro-segmentation is another great security tool, because even if the network is compromised, different segments of the network can still be secure and protected due to the security enforced at the segment/subnet level. However, if the traffic is seen as legitimate and coming from an already compromised system that has access to the specific target, micro-segmentation is not going to help. You can read more about firewalls and micro-segmentation on my prior blog.

There are many tools that can be used to hack systems, and it is appealing to attack and gain access to the network first, but that would only be the first step. From there, one can do some host scanning, traffic sniffing, packet injection, and security exploitation. For example, the Home Depot security breach last year, which put 56 million credit cards and 53 million email addresses at risk, was accomplished first by gaining network access via a hacked third party account and then exploiting an unpatched Windows flaw.

Typically, a hacker must be versatile with many tools, as once an environment is breached, it is unknown what tools will be available for use. For example, a hacker can be almost certain he/she will not have access to a full-blown commercial sniffer sitting there for his/her convenience; likely, he/she won’t even have access to a compiler. Hackers learn to become experts on the most basic tools, the ones they know they can find on the majority of networks/systems.

Some network/system administrators don’t realize just how few tools a hacker needs. I’m not talking about a denial of service (DoS) attack; worse, I’m talking about compromising systems and stealing valuable information, all while going unnoticed for some unknown period of time.

Let’s take, for example, tools like the editor VI and the Perl or Python programming languages, easily found on just about every Linux distribution; this alone is enough to write a backdoor script, trojan, proxy server, etc., running as a disguised process. This can even be initiated through a front-end web attack.

Let’s take a look at one such very simple example. Once I compromise a system and realize I have access to common tools, VI and Python, I write a backdoor script to give me access by connecting to a port on the respective machine. If the password is changed, I can capture it through the script; however, just connecting to the machine’s open port allows me to bypass the password prompt altogether.

Keep in mind this is a very simple, novice example; in a real-world situation more care would be taken with robustness and with cloaking visibility. I’m on my local Red Hat Enterprise Linux machine. I first start the executable Python script in the background with the ‘nohup ./ -l -p 8888’ command, instructing the scripted server to listen for connections on port 8888. I can verify the script is running with the ‘ps aux | grep “hacked”’ command; below, I show a snapshot of the output.

Python script running in background

Now, from the same machine, within another terminal, I can run a quick test to see if I can connect to my script, which is really a quick & dirty server that gives me backdoor access to the machine. Here, I run another Python script, which acts as the client, and pass it the respective target IP/hostname and port number.

Accessing target host via Python scripted client

As you can see, once I connect to my Python scripted server with nothing more than an IP and port number, the prompt changes, and I can access the local directory and any data on the machine without any security checks. This was a quick 20-minute project; a seasoned hacker can write a utility to encrypt traffic and connect to a malware server running in the cloud or on a remote server. I recently came across this blog by Fortinet, which shows a clever example of a malicious loader served from the cloud; a fake PDF is used to initiate the hack.
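The defender’s counterpart to the demo above, as an added example that is not part of the original post: a script like the one described can call itself whatever it likes in `ps`, but it still needs a listening socket, and the kernel records every one in /proc/net/tcp. The parser below decodes that file’s format and flags listeners that are not in an approved baseline; the sample table, the baseline set and the uid/inode values are constructed for the demo, and the address decoding assumes a little-endian host (x86/ARM), which is how `0100007F` comes to mean 127.0.0.1.

```python
import socket
import struct

LISTEN = "0A"  # TCP state code the kernel uses for LISTEN in /proc/net/tcp

# Constructed sample of /proc/net/tcp: sshd on 22, a local DB on 5432 (0x1538),
# an unexpected listener on 8888 (0x22B8) owned by uid 1000, and one
# established (state 01) connection that must be ignored.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1538 00000000:0000 0A 00000000:00000000 00:00000000 00000000    26        0 22222 1 0000000000000000 100 0 0 10 0
   2: 00000000:22B8 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 98765 1 0000000000000000 100 0 0 10 0
   3: 0A000005:0016 0A000007:C350 01 00000000:00000000 00:00000000 00000000     0        0 33333 1 0000000000000000 20 4 30 10 -1
"""


def parse_addr(hex_addr):
    """Decode 'XXXXXXXX:PPPP' (IPv4 as host-order hex, port as hex) to (ip, port)."""
    ip_hex, port_hex = hex_addr.split(":")
    # The kernel prints the 32-bit address in host byte order; on little-endian
    # hosts the octets therefore appear reversed, so unpack little-endian.
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(text):
    """Return [(ip, port, uid, inode)] for every LISTEN row in a /proc/net/tcp table."""
    out = []
    for line in text.splitlines()[1:]:          # first row is the column header
        fields = line.split()
        # fields: sl, local, remote, st, tx:rx, tr:when, retrnsmt, uid, timeout, inode, ...
        if len(fields) < 10 or fields[3] != LISTEN:
            continue
        ip, port = parse_addr(fields[1])
        out.append((ip, port, int(fields[7]), int(fields[9])))
    return out


def unexpected_listeners(text, baseline_ports):
    """Listeners whose port is not in the approved baseline; the socket inode can
    then be matched to a PID via /proc/<pid>/fd, whatever the process calls itself."""
    return [s for s in listening_sockets(text) if s[1] not in baseline_ports]


if __name__ == "__main__":
    # On a live host, replace the sample with open("/proc/net/tcp").read()
    for ip, port, uid, inode in unexpected_listeners(SAMPLE_PROC_NET_TCP, {22, 5432}):
        print(f"unexpected listener {ip}:{port} uid={uid} socket inode={inode}")
```

Run periodically and diffed against a known-good baseline, this catches a new listener regardless of its process name; pairing it with a similar pass over /proc/net/tcp6 covers IPv6 sockets.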

Follow me on Twitter: @Humair_Ahmed
