Confessions of a Penetration Tester - PowerPoint PPT Presentation

Description:

Sometimes, you need a way to fix it now and explain it later; reporting is critical ... An ADMIN must sign a changed application to move it to production ... – PowerPoint PPT presentation

Slides: 31
Provided by: AndrewP5

Transcript and Presenter's Notes

1
Confessions of a Penetration Tester
  • Andrew Pollack, NCT

2
Before We Start
  • English is the only language I speak
  • -- Unless you count programming languages
  • I will try to speak clearly, but if I am moving
    too quickly, or too slowly, please make some kind
    of sign, so I can adjust!

3
Please Shut Them Off
  • We will all point at you
  • Set all noise making toys to Stun please
  • If you need to type on a laptop or a Blackberry
    move toward the back please

4
Who Am I?
  • Administrator and Developer since version 2.0
  • Products
      • NCT Search, NCT Compliance Search, NCT Simple
        Sign On, and now Second Signal
  • Services
      • Site Performance Reviews
      • Application Development
      • Administrative Overhaul
      • Security Review and Penetration Testing
  • IBM Lotus Beacon Award Winner
  • Firefighter
      • Lieutenant of Cumberland, Maine Engine 1
      • In firefighting, just like server administration,
        it's all in the planning

5
Key Focus Points
  • Security From A Big Picture Approach
  • Big New Locks on Rusty Old Chains
  • What do I look for in a Security Review?
  • Story Time
  • Summary

6
Security From A Big Picture Approach
  • Are you the weakest link?

7
Infrastructure Stability is the First Step to a
Secure Environment
  • How good are your backups?
      • A denial of service vector
  • Have you switched to IP Telephony?
      • Your telephones may now be programmable computers
  • Who can access your server room?
  • Can your LAN administrators access the file
    systems on your Domino servers?

8
How Secure is Too Secure?
  • From a Security Officer Perspective
      • There are only two levels of paranoia:
        absolute, and insufficient.
  • From an End User Perspective
      • These are my friends and coworkers; I trust them
        completely
  • There is no perfect balance. You must learn to
    assess the risk and apply security in layers

9
What Are You Protecting?
  • Categorize Applications, then apply standard
    security practices based on the category
      • This protects developers and administrators
  • Some schemas I've seen
      • Green, Yellow, Red
      • Open, Internal, Confidential, Executive
  • Considerations for categorizing risk
      • Employee contact data
      • Customer list information
      • Banking, tax, or medical information
      • Company Planning information
      • Company financial information

10
Who Are You Protecting it From?
  • Most security problems come from inside, not
    outside hackers
  • Most administrative failures are infrastructure
    related, but have security implications
  • Sometimes, you need a way to fix it now and
    explain it later; reporting is critical

11
The Source of Security Failures
  • Internal Employee Mistakes
      • Taking customer data to work out of the office
      • Password Sharing
      • Unattended Workstations
  • Abuse of Administrative Authority
      • Reading people's mail files
      • Sending communication on behalf of someone else
      • Intercepting Logs, Complaints, or Bad News
      • Altering metrics in help desk and other
        applications
  • Insufficient Termination Procedures
      • Former Administrators or Employees Retaining
        Access
  • Unauthorized Copying of Data
      • Employees taking the customer list as they resign

12
Big New Locks on Rusty Old Chains
  • In Firefighting, we say "Try before you pry!"
  • You're only as secure as your certifiers
  • Quit worrying about visible hash values unless
    everything else is locked down first
  • When in doubt, log and report

13
What do I look for in a Security Review?
  • Policies and Procedures Matter

14
Review vs. Audit
  • In a REVIEW
      • I ask you questions and believe your answers
      • Typically 2 days talking and a document
      • Cooperative Effort with the Administrative Team
      • Cannot be certified
  • In an AUDIT
      • I assume you may be wrong
      • Trust, but verify
      • Tends to be somewhat adversarial
      • Very Expensive, but certified accurate

15
Certifier Management
  • From the Root Certifier on Down
      • If you're not using the CA, every admin you've
        ever had probably has a copy
      • If your certifiers are potentially compromised,
        almost everything else we lock down is potentially
        still vulnerable
  • User Certificates (ID Files)
      • Who can assign them?
      • What is the process for recovery (lost password
        or ID)?
      • Do you REALLY still keep copies of them somewhere?

16
Application Review Ownership
  • Do you track every database?
      • Owner of the application
      • Responsible developer?
      • Expected size and activity
      • ACL Requirements
      • Scheduled Agent Requirements
      • Security Level Category
      • Update tracking information every N months

17
Group Ownership
  • People tend to accumulate group membership
      • This makes them ideal targets
  • Do you track every group?
      • Owner of the group
      • Security Level Category
      • Update tracking information every N months
      • Group owner should sign off on the accuracy
        periodically

18
Unsupervised Developers
  • Avoid Designer or Manager Access in ANY database
    on Production servers
      • VERY easy to crash servers
      • VERY easy to destroy data
      • VERY easy to exploit users

19
Execution Control List Policies
  • ECLs are the single most important protection
    you have against intentional exploitation
  • Use Design Signature ID files and allow ONLY
    those to perform higher risk activities
  • Do not give Design Signature ID files to
    developers. An ADMIN must sign a changed
    application to move it to production
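As an added example (not the presenter's code) of the tracking described on slides 16 through 19, a Python audit over a constructed inventory: it flags database and group records whose review is older than N months, Designer or Manager ACL entries held by non-admin groups on production servers, production databases whose design was not signed with an admin-held ID, and users who have accumulated group memberships. All names, groups and dates are assumptions.

```python
from datetime import date
# Constructed sample inventory (not from the presentation): one record per
# database and per group, carrying the fields slides 16 and 17 say to track.
REVIEW_INTERVAL_MONTHS = 6             # the "every N months" of the slides
DESIGN_SIGNERS = {"AppSigner/ACME"}    # admin-held design-signature IDs (assumed)
ADMIN_GROUPS = {"DominoAdmins"}        # groups allowed Manager/Designer in production
PRIVILEGED = {"Manager", "Designer"}
TODAY = date(2008, 9, 1)               # fixed "today" so the run is reproducible

DATABASES = [
    {"file": "hr/staff.nsf", "owner": "HR Mgr/ACME", "category": "Red", "production": True,
     "design_signer": "AppSigner/ACME", "last_reviewed": date(2008, 6, 1),
     "acl": {"DominoAdmins": "Manager", "HRStaff": "Editor"}},
    {"file": "sales/customers.nsf", "owner": "Sales VP/ACME", "category": "Yellow",
     "production": True, "design_signer": "Bob Dev/ACME", "last_reviewed": date(2007, 11, 15),
     "acl": {"DominoAdmins": "Manager", "SalesDevs": "Designer", "SalesTeam": "Reader"}},
]
GROUPS = [
    {"name": "DominoAdmins", "owner": "Admin One/ACME", "last_reviewed": date(2008, 7, 1),
     "members": ["Admin One/ACME", "Admin Two/ACME"]},
    {"name": "SalesDevs", "owner": "Dev Lead/ACME", "last_reviewed": date(2008, 1, 1),
     "members": ["Bob Dev/ACME"]},
    {"name": "SalesTeam", "owner": "Sales VP/ACME", "last_reviewed": date(2008, 8, 1),
     "members": ["Bob Dev/ACME", "Carol Sales/ACME"]},
    {"name": "HRStaff", "owner": "HR Mgr/ACME", "last_reviewed": date(2008, 5, 1),
     "members": ["Bob Dev/ACME", "Dana HR/ACME"]},
]

def months_between(earlier, later):
    return (later.year - earlier.year) * 12 + later.month - earlier.month

def audit(databases, groups, today=TODAY, max_groups_per_user=2):
    """Return (finding, subject) pairs for the checks slides 16 to 19 describe."""
    findings, memberships = [], {}
    for db in databases:
        if months_between(db["last_reviewed"], today) > REVIEW_INTERVAL_MONTHS:
            findings.append(("stale-review", db["file"]))
        if db["production"] and db["design_signer"] not in DESIGN_SIGNERS:
            findings.append(("unapproved-signer", db["file"]))          # slide 19
        for grp, level in db["acl"].items():
            if db["production"] and level in PRIVILEGED and grp not in ADMIN_GROUPS:
                findings.append(("dev-privileged-on-prod", f"{db['file']}:{grp}"))  # slide 18
    for g in groups:
        if months_between(g["last_reviewed"], today) > REVIEW_INTERVAL_MONTHS:
            findings.append(("stale-review", g["name"]))
        for member in g["members"]:                                     # slide 17
            memberships[member] = memberships.get(member, 0) + 1
    findings += [("group-accumulation", u) for u, n in memberships.items()
                 if n > max_groups_per_user]
    return findings
```

Feeding real records in (for example exported from CATALOG.NSF and the Domino Directory) turns this into the periodic sign-off report the slides ask group and application owners for.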

20
End User Leash Laws
  • Never Allow End Users to Design or Manage their
    own databases
  • Local Databases must be encrypted
  • Local hard disks should be encrypted
  • Use password management policies

21
Unmanaged Services
  • I love being told
      • "HTTP Isn't Running on our Servers"
      • "SMTP Isn't Running on our Servers"
      • "LDAP Isn't Running on our Servers"
  • Translated, this means "We're not bothering to
    manage the HTTP password"
  • I can usually find one of these running on at
    least one of their servers

22
Penetration Testing Process
  • Set up exactly as a new temporary employee
      • Repeat testing as a new full-time employee
  • Bring a copy of Designer on a USB drive
      • Never assume Designer is unavailable
  • ECL is the first thing I check
      • If mine is set too open, most employees will be
        as well
  • CATALOG.NSF makes a great shopping list
      • Shows me important databases
      • Shows me databases with groups in common
  • Browsing Groups tells me who's got what access

23
Story Time
  • Also known as "There he goes again."

24
The Helpdesk Hack
  • The simplest form of attack
  • "I've forgotten my password"
  • Similar Human Engineering Attacks

25
The USB Drive Hack
  • Not Domino Specific
  • Very well secured network environment
  • Very good physical security
  • More than 75% success rate

26
The ECL Hack
  • Send a message to someone with a link
  • The link is actually a hotspot
  • The hotspot actually opens the page indicated
  • The hotspot also does other things
  • User Impersonation Attack
  • Very Difficult To Spot

27
ECL Hack Code
28
ECL Hack Result
29
The SMTP Hack
  • 220 mail.domain.ext ESMTP Sendmail (version)
    (date)
  • HELO local.domain.name
  • 250 mail.domain.ext Hello local.domain.name
    loc.al.i.p, pleased to meet you
  • MAIL FROM: mail_at_domain.ext
  • 250 2.1.0 mail_at_domain.ext... Sender ok
  • RCPT TO: mail_at_otherdomain.ext
  • 250 2.1.0 mail_at_otherdomain.ext... Recipient ok
  • Subject: whatever you want
  • 250 2.1.0 mail_at_domain.ext... Subject ok
  • This is the message body...
  • .
  • 250 2.0.0 ???????? Message accepted for delivery
  • Quit
  • 221 2.0.0 mail.domain.ext closing connection
  • Connection closed by foreign host.
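The session above works because the listener accepts any MAIL FROM and RCPT TO from anyone. As an added example (not the presenter's code), the relay and sender-domain policy a managed SMTP listener should apply, replayed in Python against the client half of that exchange; the local domain, LAN address ranges and the `mail@domain.ext` spelling of the slide's obfuscated address are assumptions, and the reply texts are illustrative rather than any particular MTA's.

```python
# Constructed example (not the presenter's code): the relay and sender policy a
# managed SMTP listener should apply, replayed against the client half of the
# session on slide 29. Domains and network ranges below are assumptions.
LOCAL_DOMAINS = {"domain.ext"}          # domains this server accepts mail for
INTERNAL_NETS = ("10.", "192.168.")     # address prefixes treated as the LAN

def domain_of(addr):
    return addr.strip("<>").rsplit("@", 1)[-1].lower()

def rcpt_policy(client_ip, auth_user, mail_from, rcpt_to):
    """Decide a RCPT TO given who is connected and what they claimed in MAIL FROM."""
    if domain_of(rcpt_to) in LOCAL_DOMAINS:
        return "250 2.1.5 Recipient ok"          # inbound mail for our own domain
    if auth_user is None and not client_ip.startswith(INTERNAL_NETS):
        return "550 5.7.1 Relaying denied"       # outsider using us as a relay
    if domain_of(mail_from) in LOCAL_DOMAINS:
        if auth_user is None:                    # LAN client claiming a local sender
            return "550 5.7.1 Authentication required to send as " + domain_of(mail_from)
        if mail_from.strip("<>").lower() != auth_user.lower():
            return "550 5.7.1 Sender does not match authenticated user"
    return "250 2.1.5 Recipient ok"

def run_session(commands, client_ip, auth_user=None):
    """Replay MAIL FROM / RCPT TO commands and return the server's replies."""
    replies, mail_from = [], None
    for cmd in commands:
        verb, _, arg = cmd.partition(":")
        verb, arg = verb.strip().upper(), arg.strip()
        if verb == "MAIL FROM":
            mail_from = arg
            replies.append("250 2.1.0 Sender ok")
        elif verb == "RCPT TO":
            if mail_from is None:
                replies.append("503 5.5.1 Need MAIL command")
            else:
                replies.append(rcpt_policy(client_ip, auth_user, mail_from, arg))
    return replies

# The slide's client commands (the page shows the addresses as mail_at_domain.ext).
SLIDE_SESSION = ["MAIL FROM: mail@domain.ext", "RCPT TO: mail@otherdomain.ext"]

if __name__ == "__main__":
    for ip, user in (("203.0.113.5", None), ("10.1.2.3", None), ("10.1.2.3", "mail@domain.ext")):
        print(ip, user, run_session(SLIDE_SESSION, ip, user))
```

The same exchange gets three different answers depending on where the client sits and whether it authenticated, which is exactly the distinction an unmanaged SMTP task never makes.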

30
Summary
  • Stop using big new locks on rusty old chains
  • Get control over your certifiers
  • Get control over your developers
  • Get control over your users and their local data
    storage devices
  • Get control over the databases and groups you've
    got deployed on your servers