Ethical hacking is one of the most intriguing and exciting elements of our work at Pivot Point Security. A recent engagement for an international bank took us a bit by surprise, as the level of security provided by an Application Service Provider (ASP) to protect the identities of the bank's clients and hundreds of millions of dollars was notably less than one would expect. I'll show you the techniques that we used and how our efforts turned from hacking their critical application, to hacking the Application Service Provider, to hacking another bank's hosted network.

A call to arms
On a Monday morning in the not-too-distant past, we received a call from an Information Security engineer at a major international bank, who we will refer to as Bank Client (BC) from this point forward. An industry colleague who frequently worked with us in support of our projects (and vice versa) on network and security architecture had referred them to us. This was not a typical introductory call to vet our capabilities; this was a call to engage our services.
"We have a few concerns regarding the security of an application that is hosted by a third party on our behalf. How soon can you come on site and perform an ethical hack against the application?" he queried. Still surprised by the directness of the call, I offered, "I think we could get resources on site early next week."
His reply, "We were really hoping that we could get this done no later than the end of the week," reinforced the urgency of the call.
"If it's that important, I think we can move some personnel around and get there on Thursday," I said quietly, praying that I wouldn't take too much grief from our project manager for reallocating his resources; but it's not every day that an opportunity this intriguing rears its head.
"OK, let me confirm everything with our management," he said. "We'll be in touch, shortly."
On Tuesday morning a signed purchase order...

Talkback
Nothing new under the sun. This is reality the world over. Not common practice, but still plentiful around. It makes one wonder what kind of (business) reasoning and mindset was behind it all to make it all become reality. "GUI geil" some call it. Anything under the conceptual level is simply blocked out in the decision-making process as being irrelevant or not meaningful enough. Those that agree with such an attitude are pushed up to decision-making powers. Those that don't are left to get blamed later, given that they're not in a position to really do something meaningful about it all. Human error that wasn't supposed to happen, you've heard of it. Reward the guilty, punish the innocent.
The thing to note, however, is that 'easy hacks' make for great news but are still the tip of the iceberg. There's so much more, but it isn't easy reading that the average human can relate to at all.
Had a similar episode with a client, who had a terminal server with good Domain protection, yet had a blank password for a local logon. This was their main Lotus Notes mail server!