The means to an end (game)
A Terminal Services login screen, that fronted the application, greeted
us after connecting across the VPN. The ASP intended for the user to
authenticate to the Domain, but had actually left the option of
allowing the individual to log on locally to the system by selecting it
in the drop down box. Selecting this option, under the assumption that
local system security is usually weaker than domain security, we
attempted to log in using the account "administrator" with a password
of "password". Our second attempt was the combination
"administrator"/"ASP" (where ASP was the name of the ASP.) Sadly, we
were local administrators on the box. To our sheer disbelief, we
proceeded to find that every device on the hosted segment was using the
same password.
In many applications, hacking the application and network devices are only a means to reach the ultimate goal, which is often the database. Therefore, we set our sights on the Microsoft SQL Server. Noting the incredibly low security we had encountered to date, we joked that it would probably still be running with the default administrator account (user "sa" with a blank password). Our level of astonishment continued to rise when we found we were indeed correct. Perusing the database we noted the clients included republics, corporations, and royalty.
Before you bail out of the article at this point to click on the "TalkBack" link to blast this as an absolutely unbelievable story, consider our intention. Detailing our compromise of a system that a secretary could have hacked, does not provide us any true benefit. If we wanted to tout our capabilities I would regale you with a VoIP hack inside a governmental agency or some other more compelling tale. This article is intended to raise the awareness of those readers whose business critical data is in the hands of strategic business partners. Unfortunately, the level of security detailed in this narrative is 100 percent accurate.
Two for the price of one
The most compelling question asked during our conference call with
management was, "Can another BC-client compromise our infrastructure,
access our client data, and gain the ability to transfer funds, in the
same way that you did?"
We jointly agreed that testing this scenario was critical, but were uncertain of the legal implications of the effort. We quickly convened a second conference call, which would include BC counsel and our counsel.
After considerable discussion with...
For more, click here...
Talkback
Nothing new under the sun. This is reality the world over. Not common practice but still plentyfull around. It makes one wonder what kind of (business) reasoning and mindset was behind it all to make it all become reality. "GUI geil" some call it. Anything under the conceptual level is simply blocked out in the decision making proces as being irrelevant or not meaningfull enough. Those that agree with such attitude are pushed up to decision making powers. Those that don't are left to get blamed later given that they're not in a position to really do something meaningfull about it all. Human error that wasn't suppose to happen, you've heard of it. Reward the guilty, punish the innocent.
Thing to note however is that 'easy hacks' make for great news making but are still the tip of the iceberg. There's so much more but it isn't easy reading the average human can relate to at all.
Had a similar episode with a client, who had a teminal server with good Domian protection, yet had a blank password for a local logon. This was thier main Lotus notes mail server!