With a foothold already established inside the ASP's infrastructure, we set out on BC's behalf to determine whether their data was exposed to any of the other banks hosted there. The ASP had done a good job of segregating clients from one another. ICMP ping sweeps confirmed the existence of duplicate infrastructures for dozens of other banks, but when we tried to enumerate those clients' hosted servers from the ASP network, all we could do, to our disappointment, was ping them.
Fortunately, one of our test team members came up with the clever idea of writing and deploying a quick script that fed periodic netstat output back to the console we were sitting at. Netstat is a command-line utility, available on Windows and Unix-like systems alike, that lists active TCP connections and the ports a host is listening on. We had noted several "interesting" ports that multiple systems were listening on, and our hope was that we might catch a connection to one of them in progress.
After an hour or so, we observed a connection to one of the boxes we were watching, coming from a network we had not previously been aware of. Fingers crossed, we attempted to telnet to the newly found IP address, without success. Our second attempt, a secure shell (SSH) connection to the box, was more promising: we were challenged for a user name/password combination. As you have likely guessed, "administrator"/"ASP" put us on the box with root privilege.
It was a Linux system running Little Brother, an open source network monitoring tool that was monitoring all of the ASP's clients. We SSH'd from the Little Brother box into another hosted bank's network and were not surprised to find that the "administrator"/"ASP" combination was...
Talkback
Nothing new under the sun. This is reality the world over. Not common practice, but still plentiful. It makes one wonder what kind of (business) reasoning and mindset was behind it all to make it all become reality. "GUI geil" some call it. Anything under the conceptual level is simply blocked out in the decision-making process as being irrelevant or not meaningful enough. Those that agree with such an attitude are pushed up to decision-making powers. Those that don't are left to get blamed later, given that they're not in a position to really do something meaningful about it all. Human error that wasn't supposed to happen, you've heard of it. Reward the guilty, punish the innocent.
The thing to note, however, is that 'easy hacks' make for great news but are still only the tip of the iceberg. There's so much more, but it isn't easy reading that the average human can relate to at all.
Had a similar episode with a client, who had a terminal server with good Domain protection, yet had a blank password for a local logon. This was their main Lotus Notes mail server!