November 15, 2007

A Story of Stolen Data

Details of this encounter have been changed to help protect the identity of the company I did the work for. It is illegal to access computer information without permission, so please do not use the information provided to do anything illegal.

Everyday I deal with people who just don't seem to think security is that big of a deal. As a computer technician I am tasked with implementing policies that that allow staff to do their work, and at the same time keep their information secure. One particularly stubborn client refused to implement even some of the most basic security procedures because they didn't want to make it harder for the employee's to work (despite me showing them how it wouldn't) I got sick of just telling them how bad it was and decided to prove how easy it was to steal their companies information.

This is what I did:

To make sure what I was doing was could be applied to a real life scenario, I decided to set some rules for this challenge.

  1. I would only use software that was readily available for free download
  2. I would not use my user information (as a contractor, I already had admin level access)
  3. I would not use any proprietary knowledge of the company, any info I used must be attainable by an outsider with minimal effort.

The first step in trying to steal data from a company is to figure out who already has access to it. A pretty good assumption about very company is that the CEO and most of the senior management will have access to just about anything valuable that the company has, so I decided they would be my primary target. I hopped onto the company’s website to do some recon work. I was able to get the First and last name of all of their senior managers, the departments they were responsible for, and their email addresses. So in less than 2 minutes I had a good deal of the information you need to do some of the real work.

With manager’s names in hand, I went to Google and did a search on each. I was able to find the home addresses of each person, home contact info, contact info from the company and some more details about the people they work with (including 2 of their secretaries names and email addresses) I also searched the to get all the phone numbers listed for the company and the address of all their offices. (I knew this info already, but remember, I want to make sure any info I had could be obtained easily by others) I printed out some maps to the offices and took a drive by one of them.

I parked in the parking lot among a bunch of other cars, popped open my laptop and searched for available wireless networks. Conveniently, one popped up and the name was obviously there’s (while not the name of the company, anyone remotely familiar with the company could guess it was there’s). It was a good start. But the network was secure (good for them not for me) but luckily they were using WEP. I smiled as anyone familiar with network security would, because WEP, while better than nothing, is by no means good. I didn't have time to sit and crack the key right then and there so I left. I came back another day, parked my car, left my laptop running inside plugged into a power inverter, and used the AirCrack Package to capture the packets on the network while I went and had some lunch. I came back a bit over an hour later and had a sufficient amount of data to crack the WEP key. Wonderful, so I left. I went home (as I had other things to do that day) and cracked the WEP key so when I returned I could get some work done.

I went back a few days later, connected to their wireless network, and used NMAP to scan the subnet to see how many computers were connected. A bunch came up and by the ports that were open, I could tell they were using Windows Remote Desktop and running Windows XP. Perfect.

One of the cool things about remote desktop is, if you try to connect to a computer, and someone else is logged in, it warns you so you don't kick them off. This is good because it lets you know you have the right password without actually logging in. So I tried to connect to a handful of them using the default Administrator user name with no password (which is the default). It worked on 2 of the 5 computers I tried. At this point, I consider myself successful because I could easily plant a key logger on the computer and just let it capture user info for me, but I wanted to continue.

I searched the network for open shares. Most computers had the default shares open and available, I also found a couple of network shares, excellent, this is where the good data is. With the default shares being available, I was able to find the user names for people who logged in on the computers (if you look under documents and settings there is a folder for every user who ever logged in, their user name is what is used to name the folder) So now I was able to figure out the naming convention for user names (which is usually the same as email, but not always. In this case, it was not the same)

I also decided to try if a favorite tool of mine would work. It’s called GenControl basically what is does is remotely install a VNC client to the default share of a computer and then connect you to it. Once you disconnect, it deletes the install. For those of you who don't know, VNC is remote access software. Once connected to VNC you have full control over the computer as the user who is logged in. I successfully connected to a few computers without problems and without the users noticing as far as I could tell.

So let’s recap what I have done in about the span of a week (could have been done in a day had I dedicated the time to it)

  • Found the locations of their branches
  • Got information (including personal info like home address) about senior members
  • Cracked the key to their wireless network
  • Gained admin rights to several computers
  • Located several network share
  • Successfully installed remote access software on several computers

From here I had a few options. I could continue my exploration and actually steal data, or just write out the additional steps on what to do to get that data since by this point the hard work is done. I decided to just explain the damage I could do. Here are some things I could do with my current access.

  1. Install sniffer software on the computers and just wait to be sent the user names and passwords of everyone who logs in to the computers
  2. I could hijack one of the email accounts for one of the users I got access to (one was an assistant to a senior manager) and send messages from there to gather other info
  3. I could copy/delete data from one of the shares copying is the big danger, not deleting since most companies have backups.

If I wanted to do a little more work, I could head to one of the senior members homes. I guarantee each has a computer online and id guess half of them have wireless routers (I asked about it later, and actually all of them use wireless routers) and the thing about people is they are very habitual. If they have so little concern for security in the company they run, I guarantee their home security is worse. I can drop a sniffer on their home computer and capture their info if they ever log in to check their email from home (and what CEO doesn't?) and with that chunk of info, I would have pretty close to total access.

With all the information I gathered I went and met up with some of the senior management of the company. I showed them how easy it would be to get to their data, they were surprised and upset that I went and did this (no one likes when you point out their flaws). After a heated argument, I just asked "are you mad at me, or mad at yourself for letting this happening?" and we started to have a reasonable discussion. Over the next few months I was able to implement some basic security for them, and while not ideal, it would certainly take me longer than a day to break in the next time around.

Also, I never used it in this case, but gathering personal info about senior members helps when using social engineering to gather info. If you call and say “seniorVP said to call you and you can tell me how to access fileX” you are going to get helped. Or you could be really aggressive and just try to convince the IT department that you are the senior member and reset your password. (Although this will rarely work in a small company because they know the senior members)

In an upcoming post I will detail some of the changes companies can make with little effort that add a lot of extra security to their networks.

Bookmark this post:
StumpleUpon DiggIt! Del.icio.us Yahoo Technorati Reddit Google