Introduction
This report describes and analyzes a security incident at a bank, carried out by a hacker called Gabriel. The story is taken from the book “The Art of Intrusion”. The attack did not begin with any intention of targeting the bank. Gabriel was simply browsing a website that listed the IP address ranges of particular organizations, and when he noticed the net-block (range of IP addresses) of a bank, it instantly caught his attention. He started looking for vulnerabilities in the bank's network and, being very skillful, soon discovered several that he could exploit [2].
This is a typical case from which we can learn how several security holes in a network can together create paths for hackers to compromise the whole system. Although Information Security research has produced countless studies on countermeasures and many kinds of tools that everyone should use to protect their systems, this case shows that even banks are not necessarily well secured. Moreover, the bank discussed in this report made very amateurish mistakes, such as using weak passwords and keeping sensitive data unencrypted [2].
Below we explain in detail how the 21-year-old hacker from a small town in Canada initiated the attack and how he gradually expanded his access to the system of the bank in Dixie.
Organization affected
The main organization affected by this attack was a bank located in the Southern United States. The bank had further national and international ties, which made the hack even more intriguing. It was using an online web application for wire transfers and possibly other services. Moreover, other organizations were reachable from the bank's internal network, so they were affected by the attack as well. From the internal network, the attacker had access to reports from Equifax, a consumer credit reporting agency, and from Tribunal Justice. He could also access the computer database of the state's Department of Motor Vehicles. This means that Gabriel was capable of breaching the privacy of millions of United States citizens: he had access to reports and information about personal credit ratings, criminal records, civil penalties, vehicle registrations and driver licenses [2].
Threat model
The bank's threat model was focused mainly on the physical aspect of security, and according to the attacker they had done a great job on that part. However, they had not implemented good protection against network attacks and intrusions. They did contract external security consultants every year to do a routine check on their network and servers, but this only gave them a false feeling of being secure. Overall, they did not pay much attention to network protection [2].
The attacker and attack type
Even though Gabriel, like most kids at that time, played computer games, he was very different from the rest of his generation. He got into hacking at the age of 15 and soon became obsessed with computers. Concentrating on computers was a great comfort to him during a hard time in high school, since being a “geek” was not considered a good social status. He expanded his knowledge by taking some Cisco courses at a local college, although, being a self-learner, he was often more knowledgeable than his teachers. At the time of the bank attack he was 21 years old and equipped with highly sophisticated hacking skills, among them the use of keyloggers and the exploitation of Citrix MetaFrame vulnerabilities. These skills were the result of practicing attacks and hacking systems, sometimes just for fun or out of boredom [2].
Gabriel's attack on the bank was mostly a passive network attack combined with active reconnaissance [3]. He gathered information, analyzed the network and inferred that the bank was using Citrix services. The attack then advanced by scanning the ports of each computer and server on the network, and on every compromised computer he searched for password files. All of these actions constitute passive attacks, in that the data was left intact at all times and nothing was changed. At the same time, the attack involved active reconnaissance, since it collected information from systems by interacting with them in a seemingly legitimate way (e.g. port scanning). Attacking in this manner, while preserving data integrity, makes the intrusion very hard to detect [4].
Exploited vulnerabilities
The bank's network had many vulnerabilities, which made the intrusion very easy; as Gabriel himself says, it “was so easy it was pretty dumb.” [2]
First of all, the bank was not using any Intrusion Detection System (IDS) or stateful firewall inspection on its network. This made it easy to identify all the systems running Citrix Terminal Services with a port scanning attack [5]. Citrix MetaFrame services are popular tools, widely adopted by corporations because they allow users to access their workstations remotely from outside the network [6]. In Gabriel's experience, systems running Citrix services usually do not have good passwords. In this case the intrusion was possible because most of the identified systems had no password set at all, which gave him free access to them.
Another vulnerability that allowed the attack to progress even further was that the staff, including the network administrators, were not educated enough to understand that storing the clear-text password of the main firewall in a file on a computer is about the worst thing they could do [7]. As Gabriel mentioned, 99% of the bank's employees were using simple passwords, and they also did not use antivirus software properly [2]. So the attacker's search for files containing the word “password” succeeded. The bank also had no good policy for defining and changing passwords, and the main router was left with its default credentials [8]. The attacker of course used this to make his connection more persistent.
The next exposure was the bank's flat network architecture, which gave Gabriel connectivity to all other network devices without any network-level authentication or authorization [9]. Besides this, the bank had earlier had a penetration test done by an external company and had not taken any countermeasures. The pen-test report and the instruction manual for wiring funds, both sensitive data, were saved on a server, so anyone who could access that server could easily see the vulnerabilities of the network and take advantage of them. This server still had a default password enabled, which made it easy for Gabriel to access it. Worse, the bank was not running any background antivirus, allowing him to freely install a key-logger to capture the local administrator password [10]. After that, since the bank did not have good password policies, he extracted and cracked the password hash of the Primary Domain Controller administrator without much effort, as the password was no longer than four letters [2].
The list below summarizes all the exploited vulnerabilities:
- No usage of any Intrusion Prevention or Detection system (IPS/IDS)
- Not setting passwords on many systems that were using Citrix Services
- Storage of clear text passwords in files
- Missing policy for defining and storing passwords
- Usage of default passwords for routers and servers
- Flat network architecture
- Not considering security vulnerabilities seriously
- Saving confidential files unencrypted
What was lost
Even though Gabriel had penetrated the whole network and had access to the main systems of the bank, he never had any malicious intent. He describes himself as a white-hat hacker, driven mostly by enthusiasm, whose only intention was to see how far he could breach the security. Despite such wide access into the bank's systems, there is no evidence that he tried to harm the bank or to profit from it, although he did consider the idea of helping some friends by improving their credit ratings. Still, calling yourself a white-hat hacker does not give you a “get out of jail free” card when you access a corporate network without permission and authorization. If you want to assess someone's security, a detailed legal agreement covering all the specifics of the penetration test must exist beforehand; otherwise you can get into trouble. Fortunately for him, he did not have to worry, since nothing was lost and nothing was detected on the bank's side. Basically, data integrity remained intact with few exceptions, and no traces of the intrusion were detected. However, had it been a black-hat hacker with bad intentions instead of Gabriel, this case could have been fatal for the bank. A malicious actor could have caused great damage because of the enormous network access the vulnerabilities provided: sabotaging the bank by using or selling the information to other corporations, or even wiring funds to any international bank [2].
Details of the attack
As soon as Gabriel had the bank's IP range and had noticed that they were using Citrix MetaFrame services, the attack began. He used a port scanner to detect open ports on each system, specifically looking for any system in the network range with port 1494 open, which means it can be accessed remotely through the Citrix terminal service.
Most of the systems he found had free access (no password), and on each of them he searched for any file containing the word “password”. Lucky enough, he found the firewall password. After that he tried to access the router and easily guessed its password, since it was the default one (never changed). From there, he added a firewall rule to allow VPN connections by permitting incoming connections on port 1723. Hence he managed to connect his own computer to the bank's internal network, as if it were part of the network. Because the bank's network was a flat architecture, he could reach the Citrix server (an IBM AS/400) and got in by guessing the default IBM password, “administrator”. Confidential documents were stored there, such as the penetration testing report from the contracted consultants and a detailed instruction manual for wire transfers, information which became very valuable for proceeding with his attack [2].
Next, since he already had access to the default IBM account as a Citrix user (a low-privilege user) and there was no antivirus set up, he was able to install a key-logger on the server, one specifically designed for Citrix servers. He then waited for the local administrator to log in, so that he could later use those credentials to access the Primary Domain Controller. After a while the administrator logged in and Gabriel captured his password. With these higher privileges he could do everything a bank employee could, such as wiring funds, accessing customer information, and checking loans and ATM activity. Not to mention that he could also access reports from the consumer credit reporting agency, Tribunal Justice and the database of the state's Department of Motor Vehicles [2].
Later, he went even further by extracting all password hashes from the Primary Domain Controller using the PwDump3 tool [11]. Now holding local administrator privileges, he did this by disguising the tool as something legitimate and making it run at system start-up, so that when the Domain Administrator logged into the system it would collect all the password hashes from the registry. He later retrieved the hashes, and since the password was very short, it was cracked in a matter of seconds [11].
Figure 1 – Abstract network design of the bank
Overall, the attacker used many vulnerabilities of the network. It started with network scanning, which led to the discovery of the Citrix workstations that he later accessed without much effort. This first phase of the attack consisted of gathering information and finding the weakest link. After that came the access to the firewall and router, and the connection of his own computer to the network over VPN. At this point he was making his access more persistent and more convenient, since he no longer had to work through the Citrix workstations. Next, he accessed the main server with several attack techniques, which included a lot of waiting; from this we can conclude that his intention was to get as much as he could from the server. This was the main part of the attack, since at this point he did not just gain the abilities of a bank teller, but went beyond that by having access to network security reports and technical details. In the end, holding the highest privileges, he was able to do anything he wanted.
Conclusion
Overall, in this case we observed many network security issues at the bank. It started with the lack of staff education, which left them unaware of security vulnerabilities. In particular, they did not understand the importance of authentication and authorization mechanisms, and were careless with their credentials. On the contrary, they even had the false feeling of being well protected because they contracted external consultants. Moreover, they did not respond to the consultants' suggestions and ignored the penetration test report. Besides that, they had severe problems in network architecture, with a flat network design that made the attack more feasible. Finally, they did not have any policy for defining and managing passwords.
Certainly, after all of Gabriel's successful attacks, we can draw the same conclusion as the author of the source, Kevin Mitnick: the bank was suffering from serious network security vulnerabilities [2].
Recommendations
Based on the conclusions, we can say that the attack was mostly successful because of poor password security, bad network design and the absence of continuous monitoring. Therefore, good password policies and mechanisms to enforce them on systems are among the most crucial things in security: requiring a level of password complexity at which exhaustive cracking becomes practically infeasible, and changing passwords periodically [12]. There are also plenty of tools for defining and managing passwords, such as KeePass [13]. Of the many functionalities that KeePass offers, two are the main ones: it lets the user generate strong passwords according to specific rules, and it stores and manages passwords in a securely encrypted vault.
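To make the password recommendation concrete, the following Python code is an added example (not from the report, the book or KeePass) that checks a candidate against a simple policy and estimates the worst-case exhaustive cracking time; the minimum length, the banned-word list and the guessing rate are assumptions chosen for illustration, and the estimate shows why the four-letter administrator password in this case fell in seconds.

```python
import string

# Policy values and cracking rate are assumptions for illustration only.
MIN_LENGTH = 12
GUESSES_PER_SECOND = 1e10        # assumed offline rate against fast hashes
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def keyspace(password):
    """Alphabet size an attacker must assume, from the classes present."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in password))

def brute_force_seconds(password, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every string of this length and alphabet."""
    return keyspace(password) ** len(password) / rate

def check_policy(password, banned=("password", "admin", "letmein")):
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if sum(any(ch in c for ch in password) for c in CLASSES) < 3:
        problems.append("uses fewer than three character classes")
    if any(b in password.lower() for b in banned):
        problems.append("contains a banned word")
    return problems
```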
Improving the network design using the defense-in-depth methodology is another recommendation. This is achieved by separating security responsibilities into layers, where each layer implements security countermeasures appropriate to its importance [14]. In practice, sub-networks and/or virtual local area networks (VLANs) can be used to separate the network into different layers, either logically or physically. With a layered network, managing security rules is easier, since different rules can be set for different networks.
Apart from that, continuous network monitoring and auditing should take place. An Intrusion Detection System (IDS) can be used to automate this process and potentially catch IP and port scanning attacks. IDSs can also detect unusual or malicious activity on the network based on configured rules, for example limiting network activity after business hours, or flagging many distributed connections to the same IP address [15].
Another considerable countermeasure is to apply the principle of least privilege to all employees. This means that each user operates only with the minimum privileges needed to accomplish their tasks, so that in the case of an attack the damage that can occur is limited [16].
Finally, installing the latest patches and updates for operating systems and applications, as well as using real-time antivirus, is the best way to be protected from any form of malware, such as trojans, keyloggers and viruses [17].
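As an added illustration of the rule-based detection recommended above (this script is not from the report or the book, and the log format and addresses are constructed for the example), the following Python code flags two patterns from this case over sample firewall log lines: one source probing many hosts on the Citrix port 1494 within a short window, and remote-access connections on ports 1494 and 1723 accepted outside business hours.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log: timestamp, source, destination, port, action.
SAMPLE_LOG = """\
2016-01-16 02:13:01 src=203.0.113.7 dst=192.0.2.10 dport=1494 action=accept
2016-01-16 02:13:02 src=203.0.113.7 dst=192.0.2.11 dport=1494 action=accept
2016-01-16 02:13:02 src=203.0.113.7 dst=192.0.2.12 dport=1494 action=drop
2016-01-16 02:13:03 src=203.0.113.7 dst=192.0.2.13 dport=1494 action=accept
2016-01-16 02:13:04 src=203.0.113.7 dst=192.0.2.14 dport=1494 action=drop
2016-01-16 09:30:11 src=192.0.2.50 dst=192.0.2.10 dport=1494 action=accept
2016-01-16 10:02:45 src=192.0.2.51 dst=192.0.2.20 dport=443 action=accept
2016-01-16 23:41:09 src=198.51.100.9 dst=192.0.2.1 dport=1723 action=accept
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"dport=(?P<dport>\d+) action=(?P<action>\w+)$")
BUSINESS_HOURS = range(8, 18)          # 08:00-17:59 local time (assumed)

def parse_log(text):
    """Parse the constructed format above; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
            ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events

def detect_port_sweeps(events, min_hosts=5, window_seconds=60):
    """One source touching >= min_hosts distinct hosts on the same port within
    window_seconds. Dropped and accepted probes both count: the sweep is the signal."""
    by_src_port = defaultdict(list)
    for ev in events:
        by_src_port[(ev["src"], ev["dport"])].append(ev)
    alerts = []
    for (src, port), evs in by_src_port.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            hosts = {e["dst"] for e in evs[i:]
                     if (e["ts"] - first["ts"]).total_seconds() <= window_seconds}
            if len(hosts) >= min_hosts:
                alerts.append((src, port, len(hosts)))
                break                   # one alert per (source, port) is enough
    return alerts

def detect_after_hours(events, watched_ports=(1494, 1723)):
    """Accepted remote-access connections (Citrix ICA 1494, PPTP 1723) outside business hours."""
    return [(ev["ts"].strftime("%H:%M"), ev["src"], ev["dport"]) for ev in events
            if ev["dport"] in watched_ports and ev["action"] == "accept"
            and ev["ts"].hour not in BUSINESS_HOURS]
```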
References
[1] Cisco Systems Inc., “Cisco 2014 Annual Security Report”. [Online]. Available: http://www.cisco.com/web/offer/gist_ty2_asset/Cisco_2014_ASR.pdf [Accessed: January 16, 2016].
[2] K. D. Mitnick and W. L. Simon, “The Art of Intrusion: The Real Stories behind the Exploits of Hackers, Intruders & Deceivers,” Indianapolis: Wiley, 2005, pp. 139-151.
[3] SANS Institute, “Network Reconnaissance: Detection and Prevention,” Global Information Assurance Certification Paper, 2003.
[4] M. Rouse, “Passive Attack,” TechTarget, August 2014. [Online]. Available: http://whatis.techtarget.com/definition/passive-attack [Accessed: November 16, 2015].
[5] W. Fuertes, P. Zambrano, M. Sanchez and P. Gamboa, “Alternative Engine to Detect and Block Port Scan Attacks using Virtual Network Environments,” International Journal of Computer Science and Network Security, vol. XI, no. 11, pp. 15-18, 2011.
[6] N. Lineback, “Citrix Metaframe”. [Online]. Available: http://toastytech.com/guis/remotecitrix.html [Accessed: January 16, 2016].
[7] SANS Institute, “Clear Text Password Risk Assessment Documentation,” SANS Institute InfoSec Reading Room, 2002.
[8] K. Scarfone and M. Souppaya, “Guide to Enterprise Password Management,” National Institute of Standards and Technology, SP 800-118, pp. 9-31, 2009.
[9] K. P. Wimmer, “Secure Network Zones,” atsec information security GmbH.
[10] C. Herley and D. Florencio, “How To Login From an Internet Cafe Without Worrying,” Symposium on Usable Privacy and Security, pp. 1-2, 2006.
[11] B. Ewaida, “Pass-the-hash attacks: Tools and Mitigation,” SANS Institute InfoSec Reading Room, 2010.
[12] Hitachi ID Systems, Inc., “Password Management Best Practices,” Hitachi ID Systems, 2015.
[13] D. Silver, S. Jana, E. Chen, C. Jackson and D. Boneh, “Password Managers: Attacks and Defenses,” Stanford University.
[14] A. Shamim, B. Fayyaz and V. Balakrihnan, “Layered Defense in Depth Model for IT Organizations,” International Conference on Innovations in Engineering and Technology, pp. 1-4, 2014.
[15] H. Debar, “An Introduction to Intrusion-Detection Systems,” IBM Research.
[16] J. Langford, “Implementing Least Privilege at your Enterprise,” SANS Institute, 2003.
[17] J. Madden, “Avoiding security risks with regular patching and support services,” Ovum.
Co-Authors
Shkelzen Vishi – http://vishi.website/
Sihana Nuredini – [Link-to-be-added]