Monday, June 27, 2011

Customer Wow Factor = 100, Customer Value Factor = 0

The netragard guys have an interesting post on their blog. Due to an *extremely* limited scope they ended up creating an USB switchblade/rubber ducky/USB keyboard HID/personnel autopwner. They called it a Hacker Interface Device (HID).

I don’t want the rest of the post to take away from the coolness of them building that, its friggin cool, and I want one...so hook a brother up [1]. But why of ALL the options that exist to break into a network were they forced to go that route. Now they mentioned "a rather restricted scope" and go on to say:

"The scope included a single IP address bound to a firewall that offered no services what so ever. It also excluded the use of social attack vectors based on social networks, telephone, or email and disallowed any physical access to the campus and surrounding areas"

and:

"With all of these limitations in place, we were tasked with penetrating into the network from the perspective of a *remote threat*"

They didn’t go into detail on if the client had a class B of crap and it was just "off limits" or if they really just had 1 IP with no services acting as the company’s NAT'ing gateway. I've been there (I had one client that had their outbound proxy (offering no services) and a static html site and that was it). They also didn't go into detail on why phishing or telephone SE wasn’t allowed or why merely walking into the facility was also not possible/allowed.

Maaaaaaybe both of those options were technically or financially infeasible to the average bad guy ( or maybe just for the *remote threat* they were emulating) and spending a few hours/days building a hardware device to snail mail to users was more “feasible” or maybe the client sat around and tried to figure out the least best way to spend their security budget. I don’t know.

I do know that unless there were some extreme extenuating circumstances the role of the attacker they were forced ( but really more agreed ) to play was a flawed role. I think its unrealistic to think that someone wanting to get in to a company’s digital infrastructure will spend hours/days making a tool/device, mail it to some users, and wait undetermined amount of time to plug in and pwn users as a first course of action instead of just phishing someone (need proof?--> RSA, Aurora, Sony). I’ll leave out the GIGANTIC trail leading back to the attacker by snail mailing anything (would you send something that critical without delivery confirmation?)[2]. Again, not to downplay the coolness of the HID, its very cool, too bad the client didn’t allow them to spend that time and creativity figuring out multiple plausible attack paths to break into their site vs one really neat but not the path of least resistance (and therefore most probable) attack vector.

Attackers tend to keep as far away of physical items for use in their attack as possible. Attackers use coffee shop or hacked wifi, TOR, and multiple VPNs as a means of providing as little digital forensic evidence as possible, which isn’t hard to do, yet as law enforcement is still figuring out digital forensics. On the other hand, physical forensics is an ancient art. It’s doubtful the Netragard guys used rubber gloves while creating the device and boxing it. Did they pay cash for the items they made the device out of? Did they have their phones on them if they went to a store to purchase the items? Even if they paid cash phone records could put them at the location of purchase. Was there any sort of trail that someone with resources could use to trace back to them? These steps weren’t mentioned in the post and if they were truly trying to help the client with such an attacker (essentially the mindset of a bomb maker) there would be a lot more steps involved, vice ‘look what I can do’.

We need to do our best as security professionals, as people that sell security services and as people who give advice to do away with asinine scope restrictions like the one mentioned above. Scopes like this one provide little value to the client because it it isn’t how 99% of the attacks against them will happen. Protecting against an attack that will happen 1% of the time just isn’t cost effective. (Perhaps all the normal paths of entry have been thoroughly tested and mitigated against and the client really needed a creative approach to breaking, but I doubt it.) If the ease of which companies have been getting owned lately has not clued everyone in to the overall lacking of testing and security posture I'm not sure what will.

However, I don’t think its the testers that are lacking, or even a lack of methodology on how to go after clients, that stuff is out there. How "APT", "determined bad guy", "buzzword term" have been breaking into these companies is WELL documented. What testers are lacking is the ability backbone to stand up and tell the client that testing with that type of scope is highly unrealistic to the actual risk and the threat they are facing and that their money would be better spent doing X,Y or Z instead of some silly unrealistic scenario where the client gets to control the outcome or its such an obscure scenario that its going to happen 1% of the time, if ever, and thus promptly ignored by management.

Nickerson (and others) have said it many times "Attackers don’t have scopes" and as much as possible neither should your testers.


[1] Actually Darren from Hak5 did hook me up with a demo one and its awesome:

“The HID attack is a lethal favorite as it exploits the inherent trust between man and machine. Since sharing our proof-of-concept with Irongeek at Shmoocon we have been excited to see a new era of physical attacks evolve. After months of R&D we know everyone will soon share in our excitement as we debut the Hak5 USB Rubber Ducky - the next evolution of the USB Switchblade platform. --Darren Kitchen”


[2] I had a lengthy discussion about if you’d actually insure/delivery confirmation your payload. The person said no one would do that because its “CSI Miami Dumb”, which I agree with but I cant image if you were to place your success of breaking into a company on a snail mail/user assist attack you wouldn’t find some way to know if the package even made it to the target or not. Arrived and target didn’t plug the device in is way different than device getting lost in the mail. I’m positive the boss of the guy responsible for the operation would want to know too :-)

4 comments:

  1. What do you do then when faced with a job with such restrictions? Tell them they are stupid and walk away?

    Seems like there will always be a consultant who wants money so they will pull off the "movie plot" attack vectors to get into a company... and as long as someone will do it, they will get the job.

    The market forces are seemingly driving the consultants to be stupid...

    ReplyDelete
  2. Actually dehaul, yes. We walk from jobs all the time where we can anticipate the lack of value for the customer. there are plenty of companies willing to compromise their morals and better judgement for the all mighty dollar. We take a stand against that. I am not saying everyone should, but we most certainly do.

    ReplyDelete
  3. Here here. So many of the so called "pen-test" scopes end up having organizations hone their security on such a narrow attack surface, that when it comes to a real attack, it reminds of that scene in Indiana Jones where the guy whips all those swords around all fancy and then Indy just shoots him. Most pen-testing scopes is all about swordplay while attackers use guns.

    ReplyDelete