Coffee Space


Listen:

The Great Loss

I must express that the following article is theoretical and has not yet been exploited. I have to exaggerate that if you come across this and think "this could be my organization", that you simply fix it and warn others. Potentially, this is a real threat. The weakness I will describe here will be on the order of Sony's 'great leak' of 2014 for any company.

I often write as if I'm training you to do this, but of course it's simply easier to think in this manor when explaining how to do something and I hope you understand that I don't want you to go out into the wide world and do this. There is no need to speak of application, again, I'm telling you not to. Just because you could, doesn't mean you should...

Background

This whole idea is based off of the fact that humans are usually a weakness in any system and social hacking is still a very effective manor of gaining entry into any system. Most hacks of large corporations are going to be due to employee mistake and it's this that we rely on.

The scene is set with a disgruntled employee, leaving a company with a bad taste after having learned how to use their systems after the many years they had been there. They are not required to have any hacking capability, merely an ability to use their systems and think like a company user.

Assumptions

The following reasonable assumptions are made about the companies system, but are not completely relevant to exploit it:

Sending an Email

First things first, the good old email protocol is often forgotten as this "old thing that just works". In the mail protocol, you are allowed to define your own From address.

This means that by using a simple Linux email program, such as mailutils we can easily send an email with our own From field and html attachment to whomever we wish, a feature normally hidden by our now default email services by locking the From field. An example like the following would work:

echo "Email body" | mail -s "Subject line" /
-aFrom:From_Name\<From@email.com\> To@email.com

Note that the -a option may no longer work on newer machines, if I remember correctly you specify the fields directly in the message body followed by a new-line before starting the message body.

Now we have a basis for sending an email to a person and having it look like it is from a good source, say for example no-reply@company.com.

What to Send?

This is where the social hacking comes in. In my experience, if something looks nice and shiny, people just tend to role with it. It's the craziest thing. I propose an email like this would suffice:

________________________________________
|                                      |
| [Company logo here]                  |
|                                      |
| Dear valued employee,                |
|                                      |
|   We invite you to join us in        |
| celebrating the release of our new   |
| ___ website, please register [here]  |
| to get awesome stuff.                |
|                                      |
| Lots of Love,                        |
|                                      |
|   Mr Trust-worthy xxx                |
|______________________________________|

This is simple enough - and with a legitimate address who is a faithful employee to question the great hand of corporate authority? Of course, little do they know that you're little link will lead to somewhere of your choosing, where the battle-field is yours to take.

The Site

This is where your user will continue or your users will run away. It's important that the registration page isn't overly designed (because from a company perspective it'll only ever be used by each user once) and that it looks official enough to be passed as part of the usual company design. Make sure it's not exact, otherwise that will raise suspicion too. After all, the is a 'new' and 'improved' layout.

It's important to make sure that the domain looks official, but at the same time you wouldn't want to associate yourself with it or pay for it (on the assumption you will do something bad). Something like company-new-thing.freedomain should do the trick, it only has to survive the eye glance test.

On this site you will want to collect user details, as a normal registration would. The important thing here is to ask for their company username and a password, but the wording is important. Only ask for one passsword and simply ask Password:. This increases the probability they will enter EXACTLY the same password as the one they use for their company account. Users really hate having multiple passwords and tend to choose to keep it the same if possible, specially if they think it ought to be the same.

Remember, as soon as the email goes out emails will flood in, so it is important to make sure the data is acted on fast. We're talking about access to emails, user accounts, company data, everything. At a guess, if the company isn't expecting this attack you will get at least an hour before they realise they are being hacked. There will be a number of failed login attempts, I highly recommend that when a few good ones are found these are stuck with instead of trying them all as to prevent suspicion at first.

Bettering

There are many ways that this can be bettered - here is to name a few:

Safe Guarding

These are a few things you can do to safe guard your system...

It's not possible to make a perfect system as far as I'm aware, but you can certainly make a better one. Security is often extremely under-estimated.

Conclusion

As long as users know their passwords, they'll always be able to give them away. The only true way to prevent a user from becoming a flaw in a security system is to simply stop them from knowing their identifying credentials. I'm surprised that finger-print logins are not made more use of, they tend to be very good and for a work-station login - potentially very effective.

Once logged in, a computer should then store highly randomised passwords on behalf of the user as browsers such as Chrome are already capable. This way, the user is not responsible for either password generation or remembering of such passwords - preventing them from unwillingly becoming a point of entry. Of course they could still cause damage themselves, but it brings an element of accountability and therefore deters such action. I'll let somebody else much more clever figure out how to get around that one.