
Identity Theft in the Corporate World

Identity theft takes many forms – exploiting weak passwords, keystroke capture, phishing, Trojan software, social engineering, password sharing and so on. Not every attacker is sitting at home with their computer, trying to break into the corporate website. Sometimes all they have to do is call up and ask! As Dorothy Denning, author of Information Warfare and Security says, “Any medium that provides one-to-one communications between people can be exploited, including face-to-face, telephone and electronic mail. All it takes is a good liar.”

Organisations make very dangerous assumptions about the security of data on their networks. No-one considers, or more importantly tests, who might be able to view or steal mergers and acquisitions data, business plans, payroll information or BACS payments. On a typical corporate Windows network, anyone with an administrator account can see or copy anything. Putting information on a network server is not the same as locking it in your desk drawer.

Password Guessing

Today, access to information is almost always controlled by a password. Users, even technical experts and senior staff, frequently use incredibly easy-to-guess words, such as ‘password’, ‘holiday’, or even their own name. The use of trivial passwords to secure ‘service accounts’ – highly privileged accounts used by backup programs, network control software and anti-virus tools – is so common that gaining control of an entire network frequently takes no more than a few minutes.

Plug in a Windows laptop anywhere on the corporate network – this can be in head office, at a branch office or store, anywhere in any trusted third-party premises or perhaps through a dial-up connection. Browse the network using Windows Explorer and you will see all the Windows machines on the network – there is no need to log on or join a domain for this to happen.

Select a server (they are usually named in an obvious fashion) and attempt a ‘null session’ connection. The null session is a standard feature of Windows that enables you to list users, groups and group memberships, without any form of authentication whatsoever. Naturally there is plenty of free software on the Internet that will help you to establish a null session and then interrogate this information.

Now list the users in the Administrators and Domain Admins groups and look for patterns, or rather exceptions to a pattern. Typically, organisations use obvious naming conventions for user accounts, but these are usually ignored where service accounts are concerned. Service accounts are administrator-level accounts used to enable applications to log on to servers and domains – applications such as Backupexec, Arcserve, Tivoli are obvious examples.

Select each of these service accounts in turn and try to guess its password – it’s not as hard as you might think. Frequently, network administrators will select something obvious, such as a password that is the same as the account name! Beware that you don’t exceed the account lockout threshold, otherwise even the most harassed admin will guess something is up. If these fail, try those accounts which look like shared administrator accounts or scripted accounts, such as Administrator, Install, AutoInstall or similar. At least 50% of the time you will gain Domain Admin access, allowing you to create your own administrator account, join the domain legitimately and help yourself to any information on any server.
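The guessing described above deliberately stops short of the lockout threshold, which is exactly the pattern a defender should look for in the domain controllers’ logon audit. The following is an added example, not code from the original article: it scans constructed Windows-style logon records (4625 for a failed logon, 4624 for a success) and reports any source that repeatedly fails against privileged or service accounts while staying under the threshold, and whether a successful logon followed those failures. The account names, addresses, lockout threshold and minimum failure count are assumptions made for the example.

```python
"""Flag password guessing that stays under the account lockout threshold.

Added example, not code from the original article. Scans constructed
Windows-style logon records (4625 = failed logon, 4624 = successful logon)
and reports sources that repeatedly fail against privileged or service
accounts while stopping short of the lockout threshold, then notes any
success that follows those failures. Account names, hosts, the threshold
and the minimum failure count are assumptions made for the example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample records: "<timestamp> <event id> <account> <source address>"
SAMPLE_LOG = """\
2024-03-01T09:00:01 4625 backupsvc 10.0.5.23
2024-03-01T09:00:04 4625 backupsvc 10.0.5.23
2024-03-01T09:00:09 4625 backupsvc 10.0.5.23
2024-03-01T09:00:15 4625 backupsvc 10.0.5.23
2024-03-01T09:01:02 4625 arcserve_svc 10.0.5.23
2024-03-01T09:01:05 4625 arcserve_svc 10.0.5.23
2024-03-01T09:01:09 4625 arcserve_svc 10.0.5.23
2024-03-01T09:01:14 4625 arcserve_svc 10.0.5.23
2024-03-01T09:02:00 4624 arcserve_svc 10.0.5.23
2024-03-01T09:05:00 4625 jsmith 10.0.7.44
2024-03-01T09:05:30 4624 jsmith 10.0.7.44
"""

PRIVILEGED = {"backupsvc", "arcserve_svc", "administrator", "install"}  # assumed watch list
LOCKOUT_THRESHOLD = 5   # assumed domain lockout policy
MIN_FAILURES = 3        # assumed: fewer failures than this is treated as a typo


def parse_events(text):
    """Turn the whitespace-separated records into dicts (time kept so a
    caller can apply a window; the detection below does not need it)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, event_id, account, source = line.split()
        events.append({
            "time": datetime.fromisoformat(timestamp),
            "event": int(event_id),
            "account": account.lower(),
            "source": source,
        })
    return events


def find_guessing(events, threshold=LOCKOUT_THRESHOLD, privileged=PRIVILEGED,
                  min_failures=MIN_FAILURES):
    """Per source address, count failed logons against privileged accounts and
    flag accounts whose failure count sits in [min_failures, threshold), i.e.
    enough to be deliberate but not enough to trigger a lockout."""
    failures = defaultdict(lambda: defaultdict(int))  # source -> account -> failed count
    success_after = defaultdict(set)                  # source -> accounts that later logged on
    for ev in events:
        if ev["account"] not in privileged:
            continue
        src, acct = ev["source"], ev["account"]
        if ev["event"] == 4625:
            failures[src][acct] += 1
        elif ev["event"] == 4624 and failures[src][acct] > 0:
            success_after[src].add(acct)  # a guess worked

    findings = []
    for src, per_account in failures.items():
        hit = {a: n for a, n in per_account.items() if min_failures <= n < threshold}
        if not hit:
            continue
        findings.append({
            "source": src,
            "accounts": sorted(hit),
            "max_failures": max(hit.values()),
            "success_after_failures": sorted(success_after.get(src, ())),
        })
    return findings


if __name__ == "__main__":
    for finding in find_guessing(parse_events(SAMPLE_LOG)):
        print(finding)
```

On the constructed records the single finding is the source 10.0.5.23, which fails four times against each of two service accounts (just under the assumed threshold of five) and then logs on as arcserve_svc; the lone failure against jsmith is ignored. A real deployment would feed it the 4625/4624 events from every domain controller and treat a success after sub-threshold failures against a service account as an incident, not a helpdesk ticket.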

Impersonation

Social engineering by impersonation is very common. For example, an attacker will call the help desk pretending to be an employee, claim to have forgotten their password and ask the help desk to reset it or give it to them. The help desk will frequently do this without verifying the identity of the caller. Our testing shows that this is a very common scenario – successful at most organisations in all business sectors.

Another technique involves visiting the premises in person. As a bogus employee, visitor or cleaner, it is simple to look for information lying on desks, overhear conversations, plug in a keylogger or even just use a vacant desk and PC. In one case, I was able to gain access through the building’s back door, walk around every floor without challenge, read personnel information and customer contracts in unlocked cabinets, steal the contents of post trays and obtain a staff list containing names, job titles, e-mail addresses and phone numbers.

Check the Cleaner’s Credentials

The office cleaner wanders around the IT department emptying bins into a black plastic sack. He bends below each desk to look for stray sandwich wrappers and plastic cups. While he’s under the desk, it is a matter of seconds for him to attach a hardware keylogger between keyboard and system unit. These small keyloggers are effectively invisible on the back of the computer, and record every keystroke the IT staff make for the next week. They will capture usernames and passwords, as well as every e-mail and browser entry. Often this will include credit card information from Internet shopping, home address details, bank account details – in fact whatever the individual typed into the computer during that week.

Of course there are plenty of similar opportunities throughout the organisation – the CEO’s secretary’s PC for instance, or the finance director’s. Most organisations are vulnerable to this type of attack and will never know that it has taken place. The truth is that virtually no-one conducts proper staff vetting, and they certainly don’t check the cleaner’s credentials!

Industrial espionage and organised crime are a real threat, but most surveys show that the more significant risk is from inside the organisation. An employee can often see far more corporate information on the head office network than anyone realises. If hacking were to be defined as: “attempting to gain unauthorised access to sensitive information,” then most organisations have several hackers on their staff. Disgruntled employees (and ex-employees) present a very serious threat to business through access to critical data and personal information. Suppose an employee, with just a little Internet research, discovers how to read everyone’s e-mails or even send mails as if they were the CEO!

Removing and studying the contents of bins marked ‘For Shredding’ or ‘For Recycling’ proves very interesting too, as a source for passwords, network diagrams and personnel information. Shoulder surfing – looking over someone’s shoulder to see door entry codes, their password, information on their screen or what they are writing – is also extremely successful. Sometimes the simplest techniques are the most successful and often do not involve any technology at all.

Another successful technique involves using one of the oldest and slowest methods of communication – the postal service. It is easy and inexpensive to set up a PO box, providing an ideal way to hide and fake a business. Of course the mail has no content security so there are no technical controls to bypass. People are more likely to respond to a survey they receive in the post, since it appears much more legitimate when printed on paper. If a stamped, addressed envelope is included, then there is little effort or cost on their part. Of course, you offer cash or other prizes for completed and returned surveys.

Trojans and Keyloggers

Mail attachments and web links remain very popular among criminals, enticing users to click to gain access to something appealing or illicit while silently installing Trojan software on their computer. Once installed, this software can capture every keystroke and mouse click, and even take screen shots, then quietly mail everything to the attacker somewhere else in the organisation or even in another country.

Staff using laptops away from the office are a particular threat, since the opportunities for them to be infected with Trojan software, keyloggers and other malware are much greater than within the corporate environment. Where staff are permitted to use a home wireless network to access the Internet or head office networks, attackers may target an individual at home and use the unsecured wireless connection to sniff traffic or plant malicious software.

Despite the publicity over ‘phishing’ attacks, people are still vulnerable to spoof e-mails and websites. In one recent project, we crafted an e-mail with a link to a web page purporting to be a survey on information security hosted by our customer. We used graphics and links from the genuine corporate website on our own server to ensure the pages looked realistic. Using simple web forms, we harvested user names and passwords, as well as valuable information about the organisation’s security procedures and mailed the results to our own e-mail server. No-one noticed that the site was unencrypted, nor that it was hosted on an unrecognised IP address with no DNS name. Until a senior member of staff challenged the e-mail and instructed staff to ignore it, we were receiving mails containing names and passwords from innocent users.

Normal web browsing can also help steal identities. For example, a specially crafted pop-up window on an otherwise innocent website can reap rich rewards. Staff using the corporate network to browse a website will often respond to a pop-up box saying ‘Your connection to the network has been lost – please re-enter your username and password’. They continue using their network and the Internet none the wiser, while their credentials have been harvested by the website.

Laptops

When members of staff are travelling, unattended laptops can easily be infected without any obvious evidence of intrusion, or data may be stolen and later used to compromise the office network. This can undermine even the best VPN security by simple impersonation. Even when two-factor authentication is used (such as SecurID tokens), access still depends on good staff education. It is not uncommon for an individual to keep their token and their PIN with their laptop, thus undermining a secure system and providing a back door for attackers. Since the type of traffic permitted through a VPN connection is seldom restricted, the attacker can use any tool they wish to compromise the corporate network without even visiting the target office.

The Password Problem

There’s a common thread here of course – the password. Passwords are a hassle for users, with multiple passwords that always need changing. They are highly vulnerable and you can never know if passwords have been stolen until it’s too late. And of course they’re a dream for your enemies – whether internal or external, techie or not – passwords are easy to steal by shoulder surfing, social engineering, simple guesswork or by snooping, sniffing, hacking and cracking.

Addressing the Problem

Management must understand that all of the money they spend on software patches, security hardware and audits will be a waste without modifying staff behaviour and their susceptibility to social engineering. So what countermeasures can we implement?

Firstly, policies – one of the advantages of policies is that they remove the responsibility of employees to make judgement calls regarding an attacker’s requests. If the requested action is prohibited by policy, the employee has no choice but to deny the attacker’s request.

You need to ensure that everyone shreds unwanted phone lists, e-mail lists and other important documents. Some documents will obviously need to be locked away, so you must provide employees with sufficient lockable storage space to enable this. In the end, best practice is to have a clear desk policy that is enforceable and workable.

All staff must use screen savers with password controls and be instructed to lock their PC every time they leave their desk – opportunist access to unattended PCs is very common. Any sensitive information stored on desktops, laptops and PDAs must be encrypted. Smartphones and PDAs should have infrared and Bluetooth disabled by default and the organisation must have a policy restricting their use or the sensitivity of information stored on them.

Wireless local area networks (LANs) must be properly configured and tightly secured, whether in the office or at an employee’s home. Sensible guidelines must be issued to all staff regarding the risks of using wireless hotspots and Internet cafes. The organisation must ensure that all remote access is secured using VPNs and that no sensitive traffic, including e-mail, is transmitted anywhere in the clear.

A process and policy should exist to ensure that all hard disks, CDs and other media are physically destroyed rather than recycled or simply thrown away. A recent survey of 100 hard disks purchased on eBay and at car boot sales showed around 40% had sensitive data easily recoverable and a further 40% had not even been formatted.

Implement strong authentication for all remote users and for all privileged users and accounts. There are many two-factor alternatives to the traditional password, including SecurID, Smart Cards, smart USB keys and even mobile phone SMS texts.

Provide thorough end-user training on secure communications, including what can be discussed over the telephone, what can be discussed outside the building and what can be written in an e-mail. Try not to use e-mail notification or voicemails when away from the office – it sets up the replacement as a target. Most importantly, ensure everyone knows how to report an incident and to whom – most people do not.

Strengthen your helpdesk password reset process. Permit password resets only with call-back and PIN authentication or some other form of cross-verification. Implement incident reporting and response procedures for all help desk staff, together with clear escalation procedures for everyone in the incident chain. Help desk staff should be encouraged to withhold support when a call does not feel right. In other words – just say no.
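The reset rule above works because it takes the judgement call away from the help desk operator: the desk calls back the number on file, checks a PIN, logs the outcome and escalates after repeated failures. The following is an added example, not code from the original article, showing that policy as a small check the desk runs on every call. The directory, PIN, escalation threshold and the rule that service accounts are never reset by the help desk are all constructed for the example.

```python
"""Help-desk password reset gated by call-back and PIN.

Added example, not code from the original article. Encodes the reset rule
the article recommends: the desk calls back the number held on file (never
one the caller supplies), verifies a PIN on that call, logs every decision
and escalates after repeated failures. Accounts with no number on file
(service accounts here) are never reset through the help desk. Directory,
PIN and threshold are constructed for the example.
"""
import hashlib
import hmac

ESCALATE_AFTER = 3  # assumed: consecutive failures on one account before escalation


def pin_hash(pin):
    """PINs are stored hashed so the help desk screen never shows them."""
    return hashlib.sha256(pin.encode()).hexdigest()


class ResetDesk:
    def __init__(self, callback_numbers, pin_hashes):
        self.callback_numbers = callback_numbers  # username -> number on file (None = not eligible)
        self.pin_hashes = pin_hashes              # username -> pin_hash(PIN)
        self.failures = {}                        # username -> consecutive failures
        self.audit = []                           # (username, decision, reason)

    def _decide(self, user, decision, reason):
        self.audit.append((user, decision, reason))
        return decision == "RESET"

    def _failed(self, user):
        self.failures[user] = self.failures.get(user, 0) + 1

    def request_reset(self, claimed_user, callback_answered, pin_given):
        """Return True only when policy allows the reset.

        callback_answered: did the help desk's own call to the number on file
        reach the person asking?  pin_given: the PIN spoken on that call-back.
        """
        user = claimed_user.lower()
        if user not in self.callback_numbers:
            return self._decide(user, "DENY", "no such account on file")
        if self.callback_numbers[user] is None:
            return self._decide(user, "DENY", "account not eligible for help-desk reset")
        if self.failures.get(user, 0) >= ESCALATE_AFTER:
            return self._decide(user, "ESCALATE", "repeated failures; refer to security")
        if not callback_answered:
            self._failed(user)
            return self._decide(user, "DENY", "call-back to number on file not answered")
        if not hmac.compare_digest(self.pin_hashes[user], pin_hash(pin_given)):
            self._failed(user)
            return self._decide(user, "DENY", "PIN mismatch")
        self.failures[user] = 0
        return self._decide(user, "RESET", "call-back and PIN verified")


# Constructed directory for the example
DESK = ResetDesk(
    callback_numbers={"jsmith": "+44 20 7946 0000", "backupsvc": None},
    pin_hashes={"jsmith": pin_hash("4821")},
)

if __name__ == "__main__":
    print(DESK.request_reset("jsmith", callback_answered=False, pin_given="4821"))  # no call-back: denied
    print(DESK.request_reset("jsmith", callback_answered=True, pin_given="4821"))   # verified: reset
    for entry in DESK.audit:
        print(entry)
```

Because the caller never gets to choose the call-back number and a correct PIN after the escalation threshold is still refused, the operator has no decision to be talked out of; the only outcomes are RESET, DENY or ESCALATE, each with a logged reason.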

Train all employees – everyone has a role in protecting the organisation and their own jobs. If someone tries to threaten them or confuse them, it should raise a red flag. Train new employees when they start. Give extra security training to security guards, help desk staff, receptionists and telephone operators, all of whom have a vital role to play in blocking identity theft. Make sure you keep the training up to date and relevant.

Address the issue of easy-to-guess passwords. This is the single biggest hole in most organisations’ IT security defence. If your organisation is using a Windows network (and most are) and if you have upgraded to Windows 2000, XP or Server 2003, then you can use passphrases rather than passwords. A passphrase of 15 characters or more is easier to remember than a complex eight-character password, yet infinitely more secure. Compare “I would love to own a big red Ferrari” (29 characters and almost unbreakable) with “nUaY6zOs” (eight characters and impossible to memorise, yet easily broken with today’s password crackers).
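To put numbers on the comparison above, here is an added example (not code from the original article) that estimates the guessing effort for the two secrets in two ways: a character model, where the attacker must try every string of that length over the character classes actually used, and a word model for the passphrase, where an attacker who knows the phrase is English guesses whole words from a vocabulary. The word model is the honest figure for a phrase made of dictionary words; the vocabulary size and guess rate are assumptions, and the character count here includes spaces.

```python
"""Estimate guessing effort for a password versus a passphrase.

Added example, not code from the original article. character_bits() sizes the
search space by the character classes a secret uses; word_bits() sizes a
passphrase by whole words from an assumed vocabulary, which is the figure to
trust for a phrase built from ordinary words. The vocabulary size and the
guess rate are assumptions made for the example.
"""
import math
import string

CLASSES = [
    ("lower", set(string.ascii_lowercase)),
    ("upper", set(string.ascii_uppercase)),
    ("digit", set(string.digits)),
    ("space", {" "}),
    ("symbol", set(string.punctuation)),
]


def character_bits(secret):
    """Bits of search space if every string of this length must be tried over
    the union of the character classes the secret actually contains."""
    present = set(secret)
    alphabet = sum(len(members) for _, members in CLASSES if present & members)
    return len(secret) * math.log2(alphabet)


def word_bits(passphrase, vocabulary=10_000):
    """Bits if the attacker guesses whole words from a vocabulary of the
    assumed size, ignoring capitalisation and spacing."""
    return len(passphrase.split()) * math.log2(vocabulary)


def years_to_exhaust(bits, guesses_per_second=1e10):
    """Worst-case time to try the whole space at an assumed guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare(password, passphrase):
    """Side-by-side estimates; the passphrase's word figure is the one to quote."""
    return {
        "password_char_bits": round(character_bits(password), 1),
        "passphrase_char_bits": round(character_bits(passphrase), 1),
        "passphrase_word_bits": round(word_bits(passphrase), 1),
        "password_years": years_to_exhaust(character_bits(password)),
        "passphrase_years": years_to_exhaust(word_bits(passphrase)),
    }


if __name__ == "__main__":
    for key, value in compare("nUaY6zOs", "I would love to own a big red Ferrari").items():
        print(f"{key:>22}: {value:.3g}")
```

For the article’s two secrets the eight-character password sits at about 47.6 bits (62 symbols, eight positions), which at the assumed rate of ten thousand million guesses a second is exhausted in hours, while the passphrase scored by words (nine words from a 10,000-word vocabulary) is about 119.6 bits. The character model would credit the passphrase with over 200 bits; the gap between the two passphrase figures is why dictionary-word phrases should be sized by word count, not length, and why a phrase still wins by a very wide margin even when sized conservatively.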

Finally, have a security assessment test performed and heed the recommendations. Test the company’s ability to protect its environment, its ability to detect the attack and its ability to react and repel the attack. Have the first test performed when the company is expecting it, then do a blind test the second time around.

The Future of Authentication

Passwords simply will not die. No matter how often industry experts tell us that passwords are the single biggest problem with authentication systems, we seem to be addicted to them. Perhaps it’s because every computer system and application we encounter expects us to use a username and password. No-one wants to spend the money to switch to two-factor authentication – the cost of the tokens and the administrative overhead is deemed too great.

Biometrics seemed like a good idea, but then Tsutomu Matsumoto proved that fingerprint readers are utterly fallible using his ‘gummi fingers’ experiment, and anyway there’s the cost issue again.

Some imaginative solutions, such as Passfaces, appear from time to time. Unfortunately, the inertia of the corporate ‘standard build’, the perceived cost of implementation, the anticipated admin costs and most of all the absence of any real understanding of the issues leads to a continuation of the password legacy.

I had hoped that the corporate enthusiasm for identity management would facilitate a sea change in authentication mechanisms, but no. In fact it appears to simply multiply the risk without enhancing the log-on process at all.

There are a number of ways that identity security might progress in the future – maybe smart cards with simple and cheap smart card readers in every desktop and laptop? Perhaps USB tokens with a PIN number? Or perhaps the continuation of the password, enhanced into a passphrase and assisted by password safe software?

1. ‘Fun With Fingerprint Readers’, Bruce Schneier, 15 May 2002.
