RSA Conference Europe 2012 – Hacking the Virtual World

Jason Hart, SafeNet

This talk demonstrates some live tools and hacking demos, so starts with the standard disclaimer;

ALWAYS GET PERMISSION IN WRITING!

Performing scans, password cracking etc. against systems without permission is illegal.

Use any mentioned tools and URLs at your own peril!

CIA – Confidentiality, Integrity, Availability / Accountability / Auditability, while still important has gone out of the window in terms of being the core mantra for many security professionals and managers.

Evolution of the environment and hacking;

1st Age: Servers  – FTP, Telnet, Mail, Web – the hack left a footprint

2nd Age: Browsers – Javascript, ActiveX, Java etc.  These are getting locked down, slowly and incompletely

3rd Age: Virtual Hacking – Gaining someone’s password is the skeleton key to their life and your business.  Accessing data from the virtual world can be simple – Simplest and getting easier!

Virtual World – with virtual back doors.  This is the same for cloud computing and local virtual environments.  What do you do to prevent your virtual environment administrators copying VMs and even taking these copies home?  You need to prove both ownership and control of your data.

The question is posed – how much have we really learnt over the last 15 years or so?  We need to go back to basics and re-visit the CIA model.  Think of the concept of a ‘secure breach’, if our important data is protected and secure, being breached will still not gain access to this.

Demo against VMWare 4.1 update 1.  Using a simple scan, you can find multiple VMware serers and consoles directly to the internet, remember though these attacks can easily be launched from within your environment.

Outside of this talk, this raises the question – how segregated are your networks.  Do you have separate management, server, and database etc. networks with strong ACL policies between them?  If not I’d recommend re-visiting your network architecture.  Now.

Once you find a vCentre server, the admin / password file is easily accessible and only hashed in in MD5.  This can be broken with rainbow tables very quickly.  You can then easily gain access to the console and thus control of the whole environment.

To make things even easier tools like metasploit make this sort of attack as simple as a series of mouse clicks.  I’d recommend checking out metasploit, it’s a great tool.

Look at www.cvedetails.com for details on just how many vulnerabilities there are, this site also classifies the vulnerabilities in terms of criticality and whether they impact CIA.  This is a great input into any risk assessment process.

Discussion around the pineapple wireless tool;

http://hakshop.myshopify.com/products/wifi-pineapple

In brief this tool can do things like;

–          Stealth Access Point for Man-in-the-Middle attacks

–          Mobile Broadband (3G USB) and Android Tethering

–          Manage from afar with persistent SSH tunnels

–          Relay or Deauth attack with auxiliary WiFi adapter

–          Web-based management simplify MITM attacks

–          Expandable with community modules

–          And much more – look it up if you are interested, it has huge capabilities!

This tool is only $99 for anyone who thought the barrier to entry for this type of functionality would be high.

Then try linking tool like this with the capabilities of software such a Cain and Abel;

http://www.oxid.it/cain.html

This is described as a password recovery tool, but can do so much more.  A prime example of the abilities of this tool is Arp poisoning such that you can see all the traffic on a given subnet / vlan.  I have personally used this to record (with approval of course!) VOIP calls in order to demonstrate the need to encrypt VOIP traffic.  Cain even nicely reconstructs individual call conversations for you!

This is another personal favourite of mine – if your VOIP is not encrypted, why not?  Does your board know if is trivially easy to record their calls or those of finance and HR etc. on your network?

Talk went on to cover some further easy attacks such as those using the power of Google search syntax to gain information such as from Dropbox, Skydrive, Google Docs etc.  An example was finding Cisco passwords in Google docs files.  This leads onto another question, are you aware of just how much data your organisation has exposed in the wild to people who merely know how to search intelligently and leverage the powerful searching capabilities of engines such as Google?

To make things even easier, Stach and Liu have a project called ‘Google Hacking Diggity Project’ that has created a feely downloadable tool for creating complex Google / Bing searches with specific tasks in mind such as hacking cloud storage etc.

This and various other attack and defence tools can be downloaded here;

http://www.stachliu.com/resources/tools/google-hacking-diggity-project/

I’d recommend you work with your organisation to use these constructively in order to understand your exposure and then plan to remediate any unacceptable risks you discover.  The live demonstration actually found files online with company usernames and passwords in, so this exposure is demonstrably real for many organisations.

Talk ended with a brief comment on social networking and how the data available here such as where you are from, which schools you went to etc. can give hackers easy access to the answers to all your ‘secret’ questions.

Remember the term ‘secure breach’ – are important data is all encrypted with strong, robust processes.  We were hacked, but it doesn’t matter.  The CI part of CIA is critical!

I loved this talk, some great demos and reminders of useful tools!

As mentioned at the start, please be sensible with the use of any of these tools and gain permission before using them against any systems.

K

Advertisements

Author: Kevin Fielder

Innovative and dynamic security professional, with a passion for driving change by successfully engaging with all levels of the business. I am a determined individual with proven ability to provide security insights to the business, in their language. These insights have gained board buy in for delivering security strategy aligned to key business goals. This is achieved by understanding the need to drive change through people, process and technology, rather than focusing exclusively on any one area. I take pride in being a highly articulate, motivational and persuasive team-builder. I have a strategic outlook with the ability to engage with and communicate innovative and effective security solutions to all levels of management. Along with a proven ability to translate security into business language and articulate the business benefits I am also passionate about leading security innovations and making security a key part of the business proposition to its customers. Security should be made a key differentiator to drive sales and customer retention, not just a cost centre! Outside of work I am a proud husband and father to an awesome family, and a passionate CrossFit coach and athlete.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s