Software Integrity

 

Red teaming a holistic view of security

Software pervades our everyday lives: cellphones, tablets, fitness monitors, websites, networked home appliances, medical equipment, drones and automated vehicles. We expect software to work, often overlooking the need for the software running these systems to be secure. While we stress the importance of building security in throughout the SDLC there are outside vehicles like rogue wireless points, cloned cellphones, tailgating, social engineering, stolen laptops, phishing attacks or planted malicious USB sticks which can put an organization at risk. This is where an activity like red teaming can help. If you are unfamiliar with the concept of a red team, it is when an outside/independent group is brought in by an organization to emulate an adversary and identify weaknesses that would allow sensitive assets to be compromised. This goal oriented testing identifies those things outside the scope of the SDLC an organization needs to address to stay more secure.

Recently I had the opportunity to pwn a cell phone belonging to an unnamed university network architect, who I’ll call Bob, and thought I’d share the story of how easy it is to infiltrate an organization thus highlighting the importance of software security, mobile phone security, and personal identity security!

While at a pub with friends one Friday night I found myself talking to the group at the next table, they are a part of the network security team at a local university. Having introduced myself as a penetration tester, Bob challenged me to hack his Facebook and upload a specific picture to his profile within a week. As there aren’t many ways of completing this task legally, I planned to consult with a few colleagues the next day to see what we could do. Within a few minutes of talking with Bob I knew his email address which is a useful starting point. A few minutes later I noticed Bob check his phone and put it down on the table screen light still lit up and unlocked. Seizing the opportunity I picked up a coaster and dropped it over the screen giving the appearance of being off and locked. I swiped his phone while we were talking (right in front of him I’ll add) and went into the toilet. In just a few minutes I sent a password reset from his Facebook app, logged into Gmail, clicked the link to change the password, logged into Facebook, uploaded the picture and returned to the table with the phone less than 5 minutes later. Once reseated I asked Bob if I should add him on Facebook, at that point he logged back into his phone and much to his surprise saw the updated photo.

When I shared my “Bob story” with colleagues, they pointed to the similarities in what I did to what they do with clients on a regular basis. I hit every point in their goal oriented testing strategy, starting with an objective (i.e., getting the picture on his account) and then moving into scheming and coming up with a variety of ways to accomplish the objective, and then of course the execution. A red team should consider security from a holistic perspective relative to the target objective. The composite attack approach is so effective because it highlights the risk associated with individual bugs/flaws in various (perhaps seemingly unrelated components), rolls them all together, and shows how a real world attacker can piece these things together to achieve their goal.

For all intents and purposes Bob’s mobile phone was secure, it was watched by him, required a pin, applications required usernames and passwords, and usernames and passwords were salted and hashed (delicious!) Thanks to my red team associates I could see and link a series of unrelated components to achieve the end goal of obtaining critical “internal use only” data or intellectual property. Oftentimes, corporate email and other services are accessible from our mobile devices, significantly increasing the attack surface with easily carried out vectors.

In this situation nothing bad actually happened, but with a malicious attacker you could see corporate infrastructure breached, bank accounts cleared, or purchases made on your credit card, all in less than 5 minutes with no real technical skills involved. For a great example [1] of what can go wrong click here to read about a journalist who lost his Google account, Twitter account, AppleID and all of the data on his iPhone, iPad, and MacBook. This story isn’t unique, the news is peppered with stories of data loss centered on lost or stolen corporate cellphones and laptops [2][3]. The next time you’re out for dinner or drinks remember to keep your laptop and cellphones safe.

[1] http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/
[2] http://en.wikipedia.org/wiki/List_of_UK_government_data_losses
[3] http://abcnews.go.com/Blotter/government-loses-laptops-hold-secret-info-passports/story?id=12449956