Wednesday, January 16, 2008

Physical and point of access security

I'm going to put remote security on hold for a post or two and talk about physical and point of access security. That is, security that protects the physical servers and business computers tied to them.

If you were to ask the average office worker if their machine was secured against unauthorized use, they would say "yes, I have a password on it!"

And indeed they will have a password of dubious quality. Now, there are ways to circumvent their password, such as checking their desk for a password, or listening in on their conversations. However, this is only marginally successful, and even if you do acquire their login credentials, their system rights may be inhibitive to your ultimate goal of full server access.

So, how would an attacker attempt to gain system access, and then server access?

Well, let's lay out the steps that are required:

1. Gain access to the building.
2. Gain access to a computer on the network.
3. Make changes/acquire information in a short amount of time.
4. Leave little or no trace and exfiltrate the building.

Okay, so the attacker knows he needs to find a method of infiltrating the company, which involves some social engineering (unless you're James Bond's little brother). The difficulty of this step depends on the security measures in place at the location the attacker wishes to strike. There are three classes of businesses that the attacker needs to be aware of for this purpose:

1. Small: One or two floors of a building that is staffed only during working hours.
2. Medium: One entire building with staff that generally work during business hours.
3. Large: A multi-building corporation that has staff who potentially work different shifts.

Now, the small and large businesses are actually the most difficult. A small business will not have full time security, but will be fully staffed during business hours, and everyone will be familiar with each other. A stranger will raise suspicion very quickly. Also the building will be locked and an alarm set after everyone leaves.

A large corporation will have full time security, most likely with a reception desk and security cameras, ID badges, key card locks, and security points.

Medium size businesses, however, are at the transition point. They are large enough that a new face is not unexpected, but they cannot afford a large security staff.

So, we have our list of obstacles for the attacker. Let us define them, working from the outer perimeter, inwards:

Physical Obstacles
1. Perimeter Fence: If the company has a fence, I would advise against trying to jump over it. The chances are they have cameras watching it. Also, why have a fence if you don't have a gate house?

2. Gatehouse: Guardhouse, security checkpoint, whatever you desire to call it, the function is the same. Larger companies have them to control traffic that is entering close proximity to the building. However, many of these do not monitor outgoing traffic, and have only a single guard that is checking IDs. If they are not checking IDs, circumventing this security layer requires only a can of turtle wax, a sports jacket and tie, and a latte. The attacker uses the turtle wax (on their car...) and rolls through the checkpoint looking like upper management. It's amazing how people act when you look like a respectable businessman.

If IDs are being checked, the attacker's next best option is right behind the gatehouse. This strategy requires roller blades. Using a skateboard will make the attacker look juvenile, and therefore attract attention. A bicycle might be useful, but it is large, and the attacker would need an expensive bike/gear to look the part. Trying to roll in with a sideways turned baseball cap and hoodie will arouse suspicion. Running, likewise, will make it look like the attacker is trying to sneak in.

The attacker can then wait for a busy hour, such as 8:45 am, when the gate is backed up with employees trying to get through. The attacker simply waits until the guard is focusing on someone's ID, and slides through the "out" side of the gate.

Note that this is not the only method, but one that will attract far less attention than trying to cut through the fence, and is less sophisticated than trying to produce a copy of the company's ID.

This is a good example of a guard house that an attacker can circumvent.



3. Outer Door locks: These are heavier than inner doors and door locks. Keeping in mind that the ultimate goal of this attack is to leave as little trace as possible, the attacker would be mostly powerless against them. However, almost all companies keep their doors open during business hours. Also, if people go in, they must come out. Standing behind a door is a viable (though dangerous) solution to the problem. Door opens, person walks out, attacker grabs the door just before it closes and steps inside.

Like so:

[Embedded video: "creepychris" from bittner on Vimeo]

4. Inner Doors: Once inside, the attacker may or may not face another series of locked doors. In a small company, this will not be an issue. For the sake of this situation, our attacker has to get to networked computers in an unoccupied room. The solution? Pick up a magazine in the lobby and pretend to read it close to the target door. When someone exits the door, the attacker can nonchalantly slip through, while still pretending to be preoccupied by the magazine.

5. Small companies: Small companies are a difficulty in their own right, simply because they do not operate 24 hours a day, almost always have an alarm system and full locks on the outside doors, and none of the computers are going to be secluded. However, this will not deter a dedicated attacker. Most small companies will hire contractors for technical support. If not, there is always the cable company (the TV in the employee break room never works right). It may require 2 visits to successfully get into the company, but this is not a problem with small, low security companies. If the attacker can pose as a member of an IT technical support company, they will have no problem accessing whatever computer they desire.

If this is not the case, then posing as a cable repairman will allow them to carry the tools they require for this attack. First, it must be done around lunch hour. The attacker will simply observe how many people leave work for lunch. It may be that only a couple of people actually remain. In this case, a cubicle will give the attacker all the privacy they need to execute the attack. If not, they must observe conversations in the break room. Is someone not feeling well, and thinking of taking tomorrow off? Their computer would be free for use then, so long as they work in a cubicle. When is a large company or staff meeting going to occur? The office will be deserted during that time period.

Some unobtrusive questions can be asked as well, such as half days or company picnics, etc. Once the attacker discovers a day that the company will be open, but not well staffed, they will keep this information in their mind, pretend to work for another 5 - 10 minutes and... suddenly they need a part they don't have. The attacker establishes that day to return, and shows up to a mostly deserted office.

I am not going to dig any further into social engineering. However, more information can be found at Security Focus and the US-CERT website.

Alright, let us assume that the attacker was able to gain access to a networked computer. What good will it do them? Well, as you will never know what an attacker is planning to do, or how they are planning on doing it, I waited to give that information.

The plan is to hijack the servers by hacking into the administrator account on a machine, and inserting a Trojan that will then execute when a user logs into their roaming account, and copy itself to the server. Once on the server, it will scan for credit card, bank account, SSID, and payroll numbers, and also attempt to add a user name and password with administrator privileges so that the attacker will have a back door into the company.

A great example of how this is done frequently is the controversial, if not short-lived, Special Forces unit called Red Cell. The unit was created under the command of Vice Admiral James Lyons and led by Captain Richard Marcinko. It was used as "white hat" infiltrators to test the security of America's most restricted bases (such as those that store nuclear munitions).

More information can be found at the Special Operations Website. The book "Red Cell" by Richard Marcinko underlines the poor security and oversight that plagues even the most "secure" installations, and how easy it is to circumvent the security.

Now, remember that the attacker is at a computer which is on the network. They use a program called ERD Commander in an attack that looks like this:



Now that they have infected a computer, they restart the machine and leave. The entire network is now compromised. The infected computer will not be known until something requires the administrator password to be entered. This may be a year or more. Meanwhile, even if the Trojan is detected and removed, it will once again install itself on the server. The IT staff (if any) will have to isolate the entire network and check every computer in the entire company that has access to the server in order to end the attack.

Let's retrace the steps and consider options for preventing this attack.

1. Perimeter Access: Unless you own all the land around the building, it is not likely that you will be able to sufficiently protect this area. However, this gives smaller companies an advantage. Their parking lots are smaller, and so a few cameras can identify anyone who parks, their vehicle make/model and license plate. This may not prevent an attack, but can lead to the arrest of the attacker.

Larger corporations can station 2 guards at the security check point at all times, and monitor exits with the same quality that they monitor an entrance. A motion sensor should be set up, along with a scale. If a certain weight is not registered on the scale when the motion sensor is tripped, an alarm is sounded.

2. Outer Door Access: All doors should have a window on them, and on either side of them so that employees can see out of them. Also, employees should be restricted from using side or back doors unless there is an emergency. Only doors that access another security check point should ever be used during normal operation.

3. Inner Door Access: This is the hardest line of defense to protect, because it is completely reliant on employees. Only sufficient training and motivation on the part of employees can prevent the attacker from reaching a target computer. While security personnel might maintain a certain level of proficiency, most businesses give them other tasks. This is a grave mistake, as the only focus of security should be to limit access to your building. They are not running an information booth. Hire receptionists for that task. They are not medical staff. Hire a few nurses, if need be.

There should be no reason that security is distracted from doing its job, and attackers are counting on any kind of distraction to pull attention away from them and the door that blocks them from their target.

Train employees to properly spot and question anyone without an ID, or anyone who seems suspicious or should not be in the area they are in. This has its own complications, such as impending discrimination charges. The answer may be to hire these two guys:



4. Security on the Computer: This is pretty difficult, as there are a number of methods to hack into a computer. There are a handful of programs that will re-write Windows passwords, and all can be found on the internet with a little time. This is exactly why physical security is so important for a network.

However, there are a few methods to slow down or foil attackers at this point. First, never set the CD-ROM/floppy drive as the default boot device. Second, always password protect the BIOS. This is not surefire. Resetting the BIOS is as easy as popping the battery on the motherboard. However, this does require opening the computer case, which, in turn, requires more time and raises the chance that the attacker will be caught.
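The gate check from item 1 above (sound an alarm when the motion sensor trips without a vehicle's weight on the scale), as an added example that is not part of the original post. The 500 kg threshold, the 3-second window, the event format and the sample log are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed tuning values, not taken from the original post.
MIN_VEHICLE_KG = 500.0  # lightest load treated as a vehicle
WINDOW_S = 3.0          # max gap between a motion trip and its scale reading


@dataclass(frozen=True)
class Event:
    t: float          # seconds since start of the log
    lane: str         # "in" or "out"
    kind: str         # "motion" or "scale"
    kg: float = 0.0   # scale reading; unused for motion events


def gate_alarms(events, min_kg=MIN_VEHICLE_KG, window=WINDOW_S):
    """Return motion events that have no vehicle-weight scale reading
    on the same lane within `window` seconds."""
    events = sorted(events, key=lambda e: e.t)
    scales = [e for e in events if e.kind == "scale"]
    alarms = []
    for m in (e for e in events if e.kind == "motion"):
        vehicle_seen = any(
            s.lane == m.lane and abs(s.t - m.t) <= window and s.kg >= min_kg
            for s in scales
        )
        if not vehicle_seen:
            alarms.append(m)
    return alarms


# Constructed sample log covering both lanes of the gate.
SAMPLE = [
    Event(0.0, "in", "motion"), Event(0.8, "in", "scale", 1420.0),     # car entering
    Event(12.0, "out", "motion"), Event(12.5, "out", "scale", 1610.0), # car leaving
    Event(31.0, "out", "motion"), Event(31.4, "out", "scale", 82.0),   # person-weight load
    Event(47.0, "in", "motion"),                                       # scale stayed silent
    Event(60.0, "out", "motion"), Event(60.9, "in", "scale", 1500.0),  # weight on other lane
]

if __name__ == "__main__":
    for a in gate_alarms(SAMPLE):
        print(f"ALARM t={a.t:5.1f}s lane={a.lane}")
```

Matching on lane as well as time is what makes the exit side monitored to the same standard as the entrance.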

So, is physical security really that important? I mean, is someone really going to bother going through all the trouble of infiltrating your company just to access one of your computers?

Well, maybe this clip can answer a little better:



That was a Nedap e-voting computer which is used extensively in Ireland and the Netherlands. The ROM chips were swapped out in less than 60 seconds. Given the average time it takes Starbucks to brew a latte, at least 15 of these machines could be hacked before anyone on staff returns from their coffee break.
