How insiders could compromise any corporate network with a $20 device

Kuwait Times - TECHNOLOGY

Kaspersky Lab researchers have examined publicly available hardware and software tools for covert password interception and discovered that a powerful hacking tool can be created for as little as $20 and a few hours of work by someone with basic programming knowledge. In an experiment they used a DIY Raspberry Pi-based USB device, configured in a specific way and carrying no malicious software. Armed with this device, they were able to covertly collect user authentication data from a corporate network at a rate of 50 password hashes per hour.

The research started with a real story: in another investigation that Kaspersky Lab experts participated in, an insider (an employee of a cleaning company) used a USB stick to infect a workstation inside a targeted organization with malware. Upon hearing the story, Kaspersky Lab security enthusiasts became curious about what else insiders could use to compromise a targeted network, and whether it would be possible to compromise a network without any malware at all.

They took a Raspberry Pi microcomputer, configured it as an Ethernet adapter, made some additional configuration changes in the OS running on the microcomputer, and installed a few publicly available tools for packet sniffing, data collection and processing. Finally, the researchers set up a server to collect intercepted data. After that, the device was connected to the targeted machine and started to automatically feed the server with stolen credential data.

The reason this happened was that the OS on the attacked computer identified the connected Raspberry Pi device as a wired LAN adapter, automatically assigned it a higher priority than the other available network connections and, more importantly, gave it access to data exchange in the network. The experimental network was a simulation of a segment of a real corporate network. As a result, researchers were able to collect authentication data sent by the attacked PC and its applications as they tried to authenticate to domain and remote servers.

In addition, researchers were also able to collect this data from other computers in the network segment. Moreover, as the specifics of the attack allowed intercepted data to be sent through the network in real time, the longer the device stayed connected to the PC, the more data it was able to collect and transfer to the remote server. After just half an hour of the experiment, researchers had collected nearly 30 password hashes transferred through the attacked network, so it is easy to imagine how much data could be collected in a single day.

In the worst-case scenario, the domain administrator's authentication data could also be intercepted, should they log in to their account while the device is plugged into one of the PCs inside the domain. The potential attack surface for this method of data interception is large: the experiment was successfully reproduced on both locked and unlocked computers running Windows and Mac OS. However, researchers were not able to reproduce the attack on Linux-based devices.

"There are two major things that we are worried about as a result of this experiment: firstly, the fact that we didn't really have to develop the software; we used tools freely available on the Internet. Secondly, we are worried about how easy it was to prepare the proof of concept for our hacking device. This means that potentially anyone who is familiar with the Internet and has basic programming skills could reproduce this experiment. And it is easy to predict what could happen if this was done with malicious intent. The latter is the main reason why we decided to draw public attention to this problem. Users and corporate administrators should be prepared for this type of attack," said Sergey Lurye, a security enthusiast and co-author of the research at Kaspersky Lab.

Although the attack intercepts password hashes (a representation of a plaintext password after it has been processed by a specific hashing algorithm) rather than the passwords themselves, the hashes remain useful to an attacker: because the algorithms are known, they can be recovered into passwords, or they can be reused directly in pass-the-hash attacks. To protect your computer or network from attacks using similar DIY devices, Kaspersky Lab security experts recommend the following:

For regular users:

- On returning to your computer, check whether any extra USB devices are sticking out of your ports.
- Avoid accepting flash drives from untrusted sources. Such a drive could in fact be a password interceptor.
- Make a habit of ending sessions on sites that require authentication. Usually, this means clicking a "log out" button.
- Change passwords regularly, both on your PC and on the websites you use frequently. Remember that not all of your favorite websites use mechanisms that protect against cookie substitution.
- You can use specialized password management software for the easy management of strong and secure passwords, such as the free Kaspersky Password Manager.
- Enable two-factor authentication, for example by requiring login confirmation or the use of a hardware token.
- Install and regularly update a security solution from a proven and trusted vendor.

For system administrators:

- If the network topology allows it, use only the Kerberos protocol for authenticating domain users.
- Restrict privileged domain users, especially domain administrators, from logging into legacy systems.
- Domain user passwords should be changed regularly. If, for whatever reason, the organization's policy does not require regular password changes, change that policy.
- All computers within the corporate network must be protected with security solutions, and regular updates should be ensured.
- To prevent the connection of unauthorized USB devices, a Device Control feature, such as the one available in the Kaspersky Endpoint Security for Business suite, can be useful.
- If you own the web resource, activate HSTS (HTTP Strict Transport Security), which prevents downgrading from HTTPS to HTTP and spoofing credentials from a stolen cookie.
- If possible, disable the listening mode and activate the Client (AP) isolation setting in Wi-Fi routers and switches, so that workstations cannot listen to each other's traffic.
- Activate the DHCP Snooping setting to protect corporate network users from having their DHCP requests captured by rogue DHCP servers.

Besides intercepting authentication data from a corporate network, the experimental device can also be used to collect cookies from browsers on the attacked machines.
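The attack works because Windows accepts the Raspberry Pi as a wired LAN adapter and prefers it over the existing connection; the administrator advice above then suggests device control for unauthorized USB hardware. The following PowerShell script is an added example, not code from Kaspersky Lab or from the article: it audits a Windows host for USB-attached network adapters, reports whether each one currently holds the preferred default route, and with -Enforce disables any such adapter that is not on an allowlist, as a lightweight stand-in for a device-control product. It assumes an elevated session on Windows 8 / Server 2012 or later (NetAdapter and NetTCPIP modules), and the allowlist entry is a constructed placeholder.

```powershell
<#
Added example (not Kaspersky Lab's or the article's code).
Audits USB-attached network adapters on a Windows host and flags any that
Windows has preferred over the built-in NIC, the condition described in
the article. With -Enforce, unapproved adapters in that state are disabled.
Assumptions: run elevated; NetAdapter/NetTCPIP cmdlets available;
$AllowedDescriptions is a constructed placeholder list.
#>
[CmdletBinding()]
param(
    # Constructed placeholder: replace with your organisation's approved docks and dongles.
    [string[]]$AllowedDescriptions = @('Example Corp Approved USB Docking Station'),
    [switch]$Enforce   # without -Enforce the script only reports
)

# Effective cost of a default route = route metric + interface metric; the lowest wins.
function Get-EffectiveMetric {
    param($Route)
    $ipIf = Get-NetIPInterface -InterfaceIndex $Route.InterfaceIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue
    $ifMetric = if ($ipIf) { [int]$ipIf.InterfaceMetric } else { 0 }
    return [int]$Route.RouteMetric + $ifMetric
}

# Adapters on the USB bus enumerate with a Plug and Play instance ID beginning "USB\";
# built-in NICs are typically "PCI\...".
$usbAdapters = @(Get-NetAdapter | Where-Object { $_.PnPDeviceID -like 'USB\*' })
if ($usbAdapters.Count -eq 0) {
    Write-Output 'No USB-attached network adapters present.'
    return
}

$defaultRoutes = @(Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 -ErrorAction SilentlyContinue)

foreach ($adapter in $usbAdapters) {
    $own    = @($defaultRoutes | Where-Object { $_.InterfaceIndex -eq $adapter.ifIndex })
    $others = @($defaultRoutes | Where-Object { $_.InterfaceIndex -ne $adapter.ifIndex })

    # Does this USB adapter win the default route against every other adapter on the host?
    $preferred = $false
    if ($own.Count -gt 0) {
        $ownCost = ($own | ForEach-Object { Get-EffectiveMetric $_ } | Measure-Object -Minimum).Minimum
        if ($others.Count -gt 0) {
            $bestOther = ($others | ForEach-Object { Get-EffectiveMetric $_ } | Measure-Object -Minimum).Minimum
            $preferred = $ownCost -le $bestOther
        } else {
            $preferred = $true   # the USB adapter is the only route out of the host
        }
    }

    $allowed = $AllowedDescriptions -contains $adapter.InterfaceDescription
    [pscustomobject]@{
        Name             = $adapter.Name
        Description      = $adapter.InterfaceDescription
        PnPDeviceID      = $adapter.PnPDeviceID
        Status           = $adapter.Status
        HasDefaultRoute  = ($own.Count -gt 0)
        PreferredGateway = $preferred
        Allowed          = $allowed
    }

    if ($preferred -and -not $allowed) {
        Write-Warning "Unapproved USB network adapter '$($adapter.InterfaceDescription)' holds the preferred default route on this host."
        if ($Enforce) {
            Disable-NetAdapter -Name $adapter.Name -Confirm:$false
            Write-Warning "Disabled '$($adapter.Name)'."
        }
    }
}
```

Run the script without parameters to get a report object per USB adapter; add -Enforce (for example from a scheduled task or endpoint-management job) to disable unapproved adapters that have taken over the default route. The allowlist is matched on the adapter's interface description; a stricter deployment would match on the full PnP instance ID of approved hardware. Where a full device-control product is not available, the same goal can be reached with the built-in Group Policy device installation restrictions, which block new removable devices from installing at all.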
