Friday, September 28, 2007

Be the Caveman

I just read a great story by InformationWeek's Sharon Gaudin titled Interview With A Convicted Hacker: Robert Moore Tells How He Broke Into Routers And Stole VoIP Services:

Convicted hacker Robert Moore, who is set to go to federal prison this week, says breaking into 15 telecommunications companies and hundreds of businesses worldwide was incredibly easy because simple IT mistakes left gaping technical holes.

Moore, 23, of Spokane, Wash., pleaded guilty to conspiracy to commit computer fraud and is slated to begin his two-year sentence on Thursday for his part in a scheme to steal voice over IP services and sell them through a separate company. While prosecutors call co-conspirator Edwin Pena the mastermind of the operation, Moore acted as the hacker, admittedly scanning and breaking into telecom companies and other corporations around the world.

"It's so easy. It's so easy a caveman can do it," Moore told InformationWeek, laughing. "When you've got that many computers at your fingertips, you'd be surprised how many are insecure."
(emphasis added)

So easy a caveman can do it? Just what happened here?

The government identified more than 15 VoIP service providers that were hacked into, adding that Moore scanned more than 6 million computers just between June and October of 2005. AT&T reported to the court that Moore ran 6 million scans on its network alone...

Moore said what made the hacking job so easy was that 70% of all the companies he scanned were insecure, and 45% to 50% of VoIP providers were insecure. The biggest insecurity? Default passwords.

"I'd say 85% of them were misconfigured routers. They had the default passwords on them," said Moore. "You would not believe the number of routers that had 'admin' or 'Cisco0' as passwords on them. We could get full access to a Cisco box with enabled access so you can do whatever you want to the box...

He explained that he would first scan the network looking mainly for the Cisco and Quintum boxes. If he found them, he would then scan to see what models they were and then he would scan again, this time for vulnerabilities, like default passwords or unpatched bugs in old Cisco IOS boxes. If he didn't find default passwords or easily exploitable bugs, he'd run brute-force or dictionary attacks to try to break the passwords.


So, we have massively widespread scanning, discovery of routers, and attempted logins. No kidding this is caveman-fu.

And Moore didn't just focus on telecoms. He said he scanned "anybody" -- businesses, agencies and individual users. "I know I scanned a lot of people," he said. "Schools. People. Companies. Anybody. I probably hit millions of normal [users], too."

Moore said it would have been easy for IT and security managers to detect him in their companies' systems ... if they'd been looking. The problem was that, generally, no one was paying attention.

"If they were just monitoring their boxes and keeping logs, they could easily have seen us logged in there," he said, adding that IT could have run its own scans, checking to see logged-in users. "If they had an intrusion detection system set up, they could have easily seen that these weren't their calls."
(emphasis added)

Didn't someone tell Robert Moore that "IDS is dead?" Apparently all of these victim companies heard it, and turned off their visibility mechanisms.

My advice? Be the caveman. Perform adversary simulation. This is the simplest possible way to pretend you are a bad guy and get realistic, actionable results.

  1. Identify all of your external IP addresses.

  2. Scan them.

  3. Try to log into remote administration services you find in Step 2.

  4. Report your findings to device owners when you gain access.


How difficult is that? This methodology is nowhere near effective against targeted threats who want to compromise you specifically, but it would work against this opportunistic threat.

PS: If I hear one more time that "scanning is too dangerous for our network" I will officially Lose It. Scanning of external systems happens 24x7. If you really don't want an authorized party to scan your external network, try setting up a passive detection system like PADS and wait for a bad guy to ignore the fragility of your systems and scan them for you. Gather his results passively and then act on them.
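Moore's point that monitoring and logs would have exposed him, and the passive detection angle in the PS, as an added example that is not part of the original post: a small Python check over constructed firewall connection records and Cisco-style login syslog that flags (1) one source probing many hosts on remote-administration ports and (2) a successful router login from outside the management network. The log formats, the admin port set and the approved management subnet are assumptions; the same check can confirm that your own steps 2 and 3 above actually show up in your monitoring.

```python
"""Flag the 'caveman' pattern in constructed logs: horizontal scanning of
admin ports, and admin logins from sources outside the approved management net."""
import ipaddress
import re
from collections import defaultdict

# Constructed firewall connection records (not from the article): src dst dport state
CONN_LOG = """\
198.51.100.7 203.0.113.10 23 SYN
198.51.100.7 203.0.113.11 23 SYN
198.51.100.7 203.0.113.12 22 SYN
198.51.100.7 203.0.113.13 23 SYN
198.51.100.7 203.0.113.14 22 SYN
192.0.2.20 203.0.113.10 443 SYN
198.51.100.7 203.0.113.10 23 ESTABLISHED
"""

# Constructed login records, loosely modelled on IOS %SEC_LOGIN-5-LOGIN_SUCCESS messages
LOGIN_LOG = """\
%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.0.2.20] [localport: 23]
%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 198.51.100.7] [localport: 23]
"""

ADMIN_PORTS = {22, 23, 80, 443, 2000}  # assumed remote-admin / VoIP signaling ports to watch
APPROVED_ADMIN_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed management network

def scanners(conn_log, min_targets=4):
    """Sources that touched at least min_targets distinct (host, admin port) pairs."""
    targets = defaultdict(set)
    for line in conn_log.splitlines():
        src, dst, dport, _state = line.split()
        if int(dport) in ADMIN_PORTS:
            targets[src].add((dst, int(dport)))
    return sorted(src for src, seen in targets.items() if len(seen) >= min_targets)

LOGIN_RE = re.compile(r"LOGIN_SUCCESS.*\[user: (\S+)\] \[Source: ([\d.]+)\]")

def rogue_logins(login_log):
    """(user, source) pairs for successful logins from outside the approved nets."""
    hits = []
    for match in LOGIN_RE.finditer(login_log):
        user, src = match.groups()
        if not any(ipaddress.ip_address(src) in net for net in APPROVED_ADMIN_NETS):
            hits.append((user, src))
    return hits

if __name__ == "__main__":
    print("scanning sources:", scanners(CONN_LOG))
    print("logins from outside management net:", rogue_logins(LOGIN_LOG))
```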

6 comments:

John Ward said...

Rich,

Doesn't that continue to promote the negative stereotype that cavemen are dumb... I mean they did discover fire for us. For shame ;)

Joe said...

It's funny. You wouldn't believe how many devices get screwed up by internal nmap or qualys scans. Brocade Silkworms would lock up because of a telnet bug. HP JetDirect printers would print PAGES of garbage until power cycled or out of paper.

One admin asked me to halt the scans because it was causing his Brocade switches to lock up. I gave him 2 weeks to test and deploy software updates. I then reminded him that just because it's "internal" does not mean it's safe.

Marcin said...

PS: If I hear one more time that "scanning is too dangerous for our network" I will officially Lose It. Scanning of external systems happens 24x7.

hahaha, Me and you both. I said the same thing in my post on PCI requirements. If a tool you've downloaded has been tested on a lab network and audited for backdoors, there should be no qualms about scanning prod systems. ;)

I hate hearing the words “We don’t scan against production.” Frankly, I don’t care to either. There’s just something annoying about, “If you bring down production with your tests, you’re dead meat/fired/a goner.” Well, if your production environment was built properly, you shouldn’t have this problem. People who say this are likely responsible for the most delicate, insecure network or system around. Seriously. -- More on ambiguous security standards

Unknown said...

Thanks for linking to that! Excellent article, in fact, one of the better ones I've read in some time from InformationWeek!

Anonymous said...

I think it's worth differentiating between Richard's comments on external scanning and Marcin's, which seem to be directed toward scanning on the company network in general. There are thousands of DoS-type attacks daily against our internet-facing servers, but rarely inside the company. It seems reasonable to prohibit the security team from running these types of attacks/scans.

Also, anyone who says "this attack could never bring down a machine" or "the web server gets hit with this stuff all the time" hasn't been involved with an enterprise scanning operation for long. As Joe mentioned above, there are all kinds of side effects that you'd never expect. I've seen "run of the mill" scanning activity take down an external server against everyone's expectations due to very minor differences in the type of check that the vendor had provided us with (vs. that which was circulating in the wild).

At the end of the day, it doesn't matter how "delicate" or "insecure" a security geek thinks the network is--it's the job of the security professional to remediate vulnerabilities while maintaining network availability, and any security professional who would rather score points by taking out their own network probably shouldn't be employed for long.

Anonymous said...

Anonymous said:
>anyone who says "this attack could never bring down a machine" or
>"the web server gets hit with this stuff all the time" hasn't been
>involved with an enterprise scanning operation for long.

ummmm - have you read Richard's stuff much? I suspect he's been at least a little involved with enterprise scanning for at least a little while