Big doors, bad locks


How secure is your home?

I am an InfoSec aficionado: never formally taught on the topic, but I have been learning about hacking (whatever the color of the hat) since the age of 6.

The need to publish this piece has been building up for almost 2 years now, and do not get me wrong: I am not trying to teach anything to anyone; I am just expelling my demons.

I will tell you a real story that will, hopefully, make you review your product’s security at least once.

Let us begin.

All rights reserved. Jeremy Thorpe — flickr

I’ve always liked lock picking. Probably because it is the physical equivalent of breaching a server or owning a box in the digital world.

Please imagine this imposing, 2-meter tall, steel double door protecting a nuclear bunker that has a single pin tumbler lock.

It is protected against huge impact projectiles or even biochemical weapons… But not against a clip and a Uni Ball pen.

This brings us to a tech retailer's store, about three years ago, which, like many other stores, had multiple laptops on display, all turned on with bright screensavers telling you why you should spend all your money on them.

They were all connected to a local WiFi network protected with WEP encryption. This network had several in-store servers connected to it: some hosting intranet webpages for setting up the laptops' screensavers, others streaming music to the store's CD trial players, some MySQL databases with info on the CDs, other servers controlling the TV displays around the store, and a myriad of other minor servers with archives and backups.

By now you have probably realized this wireless LAN had all kinds of sensitive information on the store and that you wouldn’t like it breached if the store was yours, right?

One random morning, I was checking out the new gadgets that had arrived that week and got myself thinking about how to pick this (metaphorical) lock. So I started trying out one of the "on-display" laptops and just hopped from one to the other until I found one logged in as an admin account. I then went and got the password for the WiFi LAN.

This is the moment you say:

“But you just got lucky right there.”

To which I respond:

You’re right! And you know what? I got lucky on lots of other occasions, too.

And that, my friends, is the problem I’m talking about here.

If you still ain't believing me, let me sum up really quickly how this whole thing snowballed:

  • I enter the WLAN

  • After scanning the network I find several flaws including remote root of a really outdated MySQL server

  • From there I upload a PHP shell to a MySQL table and create a file from that same table (weak system configs)

  • I run system commands from the PHP shell (weak PHP configs) and own the Windows box

  • In that server there were plaintext files containing all the international domain’s admin credentials

  • By now **I own it all**, and I mean it ALL (credit cards' details, transaction databases, control of the stores' ticketing system, LCD displays, you name it!)

So once again you're saying I just got lucky and that I am not some *"1337 wiz that wrote his own 0-day"*, and once again I tell you that those exact thoughts were crossing my mind at the time: how can someone be so careless?

They were obviously too trusting of their store's LAN, assuming that nobody ill-intentioned would ever access it, let alone mess with their outdated, insecure code and software.

The world of black hat hacking is not pretty, and it is not populated only by people who write their own 0-day exploits. It is instead filled with everyone from script kiddies to social engineers, all with a single drive: money.

I’ll rewind.

How secure is your home?

Do you leave your jewelry just hanging on your living room walls, waiting for the first burglar to easily scoop it up?

Or do you instead buy a safe to hide behind a painting in your corridor if you’ve got some valuable asset that justifies it?

You've got the point, right?

Summing it all up:

  • Update your software

  • Don’t just leave credentials lying around in plaintext

  • Don’t think that no one will ever reach your safe haven

  • Always lock the doors behind you, even if it is the living room door and not the big entrance door

  • Don’t overlook security in your products
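Two of the weak spots in the chain above, the MySQL server that could be made to write a file from a table and the PHP setup that let that file run system commands, and the first two items of this list all come down to configuration. The Python script below is an added example, not the author's code and not anything taken from the store in the story: it reads my.cnf and php.ini style text with a minimal parser written for this example and flags the directives that let a database login grow into a shell on the host. `secure_file_priv`, `bind_address`, `disable_functions`, `open_basedir` and `allow_url_include` are real MySQL and PHP directives; the weak and hardened sample configs are constructed.

```python
import re

# Shell-capable PHP functions a hardened php.ini should list in disable_functions.
PHP_SHELL_FUNCTIONS = {"exec", "passthru", "shell_exec", "system", "proc_open", "popen"}

# Constructed sample configs (not from the store in the story). The weak pair
# reproduces the "weak system configs" / "weak PHP configs" of the chain above;
# the hardened pair is what the summary list asks for.
WEAK_MY_CNF = """
[mysqld]
# empty secure_file_priv: SELECT ... INTO OUTFILE may write anywhere mysqld can
secure_file_priv = ""
"""

HARDENED_MY_CNF = """
[mysqld]
secure_file_priv = /var/lib/mysql-files
bind_address = 127.0.0.1
"""

WEAK_PHP_INI = """
[PHP]
; nothing disabled, no open_basedir: an uploaded PHP file can run any command
disable_functions =
allow_url_include = On
"""

HARDENED_PHP_INI = """
[PHP]
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
open_basedir = /var/www/html:/tmp
allow_url_include = Off
"""


def parse_ini(text):
    """Minimal parser for my.cnf / php.ini style text (written for this example,
    not a full implementation). Returns {section: {key: value}}: section names
    and keys are lowercased, '-' in keys becomes '_' (MySQL accepts both),
    surrounding quotes are stripped, and '#' / ';' comments are dropped."""
    config = {}
    section = "global"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(.+?)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower().replace("-", "_")
        config.setdefault(section, {})[key] = value.strip().strip("\"'")
    return config


def audit_mysql(config):
    """Flag mysqld settings that turn SQL access into file-system access."""
    findings = []
    mysqld = config.get("mysqld", {})
    # Unset or empty means no restriction on LOAD DATA INFILE / INTO OUTFILE / LOAD_FILE().
    if not mysqld.get("secure_file_priv"):
        findings.append("mysql: secure_file_priv is unset or empty, so SELECT ... INTO OUTFILE "
                        "can write files anywhere the server account can")
    # Absent or wildcard: the server listens on every interface, the store WLAN included.
    if mysqld.get("bind_address", "*") in ("*", "0.0.0.0", "::"):
        findings.append("mysql: bind_address is unset or a wildcard, so the server listens "
                        "on every interface")
    return findings


def audit_php(config):
    """Flag php.ini settings that let an uploaded PHP file become a system shell."""
    findings = []
    php = config.get("php", {})
    disabled = {f.strip().lower() for f in php.get("disable_functions", "").split(",") if f.strip()}
    still_enabled = sorted(PHP_SHELL_FUNCTIONS - disabled)
    if still_enabled:
        findings.append("php: disable_functions leaves shell-capable functions enabled: "
                        + ", ".join(still_enabled))
    if not php.get("open_basedir"):
        findings.append("php: open_basedir is unset, so scripts may read any file the web "
                        "server account can, plaintext credential files included")
    if php.get("allow_url_include", "off").lower() in ("1", "on", "true"):
        findings.append("php: allow_url_include is on, so include() accepts remote URLs")
    return findings


def audit(my_cnf_text, php_ini_text):
    """Audit both files; returns the combined list of findings (empty means clean)."""
    return audit_mysql(parse_ini(my_cnf_text)) + audit_php(parse_ini(php_ini_text))


if __name__ == "__main__":
    for label, mysql_text, php_text in (("weak", WEAK_MY_CNF, WEAK_PHP_INI),
                                        ("hardened", HARDENED_MY_CNF, HARDENED_PHP_INI)):
        findings = audit(mysql_text, php_text)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run as-is it reports five findings for the weak pair and none for the hardened one. The checks are deliberately about explicit values: `secure_file_priv` and `bind_address` have had different defaults across MySQL versions, so the script treats "not set" as a finding and expects the hardened file to state each setting outright, which is also what makes the configuration reviewable later.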

I will soon publish part two with another true story and some other perils of disregarding security when thinking about UX.

Hope you enjoyed your time reading this. Stay tuned! ;)

Should we fear hackers? Intention is at the heart of this discussion. — Kevin Mitnick

DISCLAIMER: All the involved were immediately warned about the breaches and readily patched up the whole system.