Security Experts:

A Hacker in a Candy Store

We all stumble across the occasional Bluebird - an upgrade to first class on a cross-country flight, a parking spot right in front of the mall entrance, or a scratch-off lottery ticket that helped cover this month’s mortgage payment - some random event that makes the day a bit better.

During a recent security review of a small, local, family-owned bank, I stumbled across a hacker’s dream: Bluebirds in the form of a set of hacking opportunities that set the bar for security naivety across the financial industry, as well as any number of others.

I started my review thinking I would find a few easily addressed problems, but walked away realizing I had stumbled onto the face of security at its worst. It was an eye-opening experience that is, no doubt, duplicated at any number of companies built around private data.

The following article is not so much an exposé of my bank review as a chance for the small, thinly funded organizations across the country to look up and realize they may have the same critical security issues.

Hacker Bluebirds

Key Loggers - As I entered the lobby of the bank, I noticed a public terminal – a service to customers who want to check their balances before making deposits and withdrawals. I do not know how many customer login credentials pass through that public terminal in a day, but I do know every one of those credentials would be fair game for a simple USB keyboard logger.

All a hacker would need to do is sit down at the public terminal (yep, the one with the PC sitting below the desk) with a big shopping bag to hide his actions, drop his cell phone, and connect the USB keyboard logger between the PC and the keyboard. On next Tuesday’s visit, he would retrieve the keyboard logger, along with the names and passwords of hundreds of customers. On a Bluebird scale, this would be a 10. With the unsuspecting customers’ credentials in hand, all he needs to do is make a few transfers to his own account and cash out at the end of the week.

The tellers’ terminals behind the counter presented a bit more of a challenge, but a challenge easily solved with a little creativity and a tie. Start by asking yourself if, in your wildest imagination, your evening cleaning crew has had any social engineering security training. Take your obvious "no" answer and wonder whether a harried looking executive (a guy with a tie) would be stopped by that same cleaning crew as he bustled through the open door (oh, you want the crew to relock the door while they are inside) talking about his forgotten papers.

A quick sit down at the teller’s stations and the key loggers are in place for next week’s pickup. This time around, the hacker will retrieve the login credentials to the entire financial network. Let’s give this one an 8 on the Bluebird scale, only because someone may have warned the cleaning crew about strangers stealing office equipment.

Tell me this: When was the last time you checked the connection between your PC and your keyboard cable?

To push this just a bit further, I found the public and teller terminals to have complete Internet access. Perhaps, instead of installing a USB keyboard logger, I could install PC monitoring software (check out the Spectra Pro product) and have every PC action (i.e., keystrokes, screen display, websites visited) sent to my private email address. No need to come back. This installation has a Bluebird score of 7, as anti-virus software may block it.

Post-It Notes

I kid you not – in my travels through the bank offices I ran across several Post-it notes securely attached to a PC with the login name and password for the system behind that PC. Remember, the bank is headed into the holiday rush - the staff is at best overworked and understaffed, and at worst ready to implode.

A well-placed Post-it note that keeps the frantic staff from having to remember the credentials to the customer accounts database must seem like a great idea, at least to the staff who have to do all the remembering. After all, who (except the bank staff and the cleaning crew and the copier repair guy and the water cooler bottle deliverer) is ever going to see that note?

On the hacker Bluebird scale this is a 7; on the classic security tale scale, a 10 – a Post-it with login credentials is a story told over and over at family dinners throughout the land.

Single-Level Access

Banks, like most high customer-volume businesses, live off masses of information snippets, some of which will be private - and a hacker’s treasure trove. When I walked over to one of the teller’s terminals (by the way, it never timed out to the login page) I was able to access every piece of customer data on the network – credit checks, loan applications, scans of driver’s licenses. If I had taken 30 minutes, I could have copied this trove of data to the 20-gigabyte flash drive that I had plugged into the USB port (conveniently placed by my feet) and spent the afternoon selling that data on the hacker black market.

There are two issues at play here. The first is that this private data was not encrypted or at least placed behind a secure login environment. The second (and far more common problem) is that, rather than trying to intelligently figure out which users should have access to which types of data, the bank chose to simply make all data available to everyone. These security problems reflect the ‘data of convenience’ attitude many companies are forced to take. There just isn’t the time or budget to do things right. On the Bluebird scale, this is an 8. A $1,000 donation to one of the tellers would have gotten me every piece of private data within the bank's system.
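A deny-by-default role check combined with an idle-session timeout, added here to illustrate the two fixes this section calls for (this is example code, not the bank's system; the roles, record types, 10-minute limit and sample session are assumptions):

```python
from dataclasses import dataclass, field

IDLE_LIMIT_SECONDS = 600  # assumed: lock the terminal after 10 idle minutes

# Assumed role-to-record mapping. Any (role, record type) pair not listed
# here is denied, so "everyone sees everything" is impossible by default.
PERMISSIONS = {
    "teller": {"account_balance"},
    "loan_officer": {"account_balance", "credit_check", "loan_application"},
    "compliance": {"credit_check", "loan_application", "id_scan"},
}

@dataclass
class Session:
    user: str
    role: str
    last_activity: float          # seconds, e.g. from time.monotonic()
    audit: list = field(default_factory=list)

def can_access(session: Session, record_type: str, now: float) -> bool:
    """Allow only if the session is still live AND the role is explicitly
    permitted to see this record type. Every decision is written to the audit
    trail so a reviewer can see who looked at what."""
    if now - session.last_activity > IDLE_LIMIT_SECONDS:
        session.audit.append(f"{session.user}: DENY {record_type} (idle timeout)")
        return False
    allowed = record_type in PERMISSIONS.get(session.role, set())
    session.audit.append(f"{session.user}: {'ALLOW' if allowed else 'DENY'} {record_type}")
    if allowed:
        session.last_activity = now   # a permitted lookup counts as activity
    return allowed

def demo():
    # constructed sample: a teller whose last keystroke was 5 seconds ago
    s = Session(user="teller01", role="teller", last_activity=100.0)
    r1 = can_access(s, "account_balance", now=105.0)        # allowed
    r2 = can_access(s, "id_scan", now=106.0)                # wrong role
    r3 = can_access(s, "account_balance", now=105.0 + 601)  # idle too long
    return r1, r2, r3, s.audit

if __name__ == "__main__":
    print(demo())
```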

Backup Storage

The bank used two service vendors, each running their own systems within the bank. Each system required a periodic backup; one to a tape drive, the other to a USB hard drive. This collection of backup units sits in a box in the unlocked server room next to its respective systems (yep, there's a whole other article’s worth of discussion there). I have no doubt that a stolen backup tape would not have been missed in my lifetime. Perhaps far more subtle is the fact that both systems were old enough to have either missed the concept of encrypting backup files, or, if the files were encrypted, they were encrypted using algorithms that had been broken years ago. For all practical purposes, the bank had packaged up their private data in pocket-sized containers for anyone to take home and use for identity theft, if not outright cash extraction. Another 8 on the Bluebird scale – a tie, a harried look, a smile for the cleaning crew and I’m the new owner of enough identity information to keep me busy for a year.

Conclusion

If you’re one of the many small businesses across the country running as fast as you can just to stay even, you can probably relate to most of the security issues described above – they’re sitting just outside your office. While you are hardly alone, that will not make your looming security breach any more palatable. Even worse, it’s the little guys (like you) who will suffer the most after a security attack. You probably do not have security risk insurance, the concept of a security officer is a dream, and the negative PR (and potential fines) will eat you alive.

You’re not going to solve all of your security problems in the next 30 days, but you can and should fix the big ones, those Bluebirds that make it easy for hackers to kill your company. Identify your security problems, triage based on your risks and budget, prioritize your problems based on their level of risk and your ability to solve them, and do something now.

Alan Wlasuk is a managing partner of 403 Web Security, a full-service, secure web application development company. A Bell Labs Fellow award-winner with 18+ years of experience building secure web applications, Wlasuk is an expert in web security - from evaluation to web development and remediation.