Social networks offer the keys to your network
As social networks continue to grow in popularity, security professionals may want to factor them into their security profile. Why? The information that government employees populate on their profiles could be used by nefarious individuals to help crack into the systems these individuals use at work.
Last week, I took a new SANS Institute class on advanced web application penetration testing (Security 542), which was taught by Kevin Johnson of Intelguardians. Organizations pay Intelguardians to break into their systems and produce a report of the security holes found.
And there are a lot of ways to gain surreptitious entry. Johnson said he has yet to encounter a Web site that he couldn't crack.
In the class he shared some of the techniques he uses. Some are technical cracks, obviously, but a surprising number merely required lots of careful data gathering, observation and analysis.
Among Johnson's less-technical procedures is to take a trip through LinkedIn and other social networking sites.
There's a lot of valuable information to be gathered from these sites. Each member gets a profile page, which can be populated with details such as that person's age, marital status, where they work, what their hobbies are, and so on.
What could all this trivia be used for? Well, plenty, if you find a profile of an individual who works at a government agency, and you just happen to be trying to gain entry onto that agency's networks.
For one, you get hints for possible passwords. Also, you get answers to questions asked by the password challenge mechanisms that many organizations use, Johnson noted.
These are the programs that, should the user forget his or her password, will ask that person a number of personal questions that he or she previously supplied the answers for. What city were you born in? What was your mother's maiden name? What is your favorite hobby? Get the right answers and the program will grant you access.
And the answers to at least a few of these questions could be found in the profiles at these social network sites, assuming you can do the legwork to match the user profile with the work log-in name.
And Johnson wasn't speaking hypothetically. He actually gained entry to one system by finding a MySpace profile of one employee who used that system. On her page, the individual professed a love for various hobbies of a nondescript sort. But it turned out that one of the questions on her company's password challenge asked for these same entertainments!
Once Johnson successfully answered the question, he then reset the user password, and went on to find valuable information in other parts of the internal network.
"It was beautiful," he said.
Johnson also offered some clever tips to help guess the user names themselves. It's no surprise that most organizations use the first-initial-last name format for user names. And if they don't, you could probably figure out the format by looking on the Web site or some user groups or mailing lists for an employee's e-mail address.
How can you verify a user name actually is valid? Enter it in a log-in system, using a deliberately bogus password. Sometimes there will be subtle differences between the response to a log-in with a wrong password and the response to a nonexistent user name.
Sometimes the difference will be glaringly obvious (a "this password is incorrect" versus "user not found" response).
Most log-in software is smarter than that though. Still, there are subtle ways of getting that bit of information. The response time, for instance, can be telling. If the user name is incorrect, it may take one second for the system to respond. If the user name is correct but the password is wrong, it may take the system two seconds to respond.
Think of verifying the password as a two-step process, Johnson explained. The process first checks the user name, which could take, hypothetically speaking, a second of time. The second process checks the password itself, which may take an additional second. So if the user name is wrong, the password will not be checked, and the response will be quicker.
In this subtle way, you can verify whether a user name is valid. Compare it against the response time of a known user. If it doesn't take as long to respond, you know it's not a real user name. It's a tell, in poker-speak. Check it out on your own system!
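The two-step check Johnson describes, written out beside a version that gives no tell, as an added example that is not code from the column or the SANS course. The user table, password, salts and messages are constructed; the hash-call counter stands in for a stopwatch, since the extra second comes from the password hash that a leaky login skips for unknown users.

```python
import hashlib
import hmac
import os
import secrets

HASH_CALLS = 0  # counts expensive hash operations; this is what an attacker's stopwatch sees

def _hash(password: str, salt: bytes) -> bytes:
    global HASH_CALLS
    HASH_CALLS += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

# Constructed user table: username -> (salt, PBKDF2 hash). Placeholder data, not a real system.
_SALT = b"constructed-salt"
USERS = {"jsmith": (_SALT, _hash("correct horse", _SALT))}
# Dummy credential so that unknown user names still pay the same hashing cost as real ones.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(secrets.token_hex(16), _DUMMY_SALT)

def login_leaky(username: str, password: str) -> str:
    """Two-step check: look up the user, bail early if unknown, only then check the password."""
    if username not in USERS:
        return "user not found"  # two tells: a distinct message, and no hash work done
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "this password is incorrect"
    return "ok"

def login_hardened(username: str, password: str) -> str:
    """Same work and same failure message whether or not the user name exists."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    valid = hmac.compare_digest(_hash(password, salt), stored) and username in USERS
    return "ok" if valid else "invalid username or password"

def hash_calls_for(login, username: str, password: str = "bogus") -> int:
    """Defender self-check: how many hash operations does one attempt trigger?"""
    before = HASH_CALLS
    login(username, password)
    return HASH_CALLS - before

def enumeration_tell(login, known_user: str, candidate: str, password: str = "bogus") -> bool:
    """True if a known user and a candidate name produce different responses or different work."""
    msgs_differ = login(known_user, password) != login(candidate, password)
    work_differs = hash_calls_for(login, known_user, password) != hash_calls_for(login, candidate, password)
    return msgs_differ or work_differs
```

Run `enumeration_tell` against your own login handler with one real account and one made-up name; a `True` means the handler is giving away valid user names.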
The SANS class was not designed to make you a malicious hacker, of course, but rather trains you to think like an attacker in order to better defend against such attacks. It's not just knowing the vulnerabilities, but understanding the methodical thinking of someone with real intent to break into your system.
Posted by Joab Jackson on Jan 24, 2008 at 9:39 AM