Equifax Did Three Simple Things Wrong and Hacked Us All

Glenn Norman hacking

So Equifax was hacked not once, but twice? No way. I don’t believe it. If you’ve been hacked twice, you’ve been hacked at least 3.6 million times (or pick any other really big number you like). And notification of this new hack, like the last one, came at a languid pace. I’ve gotta give it to Equifax: if I did something like this, anything like this in my own business, I’d quickly go to prison. Their people are just walking out the door.

What irritates the devil out of me is that Equifax took an equally languid attitude toward the security of my personal information by violating three simple tenets of security. I know it’s not easy to manage a corporate network; I’ve been there. But there are fundamental measures anyone with a brain or responsibility has to take in this field, and Equifax outright failed to do these obvious things.

Principle One: Isolation

Not every system needs to touch the internet. Of those that do, none of them should have access to anything but the absolute minimal resources (meaning other systems) they need to do their job. Production networks should always be totally isolated: human resources, accounts payable, management, customer service and every other production operation should be utterly isolated from each other. Even if systems within them are compromised via email or the internet, they should provide no ingress – absolutely none – across functions. Your deepest assets (consumer records would qualify) should be deeply isolated.

“But customer service needs access to records, and so do the customers!”

Yes, and that functionality is still available. You’ll do it via strongly encrypted, strongly authenticated, highly secured connections. In other words, the segregation cannot be simply VLANs on a switch or even casually configured internal routers. No. Every production network should be encapsulated, firewalled, filtered and logged as an independent unit, one that considers itself surrounded by hostile would-be intruders. If I can walk through your DMZ to your online-data network, that’s a problem. But if I can then pivot to other production networks, it’s time for a firing squad.
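An added example, not from the original post: a small POSIX shell/awk audit that reads observed flows (a few constructed lines in "src dst port proto" form, the shape you would pull from firewall or NetFlow logs) and reports every flow that crosses segments without an entry in an explicit allow list. The segment map, the allow list and the flow lines are all constructed for illustration; what the script shows is the default-deny stance above in practice, where anything not listed is a violation rather than a curiosity.

```shell
#!/bin/sh
# Added example (not part of the original post). Audits flows against a
# cross-segment allow list: any flow between two different segments that is
# not explicitly allowed is reported. All names and addresses are constructed.

# Allow list, one flow per line: src_segment dst_segment dst_port proto
ALLOWED='
custsvc   records  443 tcp
web-dmz   records  443 tcp
'

# Subnet-to-segment map (constructed; in practice this comes from your IPAM)
SEGMENTS='
10.10.0.0/16  web-dmz
10.20.0.0/16  custsvc
10.30.0.0/16  records
10.40.0.0/16  hr
'

# audit_flows: reads "src_ip dst_ip dst_port proto" lines on stdin and prints
# one VIOLATION line per cross-segment flow missing from ALLOWED.
# Flows inside a single segment are not reported.
audit_flows() {
    awk -v segs="$SEGMENTS" -v allowed="$ALLOWED" '
    function ip2int(ip,   o) {
        split(ip, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    # longest-prefix matching is not needed here: the map has no overlaps
    function segment(ip,   i, div) {
        for (i = 1; i <= nseg; i++) {
            div = 2 ^ (32 - plen[i])
            if (int(ip2int(ip) / div) == int(net[i] / div)) return segname[i]
        }
        return "unknown"
    }
    BEGIN {
        nlines = split(segs, lines, "\n"); nseg = 0
        for (i = 1; i <= nlines; i++) {
            if (split(lines[i], f, /[ \t]+/) < 2) continue   # skip blank lines
            split(f[1], cidr, "/")
            nseg++; net[nseg] = ip2int(cidr[1]); plen[nseg] = cidr[2]; segname[nseg] = f[2]
        }
        m = split(allowed, al, "\n")
        for (i = 1; i <= m; i++) {
            if (split(al[i], f, /[ \t]+/) < 4) continue
            ok[f[1] " " f[2] " " f[3] " " f[4]] = 1
        }
    }
    NF >= 4 {
        s = segment($1); d = segment($2)
        if (s == d) next
        key = s " " d " " $3 " " $4
        if (!(key in ok))
            print "VIOLATION " s " -> " d " " $3 "/" $4 " (" $1 " -> " $2 ")"
    }'
}

# Constructed sample flows: two allowed, one HR box reaching records, one
# DMZ host hitting a database port on records, one flow inside records.
FLOWS='10.20.5.7 10.30.1.10 443 tcp
10.10.2.2 10.30.1.10 443 tcp
10.40.3.3 10.30.1.10 443 tcp
10.10.2.2 10.30.1.10 1433 tcp
10.30.1.10 10.30.1.11 5432 tcp'

printf '%s\n' "$FLOWS" | audit_flows
```

Run against a real export, the two lines this prints (hr -> records and web-dmz -> records on 1433) are exactly the pivots the paragraph above calls unforgivable; the allow list is the document of record for what the segmentation is supposed to permit, and it should be as short as the business can tolerate.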

Principle Two: Patch Management

All the mainstream security firms will hound you about this: stay patched right up to the minute! There is a tiny minority who would dispute this, arguing that proper isolation makes urgent patch management a useless exercise in anxiety. For my money, I’m going to do both (and a lot more).

The culprit here was an unpatched Apache Struts installation (the OGNL remote-code-execution flaw tracked as CVE-2017-5638, for which fixed Struts releases had been available for months before the intrusion). Frameworks like Struts are popular with developers but eventually have to be managed by sysadmins, who may not love or follow them as closely. This is where tight collaboration between these teams has to ensure that things which need to be patched (which includes practically everything that’s installed, libraries bundled inside application archives included) are in the patch management lists and tools. I shouldn’t have to say it, but those lists and tools must be intensively managed. That’s a pain, but lawsuits are a bigger pain, and really big lawsuits can be fatally painful for organizations.
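An added example, not from the original post: a POSIX shell script that inventories struts2-core jars under a web-application tree and flags any whose version is below the minimum patched release for its branch. The directory tree it builds is constructed for the demo; the minimums table holds the two Struts releases (2.3.32 and 2.5.10.1) that fixed CVE-2017-5638, and in real use you would extend that table to whatever else sits on your patch list. Version ordering relies on GNU sort -V.

```shell
#!/bin/sh
# Added example (not part of the original post). Finds struts2-core-*.jar
# files below a directory and reports those older than the minimum patched
# version for their release branch. The sample tree is constructed.

# Minimum patched version per major.minor branch. These two are the Struts
# releases that fixed CVE-2017-5638; add rows for other branches you run.
MINIMUMS='2.3 2.3.32
2.5 2.5.10.1'

# list_struts_jars DIR : prints "path<TAB>version" for each struts2-core jar
list_struts_jars() {
    find "$1" -type f -name 'struts2-core-*.jar' 2>/dev/null | while IFS= read -r jar; do
        ver=$(basename "$jar" .jar)
        ver=${ver#struts2-core-}
        printf '%s\t%s\n' "$jar" "$ver"
    done
}

# version_lt A B : succeeds when A sorts strictly before B (GNU sort -V)
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# min_for VERSION : prints the minimum for VERSION's major.minor branch
min_for() {
    branch=$(printf '%s' "$1" | cut -d. -f1,2)
    printf '%s\n' "$MINIMUMS" | while read -r b m; do
        [ "$b" = "$branch" ] && printf '%s\n' "$m"
    done
}

# check_struts DIR : one line per jar: OK, OUTDATED or UNKNOWN-BRANCH
check_struts() {
    tab=$(printf '\t')
    list_struts_jars "$1" | while IFS="$tab" read -r jar ver; do
        min=$(min_for "$ver")
        if [ -z "$min" ]; then
            printf 'UNKNOWN-BRANCH %s %s\n' "$jar" "$ver"
        elif version_lt "$ver" "$min"; then
            printf 'OUTDATED %s %s (minimum %s)\n' "$jar" "$ver" "$min"
        else
            printf 'OK %s %s\n' "$jar" "$ver"
        fi
    done
}

# demo_tree : builds a constructed webapps tree with three deployments and
# prints its path. Empty files stand in for the jars.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/app1/WEB-INF/lib" "$d/app2/WEB-INF/lib" "$d/app3/WEB-INF/lib"
    : > "$d/app1/WEB-INF/lib/struts2-core-2.3.31.jar"     # vulnerable 2.3 build
    : > "$d/app2/WEB-INF/lib/struts2-core-2.5.10.1.jar"   # patched 2.5 build
    : > "$d/app3/WEB-INF/lib/struts2-core-2.5.10.jar"     # one release short
    printf '%s\n' "$d"
}

root=$(demo_tree)
check_struts "$root"
rm -rf "$root"
```

The point of the per-branch table is the caveat that bites in practice: a single global "must be at least 2.3.32" rule would wave through 2.5.10, which was just as exploitable. Point check_struts at /opt, /var/lib/tomcat* or wherever your servlet containers unpack applications, and feed the OUTDATED lines into whatever tracks your patch backlog.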

Principle Three: Competent Management

Repeat after me: a degree in music does not qualify you to be CSO. (A degree in music does not qualify ….) Equifax did not get this memo, and hired as Chief Security Officer one Susan Mauldin, a music major, whose LinkedIn profile was edited and made private shortly after the hack was revealed, likely because it listed no relevant qualifications whatsoever.

I have been working, studying and teaching in this field for some 20 years, and I consider myself hardly qualified for a job like CSO. You’re playing with blood and money in that job. Even if you’re a brilliant poker player, this is 3D chess played with lions. If you can only play Whack-a-Mole on the computer, you should not be managing computer security for a major corporation. You’ll need to be a fanatical, deeply involved security fiend to play cop or Batman for a company like Equifax.

This whole question of qualifications goes far beyond this field. A Chief Scientist should, for instance, be a scientist. This quickly gets political (at least for me), so I’ll stop now. But what Equifax has done is not political, and not forgivable. They’re doing something that affects far too many people to approach it lackadaisically.

Now, the kernel: if you’re a malicious hacker, you’re going to be looking for exactly these weaknesses. During the Reconnaissance stage, finding a weak CIO or CSO would be a whiff of blood in the water. If a simple scan reveals unpatched vulns, bingo. And if weak or nonexistent network segmentation lets me go bounding through the corporate cyberverse, oh joy, oh glad (assuming I’m that malicious hacker). If I’m NOT a cracker, I’d be testing exactly these same limits because I’d be a pen tester or researcher or bounty hunter or whatever. Right?

[ CEH Training ] :: [ Day 7 ]

Chapter 15

Wifi cracking

BSSID, SSID, ESSID

WEP cracking with Kali: p. 420

WPS cracking with Kali

Chapter 16

Mobile pentesting

Applications and tools

Chapter 17

Evasion, firewalking, honeypots

Exercises

  • Firewalking with Kali: p. 472
  • Nmap with the Firewalk script
  • Fragmentation with Nmap

Tools

Aircrack-ng

nmap

firewalk

[ CEH Training ] :: [ Day 6 ]

Chapter 13

Web server vulnerabilities and exploits

DDoS

SYN flooding

Banner grabbing

XSS

Wikto: a website vulnerability tool:
http://sectools.org/tool/wikto/

Tools

Burp Suite

“Brute Force a Website Login Page with Burp Suite”:
https://www.youtube.com/watch?v=25cazx5D_vw

“Brute force attack (form, ssh, ftp) using burp suite and hydra”:
https://www.youtube.com/watch?v=y3Oh54BUN0U

“Brute Force Router Password using BurpSuite”:
https://www.youtube.com/watch?v=gSVM65_pLfA

Chapter 14

SQL injection

“SQL Injection with Burp Suite and Sqlmap”:
https://www.youtube.com/watch?v=2C2G6P9xrGQ

Cheat sheet:
https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/

OWASP guide:
https://www.owasp.org/index.php/SQL_Injection

Dumping a complete database:
http://resources.infosecinstitute.com/dumping-a-database-using-sql-injection/


[ CEH Training ] :: [ Day 3 ]

Chapter 7: System Hacking

Stage 4 of a hack: Exploitation

Cracking for Fun and System Penetration

Hash-cracking communities:
https://hashes.org/crackers.php

Password dictionaries:
https://wiki.skullsecurity.org/Passwords

I will supply you with several wordlists and hash lists.

John the Ripper

Kali’s built-in wordlists: /usr/share/wordlists/rockyou.txt.gz etc.

“How to crack passwords using john the ripper in kali linux”
https://www.youtube.com/watch?v=eAn8dYdn1eY

Exercises

  • Create a simple text file with a hashed password (which is “password”); md5sum prints the hash followed by “  -”, and tr strips that suffix so only the hex digest is written:
echo -n "password" | md5sum | tr -d " -" >> /root/testhash.txt

Now use the RockYou wordlist to crack the password. John takes the wordlist via --wordlist= and the hash file as its positional argument, and the wordlist has to be uncompressed first (skip the gunzip if you have already done it):

gunzip /usr/share/wordlists/rockyou.txt.gz
john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt /root/testhash.txt
john --format=raw-md5 --show /root/testhash.txt

Hashcat

Requires 4 arguments:

-m or --hash-type (use --help to list hash types; use -m 1000 for Windows NT (NTLM) hashes and -m 0 for raw MD5)
Example hashes: https://hashcat.net/wiki/doku.php?id=example_hashes

-a or --attack-mode (0 = dictionary, 1 = combinator, 3 = brute-force/mask; use -a 0 for a dictionary attack)

[filename|hash] (hashes to crack, e.g. ./hashes/ntlm.txt; you can supply a single hash directly)

[dictionary|mask|directory] (A wordlist, mask or directory containing wordlist(s), e.g. rockyou.txt)

See this really excellent step-by-step example:
http://www.adeptus-mechanicus.com/codex/crkpass/crkpass.php

“HOW TO CRACK MD5 HASHES USING HASHCAT”:
https://www.4armed.com/blog/hashcat-crack-md5-hashes/

Exercise: Dictionary Attack

  • Hashcat doesn’t support compressed lists, so unzip Kali’s supplied RockYou wordlist,  /usr/share/wordlists/rockyou.txt.gz:
gunzip  /usr/share/wordlists/rockyou.txt.gz

I will supply you with a hash file called win.hash. In your (root’s) home directory (/root), create a folder called hashlists and place the file inside it.

  • Now run hashcat to crack these hashes, using the RockYou wordlist:
hashcat -m 1000 -a 0 --force ./hashlists/win.hash /usr/share/wordlists/rockyou.txt

Cracked hashes go into hashcat.potfile in the user’s home directory, in a folder named .hashcat.

Exercise: Rule Set Permutations

Rule Sets allow permutations like “Airplane1 to Airplane59”.

For deep details see this page:
https://www.4armed.com/blog/hashcat-rule-based-attack/

Rule Set rules are in /usr/share/hashcat/rules/, for example the best64.rule rule list.

  • Use these commands to crack the hashes in win.hash with the best64 rules applied to every RockYou word (-r selects the rule file), then list what was cracked. Note that --show on its own applies no rules and runs no attack; it only prints what is already in the potfile:
hashcat -m 1000 -a 0 --force -r /usr/share/hashcat/rules/best64.rule ./hashlists/win.hash /usr/share/wordlists/rockyou.txt
hashcat -m 1000 --show ./hashlists/win.hash

Exercise: Mask Attack

See this explanation straight from the Hashcat people:
https://hashcat.net/wiki/doku.php?id=mask_attack

And see this page for examples (halfway down the page):
https://www.4armed.com/blog/perform-mask-attack-hashcat/

You will need at least these four things on the command line:

hashcat-binary attack-mode hash-file mask

and you should always give the hash type with -m as well (without it, older hashcat versions silently assume raw MD5 and recent ones try to autodetect it). For instance:

hashcat -m 0 -a 3 hash.file ?a?a?a

?d digit (10 characters; repeat the placeholder 5 times for 5 places)

?l lowercase letter (26)

?u uppercase letter (26)

?s special character (33: space plus the printable ASCII punctuation)

?a all of the above (95)

A literal character in the mask (e.g. pass?d?d) stands for itself; write ?? for a literal question mark.

For example, look for all three-character passwords in the MD5 test hash you created earlier (raw MD5 is -m 0; -m 1000 is for the NTLM hashes in win.hash):

hashcat -m 0 -a 3 /root/testhash.txt ?a?a?a

Each extra ?a position multiplies the keyspace by 95, so exhausting up to 7 characters is reasonable, 8 takes days and 9 takes years on generic hardware; a GPU rig moves that boundary out by a character or two, nothing more.

  • What would the command be to look for all five-character passwords?

Exercise: Combinator Attacks

Use two wordlists, or the same wordlist twice, and try every word from the first list concatenated with every word from the second (the left list supplies the prefix; the test hash is raw MD5, hence -m 0):

hashcat -m 0 -a 1 /root/testhash.txt [wordlist1] [wordlist2]

The LinkedIn hashdump and more instructions:
http://adeptus-mechanicus.com/codex/linkhap/linkhap.php

https://www.unix-ninja.com/p/Exploiting_masks_in_Hashcat_for_fun_and_profit