“This would be heaven if you were on the other side of the fence,” says Rob Cotton, opening the door to the “lab” in a secure section of NCC Group’s Manchester, UK, headquarters. “You could do anything from here.”
The room is little bigger than the back bedrooms where, according to urban myth, hackers ply their trade. Here the IT services company showcases the latest technology for pen (penetration) testing, or ethical hacking – helping companies and individuals identify weaknesses in the security of their computers, networks or websites by trying to hack into them.
Visiting the lab can be unsettling for NCC’s clients. “We’ve had IT directors say to us ‘You’ll never get into our network.’ They’ve turned up here late for a meeting to find we’re in already,” says Mr Cotton, chief executive.
With Mr Cotton assisting and Paul Vlissidis, head of risk services, acting as master of ceremonies, Lloyd Brough, one of NCC’s 14 pen testers, plays the hacker to demonstrate three common attacks that are keeping NCC and its peers busy:
Pharming: using a simple technique for spoofing an e-mail address, Mr Cotton sends an e-mail to Mr Vlissidis, purporting to come from the president of a well-known newspaper wine club. With the e-mail is an attachment promising a free case of wine if the recipient visits the wine club website.
Simply by opening the e-mail, Mr Vlissidis has activated malware in the attachment, which tricks the computer into accessing a spoof site as soon as Mr Vlissidis types the real website’s name into his web browser. He tries, without success, to log in, and unwittingly sends his log-in and password details to Mr Brough’s computer.
In a real attack, thousands of spoof e-mails would be sent out, and the hacker would “pharm” a rich harvest of online identities. These could be used automatically to access the real site for credit card details, or tried out elsewhere on the web, exploiting the fact that so many of us use a common password for different sites.
Pharming has only recently emerged as a threat and, unlike the more common phishing scams, the victim does not need to click on a web link embedded in the e-mail. But there are some tell-tale signs to avoid being duped, says Mr Vlissidis: look carefully in the header of the original e-mail or watch out for a yellow padlock symbol at the bottom right of the real web page.
Web application attack: in this demo, replicating a real incident, Mr Brough hacks into an online games retailer’s site through the site search facility. Using a technique called SQL injection, he appends a series of increasingly complex suffixes to his search word, targeting first the database itself, then product details and finally customer and purchase data.
Transactional websites such as this are currently one of the richest sources of vulnerabilities for hackers to exploit, says NCC. “A lot of applications are very weakly coded,” says Mr Vlissidis.
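The weakness behind the search-box attack, and its fix, can be shown in a few lines. The following Python example is added here and is not code from the article or from NCC Group: it builds a constructed in-memory SQLite catalogue (the table, product names and “published” flag are assumptions for the illustration), then contrasts a search function that concatenates the visitor’s term into the SQL text, as the “weakly coded” applications Mr Vlissidis describes do, with a parameterised version that hands the term to the database driver as data.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for the retailer's catalogue (assumption, not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER, name TEXT, published INTEGER);
        INSERT INTO products VALUES
            (1, 'Space Racer', 1),
            (2, 'Dungeon Quest', 1),
            (3, 'Unreleased Title', 0);
        """
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    # The visitor's text is spliced into the SQL itself, so a quote character in the
    # term ends the string literal and whatever follows is parsed as SQL.
    sql = (
        "SELECT name FROM products WHERE published = 1 "
        "AND name LIKE '%" + term + "%'"
    )
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, term: str) -> list:
    # Parameterised query: the '?' placeholder is bound by the driver, so the term can
    # only ever be compared as a value and never changes the query's structure.
    sql = "SELECT name FROM products WHERE published = 1 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


if __name__ == "__main__":
    db = build_db()
    print(search_vulnerable(db, "Racer"))          # ordinary search works either way
    print(search_vulnerable(db, "x' OR 1=1 --"))   # the unpublished row is exposed
    print(search_safe(db, "x' OR 1=1 --"))         # the same term matches nothing
```

With an ordinary term both functions return the same result; with a term containing a quote, the concatenated version lets the `published = 1` condition be bypassed and the unpublished row appears, while the parameterised version simply looks for a product whose name contains that odd string and finds none. The fix is not to filter characters but to stop building SQL from strings at all.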
Internal network attack: in this more traditional attack, Mr Brough plays a temporary worker who logs on to a corporate network as an ordinary user. He uses a feature of some computers’ original software to run the machine with higher privileges, then hunts for the passwords of any other users of that computer, in particular a helpdesk or IT services user. In many companies the same helpdesk user details could be on every computer in the network, to make it easier for the helpdesk to fix a problem remotely.
First, a hacking tool called pwdump is used to extract password information from the Windows registry, then an open source cracking tool called Rainbow Tables to check the password’s “hash” – a long stream of encrypted numbers and letters – against billions of potential passwords. Within six minutes, the password is revealed, despite having upper case and lower case letters, digits and symbols.
“It’s as good as over now,” says Mr Vlissidis. The hacker can roam around the network at will as a helpdesk user.
Alternatively, armed with this identity, he could seek the password of everyone on the network, including the network administrator, using a “dictionary attack” method.
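Why a precomputed table can turn a dumped hash back into a password in minutes, and what stops it, can be shown with a small Python example. It is added here and is not code from the article or from NCC Group: it uses a constructed five-entry candidate list in place of the “billions of potential passwords”, an unsalted SHA-1 hash standing in for any plain password hash (the article does not name the hash type), and PBKDF2-HMAC-SHA256 with a random per-user salt as the hardened form; the iteration count and candidate passwords are assumptions.

```python
import hashlib
import hmac
import os

# Constructed candidate list; a real precomputed table is vastly larger, but the
# lookup works the same way.
CANDIDATES = ["password", "Welcome1!", "Summer2024", "letmein", "Helpdesk#1"]


def unsalted_hash(password: str) -> str:
    # Hash-only storage: the same password always yields the same hash, so one
    # table built in advance answers the lookup for every user whose hash is dumped.
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(candidates) -> dict:
    # hash -> password mapping computed once, ahead of time (a rainbow table is a
    # space-saving form of exactly this idea)
    return {unsalted_hash(p): p for p in candidates}


def recover_from_unsalted(stored_hash: str, table: dict):
    # A single dictionary lookup; no hashing work is done at attack time.
    return table.get(stored_hash)


def salted_kdf(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    # Per-user random salt plus a deliberately slow key-derivation function
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store_salted(password: str) -> tuple:
    salt = os.urandom(16)
    return salt, salted_kdf(password, salt)


def verify_salted(password: str, record: tuple) -> bool:
    salt, digest = record
    # Constant-time comparison so the check does not leak how many bytes matched
    return hmac.compare_digest(salted_kdf(password, salt), digest)


def recover_from_salted(record: tuple, table: dict):
    # The table was built without the salt, so it never matches a salted record;
    # every candidate would have to be re-derived with the slow KDF, per user.
    _salt, digest = record
    return table.get(digest.hex())


if __name__ == "__main__":
    table = build_lookup_table(CANDIDATES)
    print(recover_from_unsalted(unsalted_hash("Helpdesk#1"), table))  # found instantly
    record = store_salted("Helpdesk#1")
    print(recover_from_salted(record, table))                         # None
    print(verify_salted("Helpdesk#1", record))                        # True
```

The same helpdesk password is recovered from the unsalted hash with one lookup, but the salted, iterated record gives the table nothing to match, and two users who choose the same password get different stored values. Salting defeats precomputation; the slow KDF is what makes the remaining per-user dictionary attack expensive.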
All three demos are real attacks, albeit contained in the lab. Their target is two laptops protected by a firewall and updated with the latest security patches – “so there can be no cheating,” says Mr Vlissidis. The UK Computer Misuse Act and other legislation are strictly adhered to. “It is a very twitchy world, and we do nothing for a client without their full permission,” he says.
Speed is a common feature – NCC’s fastest record from switching on a computer at a client’s site to gaining control of its network is seven minutes. Another is passwords. “Ultimately the weakness is the fact that we still use them,” says Mr Vlissidis. “We are a long way from not having to – years away – but I am sure that day will eventually come.”