RSAC 2015: Live Hacking Demo Compromises eCommerce Website; Dumps Credit Card Data
One of the more interesting sessions I attended last week at RSAC in San Francisco was Killing the Kill Chain: Disrupting the Cyber Attack Progression, with panel members and a moderator from Tripwire.
They had one white hat hacker (defender) - Alex Cox, Channel Systems Engineer at Tripwire, and one black hat hacker (malicious) - Tyler Reguly, Manager of Security Research & Development at Tripwire. They live-demoed how to find and compromise a vulnerable system, and then how to move laterally through the breached network.
First, Reguly tried to find a vulnerable system by scanning a subnet (subnetwork). Subnetting is the practice of dividing a network into two or more networks; a subnet is the logically visible subdivision of an IP network, according to NetworkAppers.com.
One of the most common vulnerabilities is Shellshock, which lets an attacker execute commands remotely through the shell. Other vulnerabilities may grant remote privileged access or merely leak a bit of information about your network.
Scanning is the first step in the kill chain; it’s the reconnaissance phase to identify a vulnerable system. In the demo, Reguly located an ecommerce store that allowed him to place online orders. He instead ran an exploit on a CGI (Common Gateway Interface) script, leveraging the Shellshock vulnerability.
In a matter of seconds, he was able to get root access to a box that was vulnerable to Shellshock. And after running a few internal scans, it’s possible to hunt for credit card data within the system.
Tripwire’s white hat defender was using their log management system to look at Apache logs and get information about people visiting their website. After the black hat hacker ran the exploit against the CGI script, a very identifiable pattern appeared in the access logs, indicating an attempt to break into the shell. With a log management system, you can customize your logging to watch for these types of patterns on your networks.
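As an added example that is not from the talk or from Tripwire's product, here is a small Python detector for that pattern, run over constructed Apache combined-format log lines: it flags requests whose Referer or User-Agent header carries the Bash function-definition prefix that Shellshock probes against CGI scripts begin with. The log lines, IP addresses and CGI path are made up for the example.

```python
import re
from typing import Dict, List, Optional

# Apache "combined" log format. The Referer and User-Agent fields are where
# Shellshock probes against CGI scripts show up, because the web server copies
# request headers into environment variables before invoking the script.
# Simplification: embedded quotes, which Apache logs as \", are not handled.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A Shellshock payload starts with a Bash exported-function definition, "() {",
# with optional whitespace between the tokens. Matching that prefix catches the
# variants without enumerating whatever command was appended after it.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

# Constructed sample lines (not from the talk): a normal visit, a benign request
# to the CGI script, a probe in the User-Agent header and one in the Referer.
SAMPLE_LOG = r'''
203.0.113.7 - - [20/Apr/2015:10:01:12 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Apr/2015:10:01:15 -0700] "GET /cgi-bin/status.cgi HTTP/1.1" 200 310 "-" "Mozilla/5.0"
198.51.100.23 - - [20/Apr/2015:10:02:03 -0700] "GET /cgi-bin/status.cgi HTTP/1.1" 200 310 "-" "() { :;}; /usr/bin/id"
198.51.100.23 - - [20/Apr/2015:10:02:09 -0700] "GET /cgi-bin/status.cgi HTTP/1.1" 500 0 "() { :; }; echo vulnerable" "curl/7.37.0"
'''.strip()

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into named fields, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None

def find_shellshock_probes(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per line whose Referer or User-Agent carries the Bash
    function-definition prefix. Status is kept: a 200 means the CGI script answered."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # a production pipeline should count unparsed lines, not drop them silently
        for field in ("referer", "ua"):
            if SHELLSHOCK_RE.search(rec[field]):
                findings.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                                 "status": rec["status"], "field": field, "value": rec[field]})
                break  # one finding per line even if both headers are tainted
    return findings

if __name__ == "__main__":
    for f in find_shellshock_probes(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']} status={f['status']} {f['field']}={f['value']!r}")
```

In a log management system the same prefix match becomes a saved search or alert rule on the Referer and User-Agent fields, scoped to CGI paths.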
The next step in the kill chain is for the black hat hacker to ensure he has persistent access to the systems by backdooring the host and adding new users. By running scans, he can find out what’s on the internal network, as well as compromise credentials to see how he can move around the network. The moderator made a good point - since companies often don’t secure the internal network as well as the perimeter, attackers can move deep through the network to find the crown jewels (in this case, credit card data).
Reguly was able to dump the entire database to a public one and steal all of the credit card data from the ecommerce website, all because the system still accepted default administrative credentials (sounds like a job for two-factor authentication). Main takeaways? You can kill the kill chain quicker with the help of logs that identify patterns of known exploits, in addition to monitoring your hosts and endpoints with logging.
Want to learn more about how to protect your company against modern retail data risks? Check out our 115-page guide complete with infographics, technical solutions, and case studies.
Ideal for CISOs, security, compliance and risk management officers, as well as IT admins and professionals, our free eBook: A Modern Guide to Retail Data Risks provides guidance on:
- New risks to the retail industry presented by cloud, mobile and Bring Your Own Device (BYOD)
- Business and compliance drivers for strengthening authentication security
- How outdated security solutions can no longer effectively protect retailers and consumers alike
- How implementing a modern two-factor authentication solution can work to protect the new IT model