Stealth penetration test reveals weakness
(3 May 2010 – USA) A research team at cyber-security specialist firm Netragard managed to successfully takeover an entire IT infrastructure of a client bank by tapping into information found at online sites such as Facebook and Linkedln.
The firm was hired by a ‘mid-sized’ bank to conduct an advanced stealth penetration test to see how far they could worm their way into the client bank’s IT infrastructure without being detected.
SNOsoft’s boss, Adriel Desautels, said that his firm gathered valuable information from Facebook, and then mapped relationships between employees, vendors, friends and family.
The social networking site also helped the firm to identify key people in accounts receivables/accounts payable at the bank, Mr Desautels said in a blog.
In addition, LinkedIn and job sites such as Monster and Dice, where IT positions at the bank were advertised, provided ‘interesting and useful technical information’ on things such as intrusion detection technologies and operating systems for desktops and servers.
To assist in the process the SNOsoft team applied for an IT security position advertised at the bank and used the subsequent screening call to pump the bank for details on its anti-virus technologies and policies on controlling outbound network traffic.
The firm then crafted a PDF document and then sending it to the victim's AR/AP department from its trusted IT services provider.
The PDF was sent, undetected by anti-virus software, and was opened by a bank employee, compromising their computer. Once it had control of the computer, SNOsoft installed its own back-door technology and deployed a suite of tools before scoping out the internal network. Eventually the team cracked the bank's passwords and gained access to desktops, servers and Cisco devices used by the bank.
Mr Desautels said that the firm, as a result of their strategies, were able to penetrate into their customers IT Infrastructure and effectively take control of the entire infrastructure without being detected.
SNOsoft’s boss, Adriel Desautels, said that his firm gathered valuable information from Facebook, and then mapped relationships between employees, vendors, friends and family.
The social networking site also helped the firm to identify key people in accounts receivables/accounts payable at the bank, Mr Desautels said in a blog.
In addition, LinkedIn and job sites such as Monster and Dice, where IT positions at the bank were advertised, provided ‘interesting and useful technical information’ on things such as intrusion detection technologies and operating systems for desktops and servers.
To assist in the process the SNOsoft team applied for an IT security position advertised at the bank and used the subsequent screening call to pump the bank for details on its anti-virus technologies and policies on controlling outbound network traffic.
The firm then crafted a PDF document and then sending it to the victim's AR/AP department from its trusted IT services provider.
The PDF was sent, undetected by anti-virus software, and was opened by a bank employee, compromising their computer. Once it had control of the computer, SNOsoft installed its own back-door technology and deployed a suite of tools before scoping out the internal network. Eventually the team cracked the bank's passwords and gained access to desktops, servers and Cisco devices used by the bank.
Mr Desautels said that the firm, as a result of their strategies, were able to penetrate into their customers IT Infrastructure and effectively take control of the entire infrastructure without being detected.
Subscribe