Originally posted by Sy Phul on blog.andera.com. Follow us on Twitter @AnderaInc.
A couple of weeks ago I wrote a short post about my experience working as an ethical hacker before I came to Andera. During that time, I infiltrated a financial institution using social engineering techniques, which gained me access to customer information.
Although I don't have more bank break-in stories to share, I did also hack into two other data-rich institutions during my tenure as an ethical hacker: a university and a hospital. Both types of institutions hold loads of sensitive information that a hacker could resell on the black market.
Operation Animal House
Step 1: Find Vulnerability
The first step was to scan their system for vulnerabilities; I looked at different applications used by the university as well as the network at large. After searching for some time, I found a vulnerability. Through this vulnerability, I was able to access the web application source code.
Step 2: Exploit Vulnerability
I found login credentials in the source code, and I used one of them to remotely control the system. From there, I could download the encrypted Windows password file I needed in order to compromise the host. I used a common hacker toolkit to crack it and read the passwords in clear text. I used those credentials to access other servers on the network, where I found sensitive data. GAME OVER.
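The break-in above started with credentials left in web application source code. The following is an added example (not code from the original post or from Andera) of the kind of check a defender can run over a code base before it ships: a small scanner that flags lines carrying hardcoded passwords, connection-string credentials, or user:password URLs. The patterns and the sample file are constructed for this illustration and should be tuned to your own code base.

```python
import re
from pathlib import Path

# Patterns that commonly indicate a credential committed to source.
# Constructed for this example; extend them for your own frameworks.
CREDENTIAL_PATTERNS = {
    # password = "literal"  /  "pwd": "literal"  (no \b so FOO_PASSWORD also matches)
    "password_assignment": re.compile(r"""(?i)(pass(word)?|pwd)\s*[:=]\s*['"]([^'"]{4,})['"]"""),
    # Uid=...;Pwd=...  style connection strings
    "connection_string": re.compile(r"""(?i)\b(user id|uid|password|pwd)=[^;'"\s]+"""),
    # scheme://user:password@host
    "basic_auth_url": re.compile(r"""(?i)\b[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s:@]+@"""),
}


def scan_source(text, filename):
    """Return (filename, line number, pattern name) for each suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in CREDENTIAL_PATTERNS.items():
            if pattern.search(line):
                findings.append((filename, lineno, name))
                break  # one finding per line is enough for triage
    return findings


def scan_tree(root, suffixes=(".py", ".php", ".config", ".xml", ".ini", ".env")):
    """Walk a directory and scan every file with one of the given suffixes."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            try:
                findings.extend(scan_source(path.read_text(errors="replace"), str(path)))
            except OSError:
                continue  # unreadable file; skip rather than abort the scan
    return findings


# Constructed sample file, not real code from any institution.
SAMPLE_SOURCE = """\
# constructed sample for the scanner
import os
DB_PASSWORD = os.environ["DB_PASSWORD"]          # fine: read at runtime
LEGACY_PASSWORD = "Summer2011!"                  # hardcoded secret
REPORTS_URL = "ftp://reports:letmein@files.example.edu/"
password_hash = "5f4dcc3b5aa765d61d8327deb882cf99"  # a hash, not a password literal
conn = "Server=sis-db;Database=students;Uid=app;Pwd=Welcome1;"
"""

if __name__ == "__main__":
    for filename, lineno, kind in scan_source(SAMPLE_SOURCE, "sample.py"):
        print(f"{filename}:{lineno}: {kind}")
```

The scanner deliberately ignores values read from the environment at runtime and assignments to names such as `password_hash`, so it points at the lines that would have handed an attacker working logins. In practice it belongs in a pre-commit hook or CI step, and any hit should be rotated, not just deleted from the file.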
Mission Infirmary
Step 1: Phishing
First, I gathered information, including email addresses, from their website and through Google searches to better understand the structure of the hospital. Using the information gathered, I wrote phishing emails to hospital personnel. It worked as a few of my targets clicked on the link in their email.
Step 2: Remote Control
Clicking the link in the phishing email automatically downloaded a software agent onto my targets' machines. The software agents then "phoned home" to the command center (me) for further instructions.
I instructed the agents to log my targets' keystrokes, which enabled me to collect passwords and access critical systems. GAME OVER.
So what can your institution do?
First, patch the vulnerabilities in your network.
Second, implement anti-virus and anti-spyware protection on your hosts.
Third, consider implementing intrusion detection and prevention systems on your network.
Fourth, educate your employees about phishing scams, and consider flagging messages from unknown senders. Most of us now know to avoid the obvious request for an unsecured international money transfer, but more sophisticated phishing scams can be much harder to distinguish.
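The fourth recommendation, flagging messages from unknown senders, is easy to prototype. Below is an added example (not code from the original post or from Andera) that inspects a raw message, checks whether the From address belongs to one of the institution's own domains, and adds two further indicators that commonly accompany phishing: a Reply-To pointing at a different domain than the From address, and a display name that borrows the institution's name while the actual address is external. The internal domain and both sample messages are constructed for this illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumption for this example: the domains the institution itself sends from.
INTERNAL_DOMAINS = {"example-hospital.org"}


def address_domain(header_value):
    """Return the lowercase domain of an address header, or '' if there is none."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def phishing_indicators(raw_message):
    """Return the list of reasons a message should be flagged (empty if none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_header = str(msg.get("From", ""))
    from_domain = address_domain(from_header)
    reasons = []

    # 1. Sender is not one of our own domains.
    if from_domain not in INTERNAL_DOMAINS:
        reasons.append(f"sender outside the institution: {from_domain or '(no address)'}")

    # 2. Replies would go somewhere other than the apparent sender.
    reply_domain = address_domain(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To goes to a different domain: {reply_domain}")

    # 3. External address dressed up with the institution's name in the display name.
    display_name, _ = parseaddr(from_header)
    org_labels = {d.split(".")[0] for d in INTERNAL_DOMAINS}
    if from_domain not in INTERNAL_DOMAINS and any(
        label in display_name.lower() for label in org_labels
    ):
        reasons.append("display name impersonates the institution")

    return reasons


def tag_message(raw_message):
    """Return (flagged, subject); the subject gets a warning banner when flagged."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = phishing_indicators(raw_message)
    subject = str(msg.get("Subject", ""))
    if reasons:
        subject = "[EXTERNAL - VERIFY BEFORE CLICKING] " + subject
    return bool(reasons), subject


# Constructed sample messages.
INTERNAL_MESSAGE = (
    "From: IT Help Desk <helpdesk@example-hospital.org>\n"
    "To: nurse@example-hospital.org\n"
    "Subject: Scheduled maintenance\n"
    "\n"
    "The portal will be down Sunday night.\n"
)

PHISHING_MESSAGE = (
    "From: Example-Hospital IT Help Desk <helpdesk@mail-notice.example.com>\n"
    "Reply-To: collect@mailbox-relay.example.net\n"
    "To: nurse@example-hospital.org\n"
    "Subject: Password expiring today\n"
    "\n"
    "Click the link to keep your account active.\n"
)

if __name__ == "__main__":
    for name, raw in (("internal", INTERNAL_MESSAGE), ("suspicious", PHISHING_MESSAGE)):
        flagged, subject = tag_message(raw)
        print(name, flagged, subject, phishing_indicators(raw))
```

A banner in the subject line is the simplest way to give staff the cue the training asks for; mail gateways offer the same kind of tagging natively, and the indicators above map onto the rules you would configure there.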