New Year, Old News.

The top 4 errors found by Hut3 Penetration Testers

By Edd Hardy, Testing Manager, CNS Hut3

It's 2013 and our Penetration Tests are still finding the same old errors. 

Every year at Hut3, we sit down and look through the reports for the year, looking for trends and patterns and new issues that we need to be talking to customers about.  Its always an interesting exercise.  This year we looked back a bit further as well, and the news isn't really very surprising to those of us who do this for a living, but its still a huge disappointment. 

Ten years on,  people are still making exactly the same basic errors.  Systems have got much more sophisticated, you can now do so much on the internet that you couldn't think of ten years ago.  There is a huge amount of free, simple and easy security advice and guidance on the internet, organisations are employing security specialists at a rate never seen before and yet we still find the most basic errors on both internal and external systems, the same ones we found 10 years ago.

#1 - Default Passwords - We still find, on a worryingly regular basis, a huge number of default passwords.  We find devices that are plugged into the internet with the credentials the manufacture set when the device left the factory.  These credentials are really well known, they are built into automated tools that hackers and pen testers use, and there are databases of them on the internet (http://www.cirt.net/passwords), this means that anyone on the internet can access and control these devices (they dont need to be a hacker , they don't need to understand networks or even care about what your organisation does, they just need to be able to type).  The other point to think about here, is these are often high end device bought to secure networks (like big commercial firewalls), if they have the default credentials on them not only are they actually making your security worse but they are clearly not being used and represent a waste of money.  We find default credentials on everything from high end CISCO devices, to door control systems, security cameras, printers, switches, power controllers, database servers, web servers, laptops, video conferencing systems, pretty much on anything.

#2- Insecure Communication - Plaintext Bad, Encryption Good.  Its not rocket science and we have known it for a long time ago, everyone has.  Julius Caesar used a basic form of encryption.  Given that and the fact that using encrypted communication over the internet is simple and virtually all systems support it, its really worrying that we still on many test find insecure communication methods.  So for example on a typical external penetration test we will find organisations using telnet to manage a device (as well as being unencrypted so anyone who can access that message can read it , meaning they can get the username and password, its an immediate attention grabber for attackers, telnet will make them look in more detail as its a reasonable guess that the target hasn't thought about security), we will often find HTTP being used instead of HTTPS (HTTPS is encrypted) on websites to transmit sensitive information, e.g usernames and passwords.  This is security 101, its one of the reasons the PCI DSS was created, to provide a basic list of security requirements, as the standard was first launched in December 2004 , its depressing that almost 10 years later we still find the same issues. 

#3 - Patching - This is the number one issue, particularly in Windows environments.  Everyone knows they should patch, they know how to patch, but we still constantly find a huge number of systems that are not patched.  Sometime its due to simply not understanding that tools like WSUS can make a mistake. But often its due to simply not patching.  For an attacker its like taking candy from a baby, if systems are missing old critical patches, then you simply use an automated tool like the metasploit framework, point it at the target and deploy the payload, it doesn't require any skill or technique and the majority of the time it will give you access to that box, then its a simple matter of escalating privileges and you have full control of the environment. 

#4 - Guessable Passwords  - Just like the default passwords, we will find on a regular basis , stupid passwords.  Passwords that are easy to guess , i,e the name of the individual, the name of the company, one of their products, the name of the building they are in.  As pen testers we are targeting a specific company, one of the first things we do is build a custom dictionary, things we know about the company, key words from the website etc.  Whats also really interesting is that password complexity is not solving this, e.g if you require that a passwords is multi case and alpha numeric, Password1 fits that and we will try it, we frequently find that.  Password complexity just gives us a pattern to work with.  Its also incredibly noticeable that people simple iterate their passwords, e.g Password1, Password2, Password3  as the solution to being asked to change their passwords.  What is also really worrying is when people adjust systems to have weak passwords or even remove them!  We occasionally find that systems that come with reasonably secure passwords (e.g a random password is supplied out of the box) just have the password removed!

The point to take from all of these is that its very common for organisations to fail at the most basic security steps, they spend a huge amount on security, both people and equipment.  However we still find these issues.  Whats the cause of this? People!, its the human element of security that is flawed.  This is not actually about technical issues.  All of these issues are well known and understood, we know how to fix them, there are tools and methodologies.  This is simply a procedural failure, we are not doing the things that need to be done, we are spending the time looking at really sophisticated security methodologies and not doing the best.  This is the equivalent to fitting security to your house and then just leaving the key in the lock.  All of the advanced security and technology is worthless if we don't cover the basics.  If you ever watch pilots preparing to take off you will see them run through a check list, they all know what they are doing and could easily do it without the check list, the check list just stops them forgetting something really simple but vital.  That's what we need to do in InfoSecurity, fix the basics, we know how to do it but we actually have to do it.