AusCert 2010: Defence illusion hack rooted in reality

A government agency was almost crippled after an employee opened a Trojan-infected PDF file, exposing some 40 adminstration passwords to a hacker.

That's the hypothetical scenario posited by a Defence Signals Directorate (DSD) cyber security technical investigations expert - who did not wish to be identified - speaking to the AusCert conference in Queensland this week. His job is one of response, where he conducts forensics on a compromised agency to reveal possible data loss or exploit methods used by hackers - essentially maintaining the latter part of the DSD motto "reveal their secrets - protect our own".

The scenario was complied from actual breaches and security incidents that the 24 x 7 DSD team had worked on. The fake agency, dubbed govtenders, had come close to suffering a catasophic breach after a user fell victim to a targeted phishing attack - something the agency sees often along with targeted attacks on client-side and third-party applications.

Once the rogue PDF was executed, the phoney attack could have exploited adminstration rights, made available by common and large-scale systems and network management tools like HP Openview, the DSD spokesman said.

"The point to take home is that if you are running on one machine [both] local adminstration rights and domain adminstration on a management agent, you're stuffed," the DSD spokesman said.

"Govtenders had a Standard Operating Environment (SOE), so if the attackers had pulled back the hash of the box, and cracked it offline, they would have access to every computer in the environment.

"Adminstration passwords should be removed from users; they should be removed from yourself. Dodgey PDFs can still cause haovc if they are opened by helpdesk."

However, he refuted findings in a Beyond Trust survey that 90 per cent of vulnerabilities in Microsoft Windows 7 can be mitigated by eliminating administration rights.

The spokesman replicated the attack live to the AusCerT audience in less than three minutes.

He said the extent of data loss could not be determined because proxy logs recorded only the size of the response form the HTTP server.

"The attackers could have grabbed valuable data. There is no way of knowing what or how much was lost," he said.

The spokesman recommended security officers implement a Sender Policy Framework to block the PDF-laden email; ensure anti-virus programs have updated, efficient heuristics; use whitelisting; and ensure third party applications are properly patched.

He said security managers should follow the DSD guide, dubbed the 35 Strategies to Mitigate Targeted Cyber Intrusions, and added that whitelists, a long-touted recommendation of the organisation, must accompany blacklists.

"If you take anything away from this, it is that you should know your SOE, know your applications, settings, versions, and why they are that way. It will allow you to help your change and desktop management teams to get out patches faster," he said.