Tuesday, August 15, 2006

How to Hack a Bank

To illustrate the points we have covered so far, I’d like to share a real-life story with you that happened to me a few months ago. We were hired by the CIO of a large bank in Texas to perform an internal and external penetration test and site assessment. What happened within the first 45 minutes will hopefully shock you. We have been talking about the first steps in building an Information Security Program that really works, and most importantly we are beginning to lay down the foundation of a “layered” security approach. This story will clearly illustrate why that is a good idea.

When I begin to perform a site assessment, I will usually arrive at the bank’s main administrative office 30 minutes before opening. While in the parking lot, I can easily check for wireless devices, and drive around the building looking for possible entrances. I especially look for employee entrances, designated smoking areas, and external telco closet doors. As the traffic begins to pick up in the morning, and the branch is fully open, I will attempt to “piggy-back” an employee into the institution.

So this is how I began at my client's site. After following an employee through the back door I found myself in the hallway of the building, but all the doors in the hallway were locked! Foiled. I tried the stairway; as this was a two-story building, I thought I might get lucky. No luck, the stairway was locked. I found the elevator and tried to go to the 2nd floor . . . no luck . . . keycarded. Next I pressed “B” for Basement. Voilà! I was now heading downstairs, which, by the way, is where the data center was.

Once downstairs, I again started checking doorways. The doorway to the data center was locked and keycarded; I wasn’t going to be that lucky today! But, lo and behold, the stairway was not locked. I went into the stairway and made my way to the second floor. On the second floor, I found the onsite hacker’s dream, the TRAINING ROOM! Yes! A room full of exploitable computers, just waiting for keyloggers and pstoreview (a program that gives me all of the usernames and passwords that someone has entered into Internet Explorer). Better yet, the machines were turned on and logged in! I closed the door slightly, to gain a “moment of obscurity” as they call it in the CIA, cracked my knuckles, plugged in my USB drive with pstoreview and began . . .

I started by poking around the Network Neighborhood. I immediately found a server with an interesting name, “mail-old”. Hmm, that looks promising. I browsed over to “mail-old”, looked for some shares, and found one called “users”. I went into the users folder, found the President of the Bank’s user folder, opened that (yes, I was surprised I could get this far), and found the CIO’s annual performance review, complete with salary and performance history. Total time: 30 minutes in the parking lot, 15 minutes onsite. It turns out that “mail-old” was a server that had been used for a large file transfer and then abandoned. The entire bank file system had been copied there a month earlier. Customer data, loan files, account numbers . . . all were mine for the taking. Luckily they were paying me for this.

This little story clearly illustrates how a layered security model is supposed to work, and how each layer could have stopped me, or slowed me down enough to make my attempt unsuccessful. This is what security is all about – you’ll never make a system 100% secure. 100% secure = 0% usable. 100% usable = 0% secure. Somewhere in between is the right spot, but it is a continuum. Any system can be broken, as long as you have the time and resources to work on it. Our job as security experts is to raise the work factor of an attack to such a high level that the attack is near impossible or not worth the effort.

In this example these are only some of the “layers” that could have thwarted my attempt:

  • Having a keycard that prevented access to the basement. (The stairway door had to remain open as it is the only exit from the basement.)
  • Training all employees to challenge un-badged or unknown people.
  • Calling the police when a suspicious person is sitting in the parking lot of your bank for 30 minutes with a laptop.
  • Segregating the Training and Production networks.
  • Removing old files from the network.
  • Keeping all file shares restricted to an “as needed” basis.
  • Not allowing training PCs to log in automatically.
  • Not leaving PCs logged in unattended, or using auto-logoff features.
  • Restricting training PCs from browsing the Network Neighborhood.
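The three share-related layers above (removing old files, restricting shares to an “as needed” basis, and keeping casual browsing away from production servers) can be checked routinely rather than discovered by a visitor in the training room. The following PowerShell script is an added example and not code from the original post or from the author's engagement: it walks a list of file servers, lists every non-administrative SMB share, flags shares that grant Allow rights to broad principals (Everyone, Authenticated Users, Domain Users, and so on), and looks at the newest file under each share to spot servers nobody writes to any more. A broadly readable share with no recent writes is exactly the “mail-old” pattern. It assumes Windows Server 2012 / Windows 8 or later targets with the SmbShare cmdlets, CIM/WinRM reachable, and administrative rights on each host; the host names and the 90-day threshold are constructed placeholders.

```powershell
# Added example (not from the original post): audit SMB shares for broad
# read access combined with stale content, the "mail-old" pattern.
# Assumes SmbShare cmdlets on the targets, CIM reachable, and admin rights.
param(
    [string[]]$ComputerName = @('fs01', 'mail-old'),   # constructed sample targets
    [int]$StaleDays = 90                               # no writes for this long = stale
)

# Principals that effectively mean "anyone who can reach the network".
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ANONYMOUS LOGON'
)

$findings = foreach ($computer in $ComputerName) {
    try {
        $session = New-CimSession -ComputerName $computer -ErrorAction Stop
    } catch {
        Write-Warning "Cannot reach $computer over CIM: $($_.Exception.Message)"
        continue
    }

    # Skip C$, ADMIN$, IPC$ and friends; they are covered by a separate admin audit.
    $shares = Get-SmbShare -CimSession $session | Where-Object { -not $_.Special }

    foreach ($share in $shares) {
        $acl = Get-SmbShareAccess -CimSession $session -Name $share.Name

        # Any Allow entry for a broad principal makes the share effectively public.
        $broad = $acl | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($BroadPrincipals -contains $_.AccountName -or $_.AccountName -like '*\Domain Users')
        }

        # Newest file under the share tells us whether anyone still uses it.
        # (Recursing a large share is slow; run this off-hours or cap -Depth.)
        $unc = "\\$computer\$($share.Name)"
        $newest = Get-ChildItem -Path $unc -Recurse -File -ErrorAction SilentlyContinue |
                  Sort-Object LastWriteTime -Descending |
                  Select-Object -First 1 -ExpandProperty LastWriteTime

        $isStale = ($null -ne $newest) -and ($newest -lt (Get-Date).AddDays(-$StaleDays))

        [pscustomobject]@{
            Computer    = $computer
            Share       = $share.Name
            Path        = $share.Path
            BroadAccess = ($broad | ForEach-Object { "$($_.AccountName):$($_.AccessRight)" }) -join '; '
            NewestWrite = $newest
            Stale       = $isStale
            # Broad access on a share nobody writes to is the worst combination:
            # a forgotten copy of sensitive data that anyone on the LAN can read.
            Risk        = $(if ($broad -and $isStale) { 'HIGH' }
                            elseif ($broad)           { 'MEDIUM' }
                            else                      { 'LOW' })
        }
    }

    Remove-CimSession $session
}

# Worst findings first, then grouped by server.
$findings |
    Sort-Object @{ Expression = { @{ HIGH = 0; MEDIUM = 1; LOW = 2 }[$_.Risk] } }, Computer |
    Format-Table -AutoSize
```

Run it from a management workstation on a schedule and treat every HIGH row as a ticket: either the share is still needed, in which case its ACL is narrowed to a named group, or it is not, in which case the data is removed and the host decommissioned. A training-room PC on a segregated network would not be able to reach these servers in the first place, but the audit catches the ones that slipped through when the segregation is imperfect.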

The next few blogs will cover the building of the layers needed to create an Information Security Program that really works . . . .

I welcome all comments!

8 comments:

Roo's Dad (Matt) said...

Karn - great story and one that illustrates all-too-clearly the need for a multi-layered approach to security.

One such layer that could have 'thwarted' your attempts to use PSTORE or any other USB-based malware would be the ability to automatically block the connection of USB devices to company computers.

Solutions like DeviceWall can be an important part of a strategy that ensures only authorized staff can access and copy sensitive files from the network.

To (mis)quote Shrek, effective security is like an onion. It has lots of layers.

Karn said...

Thanks for the comment. Yes, that is another way it could have been thwarted. The complete lack of any defense was the amazing part of this story.

Thanks again,

Karn

ANGELUS said...

Steps on hacking a bank or other password-protected systems via laptop or computer? And also the name of the programs and the other requirements for my computer that I will need. I really want to learn hacking. I've been reading different sites that can help me but I can't understand what they are saying. Can you please help me with my problem? My e-mail is angelus_of_creed@yahoo.com. I really want to learn, please help me...

beny said...

Pretty interesting post. I think you brought up several good points, and unfortunately several good points that were relevant to our IT environment here. I am currently CCNA and am looking to get into Net Sec. and do the things you seem to be doing - poking holes in clients' networks. What certification path or education path would you suggest?

okiss said...

You are a godsend. I really want to learn hacking. I've been reading different sites that can help me but I can't understand what they are saying. Can you please help me with my problem? My e-mail is okissltd@yahoo.com. I really want to learn, please help me...

Mariam Lopez said...

Have ever wanted to get stinky rich, join the illuminati today and get all your heart desires.
contact them at lopezmariam3@gmail.com

Mariam Lopez said...

Lean how to hack a bank account, or buy softwares for hacking. Contact +23775559705

julia john said...

Really amazing blog, I’d love to discover some extra information.
protect america review