Most large organizations and enterprises at least try to take security seriously. This means that the front door is not only locked, it is fortified and reinforced, which makes it hard for the bad guys to get in. So, do they give up? Of course not! Instead they go around back and start rattling the door knobs on the shed, the cellar, and the servants' entrance, and work their way in that way.
High value targets are usually locked down and secured pretty well, but this is not always the case for lower value targets. Once compromised, these lower value targets can provide a useful platform from which to attack other systems. For example, while traffic from the internet to internal hosts may be tightly limited, in many cases traffic between machines in the DMZ may not be as well regulated. Thus if you can own one machine in the DMZ, it can be easier to compromise other systems.
A common approach, one that was used in the HBGary breach, is to go after a web server. In the case of HBGary an old standby, the SQL injection attack, was used to own the server, which was powered by a database-driven CMS. The stored passwords were hashed with MD5 (unsalted, and a fast hash rather than an encrypted or slow one), so although they were not stored in the clear, a couple of users had chosen simple passwords that were trivial to recover with rainbow tables. Once the attackers had these accounts, the first thing they did was try them on other HBGary systems and accounts, both corporate and personal. It was here that they struck gold, as the same userids and passwords were used across multiple machines and multiple accounts.
Another approach is to go after personal email accounts. Phishing attacks using realistic-looking password reset messages are one way in. Once you have an email account userid and password, other accounts are often trivial to compromise. For example, many people use the same password, or a simple variant of it, on other accounts, including accounts at work. A primary personal email account is also the key to many other accounts: the mailbox reveals what other accounts that person has (bank, credit card, and otherwise), and it can be used to reset the passwords on those accounts, because confirmation links are sent to that same email address.
While security professionals are well aware of the dangers of stepping stone attacks, these risks are often not top of mind for many users, or even for IT professionals who are not focused on security. Like many of the more profound problems in security, there are relatively simple things that can be done to provide far better protection for you and your organization. One is to use longer passwords that don't contain words likely to appear in a dictionary or rainbow table, particularly passwords that contain numbers, punctuation, and other unusual characters. Another is to avoid using the same password across multiple accounts. If all your accounts share the same password, the compromise of a single account can result in the compromise of both personal and corporate resources.
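To make the HBGary chain above and the two pieces of advice concrete, here is an added Python example (not code from the original post, and not anything from HBGary's systems). It builds a precomputed digest-to-password table from a small constructed wordlist, which has the same effect on unsalted MD5 that a rainbow table has; recovers a weak password from a constructed CMS dump; replays the cracked credentials against other constructed systems the way the attackers did; and contrasts unsalted MD5 with a salted, iterated PBKDF2 hash. The wordlist, the account names, the sample rows and the `pbkdf2_sha256$...` storage format are all assumptions made for the demonstration.

```python
import hashlib
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed wordlist standing in for the dictionary a rainbow table is built from.
WORDLIST = ["password", "123456", "letmein", "qwerty", "welcome1",
            "sunshine", "monkey", "football"]

PBKDF2_ITERATIONS = 200_000


def md5_hex(password: str) -> str:
    """Unsalted MD5 as the CMS in the article stored it: one password, one fixed digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(words: List[str]) -> Dict[str, str]:
    """Precompute digest -> plaintext once. A real rainbow table saves storage with hash
    chains, but the outcome is the same: any unsalted digest of a listed word is recovered
    with a lookup, not a search, and the table is reused against every dump ever obtained."""
    return {md5_hex(w): w for w in words}


def crack_unsalted(digest: str, table: Dict[str, str]) -> Optional[str]:
    return table.get(digest.lower())


def crack_dump(rows: Dict[str, str], table: Dict[str, str]) -> Dict[str, str]:
    """Run a dumped user -> MD5 table through the lookup; returns user -> plaintext hits."""
    cracked = {}
    for user, digest in rows.items():
        plaintext = crack_unsalted(digest, table)
        if plaintext is not None:
            cracked[user] = plaintext
    return cracked


def hash_with_salt(password: str, salt: Optional[bytes] = None,
                   iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash. The random per-user salt means no precomputed table applies,
    and the iteration count makes each guess expensive. Storage format is an assumption."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return secrets.compare_digest(dk.hex(), dk_hex)


def password_weaknesses(password: str, words: List[str], min_len: int = 12) -> List[str]:
    """The article's advice as a check: long, not built on a dictionary word, with digits
    and punctuation. Returns the list of rules the password fails (empty means it passes)."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    lowered = password.lower()
    if any(w in lowered for w in words):
        problems.append("contains a wordlist entry")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(not c.isalnum() for c in password):
        problems.append("no punctuation or other non-alphanumeric characters")
    return problems


def credential_reuse_hits(cracked: Dict[str, str],
                          systems: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """The attacker's next move: replay each cracked (user, password) against every other
    system's store. Salting protects a hash from precomputation, not a reused password."""
    hits = []
    for system, store in systems.items():
        for user, password in cracked.items():
            stored = store.get(user)
            if stored is None:
                continue
            if stored.startswith("pbkdf2_sha256$"):
                matched = verify_salted(password, stored)
            else:
                matched = md5_hex(password) == stored
            if matched:
                hits.append((system, user))
    return hits


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    # Constructed: two rows pulled from the CMS via SQL injection, one weak, one strong.
    cms_rows = {"alice": md5_hex("letmein"),
                "bob": md5_hex("Tr0ub4dor&3-wasnt-here")}
    cracked = crack_dump(cms_rows, table)
    print("cracked from CMS dump:", cracked)
    # Constructed: other hosts. The VPN salts its hashes, but alice reused her password.
    systems = {
        "support_portal": {"alice": md5_hex("letmein")},
        "vpn":            {"alice": hash_with_salt("letmein")},
        "mail":           {"alice": hash_with_salt("unique-m41l!passphrase")},
    }
    print("also opens:", credential_reuse_hits(cracked, systems))
    print("weaknesses of 'letmein':", password_weaknesses("letmein", WORDLIST))
```

Running it shows only alice's row falling to the lookup table, and then the same credential opening both the unsalted support portal and the properly salted VPN, while the mail account with its own distinct password stays closed. That is the whole lesson of the post in one run: a slow, salted hash stops the crack, but only a unique password per account stops the stepping stone.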
The latest SecureX Files video, on breaches and stepping stone attacks, can be found on the SecureX Files page. We provide these videos in an effort to make it easier for those in the IT and Security community to share best practices and raise awareness of security-related issues in the end-user community and we are eager for your feedback.
Stay secure and thanks for reading!