Hacking - A case study

The Organization

A seller of quality model cars based in the UK. The company involved was small, employing fewer than six people. It originated as a mail order company, and saw upgrading to include Internet-based sales as a natural step. They went into this field early, and used their normal Internet Service Provider to develop their online payment system.

What Happened

The company was infiltrated online by hackers, who altered prices on the site's catalogue. They were able to set any price they wanted for any product - and they did, reducing prices to one tenth of the original.

Impact

The company suffered substantial losses as a direct result of the attack. Fortunately, they recovered from the event quickly and prevented a recurrence by employing a specialist e-commerce oriented consultancy. This involved additional expense, but less than the amount they lost in the hacking attack.Such infiltration can go beyond embarrassment and financial loss. A website can be taken over and used to host illegal sites (including pornographic and warez sites). A warez site is one that provides illegal stolen software. It also provides the means to use copy-protected and similar programmes illegally.

Lessons?

• If you use the Internet for trading, ensure your website is secure. (See our section on online trading for further information.) • If you do not have IT staff 'in house', seek information security advice from a specialist company

Ethical Hacking - A case study

The Organization

A public organization in the UK that holds and processes extremely sensitive (in some cases political) information. The organization was subjected to a deliberate penetration test (known to some as 'ethical hacking') by a specialist company.

What Happened?

The network was scanned to determine what services were available on application and data servers. Conversations with the client revealed that a data server was used to store highly sensitive information.
Testers obtained information from the data server using a tool designed to retrieve information from Windows machines. Windows will reveal a lot of information without requiring any user identification. The output revealed: • The system password policy (that password lockout was not set, allowing unlimited attempts to guess passwords) • Login times • Usernames and groups • Shared drives

Impact

This information was sufficient to mount a password guessing attack. Testers found that there were two accounts within the administrator group and that password lockout was not enabled. This allowed the testers an unlimited number of login attempts.
It took 11 guesses to reveal the administrator password, the most powerful ID on any Windows system. Knowing this allows the user to do anything, change anything and then cover their tracks.
All machines on the site were connected to an open network. This meant that any user (authorized or otherwise) within the building who could access a workstation on the network could easily gain access to data stored on the data server. At this point testers reported the finding to their client as they had gained access to extremely sensitive information.

Lessons?

• If your computer systems are used for handling sensitive information, ensure that adequate security measures are in place • Ensure that password controls are stringent. In the above example, locking a user out of the system after two or three failed attempts to enter a password would have prevented unauthorised access to systems • Do not use passwords that might be guessed by other users. For example, never use personal or company names • Use network access and permissions to restrict internal access as appropriate