The Spider Labs division of security firm Trustwave conducts over 2,000 penetration tests a year looking for IT security risks. While some audits find normal flaws, there are some that lead to the discovery of extraordinary types of enterprise security risks.

Speaking at the SecTOR security conference in Toronto last week, Nicholas Percoco, senior vice president and head of SpiderLabs explained that penetration scans need to look beyond the surface to find business logic and other deeply ingrained flaws.

One of the more interesting hacks that Spider Labs has done is called "Do You Want Fries with that Hack?" The penetration testing team was conducting a test for a large restaurant chain that does take-out orders over the Internet. The initial penetration testing sweep revealed that the Web application used Java and Flash and was not at risk from any common exploits or SQL Injection issues.

Ryan Linn, senior security consultant with SpiderLabs, noted however that the credit card processing was handled by a third party via JavaScript and the testers were able to manipulate payment info as it passed to the third party processing firm.

"What was missing was JavaScript validation," Linn said. "So we adjusted the price of the food and we were able to get a meal delivered for $.50 cents."

Another interesting flaw discovered by Spider Labs is one that they call, "One PBX to Rule Them All." Percoco explained that researchers found an unprotected field tech account on a Siemens PBX and were able to access the voice mailbox of the corporate help desk. From there, the rest of the attack was pure social engineering, with Spider Labs researchers responding to a help desk calls, getting user credentials and even more network access.

Spider Labs research also encountered an interesting exploit of a company by way of IP cameras. Percoco said that the penetration test was for a large multi-national company. The analysis found 20 IP cameras that were at risk from an undocumented way to bypass the authentication system with the username: root and the password: m. Once the researchers had control of the IP cameras they were used to watch people enter information and discuss corporate activities. Percoco noted that all that info could be used to compromise the whole organization.

Overall, the goal of Spider Labs penetration testing efforts weren't just about seeing how far they could get, it was aslo about seeing what organizations were able to detect. Linn stressed that persistence in penetration testing is key in order to dig deeper just like real criminals would do.

"These types of vulnerabilities are not the things that an automated scan will find," Percoco said. "The things we find commonly through the manual process ends up getting us awesome results in the end."

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of Internet.com, the network for technology professionals.

<p>The Spider Labs division of security firm Trustwave conducts over 2,000 penetration tests in a year looking for technology security risks. While some audits find normal flaws, there are some that lead to the discovery of extraordinary types of enterprise security risks.

 

<p>Speaking at the SecTOR security conference in Toronto last week, Nicholas Percoco, Senior Vice President and Head of SpiderLabs at Trustwave explained that penetration scans need to look beyond the surface to find business logic and other deeply ingrained flaws.

 

<p>One of the interesting hacks that Spider Labs was able to execute is one they called, "Do You Want Fries with that Hack?."  The penetration testing team was conducting a test for a large restaurant chain that has take-out orders over the Internet. The initial penetration testing sweep revealed that the web application used Java and Flash and was not at risk from any common exploits or SQL Injection issues.

 

<p>Ryan Linn, Senior Security Consultant with Trustwave's SpiderLabs noted however that the credit card processing was handled by a third party via JavaScript. An analysis revealed that the JavaScript did not have enough checks in places. As such the security testers were able to manipulate the payment info as it went to the third party processing firm.

 

"What was missing was JavaScript validation," Linn said. "So we adjusted the price of the food and we were able to get a meal delivered for 50 cents."

 

<p>Another interesting flaw discovered by Spider Labs is one that they call, 'One PBX to Rule Them All'.  Percoco explained that the researchers found an unprotected Field Tech account on a Siemens PBX and were able to access the voice mailbox of the corporate help desk. From there the rest of the attack was social engineering, where the Spider Labs researchers responded to a help desk call, getting user credentials and even more access to the network.

 

<p>Spider Labs research also encountered an interesting exploit of a company by way of IP cameras. Percoco said that the penetration test was for a large multi-national company. The analysis found 20 IP cameras that were at risk from an undocumented way to bypass the authentication system  with the username: root and the password: m.  Once the researchers had control of the IP cameras they were used to watch enterprise users enter information and discuss corporate activities. Percoco noted that all that info could be used to have a large compromise of the whole organization.

<p>Overall the goal of Spider Labs penetration testing efforts weren't just about seeing how far they could get, it was aslo about seeing what organizations were able to detect. Linn stressed that persistence in penetration testing is key, in order to dig deeper just like real criminals would do.

 

<p>"These types of vulnerabilities are not the things that an automated scan will find," Percoco said. "The things we find commonly through the manual process ends up getting us awesome results in the end."

 

<P><em>Sean Michael Kerner is a senior editor at <a

href="http://www.internetnews.com/">InternetNews.com</a>, the news

service of <a href="http://www.internet.com/">Internet.com</a>, the

network for technology professionals.</em>