The SpiderLabs division of security firm Trustwave conducts over 2,000 penetration tests a year looking for IT security risks. While most engagements turn up ordinary flaws, some lead to the discovery of extraordinary kinds of enterprise security risk.
Speaking at the SecTor security conference in Toronto last week, Nicholas Percoco, senior vice president and head of SpiderLabs, explained that penetration tests need to look beyond the surface to find business logic flaws and other deeply ingrained weaknesses.
One of the more interesting hacks SpiderLabs has done is one it calls "Do You Want Fries with that Hack?" The penetration testing team was testing a large restaurant chain that takes take-out orders over the Internet. The initial sweep revealed that the Web application used Java and Flash and was not at risk from any common exploits or SQL injection issues.
Another interesting flaw discovered by SpiderLabs is one it calls "One PBX to Rule Them All." Percoco explained that researchers found an unprotected field technician account on a Siemens PBX and were able to access the voice mailbox of the corporate help desk. From there, the rest of the attack was pure social engineering, with SpiderLabs researchers answering help desk calls, collecting user credentials and gaining even more network access.
SpiderLabs also encountered an interesting compromise of a company by way of IP cameras. Percoco said the penetration test was for a large multinational company. The analysis found 20 IP cameras that could be reached through an undocumented way to bypass authentication: the username root and the password m. Once the researchers controlled the cameras, they used them to watch people enter information and discuss corporate activities. Percoco noted that all of that information could be used to compromise the whole organization.
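The root/m pair above is the kind of undocumented vendor credential an automated scanner will not flag unless someone puts it on the list. As an added example (not code from the talk or from SpiderLabs), the script below sweeps a camera inventory for known default or backdoor credentials and reports which hosts accept them. It assumes the cameras expose an HTTP Basic-auth web interface, which the article does not specify, and it stands up in-process fake cameras so it runs offline; every credential pair other than root/m is constructed for illustration.

```python
"""Default-credential audit for IP cameras (added example, not from the talk).

Assumption: cameras authenticate with HTTP Basic auth. The FakeCamera class
is a constructed stand-in so the audit can be exercised without real devices.
"""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# root/m is the pair reported in the article; the other pairs are constructed
# placeholders showing how the same audit generalises to a credential list.
CANDIDATE_CREDS = [("root", "m"), ("admin", "admin"), ("admin", "")]


class FakeCamera(BaseHTTPRequestHandler):
    """Constructed stand-in for a camera web UI guarded by Basic auth."""

    accepted = ("root", "m")  # overridden per instance in start_fake_camera

    def do_GET(self):
        header = self.headers.get("Authorization", "")
        ok = False
        if header.startswith("Basic "):
            try:
                user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
                ok = (user, pw) == self.accepted
            except Exception:  # malformed token: treat as failed login
                ok = False
        if ok:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"live view")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="camera"')
            self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_fake_camera(accepted):
    """Start a fake camera on a random loopback port; returns the server."""
    handler = type("Cam", (FakeCamera,), {"accepted": accepted})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def try_login(url, user, pw, timeout=3):
    """True if the host accepts user:pw, False if rejected, None if unreachable."""
    token = base64.b64encode(f"{user}:{pw}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as e:
        if e.code in (401, 403):
            return False
        raise
    except OSError:
        return None


def audit(hosts, creds=CANDIDATE_CREDS):
    """Map each host URL to the list of candidate credentials it accepted."""
    findings = {}
    for host in hosts:
        findings[host] = [(u, p) for u, p in creds if try_login(host, u, p)]
    return findings


def demo():
    """Audit one camera with the root/m account and one with a unique password.

    Returns the per-host hit lists in inventory order.
    """
    backdoored = start_fake_camera(("root", "m"))
    hardened = start_fake_camera(("operator", "Xk9!long-random-passphrase"))
    servers = (backdoored, hardened)
    hosts = [f"http://127.0.0.1:{s.server_port}/" for s in servers]
    try:
        result = audit(hosts)
    finally:
        for s in servers:
            s.shutdown()
            s.server_close()
    return [result[h] for h in hosts]


if __name__ == "__main__":
    for host_hits in demo():
        print("VULNERABLE" if host_hits else "ok", host_hits)
```

In a real engagement the host list comes from the network inventory and the credential list from the vendor's documentation plus whatever the tester already knows about the product; a hit on any pair is a finding regardless of whether the vendor documents the account.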
Overall, the goal of SpiderLabs' penetration testing efforts wasn't just to see how far the testers could get; it was also to see what the organizations were able to detect. Linn stressed that persistence in penetration testing is key in order to dig deeper, just as real criminals would do.
"These types of vulnerabilities are not the things that an automated scan will find," Percoco said. "The things we find commonly through the manual process end up getting us awesome results in the end."