Infosec ruined my Saturday.

The correct approach for this post is swearing, kicking trashcans around the room and in general bringing the total chaos. OK, I did most of the things described above.

I used to believe that users trade off security for convenience. Well, this is not the rule, since today I realized infosec pros do exactly the same thing. A team was assigned to pentest a critical infrastructure’s application and they did, almost. Well, honestly, I wouldn’t pay them. Anyway, I wake up today and I sign in to my computer. For some mysterious reason (I’d fallen asleep over my laptop last night, that’s why), my computer notifies me of a change in my Dropbox. A new file added. The same moment I was notified, the file is deleted.
Break. If Dropbox notifies you of new files, the files have been uploaded already to the Dropbox servers. End of break.

I log in to Dropbox’s web panel and I download the deleted file. It’s a doc file. Considering the source of the file and its title, CRITICAL_INFRASTRUCTURE_PENTEST_REPORT.doc, it may be a prank. I open it sandboxed. Amazing… It’s not a prank, it’s an ongoing pentest. I start reading the pentest. There is a status field that’s written in bold: confidential.
I finished the pentest report and my mind is blown to pieces.
Let me introduce you to the worst pentest report of 2014.
First things first. Although they were supposed to try a black box approach, they never did a passive recon for files/conversations/mails or whatever would be useful to an attacker. Noope, there was not a single mention. I thought there was a tool to automate such tasks.
Moving on.

It is easy for an attacker to gain access. Passwords used are not strong enough.

Eeermm.. OK. Any solutions?

The developers should use sha-1 algorithm to store their passwords.

The trash can is already in circular orbit.
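To show why the report's "use sha-1" line is the wrong answer, here is an added example (not from the post or the report; the user names and the password value are constructed, and the PBKDF2 round count is an assumption). It contrasts an unsalted SHA-1 store with a salted, iterated PBKDF2 store and shows one concrete consequence of the former: identical passwords produce identical digests, so a leaked table reveals which users share a password before anyone has cracked anything.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Set

# Constructed sample password, not a value from the report.
SAMPLE_PASSWORD = "Winter2014!"

# Assumption: a work factor that is tolerable for one login but costly
# for an attacker trying millions of guesses.
PBKDF2_ROUNDS = 200_000


def sha1_store(password: str) -> str:
    """What the report recommends: one unsalted SHA-1 digest.

    Same password -> same digest for every user, and SHA-1 is fast, so an
    attacker holding the table can test precomputed or brute-forced guesses
    against every user at once.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def shared_password_groups(user_digests: Dict[str, str]) -> List[Set[str]]:
    """Group users whose unsalted digests collide, i.e. who share a password.

    This needs no cracking at all; it is readable straight off the table.
    """
    by_digest: Dict[str, Set[str]] = {}
    for user, digest in user_digests.items():
        by_digest.setdefault(digest, set()).add(user)
    return [users for users in by_digest.values() if len(users) > 1]


def pbkdf2_store(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated password hash (PBKDF2-HMAC-SHA256 from the stdlib).

    A fresh 16-byte random salt per user means two users with the same
    password get different records, and the round count makes each guess
    expensive. The record embeds its own parameters so they can be checked
    and raised later.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    algo, rounds, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def demo() -> List[Set[str]]:
    """Constructed three-user table: alice and bob picked the same password."""
    table = {
        "alice": sha1_store(SAMPLE_PASSWORD),
        "bob": sha1_store(SAMPLE_PASSWORD),
        "carol": sha1_store("a different one"),
    }
    return shared_password_groups(table)


if __name__ == "__main__":
    print("users sharing a password (visible from SHA-1 table):", demo())
    rec_a = pbkdf2_store(SAMPLE_PASSWORD)
    rec_b = pbkdf2_store(SAMPLE_PASSWORD)
    print("same password, different PBKDF2 records:", rec_a != rec_b)
    print("verify correct password:", pbkdf2_verify(SAMPLE_PASSWORD, rec_a))
    print("verify wrong password:", pbkdf2_verify("nope", rec_a))
```

A purpose-built password hash (bcrypt, scrypt or Argon2) is the usual choice in production; PBKDF2 is used here only because it ships with the standard library and makes the salt-and-iterate point without extra dependencies.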

aDynamicPage.jsp is vulnerable to SQLi.

There goes the vase. Sorry grandma, I really loved your present. I won’t mention that there’s no proof of concept here; since they used sqlmap, there should be a vulnerable parameter.

An attacker could possibly gain data.

And possibly he couldn’t. Like Schrödinger’s cat. SQLi me and I could leak data or not. Risk and find out. I won’t mention that the team didn’t check the type of data and whether it is stored encrypted or not. The DBMS is MySQL. MySQL implements INTO OUTFILE. Since there’s a SQLi vulnerability, an attacker could possibly upload a shell.
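This is the kind of evidence the "aDynamicPage.jsp is vulnerable to SQLi" line should have carried: the vulnerable query pattern, the fixed one, and what each returns for a normal value versus a tautology probe. It is an added example, not code from the post or the report. It assumes the page's parameter is a username lookup (the report names no parameter), uses an in-memory SQLite table as a stand-in for the MySQL database so it runs offline, and the rows are constructed.

```python
import sqlite3
from typing import Dict, List, Tuple

# Constructed stand-in for whatever aDynamicPage.jsp queries.
SAMPLE_ROWS = [
    ("alice", "alice@example.invalid"),
    ("bob", "bob@example.invalid"),
    ("carol", "carol@example.invalid"),
]


def build_db() -> sqlite3.Connection:
    """In-memory table; SQLite instead of MySQL so the example runs anywhere."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO accounts (username, email) VALUES (?, ?)", SAMPLE_ROWS
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """String concatenation: the parameter becomes part of the SQL text.

    This is the pattern a sqlmap finding points at; the value is parsed as
    SQL, so quotes and operators inside it change the query.
    """
    sql = "SELECT username, email FROM accounts WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Bound parameter: the value is passed to the driver, never parsed as SQL."""
    return conn.execute(
        "SELECT username, email FROM accounts WHERE username = ?", (username,)
    ).fetchall()


def proof_of_concept(conn: sqlite3.Connection) -> Dict[str, int]:
    """Row counts for a normal value and for the classic tautology probe.

    A report entry should show exactly this: the probe returns every row
    through the concatenated query and nothing through the bound one.
    """
    probe = "' OR '1'='1"
    return {
        "normal_vuln": len(lookup_vulnerable(conn, "alice")),
        "probe_vuln": len(lookup_vulnerable(conn, probe)),
        "normal_safe": len(lookup_parameterized(conn, "alice")),
        "probe_safe": len(lookup_parameterized(conn, probe)),
    }


if __name__ == "__main__":
    for name, count in proof_of_concept(build_db()).items():
        print(f"{name}: {count} row(s)")
```

On the INTO OUTFILE point: a SELECT ... INTO OUTFILE write in MySQL requires the FILE privilege on the account the application connects with, and current MySQL additionally confines it to the directory set by secure_file_priv. Checking what privileges that account holds is part of rating the finding, and dropping FILE from it is the cheap mitigation while the query is being fixed.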

OK, my favorite part comes here.

The servers were attacked with nMap.

Attacking servers with nMap. Attacking+nMap==Killing people with water pistols full of Evian. nMap=n+Map=network+map<–{Network,Map}. I see no attack here. Hint for the boys: increase your chances of attacking something by 100% with the aid of armitage. Select the Hail Mary option.
The final part is CVEs. If it wasn’t for a critical infrastructure I would copy and paste every page of that report.

CVE-xxx CVE-xxx CVE-xxx CVE-xxx CVE-xxx CVE-xxx CVE-xxx CVE-xxx CVE-xxx CVE-xxx CVE-xxx CVE-xxx CVE-xxx CVE-xxx CVE-xxx CVE-xxx CVE-xxx CVE-xxx CVE-xxx CVE-xxx CVE-xxx CVE-xxx CVE-xxx CVE-xxx CVE-xxx CVE-xxx CVE-xxx CVE-xxx CVE-xxx CVE-xxx CVE-xxx CVE-xxx CVE-xxx CVE-xxx CVE-xxx CVE-xxx

About 12 pages of that. If I were the sysadmin, I would rather kill myself with a spoon than read this.

After swearing for about an hour or so, I had some thoughts on the subject.

To all the organisations that need or want a pentest: ask for previous work of that team. If you are not able to judge their work, hire a consultant. It will save you your money, your time and some of your sleep.

To all the infosec pros: Errmm… We should have already banned their presence. My approach was to inform both the organisation and the head of the team. For the record, the head didn’t really like what happened and started swearing more than I did.

General tips:

  1. Whatever is confidential is stored encrypted. No one cares about your convenience. Store it encrypted. End of story.
  2. When you move a file, make sure the destination is correct. Moving files randomly may bring chaos. Or an infosec jerk posting about you failing big time.
  3. If you violate any of the above, I WILL FIND YOU AND MAKE YOU SUFFER. That’s acceptable. Make sure you learn from your mistake and hope that no one will notice.

Going to mess with my new toy.
