Stories from the Pentesting Trenches
This may come as a shock, but hacking in real life is nothing like the movies or TV shows. There aren’t blinking firewall boxes that show a completion percentage for your hacking progress. There aren’t fancy 3-D visual displays of hex data. Two people never type on the same keyboard while windows flash rapidly on and off the screen. And no special light turns on deep in the computer's hardware when malware activates.
In reality, penetration testing is mostly patient research. Very patient research. For every moment of excitement (in this case, “excitement” meaning that the two-dimensional, black and white text on the screen changes), there are hours and hours of research, coding, and troubleshooting.
Thus, we were a little apprehensive when our manager asked to sit in on the start of a penetration test one day to learn more about how it was done. We assumed it would take hours to find anything interesting, at which point, our manager would either be asleep in his chair or have moved on to other, more exciting projects, occasionally glancing back at us with a mixture of pity and amusement.
This time, though, we got lucky.
We started testing at the login screen. After trying a few default credentials, we noticed that the error message “Invalid credentials” displayed on the login form was also present in the URL as a query parameter. We immediately changed the parameter in the URL to “Testing error message injection” and watched as our message was displayed in big red letters. As we explained the possible cross-site scripting ramifications to our manager (anything that can be placed in that parameter is reflected, unescaped, into the page, so a crafted link would run in the victim's browser), we started testing HTML tags, such as "Invalid <a href="https://craftcompliance.com">credentials</a>", and script blocks. Sure enough, everything executed as expected.
At that point, we called our client directly and explained the finding. A few days later, they asked us to retest the login page to validate that their update fixed the vulnerability. Security crisis averted.
Moral of the story: never rely on user-controllable URL parameters for error messages, and sometimes exciting things happen, even when your manager is looking over your shoulder.
Kroll’s research team analyzed data breaches in 2020 and found that industries that were previously less frequently targeted have caught up. In the food and beverage industry, breach notifications rose by 1300% compared to 2019, while notifications in the construction industry rose by 800%. Other industries that saw massive spikes in notifications were utilities, entertainment, agriculture, and recreation.
Moreover, the data breach numbers across all industries continue to rise, with more data breaches in the past few weeks:
Carnival Corp, a cruise ship operator, reported that hackers gained access to their systems back in March 2021. Affected data includes personal details of guests and employees, according to their report. The company also suffered a ransomware attack last year, but there is no indication so far of whether the two attacks are linked.
CVS exposed over a billion records of health-related queries and events. Identified by security researchers, the data includes session IDs, device data, and health inquiry data that could potentially be cross-referenced to identify specific users' inquiries.
EA was breached, allowing hackers to get away with the source code for the new FIFA 2021 game. While no personal or player data was affected, according to reports, this is not the first time that hackers have managed to capture the source code of upcoming video games.
A tech contractor with the Department of Energy and National Nuclear Security Administration reported a data breach that occurred last month in which hackers exfiltrated undisclosed documents. Little information has been shared on the nature of the breached documents, but the NNSA helps manage the safety of the United States’ nuclear stockpile.
Sometimes, though, data breaches are not the result of malicious action but simply a common user mistake. Onewheel regretfully reported that when a new customer asked for the link to register his skateboard’s warranty, the support analyst instead emailed the inquiring customer a link to the customers’ responses to the registration form: a Google Sheet that included customer names, contact details, and home addresses.