9/25/2008 09:28 AM
Tiger Team Member Attacks Developers, Not Apps

Expert shows how he can get into a Web app without touching the application itself

Chris Nickerson can gain access to a Web application without ever touching it -- with just the right amount of reconnaissance, the so-called Tiger Team hacker can infiltrate the development team and compromise their machines.

“I can get into the application from the back side while on the outside, without touching” the app, says Nickerson, who gave attendees of the Open Web Application Security Project (OWASP) USA conference in New York today a taste of what he considers the big-picture cyber threats to organizations: targeted attacks for money or for corporate espionage. “Closing all the holes in a Web application doesn’t make you secure,” he says.

Most Web application security testing is focused on searching for vulnerabilities, he says, but that is not as comprehensive as his brand of tiger-team, or red-team, testing, which assesses physical and electronic security as well as social-engineering weaknesses. “Red teaming provides comprehensive testing.”

Nickerson, who along with colleagues Ryan Jones and Luke McOmie starred in the reality TV show Tiger Team that aired briefly on CourtTV, says the red team testing approach is more realistic for assessing the risks to an organization.

“Instead of spending time going through the application first, I figure out who the developers are,” he says. “If they have Twitter accounts, MySpace pages, personal email accounts, and phone numbers... I start profiling them. I can guarantee I will find code faster than those who are directly touching the code” looking for vulnerabilities. (See Pen Testing Goes Reality TV and The Perfect Jewelry Heist.)

Online developer forums are one of the first places to look, he says, because developers often post snippets of their code to get help from other developers.

“Going out to forums... you start to see the different flaws in the apps they’re trying to fix,” says Nickerson, who is CEO of Lares Consulting, which performs penetration testing, social engineering, red team, and other risk assessments for organizations. “And you can start manipulating the developer” online by posing as a helpful developer, but instead giving them fixes that give you inside access to their machine. “I’ll embed exploits into PDFs, etc.,” he says.

Attackers who really want to make money or gather information for industrial espionage aren’t likely to spend hours trying to find holes in a Web application, Nickerson observes. “They take the path of least resistance... They’re not going to spend 100 hours on an application when they can walk into the [victim’s] facility in two minutes and use their technologies... or flat-out steal them.”

You can find details about a member of a development team by pulling the metadata off a PDF file he posts online, for instance: the author, creator, and producer fields that document software fills in automatically can give away a username, a full name, and the tools the team uses. Or you can assess the physical makeup of the organization with Google Maps: “Are you on top of a hill? I can look at Google Maps and see that you have nine doors, and I can get into two of them,” he says. “We are testing all of these kinds of real-world vulnerabilities.”

After profiling the developers, a full-scope penetration test can be conducted, including client-side attacks and hijacking browsers. “If you can’t get in when testing the app, you can go on-site” and perform a social engineering caper -- use a USB U3 key to siphon user credentials, plant a sniffer on-site, or use other handy hacking tools.

The bottom line is gauging whether your organization has a culture of security or not, he says. “Even if you closed all the holes in your software, you did nothing for the security of your company” if someone can still walk through the door and gain access to your valuable data or assets, he says.

One of Nickerson’s clients, which he describes as a “well-known luxury brand,” learned that its main rival had assembled a team dedicated to finding out what his client had in the works. “They were all hackers... [Our client was] getting so concerned because they had found they were beating their ‘front door’ every day,” he says.

So Lares's client tried out a tiger-team honeypot method: it posted phony documents and PDF files with a fake username wrapped inside the metadata. Because that account existed nowhere else, any attempt to use it could only come from someone who had harvested the planted files. “Then they started seeing log-ins coming from that [phony user] account,” Nickerson says.
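The two halves of the document-metadata angle in this story, the reconnaissance step of pulling author details off a posted PDF (the Google Maps paragraph above) and the honeytoken trap the luxury-brand client set, as an added example; this is not code from the article or from Lares Consulting. It builds a small PDF whose /Info dictionary names a fictitious account (the constructed honeytoken `mthorne.build`), reads that dictionary back the way an attacker would, and then scans sshd-style authentication lines (constructed here, using RFC 5737 documentation addresses) for any attempt to use that account. It assumes the PDF keeps its /Info dictionary uncompressed in a classic `trailer << ... >>` layout and that the log lines follow OpenSSH's `Accepted ... for USER from ADDR` and `Failed ... for invalid user USER from ADDR` wording.

```python
"""Added example (not code from the article or from Lares Consulting): the PDF-metadata
reconnaissance described above and the honeytoken trap the client set, on constructed
input. The honeytoken account, the PDF and the log lines are all made up here."""
import re

HONEYTOKEN_USER = "mthorne.build"  # fictitious account that exists in no real directory

def encode_pdf_string(text):
    """Encode text as the body of a PDF literal string (surrounding parens excluded)."""
    raw = text.encode("ascii") if text.isascii() else b"\xfe\xff" + text.encode("utf-16-be")
    return raw.replace(b"\\", b"\\\\").replace(b"(", b"\\(").replace(b")", b"\\)")

def build_pdf(info):
    """Build a minimal one-page PDF whose /Info dictionary carries *info*."""
    entries = b" ".join(b"/%s (%s)" % (k.encode("ascii"), encode_pdf_string(v)) for k, v in info.items())
    objects = [b"<< /Type /Catalog /Pages 2 0 R >>",
               b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
               b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
               b"<< " + entries + b" >>"]
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_pos = len(out)  # the xref table records each object's byte offset
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R /Info 4 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objects) + 1, xref_pos)
    return bytes(out)

_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}

def decode_pdf_string(token):
    """Decode a PDF literal '(...)' or hex '<...>' string token to text."""
    if token.startswith(b"<"):
        digits = re.sub(rb"\s", b"", token[1:-1])
        raw = bytes.fromhex((digits + b"0" * (len(digits) % 2)).decode("ascii"))
    else:
        body, out, i = token[1:-1], bytearray(), 0
        while i < len(body):
            if body[i:i + 1] != b"\\":
                out += body[i:i + 1]
                i += 1
                continue
            octal = re.match(rb"[0-7]{1,3}", body[i + 1:i + 4])
            if octal:  # \ddd octal escape, e.g. \051 is ')'
                out.append(int(octal.group(0), 8) & 0xFF)
                i += 1 + len(octal.group(0))
                continue
            nxt = body[i + 1:i + 2]
            if nxt in _ESCAPES:
                out += _ESCAPES[nxt]
            elif nxt not in (b"\n", b"\r"):  # \( \) \\ and unknown escapes keep the char
                out += nxt
            i += 2
        raw = bytes(out)
    if raw.startswith(b"\xfe\xff"):  # UTF-16BE with byte-order mark
        return raw[2:].decode("utf-16-be", "replace")
    return raw.decode("latin-1")  # close enough to PDFDocEncoding for metadata fields

_STRING_ENTRY = re.compile(rb"/(\w+)\s*(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>)")

def extract_pdf_info(pdf):
    """Return the string-valued /Info entries of a PDF: the reconnaissance step."""
    refs = list(re.finditer(rb"/Info\s+(\d+)\s+(\d+)\s+R", pdf))  # last trailer wins
    if not refs:
        return {}
    num, gen = refs[-1].groups()
    objs = list(re.finditer(rb"(?<!\d)" + num + rb"\s+" + gen + rb"\s+obj\s*(<<.*?>>)\s*endobj", pdf, re.S))
    if not objs:
        return {}
    return {k.decode("ascii"): decode_pdf_string(t) for k, t in _STRING_ENTRY.findall(objs[-1].group(1))}

_AUTH_EVENT = re.compile(r"(?P<outcome>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")

def find_honeytoken_logins(log_lines, honeytokens):
    """Return each sshd-style auth event naming a planted account, failed attempts included."""
    wanted = {h.lower() for h in honeytokens}
    hits = []
    for line in log_lines:
        m = _AUTH_EVENT.search(line)
        if m and m.group("user").lower() in wanted:
            hits.append({"user": m.group("user"), "src": m.group("src"), "outcome": m.group("outcome")})
    return hits

# Constructed sshd-style lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_AUTH_LOG = [
    "Oct  3 02:14:07 vpn01 sshd[4121]: Accepted publickey for rjones from 198.51.100.23 port 50214 ssh2",
    "Oct  3 02:15:41 vpn01 sshd[4130]: Failed password for invalid user mthorne.build from 203.0.113.7 port 51234 ssh2",
    "Oct  3 02:15:44 vpn01 sshd[4130]: Failed password for invalid user MThorne.Build from 203.0.113.7 port 51234 ssh2",
    "Oct  3 02:16:02 vpn01 sshd[4135]: Accepted password for akim from 198.51.100.41 port 50300 ssh2",
    "Oct  3 02:17:30 vpn01 sshd[4140]: Failed password for invalid user admin from 203.0.113.9 port 41000 ssh2",
]

def plant_honeytoken_pdf():
    """The bait: a plausible-looking draft whose Author field is the honeytoken account."""
    return build_pdf({"Title": "Q3 Roadmap (DRAFT)", "Author": HONEYTOKEN_USER,
                      "Creator": "\u00c9diteur interne", "Producer": "Example Builder 1.0"})
```

Run `extract_pdf_info(plant_honeytoken_pdf())` to see what an attacker reads off the bait, then `find_honeytoken_logins(SAMPLE_AUTH_LOG, [HONEYTOKEN_USER])` to see the two attempts from 203.0.113.7 surface. The parser is deliberately minimal: many current PDF writers put the Info dictionary inside a compressed object stream or cross-reference stream, and keep richer data (full name, editing software, revision history) in an XMP `/Metadata` stream, so for real reconnaissance, or for checking what your own developers publish, use `pdfinfo`, `exiftool` or a full PDF library, and strip the fields before a document leaves the company. On the defensive side, the value of the trap is that the planted account is used by nobody, so a failed attempt is as strong a signal as a success; watch for the name wherever authentication is logged (VPN, web application, directory), not only sshd, and keep the bait names out of every real directory so the alert can never fire on a typo.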

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...