Pen Test Diaries: Last One In

Mike Sheward
45 min read · Mar 21, 2022


This story is part of the Pen Test Diaries series, you can read more about the series here.

Pentesting not your thing? Check out infosecdiaries.com for more real-life information security stories.

The cover of Pen Test Diaries: Last One In

Introduction

My name is Laura Knight. When I turned twenty-one, I got a job in the intelligence community, defending the United Kingdom from Internet-based threats. When I turned twenty-two, I determined I couldn’t afford to buy a house on a civil service salary, so I got a job in the private sector that paid me twice as much, to do pretty much the same thing.

I’m a penetration tester. I get paid to use my creativity and technical skills to break into web applications, networks, and even people. That’s right, people.

I also have to write reports detailing findings for those companies, so that they can improve their security posture, or you know, argue with me about the severity of a discovered issue.

In reviewing some of the reports I’ve written over the years, I realised that behind each of the findings there is a unique experience and a cast of characters that are part and parcel of a penetration testing engagement.

Penetration testing, when done right, is as bespoke a service as you’ll ever purchase. Your adversaries will study you in great depth. I will too.

It’s for this reason I’ve decided to share some of the stories of my engagements so that you can understand this business, its highs and lows, the challenges and victories, and of course the inherent stupidity that still plagues the world of information technology when it comes to securing things properly.

Oh, one more thing, information security, and penetration testing are among the most interesting subjects on the planet; I just hope that I do these topics justice in my own work.

Chapter One

Sliding my Nissan Micra into another hairpin bend on my way through the Welsh countryside, I feel like Colin McRae at the height of his career. Although, I doubt anyone spectating from the side of the road would agree with my assessment that I look like a world rally champion. Not to be deterred, wheels straight, power on, my 1.2 litre engine working its heart out, I’m back up to sixty for about half a second before I have to slam the brakes on to make the next corner. It’s not a bad way to spend a Sunday afternoon, in the grand scheme of things, but conversely, I’d most definitely rather be sitting on my arse doing nothing. You see, this is a classic compromise one must make in this line of work. I was trading most of my Sunday afternoon, which would otherwise be spent sat on said arse, for not getting up at stupid o’clock on Monday morning, to make this drive early.

The A44 had been my wiggly, windy companion for the last couple of hours, but now, I was approaching the end of my journey. My destination was a small village just outside of Aberystwyth. “Aber”, a Welsh town which itself was hardly a bustling metropolis, was ultimately where I’d be heading to meet my client in the morning, however, for tonight, I’d be staying at a bed and breakfast about 15 miles to the east.

This penetration test had been a relatively late addition to my schedule, the story being that the client’s IT manager had neglected to get it scheduled in time to meet a compliance deadline. A mad scramble ensued a couple of weeks previously to get something on the books, and as a result, I was now in Wales. That late addition to the schedule, combined with the fact I was out in the ‘middle of nowhere’, had meant a room at my favoured accommodation, the always predictable Premier Inn chain of hotels, was unavailable, and I’d have to make do with whatever the bed and breakfast had to offer.

My love of the Premier Inn was often the butt of many jokes back at the office, but when you travel a lot for work, consistency in your accommodation is high on the priority list. One thing you could always be sure of with a Premier Inn was the proximity of a pub, and as someone with a company credit card in my pocket, backed by lax accounting procedures, I’d frequently take advantage of this. I also enjoyed things such as doors that could be locked from the inside. It seems standard, but early on in my career, I stayed at a bed and breakfast in Oxfordshire, and let’s just say, it was clear that my room was normally occupied by a 17-year-old boy, whose parents kicked him out when guests came to stay. Sometimes, they forgot to tell him his room was occupied, and without a lock, he’d barge on in there. That happened, twice, during my stay. Since then, I’ve been extremely wary of such places, lest I should find myself unintentionally performing a striptease for a sixth former. I’d been sure to check, prior to my arrival this time, that my room would come with a lockable door, and I had been promised that it would.

Google Maps directed me to make the final turn down the dusty driveway that led to the bed and breakfast. A stone farmhouse, partially covered in ivy, I imagined it’d be the sort of place my parents would like to spend their time. I, on the other hand, was yearning for a cheeky Vimto and satellite television. Early indications were that I’d find neither here.

As I stepped out of the car, taking it all in, I thought to myself just how far removed this all was from where I thought my career in cybersecurity would take me. I thought I’d be spending most of my days in London, Birmingham, or Manchester, in fancy offices doing fancy pen tests on the latest and greatest tech. But no, I was on a farm, in North Wales, getting ready to spend a few days probing a network belonging to the Welsh government. I looked down to see an excited Border Collie brushing up against my legs.

“Well, maybe this’ll be ok”, I thought, petting him softly on the head.

I walked into the farmhouse, an action that triggered a series of lights and bells, similar to those you’d expect to find at a secure banking facility. In front of me a small makeshift reception desk, with probably one of the last remaining dot matrix printers in the United Kingdom sat atop it. Footsteps, coming from upstairs, were getting progressively closer.

“Coming!” A female voice called out from above.

An older lady emerged down some spiral stairs to the right of the desk.

“Prynhawn Da, my dear, Good Afternoon,” she said, flipping between Welsh and English as if to test the waters to see which language I’d respond in.

“Hello, Good Afternoon, Laura Knight, checking in for three nights,” I replied, in what was, for some reason, the most prim and proper English accent I’d ever deployed in my life. Perhaps I was just being sensitive to it.

“Hello Laura, welcome, we’re so glad you’re here!”

After the usual exchanging of pleasantries, including such standards as ‘is it your first time here?’ and ‘breakfast is served from 6 am to 6:15 am, if you wish to join us and be stared at the entire time’, I was handed the key to my room, and given instructions on how to negotiate the corridors to get there. When I say key, by the way, I mean “key”. This thing was a solid piece of iron, it probably weighed about 30 pounds. If any 17-year-old were to open the door on me during this stay, at least I’d have a deadly weapon that resembled the lead pipe from Cluedo at my disposal.

I had an important question for the lady at the desk.

“Do you have wireless internet I can use?”

“Oh no, dear. Most people who come up here want to get away from that type of thing, so we don’t have it available for guests. Just my husband, so he can pay the bills and gamble away the rest of our money on the horses,” she replied with a wry smile, which suggested that although she was mostly joking, there was also a small percentage of genuine annoyance thrown in.

“Oh, ok. Thanks.”

I moped off to find my room, knowing full well the first thing on my agenda would be breaking into that wireless network to get online. Life would be so much easier if people would just give me what I asked of them.

I entered the room using the key to the entire town of Aberystwyth. Upon first inspection, things were looking pretty nice. It was smallish but fine. I guess you might say ‘cosy’. There was no television whatsoever, which further solidified my desire to get online as soon as possible.

I threw my bag on the floor, grabbed my laptop, fired up Aircrack-ng, my preferred wireless testing suite, and began the process of sniffing around the wireless networks to see what I could find. Of course, being in the middle of nowhere, my targets were limited, there was only one network in range, and it was secured by Wired Equivalent Privacy (WEP), which meant in about 5 minutes, if that, I’d have the security key and would be happily online.

Was this ethical? Was this something that I, as a defender of cyberspace, a sworn whitehat, should be doing? Probably not, but likewise, I’m fairly sure operating accommodation in the twenty-first century without providing access to the Internet or a television was also unethical. Additionally, I mean, not that they’d know, but if you have WEP on a wireless network, I consider that as good as wide open anyway.

Aircrack-ng finished doing its magic on the WEP key almost as quickly as I’d justified using the tool in my head, and within a few moments, I was online, by way of a horrifically slow internet connection, but online, nonetheless.

I completed a cursory check of social media, to confirm that I was once again the most anti-social of all of my friends, checked the news, and then turned my attention to my work email, where I would find all the details about my Welsh government clients that I’d be visiting tomorrow.

The scope of work document told what was becoming an extremely familiar story. A divisional IT manager had been told to get a network assessment completed, to make sure things met the required government security standards, and if not, they’d need to be fixed. Pretty standard stuff, however, there was a spanner in the works, a spanner known as “Dissitio”. Dissitio was an IT outsourcing company that specialised in government work. Like many departments, my client had outsourced a great deal of their IT support and development tasks to them and had limited staff of their own. I assumed, based on the email thread in which he was the only direct government employee to be seen, the IT manager did less IT managing and more vendor relations work than he’d probably anticipated when he took the job.

I’d come across Dissitio before at another client and was not impressed. They were a giant company, and as such, when it came to people, prioritised quantity over quality. It was the type of place people would take their first IT job, screw up a bunch of stuff, and then leave. That said, I’d not found any huge security problems left in their wake, so that was reassuring.

Skimming the details in the scope of work, I was happy to discover that this would be my favourite type of test. One that would include both networks and applications. Essentially, I’d have free rein to dig around and find whatever security problems I could, without being extremely constrained to an unrealistic scope of work. You see, some folks like ‘box-checking’ penetration tests that allow you to focus on a very narrow area, which is highly unrealistic for the most part. Attackers wanting access to an organisation will go after it however they can, they won’t limit their focus to a specific application or network because it suits their victim. For the next few days, I’d be free to adopt the same mindset.

With everything on the table, and since I had nothing else to do, I decided to do some pre-test research. At this point, since the test had not officially started, I’d have to limit my activities to open source information gathering, or to put it another way, simply digging around on the Internet for information. I found the website of my client, the Department of Agriculture, and began clicking around to see what was out there. I stumbled upon a variety of different applications beyond the initial website. There were various hideous form-driven applications for applying for different things and doing other boring government tasks. I found the names of a few key employees, which I saved, just in case it would be useful later. I found an Outlook Web Access link, where employees could go check their email remotely — the usual fare for a government department. Recording all the domains and IP addresses I’d stumbled across in a text file, I expected I’d get to know the web servers they were hosted on from the inside tomorrow. I love having multiple perspectives on a target, it really helps you understand how networks are laid out, and how they can be exploited by malicious outsiders, and insiders.

Back on the main website, I noticed a post regarding Dissitio, which explained exactly what services they’d be providing for the department.

“Agriculture signs contract with Dissitio to provide IT support services and custom application development,” read the headline, providing further confirmation of the nature of their relationship.

Taking my open source digging outside of the confines of the website, I began to Google for ‘Dissitio’ and ‘Department of Agriculture’ to see what was out there. Alongside rehashed versions of the same blog post announcing the relationship, this time on the Dissitio website, I found something a little different. It was a news article, from what I assumed was a local paper, discussing the impacts of the contract.

“25 jobs to go at Department of Agriculture, as IT functions outsourced” read the headline.

“Oh, Great,” I thought to myself. The article was about six months old, and there is nothing quite like walking into a freshly gutted IT department to tell them all the things they are doing wrong.

The article was full of the usual bollocks government types say when they decide to bring in an outsourced provider. ‘Quality will not suffer’, ‘this is about getting value for our taxpayers’, etcetera. I’m sure the folks who lost jobs would probably disagree with the rationale.

I felt a little rumble in my stomach that disrupted my research. I was getting hungry. I would need to venture out in the car to god knows where to find something to eat, on account of not having an adjoining pub to stumble back from. It was time to explore. I shut my laptop lid, threw it under the bed, and grabbed the key of destiny. I figured if I’d head towards Aber on this fine Sunday afternoon, I’d at least find a kebab or something. After all, there was a university, so I knew there would have to be student food to sustain them all.

Walking down the corridor on my way out of the bed and breakfast, I came across a girl who appeared to be in her early teens passing in the opposite direction. She had the look of someone who’d been dragged to this place by her parents and was holding her smartphone up to the sky in an attempt to get the slightest trickle of mobile phone signal.

“I can’t believe they don’t have Wi-Fi,” she said, almost embarrassed that she’d be caught trying to connect with the outside world.

“Oh, but they do,” I said, recognising her pain. I beckoned for her to pass me the phone, which she did, in a remarkably trusting act. Remembering the WEP key I’d just entered on my own laptop; I connected her phone to the wireless network. “Remember, you didn’t get this from me,” I said, handing back the phone and smiling.

“Wow, no way — thanks! Thanks so much!” She said, ecstatically. I nodded and for a brief moment felt like the world’s coolest aunt.

I jumped back in the Micra and headed out on the open road once again. A vigilante wireless network hacker in search of sustenance, the world was my oyster. Well, this part of mid-Wales was my oyster, anyway.

Chapter Two

I was awoken by the sunlight glinting off of a plastic wrapper, which had encased a cheese and pickle sandwich purchased from a nearby Tesco Express the previous evening. I had set out last night with the greatest of intentions. I planned to procure warm food for dinner but ended up bored of driving around and simply pulled into a glorified petrol station for supplies. The aforementioned sandwich was accompanied by a bag of Monster Munch, and a Kit-Kat, which had served as dessert. In essence, I’d recreated a school lunch, but as an adult, so had washed it all down with a two-litre bottle of fruity cider, which might explain the mild headache I was now experiencing. This is glamorous work you see.

I glanced at the clock, and unsurprisingly, I’d missed breakfast by a couple of hours. I’d have to grab something on site, which was never a bad thing because if nothing else, it gave me an excuse to go wander around the location. Forcing myself to get out of the bed, which had turned out to be rather comfortable, I trotted towards the bathroom to begin my morning routine.

As I left the bed and breakfast, I realised I was walking behind the girl I’d liberated from her boredom with the wireless WEP key yesterday and her parents. She was, of course, glued to the phone and walking a few steps behind her family. Her dad turned around to bemoan her wireless use.

“Are you going to put that phone down? You’ve been on it for hours, I thought you couldn’t get a signal anyway?!” He said. Not wanting to get caught in any potential crossfire there, I slowed my walk, made an over the top ‘whoops I forgot something gesture’, and quickly dived back towards my room. I waited for a couple of minutes to be sure they’d gone before attempting to head to the car again. The fearless vigilante hacker who clearly had some fears, most notably at the present time, fear of someone else’s dad.

Clear of any other residents of the bed and breakfast, I successfully made my way to the car, and began the short drive down the road to Aber. The site I’d be visiting was on the main road in, so it did not involve any complex navigation to arrive. It was a modern facility, with a lot of glass walls, grey cladding, pristine areas of different coloured landscaping rocks that looked as though they were glued into place, and various imported shrubbery. I liked offices like this. I know they were designed to look the way they do to sucker people into staying at them to work for longer, but hey, if you’re going to be somewhere all day, better to be somewhere nice and modern, than some craphole.

I took full advantage of my ‘visitor’ status to park in a specially designated visitor parking spot close to the entrance and headed in. I was greeted by what appeared to be a 12-year-old boy on the front desk. I’m sure he was older, but he looked like he should’ve been studying for a maths SAT rather than signing people into a government facility.

I introduced myself and collected my visitor’s badge. Today, I decided to sign my name in the visitor log as ‘Tweetie Pie’. A call was made to my contact, the IT manager, a man named Aled Griffin, who emerged relatively quickly from a corridor off to the side of the desk.

“Hello Laura, nice to meet you, would you like some tea or coffee?” Aled asked, in a soft Welsh accent that was almost melodic.

As a general rule, if the first time we meet is before midday, and you offer me coffee, I’m probably going to like you.

“Yes, please, I’d love a Coffee!”

“There’s a cafe back this way, let’s go grab one and we can talk about what you’ll be doing while you’re here”.

Aled beckoned me down another corridor, it didn’t take long for the scent of coffee to hit my nostrils. As we were walking along the corridor, I noticed the first mention of Dissitio, the IT outsourcing company, in the building. It was on a poster advertising the first-line IT support phone number, which folks were to call if they had issues with their computers. I pointed it out to Aled.

“So, I see you’re a Dissitio shop then?”

Aled gave a little sigh.

“Yeah, they do a lot of our IT stuff now, a bit of a hot topic around here still. A lot of folks are still getting used to it all,” he replied. “No doubt you’ll be talking to some of their folks during your testing. I’ll walk you through how to handle them.”

We grabbed our respective coffees and sat down at a two-person table.

“So, what do you need from me to get going?” Aled asked. “As far as I’m aware you just need to plug in and start exploring the network, is that right?”

“Yes, pretty much,” I replied. “I’m planning on scanning the network, looking to see what applications are out there and will give them some more in-depth testing. Is there anything I should be extra cautious about when testing?”

“Not that I know of, I know the Dissitio folks are nervous about you poking around anything they’ve put out there, but it’s our network, so they’ll have to put up with it,” Aled noted. “They’ve built us a couple of apps. Including a Cattle birth tracking system, that is fairly new, you should definitely check that out.”

It was almost certainly going to be the first time I’d performed penetration testing on an app that was used to track the birth of cows or any animal for that matter. I searched around in my brain for some sort of cow and security related pun to get a read on Aled’s sense of humour but couldn’t come up with one. That annoyed me because I knew I’d be unable to stop trying to conjure one up the rest of the time I was on site.

“I can give you a list of domains for all the apps you should test. There are about a dozen unique applications that we host which I’d be very interested in getting reviewed from a security perspective,” Aled continued. “As far as I’m concerned, this test has been a long time coming”.

It was always refreshing to work with a client with that perspective. I certainly felt better knowing Aled was a supporter.

“I’m extremely glad to hear that,” I said, finishing up my coffee. “Well, I’m ready to get stuck in if you are”.

“Absolutely, I have a hot desk set up for you in a quiet area. Let’s go.” Aled replied, beckoning me away.

“Music to my ears, thank you,” I said gratefully. When pen testing, the last thing you want is to be squeezed on a desk surrounded by noise and other distractions.

I was led through a maze of corridors to an isolated desk with a power strip and a network cable. I was given directions to the nearest restrooms, kitchen, Aled’s desk, and was otherwise left to my own devices.

I got my laptop online, and within a few moments received an email from Aled. A spreadsheet was attached, which listed the promised URLs of all the target applications, as well as an IP address allocation spreadsheet.

As was typical, the internal network IP address space was divvied up between various virtual LANs, known as VLANs, which were used to keep traffic of similar classification on the same network segment. There was a VLAN for private servers, a demilitarized zone (DMZ) VLAN used for servers that were accessible to the public via the internet, an IP phone VLAN, and of course, a series of VLANs used by the various client computers in the organisation.

VLANs alone are not a security control, they are more of a traffic management tool for networks. In order to have a positive impact on security, access control lists (or firewall rules) on whatever routes between the VLANs have to define which traffic can pass from one to another, and those access control lists should be as restrictive as possible. Unfortunately, this isn’t always the case. It’s for this reason, one of the first things I like to do on a network like this is run a port scan.

Port scans take time to complete, which is another reason I like to kick them off as early as possible in an engagement. They can run in the background, while I look at other things. Technically, the way they work is by attempting a connection to each port on an IP address and noting which ones answer. A virtual game of knock-a-door-run, if you will.

Politically speaking, a port scan is essentially the first step in determining if the provided documentation is in any way, shape, or form accurate. Using a port scan, it’s possible to determine which types of hosts are on which VLANs, based on the nature of the services running on those hosts. If you find a host running a web application in a client VLAN, for example, it’s safe to say it’s probably in the wrong place. This happens just about everywhere, as new hosts are introduced to the network without going through the proper processes, and without ensuring that network switches are properly configured to deliver the right traffic to the right switch ports.

I, like most other people in this field, leverage Nmap as my port scanning tool of choice. Nmap is reliable and just gets on with the job. I copied and pasted the IP ranges from the spreadsheet provided by Aled into a text file, one network subnet per line, and directed Nmap to run a massive port scan of everything it could find in that file. Since I had no restrictions in my way, I was casting a wide net.
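The check described above, matching what a port scan actually found against what the allocation spreadsheet claims, is easy to automate. The following is an added example and not code from the story: it parses Nmap’s grepable output and flags any host that is either missing from the VLAN table or is answering on server-type ports from a client VLAN. The subnets, roles and scan lines are constructed for illustration.

```python
"""Compare Nmap results with a VLAN allocation sheet.

Added example (not from the story): parse Nmap grepable output (-oG) and
flag hosts whose open services do not fit the role of the VLAN they sit
in, such as a web server answering from a client-workstation VLAN. The
subnets, roles and scan lines below are constructed for illustration.
"""
import ipaddress
import re

# Constructed VLAN allocation table, one subnet per VLAN with its intended role.
VLAN_TABLE = {
    "10.10.10.0/24": "servers",
    "10.10.20.0/24": "dmz",
    "10.10.30.0/24": "voip",
    "10.10.40.0/24": "clients",
}

# Ports that suggest a host is serving something rather than being a workstation.
# SMB (445) and RDP (3389) are left out because Windows clients expose them too.
SERVER_PORTS = {21, 22, 25, 80, 443, 1433, 3306, 8080}

# Constructed grepable output, in the shape produced by something like:
#   nmap -sS -p- -iL targets.txt -oG scan.gnmap
SAMPLE_GNMAP = """\
# Nmap 7.92 scan initiated (constructed sample)
Host: 10.10.10.5 ()  Ports: 80/open/tcp//http///, 443/open/tcp//https///  Ignored State: closed (65533)
Host: 10.10.40.17 ()  Ports: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///
Host: 10.10.40.23 ()  Ports: 80/open/tcp//http///, 1433/open/tcp//ms-sql-s///
Host: 10.10.30.8 ()  Status: Up
# Nmap done (constructed sample)
"""

OPEN_TCP_RE = re.compile(r"(\d+)/open/tcp")


def parse_gnmap(text):
    """Return {ip: set of open TCP ports} from grepable output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        ip = line.split()[1]
        hosts.setdefault(ip, set()).update(int(p) for p in OPEN_TCP_RE.findall(line))
    return hosts


def vlan_role(ip):
    """Look up which VLAN role an address belongs to; 'unknown' if undocumented."""
    addr = ipaddress.ip_address(ip)
    for subnet, role in VLAN_TABLE.items():
        if addr in ipaddress.ip_network(subnet):
            return role
    return "unknown"


def find_misplaced(hosts):
    """Hosts that are undocumented, or expose server ports from a client VLAN."""
    findings = []
    for ip in sorted(hosts, key=ipaddress.ip_address):
        role = vlan_role(ip)
        server_ports = sorted(hosts[ip] & SERVER_PORTS)
        if role == "unknown" or (role == "clients" and server_ports):
            findings.append((ip, role, server_ports))
    return findings


if __name__ == "__main__":
    for ip, role, ports in find_misplaced(parse_gnmap(SAMPLE_GNMAP)):
        print(f"{ip}: role={role}, server ports={ports}")
```

On the constructed data only 10.10.40.23 is reported: a host in the client VLAN with HTTP and SQL Server listening, which is exactly the “web application in a client VLAN” case the text describes. A real run would point the parser at the `.gnmap` file written by `-oG` instead of the embedded sample.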

While the scan was running on the network side of things, I began the process of looking at the application URLs I’d been provided with.

The first application on the list was called ‘Eforms’. I connected to the application’s URL and was presented with a page that simply included the logo of my client, the Department of Agriculture, with no other content. I guessed that Eforms was probably used to host forms that were embedded in other websites, and as such, didn’t have anything of interest on its own base URL. In a new browser tab, I quickly googled the URL for the application, to see if I could validate my hypothesis and sure enough, I found links to a few dozen pages on the site. It became clear, this was a publicly accessible application that contained a variety of forms for applying for various services through the department. I picked a random link from the search results and was presented with some sort of feedback form.

I noticed the URL for this form ended with the file extension ‘.aspx’, which meant it was highly likely this application was built on Microsoft’s ASP.NET web framework and running on IIS on a Windows Server. For a government entity, this was an extremely common find.

I did a few checks to see how the form handled my input. In a new tab, I opened 10minutemail.com to generate a temporary disposable email address I could use with the form. When working with forms, you always want to see how they validate what you are telling them. For example, do they validate that all required fields are filled out properly, and do they do that on the client or server-side? If it’s done on the client-side, then validation can be bypassed — then what? Does that cause things to break and fail in an ugly fashion? Can you inject JavaScript, HTML, or any other type of code into the form that could lead to a cross-site scripting (XSS) vulnerability? It’s all about probing every possible interaction point to get a feel for how things are configured.

This form seemed to be well set up. It was validating server-side, properly encoding any of my attempts to inject JavaScript, and generally just being boring. Blargh. I was thinking of moving on to the next application on the list of URLs when I figured I should slow down and not give up so easily.

On any public website, I always take a moment to look for a ‘robots.txt’ file in the base URL. Robots.txt files are used to manage web crawler traffic. Essentially, you can use them to direct search engines to crawl, or not crawl, over a given directory on a website. Given that they can often list a bunch of places that the website owner doesn’t want the prying eyes of search engines, as a penetration tester, these are exactly the places my prying eyes are drawn to.

Eforms had a robots.txt file. It had one entry, “Disallow: /eforms_test”. Uh oh, could it be that there was a test version of the Eforms site on the same server? This little artefact seemed to suggest that because it demonstrated a desire to keep search engines out of the /eforms_test directory.

I quickly hit /eforms_test in my browser to see if anything was there. Bingo. ‘Everything’ was there. The server was misconfigured to allow me to explore the contents of this directory: directory browsing was enabled and there was no default document for the server to return instead. This misconfiguration can be dangerous, as it can allow an attacker to explore files that otherwise would not be exposed. In this case, the directory seemed to include a full-blown copy of the entire Eforms application.
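The two steps just described, reading robots.txt for places worth a look and recognising a directory listing when one comes back, are shown in the following added example, which is not code from the story. It works entirely on constructed strings (the host name and the IIS-style listing page are made up to mirror the /eforms_test case), so it sends no requests; in practice the `probe_urls` output is what you would fetch.

```python
"""Turn robots.txt into a probe list and recognise a directory listing.

Added example (not from the story): parse the Disallow entries from a
robots.txt, build the URLs to look at, and decide whether a fetched page
is a directory listing that exposes sensitive files. Everything is done
on constructed strings, so no requests are sent; the host name and the
listing page are made up to mirror the /eforms_test case.
"""
import re
from urllib.parse import urljoin

SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /eforms_test
Disallow: /admin/   # constructed extra entry
Allow: /
"""

# Constructed page in the shape IIS produces when directory browsing is on.
SAMPLE_LISTING = """\
<html><head><title>eforms.example - /eforms_test/</title></head>
<body><H1>eforms.example - /eforms_test/</H1><hr>
<pre><A HREF="/">[To Parent Directory]</A><br><br>
 3/1/2022  9:14 AM        &lt;dir&gt; <A HREF="/eforms_test/bin/">bin</A><br>
 3/1/2022  9:14 AM         2411 <A HREF="/eforms_test/default.aspx">default.aspx</A><br>
 3/1/2022  9:14 AM         1187 <A HREF="/eforms_test/web.config">web.config</A><br>
</pre><hr></body></html>
"""

# Phrases found in stock directory listings from IIS, Apache and Python's http.server.
LISTING_MARKERS = ("[To Parent Directory]", "Index of /", "Directory listing for")

# File names that should never be reachable under a web root.
SENSITIVE_SUFFIXES = ("web.config", ".env", ".git", "appsettings.json", ".bak", ".sql")

HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)


def disallowed_paths(robots_txt):
    """Paths the site owner asked crawlers to stay out of, comments stripped."""
    paths = []
    for line in robots_txt.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() != "disallow":
            continue
        value = value.split("#", 1)[0].strip()
        if value and value != "/":
            paths.append(value)
    return paths


def probe_urls(base, robots_txt):
    """Absolute URL for each disallowed path, with a trailing slash so the
    request is for the directory itself (where a listing would appear)."""
    return [urljoin(base, p.strip("/") + "/") for p in disallowed_paths(robots_txt)]


def looks_like_listing(html):
    """True if the page carries one of the stock directory-listing phrases."""
    return any(marker in html for marker in LISTING_MARKERS)


def sensitive_entries(html):
    """Links in a listing page whose names end in something sensitive."""
    hits = []
    for href in HREF_RE.findall(html):
        name = href.rstrip("/").lower()
        if any(name.endswith(suffix) for suffix in SENSITIVE_SUFFIXES):
            hits.append(href)
    return hits


if __name__ == "__main__":
    for url in probe_urls("https://eforms.example/", SAMPLE_ROBOTS):
        print("probe:", url)
    if looks_like_listing(SAMPLE_LISTING):
        print("listing exposed, sensitive entries:", sensitive_entries(SAMPLE_LISTING))
```

The marker list is deliberately small and string-based; a real check would also look at the response code and content type, but the three phrases cover the default listings of the common servers and keep the example readable.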

My eyes homed in on one particular file in the directory, ‘web.config’. In ASP.NET, the web.config file is an XML document that is used to store the configuration of the website and can sometimes contain sensitive information. It is not something that should ever be reachable from a browser.

I opened up the web.config file and knew I’d just landed my first finding on the test. The web.config file contained a connection string for a database, which included the username and password used by the application to authenticate to said database. Essentially, I’d just stumbled on a sticky note with secrets on it that had been left out in the open, the open in this case being a public webserver.

As I recorded the finding, I noticed something that hadn’t registered the first time I’d laid eyes on the connection string. The password used by the application to authenticate to the database was ‘Dissitio’.
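What the connection string gave away, and why the password stood out, can be checked mechanically. The following is an added example and not code from the story: it parses an ASP.NET web.config, pulls every connection string out of the `<connectionStrings>` section, splits each into its key=value parts, and reports which ones embed a cleartext password and what is weak about it. The web.config is constructed; the server, database and account names in it are made up, and only the password ‘Dissitio’ comes from the finding above.

```python
"""Pull database credentials out of an exposed web.config and rate them.

Added example (not from the story): parse an ASP.NET web.config, extract
every connection string, split it into its key=value parts and report
which ones carry a cleartext password and how weak that password is.
The web.config below is constructed; the server, database and account
names in it are made up.
"""
import re
import xml.etree.ElementTree as ET

SAMPLE_WEB_CONFIG = """\
<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="EformsDb"
         connectionString="Data Source=SQL01;Initial Catalog=Eforms;User ID=eforms_app;Password=Dissitio;"
         providerName="System.Data.SqlClient" />
    <add name="AuditDb"
         connectionString="Server=SQL02;Database=Audit;Integrated Security=SSPI;"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
</configuration>
"""

# Words a password in this environment should never be built from: vendor, client, app.
CONTEXT_WORDS = ("dissitio", "agriculture", "eforms")


def parse_connection_string(cs):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    parts = {}
    for item in cs.split(";"):
        key, sep, value = item.partition("=")
        if sep:
            parts[key.strip().lower()] = value.strip()
    return parts


def extract_credentials(web_config_xml):
    """One record per <add> under <connectionStrings>, handling both SQL Server key spellings."""
    root = ET.fromstring(web_config_xml)
    section = root.find("connectionStrings")
    records = []
    for add in ([] if section is None else section.findall("add")):
        parts = parse_connection_string(add.get("connectionString", ""))
        records.append({
            "name": add.get("name"),
            "server": parts.get("data source") or parts.get("server"),
            "user": parts.get("user id") or parts.get("uid"),
            "password": parts.get("password") or parts.get("pwd"),
            "integrated": parts.get("integrated security", "").lower() in ("sspi", "true"),
        })
    return records


def weak_password_reasons(password):
    """Reasons a cleartext password is weak; an empty list means nothing obvious."""
    reasons = []
    if any(word in password.lower() for word in CONTEXT_WORDS):
        reasons.append("built from the vendor or client name")
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    if not re.search(r"\d", password):
        reasons.append("contains no digits")
    return reasons


def audit(web_config_xml):
    """(name, user, reasons) for each connection string that embeds a password."""
    findings = []
    for rec in extract_credentials(web_config_xml):
        if rec["password"] is None:
            continue
        findings.append((rec["name"], rec["user"], weak_password_reasons(rec["password"])))
    return findings


if __name__ == "__main__":
    for name, user, reasons in audit(SAMPLE_WEB_CONFIG):
        print(f"{name}: cleartext password for {user!r}; weak because: {', '.join(reasons) or 'n/a'}")
```

The second connection string uses integrated Windows authentication and so carries no password at all, which is the shape you want to see. Where SQL authentication is unavoidable, ASP.NET can encrypt the section in place (`aspnet_regiis -pe "connectionStrings"`), and in any case the test copy should not be sitting under the web root and the exposed credential needs rotating, not just hiding.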

“Probably could’ve guessed that one,” I thought to myself.

My next step was to validate that the connection string I’d uncovered was still valid because, to give the developer the benefit of the doubt, this was potentially just something used for testing. I opened a tool called DbVisualizer, one of my favourites for exploring different types of database. I created a new connection based on the discovered connection string, and sure enough, I was able to gain access to the database behind the Eforms application, which included values submitted through those forms.

“Yikes,” I said aloud. “Well done guys, good one.”

It certainly seemed like our friends at Dissitio would be getting a slap on the wrist for that one.

A good early finding indeed. My adrenaline had kicked in off of it, and as a result, my mini hangover was barely registering at this point. Things were looking up.

“Laura,” said a voice from behind me.

I turned around to see Aled accompanied by another man.

“This is Mark Bell, he’s the site lead for Dissitio. I wanted to introduce you two.”

I stood up and shook Mark’s hand, he was probably in his early forties, with a goatee beard and a Manchester United tie.

“Nice to meet you, Mark,” I said.

“Hello Laura, nice to meet you, I understand you’re with the penetration tester?” He replied.

“No, she is the penetration tester,” Aled interjected.

“Oh right, sorry, well, yeah nice to meet you.”

I believed that Mark had just fallen into the age-old trap of assuming that I was in marketing or sales since I was female. If I had a penny for every time this happened, I’d have an awful lot of pennies. I gave him a quick glare, but honestly, I was still excited about my most recent finding, so I decided to let things slide more than I might otherwise have done so.

“Well, just by way of an introduction, I am in charge of all the Dissitio employees working here at the department, so if anything comes up in any of our systems that you find, and you think we should know about, feel free to let me know. Security is very important to us, so I think we’ll do extremely well on this test!” Mark continued, smugly.

“Nice, you should probably start by not storing your database username and password in the clear on a public webserver then,” I said, spinning my laptop around to show the finding. “And probably best if that password is not the name of your company.”

“Jesus Christ!” Aled exclaimed, raising his hands in an exaggerated motion as he did.

“Oh, erm, well that must’ve been an accident, something that was set up during development. That Eforms application is still pretty new, so..”

“It’s been four months!” Aled interrupted.

“Yes, of course, don’t worry I’ll get that fixed. Erm, Laura, is there going to be a report at the end of this with details?” A concerned Mark asked.

“Absolutely,” I responded.

“Great, well erm, yes, I can fix that quickly, so we can probably keep that out of the report, right?”

“Everything goes in the report,” I said sternly. “If you want, I can send you the details you need to tidy this up.”

“Please do — thanks!” Mark said. “I’m sure this was a simple mistake, and you’ll probably not find anything else like this, but let me know if there is anything else you think we should know about.”

“Will do, thanks!” I said with a smile.

By now, Mark was pretty red in the face, and turned around, presumably to rush and yell at someone to fix their sloppy web.config file, and maybe change a password or two.

“Not bad for the lady who is with the penetration tester,” Aled said with a wink, clearly having picked up on Mark’s earlier comment. We both smiled at one another.

“Keep doing what you’re doing, let me know if I can help,” Aled said, as he headed back to his desk.

I sat back down and checked on the progress of my Nmap port scans. They hadn’t finished but were plodding along nicely. That was fine, I was fairly sure I was going to find a few more poorly configured applications in the list to keep me occupied while they ran.

Chapter Three

The Cattle birth tracking application was also written in ASP.net. Unauthenticated, the only thing it did was present me with a login page. I was prompted for a username and password, under a picture of what I will say was a very cute baby cow. There was also an option to register for the application, but I had a sneaking suspicion that registering wasn’t going to be necessary. You see, this was a Dissitio application, and by now I knew how they operate.

I tried a few username and password combinations, including ‘admin’ and ‘Dissitio’, ‘administrator’ and ‘Dissitio’, before finally, on my third attempt, hitting the jackpot. The username and password were both ‘Dissitio’, which was of course, extremely predictable, and downright insecure.

Once in the application, I realised I had what appeared to be administrative level permissions. I could see details on user accounts in the system. This was clearly a backdoor account the vendor had created to allow themselves the ability to manage their application in production.

I was actually starting to get frustrated at this point. This was too easy. I felt like I was finding ‘low hanging fruit’ issues that were indicative of poor security culture, but not actually being able to stretch my mind technically. I wanted to spend some time going deeper. Not just to do something more interesting, but as a sort of insurance policy to quell my imposter syndrome that would likely rear its ugly head if I kept coming up with all these basic findings.

I wanted to see if it was possible to jump from the Internet-facing application to a host within the Internal network. I clicked on a user record in the application and was taken to a page that displayed user details. The page was suitably called ‘userdetails.aspx’. The page selected a user record by way of a GET parameter called ID included in the URL. I was looking at userdetails.aspx?id=162456, which referred to a user by the name of ‘Phylip Rease’. I decided to prod that GET parameter to see how it’d handle input that was not a number, so I added a single tick to the URL. In my address bar, userdetails.aspx?id=162456 became userdetails.aspx?id=162456’. I hit return, and the application responded with an ugly, highly detailed error message. These types of error messages, provided by Microsoft Internet Information Services (IIS), were called ‘verbose’ errors, and should normally be turned off in production as they gave away a bit too much information.

In this case, the error told me that on line 269 of the code behind this part of the application, there had been an error triggered by my simple single tick. It showed me a snippet of the code that had broken, and I knew instantly this application was in huge trouble. The ID parameter value, used to select the user record within the application, was being passed directly into a database query, without any form of sanitisation or checking to make sure it was a sensible value. In this case, “sensible” would be a numeric value, which of course, my single tick was not.

As a result of this poor practice, this application was at risk from a type of vulnerability called SQL Injection. A simple check to make sure that the ID parameter only contained numbers would’ve done the trick to prevent this, but the developers were too lazy, or simply unaware of the risks of not doing so. How much damage this could do depended on some configuration decisions that had been made on the database server, but it was not beyond the realms of possibility that it could be used to execute commands remotely, the holy grail of compromise for any malicious actor.
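The defect described above, in miniature, as an added example that is not Dissitio’s code or the original post’s. The real application was ASP.NET talking to SQL Server; here an in-memory SQLite database stands in so the script runs offline, and the table, its columns and the sample users are constructed. The vulnerable handler pastes the GET parameter straight into the query text, exactly as the verbose error revealed; the hardened handler checks that the parameter is a plain integer and then binds it as a query parameter, which is the check the text says would have done the trick.

```python
"""Added example (constructed for this page; not Dissitio's code or the
original post's). The real application was ASP.NET talking to SQL Server; an
in-memory SQLite database stands in here so the script runs offline, and the
table, its columns and the sample users are made up."""
import re
import sqlite3

# Constructed sample data; the first record mirrors the ?id=162456 lookup.
SAMPLE_USERS = [
    (162456, "Phylip Rease"),
    (162457, "Example Farmer"),
]


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (id, name) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, raw_id: str):
    """The anti-pattern from the story: the GET parameter is pasted straight
    into the query text. A trailing single quote leaves an unterminated string
    literal, so the database raises a syntax error, which is what surfaced as
    the verbose IIS error page."""
    sql = "SELECT id, name FROM users WHERE id = " + raw_id
    return conn.execute(sql).fetchone()


def lookup_user_safe(conn: sqlite3.Connection, raw_id: str):
    """Hardened form: check the shape of the input first, then bind the value
    as a query parameter so it can never be read as SQL text."""
    if not re.fullmatch(r"[0-9]+", raw_id):
        # Anything that is not a plain decimal integer is rejected here;
        # a web handler would turn this into a 400 response, not a stack trace.
        raise ValueError("id must be numeric")
    # The ? placeholder is SQLite's parameter marker (SqlParameter in ADO.NET).
    return conn.execute(
        "SELECT id, name FROM users WHERE id = ?", (int(raw_id),)
    ).fetchone()


def probe(raw_id: str) -> dict:
    """Run both handlers on the same input and report what each did."""
    conn = make_db()
    outcome = {}
    try:
        outcome["vulnerable"] = lookup_user_vulnerable(conn, raw_id)
    except sqlite3.Error as exc:
        outcome["vulnerable"] = f"database error: {type(exc).__name__}"
    try:
        outcome["safe"] = lookup_user_safe(conn, raw_id)
    except ValueError as exc:
        outcome["safe"] = f"rejected: {exc}"
    return outcome


if __name__ == "__main__":
    for candidate in ("162456", "162456'"):
        print(repr(candidate), "->", probe(candidate))
```

Running the script shows the two handlers agreeing on the legitimate ID and diverging on the single tick: the concatenating handler hands the database a broken statement, while the hardened one rejects the input before any query is built. Either half of the fix alone would have stopped the tick reaching the database; together they also keep the error path boring, which is what you want on a production server.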

I grabbed a couple of screenshots of my verbose error, and then using a SQL injection cheat sheet I had saved on my laptop, tried a couple of different injection patterns. A couple of tests revealed some interesting information about the database and confirmed the presence of SQL injection. The string, ‘userdetails.aspx?id=162456%27%20UNION%20SELECT%20username%28%29%20%20WHERE%20%271%27%20=%20%271’, showed me that the application was connecting to the database server with a username of ‘Dissitio_User’, which came as no huge surprise. Using similar strings, I was able to pull the exact operating system version and patch level the database server was running.

Fortunately, it seemed that the ability to execute system commands on the database server had been disabled, which prevented the worst potential impacts of this vulnerability from being realised, but it was clear it still needed some work.

It hit me that out of the two applications I’d looked at so far, both had horrific security problems. Directory browsing, secrets in an exposed web.config file, easily guessable usernames and passwords for administrative accounts, and now SQL injection. This was shaping up to be one of the more interesting tests I’d done in terms of findings, after all, I was just getting started.

Given that I’d already found significant issues with the Cattle birth registration application, I moved onto the next application on the list, which was simply labelled ‘VPM’, not ‘VPN’ as I had first thought when I skimmed it earlier.

I opened the application, which again was accessible via the internet, and was directed to a landing page for a piece of software called ‘Voyager Password Manager’. Clearly, this is where the abbreviation ‘VPM’ came from. This seemed to be a commercial product that was connected to the department’s Active Directory domain. It appeared to be a self-service portal that allowed authenticated users the ability to manage their Active Directory user accounts. For me, as an unauthenticated user, my only option was to log in via username and password, so of course, I tried the familiar combination of ‘Dissitio’ and ‘Dissitio’. This time, however, I wasn’t able to log in. I tried ‘Admin’ and ‘Dissitio’, and that didn’t work either. Next, I tried ‘Administrator’ and ‘Dissitio’ and got a different error; this time, I was unable to log in because the account was disabled. Disabling the built-in Active Directory Administrator account is considered a best practice, so I was surprised to see it being followed here based on my experiences so far.

One thing I’d noticed was that the URL for this particular page ended with the path ‘/VPM/User’. Knowing what I knew about how these folks liked to configure their web servers, I decided to see if I could traverse up a level to the directory ‘/VPM/’. I could, and once again, directory browsing was possible. Another web.config file was present, which I inspected, but fortunately found no sensitive data at this time.

“Thank God for that,” I said to myself, half expecting there to be some Active Directory credentials stored in an internet-facing file.

In addition to the /User directory that I’d just been in, I noticed a directory called /Helpdesk, which is where I headed next. Opening the directory link, I was taken to a page with a search box, ‘Search for user:’ read the label next to it. I typed in ‘Aled’ and hit return. The application spun for a second or two, and then returned details about Aled Griffin, including his job title, ‘IT manager’.

“Well this is weird,” I said, thinking out loud once again. “Bit of information disclosure there.”

I scrolled down the page a little and saw a button. It was labelled ‘Reset Password’. It was at this point that I figured out what this part of the application was for. It was designed to give the outsourced helpdesk folks the ability to remotely manage Active Directory user accounts. Of course, I still hadn’t authenticated to the application, so I assumed that I’d be asked to do so as soon as I hit the reset password button on Aled’s account. I hit the button, and no authentication prompt appeared; instead I was provided two input boxes, one to enter a new password, and the other to confirm my entry.

There was now just one more opportunity for this application to stop me, a completely unauthenticated, unprivileged user connecting to an internet-facing server, from seemingly resetting the IT manager’s password at will. Surely it would freak out when I entered a new password and prevent me from making the change?! I wasn’t sure if I should go ask Aled before attempting a password change on his account, normally I would, but I just couldn’t bring myself to believe that such a shocking misconfiguration and gaping security hole would exist on a government network like this, so I felt there wasn’t a need.

I generated a random, strong password, and pasted it into both boxes before pressing ‘change password’. The application paused for a couple of seconds, before returning a popup that read ‘password successfully changed’. I couldn’t believe it. I didn’t believe it! I’m not authenticated! This is an internet-facing server! I can’t just reset the password of any Active Directory account?!

I decided to return to the /Helpdesk page, with the search box. I searched for ‘Administrator’, and was shown the profile of the built-in domain Administrator account. This one had an extra button, above ‘reset password’, it was labelled ‘enable account’.

“No way. Just, no way.” I said aloud.

I hit ‘enable account’ and waited with bated breath. The application responded with ‘Account Enabled’. I hit reset password and changed the administrator password to another random strong password. Once again, ‘password successfully changed’.

I looked up and saw a workstation on a desk across from where I was working. The workstation was at the familiar Windows login screen. I ran across to the workstation, entered the username Administrator, and the password I’d just generated. The machine was slow, but sure enough, I was logged on as the built-in domain administrator. I had enabled the account and changed the password, all from across the public internet. Suddenly, the SQL injection finding didn’t seem that significant anymore. This was, by some margin, the single biggest security issue I’d found in my entire career. I couldn’t believe it. I needed to find Aled and have him pull this application off the Internet, as soon as possible.

Vaguely remembering the directions, I grabbed my laptop and ran to Aled’s desk. As I was about halfway there, I realised that I’d just screwed up my running port scans, but that didn’t matter.

“Uh oh, this doesn’t look good,” he said jokingly.

“It isn’t. It really isn’t.” I replied, slamming my laptop down on his desk. “Watch this.”

I walked Aled through how I’d discovered the /Helpdesk folder, and how I’d been able to reset both his password and that of the administrator account.

“No, that’s not possible, not at all,” he said in disbelief.

“Try that new password on your account, log out and log back in again?” I suggested as a way of proving that I had in fact made a very real change.

Aled did just that, and sure enough, we confirmed the new password that I’d set was valid.

“Shit,” he said, in just as much disbelief as I’d been. “This is bad, isn’t it? This is just…really bad.”

“Yeah,” I replied. “This is about as bad as it could be! How long has this password manager application been out there, exposed like this?”

“Six months, Dissitio deployed it early on,” he replied. “I’ll have them shut it down until we can figure out what is going on. Do you think that anyone would have used this to gain access?”

“I’d assume I’m the last one in using this vector, not the first,” I surmised.

I took the opportunity to take screenshots and document the finding while Aled ran around to various members of his visibly panicked team.

The reality for the department was that anyone could’ve had domain administrator access by way of this portal over the course of the last six months, and as such, what they needed right now was not a penetration test, but a forensics investigation to determine if that was, in fact, the case.
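As an added illustration of the forensics question above, not part of the original story: a first-pass triage over Windows Security log events of the kind a domain controller records when an account is created (event ID 4720), enabled (4722), has its password reset (4724) or logs on (4624). The sample events, the account names and the portal’s service-account name ‘svc_vpm’ are all constructed, and it is assumed that the portal wrote to Active Directory under a single service identity, which is exactly why changes made through it cannot be tied to any particular human, legitimate helpdesk work included.

```python
"""Added example (constructed for this page; not the Department's data or
the original post's code). Event IDs are the standard Windows Security ones;
every account name, timestamp and the portal identity 'svc_vpm' is made up."""
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security log event IDs (standard values)
ACCOUNT_CREATED = 4720   # A user account was created
ACCOUNT_ENABLED = 4722   # A user account was enabled
PASSWORD_RESET = 4724    # An attempt was made to reset an account's password
LOGON = 4624             # An account was successfully logged on

PRIVILEGED_ACCOUNTS = {"Administrator"}
PORTAL_IDENTITY = "svc_vpm"          # assumed service account the portal used
WINDOW = timedelta(minutes=10)       # how close two events must be to pair them

R_PORTAL = "change made under the portal identity; no human attribution possible"
R_PRIV_RESET = "password reset on a privileged account"
R_ENABLE_RESET = "account enabled and then reset within the window"
R_LOGON_AFTER_RESET = "privileged logon shortly after a password reset"

# Constructed sample events. 'actor' is the account that performed the action
# (for a 4624 logon, the account that logged on); 'target' is the account acted on.
SAMPLE_EVENTS = [
    {"time": "2022-03-14T09:12:03", "id": 4724, "actor": "svc_vpm", "target": "agriffin"},
    {"time": "2022-03-14T09:15:41", "id": 4722, "actor": "svc_vpm", "target": "Administrator"},
    {"time": "2022-03-14T09:16:02", "id": 4724, "actor": "svc_vpm", "target": "Administrator"},
    {"time": "2022-03-14T09:18:30", "id": 4624, "actor": "Administrator", "target": "Administrator"},
    {"time": "2022-03-10T22:41:10", "id": 4720, "actor": "svc_vpm", "target": "svc_backup2"},
    {"time": "2022-03-11T08:00:00", "id": 4724, "actor": "helpdesk01", "target": "jsmith"},
]


def _sorted_events(events):
    """Parse timestamps and return the events in chronological order."""
    parsed = [{**ev, "time": datetime.fromisoformat(ev["time"])} for ev in events]
    return sorted(parsed, key=lambda ev: ev["time"])


def triage(events):
    """Return a chronological list of findings worth a human's attention."""
    findings = []
    by_target = defaultdict(list)

    def flag(ev, reason):
        findings.append({"time": ev["time"], "target": ev["target"], "reason": reason})

    for ev in _sorted_events(events):
        by_target[ev["target"]].append(ev)
        if ev["id"] in (ACCOUNT_CREATED, ACCOUNT_ENABLED, PASSWORD_RESET) and ev["actor"] == PORTAL_IDENTITY:
            flag(ev, R_PORTAL)
        if ev["id"] == PASSWORD_RESET and ev["target"] in PRIVILEGED_ACCOUNTS:
            flag(ev, R_PRIV_RESET)

    # Sequence checks per account: enable -> reset, and reset -> privileged logon
    for target, evs in by_target.items():
        enabled_at = reset_at = None
        for ev in evs:
            if ev["id"] == ACCOUNT_ENABLED:
                enabled_at = ev["time"]
            elif ev["id"] == PASSWORD_RESET:
                if enabled_at is not None and ev["time"] - enabled_at <= WINDOW:
                    flag(ev, R_ENABLE_RESET)
                reset_at = ev["time"]
            elif ev["id"] == LOGON and target in PRIVILEGED_ACCOUNTS:
                if reset_at is not None and ev["time"] - reset_at <= WINDOW:
                    flag(ev, R_LOGON_AFTER_RESET)

    findings.sort(key=lambda f: f["time"])
    return findings


def accounts_to_review(findings):
    """Distinct accounts named in the findings, for the audit list."""
    return sorted({f["target"] for f in findings})


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["time"].isoformat(), f["target"], "-", f["reason"])
    print("review:", accounts_to_review(triage(SAMPLE_EVENTS)))
```

On the sample data the enable-then-reset sequence on the Administrator account, followed minutes later by a logon, is the pattern the story describes; the account created under the portal identity is the sort of thing Aled’s team later found and could not vouch for. A reset performed by a named helpdesk user is left alone, which is the point: with a proper authenticated portal every one of these events would carry a human actor, and the triage would have something to attribute.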

Aled confirmed the site had been taken down and brought Mark over to discuss the finding with me.

“Well that clearly is very concerning,” Mark said. “Of course, we’ll look into how that happened, but in the meantime, we need to get this site live again as quickly as possible, so the helpdesk can continue to support users, and meet our support level agreements. Aled, what do you need from us to feel confident about re-enabling the application?”

“Well Mark, how about, you have to be an authenticated user, and a member of the helpdesk team to reset anyone’s password? I think that might be a good start, right?” A clearly frustrated Aled responded.

“Well, even that won’t be enough now,” I interjected. “Who knows who’s had access via that system over the course of the last six months? My advice, you should perform a full audit of the domain, possibly bring in someone to help you look for evidence that any accounts have been compromised. It’s going to be very hard though since anyone could’ve taken the domain administrator account for a spin.”

“She’s right Mark, this is an extremely bad situation to be in. I need to go and discuss this with Gwen right now. Laura, Gwen is the assistant director of the department, my boss. I might need you to help walk her through the finding, and what the risk is,” Aled replied. “Mark, please go and make sure that people know VPM will be down for the foreseeable future. Laura, please write up a brief report on this issue and send it my way.”

I agreed and started back to my hot desk. I was still shocked at the discovery I’d just made, and decided I needed to share it with my boss, Tom Barley. I got out my phone and made the call.

“Hi Laura, is everything ok?” Tom said as he answered.

“Kind of, I just had to tell you about the finding I just made.”

I explained in detail the discovery of a helpdesk password management application, on the public internet, that required no authentication to reset the password for any Active Directory user, including the administrator account. Tom couldn’t believe it.

“There is no way, just, no way! That’s not real?!”

“Oh, it’s real Tom, I don’t know what to say, this is the worst thing I’ve ever found.”

“Well, awesome job, they’ll be glad you went there I’m sure!”

“Thanks, Tom!”

As I sat back down at the hot desk to write up my findings, I felt a presence behind me. It was Mark from Dissitio, looking expectedly stressed.

“Hi Laura, erm, the guys are working on the application right now, can we chat about a couple of things?” He asked.

“Sure, what’s up?” I replied, somewhat naively.

“So obviously this is a very embarrassing situation for us, and there will clearly be some fallout from all of it. I’m just wondering what you think the real risk is here. And also, is there any way, that perhaps, it doesn’t go in a report? Say we fix it before you leave, and can prove that no one gained access, at that point, I’d assume you wouldn’t have a need to report it, right?” Mark asked, in an extremely slimy fashion.

It was only a few minutes after the discovery of a massive screw up that placed an entire network at risk, and already, Mark was more focused on damage control for his company than fixing the issue. This pretty well confirmed everything I’d seen and heard about Dissitio to this point.

“I’m going to report on this Mark, we can’t ignore the fact that the integrity of the whole environment has been at risk for six months!” I retorted. I couldn’t believe this man’s attitude.

“Okay, understandable, thanks,” Mark said, sulking off.

I hoped that my dealings with Mark, and his company, would soon be coming to an end since so far, I’d not enjoyed them at all. However, my intuition told me they were only just beginning.

Chapter Four

I’d hastily written a summary report of the critical vulnerability in the Voyager Password Manager application, and sent copies to Aled, his boss Gwen, and CC’d Tom, my boss, to make sure everyone knew the full extent of this issue. Within a few minutes of sending the report out, I was summoned to a meeting in a conference room.

I was introduced to Gwen, who had short black hair and appeared to be a few years younger than Aled. Mark was also present, as well as another man.

“Laura, this is Adam, he’s a representative of our legal team. I’ve asked him to sit in on this discussion,” Gwen said.

“Nice to meet you, Adam,” I said, shaking hands. Secretly, I was reflecting on how I’d not been in many rooms with my client’s legal representation, so I was a little nervous, to say the least.

Mark received a text message on his phone and reached for a speakerphone in the middle of the conference room.

“Jackie is available, I’m going to dial her in,” he said.

“Very well,” Gwen said. “Jackie is Dissitio’s lawyer, Laura.”

“Ah,” I replied. “Er, do I need a lawyer?” I asked half-jokingly. No one else appeared to be in the mood to joke. I was a little alarmed.

The phone connected with Jackie and Mark gave a brief introduction to everyone in the room over the phone.

Gwen started the conversation.

“Everyone knows why we are here, earlier today a significant security problem was discovered, by Laura, and as I understand it, that security problem was introduced by Dissitio when they configured the Voyager Password Manager application, negligently...”

“Let’s not use words like negligent, Gwen, I don’t think this is the time to make those kinds of statements,” the voice on the phone interrupted.

For the first time, I realised just how tense a situation this was. I was concerned that I was about to be in the middle of two warring factions, and there were probably other things at play that I was not aware of. I felt deeply uncomfortable. I got into this business to make things more secure, not be a pawn in some sort of political back and forth.

“Ok, well, this security problem,” Gwen continued, “has placed the department at significant risk, and as I understand it, likely means we’re compromised. Is that right Laura?”

“Erm, yes absolutely. I mean if I could find this as quickly as I did, it’s worth assuming that someone else, with malicious intentions, could’ve,” I replied, feeling a bit ‘put on the spot’.

“So you’re making an assumption, you can’t prove anything?” The voice on the phone interjected.

“Erm, well, I haven’t investigated, I mean, that’s not what I’m here for,” I replied, sensing myself becoming more and more defensive in tone.

Fortunately, Aled jumped in.

“It’s not up to Laura to investigate this, she’s done her job excellently and highlighted a major security problem. The investigation needs to be done by myself, and Dissitio. If you ask me, until we can say for sure that every account in our domain is legitimate and secure, I think we consider ourselves deeply compromised.”

“I agree,” said Gwen.

“And obviously, any remediation work will need to be paid for by Dissitio,” Adam, who’d been quiet to this point, made sure to mention.

“That’s fine,” squawked the voice on the phone.

The back and forth continued, with Gwen once again riling up Dissitio’s lawyer by accusing them of incompetence, and suggesting that maybe they shouldn’t be trusted to remediate their own screw-up.

Then the topic moved on once again to how I’d proceed in the test. Would I continue testing the various applications on my list, now that I’d discovered such a significant problem? What about the report? Clearly, it would not read favourably for my client or Dissitio, and they seemed extremely concerned about who would have access to it. Typically, the reports were submitted to a central government agency for review, something that would likely be a disaster for Dissitio if it happened in this case.

Eventually, Gwen, Aled, and Adam, the three Department of Agriculture employees left the room to huddle outside, which awkwardly left me and Mark in the room, with Jackie, the other Dissitio employee on the phone.

“You know, security is a big focus area for us at Dissitio, Laura, and I’m sure this’ll only accelerate our plans in the space,” Mark said. “Not sure what sort of money you’re making right now, but I’m sure we could exceed it if you’d like to join us, and help us make all our apps more secure?”

“Erm,” I said, carefully considering how to respond.

“We could probably set you up with a leadership position right off the bat if that would interest you, that would come with a company car, private medical coverage.”

“Are you trying to bribe me with a job so I’ll go easy on you in the report I’m going to have to write on this? Because, that’s a little, sleazy, Mark,” I said sternly. “I’m surprised you’re asking me with your lawyer on the phone.”

“Oh no absolutely not the intent, just very impressed by your work.”

“Mmmm…,” I replied, unconvinced. I needed to get out of the room. “Excuse me.” I stood up and left, walking past the three Department of Agriculture employees on my way out.

“Sorry, getting a little too sleazy in there for my tastes,” I said. “Aled, what should I be doing here? Did you want me to continue testing, or did you want me to take a break while you figure this all out?” Ultimately, it was his call, but I really just wanted to get back to my quiet desk, where I could continue probing around the other applications on my list and maybe even restart my disrupted port scans.

“Yeah, I might be a little out of pocket as I deal with the fallout here, but feel free to carry on unless you hear otherwise,” Aled answered.

“Sounds good, I’ll come find you if I discover anything else critical.”

“Please don’t!” Aled said with a wry smile.

I felt for the guy, he seemed to have a great attitude, and I could tell he’d been dealt a pretty rubbish hand with the Dissitio arrangement. I made my way back to the hot desk where I’d been based for the morning. I needed to get back to doing what I came here for, penetration testing.

The next application on the list was a dairy quota management system. I began the familiar routine of probing around the site. Once again, I found verbose error messages, more directory browsing, another web.config file, and generally bad security hygiene. I had a feeling this was going to be an extremely long report. I wasn’t even halfway through the list of applications yet. I was just getting back into my rhythm when I was once again interrupted by a voice.

“Hi Laura, sorry to interrupt.” I turned around to see Adam, the lawyer who’d been in the conference room. “You need to suspend testing for the time being, sorry.”

“Oh, okay, erm will do,” I replied, surprised. I’d never been asked to stop a test I was in the middle of before. “Is everything okay?”

“Well, we’re having some issues with Dissitio,” Adam explained. “They’re making some legal threats, and asserting some rights concerning the tests you’re performing, so we think it best if you stop until we resolve the situation.”

“Wow, okay,” I replied. I got the sense things were escalating behind the scenes extremely quickly. “If only they put as much effort into securing things properly as they did legal threats, perhaps we wouldn’t be in this mess!”

“Quite. So no more testing until I give the green light, ok?”

“Sounds good, I suppose I’ll stand by until further notice then,” I said dejectedly.

This was such a bizarre situation, and I was very much at a loose end. Then, I remembered the cafe where Aled and I had met first thing. It seemed like the perfect place to take cover while the behind-the-scenes legal battle was raging.

I headed to the cafe and ordered a jacket potato with baked beans and cheese. I had just sat down to eat when I saw Aled walk in, he headed in my direction.

“Thought I’d find you in here, the jacket potatoes are good, aren’t they?” He asked.

“Very nice, how are things going? I heard I’m not allowed to test anymore. Am I being sued yet?” Again, I said half-jokingly.

“Not quite,” Aled replied. “We do have some bad news, however. We think we’ve identified some Active Directory accounts that shouldn’t be there, and we’re trying to figure out if they are legitimate or not.”

I wasn’t entirely shocked to hear that. When you open up your Active Directory domain to the public internet and allow anyone access to manage it, I’d say this outcome was to be expected.

“So, because we assume we’ve been breached, it’s unlikely that we’re going to need to continue the test. Honestly, we’ll probably have to burn a lot of this down and start again. That’s why Dissitio is so worried,” Aled explained.

“Well, I’m genuinely not sure what to do next. This has never happened before,” I explained. “I mean I can just call it a day if you don’t think I’ll be able to do any more testing today?”

Aled agreed that I could call it a day, but that I should try and come back on-site the following day, assuming that the all-clear to begin testing again would come. I felt odd.

“I’m sorry,” I said to Aled, which felt like a strange thing to say since all I’d really done is my job. “I mean, I’m glad I found this, but...”

“I know what you mean,” Aled said. “No need to apologise at all, you found something that was significant, and will clearly make us more secure when it is addressed. Thank you.”

As I left the building, I handed my visitor badge back to the small child on the front desk.

“Thanks, Tweetie Pie,” he said with a smile, referencing my earlier entry in the visitor log. I nodded back. That was probably the most security-aware thing I’d seen all day. Perhaps there was still hope for security at the Department of Agriculture.

Outside, as I headed to my car, I walked past a man smoking a cigarette in the drizzle. It was Mark, the Dissitio employee who I’d come to know so well. I nervously acknowledged him.

“See you tomorrow, hopefully I’ll have some less dramatic findings,” I said with a smile, hoping to break through the awkwardness that was very apparent.

“Yeah, sure. Thanks,” he replied in a muted tone.

As I continued to walk to the car, I heard a further comment uttered under his breath.

“Smug bitch.”

My heart began to beat several times faster. I was angry. Did I want to react? Or did I let it go?

“Screw it,” I thought to myself, remembering how I’d already allowed him one free pass earlier in the day. “I’m sorry? Did you say something?” I asked, turning around to face him.

“No,” Mark said, looking embarrassed that I’d called him out for his comment.

“Ok good, because I thought I heard you call me a smug bitch, which would probably not be something that ended well for you. No need to take an already extremely bad day, and turn it into something much, much worse,” I said with a smile. “Have a good afternoon!”

He just stared at me emptily as I continued towards the car.

“I’m sorry. I’m just fairly sure I’m about to lose my job because of this,” he called out as I walked away. I turned around to face him.

“Well, I understand why you’d be worried about that Mark, but it’s no excuse for personal attacks like that. I appreciate your apology, however.”

Emotions run high in situations like this, so although Mark was clearly not my favourite person, I decided to cut him some slack. I shouldn’t have, but I knew I would.

In the car, I decided to head down towards the town centre; I didn’t want to head back to the farmhouse just yet. I’d read that Aberystwyth had a nice beach, and despite the rain, after the way the day had gone down, some sea air and an ice cream seemed like a great way to take my mind off of the drama.

I wanted to give my boss, Tom, an update on the situation, and explain why I was leaving a little earlier than expected. I called using my hands-free kit. After providing a rundown, and explaining how bad I felt for Aled, and even telling Tom how I’d apologised for finding exactly what I was supposed to find, he offered some reassurance.

“This is a funny business Laura,” he explained. “We feel bad when we don’t find anything. We feel bad when we find something so obvious and horrific, it feels like it should have already been found. Remember, you’re a scientist using scientific, repeatable techniques to discover and report hard facts. That’s all there is to it.”

As he usually did, Tom had spoken a great deal of sense, and it made me feel better about things. I parked up and found an ice cream shop. Cone firmly in hand, I walked along the seafront, seagulls circling above me. I was trying to think of anything other than security, but my mind had me trapped in a loop.

I took a seat on a seafront bench, and a young seagull with a vested interest in my ice cream cone landed a couple of yards in front of me. As it so often does, my brain decided to put together a nerdy pun related to my surroundings.

“Seagull injection,” I thought to myself, making a play on SQL injection, the same type of vulnerability I’d found in the Cattle birth tracking system. Then I remembered, I never did come up with a cattle-based pun. This served as the perfect distraction. For the next few minutes, I sat, enjoying my ice cream, and trying to finally come up with that pun.

I used my tongue to push the ice cream down to the bottom of my cone so that I could be assured of ice cream to the very end, which is when it finally hit me.

“Moo-ti-factor authentication.” That was it. That was the pun. Much like my penetration test finding today, it felt too simplistic, like an easy way out, but additionally, just like the finding, it did the job, and that, my friends, is all that matters.

Epilogue

The next day, I got word that the Department of Agriculture decided to postpone the rest of the testing until they could get on top of their rather fundamental security problems. This ultimately meant rescheduling to a date a month later, which happened to be when I would be in Spain on holiday, so I never did go back to see my friends at Dissitio, at least, not at this client. I ran into them at a couple of other places and was able to confirm they had a penchant for using their company name as a password just about everywhere they were.

Ultimately, the Department of Agriculture decided to rebuild their domain, from scratch, since a forensic investigation could not determine beyond all doubt that it hadn’t been compromised.

Unsurprisingly, rebuilding the domain was the last project that Dissitio was involved in for the department. Their contract was terminated, and the department took a stance of only using in-house IT personnel to operate their development and support functions.

Mark, the Dissitio representative on-site at the department was reassigned to another government agency nearby. A new stomping ground for him to spread the Dissitio influence, I’m sure.

When it came to filing the final report, we made sure to include the details of the original critical finding of the Voyager Password Manager, along with a note explaining how it had subsequently been fixed. We wanted the report to be a record the Department could use when referring back to all the horrific security problems that Dissitio had introduced.

The Department did ultimately end up disclosing that they had been breached to the Information Commissioner’s Office, and our test report was included in the submission. A fine was issued to the Department, and since they couldn’t provide a solid answer about the possible scope of exposure, the fine was higher than it probably would have been if they’d had all the right auditing mechanisms in place.

A legal battle ensued, as the Department tried to hold Dissitio responsible for paying the fine. Ultimately, the courts decided that they shouldn’t be, and the department ended up footing the bill.

One thing we often say in this field — you can outsource the function, but not the risk, and this test was a perfect illustration of that in full effect.

Enjoy this story? Check out https://infosecdiaries.com.

Written by Mike Sheward

Information security professional specializing in SecOps, IR and Digital Forensics. Author of the Digital Forensic Diaries, and now, the Pen Test Diaries.
