
Penetration Testing (How to break into a bank)

How to Break into Banks – without Breaking the Law.

By Kumar Gaurav, B.Tech (E.C.E), New Delhi.

Greggory Peck’s nightmares began just days after he broke into the computer network of the Bank of Fubar. (The name of the bank has been changed.)

He was a new hire at KPMG, one of the world’s biggest accounting firms. Bank of Fubar was unhappy with security tests run by Peck’s predecessor, Vlad, a hacker who wore a vampire costume at work. Vlad is not the real name. I’ve changed it so I don’t have to worry about Vlad defacing a bunch of websites with a rant against me.

Peck’s manager said that Bank of Fubar was threatening to cancel their contract with KPMG. It was Peck’s job to deliver something better than Vlad the Hacker’s tests. All Vlad had allegedly done was to scan the bank’s firewalls with a commercial vulnerability detection program. This was a test almost anyone who could navigate a keyboard could have done. As Greggory recalls, “It was important to bring value to the client and simply providing such canned tests and reports was not substantiating the fees of conducting such an engagement.”

What Bank of Fubar needed to know was whether somebody could take advantage of its computer systems to exploit the clearinghouses that route money from one bank to another. If a criminal understood the Secure Electronic Transactions (SET) protocol, and were able to break into the bank's computer system where these transactions are carried out, it would be possible to steal a huge amount of money before anyone discovered the theft.

Relationship between Clearinghouses and the Secure Electronic Transactions (SET) Protocol

Figure 1: How the settlement system transfers funds from one bank to another through a clearinghouse (yellow oval).

When someone deposits a check at a bank different from the one used by the person who wrote the check, the payee's bank sends the check to the payer's bank. The actual transfer of funds is made through a settlement system. In the United States, the Federal Reserve (the FedWire service) and several private clearinghouses provide settlement services.

Then along came the Internet and ecommerce. In February 1996, Visa and MasterCard announced joint support of a new protocol, Secure Electronic Transactions (SET), for Internet credit card transactions. SET can operate in real time, which is essential for ecommerce, or where there are delays in the system, as in emailed transactions.

Automated Clearinghouse (ACH) transfers use a network of computerized processing centers, often run by the Federal Reserve, to transfer funds between ACH member institutions. ACH transfers take longer than FedWire transfers and do not make funds immediately available, but they cost less. ACH transfers may be returned, whereas FedWire transfers are final.

Under the rules of engagement for Peck’s test, he had to start with no inside knowledge of the Bank of Fubar. He also wasn’t supposed to run any exploit programs against the bank’s computers. And if, ahem, maybe by accident, he were to find himself inside one of their computers, “I was supposed to notify them the minute I got root.”

“I was barely old enough to drink,” recalls Peck. “There I was on the 28th floor of the Embarcadero #3 Building, overlooking the San Francisco Bay. I had a salary of $120K/year, corporate housing, and a laboratory with lots of tools.” It was his first big test in a dream job, “Something I would have done for free. Breaking into computers was my hobby.” It was a job he could lose if he played it safe.

He had two weeks to make his magic. “I wrote the penetration methodology and test from scratch.”

He began with reconnaissance, working from 9PM to 4AM every night, a time slot when his probes would be less noticeable. He determined what phone lines the bank owned and scanned them for rogue modems (war dialing). Nothing turned up. He ran whois and nslookup queries and teased out zone transfers with "host -l" against carelessly configured DNS servers, trying to enumerate computers hidden behind the bank's firewalls. Still he couldn't find a fault in the bank's defenses.
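The DNS step above is the one that most often pays off for an outsider with no inside knowledge: a name server that answers zone transfers hands over every name in the zone, including hosts that only have internal addresses. The following is an added example, not code from the article or from KPMG; it parses a constructed AXFR dump (the domain "fubar.example" and every address in it are made up) the way a tester would sift the output of `host -l fubar.example ns1.fubar.example` or `dig @ns1.fubar.example fubar.example AXFR`, and flags the names that leak RFC 1918 addressing.

```python
"""Pull hosts out of a DNS zone transfer (AXFR) dump and flag the ones that
leak internal addressing.

Added example, not from the original article.  The zone below is constructed
for illustration and "fubar.example" stands in for the bank's real domain.
In the field the dump comes from a name server that has not restricted
transfers, e.g.

    host -l fubar.example ns1.fubar.example
    dig @ns1.fubar.example fubar.example AXFR
"""
import ipaddress
import re

# Constructed AXFR output in the "owner ttl class type rdata" layout that
# `dig ... AXFR` prints.  A complete transfer is bracketed by the SOA record.
SAMPLE_AXFR = """\
fubar.example.           3600 IN SOA ns1.fubar.example. hostmaster.fubar.example. 2004010101 7200 3600 1209600 3600
fubar.example.           3600 IN NS  ns1.fubar.example.
fubar.example.           3600 IN MX  10 mail.fubar.example.
www.fubar.example.       3600 IN A   203.0.113.10
mail.fubar.example.      3600 IN A   203.0.113.25
ns1.fubar.example.       3600 IN A   203.0.113.53
intranet.fubar.example.  3600 IN A   10.20.30.40
wire-gw.fubar.example.   3600 IN A   10.20.31.5
dev-linux.fubar.example.  300 IN A   203.0.113.99
dev-linux.fubar.example.  300 IN TXT "personal box, do not touch"
fubar.example.           3600 IN SOA ns1.fubar.example. hostmaster.fubar.example. 2004010101 7200 3600 1209600 3600
"""

RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.*)$")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_axfr(text):
    """Return [(owner, rtype, rdata)] for every record line in an AXFR dump."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            owner, _ttl, rtype, rdata = m.groups()
            records.append((owner.rstrip("."), rtype, rdata.strip()))
    return records


def transfer_complete(records):
    """AXFR semantics: the zone starts and ends with its SOA.  Anything else
    means the server refused or cut off the transfer."""
    return (len(records) >= 2
            and records[0][1] == "SOA" and records[-1][1] == "SOA")


def enumerate_hosts(records):
    """Map each A-record owner name to its IPv4 addresses."""
    hosts = {}
    for owner, rtype, rdata in records:
        if rtype == "A":
            hosts.setdefault(owner, []).append(ipaddress.ip_address(rdata))
    return hosts


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def internal_leaks(hosts):
    """Names that resolve to RFC 1918 space.  Those addresses are only
    reachable from inside the firewall, so an external zone transfer that
    exposes them hands an attacker a map of the internal network."""
    return sorted(name for name, addrs in hosts.items()
                  if any(is_rfc1918(a) for a in addrs))


if __name__ == "__main__":
    recs = parse_axfr(SAMPLE_AXFR)
    print("transfer complete:", transfer_complete(recs))
    hosts = enumerate_hosts(recs)
    for name in sorted(hosts):
        print(f"{name:26s} {', '.join(map(str, hosts[name]))}")
    print("internal names leaked:", internal_leaks(hosts))
```

The fix on the defending side is to restrict transfers to secondaries only (in BIND, `allow-transfer { <secondary addresses>; };`) and to keep internal names in a separate, internal-only zone so that even a permitted transfer leaks nothing about the protected network.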

Next he scanned the perimeter of its networks, and there he struck gold, a computer running the Linux operating system. By now he had figured out that the bank did not use Linux for any of its systems. It had to be a rogue computer, and it was outside the bank’s firewalls. Further tests and probes confirmed that the computer was a rogue system which had been set up by one of the bank’s employees to host his personal website, vacation photos, and other information about himself, including pictures of the server sitting under his desk at his cube inside one of the bank’s buildings.

Peck thought for a few seconds, and what the heck. The rules of engagement couldn't apply to a rogue computer, right? Besides, if he were to break in, he could learn more about this maverick box, perhaps get kudos for foiling some dire scheme. Like most Red Team types, he wasn't about to wait until 9AM to confer with his customer.

Peck probed the Linux box further and identified several vulnerabilities. He found a matching exploit program on a hacker website, compiled and ran it. When he saw the pound sign prompt that meant he had spawned a root shell on the rogue box, he felt that same old rush that had been driving him since he was a kid breaking into electronic bulletin board systems. “It’s addictive,” he said.

Peck took screenshots to document the break-in and chronicled his activities in detail to provide a good set of work papers. He soon determined that this Linux box was simply a personal toy, and quite against the bank's rules. The culprit had made no effort to hide who he was, for inside, Peck found the name and address of the fellow who had set it up.

Next Peck looked for additional network interfaces. Sure enough, the Linux box was dual-homed, meaning it had two network interface cards (NICs). He quickly routed his traffic through the second NIC and discovered the bank's entire internal network spread naked before him. He had gotten inside the firewall. "It made me feel like an elite hacker," he said. "I was 22, expensive office." He spread his arms out like a Pentecostal preacher: "I had a head this big."
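A dual-homed box is the whole story here: the firewall was never touched, it was simply bypassed by a host with one foot on each side. The following is an added example, not code from the article; it shows the defender's counterpart to Peck's pivot, an inventory check that reads `ip -o -4 addr show` output from each Linux host (the interface names and addresses are constructed) and flags machines that sit on more than one subnet, especially one public and one RFC 1918 subnet. The pivot commands quoted in the comments (`ssh -D`, `net.ipv4.ip_forward`) are standard Linux and OpenSSH facilities, not anything specific to this engagement.

```python
"""Spot dual-homed hosts that straddle the perimeter, from `ip -o -4 addr show`
output collected on each machine.

Added example, not from the original article.  A box like the rogue Linux
server in the story has one NIC on a routable address outside the firewall
and another on the internal LAN.  With root on it an attacker needs no
exploit against the firewall: `ssh -D 1080 root@<rogue-box>` gives a SOCKS
proxy into the internal side, and with `net.ipv4.ip_forward=1` plus a route
the box becomes an outright router.  The defender's check is the reverse of
the attacker's pivot: find every host whose addresses fall in more than one
subnet, especially when one subnet is public and the other is RFC 1918.
Interface names and addresses below are constructed.
"""
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed `ip -o -4 addr show` output from the rogue box: one public
# address on eth0, one internal address on eth1.
SAMPLE_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 203.0.113.99/24 brd 203.0.113.255 scope global eth0\\       valid_lft forever preferred_lft forever
3: eth1    inet 10.20.30.77/24 brd 10.20.30.255 scope global eth1\\       valid_lft forever preferred_lft forever
"""

ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\d+(?:\.\d+){3}/\d+)")


def parse_ip_addr(text):
    """Return [(ifname, IPv4Interface)] for every non-loopback IPv4 address."""
    found = []
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if not m:
            continue
        iface = ipaddress.ip_interface(m.group(2))
        if iface.ip.is_loopback:
            continue
        found.append((m.group(1), iface))
    return found


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def attached_networks(interfaces):
    """Distinct subnets the host sits on.  Two NICs on one subnet is
    redundant cabling, not a pivot, so the set is keyed on the network."""
    return sorted({iface.network for _, iface in interfaces})


def is_dual_homed(interfaces):
    return len(attached_networks(interfaces)) >= 2


def straddles_perimeter(interfaces):
    """True when the host holds both a public and an RFC 1918 address:
    anything forwarded through it bypasses the firewall entirely."""
    kinds = {is_rfc1918(iface.ip) for _, iface in interfaces}
    return kinds == {True, False}


def forwarding_enabled(sysctl_output):
    """Parse the line printed by `sysctl net.ipv4.ip_forward`; a value of 1
    means the kernel is already routing between its NICs."""
    key, _, value = sysctl_output.partition("=")
    return key.strip() == "net.ipv4.ip_forward" and value.strip() == "1"


if __name__ == "__main__":
    ifs = parse_ip_addr(SAMPLE_IP_ADDR)
    print("interfaces:", [(n, str(i)) for n, i in ifs])
    print("dual-homed:", is_dual_homed(ifs))
    print("straddles perimeter:", straddles_perimeter(ifs))
    print("ip_forward on:", forwarding_enabled("net.ipv4.ip_forward = 0"))
```

Run this against the output gathered by configuration management or a login script on every Linux host; any machine for which `straddles_perimeter` is true deserves the same attention Peck's rogue server got, whether or not `ip_forward` is on, since an attacker with root can turn forwarding on in one command.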

The client was thrilled with Peck’s report. Although the owner of that rogue computer had meant no harm, it had opened up a highway into the bank’s most sensitive systems. If Peck could break into the bank through it, so could a criminal. Later, Peck demonstrated to the customer how easily an attacker could use that kind of access to transfer funds out of the bank.

However, after this success, Greggory Peck’s nightmares grew worse.

“At some point in each dream,” he said, “I figure out how much money it would take to make stealing it worthwhile, $10 million. Then I would plan to move somewhere that there was no extradition. And then in my dream I’m running a penetration test. It’s so real, I see my commands on the screen, and I’m breaking into a clearinghouse. I understand how it works, SET, that’s secure electronic transactions.”

“Right about the time I prepare to flee the country,” said Peck, “That’s when I always wake up. Sometimes that’s when, in my dream, I get caught. Then in my next dream I’m better, I don’t make the same mistake. But I always wake up before I get to dream that I’m living the high life. Often I’m drenched with sweat.

“Even when I’m awake I would get the temptation. I’ll think it through, step by step. You get a god complex when you’ve had several successes breaking into banks.”

... along with such detailed knowledge of various computer security methodologies. These include staying active in both commercial and federal research teams, where the labors of your efforts are recognized by your peers and personal gratification in your work is obtained.

He further removed himself from temptation by moving to the east coast and taking a job with a Washington, DC-area contractor protecting Department of Energy computers. In this role he evaluated Symbiot Security’s risk-based graduated-response appliance, essentially a device capable of automated strike-back and counterattack. Once configured, the appliance is fully automated, so the software’s strike-back capability runs without further operator action; enabling those features takes some training and a thorough understanding of TCP/IP networking.

One of Symbiot’s staff confessed to Peck that he was the one, back in July of 2001, who defaced a Defcon hackers’ convention website with faked photos featuring a hacker who used to wear a vampire suit.

Greggory Peck has now documented 10+ years of helping protect and defend both commercial and government sector clients. Today he has his own company, All Safe Computers, headquartered in Waco, Texas. According to his company's website, “All Safe Computers specializes in providing a full complement of IT Services to fit a variety of needs for both residential and business customers. This includes services for your PC or laptop, computer repair, computer networking, computer and network support & much more.”
