True tales of (mostly) white-hat hacking

Stings, penetration pwns, spy games -- it's all in a day's work along the thin gray line of IT security

By Roger A. Grimes, InfoWorld |  Security

I was working at a well-known computer security company at the time, and we had been hired to perform penetration testing on an IP TV device that a large cable company was considering producing. Our mission was to find vulnerabilities in the set-top box, especially if any of those vulnerabilities could lead to stealing porn for free, posting porn to, say, the Disney channel, or leaking private customer or company information.

Two coworkers and I were set up in a computer room within one of the cable company's remote offices. Our attack targets consisted of two televisions, two cable modems, and two new set-top cable boxes (the intended testing target). We were connected to a cable TV broadband connection in such a way that no one else would know the difference between our setup and any normal customer. We then played porn on one TV and Disney movies on the other.

Three guys sitting in a room, hacking away, watching porn, and getting paid to do it -- life was good. The only thing missing was the beer. In short order, using a port scanner, I had found a Web server running on a high TCP port, in the neighborhood of 5390. I ran Nikto, a Web vulnerability finder, and it came up with a few false positives. But it also identified the Web server as something I had never heard of. A little research told me it was an open source Web server that had stopped being supported nearly a decade before.

I wondered how likely it was that an old Web server was patched against vulnerabilities that were common 10 years ago. My hunch was correct. I was able to access the set-top box using a simple directory traversal attack (such as http://..//..//..//). I was in as root and had complete control of the device. It was running an old flavor of BSD, which was full of vulnerabilities by itself. In short order, we were able to steal porn, steal credit card numbers, and switch the Disney channel out with porn. We had accomplished all our goals, only a few hours in.

Later that week I learned that my success with a directory traversal attack would find its way up to the cable company's CSO and beyond. I was invited to talk about my finding ahead of the official written report. Many of the company's bigwigs flew in for the meeting. When I asked why all the hullabaloo for something they could fix in the new set-top box, I learned that the same Web server and setup was being used in millions of existing cable boxes around the world. I did a scan of the Internet looking for the high TCP port and found tens of thousands of them awaiting anyone's connection and hacking attempt.


Originally published on InfoWorld |  Click here to read the original story.
Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Answers - Powered by ITworld

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Ask a Question