Summary of the Attack
So, let's put this all together. The attacker wanted to gain access to AMS's database. So, they found one of a handful of people who would be guaranteed to have full access to the data they desired: Dr. Smith. They followed Dr. Smith around and discovered that she used a public hotspot every day for about half an hour. The attacker then waited until a vulnerability was found for Internet Explorer, and injected an exploit into her browser using a freely available program called airpwn. This allowed the attacker to infect Dr. Smith's computer with a Trojan and a keylogger. Later that day, Dr. Smith took her laptop home and logged into AMS's network, all of which was captured by the keylogger. The customized Trojan allowed the attacker to connect to the infected computer, read the keylogger file, and log in to the corporate network via the VPN. Then, using the borrowed credentials, the attacker was able to connect to the database and download the records for 80,000 people.
The attack was made possible by three main issues. First, antivirus programs are not foolproof. The Trojan slipped through the cracks because it was customized and, as such, not recognized by the protection software. Second, using a public hotspot is dangerous. There are several ways for an attacker to hijack a connection or inject malicious content into it. Third, while there were complex security controls in place, the weakest link was a simple username and password, and these forms of credentials are often guessable or easy to steal.
Fortunately for AMS, the attacker was apprehended because they failed to notice a security camera at the ATM outside the coffee shop. In addition, the website that the data was posted to was within the United States and was quickly shut down. The logs for the web server were reviewed, and each person who had viewed the content was questioned. While it was still possible that the data could be leaked at a later date, AMS and the FBI were fairly certain that the breach had been plugged and the threat of identity theft was minimal.
But what if the attacker had gotten away with it?
Sunday, February 25, 2007
Cyrus Peikari and Seth Fogie, authors of the Informit security guide, explain the tracking and detection of a case of illegal access to a network, and how its entire customer database was obtained: