Penetration Testing: Why What You're Doing May Not Be Adequate Protection

By Special Guest
Adriel Desautels, CEO of NETRAGARD
  |  November 02, 2016

OurMine made headlines by accessing major social media accounts, taking Pokémon Go off-line with a distributed denial of service attack, and exploiting an authorization vulnerability in Mojang (among others). To date, their attacks have been nothing short of elementary and in most cases don’t even qualify as legitimate hacks. The question is: Do OurMine’s hacks represent poor technical capability, or do they represent a failure on the part of the security industry?

When investigating the compromise of Mark Zuckerberg’s Twitter account, Netragard found no evidence of a hack, despite the fact that a hack was widely reported. Instead, Netragard found that OurMine simply logged into the account using a password stolen during the 2012 LinkedIn breach. This is corroborated by a tweet that OurMine sent to Zuckerberg that reads: “Hey, @finkd You were in Linkedin Database with the password “dadada” DM for proof.”

When investigating OurMine’s access to the Twitter account of Shuhei Yoshida, the president of Sony Worldwide Studios for Sony Computer, Netragard found that the theme remained the same. No actual hack took place. OurMine apparently logged in using Yoshida’s stolen password.

The DDoS attack against Pokémon Go was only slightly more complex than the aforementioned Twitter account compromises. This type of attack does not require any advanced technical capability and can be carried out by anyone with sufficient motivation. The required tools are readily available for purchase on the dark web and, once purchased, allow an attacker to direct massive volumes of network traffic at a single target. This, in turn, saturates the target’s resources, rendering it unavailable and denying service to its users. While the attack is technically uncomplicated, it is highly effective, disruptive, and damaging.

Many security experts are critical of OurMine, almost to the point of mocking them, for their elementary attacks, but they fail to consider two important points. The first is that the attacks were successful despite their technical simplicity. The second is that the attacks did not need to be advanced, because the targets they compromised were exceptionally soft. Experienced hackers (ethical or malicious) will always take the path of least resistance. Why expend valuable resources on complex attacks when the most rudimentary methods, like password reuse, will suffice?

Netragard leverages this exact same password reuse vulnerability when testing its customers. Our team is often able to gather valid passwords from the dark web (just like OurMine did). These passwords provide a very effective method for gaining access to a targeted customer network under the guise of a legitimate user. During these engagements, if a customer fails to detect and respond to Netragard’s breach within 30 minutes, the chances of the customer being able to eject Netragard from the network are almost nil. When the engagement concludes, Netragard withdraws from the network and provides its customers with an effective defensive plan. The plan provides methods specifically designed to enhance incident response capabilities and to prevent hackers from breaching the network.
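Screening passwords against a known-breach corpus at password-set time is the direct defence against the password-reuse path described above. The following is an added example, not Netragard’s code or tooling: it models that check in Python with a constructed sample corpus (stored as unsalted SHA-1, the format in which the 2012 LinkedIn dump circulated), and the prefix-index lookup, function names and sample accounts are this example’s own assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed sample corpus (not real dump data). "dadada" is the password
# OurMine quoted in its tweet; the other entries are invented filler.
LEAKED_PASSWORDS = ("dadada", "password1", "linkedin", "123456")


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of the password as upper-case hex (the dump's format)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords) -> dict:
    """Index leaked hashes by their first 5 hex chars (k-anonymity style):
    a lookup service only ever receives the prefix, never the full hash."""
    index = defaultdict(set)
    for pw in passwords:
        h = sha1_hex(pw)
        index[h[:5]].add(h[5:])
    return index


LEAK_INDEX = build_range_index(LEAKED_PASSWORDS)


def is_leaked(password: str, index=LEAK_INDEX) -> bool:
    """Client side of the check: look up the 5-char prefix and compare the
    returned suffixes locally, so the candidate password never leaves the host."""
    h = sha1_hex(password)
    return h[5:] in index.get(h[:5], set())


def screen_accounts(accounts: dict, index=LEAK_INDEX) -> list:
    """Password-set hook: return the usernames whose proposed password is
    already in the leak corpus, so the change can be rejected before the
    password is hashed for storage."""
    return sorted(user for user, pw in accounts.items() if is_leaked(pw, index))


if __name__ == "__main__":
    # Constructed sample accounts; two of them propose leaked passwords.
    sample = {"alice": "dadada", "bob": "Tr0ub4dor&3-xyz", "carol": "123456"}
    print(screen_accounts(sample))
```

The same prefix-and-suffix split is how public breach-lookup services let a client check a password without disclosing it, so this layout can be swapped to a remote range query without changing the client logic.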

Businesses that process credit cards, like Mojang, Target, Sony, Home Depot, Ashley Madison, etc., are required to undergo regular penetration testing to comply with the Payment Card Industry Data Security Standard (PCI-DSS or PCI). Unfortunately, these standards (and others) do not define any realistic level of threat at which testing should be done. As a result, most penetration testing vendors deliver the minimum testing needed to satisfy regulations, which leaves major risks unchecked. We can safely assume that this is why OurMine so easily identified and exploited the authorization vulnerability in Mojang’s website. That vulnerability would have been identified if Mojang had undergone genuine rather than political penetration testing.

When we explore the high-profile breaches of the past decade (not just those related to OurMine), we find the same unfortunate truth. Every one of the breached businesses existed in a vulnerable state and maintained a dangerous false sense of security that contributed to its breach. That false sense of security was, in almost all cases, perpetuated by the security industry and associated with some form of regulatory requirement (like PCI). This is clearly illustrated by this quote from Gregg Steinhafel, Target’s former CEO: “Target was certified as meeting the standard for the payment card industry in September 2013. Nonetheless, we suffered a data breach.”

Business managers need to be made aware of the differences between genuine penetration testing and political penetration testing. While both classes of test play important roles in the industry, purchasing the wrong class can significantly harm a business.

Adriel Desautels is the CEO of NETRAGARD.

Edited by Alicia Young