7 – Walk-in

[the italicized section below is a security control from NIST SP 800-53]

Control: The organization controls all physical access points (including designated entry/exit points) to facilities containing information systems (except for those areas within the facilities officially designated as publicly accessible) and verifies individual access authorizations before granting access to the facilities. The organization also controls access to areas officially designated as publicly accessible, as appropriate, in accordance with the organization’s assessment of risk.

Guidance: The organization uses physical access devices (e.g., keys, locks, combinations, card readers) and/or guards to control entry to facilities containing information systems. The organization secures keys, combinations, and other access devices and inventories those devices regularly. The organization changes combinations and keys: (i) periodically; and (ii) when keys are lost, combinations are compromised, or individuals are transferred or terminated. After an emergency-related event, the organization restricts reentry to facilities to authorized individuals only. Workstations and associated peripherals connected to (and part of) an organizational information system may be located in areas designated as publicly accessible with access to such devices being appropriately controlled.

[the following is the PHA response to the security control described above]

Implementation: Physical controls include: locks and keys, combinations, badge access controls systems, guards, raised computer room floors, uninterruptible power supplies, smoke detectors, alarm systems, sprinkler systems, fire extinguishers, air conditioning systems and more.

Note – the defenders seem to have mixed in some environmental controls with the physical controls, but at least they are from the same family.

[the italicized section below is a security control from NIST SP 800-53]

Control: The information system prevents further access to the system by initiating a session lock that remains in effect until the user reestablishes access using appropriate identification and authentication procedures.

Guidance: Users can directly initiate session lock mechanisms. The information system also activates session lock mechanisms automatically after a specified period of inactivity defined by the organization. A session lock is not a substitute for logging out of the information system.
[the following is the PHA response to the security control described above]
Implementation: The system will use a 15 minute timeout to initiate a session lock with the Windows screensaver mechanism.

This will be consistently applied across the organization by using global policy settings.

NOTE – A corollary to this control is AC-12 SESSION TERMINATION which sets another timeout factor for ending an unattended session.

[the italicized section below is a security control from NIST SP 800-53]

Control: The information system enforces the most restrictive set of rights/privileges or accesses needed by users (or processes acting on behalf of users) for the performance of specified tasks.

Guidance: The organization employs the concept of least privilege for specific duties and information systems (including specific ports, protocols, and services) in accordance with risk assessments as necessary to adequately mitigate risk to organizational operations, organizational assets, and individuals.

[the following is the PHA response to the security control described above]

Implementation: PHA policy directs the IT Manager for the site to establish controls that separate duties to ensure least privilege and establish accountability. This process must be monitored and periodically updated.

D. Scenario (Walk-in)
Most public hospitals are open to the public and this creates special security issues. For the third vector, the attackers simply walked into the hospital and proceeded to penetrate network systems in a variety of ways. From previous experience, they knew that physicians’ work rooms pose a serious risk in most hospitals. Most hospitals provide their doctors with some kind of work room in which they can access the internet to search for medical research information and print it out. The typical work room has one or two networked printers in it and four to six workstations with network access. There is usually no security at the door to the workroom. The doctors walk in and sit down at the workstation and do their work, then leave and often leave the workstation logged in with their credentials.

The attackers’ basic plan was to walk into the hospital, proceed to the physicians’ work room, which had been located either by the Google general reconnaissance collection or by a previous walk around reconnaissance, and sit down at a system that had been left logged in by a doctor. In some cases, they used fake ID badges that matched the ones used by the facility; in other cases they included a white overcoat like the doctors wear. In none of the intrusion attempts was any attacker ever challenged or even spoken to, and in all facilities, the intrusions were successful. In about half of the attempts, a logged in workstation was available immediately, but in the rest of the attempts, it only took a 5-10 minute wait until a doctor left a workstation that was still logged in. The attackers reported that it was very rare to notice a doctor actually logging out of a workstation after using it.
Once the attacker was seated at a logged in workstation, they would usually insert a USB flash drive into a USB socket and begin executing tools from it. The first step was to run an information collecting batch file that dumped system and network information back to the flash drive in the form of text files. While the batch was running, the attacker would determine if the user account had administrative privileges by right clicking on the start button. If the popup window included “Open All Users” and “Explore All Users” the account had admin rights. If the account had admin rights, the password hash dumping batch file would also be run. In either case, the next step was to install a root kit and a collection of tools that would be hidden inside it. All of this activity normally took less than three minutes and often it was possible to move to another vacant workstation and repeat the process.

If the physician’s work room was too crowded or the attackers felt they had exhausted its potential, they would move on to other systems. There were also systems available in some public waiting rooms and even unattended systems in various parts of the hospital. It would be much riskier to sit down at a computer in some place like a nursing station, unless a good cover story was ready to be used, such as a technical support procedure or system updates that needed to be run. But in most cases, the attackers resorted to leaving a flash drive loaded with their tools just sitting nearby and counted on the hospital personnel to put it into the system for them. They were pre-configured to auto-play a program that showed the user some flash screens about hospital administration while it loaded the root kit and tools in the background, then deleted most traces of its activity, including scrubbing the tool files from the flash drive, so that any forensic investigation would not produce much.

The attackers also carried with them several hardware key-logger devices to be installed at the end of a keyboard cable. The key-logger is similar in size and appearance to the plug at the end of the keyboard cable and is installed by simply pulling the keyboard cable out of the computer, inserting the key-logger between the cable plug and the socket on the computer and reconnecting the keyboard. The process takes a few seconds. The key-logger records every keystroke typed on the keyboard and it can be dumped later. The attackers planned on returning in a few days to retriever the key-loggers and the data they held.

Most of the accounts that were used for access did not have admin rights, but eventually the attackers would find one that did, and then would dump the password hashes for later cracking. Pwdump is a utility that can extract password hashes from a windows system. It requires admin access to run. The current version is pwdump6 and it comes with a “wrapper” program called fgdump that makes it work more effectively. The fgdump wrapper adds the ability to stop then restart anti-virus software and also adds a cachedump tool. When you run pwdump successfully, it produces a text file output of the hashes that can be imported into most password cracking tools.

The attackers had already determined from the earlier google reconnaissance what brand of anti-virus software the defenders used and knew that it would recognize and automatically quarantine the pwdump.exe program normally used to extract and dump password hashes. They had tracked down an alternative version, PWDumpX.exe and tested it in their lab against current anti-virus DAT files. Since the alternative version was a re-write of the more widely known code in the original pwdump, the existing signatures did not recognize it.



[PWDumpX running – note – the attackers lab could have easily produced many such variants themselves]

The walk-in attack team had also volunteered to help the wireless attack team by installing some rogue access points. When they found a network port that would respond without requiring any authentication (and that was nearly all of the ports tested) they plugged in a wireless access point and turned it on. The team had debated whether or not to attempt to conceal the equipment by taping it underneath tables, but in the end decided to simply leave them out in plain site, under the assumption that most people would not touch a piece of computer equipment that they knew nothing about. This strategy apparently worked, because all of the rogue access points remained in operation throughout the penetration.

A variety of simple consumer equipment was used, so that each rogue had a different appearance, but they were all selected for use because the wireless radio card inside could either be set to extra channels beyond the standard eleven channels licensed for use in the U.S. or they could be flash updated to accommodate that feature. In Europe and Japan, channels 12 and 13 are also allowed and in Japan only, channel 14 is allowed. The rogues were all set to channel 14 to make it more difficult for any rogue hunting defenders to find them.

Leave a Reply

You must be logged in to post a comment.