Satykam Acharya, Director Red Team, Infopercept Consulting Pvt Ltd on offensive security and why it is important today.
English grammar is a comprehensive subject, and we have all faced a strict grammar teacher at some point in our lives. The typical attribute of a strict grammar teacher is that he or she is well trained in pointing out silly mistakes.
One thing adversaries and grammar teachers have in common is an eye for detail, which helps them find errors that would otherwise go unnoticed. While it is better for our careers when a grammar teacher catches our silly mistakes, in the cyber world the same mistakes can be lethal when adversaries find them. Adversaries capitalize on silly mistakes anywhere in the IT landscape to establish a foothold in a network, then move laterally to launch a sophisticated cyberattack.
At Infopercept, offensive security is one of our main offerings. Offensive security is a field of cybersecurity that focuses on security testing and training. Its main goal is to help organizations improve their cybersecurity posture by identifying vulnerabilities and weaknesses in their systems through ethical hacking and penetration testing.
While leading Infopercept’s offensive security, I have been lucky to act and think like an adversary, but for the improvement and benefit of the overall cybersecurity posture of our clients. Working on many such assignments, we have realized that organizations often make silly mistakes in their cybersecurity, which attract adversaries.
Hardcoded Credentials in Applications
While doing penetration testing for one of the largest banks in Mongolia, we started our task by downloading their internet banking mobile app from the Play Store. Penetration testing is an exercise in which our clients invite us to break their systems to check for vulnerabilities. Under this particular project, we were not given any information other than publicly available entities like their apps and website.
After downloading the app, we decompiled the APK file. When an application is developed, the original source code is compiled into an Android Package Kit (APK) file, a binary that runs on an Android device. Decompiling an APK file means reverse engineering it to extract its original source code. There are tools called ‘decompilers’ through which this can be done very easily.
To our surprise, we found hardcoded credentials in the APK file. With these credentials, we were able to log in to the app and download other users’ statements. This was just the initial foothold we needed, after which we could do many things with these credentials.
Hardcoded credentials are the silliest security mistake one can make. The term refers to login credentials embedded in the software program’s code itself. The simplest analogy is writing your ATM card’s PIN on the card itself: anyone who gets hold of the card can use it, because the PIN is right there on it.
To avoid this mistake, security must be practiced from the coding stage onward. Developers should store credentials securely, using methods like encryption and password hashing, rather than embedding them in the code.
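As an added illustration (not code from the engagement described above), a small scanner that flags string literals assigned to secret-like names in decompiled source, run over constructed Java lines. The `System.getenv` line in the sample stands for the alternative of loading the secret at runtime instead of shipping it in the APK; the identifier names and values are all made up.

```python
import re

# Constructed sample of decompiled Java (not from any real app). Line 4 embeds a
# secret in the binary; line 7 shows a secret loaded at runtime instead.
SAMPLE_SOURCE = """\
public class ApiClient {
    private static final String BASE_URL = "https://api.example.invalid/";
    private static final String SERVICE_USER = "svc_statements";
    private static final String SERVICE_PASSWORD = "Sup3rSecret!";
    private static final int TIMEOUT_MS = 3000;
    // Correct pattern: secret comes from secure storage at runtime, not from the APK.
    private String apiKey = System.getenv("API_KEY");
}
"""

# Heuristic: an identifier containing a secret-like word, assigned a non-empty
# string literal. A call such as System.getenv(...) does not match because the
# right-hand side does not start with a quote.
SECRET_ASSIGNMENT = re.compile(
    r'(?i)\b(?P<name>\w*(?:pass(?:word|wd)?|secret|api[_-]?key|token|credential)\w*)'
    r'\s*=\s*"(?P<value>[^"]+)"'
)


def find_hardcoded_credentials(source: str) -> list[dict]:
    """Return one finding per line that assigns a string literal to a secret-like name.

    The literal itself is deliberately not included, so the report can be shared
    with the client without copying the secret around.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = SECRET_ASSIGNMENT.search(line)
        if m:
            findings.append({"line": lineno, "name": m.group("name")})
    return findings
```

Like any pattern-based check, this will also flag harmless names such as `TOKEN_TYPE = "Bearer"`, so its output is a review list, not a verdict.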
Not Masking Credit Card Details Throughout
During our exercise with the same client, we found that they were not masking credit card information throughout their environment. Masking means rendering sensitive information such as the credit card number, expiration date, and security code unreadable or otherwise unintelligible.
Masking is the minimum best practice a financial institution should follow. However, this institution was not applying it throughout, and because of that we were able to brute-force the missing details (a trial-and-error method that recovers the complete value from the partial details available) and print credit card statements.
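Two defender-side checks for the point above, added here as an example and not part of the original engagement: a masking function that keeps only the last four digits of a card number, and a scan over constructed statement lines that reports where a full, Luhn-valid card number is still visible. Every value in the sample is made up.

```python
import re

# Constructed statement lines (not from any real bank): line 1 is masked as
# required, line 2 leaks a full PAN, line 3 is a 16-digit reference number
# that is not a valid card number and must not be flagged.
SAMPLE_STATEMENT = [
    "Card **** **** **** 1111  Balance 1,250.00",
    "Card 4111 1111 1111 1111  Balance 1,250.00",
    "Ref 1234567890123456  Posted 2024-01-05",
]

VISIBLE_TAIL = 4  # digits that may remain readable after masking


def mask_pan(pan: str) -> str:
    """Replace every digit except the last VISIBLE_TAIL with '*'; separators stay."""
    n_digits = sum(c.isdigit() for c in pan)
    out, seen = [], 0
    for c in pan:
        if c.isdigit():
            seen += 1
            out.append(c if seen > n_digits - VISIBLE_TAIL else "*")
        else:
            out.append(c)
    return "".join(out)


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit algorithm used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def find_unmasked_pans(lines: list[str]) -> list[int]:
    """Return 1-based numbers of lines that still contain a Luhn-valid card number."""
    hits = []
    for i, line in enumerate(lines, start=1):
        for m in PAN_CANDIDATE.finditer(line):
            if luhn_valid(re.sub(r"\D", "", m.group())):
                hits.append(i)
                break
    return hits
```

Running `find_unmasked_pans` over every channel that renders card data (statements, emails, support tools, logs) is how "throughout" gets verified rather than assumed.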
Core Application Code Available Publicly
Offensive security is often practiced by fintechs, and one of the largest fintechs in the Middle East approached us to do a red teaming exercise for them. Red teaming is an exercise in which a client hires us to carry out realistic attacks on their systems and help them discover vulnerabilities in their people, processes, and technologies.
We could easily download the entire source code of their application, as it was publicly available on their website. This was the worst possible place to have such information. We simply visited their website and downloaded the entire source code of their applications without any authentication.
From that source code, we were able to obtain admin credentials, log into the application, and gain access to their database, which led us to their personally identifiable data. This was akin to getting the keys to open any lock in the organization. We made them realize how much damage this silly mistake could have cost them had real adversaries accessed the information.
Just as in grammar, avoiding silly mistakes takes consistent practice. Organizations should adopt an “offensive first, offensive daily” approach to finding their silly mistakes. It is better that a red teamer finds your silly mistakes than an adversary.