Thinking Back
September 26, 2006 – 12:02 pm

So I was traveling to work today and got to thinking about past pen tests. One of my favorites popped into mind. It was maybe 6 years back; I was doing a test of a new DOTCOM property site set up by a large insurer. It always reminds me of why security in depth is so important.
We started the test of the site and did the usual footprinting and port scanning on day one, and found nothing major, just the usual port 80 and port 443 open for the web site. The site was running iPlanet/Netscape Enterprise at the time; nothing major, we thought. Day two is where it got interesting. We came in and decided to run the vulnerability scan; we fired that off, and it does a port scan first and then runs through the tests. Having done a port scan the previous day we didn’t expect much, just the web server. But we got a shock: the vulnerability scan started to come back with a whole bunch of ports, including Telnet, FTP, even Echo and Chargen. Then the vulnerability scan started to come back with vulnerabilities, and high risk ones at that.
A little confused, we double checked the previous day’s results against the ones we had just got, and yeah, there was a serious discrepancy. Before long we’d compromised all the web servers and database servers that supported the site; they were all running Solaris 8 and Solaris 7 in default installs, no patches, nothing… We checked with the client to let them know what was wrong and they came back puzzled; they were insisting there was a firewall protecting the servers, in fact multiple layers of firewall, they claimed. They went off to check with the company that managed the servers, the same company that had designed and implemented the solution for them.
The following day we got a call from the client; they had spoken to the third party and got the low down on what had happened. Firstly, there was a firewall: they were using a SunScreen firewall on Solaris running in a bridge configuration. At some point overnight between day one and day two the firewall service had crashed on all the firewalls, and as a result it had defaulted ‘open’. They didn’t know why the firewall had failed, but it seemed to do this every few hours and the service needed restarting to fix it, so their fix was to hack up a cron job to restart it every 6 hours.
Now, it seems the company that had built this mess didn’t secure or harden the systems for the site; they just installed software out of the box, put a firewall in front and badged it as secure… They should have known better: the company in question is one of the world’s largest IT companies, they had their own security consultancy, and they used to run numerous ads around that time promoting their ‘skillz’. This is one from around that time I think; there were a number of print ads too, and this is one I remember being used in taxis in London, though it seems to have been used in other printed media too…
All in all, a classic example of why you should have multiple layers of security for an environment, and why thinking you’re secure because you’ve got a firewall is just plain insane…
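The day-one versus day-two discrepancy above is exactly what a scheduled exposure check would have caught before a cron restart papered over it. As an added example (not code from the post), this Python script diffs a baseline scan against a fresh one in nmap’s grepable output format and flags any host whose newly reachable ports fall outside the expected web listeners; the hosts, addresses and scan lines are constructed sample data.

```python
import re

# Constructed sample scans in nmap "grepable" (-oG) format, mirroring the post:
# day one shows only the web listeners, day two shows the fail-open firewall.
DAY_ONE = """Host: 192.0.2.10 ()  Ports: 80/open/tcp//http///, 443/open/tcp//https///
Host: 192.0.2.11 ()  Ports: 80/open/tcp//http///, 443/open/tcp//https///"""
DAY_TWO = """Host: 192.0.2.10 ()  Ports: 7/open/tcp//echo///, 19/open/tcp//chargen///, 21/open/tcp//ftp///, 23/open/tcp//telnet///, 80/open/tcp//http///, 443/open/tcp//https///
Host: 192.0.2.11 ()  Ports: 21/open/tcp//ftp///, 23/open/tcp//telnet///, 80/open/tcp//http///, 443/open/tcp//https///, 1521/open/tcp//oracle///"""

# Only the web listeners are supposed to pass the firewall; anything else means
# the filtering layer is not doing its job (assumed policy for this example).
ALLOWED = {80, 443}

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*)$")


def parse_gnmap(text):
    """Map each host address to the set of TCP ports reported open."""
    exposure = {}
    for line in text.splitlines():
        m = HOST_RE.match(line.strip())
        if not m:
            continue  # comment lines and hosts with no ports are skipped
        host, ports = m.groups()
        open_ports = set()
        for entry in ports.split(","):
            # fields: port/state/proto/owner/service/rpc/version
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[1] == "open" and fields[2] == "tcp":
                open_ports.add(int(fields[0]))
        exposure[host] = open_ports
    return exposure


def fail_open_report(baseline, current, allowed=ALLOWED):
    """Return {host: sorted ports that are newly reachable and not allowed}.

    A non-empty result is the signal that the firewall has failed open; it
    is the check a restart job should be gated on, not a blind timer.
    """
    report = {}
    for host, ports in current.items():
        leaked = (ports - baseline.get(host, set())) - allowed
        if leaked:
            report[host] = sorted(leaked)
    return report


if __name__ == "__main__":
    for host, ports in fail_open_report(parse_gnmap(DAY_ONE), parse_gnmap(DAY_TWO)).items():
        print(f"ALERT {host}: unexpected ports now reachable: {ports}")
```

Run against a known-good baseline on the same schedule as the firewall restart and the alert fires on the first fail-open window instead of waiting for the next pen test.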
