Help desks are supposed to be helpful – but only to company employees. However, a penetration tester was able to fool support staff at a Canadian police force into giving away a crucial piece of information, allowing the cops to be busted.
That was one of the lessons IT staffers learned Monday from a case study presented at the start of the annual infosec conference of the Ontario branch of the Municipal Information Systems Association (MISA) in Toronto.
The conference officially starts Tuesday and includes sessions on cloud security, risk management, machine learning, security awareness, hardening physical systems and ransomware. However, there were management training sessions Monday for CIOs and a deep-dive technical session, where the penetration test was discussed.
MISA has some 1,300 members from 150 municipalities across the province. Just over 220 people are registered for the event.
In an interview, three association directors said the agenda for this year’s conference reflects the current concerns of members: ransomware and employee security awareness.
April Towns, technology analyst for city of Barrie, said she hopes to pick up lessons from others at the conference on successful awareness training.
“We do social engineering awareness training,” replied Jamie Hagg, manager of information technology at the city of Peterborough, who oversees a staff of 25 (which not only covers the city but also its municipally-owned utilities). “Our IT security manager will send out phishing attempts to our end users; if they click they are then presented with an educational message, and there’s follow up. That’s a pretty useful tool. I think we’re seeing a decrease” in clicks.
He also tries to encourage employees to practice safe computing at home, hoping they’ll bring that attitude to the office.
What makes the conference valuable, said Towns, is understanding from municipal colleagues that “you’re not alone… We all face the same issues so it’s always nice to know that everybody else is dealing with the same things, too.
“It’s the contacts and the networking that you gain. We’re all willing to help each other.”
As for that penetration test of the police department, the case study was presented by Tyson Rauch, senior security specialist, at the Digital Boundary Group of London, Ont., who led the technical track.
He showed how attackers can use a number of tools to scan LinkedIn resumes for a list of names and job titles at a target, including email addresses and hashed versions of their LinkedIn passwords from a 2012 database of data hacked from the site. (Hint: If you haven’t changed your LinkedIn password in five years, do it now.)
After some sleuthing he was able to get to the police force’s email login page, which required not only a password but also a domain or user name. To get that he called the force’s help desk and pretended to be a sergeant working out of the office who didn’t have the domain name handy. The support staffer was convinced to help, perhaps persuaded by the name of an IT administrator he dropped into the conversation.
That was a breakdown in protocol, although, admittedly, it didn’t get him into the email system. Ultimately what did the cops in was Rauch’s discovery of the only login page not secured by two-factor authentication. Unfortunately, it led to network and application access. With some educated guesses exploiting weak passwords he was able to gain administration rights, perform remote code execution, add his own account to Active Directory, and then add that account to the Domain Admins group.
Overall, Rauch said, the police IT team had done a good job on security, and had it not been for the portal that allowed single-factor authentication he would have been locked out.
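The last step of that chain, a freshly created account being added to Domain Admins, is one a defender can catch in the Windows Security log. The following Python detector is an added example, not code from the article or from Digital Boundary Group; the event records are constructed samples shaped like Windows events 4720 (user account created) and 4728 (member added to a security-enabled global group), and the field names and the 24-hour correlation window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Field names mirror the common
# Windows Security event properties; every value here is invented.
SAMPLE_EVENTS = [
    {"EventID": 4720, "Time": "2017-10-23T14:02:10",
     "TargetUserName": "svc-backup2", "SubjectUserName": "helpdesk-ops"},
    {"EventID": 4728, "Time": "2017-10-23T14:05:41",
     "MemberName": "CN=svc-backup2,CN=Users,DC=corp,DC=local",
     "TargetUserName": "Domain Admins", "SubjectUserName": "helpdesk-ops"},
    {"EventID": 4720, "Time": "2017-10-20T09:00:00",
     "TargetUserName": "jdoe", "SubjectUserName": "it-admin"},
    {"EventID": 4728, "Time": "2017-10-23T16:30:00",
     "MemberName": "CN=jdoe,CN=Users,DC=corp,DC=local",
     "TargetUserName": "Domain Admins", "SubjectUserName": "it-admin"},
]

# Groups whose membership changes deserve immediate review (assumed list).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}


def _member_name(dn: str) -> str:
    """Pull the leading CN out of a member distinguished name."""
    first = dn.split(",", 1)[0]
    return first[3:] if first.upper().startswith("CN=") else first


def find_fresh_privileged_adds(events, window=timedelta(hours=24)):
    """Alert on accounts added to a privileged group within `window` of creation.

    In 4728 the group is in TargetUserName and the new member in MemberName.
    """
    created = {}
    for ev in events:
        if ev["EventID"] == 4720:
            created[ev["TargetUserName"].lower()] = datetime.fromisoformat(ev["Time"])
    alerts = []
    for ev in events:
        if ev["EventID"] != 4728 or ev["TargetUserName"] not in PRIVILEGED_GROUPS:
            continue
        member = _member_name(ev["MemberName"]).lower()
        added_at = datetime.fromisoformat(ev["Time"])
        if member in created and timedelta(0) <= added_at - created[member] <= window:
            age = added_at - created[member]
            alerts.append({"account": member, "group": ev["TargetUserName"],
                           "by": ev["SubjectUserName"],
                           "age_minutes": int(age.total_seconds() // 60)})
    return alerts
```

The long-standing account `jdoe` is ignored because its creation falls outside the window; only the account created minutes before its promotion is flagged.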
And that’s the other lesson: Two-factor or multi-factor authentication is vital on everything today.