Hacking your business partners (translation complete)

Hacking your business partners


by John Verry
Translated by endurer, first edition, 2005.10.22

English source: http://techrepublic.com.com/5100-1009_11-5889196.html?tag=nl.e101

Keywords: Security | Hacking | Databases | Database management

Takeaway:
When this security firm was asked to do an evaluation of an International Bank's systems, they didn't know that their techniques would take them from hacking the critical application, to hacking the Application Service Provider, to hacking another bank's hosted network.



Ethical Hacking is one of the most intriguing and exciting elements of our work at Pivot Point Security. A recent engagement for an International Bank took us a bit by surprise, as the level of security provided by an Application Service Provider to protect the identities of the bank's clients and hundreds of millions of dollars was notably less than one would expect. I'll show you the techniques that we used and how our efforts turned from hacking their critical application, to hacking the Application Service Provider, to hacking another bank's hosted network.


A call to arms

On a Monday morning in the not-too-distant past, we received a call from an Information Security engineer at a major international bank, which we will refer to as Bank Client (BC) from this point forward. An industry colleague who frequently worked with us in support of our projects (and vice versa) on network and security architecture had referred them to us. This was not a typical introductory call to vet our capabilities; this was a call to engage our services.

"We have a few concerns regarding the security of an application that is hosted by a third party on our behalf. How soon can you come on site and perform an Ethical Hack against the application?" he queried. Still surprised by the directness of the call, I offered, "I think we could get resources on site early next week."

He replied, "We were really hoping that we could get this done no later than the end of the week," reinforcing the urgency of the call.


"If it's that important I think we can move some personnel around and get there Thursday," I said quietly as I prayed that I wouldn't take too much grief from our project manager for reallocating his resources, but it’s not every day that an opportunity this intriguing rears its head.




"OK, let me confirm everything with our management," he said. "We’ll be in touch, shortly."


On Tuesday morning a signed purchase order rolled off our fax machine.


On Thursday afternoon we were on site for a project kick-off meeting in a conference room with carpeting so deep I dropped my pencil and decided not to bother looking for it.


Dinner and dessert

Judging from some of the titles of the individuals at the kick-off meeting (Chief Information Security Officer, Chief Information Officer, Sr. VP Auditing), we quickly surmised that their concerns were of a significant nature. Interestingly, they would not detail any specific concerns, and we spent the better part of the two-hour meeting discussing their business environment and the critical role of the application under review. After understanding that the application we were looking at processed billions of dollars of transactions on a daily basis, our interest in kicking things off escalated.


Since the application and supporting systems include interfaces to Federal Reserve Banks, we were advised that we could not begin Penetration Testing until after 6:30PM. We gladly accepted an invitation to grab a bite for dinner with the CISO and some of the other key team members on this project.


At 6:45 PM we were back from dinner.


At 6:55 PM we owned the hosted network. That is, we were the Domain Administrator for all of the hosted devices that made up the ASP-hosted solution (including redundant database servers, application servers, Domain Controllers, and the gateway router).


At 7:00 PM we owned the application and the database.


At 7:01 PM we jointly realized that we could transfer $100M+ between accounts with the level of privilege we had achieved. The BC Security Administrator monitoring our activities immediately halted our testing.


At 7:10 PM we were on a conference call with BC’s executives to discuss next steps.


I would like to tell you that our rapid success in this engagement was a reflection of the brilliance of our Ethical Hacking team, but that wouldn't be the truth. Unfortunately, our success was a reflection of the egregious security the ASP had provided on behalf of the client’s data. The next section outlines our techniques.



The means to an end (game)

A Terminal Services login screen that fronted the application greeted us after connecting across the VPN. The ASP intended for the user to authenticate to the Domain, but had actually left the option of allowing the individual to log on locally to the system by selecting it in the drop-down box. Selecting this option, under the assumption that local system security is usually weaker than domain security, we attempted to log in using the account "administrator" with a password of "password". Our second attempt was the combination "administrator"/"ASP" (where ASP was the name of the ASP). Sadly, we were local administrators on the box. To our sheer disbelief, we proceeded to find that every device on the hosted segment was using the same password.


In many cases, hacking the application and network devices is only a means to reach the ultimate goal, which is often the database. Therefore, we set our sights on the Microsoft SQL Server. Noting the incredibly low security we had encountered to date, we joked that it would probably still be running with the default administrator account (user "sa" with a blank password). Our level of astonishment continued to rise when we found we were indeed correct. Perusing the database, we noted that the clients included republics, corporations, and royalty.


Before you bail out of the article at this point to click on the "Add your comment" link and blast this as an absolutely unbelievable story, consider our intention. Detailing our compromise of a system that a secretary could have hacked does not provide us any true benefit. If we wanted to tout our capabilities, I would regale you with a VoIP hack inside a governmental agency or some other more compelling tale. This article is intended to raise the awareness of those readers whose business-critical data is in the hands of strategic business partners. Unfortunately, the level of security detailed in this narrative is 100% accurate.


Two for the price of one

The most compelling question asked during our conference call with management was, "Can another BC-client compromise our infrastructure, access our client data, and gain the ability to transfer funds, in the same way that you did?"


We jointly agreed that testing this scenario was critical, but were uncertain of the legal implications of the effort. We quickly convened a second conference call, which would include BC counsel and our counsel.


After considerable discussion with our respective attorneys, we reached a consensus that we would continue the ethical hack to ascertain whether another bank could potentially take the same actions that we did, but that we would make every effort practical to ensure that we did not breach another ASP client’s confidentiality.

With our foot already planted within the ASP infrastructure, we set out on behalf of BC to see if their data was at risk to another hosted bank. The ASP had done a good job of segregating their clients from each other. Via ICMP ping sweeps we could confirm the existence of duplicate infrastructures for dozens of other banks. We attempted to enumerate other clients’ hosted servers on the ASP network but to our disappointment, all we could do was ping them.


Fortunately, one of our Test Team members came up with the clever idea of writing and deploying a quick script that would feed periodic netstat output back to the console we were sitting at. Netstat is a Windows utility that displays active TCP connections and the ports a computer is listening on. We had noted several "interesting" ports that multiple systems were listening on, and our hope was that we might catch a connection in progress.

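The periodic-netstat idea described above, written out as a defender's detection check rather than the test team's script (this is an added example, not code from the original article): it parses successive `netstat -an` snapshots and reports the first ESTABLISHED connection from any remote host outside an allow-listed network, which is exactly the kind of unexpected peer the team was waiting for. The snapshot text, addresses and the 10.10.1.0/24 allow-list are constructed for the example.

```python
import ipaddress
import re

# One netstat line: proto, local, foreign, optional state (UDP lines have none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s*(\S+)?\s*$")

def parse_netstat(text):
    """Parse Windows `netstat -an` text into (proto, local, remote, state) tuples."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # headers, blank lines and 'Active Connections' do not match
            proto, local, remote, state = m.groups()
            conns.append((proto, local, remote, state or ""))
    return conns

def new_peers(snapshots, allowed):
    """Across successive snapshots, report each ESTABLISHED connection the
    first time its remote host shows up from outside the allow-listed nets."""
    nets = [ipaddress.ip_network(n) for n in allowed]
    seen, alerts = set(), []
    for snap in snapshots:
        for conn in parse_netstat(snap):
            proto, local, remote, state = conn
            if state != "ESTABLISHED":
                continue
            host = remote.rsplit(":", 1)[0].strip("[]")  # drop port, [v6] brackets
            try:
                ip = ipaddress.ip_address(host)
            except ValueError:
                continue  # '*' or a hostname, not an address
            if host not in seen and not any(ip in n for n in nets):
                alerts.append(conn)
            seen.add(host)
    return alerts

# Constructed sample snapshots (not real captures): the server's expected peers
# all live on 10.10.1.0/24; an SSH session then arrives from an unknown network.
SNAP1 = """  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING
  TCP    10.10.1.5:1433         10.10.1.20:49211       ESTABLISHED
  UDP    0.0.0.0:161            *:*
"""
SNAP2 = """  TCP    10.10.1.5:1433         10.10.1.20:49211       ESTABLISHED
  TCP    10.10.1.5:22           192.0.2.44:51007       ESTABLISHED
  TCP    10.10.1.5:22           192.0.2.44:51008       ESTABLISHED
"""
```

Feeding real snapshots in (for example, the output of `netstat -an` captured every minute) and alerting on the returned list gives a defender the same early warning the team used to spot the monitoring host's connection.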

After an hour or so, we observed a connection to one of the boxes we were watching from a network we were not aware of previously. Fingers crossed, we attempted to telnet to the newfound IP address, with no success. Our second attempt, to establish a Secure Shell (SSH) connection to the box, was more promising, as we were challenged for a user name/password combination. As you likely guessed, "administrator"/"ASP" put us on the box with root privilege.

It was a Linux system running Little Brother, an open source network monitoring tool that was monitoring all of the ASP's clients. We SSH'd from the Little Brother box, into another hosted bank’s network, and were not surprised to find that the "administrator"/"ASP" combination was in use on their hosted domain as well. In short order, we had confirmed that a malicious individual at any one of the dozens of banks hosted by the ASP could connect into another bank’s fund transfer system and move hundreds of millions of dollars across banks and accounts.



Caveat emptor

The technical briefing that closed the engagement with the client yielded one last surprise. The ASP had provided the client with a "clean" SAS-70 Type II Audit Report issued by a prestigious CPA firm. A SAS-70 is a widely recognized independent auditing standard that includes an in-depth audit of a service provider’s control activities, which include controls over information technology and related processes. Accordingly, BC had felt confident that their clients’ data would be well protected by the ASP.

Ultimately, even when an ASP or Business Partner cites independent validation of its security practices, the onus lies with you (the client/partner) to perform due diligence and due care to corroborate that the validation is accurate and relevant to your security requirements. Current regulatory requirements, including HIPAA, Sarbanes-Oxley, and SB-1386, mandate this due diligence/due care.

In most cases where we have been engaged to evaluate the effectiveness of a business partner's level of security, we have found it to be notably below that required by the client. Of recent note was a marketing firm that carried its database on its balance sheet as a $55M asset. We found that the data mining company it had engaged to improve its penetration into an emerging market sector had security practices so poor that we were provided an unencrypted copy of the client's database with little more than a spoofed e-mail.

Once again, the 2,000+ year-old maxim holds true. "Caveat emptor": let the buyer beware.
