
Access And Hacks

by msecadm4921

Mike Pedersen, Director at Proseq AS (www.proseq.net), examines just how secure conventional access control solutions really are, and how using basic internet hacking techniques could disable a complete office block.

Over the last ten years, great strides have been made in the field of corporate access control. Today, a whole Company, encompassing buildings located throughout the World, can be controlled by a central server communicating with a number of distributed panels. These are then used to control ingress and egress through doors, lifts and car parks, using a variety of reader technology. Naturally, the access control sales person will eulogise about the benefits of a single PC, with access to a server that can control a whole organisation. In reality, of course, this is just what a hacker needs to know.

The natural drive in access control product development is to make the software as functionally rich as possible. Often described as multi-functional, the cards or badges used to open doors can also be deployed for computer access, cash transactions and personal identification. The focus of the development process is to make the system simple to use, requiring little training, and capable of managing the whole enterprise. With the correct privileges, a security guard can open and close a door to the bullion room from the other side of the world. Or, by altering certain parameters, all the workers of a whole corporation can be locked in or out.

While physical access control systems have developed to meet the material security needs of major companies, the systems and solutions offered have not kept pace with Internet and network security issues. This is especially true of the threats and vulnerabilities that hackers can easily expose. Of course, it’s true to say that hackers can equally find back doors into your system through any number of other IP addressable devices that happen to be connected to your network.

According to the US Federal Bureau of Investigation website: ‘it is only a matter of time before organised crime identifies how easy it could be to open a bank without ever being near.’ Since writing this sentence a few weeks ago, the FBI has now issued a warning statement, which is reprinted later in this article. Let’s look at the simple issues first, some of which could be easily and swiftly corrected.

All access control software has security access protected by a password. Using the correct password activates user privileges that are assigned to the system. Often, those system passwords are stored unencrypted, in simple databases such as Microsoft Access. These are frequently held on a server, but more often on a local PC. These passwords are readily available to most hackers, using a variety of standard hacking techniques. As passwords will also be required on the servers that control access to the doors, immediate action needs to be taken, if close examination reveals any password storage and retrieval issues.
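One way to correct the password storage issue described above, shown as an added example that is not part of the original article or any vendor's code: it replaces plaintext operator passwords with salted PBKDF2 hashes. SQLite stands in for the desktop database, and the table, column names, sample accounts and iteration count are assumptions.

```python
import hashlib
import hmac
import secrets
import sqlite3

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed setting)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def migrate(db: sqlite3.Connection) -> int:
    """Replace every plaintext password with a salted hash; return rows changed."""
    rows = db.execute(
        "SELECT name, password FROM operators WHERE password IS NOT NULL").fetchall()
    for name, plaintext in rows:
        salt = secrets.token_bytes(16)           # unique salt per operator
        db.execute(
            "UPDATE operators SET salt = ?, pw_hash = ?, password = NULL WHERE name = ?",
            (salt, hash_password(plaintext, salt), name))
    db.commit()
    return len(rows)


def verify(db: sqlite3.Connection, name: str, attempt: str) -> bool:
    """Check a login attempt against the stored hash in constant time."""
    row = db.execute(
        "SELECT salt, pw_hash FROM operators WHERE name = ?", (name,)).fetchone()
    if row is None or row[0] is None:
        return False                             # unknown or unmigrated account
    return hmac.compare_digest(row[1], hash_password(attempt, row[0]))


def sample_db() -> sqlite3.Connection:
    """Constructed sample data: two operators stored the insecure way."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE operators "
               "(name TEXT PRIMARY KEY, password TEXT, salt BLOB, pw_hash BLOB)")
    db.executemany("INSERT INTO operators (name, password) VALUES (?, ?)",
                   [("guard1", "Winter2001"), ("admin", "letmein")])
    return db


if __name__ == "__main__":
    db = sample_db()
    print(migrate(db), verify(db, "guard1", "Winter2001"), verify(db, "guard1", "guess"))
```

After migration a copy of the database file no longer yields usable passwords directly; each guess costs the attacker a full PBKDF2 computation per account.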

In the past, security companies used proprietary hardware and, often, proprietary communications, both to collect data from card readers and to verify and acknowledge cardholders. The falling cost of PCs, together with their increased functionality, has allowed most vendors to use a single board PC with a variety of interfaces to drive the readers. These PCs are still called controllers, for marketing purposes, and are boxed in a similar way to the original controllers. These controllers communicate over enterprise LANs and WANs using TCP/IP protocols, identical to those adopted throughout the Internet. Internet users can therefore deploy tried and tested Internet hacking tools, which can be adapted to gain control over access control systems, with only a slight learning curve. As a simple example, every PC has its own security issues, one of which is the inclusion of over 65,000 Internet Protocol ports, used for a variety of services. Ports which are not used for communications or security related services should be switched off immediately, otherwise both they and their underlying services can provide access to unauthorised users. Therefore, any security conscious user must undertake a network or port scan to check for vulnerabilities on their access control system, by ascertaining if the ports are open and the network accessible.

Most Companies install firewalls and a variety of other solutions, with the intention of protecting their enterprise network. Many associated vendors, however, like to update their software remotely, using modems. Left connected, these modems provide the perfect back door for targeted war-dialling, using existing hacking programs to gain access to the network. Apart from the obvious dangers of an open unencrypted link to a network from the outside, these also give hackers an ideal opportunity to install back door applications or Trojans, enabling access to be gained at a later date. There are numerous methods that can be used to improve the security of a dial up modem. Unfortunately, large Companies are often unaware of the number and location of these modems, because they are frequently installed within laptop computers provided to senior staff and executives, enabling them to work remotely, or from home.

Of course, some issues are rather more subtle, especially when they concern the hackers of the future. Education and corporate environments both operate under different security policies, although some of the larger university campuses are not dissimilar to large corporate enterprises containing, as they do, many geographically diverse buildings. This environment constitutes a perfect training ground for the hackers of the future, who often attempt to access or compromise their university’s security system ‘just for fun’. Inevitably, a security risk can arise from students knowing the vulnerabilities of these enterprise-wide access control systems. Many hackers outside the educational environment use the virtual open access of a University system to carry out hacking attacks. Therefore, any security system used in the educational market should be viewed with caution when the technology is applied to the corporate sector.

Amazingly, unauthorised users may not even need access to a network, in order to initiate a series of functions that would be capable of bringing down a system. Network Communications can be recorded and played back, a process that is made easier if the data is moved between controller and server in a clear text format. This makes the numbers and names within the body of the text easily visible, and readily available to hackers.

Similarly, data uploads can also cause security issues. Most security systems will provide an export/import routine or ODBC connection to populate a server database. The primary data for this will probably come from a human resource application that could well carry passwords or, at the very least, clues to their makeup. To the average hacker, the full names of all employees, harvested from the HR database, will provide enough clues for the operation of standard password cracker tools. Internet Database Connectors (IDC) use ODBC to allow connectivity to back-end databases, through a variety of specific "connectors". Because ODBC utilises a variety of transports, protocols and port numbers, this leaves hackers with the opportunity to exploit any protocol bugs and connections that are left open for the sake of ODBC. Therefore, it is important only to run the connectors that are absolutely necessary for business and operational reasons. [Thanks to Dr Eugene Schultz]

Additionally, as network cables are easily accessible in many environments, such as large corporations and campuses, it’s often a simple procedure to gain entry to un-encrypted access control data.

Most security systems provide the user with the ability to process identity cards, with images of staff and students stored in GIF, JPEG or other graphical forms. Usually, these files are large and rarely used. Consequently, they can be the ideal place to store virtually undetectable programs or Trojans, taking advantage of freely available Steganography tools.
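
The record-and-playback risk described above for clear-text traffic between server and controller can be countered by authenticating every command and numbering it. The following is an added example, not code from the original article or any vendor: the frame layout, class and function names and the sample key are assumptions, and it provides authentication and replay rejection only, not encryption.

```python
import hashlib
import hmac
import json
from typing import Optional


def sign_command(key: bytes, counter: int, door: str, action: str) -> bytes:
    """Server side: serialise a command and append an HMAC-SHA256 tag."""
    body = json.dumps({"counter": counter, "door": door, "action": action},
                      sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


class Controller:
    """Controller side: accept a frame only if the tag verifies and the
    counter is higher than any counter accepted before."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_counter = 0

    def accept(self, frame: bytes) -> Optional[dict]:
        body, _, tag = frame.rpartition(b".")
        expected = hmac.new(self._key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expected):
            return None                      # altered, forged or wrong key
        command = json.loads(body)
        if command["counter"] <= self._last_counter:
            return None                      # recorded frame played back
        self._last_counter = command["counter"]
        return command


def demo() -> list:
    key = bytes(range(32))                   # constructed sample key
    controller = Controller(key)
    unlock = sign_command(key, 1, "door-17", "unlock")
    return [
        controller.accept(unlock) is not None,                                  # fresh
        controller.accept(unlock) is not None,                                  # replayed
        controller.accept(unlock.replace(b"door-17", b"door-01")) is not None,  # altered
        controller.accept(sign_command(key, 2, "door-17", "lock")) is not None, # next
    ]


if __name__ == "__main__":
    print(demo())
```

In a real controller the last accepted counter has to survive a restart, otherwise a reboot reopens the window for old frames.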

Because of the security implications of their core business, companies that supply access control systems can find themselves becoming a primary target for hackers. These Companies, as outsourced suppliers, have access to client sites, client data and other valuable information. As such, these security vendors must learn to adopt stringent security measures, all the way from shredding to installing firewalls, virus scanners and especially Intrusion Detection Solutions (IDS). One of the first steps to take is the appointment of a security officer, who must not have the contradictory role of system support or product development. Free from these constraints, he or she can then issue independent advice on enterprise-wide security policy.

Many large IP addressable access control systems are supported by highly complex programs. Often, these programs are constructed using software plug-ins, DLLs and functions such as ActiveX. In particular, ActiveX contains a range of well-known vulnerabilities that a hacker could exploit. To ensure that the owner is not caught out, the access control security supplier should provide the client with the original CDs and licenses for each of the programs installed. Instead, some only release their software over the Internet, which by its nature can cause system vulnerabilities. As these vulnerabilities are discovered, the manufacturers issue fixes and patches to harden the program against attacks. This method can cause further problems, as without a full knowledge of the system building blocks, a client may not have the opportunity to install the appropriate fixes. Therefore, when buying access control software and systems, it is important to include software requirements in the contract. Because this issue is a moving target, this represents the best way to guarantee the required level of updates and fixes.

Installing an access control system often has an effect on the insurance premiums paid by a Company. Consequently, if an access control system ends up providing a gateway into a corporate network, then the resulting losses can run into millions. Therefore, insurance Companies quite rightly insist on appraising the quality of the access control provider, and receiving some indication of the extra security that the vendor has put into place.

Access control systems have to be made easy to operate, so that they can be used with minimal training. There is often a high staff turnover in security departments, so training needs to be as straightforward as possible. However, as we have already established, it is paramount that corporate systems are well protected against future threats, and a system that is easy to install and operate may not be the most secure in the long run. A complex system needs to be looked at as a whole, not just the network itself, but also the hardware and the software connected to and running on it. Often, an external company such as Proseq has to be appointed to look at the configuration, sometimes because the in-house network support personnel do not have the time and the skill set to dig deeply into the security of the network.

The whole of a company’s network should be mapped and reviewed, including a concerted effort into searching for vulnerabilities. Any vulnerability testing undertaken must include network penetration testing, and must be initiated at the specific request of the company. The ideal solution would be to initiate a fixed frequency of vulnerability testing and mapping and, at regular intervals, employ an external organisation to survey and report on the state of the network and related internet services. Following the vulnerability testing process, there are several tasks that will need to be co-ordinated. In strict order, these comprise closing down unnecessary ports and IP services, updating and ensuring that the required services and software are properly patched up, and then setting up authentication & encryption. Following this, physical access to systems and networks needs to be addressed. This issue includes configuration control (including documentation handling), together with replacement of unsafe and partial applications. In addition, a knowledge base should be constructed, to allow consistent state management to be achieved.

Information from the FBI, available at www.fbi.gov: ‘Over the past several months, the National Infrastructure Protection Center (NIPC) has been coordinating investigations into a series of organized hacker activities specifically targeting U.S. computer systems associated with e-commerce or e-banking. Despite previous advisories, many computer owners have not patched their systems, allowing these kinds of attacks to continue, and prompting this updated release of information.

More than 40 victims located in 20 states have been identified and notified in ongoing investigations in 14 Federal Bureau of Investigation Field Offices and seven United States Secret Service Field Offices. These investigations have been closely coordinated with foreign law enforcement authorities, and the private sector. Specially trained prosecutors in the Computer and Telecommunication Coordinator program in U.S. Attorneys’ Offices in a variety of districts have participated in the investigation, with the assistance of attorneys in the Computer Crime and Intellectual Property Section at the Department of Justice.

The investigations have disclosed several organized hacker groups from Eastern Europe, specifically Russia and the Ukraine, that have penetrated U.S. e-commerce computer systems by exploiting vulnerabilities in unpatched Microsoft Windows NT operating systems. These vulnerabilities were originally reported and addressed in Microsoft Security Bulletins MS98-004 (re-released in MS99-025), MS00-014, and MS00-008. As early as 1998, Microsoft discovered these vulnerabilities and developed and publicized patches to fix them. Computer users can download these patches from Microsoft for free. Once the hackers gain access, they download proprietary information, customer databases, and credit card information. The hackers subsequently contact the victim company through facsimile, email, or telephone. After notifying the company of the intrusion and theft of information, the hackers make a veiled extortion threat by offering Internet security services to patch the system against other hackers. They tell the victim that without their services, they cannot guarantee that other hackers will not access the network and post the credit card information and details about the compromise on the Internet.

If the victim company is not cooperative in making payments or hiring the group for their security services, the hackers’ correspondence with the victim company has become more threatening. Investigators also believe that in some instances the credit card information is being sold to organized crime groups. There has been evidence that the stolen information is at risk whether the victim cooperates with the demands of the intruders. To date, more than one million credit card numbers have been stolen.’


© 2024 Professional Security Magazine. All rights reserved.
