Decrypting company security

For a global corporation, we tested a web application and a rich client used for software development. Additionally, an agent application played an important role, which could be connected from the web and the rich client. A complex system with many components - and possibilities for security holes!

Sometimes it pays off to test an application over a longer time frame to comb through every small corner. Because during the last days of the project, we identified a vulnerability that could be exploited to run arbitrary commands on the agent software. Furthermore, it was possible to spawn and stop customer server instances in the customer's environment.

For a global sportswear company, the security of payment processes was assessed on three company locations. Securing the interfaces between the different payment tools is usually an underestimated attack vector in this scenario. Not many people are aware of the use of payment files (mostly XML), which contain all the bank account information, including the receiving account.

File transfer, you say? The word "interface" is not always correct in this context because the interface is a human who copies the payment file from their local work station to a network share. This leads to the files being modifiable not only during transmission but also at the location they are being stored at. Internal attackers can utilize this by changing the receiving account in the file to their own account. Depending on the receiver you could make quite some money with this trick.

But how can I prevent this? In short term it is worth to secure payment processes with available methods, meaning encryption of transmission paths and restricting file access. In the long term, this unfortunately is a more elaborate task! Structures and interfaces need to be established that prevent employees from having access to files altogether.

To gain access to the internal network in a social engineering assessment, we first had to gain access to the company building. So we developed the following scenario and realized it: 

An employee of ours, dressed up in suit and tie, waited for their cue word in front of the company building. A second employee, out of sight, called the front desk with a faked supervisor number: "The supervisor has a very important meeting but the customer is late. When the customer arrives, they need to be let through as quickly as possible." 

The first employee of ours now ran stressed to the front desk, had no need to say much more and was allowed to pass without a control. The result: Free movement within the building!