Testing client-side risks

How many of your employees can be tricked into opening malware? The answer may surprise you

Normally, I don’t get excited about updates, but the main improvement to Version 6.0 of Core Security's CORE IMPACT penetration-testing tool got my attention: It focuses on client-side attack improvements. Essentially, you can drag and drop client-side attacks on top of one or more e-mail addresses. CORE IMPACT will then send e-mails containing those attacks to the selected e-mail addresses.

At the very least, the client-side e-mail test can include a Web bug that dials "home." CORE IMPACT installs a Python-based Web server that records the incoming connection, along with any other information collected along the way. You can also send real exploits, including one that installs a client-side agent for further exploitation testing. For example, you can use a Windows Media Player bug to inject the agent into the Internet Explorer process, so that it survives after Media Player is closed.

Metasploit, which I’ve also used and recommended, and other testing tools have client-side attacks, but aren’t nearly as user friendly. CORE IMPACT makes it a drag-and-drop process. My only complaint -- if you can call it a complaint -- is that Core Security hasn’t made it a stand-alone testing tool for client-side attacks.

Most companies drastically underestimate their client-side risk in the face of overwhelming evidence to the contrary. Nearly all (99.99 percent) of the hacking attacks against any environment are client-side attacks. Long gone are the days when the dedicated human malicious hacker was the primary attacker against our networks. Today, it's automated, self-replicating viruses, worms, Trojans, and bots. And they aren't attacking servers … unless you pick up your e-mail on your file server.

The malware ends up on an end-user’s desktop via e-mail, instant messaging, or Internet browser. The user runs the attached file, clicks on the link, or launches the script. In all cases, the client-side malware installs itself on the user’s desktop and then notifies its originating hacker (or "mothership" Web server, etc.) of its success.

Client-side attacks used to notify their master over IRC or some other non-standard port. Now, nearly all use port 80 or 443 to scoot out past the host and perimeter firewalls, blending in with ordinary Web traffic. The smarter malware agents use SSL- or SSH-encrypted channels to connect home, escaping content-based network detection. The hackers then have their backdoor program installed, and can pillage and plunder the exploited host and its network at will.
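One thing SSL or SSH cannot hide is the rhythm of the call-home traffic: the same workstation reaching the same outside host every few minutes, often with an identical payload size. The following script is an added example, not code from the column or from any product it mentions; it runs over constructed proxy-log lines (the log format, host names, addresses and thresholds are all assumptions) and flags flows whose inter-connection gaps are suspiciously even.

```python
"""Spotting call-home beaconing in proxy/firewall logs by timing, not content (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, not real data: "timestamp src_host dst_ip dst_port bytes_out".
# ws-17 checks in with 203.0.113.50 every ~5 minutes with an identical payload size;
# its traffic to 198.51.100.9 is ordinary, irregular browsing.
SAMPLE_LOG = """\
2024-03-01T09:00:00 ws-17 203.0.113.50 443 512
2024-03-01T09:00:31 ws-17 198.51.100.9 443 1480
2024-03-01T09:01:00 ws-22 192.0.2.77 80 300
2024-03-01T09:02:00 ws-22 192.0.2.77 80 300
2024-03-01T09:03:00 ws-22 192.0.2.77 80 300
2024-03-01T09:05:01 ws-17 203.0.113.50 443 512
2024-03-01T09:06:12 ws-17 198.51.100.9 80 9021
2024-03-01T09:06:15 ws-17 198.51.100.9 80 2210
2024-03-01T09:10:00 ws-17 203.0.113.50 443 512
2024-03-01T09:12:30 ws-22 203.0.113.50 443 4096
2024-03-01T09:15:02 ws-17 203.0.113.50 443 512
2024-03-01T09:19:59 ws-17 203.0.113.50 443 512
2024-03-01T09:21:40 ws-17 198.51.100.9 443 780
2024-03-01T09:22:03 ws-17 198.51.100.9 443 15003
2024-03-01T09:25:00 ws-17 203.0.113.50 443 512
2024-03-01T09:28:50 ws-17 198.51.100.9 80 640
2024-03-01T09:30:01 ws-17 203.0.113.50 443 512
"""


def parse_log(text):
    """Group connections by (source host, destination), ignoring the port.

    Malware may alternate between 80 and 443; the host pairing is what matters.
    """
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        when = datetime.fromisoformat(ts).timestamp()
        flows[(src, dst)].append((when, int(port), int(nbytes)))
    return flows


def regularity(times):
    """Return (coefficient of variation of the gaps, mean gap); CV near 0 means clockwork."""
    times = sorted(times)
    gaps = [b - a for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return (pstdev(gaps) / avg if avg > 0 else float("inf")), avg


def find_beacons(text, min_conns=5, max_cv=0.1):
    """Flag flows with at least min_conns connections whose timing is suspiciously even.

    min_conns keeps short coincidental runs out; max_cv is the tolerated jitter.
    Real beacons add random sleep, so treat max_cv as a tuning knob, not a truth.
    """
    flagged = []
    for (src, dst), events in parse_log(text).items():
        if len(events) < min_conns:
            continue
        cv, period = regularity([t for t, _, _ in events])
        if cv <= max_cv:
            flagged.append({
                "src": src,
                "dst": dst,
                "ports": sorted({p for _, p, _ in events}),
                "count": len(events),
                "period_s": round(period),
                "cv": round(cv, 3),
                # A fixed-size "nothing to report" check-in is another tell.
                "constant_size": len({n for _, _, n in events}) == 1,
            })
    return flagged


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

Lowering `min_conns` to 3 also picks up the short, perfectly regular ws-22 run, which is the trade-off you tune against in a real environment: software updaters, mail clients and monitoring agents beacon too, so the output is a list of things to look at, not a verdict.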

Many of the most famous network exploits have been accomplished using client-side attacks. Have you read about the latest online bank heist or government break-in? Most aren’t being accomplished by malicious hackers beating against hardened servers and perimeter firewalls. Instead, they spam the company’s user base with malicious e-mails. There is always somebody willing to click on anything.

Most companies, even though they are aware of the threat of client-side attacks, aren’t testing for it. Do you have any idea about the percentage of your end-users who can be tricked into running unauthorized code or into clicking on malicious links?

One of the services my personal company provides is getting the answers to those questions. The hiring company gives us a list of all its e-mail addresses. We craft a very spam-looking e-mail containing a malicious link and Web bug. We try to make the e-mail look as foreign and strange as possible, so it isn’t confused with company messages, but we also offer some sort of enticement (e.g., free game, genealogy software, or -- of course -- porn). We may even ask for the user’s corporate log-on name and password.

Then we record who responds. We automatically send back an internal link in another e-mail (this time more official-looking and linked to their company) that points to a custom-branded document made for the company that discusses Internet risks and common-sense computer security steps -- spot-on computer security education. Depending on the client, the offender may be invited to a morning or weekend computer class, the more inconvenient and boring the better.

We send the client a report on which e-mail addresses were the offenders, and calculate the percentage of takers on that first malicious e-mail. It is not unusual for the initial conversion rate to be 60 percent. We then wait 30 days and test the original offenders again, and re-calculate the rate. It's not unusual for it to be as low as 2 percent.
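The bookkeeping behind both the CORE IMPACT Web bug described earlier and the testing service just described is the same: give every recipient an unguessable token, embed it in the Web bug and the link, and record which tokens come back. The script below is an added example in Python; it is neither CORE IMPACT's tracking server nor the author's tooling. The URL paths, the token scheme, the education page and the simulated recipients are assumptions. It listens on localhost only, and `run_campaign` plays the recipients itself, so nothing is mailed and nothing leaves the machine.

```python
"""Per-recipient tracking for a client-side (phishing) test campaign (added example)."""
import secrets
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, urlparse

# 1x1 transparent GIF served for the Web bug; nothing visible renders in the mail client.
PIXEL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00"
             b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
EDUCATION_HTML = b"<html><body><h1>This was a security test.</h1></body></html>"  # stand-in page


def make_campaign(addresses):
    """Map a random 128-bit token to each recipient so a hit identifies who acted."""
    return {secrets.token_urlsafe(16): addr for addr in addresses}


def build_urls(base, token):
    """URLs to embed in the test e-mail: the Web bug (image) and the enticing link."""
    return f"{base}/open.gif?t={token}", f"{base}/offer?t={token}"


class Tracker:
    def __init__(self, campaign):
        self.campaign = campaign
        self.events = {}  # token -> {"open", "click"}
        self.lock = threading.Lock()

    def record(self, token, action):
        if token not in self.campaign:
            return False  # unknown token (scanner, guess, forwarded mail): not counted
        with self.lock:
            self.events.setdefault(token, set()).add(action)
        return True

    def report(self):
        """Clickers are the offenders; click rate is clickers over all recipients."""
        opened = sorted(self.campaign[t] for t, a in self.events.items() if "open" in a)
        clicked = sorted(self.campaign[t] for t, a in self.events.items() if "click" in a)
        rate = len(clicked) / len(self.campaign) if self.campaign else 0.0
        return {"opened": opened, "clicked": clicked, "click_rate": rate}


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        url = urlparse(self.path)
        token = parse_qs(url.query).get("t", [""])[0]
        tracker = self.server.tracker
        if url.path == "/open.gif" and tracker.record(token, "open"):
            self._reply(200, "image/gif", PIXEL_GIF)
        elif url.path == "/offer" and tracker.record(token, "click"):
            self._reply(200, "text/html", EDUCATION_HTML)
        else:
            self._reply(404, "text/plain", b"not found")

    def _reply(self, status, ctype, body):
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # a real deployment would also log client IP and User-Agent per hit


def start_server(tracker):
    """Serve on an ephemeral localhost port; returns (server, base_url)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    srv.tracker = tracker
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def fetch(url):
    """Plain GET that ignores proxy settings; returns the HTTP status code."""
    u = urlparse(url)
    conn = HTTPConnection(u.hostname, u.port, timeout=5)
    conn.request("GET", f"{u.path}?{u.query}")
    status = conn.getresponse().status
    conn.close()
    return status


def run_campaign(addresses, clickers, openers=()):
    """Run one campaign with simulated recipient behaviour (no mail is sent); returns the report."""
    tracker = Tracker(make_campaign(addresses))
    srv, base = start_server(tracker)
    try:
        for token, addr in tracker.campaign.items():
            bug, link = build_urls(base, token)
            if addr in clickers or addr in openers:
                fetch(bug)   # mail client loaded the Web bug
            if addr in clickers:
                fetch(link)  # user followed the link
        fetch(f"{base}/offer?t=not-a-real-token")  # a guessed token must not count
    finally:
        srv.shutdown()
        srv.server_close()
    return tracker.report()


if __name__ == "__main__":
    staff = [f"user{i}@example.com" for i in range(1, 11)]
    first = run_campaign(staff, clickers=set(staff[:6]), openers={staff[6]})
    print("first run:", first)
    print("re-test of offenders:", run_campaign(first["clicked"], clickers={staff[0]}))
```

The 30-day re-test is just a second campaign whose recipient list is the first report's `clicked` list, as the `__main__` block shows. Two details matter in practice: the token must be random rather than derived from the address (a guessable token lets one curious employee "click" on behalf of a colleague), and hits with unknown tokens are dropped rather than counted, because mail scanners and link-preview fetchers will request anything they see.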

It's measurable computer security return for low or no cost. We have sold this client-side testing service to corporations large and small, financial companies, banks, and government consultants, but I'm not trying to get more business. With a little investment of time, anyone can do it. Are you?