Finding security holes in WA govt through open source intel

For many organisations, making sure systems are fully operational is the biggest priority.

But being aware of your public footprint on the internet can be just as critical.

Open source intelligence is the collection and analysis of publicly available information. It’s often the first step towards more sophisticated attacks, and is used regularly in social engineering.

The amount of information about an organisation that can be gleaned through this type of research - without even touching any of its systems - might surprise you.

Security researcher and regional director of Hivint, Aaron Doggett, spent two months with colleague Sam Reid studying the WA government’s online footprint to work out spots of weakness.

The goal was to identify the likely entries for attack without a single packet going from Hivint’s infrastructure to the WA government’s.

“The intent was, if you wanted to profile an entity and get an idea about how you might attack them, what can you get without actually probing their networks,” Doggett told iTnews on the sidelines of the recent Wahckon conference in Perth.

The pair started out by trawling through the list of WA government departments and entities, as well as local governments and councils, coming up with a total list of 466 state government, local government, and council unique domains.

Initial testing showed a bunch of misconfigured name servers, leaving 28 vulnerable to DNS zone transfer attack, 15 vulnerable to DNS amplification attack, and 21 which were vulnerable to both.

Of the 9467 total subdomains, 473 were test or dev; 225 were VPN, proxy or remote domains; 99 were UAT or staging; 91 were admin; 44 were login; another 44 were FTP or archive domains; and 39 were content management systems.

They also found four domains with the word “firewall” in them.

“So you can start to see the attack surface here is getting pretty large,” Reid said.

They were also able to identify 27,000 email addresses associated with the 466 WA government domains.

They compared the addresses with datasets from breaches like those at LinkedIn and Myspace, finding about 4500 WA government emails within those sets.

Breach datasets like these are goldmines for attackers; there’s a high likelihood that an individual has reused the same password that has been leaked on more of their personal accounts.

“There were 55 breached members of parliament, 23 admin accounts, three breached IT or support accounts, and three breached corporate accounts,” Reid said.

“There were 32 different breaches that we identified @wa.gov.au accounts in. There were the big ones like LinkedIn, Dropbox, River City Media, but we also found accounts in Myspace, Tumblr and Neopets.

“So you can see that people really love using their work accounts for non-work related purposes.

“From an attacker’s perspective this could lead to some serious footholds.”

Next up was IP addresses, checking where they resolve as well as any open ports.

The pair found a lot of shared hosting providers, as well as a few IP addresses with “very odd services on the internet that probably shouldn’t be there”.

“We found some IP addresses resolving into places like China and Panama,” Doggett said.

“We don’t know why. It could be that some entities aren’t really aware; they might have outsourced their website to a service provider that happens to have a location in China, and that’s where their stuff has ended up.”

The instances of misconfigured DNS were probably the most serious security problems the pair found during the whole reconnaissance, Doggett said - which gives the WA government a relatively high score when it comes to its open online footprint.

“The worst case scenario is the misconfigured DNS might get used in an amplification attack, which could get you blacklisted by your ISP, but it’s not going to give someone access to your information or assets,” Doggett said.

The pair decided against validating any of their findings to keep the exercise strictly open source intelligence - plus they hadn’t been commissioned by the WA government to do any security testing.

“We could have validated the emails and ports but we didn’t want to do that because to me you’re then starting to touch their infrastructure, and that wasn’t something we wanted to do,” Doggett said.

“But for anyone who wanted to do some reconnaissance, there’s a lot of stuff that helps build a pretty big picture of what the landscape looks like. And with a bit of poking you could validate a lot of potentially sensitive stuff pretty easily.”

Doggett said his and Reid’s findings illustrated just how susceptible people are to social engineering attacks.

“The amount of information you can get just from the footprint an organisation has on the internet that can help you craft things specifically to individuals in that organisation is pretty high.”

The pair have notified a WA government central body of their findings and offered to provide an overview, but are yet to hear back.

“There are some things that need to be looked at, like some of the DNS misconfigurations, but if we’d seen something that looked like a clear compromise or that could lead to one, we would have pushed it a bit harder,” Doggett said.

"But the WA government is really no worse than anyone else in this space.”