Hackers conference shown how to bypass Active Directory controls

Security threats to Bluetooth wireless technology, credit card hacking and tricks to bypass Windows Active Directory were revealed at the Defcon conference in Las Vegas earlier this month.

Experts from the CIA and FBI rubbed shoulders with hardcore computer hackers at the conference. Once the sole preserve of hackers, Defcon has now become a recognised fixture in the IT industry's calendar.

One presentation showed delegates how hackers can bypass the controls restricting user access in the Windows Active Directory due to poor configuration of the software.

Phil Cracknell, security consultant at NetSecurity, said this kind of threat has been largely overlooked by companies, partly because computer viruses and worms are more visible and easier to detect.

Users expect there to be greater security in a Windows Active Directory environment as it allows administrators to overlay network-based group policies onto the security permissions of users' PCs, said Cracknell.

But Cracknell said he had come across set-ups where desktop security had been weakened because of badly implemented Active Directory environments.

He said he had seen examples of organisations using Active Directory where a reboot and removal of the network cable left a PC operating with just the desktop security policies. Restrictions on user access that were written into Active Directory no longer applied, said Cracknell.

"Plug in the cable and you effectively have a rogue PC on a corporate network," he said.

Stuart Okin, chief security officer at Microsoft, said, "Users cannot rely on security policies alone. There needs to be [system] lockdown, end-user education and constant review."

In a warning to banks and companies that do business over the internet, security analyst Robert Imhoff-Dousharm demonstrated credit card hacking. Delegates were given laptops and shown how a hacker could tap into a private network and download credit card details, which could then be decrypted.

Richard Brain, technical director at security consultancy Procheckup, said hacking credit card details was relatively straightforward.

"Certain payment systems use particular ports. You can scan this port, capture all packets and grab credit card details," he said.

Credit card data is secured, but only by 56-bit encryption, which Brain said could be broken relatively easily to reveal the credit card number, expiry date and the cardholder's name. Secure banking transactions are usually protected by 128-bit or 256-bit encryption.

Another presentation explained how law enforcement agencies were using facilities in Microsoft's development tools to track down hackers.

Businesses have long made use of the ability of Microsoft software to track changes made to documents, but Microsoft's development tools can also track the author and computer used to create the program.

"If you use a Microsoft tool to create a [security exploit], the FBI can find out who you are," said Brain. This happens because most users generally type in the correct information when registering new software.
