Christmas crackers: how we did it


Richard Brain, technical director at ProCheckUp, explains how the results of his company's report on e-commerce security were compiled

In the interest of consumer safety, ProCheckUp was commissioned to look at 20 popular Web sites. The flaws and weaknesses discovered were found using ProCheckNet, a tool developed by security firm ProCheckUp. It gathers publicly accessible information disclosed by servers, which it would normally use to attempt targeted attacks, akin to a real-life intelligent hacking attempt. However, no attacks were performed on these Web sites, as this would have required prior written authorisation from the site owners.

The ProCheckNet system was run at Level 1, its lowest level of vulnerability discovery, providing banner grabbing and application response fingerprinting. Internet servers disclose this information publicly.

In communications between client software and server software, identification information is exchanged. This is called the banner; it identifies the server to the client and vice versa. ProCheckNet uses a set of standard clients, designed to ensure that communications are legal and do not disrupt the servers.

Application response fingerprinting by ProCheckNet's clients allows ProCheckNet to identify the application running, precisely in some circumstances, irrespective of whether the banner has been modified. The other unique technology used by ProCheckNet within this test is encryption algorithm identification, which advises on the strength and suitability of the encryption algorithm in use.

When a client connects to a server over an encrypted link, the two agree on an encryption algorithm to use. The ProCheckNet clients use a database of all the common encryption algorithms to cross-reference the agreed algorithm and advise on its strength.
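The three Level 1 checks described above (banner grabbing, application response fingerprinting that survives an edited banner, and encryption algorithm strength lookup) can be illustrated with a small self-assessment script. This is an added example, not ProCheckNet code or anything ProCheckUp has published; the sample HTTP responses are constructed, the header-order signatures are hypothetical stand-ins for a real fingerprint database, and the cipher rating rules are a simplified assumption of how such a database classifies suites.

```python
"""Added example (not ProCheckUp's code): banner grabbing, response
fingerprinting and cipher-strength lookup against constructed sample data,
so a site owner can see what their own server discloses. Runs offline."""
import re

# Constructed sample responses (not captures from any real site). The first
# discloses a full version banner; the second has had its Server banner
# replaced with a generic string.
SAMPLE_RESPONSES = {
    "site_a": (
        b"HTTP/1.1 200 OK\r\n"
        b"Date: Mon, 16 Dec 2002 10:00:00 GMT\r\n"
        b"Server: Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.6g\r\n"
        b"Content-Type: text/html\r\n\r\n"
    ),
    "site_b": (
        b"HTTP/1.1 200 OK\r\n"
        b"Server: WebServer\r\n"
        b"Date: Mon, 16 Dec 2002 10:00:00 GMT\r\n"
        b"Content-Length: 0\r\n\r\n"
    ),
}


def parse_headers(raw):
    """Return (status line, ordered list of (name, value)) from a raw response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def grab_banner(raw):
    """Banner grabbing: what the server claims to be. Easily edited or removed."""
    _, headers = parse_headers(raw)
    for name, value in headers:
        if name.lower() == "server":
            return value
    return None


def banner_versions(banner):
    """Extract product/version pairs such as ('OpenSSL', '0.9.6g') from a banner."""
    return re.findall(r"([A-Za-z_]+)/([\d.]+[a-z]?)", banner or "")


# Hypothetical signatures keyed on the order in which Date and Server headers
# are emitted; a real fingerprint database would hold many more traits.
SIGNATURES = {
    "apache-1.x-like": ("Date", "Server"),
    "iis-like": ("Server", "Date"),
}


def fingerprint(raw):
    """Application response fingerprinting: classify by header ordering, a
    behaviour that survives a rewritten Server banner."""
    _, headers = parse_headers(raw)
    order = tuple(n for n, _ in headers if n in ("Date", "Server"))
    for label, signature in SIGNATURES.items():
        if order == signature:
            return label
    return "unknown"


def classify_cipher(cipher):
    """Rate a negotiated suite. `cipher` has the shape returned by
    ssl.SSLSocket.cipher(): (name, protocol_version, secret_bits).
    Thresholds are an illustrative assumption, not a vendor's database."""
    name, version, bits = cipher
    if "NULL" in name:
        return "none"          # authenticated but unencrypted
    if name.startswith("EXP") or bits < 56:
        return "export"        # 40-bit export-grade, trivially broken
    if "DES" in name or "RC4" in name or "MD5" in name or bits < 128:
        return "weak"
    if version in ("SSLv2", "SSLv3"):
        return "weak"          # strong suite on a broken protocol
    return "strong"


def assess(raw):
    """Combine the checks into one report for a captured response."""
    banner = grab_banner(raw)
    return {
        "banner": banner,
        "versions": banner_versions(banner),
        "fingerprint": fingerprint(raw),
    }


if __name__ == "__main__":
    for site, raw in SAMPLE_RESPONSES.items():
        print(site, assess(raw))
    print(classify_cipher(("EXP-RC4-MD5", "SSLv3", 40)))
```

In live use the input to `assess()` is the response to a plain `HEAD /` request, and the tuple passed to `classify_cipher()` comes straight from `ssl.SSLSocket.cipher()` on a connection to the site being reviewed; the point of `site_b` is that a generic banner defeats `banner_versions()` but not `fingerprint()`.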

For some applications, banner grabbing gives no indication of the version or of whether patches have been applied. This is common to the majority of Microsoft-based Web sites. One way to verify the security of these and to determine whether patches have been applied is to run exploits against the site. As this legally requires permission from the site owner, it was not done. However, evidence of how such sites are configured can be found in other information publicly obtainable from them: poor encryption, unnecessary firewall ports left open, or obscure Microsoft services running without patches (against Microsoft's own advice).

Sites running on Unix servers generally give more predictable results with banner grabbing, due to most Unix application vendors disclosing full version and patch information within the banner. This allows us to be more accurate in determining the security and patch level of a Unix site using simple banner grabbing.

After identifying applications, the ProCheckNet system then determines the configuration of the system, identifying any flaws that may exist due to misconfiguration. Irrespective of any firewalls and protective measures, ProCheckNet can find configuration details, applications and operating systems. All of this highly detailed and specific information is used by ProCheckNet's attack systems to target any possible weaknesses or flaws within the system under test. The attacks used are not fixed exploits, but are instead held as patterns that are modified to precisely match the system under test.
