Probability of PWNd

Don’t be so hard on yourself when things go badly and don’t be so proud of yourself when they go well. - Annie Duke

In the first part of our discussion on hacking in bets, we covered how the more bets you can place (because you manage your time well), the better your overall chances of finding things. But what about the defender’s side? What about risk? When we rate risk for clients, a lot of factors go into consideration. You can be as scientific about it as you want, but I personally subscribe to the idea that risk ratings (applied consistently) should convey one thing: “what should I fix first.” We are placing a bet on how urgently a potential problem needs to be addressed.

In general, low risk findings fall into the category of “you should get to these, sometime, maybe.” Medium risks are a bit more serious, but carry nowhere near the urgency of high or critical risks. In my experience this model holds up well, which is why we advise this way. But as in poker, you still have to respect that the probability of being exploited doesn’t always line up with actually being exploited. If there is a 75% chance your next card will be one you want, there is still a 25% chance that it won’t be. Risk ratings follow the same logic. In the long run, 3 out of 4 draws will get you what you want, and 1 out of 4 won’t. That doesn’t change how you should prioritize, because decisions and outcomes are not always tied to each other the way you think. There is no magic bullet; math is relentless.

As an example of this playing out, I was once hired to do an eight hour “kick the tires” engagement on a site that almost literally had no functionality. I had three findings at the end of it, all medium risk or lower. Most of the time that is the best you’d expect. In this case, those findings kicked off a multi-client incident response, with tens of thousands of customer records put at risk.

The first problem was just directory listing. They had left some default settings on and the folder contents were listed on the web. In general this isn’t a huge issue: on most servers, authorization checks prevent sensitive data from being shown, and dynamically served pages are still served dynamically. For this to be a real issue, you’d have to have pushed up a file that isn’t served dynamically and/or has no default protections. Like, say, pushing the source code up as a zip file.

Which they did.

The second issue was insecure credential storage in source. This also typically isn’t that major of an issue, because the credentials stored in these types of files are often only for internal systems. You could make an argument about insider threats, of course, but in general a lot of other things would need to go wrong before someone could use them (externally). Further, source code is typically stored somewhere secure, and you need trusted access to get it. The only time this would really matter is, say… if you pushed it to an insecure place… like a publicly accessible web folder.

Which they did.

The final issue was exposing internal infrastructure to the public, like, say… a database. While clearly not a ‘best practice’, normally this isn’t as big of an issue with proper hardening, strong passwords (which they had), keeping up with patches (which they did), etc. These protections make it much harder to get in, even though it isn’t ideal (why expose it unless you really need to share it?). Unless of course, you have the password, that was left in the source, that was accidentally pushed to a web folder, that listed all of its contents on the web…

Which they did.
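The chain above is three individually unremarkable findings that only matter together, so it is worth catching before deployment rather than in an incident. The following is an added example, not code from the original post: a pre-deploy check that walks a web root for archive files, credential-looking strings in text files, and directory-listing switches in Apache/nginx config, then rates the combination rather than each finding alone. The sample web root, file names and the `hunter2` value are constructed for the demonstration.

```python
"""Pre-deploy web root check for the listing + source archive + credentials chain."""
import re
import tempfile
from pathlib import Path

# File types that are almost never meant to be served from a public web root.
ARCHIVE_SUFFIXES = {".zip", ".tar", ".gz", ".tgz", ".7z", ".rar", ".bak"}
# Credential-looking assignments (constructed patterns, not an exhaustive list).
CRED_PATTERN = re.compile(
    r"(password|passwd|pwd|secret|api_key)\s*[=:]\s*['\"]?[^\s'\"]{4,}", re.IGNORECASE)
# Directory-listing switches in Apache (.htaccess / httpd.conf) and nginx config.
LISTING_PATTERN = re.compile(r"Options\s+[^\n]*\+?Indexes|autoindex\s+on", re.IGNORECASE)
CONFIG_NAMES = {".htaccess", "httpd.conf", "nginx.conf"}

def scan_webroot(root):
    """Return (category, relative_posix_path) findings for every file under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() in ARCHIVE_SUFFIXES:
            findings.append(("archive-in-webroot", rel))
        try:
            text = path.read_text(errors="ignore")  # binaries are read leniently
        except OSError:
            continue
        if CRED_PATTERN.search(text):
            findings.append(("credential-in-file", rel))
        if path.name in CONFIG_NAMES and LISTING_PATTERN.search(text):
            findings.append(("directory-listing-enabled", rel))
    return findings

def chained_rating(findings):
    """Rate the combination: each finding alone is medium or lower, but listing plus
    an archive plus credentials on the same web root is the chain from the post."""
    cats = {cat for cat, _ in findings}
    chain = {"directory-listing-enabled", "archive-in-webroot", "credential-in-file"}
    if chain <= cats:
        return "critical"
    return "medium" if cats else "none"

def build_sample_root():
    """Constructed sample web root that reproduces the post's chain (demo only)."""
    root = Path(tempfile.mkdtemp())
    (root / ".htaccess").write_text("Options +Indexes\n")
    (root / "index.html").write_text("<h1>Hello</h1>\n")
    (root / "backup").mkdir()
    (root / "backup" / "site-src.zip").write_bytes(b"PK\x03\x04 constructed, not a real archive")
    (root / "backup" / "config.php").write_text("<?php $db_password = 'hunter2';\n")
    return str(root)
```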

This isn’t a typical winning hand as a pentester, nor would I assume this attack would work on any other client. It was more like a comedy of errors that led up to this attack. The database I connected to was one of roughly ten, and the other nine were configured correctly. For all I know, someone pushed that code up for only 30 minutes and I just happened to be there at the right time. Regardless of how absurd and low probability this all was, it worked this time, on this engagement.

So what does that say about risk? It says two things you should leave with:

  1. A 4% chance of success is still a 4% chance of success. I don’t believe in the Kobayashi Maru.
  2. Investing in the other 96% will pay off in the long run, but it isn’t perfect. I wouldn’t change my overall strategy if I could get percentages like this on defense. I’d just be aware of how it could fall apart and try to plan mitigation strategies to reduce impacts.