The Bankwatch

Tracking the consumer evolution of financial services

Hacking your Bank | Snosoft

This is a fabulous post.  It is fabulous because it shows the folly associated with every banks walled garden approach to security. 

The message here is that you (bank) must assume your personnel network is compromised.


Because this engagement required stealth, we focused on the social attack vectors and Social Reconnaissance. We first targeted FaceBook with our “FaceBook from the hackers perspective“ methodology. That enabled us to map relationships between employees, vendors, friends, family etc. It also enabled us to identify key people in Accounts Receivable / Accounts Payable (“AR/AP”).

After investigating a few social network sites they applied for a job after carefully reviewing the specs.  The result:

Upon completion of our screening call, we had sufficient information to attempt stealth penetration with a high probability of success. The beauty is that we collected all of this information without sending a single packet to our customer’s network. In summary we learned:

  • That the bank uses Windows XP for most Desktops
  • Who some of the bank’s vendors were (IT Services)
  • The names and email addresses of people in AR/AP
  • What Anti-Virus technology the bank uses
  • Information about the banks traffic control policies

Based on this information they developed a plan to get inside the bank with the first attack being a pdf invoice containing a compromise.  They were able to do this because they knew the types of intrusion detection used at the bank.  It was all downhill from there.

That proved to be very useful as we were able to quickly identify VNC connections and capture VNC authentication packets. As it turns out, the VNC connections that we captured were being made to the Active Directory (“AD”) server.  We were able to crack the VNC password by using a VNC Cracking Tool. Once that happened we were able to access, the AD server and extract the servers SAM file.

Relevance to Bankwatch:

Traditional security methods and approaches are not adequate.  Banks must assume that every employee in their organisation is vulnerable and will (not may) reveal some snippet of information that associated with other snippets will provide a dedicated attack to obtain enough information to succeed. 

This revelation will result in a different approach to security. 

Technorati Tags: ,,,

Written by Colin Henderson

April 29, 2010 at 22:58

Posted in Security

2 Responses

Subscribe to comments with RSS.

  1. The fact that the chances of an employee’s information could be hacked, is high is definitely something banks should consider. It is equally important for banks to use anti-virus software applications of the highest degree to ensure their computers are protected against malicious attacks.

    If a bank uses traditional security methods, it is time for the customers to make a move, as these measures could be described, Out-dated.

    Jack Ingram

    May 3, 2010 at 06:20

  2. I am not sure anti virus software is the issue. If we assume employees computers are compromised, then what?

    Colin Henderson

    May 4, 2010 at 21:33

Comments are closed.

%d bloggers like this: