Success Stories

Our examples below, demonstrate how we are constantly working with our clients to meet the challenge of successfully delivering information security services.

They can be downloaded here Success Stories.pdf

"A Hacker Discount"
If issues remained undetected and unresolved, the retailer could have suffered severe monetary losses from both the online shopping card abuse and services availability disruption.

Customer
Major online multimedia content retailer.

Challenge
The enterprise was concerned about illicit remote access to it's digital assets and “hacktivist” attacks by various software pirate groups. They asked us to verify whether such activities can or can not be successful and advise on deploying the most suitable countermeasures and safeguards to counter them.

Solution
A full external security assessment was performed to determine weak spots that can be abused by the aforementioned attacker types. In the process of testing we have uncovered a method of modifying the input to buy music and video clips from the company's website at a fraction of the original price. Besides, two novel denial of service (DoS) attacks against industry standard firewalls protecting the retailer's network perimeter were discovered. Proof of concept code was written to demonstrate these attacks to the customer technical team and the firewalls manufacturer.

Result
The shopping card flaw was fixed by it's vendor ASAP, while the DoS issues were resolved by the firewalls manufacturer with the next operating system release. There was no need to deploy any additional safeguards by the retailer's IT & information security team.

Benefit
If these issues remained undetected and unresolved, the retailer could have suffered severe monetary losses from both the online shopping card abuse and services availability disruption. As the tests demonstrated that when all bugs are fixed the existing defences are sufficient, the customer has abandoned the plans to acquire costly application layer firewalls.


"Gatecrashing"
Theft of the company's trade secrets constituting the core of it's business was prevented.

Customer
A specialised telecommunications software development company.

Challenge
The company IT team boasted impenetrable perimeter defences designed to protect the code and algorithms their large development team designs. They have challenged us to find at least a single security issue that would allow outsider access to the company's intellectual property.

Solution
During the external security assessment all visible systems and services proved to be upgraded and patched to the latest versions and were, indeed, invulnerable to all known attack vectors. However, the gateway router leading to the company network had a fatal security flaw that allowed us to assume complete control over the device. All data passing through the router was mirrored for interception, modification and session hijacking. Eventually, this led to the further compromise of the audited network.

Result
Using the vulnerable gateway we were able to intercept sensitive information belonging to the firm. It turned out, that unlike the perimeter firewalls and public services, the router was administered not by the company's IT personnel, but by it's Internet provider. As an outcome of the test, the ISP was persuaded to fix the problem and pay more attention to the security of client-side appliances it manages.

Benefit
Theft of the company's trade secrets constituting the core of it's business was prevented.


"False Alarm"
The risk of unauthorised access to confidential information was eliminated and the client were able to roll out the remote access solution globally.

Customer
A large multinational law firm

Challenge
A web-based authentication gateway to allow access for the company remote branches, as well as it's partners and clients was deployed. This gateway was tested by a different, well-recognised information security company, which did not find any flaws and judged the gateway as "completely secure". Arhont were challenged to verify the findings.

Solution
Highly reputable and expensive commercial web scanning and fuzzing application has identified 33 vulnerabilities of the gateway. However, during a more close manual examination all these vulnerabilities turned out to be mere false positives. Further in-depth manual testing was conducted to reveal possible security flaws missed by automated and semi-automated tools.Result
Three issues unreported by any web application security scanners were uncovered and investigated. One of them eventually allowed unauthorised web server privilege level access to the gateway with further network penetration. After the testing we have worked with the authentication gateway's vendor to eliminate the discovered vulnerabilities.

Benefit
The risk of unauthorised access to confidential information was eliminated and the client were able to roll out the remote access solution globally.


"Fatal Backup"
A network infrastructure merger has been secured.

Customer
Investment management company.

Challenge
A sizeable investment management firm has ordered an internal assessment to examine security architecture of it's networks after acquiring another company. The newly assigned technology management needed to find out where the soft spots of the still chaotic unified infrastructure are.

Solution
A sweeping audit of the large network infrastructure was performed. Shortly after the start of testing, a database holding sensitive information about the company's clients was identified and verified to be well-protected against database-centric and other attacks. However, the same could not be said about the database backup server. Our consultants have managed to obtain administrative access to this server and retrieve all the data stored as backups.

Result
Access to business-sensitive information including personal details of clients and employees, e-mail archives and other corporate documents has been gained. After the audit a more secure backup solution was suggested and implemented.

Benefit
A network infrastructure merger has been secured.


"Shaky Border"
Insider threats to the chief executives data and systems are strongly reduced. The security policy is properly implemented.

Customer
An international finance firm.

Challenge
A major financial company's information security policies stated that the top management traffic should be completely separate from the rest of the network data. In practice, this was implemented by placing all top managers workstations and laptops on a specific restricted access virtual local area network (VLAN) supposedly out of reach for the rest of the employees. The  firm's management ordered an independent enquiry to verify the effectiveness of this implementation.

Solution
In the process of internal security assessment our consultants have uncovered architecture and configuration flaws that allowed them to intercept sensitive data from the restricted access VLAN while staying connected to a different network segment as a casual member of staff. In fact, the company policies permitted connectivity for contractors and guests that would also allow them to abuse the network separation insecurities found. The discovered problems were resolved by altering the network infrastructure and connecting all senior managers computers to separate physical switches.

Result
It became impossible to access top managers computers and traffic from any other network apart from the restricted VLAN unless explicit authorisation is granted.

Benefit
Any insider threats to the chief executives data and systems are strongly reduced.  The security policy is properly implemented.


"Pirates Among Us"
Avoided legal problems related to copyright infringement.

Customer
A large retail company.

Challenge
While performing an annual internal IT security assessment suspicious traffic streams have been detected. We were asked to investigate the issue in the process of the audit.

Solution
The traffic flows were analysed and followed to one of the production servers, on which an unauthorised web service bound to a high port was running. That service has been identified as hosting a password-protected site, accessible from several external IP addresses only. A man-in-the-middle attack was employed to capture login credentials for this site for further examination.

Result
Upon login, large volumes of illicit media content and pirated software were discovered and quarantined. An incident response procedure was initiated. As the outcome of the internal investigation one of the system administrators was found to be responsible and got fired immediately.

Benefit
The company has successfully avoided legal problems related to copyright infringement. A serious violation of the acceptable use policy is corrected sending a clear message to any would be offenders.

"Pirates Among Us".

Customer

A large retail company.

Challenge

While performing an annual internal IT security assessment suspicious traffic streams have been detected. We were asked to investigate the issue in the process of the audit.

Solution

The traffic flows were analysed and followed to one of the production servers, on which an unauthorised web service bound to a high port was running. That service has been identified as hosting a password-protected site, accessible from several external IP addresses only. A man-in-the-middle attack was employed to capture login credentials for this site for further examination.

Result

Upon login, large volumes of illicit media content and pirated software were discovered and quarantined. An incident response procedure was initiated. As the outcome of the internal investigation one of the system administrators was found to be responsible and got fired immediately.

Benefit

The company has successfully avoided legal problems related to copyright infringement. A serious violation of the acceptable use policy is corrected sending a clear message to any would be offenders.


"Risky Bids"
A huge monetary loss and reputation damage are avoided.

Customer
The infamous hippodrome.

Challenge
A well-known hippodrome employed a wireless system to take real-time bids from gamblers mobile computers. The management of the hippodrome was concerned about possible bidding fraud and other malicious actions if the system's wireless protection mechanisms are compromised. Thus, they have decided to order a wireless security audit to establish whether such activities are possible and determine the best defence means against relevant wireless threats.

Solution
An in-depth wireless security audit was performed using several locations around the hippodrome where the attackers can position themselves without being captured on CCTV cameras. The auditors have discovered that the hippodrome wireless networks are safeguarded with WPA PSK (pre-shared key) and successfully cracked one of the keys, thus gaining access to the network it protected. Besides, an opportunity to run massive wireless denial of service (DoS) attacks using broadcast MAC addresses was demonstrated. Such an opportunity could cause significant financial losses if assailants block the very possibility to place bids electronically during a race. The audit report strongly suggested, that using a common shared password for multiple users access is unsafe, since rogue users would be able to snoop on their neighbours bids and modify them at will.

Result
In accordance with the auditors recommendations, a transition from WPA PSK to more secure WPA Industry countermeasures was performed. Access points firmware was updated to prevent broadcast-based DoS attacks. After a few months, a distributed wireless intrusion prevention system was deployed to monitor the hippodrome networks and deflect malicious hacking attempts.

Benefit
A huge monetary loss and reputation damage are avoided.


"Upgrade Enforcement"
An insecure authentication solution was replaced by a safe equivalent. The quality of the wireless network operations has dramatically improved.

Customer
A manufacturing plant.

Challenge
Cisco EAP-LEAP was employed to authenticate its employees to the wireless network covering the factory warehouses, offices and machine rooms. An argument whether the plant's IT department should spend time and effort to upgrade to the novel and more secure Cisco EAP-FAST authentication protocol led to requesting an independent wireless security assessment.

Solution
During the audit EAP-LEAP authentication credentials of several legitimate users were cracked allowing successful network association and further gateway scans. Using directional antennas, the auditors were also able to connect to the network and perform various security tests far away from the factory premises, thus avoiding being spotted by security guards and perimeter CCTV systems. Besides, the reconnaissance phase of the assessment uncovered several non-802.11 sources of interference, that severely impaired wireless networks quality of service in selected warehouse storage areas. In these areas, wireless barcode readers were regularly used, and their connectivity problems were previously reported by workers. The interference sources were pinpointed as the elements of a distributed alarm sensor system deployed in the warehouses.

Result
Now the plant is using EAP-FAST to authenticate it's users and distribute WPA keys. After the network reconfiguration, all operational frequencies "polluted" by the alarm system sensors are carefully avoided.

Benefit
An insecure authentication solution was replaced by a safe equivalent. The quality of the wireless network operations has dramatically improved.


"A Phishing Trip"
Multiple possibilities of unauthorised access and theft of confidential data via employees mobile computers are prevented.

Customer
A multinational manufacturer.

Challenge
One of the largest multinational corporations has asked our consultants to present on wireless client-side vulnerabilities and defence at its annual security conference. It was expected that the presentation will be accompanied by practical demonstrations of the relevant issues.

Solution
The attendees, themselves security or networking consultants and IT managers, were forewarned that the presentation would include live demonstrations of various client-side attacks. Thus, out of caution, they have turned off wireless support of their laptops and PDA's during the demonstrations. As our consultants were escorted out by security guards after the presentation was over, the CISO of the corporation has joined them for an after-talk discussion. The same attacks were repeated in the CISO's presence outside the conference hall. As the attendees started to turn back wireless capabilities of their mobile hosts, multiple laptops were force-associated by the consultants and several login credentials were successfully phished out, while other interesting data were also captured.

Result
The CISO has recorded MAC addresses and usernames, that belonged to the owners of the vulnerable laptops. In the future, strong wireless client security policies were introduced and reinforced in practice.

Benefit
Multiple possibilities of unauthorised access and theft of confidential data via employees mobile computers are prevented.


"Angry busybody"
The perpetrator of the attack is pinpointed and fired. Corrective measures are taken so that such incidents would not reoccur.

Customer
A multinational oil company.

Challenge
The company has suffered from a confidential personal information disclosure and hired our consultants to establish the definite source of the leak.

Solution
We have thoroughly investigated all Human Resources department servers and workstations storing such information looking for any potential signs of unauthorised access, as well as backdoor and keystroke logger installation. As a result the time, likely source and detailed nature of unauthorised access to personnel files were clearly established. The attacker appeared to know valid administrative login credentials and did not use any exploits to gain access to the systems involved. He or she has connected remotely via the corporate VPN and copied the information on selected employees by opening the files and doing cut & paste into a separate document. Some of the documents accessed were password-protected and apparently broken into via a standard dictionary attack, as the passwords weren't strong enough. Later, some but not all of the personal data obtained by the attacker were selectively distributed from a free webmail account registered to a non-existing third party. Our consultants worked closely with the internal investigation team to discover the true identity of the assailant and eliminate all possibilities of some external hacker or physical impostor hijacking and abusing the resources used for unauthorised access.

Result
It turned out that one of the company's remote branches system administrators is guilty. As the documented evidence collected by our team was presented to him on a disciplinary hearing, the perpetrator confessed that he did it for reasons of personal dislike and revenge. He was summarily dismissed, however the company's management decided not to pursue the case in the Court of Law. As a side effect of the investigation, the company has introduced stricter access policies and password guidelines together with technical configuration safeguards needed to reinforce them in practice. We have assisted their IT team in implementing these countermeasures, so that the probability of similar attacks in the future is strongly reduced.

Benefit
The perpetrator of the attack is pinpointed and fired. Corrective measures are taken so that such incidents would not reoccur.


"Talking to the crew"
The company has fully recovered from the incident and fulfilled its legal duties.

Customer
A software solutions development company.

Challenge
Suspicious network activity was reported. We were asked to assist with the investigation.

Solution
The analysis of data traffic has demonstrated that one of the Linux servers belonging to the company is used as a SPAM mail relay and a peer-to-peer file distribution node while hosting an unauthorised IRC service - everything being a sign of a successful break-in. Traffic dumps were prepared as evidence, and the server was quarantined with images of it's hard drives and operational memory dumps taken and thoroughly analysed.

Result
The investigation has discovered both the vulnerable network service and the likely exploit used to gain unauthorised access. Chat and peer-to-peer file sharing services set up by the attackers, as well as alterations in the legitimate E-mail service running on the server were studied and documented as evidence for the Court of Law. However, the hackers did a very good job at erasing all logs beyond any reasonable restoration, and there was no centralised logging system implemented within the company. Even though the standard anti-rootkit utilities did not discover any backdoors, we could not believe that the hackers did not leave a well-planted rootkit in place. A lateral approach was needed to proceed any further with the investigation. All suspicious traffic captured by the company's system administrators and during the investigation prior to isolation of the server was extensively studied to establish any traces related to the attackers online credentials and whereabouts. All the pointers related to such traces were then investigated on the Internet, finally leading us to a "crew" of Romanian hackers as highly likely perpetrators of the break-in. A social engineering attack pretending to be a motivated novice seeking advice from more experienced "colleagues" was performed against the hacker group, and after a few days of talking eventually handled us all information needed to search for and neutralise the custom rootkit (which was then discovered on two more systems belonging to the company). In a meanwhile, all evidence was submitted to the authorities.

Benefit
The company has fully recovered from the incident and fulfilled it's legal duties.