An example of The Chain of Trust

2016-03-11
, , , , , ,
Padlock-light-silver.png

A long while back, this blog lost its database. That's why it went dark for some months.

The host claimed that the database was dropped using it's hosting control panel. This post is an examination of that claim using The Chain of Trust.

It tries to break down that claim and other possibilities to understand their likelihood and difficulty. This is a method to untangle claims to line them up and go down that list. If at any point a link in that chain is seen to be impossible, then the entire claim falls apart.

This is the reasoning that should be done with any discussion, especially something as important as the law. Make a bulleted list, go down it from start to finish. For each link, show another chain coming off of it. Any link from that parent-chain that branches must itself have one single unbroken chain.

This could be demonstrated physically, even graphically, but is straightforward to do in a top-down list (a post), a bulleted list for the main chain, bulleted lists for each link, and hyperlinks for any shared problems.

I don't know that I demonstrated this very well, but I'll give it a shot with a real-world claim.



Table of Contents [hide]

Database dropped from the control panel

Let's begin with the claim "the control panel was used to drop the database".

We begin backwards by listing that item, and then list as many dependencies as can be thought of. This creates a user story which could feasibly be followed to reach the goal.

Whenever multiple possibilities could exist, an entirely separate chain is branched off from the parent.

The host's claim is that "someone" accessed the control panel and dropped the database. Since it wasn't the administrator, it had to be someone else.

This is the chain for someone accessing the control panel:

  • Drop database
  • Access hosting control panel
  • Get the password for the Firefox encrypted password file
  • Get the Firefox encrypted password file
  • Remotely access the administrator's computer

  • Attain the administrator's personal IP

We can go through that chain and examine each one.

Further complexities

Many problems have additional complexities, making the tree of possibilities significantly broader.

Attain the administrator's personal IP

  • Get it from another website.
    - Any number of websites could have the administrator's IP address. This would not only require that administrator to use one of those websites but requires a link to their identity.

    • Commenting on a website.
    • via email
      - This requires knowing the administrator's email address, which is trivial.
      - No outside communication is made through email, so this is impossible via an embedded image. A reply to an email would give this information.
      - If the administrator used their IP to access a mailing list, if that information is recorded then that would be a simple way to gain their information. This is never done through any mailing list I'm aware of, but email host information may be. Going down that chain of trust is entirely unreasonable though, as it would require getting that information from the email host itself. e.g. Google, Yahoo, Microsoft, the administrator's ISP, of even the administrator's government citizen-spying program.

  • From the blog

    • A WordPress security hole, then the most reasonable vector would be accessing the administrator's IP from one of the blog's WordPress Plugins which might store such information. I can't think of many examples which would even do that. Akismet and W3 Total Cache perhaps, but the latter is not even enabled and the former is unlikely.
      (difficult if even possible)
  • Access the server itself, to get access logs with their associated IPs.
    - This would require all manner of strangeness. Getting the knowledge of what hosting service would be simple, but traversing their data to find one particular IP associated with the administrator is .. difficult.
    (next to impossible)

  • Access IP visitor tracking.
    - An outside service was used to track visitors. If the administrator's IP is included in their logs, then it (among many) would be available.
    - Getting access to that information is difficult enough, but many of those IPs would have to be tested and cracked into, which seems doubly difficult to me.
    (very difficult)

This entire tree is difficult at best.

(difficult)

Keylog capture

  • Attain the administrator's personal IP
  • Remotely access the administrator's computer
  • Install keylogger
    - This would require elevated permissions, which is non-trivial. The keylogger itself would have to be crafted to somehow hide its process. I researched this, and it appears to be possible.
  • Capture keystrokes
    - With elevated permissions, installing software to do this would be simple enough that the actual keystroke capture would be simple.
  • Retrieve keylog file
    - This would be as difficult as installing the keylogger in the first place, requiring the same network and computer access.

  • Remove keylogger
    I did not detect a keylogger, so either

    • I couldn't and still can't find the keylogger
    • , or more likely I did a system reinstall and ended up removing all trace of it before a possible detection.

This entire tree is difficult at best.

(difficult)

Get a password

  • Brute-force attack
    - A brute-force attack is by far the most likely. A dictionary attack with a little variation could have done it.
    - Here there would be an additional branch describing the steps to do this.
    (moderate difficulty)
  • Attack Implementation
    - The security which the password file uses could itself have an implementation that could be attacked. The open source libraries may have an exploitable hole. Still, the "many eyes" concept could make this extremely hard, especially for a "script kiddie" who isn't on top of such things. The fact that the administrator's operating system at the time, Lubuntu, is aggressive about security patches, make this very unlikely.
    (difficult, unlikely)

  • Keylog capture
    (difficult)

This entire tree is difficult at best.

(difficult)

TODO Remotely access the administrator's computer

Once the administrator's IP is known, gaining access to their computer is the hurdle.

  • Penetrate ISP-facing router.
    - I hate saying it, but this is fairly easy.
  • Penetrate internal routers and firewalls
    - This is more difficult, but still fairly easy for someone that knows what they're doing.
  • Identify individual computer on the network.
    - If more than one computer is on that network, and they are not identified in router logs, then all would have to be checked.
  • Penetrate the administrator's computer's software firewall.
  • Penetrate Linux.

  • Gain elevated permissions.

Those last few items are by far the most difficult things on this list.

(difficult)

We can still say things like "gain physical access to the administrator's computer", which would require a new chain that includes

  • Associating the website with the administrator's physical location.
  • Finding their address.
  • Breaking into their facility, undetected.
  • Breaking into the server room, undetected.

  • Physically accessing their computer, undetected.

This is basically impossible if it includes things like 24/7 physical security and auditing.

Well, the host lied.

Perhaps the database was dropped from the host's server because of a hole in WordPress or their server software. Lots of difficulties exist with that, but it's far more reasonable.

It's far more likely they fucked up a backup, a system update, or the like, and blamed the administrator.

Stuff

Further investigation reveals that a possible second crack dropped the admin account.

Comment

Leave a Reply

Your email address will not be published. Required fields are marked *