Poor OpSec at the North Pole

Mr. Thistleton
Hykel and I watched Prep & Landing: Naughty vs. Nice a couple of nights ago. Most of what I'm going to say should be ignored, because this is a fun Christmas movie about the importance of family. That said, I noticed a whole bunch of poor practices going on in the North Pole's IT department…

This is Mr. Thistleton, the head of the North Pole's IT. One of the first things you hear him say is "Protective firewalls are in place." Great first start, Thistleton. In the early scenes, we see JingleSmell1337's first attempt at hacking into the system.


This attack manages to interrupt the entire production line. We know from the first scene in the film that JingleSmell1337 (Grace) is connecting to the North Pole's systems through a stolen Fruitcake Conduct Calculator, a device that allows Coal Elves to provide on-the-ground surveillance of naughty kids and deliver coal to them. Thistleton states that they only recently discovered that the calculator had fallen into Gracie's hands. A few thoughts about this:

  1. Why wasn't the theft or loss of this equipment reported immediately upon the Coal Elves' return? Depending on the North Pole's checkout and ownership practices it's an understandable oversight, but it raises the questions below…
  2. If you have critical pieces of equipment that have access to secured systems, that access should be revoked the moment the equipment is known to be compromised. The firewall previously mentioned should be blocking everything coming from that device.
  3. Why are your systems not siloed from each other? Why is a bad, malformed, or otherwise invalid signal from one device able to stop everything?!?

So, let's suppose that none of that matters; maybe Grace just figured out how to use the calculator to access the system. Whatever means she was using before, she has now fallen back to simply trying to brute-force the password. This is where we learn that the password is the magic word "PLEASE".


Have you ever tried to guess a password? People (and programs) that try to guess passwords work within what's known as a "search space". It refers to the maximum number of different characters that the password could contain. This matters because when you're "brute-forcing" a password, you have to guess every possible combination it could be; if you know the limit of which characters were used, you don't have to guess as much. For instance, if your password were only one character long and it was a letter of the alphabet, I would have to check all 26 letters of the alphabet. If, however, that one character could also be a digit, you have to check 36 characters to be guaranteed to find it. Now add all the capital letters: 62 characters. And if you make your password two characters long, now I have to guess every combination for both positions. That's why password length is important, and it's why your bank requires a capital letter, a number, and some minimum length. BUT, there's an easier way: attackers know that most people are lazy. So instead of trying every combination of letters, you do what's called a dictionary attack. A dictionary attack tries all the words it can think of, because most people are going to use words they know, and those are words from a dictionary. So you guess those first.

Anyway, going back to the show, it looks like the password input is stylized to be capital letters, which means that instead of 52 characters, we're only looking at a 26-character search space. What we know now is that the search space for this password is 26 characters. But it doesn't matter.

According to Wiktionary, "please" is the 696th most common word in the English dictionary. Suppose you can try a new password once a second: less than 12 minutes, and you're in.
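To put numbers on the search-space argument above, here is a small added calculator (my own example, not anything from the film or the post's author). It computes the size of a keyspace for a given alphabet and length, the worst-case time to exhaust it at a fixed guess rate, and the time to reach a word at a given rank in a frequency-ordered wordlist. The alphabet sizes (26, 36, 62), the rank 696 for "please" and the one-guess-per-second rate are the figures from the post; everything else is constructed for illustration.

```python
from typing import Dict

# Alphabet sizes for the character classes discussed in the post (constructed table).
CHARSETS: Dict[str, int] = {
    "lowercase": 26,
    "lowercase+digits": 36,
    "mixed-case+digits": 62,
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters drawn from the alphabet."""
    return alphabet_size ** length


def worst_case_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Time to try every candidate in the keyspace at a fixed guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


def dictionary_seconds(word_rank: int, guesses_per_second: float) -> float:
    """Time until a word is reached when guessing a frequency-ordered wordlist.

    rank 1 is the very first guess, so the 696th word takes 696 guesses.
    """
    return word_rank / guesses_per_second


def min_length_for_budget(alphabet_size: int, guesses_per_second: float, seconds: float) -> int:
    """Smallest length whose full keyspace takes longer than `seconds` to exhaust.

    This is the defender's view of the same arithmetic: pick a minimum length so that
    exhaustive guessing is not feasible within the attacker's time budget.
    """
    length = 1
    while worst_case_seconds(alphabet_size, length, guesses_per_second) <= seconds:
        length += 1
    return length


if __name__ == "__main__":
    rate = 1.0  # one guess per second, as in the post
    for name, size in CHARSETS.items():
        for length in (1, 2, 6):
            secs = worst_case_seconds(size, length, rate)
            print(f"{name:18s} length {length}: {keyspace(size, length):>12d} candidates, "
                  f"{secs / 86400:.1f} days worst case")
    # "please" is the 696th most common word: a dictionary attack reaches it in under 12 minutes.
    print(f"dictionary attack on 'please': {dictionary_seconds(696, rate) / 60:.1f} minutes")
    # Minimum uppercase-only length to survive an hour of guessing at this rate.
    print(f"min length for 1 hour budget (26 chars): {min_length_for_budget(26, rate, 3600)}")
```

The point the numbers make is the post's: a six-letter all-caps password has a keyspace of 26^6, which is years of guessing at one attempt per second, yet a six-letter dictionary word at rank 696 falls in minutes, so the alphabet size is irrelevant once the password is a common word.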

Lastly, and somewhat related to my earlier point: a broken antenna on the Fruitcake Conduct Calculator manages to start some sort of chain reaction that assigns every child in the world to the "naughty" list. Coming back to device management and user permissions, it seems pretty reasonable that Coal Elves (and therefore their FCC) assigned to a particular child would only be able to confirm that one child as naughty. The lack of data isolation is a bit concerning.
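The two device-management complaints in this post (revoke a compromised device's access immediately, and let a device act only on the child its elf is assigned to, with malformed input rejected rather than taking the whole system down) can be expressed as one small authorization check. The following is an added example of my own, not code from the film or the author; the device registry, the "FCC-0042"/"FCC-0099" device IDs, the child names and the `confirm_naughty` action are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Any, Dict, List, Set, Tuple


@dataclass
class DeviceRegistry:
    """Tracks which field devices may talk to the back end and what each is allowed to do."""

    # device id -> the single child that device's Coal Elf is assigned to
    assignments: Dict[str, str] = field(default_factory=dict)
    # devices reported lost or stolen; nothing they send is trusted afterwards
    revoked: Set[str] = field(default_factory=set)

    def enrol(self, device_id: str, child_id: str) -> None:
        self.assignments[device_id] = child_id

    def report_lost(self, device_id: str) -> None:
        """Revoke immediately on loss; do not wait for the elves' return trip."""
        self.revoked.add(device_id)

    def authorize(self, device_id: str, action: str, child_id: str) -> bool:
        """Least privilege: only an enrolled, non-revoked device, only one action, only its own child."""
        if device_id in self.revoked:
            return False
        if device_id not in self.assignments:
            return False
        if action != "confirm_naughty":
            return False
        return self.assignments[device_id] == child_id


def apply_reports(registry: DeviceRegistry,
                  reports: List[Any]) -> Tuple[Set[str], List[Tuple[str, Any]]]:
    """Apply a batch of field reports, returning (children marked naughty, rejected reports).

    A malformed report is dropped and logged; it never stops processing of the rest
    of the batch, and no single device can touch more than its own child.
    """
    naughty: Set[str] = set()
    rejected: List[Tuple[str, Any]] = []
    for rep in reports:
        try:
            device_id, action, child = rep["device"], rep["action"], rep["child"]
        except (KeyError, TypeError):
            rejected.append(("malformed", rep))
            continue
        if not registry.authorize(device_id, action, child):
            rejected.append(("unauthorized", rep))
            continue
        naughty.add(child)
    return naughty, rejected


def demo() -> Tuple[Set[str], List[Tuple[str, Any]]]:
    """Run a constructed batch: one legitimate device, one stolen device, a few bad reports."""
    registry = DeviceRegistry()
    registry.enrol("FCC-0042", "timmy")   # elf assigned to Timmy
    registry.enrol("FCC-0099", "gracie")  # this calculator is later stolen
    registry.report_lost("FCC-0099")

    reports = [
        {"device": "FCC-0042", "action": "confirm_naughty", "child": "timmy"},   # accepted
        {"device": "FCC-0042", "action": "confirm_naughty", "child": "suzy"},    # wrong child
        {"device": "FCC-0099", "action": "confirm_naughty", "child": "gracie"},  # revoked device
        {"device": "FCC-0042", "action": "mark_all_naughty", "child": "*"},      # no such privilege
        {"device": "FCC-0042"},                                                   # malformed (broken antenna)
        "garbage",                                                                # not even a dict
    ]
    return apply_reports(registry, reports)


if __name__ == "__main__":
    naughty, rejected = demo()
    print("naughty:", sorted(naughty))
    for reason, rep in rejected:
        print(f"rejected ({reason}): {rep!r}")
```

Two design points follow from the post's complaints: revocation is checked before anything else, so a device reported lost is cut off even if it is still enrolled and sending well-formed data, and the "all children" outcome from the film cannot happen because no action exists that touches more than the one child bound to the device.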

So, Mr. Thistleton: I appreciate that your job is hard. You're managing a very complex system, there are lots of people working under you, and you can't manage every one of them. However, you need to spend some time in the coming year fixing the weaknesses in your system. For what it's worth, you might want to just spin up an AWS instance and not worry about it.
