Case Study
Electronic Customer Service Channel Penetration Test
Industry: Telecoms
Location: Middle East
Scene
Our client, a telecoms company, was on a drive to reduce cost and increase the effectiveness of customer contact, and electronic channels were being investigated as part of that effort. The client had built infrastructure allowing customers to contact customer service representatives over the Internet: a web page with a Java chat client used to chat in real time with the customer service centre.
Challenge
During a chat session between customer and representative, confidential information may be exchanged, for example when the customer's identity is checked. The session is encrypted by the Java client, and the brief was to establish whether it was indeed secure.
Also in scope was an assessment of the risks to the customer service centre itself and the potential for it to be impersonated.
Engagement
The penetration test involved downloading and decompiling the Java applet that provides the client-side functionality of the chat channel. This was done using standard, freely available tools. The decompiled code was then examined to map its internal workings. When the 'encryption' code was located, it was seen that rather than using standard encryption APIs, the developers had written their own 'encryption' code.
This home-made 'encryption' was more like a simple mathematical transformation of blocks of strings. A transformation of this type can be reversed using code similar to that which performs the initial transformation, because no secret key is involved.
Further investigation of the decompiled code turned up debug parameters and debug code which gave additional insight into the workings of the client. This revealed the 'de-encryption' routine that performs the reverse transformation, turning the 'encrypted' chat session back into text. That routine was modified and run as a separate program. A chat session was then started with the customer service centre and captured from the network. The data portion of the session was fed to the 'de-encryption' program, which recovered the original text of the chat session.
To conclude this part of the engagement, attempts were made to subvert the server side of the channel. By sending data to the server side which does not follow the normal protocol
Results
The main result of the engagement was the finding that the supposed 'encryption' was not encryption at all, but scrambling that was easily reversed. The code required to reverse the scrambling was actually shipped, in compiled form, inside the Java client; with a little modification it was used to de-scramble chat sessions captured from the network.
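The weakness described above, as an added example in Go that is not the client's code: the applet's real transform is not given on the page, so the scrambler below is a constructed stand-in. It shows a keyless transform whose inverse follows from simply reading it, beside the standard-library AES-GCM construction that a keyed, authenticated channel should use.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"math/bits"
)

// Scramble is a constructed stand-in for the applet's home-made transform (the real
// one is not on the page): rotate each byte and XOR it with its block number. No secret.
func Scramble(in []byte) []byte {
	out := make([]byte, len(in))
	for i, b := range in {
		out[i] = bits.RotateLeft8(b, 3) ^ byte(i/4+1)
	}
	return out
}

// Unscramble is the 'de-encryption' step, obtained by reading Scramble backwards.
func Unscramble(in []byte) []byte {
	out := make([]byte, len(in))
	for i, b := range in {
		out[i] = bits.RotateLeft8(b^byte(i/4+1), -3) // undo the XOR, then the rotation
	}
	return out
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// SealAESGCM is the standard-library alternative: keyed and integrity-protected; nonce prefixed.
func SealAESGCM(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenAESGCM fails closed on a wrong key, a tampered message, or a truncated one.
func OpenAESGCM(key, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil { return nil, err }
	if len(sealed) < aead.NonceSize() { return nil, errors.New("sealed message too short") }
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
}
```

A captured scrambled session is recovered by anyone holding the client, whereas a captured AES-GCM session is useless without the key and any modification is detected on open.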
Risks to business
Reputational damage could have resulted from the ability to turn supposedly encrypted chat sessions back into their original text. If a malicious individual captured scrambled sessions and reversed them, confidential customer information could have been revealed.