Going After BP

BP continues to be the subject of criticism following the Deepwater Horizon oil spill, and the hacking community appears to be taking exception to some of BP’s recent public relations activities in the online arena. Specifically, reactions to BP’s having bought the sponsored link for the search term ‘oil spill’ seem to have triggered resentment in the form of reconnaissance work, a Twitter account compromise, and an amusing cross-site scripting vulnerability.

In the Reddit case, the method shown and gotchas demonstrated are worth covering, although no actual hack takes place. The XSS demonstrated at the bottom of the post is just creative and funny.

Twitter

As widely reported, on May 27th BP’s official Twitter account was compromised and the following tweet was posted.

Pick a stronger password.


And while it’s not a hack, the spoof Twitter account BPGlobalPR has garnered some attention (150k followers) as a satirical response to BP’s actual public relations response. It has gotten enough attention that the real BP has made overtures to the fake account to better identify itself as a parody.

Reddit

Last night on Reddit a user, skipperdee, responded to a post about the BP sponsored link as follows:

Reconnaissance


Let’s walk through his suggestions:

VPN Login Screen

Looking at what’s here, he found what is ostensibly a VPN login screen for some extranet type applications: https://access.bpglobal.com/bp/C/login.html?_targetURL=https://access.bpglobal.com/pkmslogin.form (with what looks like an open redirect).

One mark against information security is that it offers either certificate-based authentication or, alternatively, login with just a plain ID and password.

https://access.bpglobal.com/help/bpcertExpired.html


A review of this screen (above), however, suggests that the user’s Windows (Active Directory) login is the same as their IDAM login, since it refers to an “NT ID and password”.

User Names

Our Reddit user goes on to show off a little Google hacking by demonstrating how to find the user names of BP employees:

http://www.google.com/#hl=en&q=%22Documents+And+Settings%22+site%3Abp.com&aq=f&aqi=&aql=&oq=&gs_rfai=&fp=dfdf66882bd03aae.

Username equals Warna3.


Because a number of BP employees use the built-in MS Word footer option for file name and path, their user names have been exposed in publicly released documents. Now that a number of usernames can be enumerated, with a brute-force password cracker it’s off to the races for an attacker.
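The pre-publication check implied above, as an added example that is not from the original post: scan the text of documents about to be released for embedded Windows profile paths and report the account names they leak. It covers the XP-era “Documents and Settings” form seen here and, as a generalization, the newer C:\Users\ form; the sample pages are constructed.

```python
import re

# Windows profile paths that Word's "file name and path" footer embeds in a
# document. Matches both "C:\Documents and Settings\<user>\..." (the form on
# the page) and "C:\Users\<user>\..." (newer Windows; a generalization).
PROFILE_PATH_RE = re.compile(
    r"[A-Za-z]:\\(?:Documents and Settings|Users)\\([^\\\r\n]+)\\",
    re.IGNORECASE,
)


def leaked_usernames(text):
    """Return the set of account names exposed by embedded profile paths."""
    return {m.group(1) for m in PROFILE_PATH_RE.finditer(text)}


def scan_pages(pages):
    """Map page index -> sorted usernames leaked on that page; clean pages omitted."""
    findings = {}
    for i, page in enumerate(pages):
        names = leaked_usernames(page)
        if names:
            findings[i] = sorted(names)
    return findings


# Constructed sample pages (not from any real BP document): the kind of footer
# text that survives a Word -> PDF export and ends up in a search index.
SAMPLE_PAGES = [
    "Investor release Q1 ... C:\\Documents and Settings\\alice3\\My Documents\\release.doc",
    "Safety card ... C:\\Users\\jsmith\\Desktop\\card.docx  Page 2 of 2",
    "Press release text with no embedded paths.",
]

if __name__ == "__main__":
    for page, names in scan_pages(SAMPLE_PAGES).items():
        print("page %d leaks usernames: %s" % (page, ", ".join(names)))
```

Run it over text extracted from each document (pdftotext or similar) before the file goes to the /STAGING site; a non-empty result means the footer should be stripped and the document re-exported.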

Documents

He then goes on to demonstrate that publicly available sites have a sub-directory /STAGING which appears to show semi-public documents (releases to the press, investor releases, etc.).

http://www.google.com/#q=site:bp.com+inurl:staging+%222010%22&hl=en&start=0&sa=N&fp=dfdf66882bd03aae

It’s unclear whether anything unusual is publicly exposed here. One document, which shows the oil spill projections, is marked “official use only”; however, that’s a lot like saying something is under copyright but still releasable. Another is marked “Project Confidential”, but it’s unclear whether it left that classification when it was added to the /STAGING site.

Situation Map.


Like a lot of large companies, there’s probably more online than should be, but it doesn’t appear /STAGING has any special significance as an intranet type site. I will confess, this is my favorite document, the April 2008 company magazine:

BP Horizon: The Battle to Secure Company Data.


Some Passwords

There are two old passwords in two of the files, a form and a newsletter; both are for ibackup.com access, which, like other document-sharing sites, has a public-folder concept. Given their age, there probably isn’t much of an issue here; however, password re-use inside organizations is quite common.

ID: bproadmap
PW: safety
journey_hazard_assessment_card_2009_02_18.pdf

ID: bpshipping02
PW: flag01
Flag_29_May_2008.pdf

In the case of the second ID, it certainly looks like the kind of ID and password that gets incremented for different things (bpshipping01, bpshipping03, flag02).

PHP File Include and XSS

Finally, the Reddit commenter points out the energiser.bp.com URL as one that appears to be a web application with a few issues, including potentially a PHP remote file include or arbitrary file access:

http://energiser.bp.com/help.php?module=moodle&file=insert file here

The site appears to use Moodle, a popular CMS platform, so that is something else that could be looked at. However, holisticinfosec got there first, and best, with an XSS-based iframe injection:

http://energiser.bp.com/login/index.php?lang=%22%3E%3Ciframe%20src=http://www.tampabay.com/multimedia/archive/00121/SP_322824_BORC_oilp_121445c.jpg%20width=450%20height=300%20frameborder=0%20scroll=no%3E%3C/%3E%3C/;document.write%28unescape%28a.source%29%29;{//

iFrame inclusion on a bp.com site.
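The defect behind that injection, and its fix, as an added example that is not Moodle’s code nor anything from the original post: a stand-in template reflects the lang parameter into an attribute unescaped, so a value beginning with “> closes the attribute and the tag and starts a new element. The hardened versions HTML-encode the value, or better, only accept it from an allow-list. The payload is a constructed one in the same shape as the reported URL.

```python
import html

TEMPLATE = '<input type="hidden" name="lang" value="%s">'


def render_vulnerable(lang):
    """Reflects the parameter verbatim: a quote in the value breaks out of the attribute."""
    return TEMPLATE % lang


def render_hardened(lang):
    """HTML-encodes the value so quotes and angle brackets stay inert inside the attribute."""
    return TEMPLATE % html.escape(lang, quote=True)


def render_allowlisted(lang, allowed=("en", "en_gb", "de")):
    """Strictest option: a language code must come from a fixed list, else fall back to 'en'.
    Encoding is still applied, so the two defences do not depend on each other."""
    return render_hardened(lang if lang in allowed else "en")


def breaks_out(rendered):
    """Crude detector: more than one '<' means the value injected a second element."""
    return rendered.count("<") > 1


# Constructed payload in the same shape as the one reported against the site:
# close the value attribute and the input tag, then open a new element.
PAYLOAD = '"><iframe src="https://example.invalid/image.jpg">'

if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(PAYLOAD))
    print("hardened:  ", render_hardened(PAYLOAD))
    print("allowlist: ", render_allowlisted(PAYLOAD))
```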


Finally

Is most of this nonsense from a hard-core security standpoint? Yes, to an extent. The XSS ought to be corrected, and two-factor authentication on VPNs is kind of a must-have at this point.

Does BP need a security audit of their perimeter, web properties, online services used, and security policies? Also yes. Maybe schedule it after they plug that gushing oil geyser this August.

Filed Under: Web Site Defacement


Comments (3)


  1. really nice !!

    just keep after BP.

  2. [...] recover in the event of a cyberevent. By the looks of things BP is dealing with their fair share of Hacktivism right now. [...]