When one of my team members recently responded to network-down call at a client's home office, he quickly established, beyond a shadow of a doubt, that the edge device -- a customer premise equipment (CPE) router -- had been compromised. Regaining control of the edge router proved difficult. A neighbor who was within range of the 802.11n wireless radio was actively hacking the router, overpowering the field tech with password resets in real time. In order to regain control of the network, the tech had to remove the antennas, allowing for LAN access only to the routing edge, and effectively cutting off the hack by cutting off his basic access.
When the field engineer recounted this story, I was skeptical. Traditionally an active hack on an edge device is something found only in corporate networks that house a treasure trove of corporate information. You know: credit card numbers, medical records, all sorts of information that someone can exploit for monetary gain. Traditionally, the sophistication level required to overpower an edge device has been out of reach to the "script kiddies" or low-level code miscreants.
My engineering meeting soon dissolved into a heated discussion about the availability and sophistication level someone would need to compromise CPE. We decided to pull the packet logs from the routing edge and sleuth out the user type, based on traffic type. The compromised network did not have any saleable information, only client contact files. There were no credit card numbers -- just your basic contact information, such as email addresses and cellphone numbers. Not exactly the family jewels, digitally speaking.
We determined the leveraged network was used as an access device for a gaming console -- with access only being sought after school hours. Based on the traffic type, we figured our hacker was a school kid playing Gears of War. In other words, a middle-schooler had bypassed what has been thought of as a sophisticated security paradigm. This kid had changed basic access passwords, altered the default IP address scheme had, and enabled WPA2 security. None of the traditional security tactics worked; this kid defeated them all, in real time.
Our answer to the client was simple: Upgrade your edge device to a more current hardware version, hoping to outrun the digital truant. The teen has not gained any access since the upgrade. Time will tell.
The question bothered me. How could a middle-schooler with an Xbox defeat an encrypted password set? Apparently, there are videos out there that explain how to do this. A security consultant, Pedro Joaquin of Mexico City, said he has sent these exploits to CPE manufacturers and, he warned, none are immune.
As a security professional, my visit to one exploit site sent a chill down my spine. It showed a tool set that can be captured and used offline from a tablet, gaming console, or cellphone -- anything that runs Java. More than 115 exploits are available, free, anytime -- on or offline -- from virtually any device with an interface and a processor.
In the past, my greatest concern for small and midsized business users has centered around their adherence to good password management, about changing the shipping default user name and password for edge devices, for example. Too often, the CPE that the broadband service provider delivers is not accessible to the end user or contracted IT resource. This fact plays into the hands of the nefarious user or digital thief, given this highly available tool kit.
In a vast conglomerate or midsized organization, think about all those employees who telecommute part time, who answer business emails from their iPads, or revise spreadsheet figures at the breakfast table on Monday morning. These days, who doesn't work from home sometimes? Which colleague might be sending confidential or sensitive data from his flimsy household network? Who's living next door, down the road, or across the backyard?
Taking your data to the cloud, and getting your primary data storage out of the LAN and into a more secure enterprise-based solution, is becoming more urgent. For many generations of data access -- a cycle that runs in dog years -- the web has not been a nice neighborhood. Data thieves, traditionally looking for saleable data, are around every corner. With the advent of easy to use exploit tools, the cancer of hacking has spread to your front door.
No comments:
Post a Comment