Uh Oh, You Forgot
How it is Hacked
Anything that still speaks Simple Network Management Protocol (SNMP) version 1 or 2c, which in practice means most network gear deployed before SNMPv3 caught on (v3 was standardized in 2002, and vendors took years to make it the default). The early versions were convenient, but their design flaw, a cleartext community string as the only credential, means you have to go looking for them periodically; they don't announce themselves.
Communications in v1 and v2c are in plain text. The community string can be sniffed by any clever four-year-old child, and with the write community (often still the default "private") a single SetRequest that flips ifAdminStatus switches a port on or off. Have great fun. Even Lego thought it was too easy.
Do a full network probe: sweep every subnet for UDP/161 with the default community strings and whatever your installer used. Kill anything that answers, or at least put it on the fix list. A device configured for v3 only will not answer a community-string query at all, so anything that does answer hasn't done this drill. Convert to v3 as soon as is humanly possible, and insist on its authPriv mode; v3 also allows noAuthNoPriv and authNoPriv, which leave the payload just as readable as v2c.
Affects printers, alarms, routers, L2/L3 (Layer 2/Layer 3) switches, older managed Ethernet hubs and other switching gear, and many network-attached "non-computing" devices. Fix it: Now. Or shut SNMP off on it if you can't upgrade it.
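The probe described above, as an added example that is not part of the original article: a hand-built SNMPv1 GetRequest for sysDescr.0, a parser that lifts the community string straight back out of any v1/v2c datagram (which is exactly what a sniffer on the segment sees), and a UDP probe you can point at a subnet. Host addresses and the community strings are assumptions.

```python
# Added example (not from the original article). Builds an SNMPv1/v2c
# GetRequest by hand, parses the cleartext header back out of the
# datagram, and probes UDP/161. Hosts and community strings are assumptions.
import socket

SYS_DESCR = "1.3.6.1.2.1.1.1.0"
VERSION_NAMES = {0: "v1", 1: "v2c", 3: "v3"}


def ber_len(n):
    """BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body


def encode_int(n):
    """ASN.1 INTEGER with a minimal two's-complement body."""
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))


def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_get(community, oid=SYS_DESCR, request_id=1, version=0):
    """SNMP GetRequest. version 0 = v1, 1 = v2c. The community string
    travels as a plain OCTET STRING, which is the whole problem."""
    varbind = tlv(0x30, tlv(0x06, encode_oid(oid)) + b"\x05\x00")  # value = NULL
    pdu = tlv(0xA0, encode_int(request_id) + encode_int(0) + encode_int(0)
              + tlv(0x30, varbind))                                # error-status, error-index
    return tlv(0x30, encode_int(version) + tlv(0x04, community.encode()) + pdu)


def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_header(datagram):
    """What a sniffer sees in every v1/v2c packet: version, community, PDU type.
    v3 messages have a different layout, so only the version is reported for them."""
    _, msg, _ = read_tlv(datagram)
    _, ver, pos = read_tlv(msg)
    version = int.from_bytes(ver, "big", signed=True)
    if version == 3:
        return {"version": "v3", "community": None, "pdu_type": None}
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, _, _ = read_tlv(msg, pos)
    return {"version": VERSION_NAMES.get(version, str(version)),
            "community": community.decode("ascii", "replace"),
            "pdu_type": pdu_tag}


def probe(host, community="public", timeout=1.0):
    """Send a v1 GET to UDP/161; return the parsed reply header or None.
    Anything that answers with a GetResponse (0xA2) goes on the fix list."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get(community), (host, 161))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_header(reply)


if __name__ == "__main__":
    # Constructed "capture": the probe packet itself, as it appears on the wire.
    print(parse_header(build_get("private", version=1)))
    # Live use against an assumed address: print(probe("192.0.2.10"))
```

Run it against a list of subnets with the read and write community strings your installer used, not just "public"; a v3-only agent will simply time out, which is the answer you want.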
VPNs using PPTP(1) are made of rice paper. Wet rice paper. They work marvelously until they encounter one good breeze, and you're hacked.
Child's play. Breaking in is easier than opening a fresh box of granola bars and far less pleasurable.
IPsec(2) VPNs are preferred. If PPTP is absolutely unavoidable for a while, at least require MS-CHAPv2 with long random passwords (never PAP, CHAP or MS-CHAPv1) until you can redesign the VPN, but be clear about what that buys you. MS-CHAPv2 is an authentication handshake, not an encryption method: PPTP's actual cipher, MPPE, derives its keys from that handshake, so the tunnel is only as strong as the handshake, and the handshake reduces to a single DES key that can be recovered from a captured exchange in under a day. PPTP can also be run with certificate-based EAP-TLS instead of passwords, which sidesteps the password-derived keys, but hardly anyone knows how to deploy or support it. Not even me.
The usual reason people cling to PPTP is that IPsec is awkward behind NAT: ESP carries no port numbers, so a NAT device has nothing to track, and the IKE identity is tied to the address being rewritten. That is a NAT traversal problem, not a hop-count problem, and NAT-T (ESP wrapped in UDP 4500) solves it on any current implementation. IPsec's not easy, but PPTP VPNs are essentially insecure, leaving sysadmins always wondering whether the handshake someone captured last month is being dictionary attacked right now.
Wi-Fi Access Point Admin Open Public-Facing Ports!
Although some Wi-Fi AP admin pages have silliness like a Captcha, many have no lockout or rate limiting at all, so they can be dictionary attacked as fast as packets can be thrown at them.
This back door is usually left open by installers so they can do remote tech support without needing a physical presence in your offices. Pick up the hammer, disable the external admin port, and bang it on their fingers!
You're asking for problems if you allow public-facing admin access. It's better to reach the APs over an SSH tunnel through a bastion host, or through a proxy in the DMZ, with access from the inside only. If you make a door, someone will try to open it.
Lucky Cable Plant
Perhaps you carefully restricted your Wi-Fi access, but if you put an Ethernet jack in your office lobby, someone will try to use it.
Although NAC(3) helps prevent this, there's the inevitable call from the receptionist, wondering if our guest can have access to the company network – just to check email, of course. If you don't allow guest Wi-Fi access, why give them a jack?
Examine each public area for network jack connections, then install blank face plates over the jacks and administratively shut down the corresponding switch ports, noting the exact locations of both for posterity and future reference. The plate stops the casual visitor; the shut port stops the determined one.
Fire, Humidity, Smoke, and Door Alarms: Every Port In a Storm
It was clever to tie all of those devices to the network. Now every one of them is an entry point: unplug the sensor, plug in a laptop, and listen to your wiring.
Like the jacks in the reception area, some organizations hang lovely PoE(4) devices off the same switches, often the same VLAN, as everything else. They may rarely pass more than a few small packets, but connect a laptop with Wireshark on it to that port, and it's sniffing time!
If your switches don't send a link-down trap (or syslog message) when a port drops, even momentarily, and nobody alerts on it, an attacker can unplug an Ethernet-wired alarm of any kind, put a laptop in its place (or a hub in between), and merrily listen to whatever conversations are on that segment. Port security (sticky MAC addresses) and 802.1X make the swap harder; they don't replace the alert. Yum!
There are any number of methods to connect your building to the last-mile Internet provider. You monitor your side of the customer/vendor demarcation block, but what about your provider's side?
Checking the physical security of where your data provider plugs into your network is important. Even fiber demarcs often have service connections (a console or management port meant for the technician). But you have to wonder: Just how secure are they?
If you have multiple or backup routing demarcation points, check all of them. Test the locks and try the cabinets yourself, because if you don't, the vendors probably haven't, either.
I bet you use a syslog analyzer. One that captures logs from every possible source and normalizes the data, hunting and sniffing for odd behavior, and for packet destinations in a five-story military building in Beijing. Right? Right?
No one ever reads the system logs. Read Facebook? Sure. Read Twitter? In a heartbeat. The system logs, event logs, door logs, NOC alarms, SNMP traps… all of them? Or even the handy log analyzer? No. Three-hour lunches are cool. Unless someone's eating yours.
You need a log normalizer, and you need to look for deviations from your baseline: a login source that has never appeared before, a surge of failures, an outbound connection to an address nothing on your network should be talking to. But you still have to read the logs. No Facebook. No Kings of Conquest. Until. You're. Done. Daily.
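The normalize-then-look-for-trends step, as an added example that is not part of the original article: a small normalizer over a few constructed syslog lines that surfaces two of the patterns worth reading for, repeated login failures from one source and outbound flows to destinations nothing inside should be talking to. The hostnames, the `[EGRESS]` firewall tag, the allow-list and the addresses (RFC 5737 documentation ranges) are all assumptions.

```python
# Added example (not from the original article): a tiny syslog normalizer
# plus two "trend" checks over constructed sample lines. Hosts, the [EGRESS]
# log tag, the allow-list and all addresses are assumptions.
import ipaddress
import re
from collections import Counter

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w./-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
AUTH_FAIL_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)")
EGRESS_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*DPT=(?P<dport>\d+)")

# Constructed sample: four failures from one address, one from another,
# and two outbound flows logged by a firewall rule tagged [EGRESS].
SAMPLE_LOGS = """\
Mar  3 09:12:01 gw sshd[2211]: Failed password for root from 203.0.113.9 port 41522 ssh2
Mar  3 09:12:02 gw sshd[2211]: Failed password for root from 203.0.113.9 port 41523 ssh2
Mar  3 09:12:02 gw sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 41524 ssh2
Mar  3 09:12:03 gw sshd[2211]: Failed password for root from 203.0.113.9 port 41525 ssh2
Mar  3 09:12:04 gw sshd[2211]: Failed password for alice from 203.0.113.55 port 50100 ssh2
Mar  3 09:12:05 gw sshd[2212]: Accepted publickey for alice from 10.0.5.23 port 50102 ssh2
Mar  3 09:12:05 fw kernel: [EGRESS] IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=10.0.1.5 PROTO=TCP DPT=445
Mar  3 09:12:06 fw kernel: [EGRESS] IN=eth1 OUT=eth0 SRC=10.0.5.41 DST=198.51.100.77 PROTO=TCP DPT=443
Mar  3 09:12:07 printer01 lpd: job 17 accepted
"""


def normalize(text):
    """Turn raw lines into dicts that share a 'kind' field."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # in production, count unparseable lines too
        ev = m.groupdict()
        ev["kind"] = "other"
        if (a := AUTH_FAIL_RE.search(ev["msg"])):
            ev.update(kind="auth_fail", user=a["user"], src=a["src"])
        elif "[EGRESS]" in ev["msg"] and (e := EGRESS_RE.search(ev["msg"])):
            ev.update(kind="egress", src=e["src"], dst=e["dst"], dport=int(e["dport"]))
        events.append(ev)
    return events


def brute_force_sources(events, threshold=3):
    """Sources with at least `threshold` failed logins in the window."""
    counts = Counter(ev["src"] for ev in events if ev["kind"] == "auth_fail")
    return {src: n for src, n in counts.items() if n >= threshold}


def unexpected_egress(events, allowed):
    """Outbound flows whose destination lies in none of the allowed networks."""
    nets = [ipaddress.ip_network(n) for n in allowed]
    return [(ev["src"], ev["dst"], ev["dport"]) for ev in events
            if ev["kind"] == "egress"
            and not any(ipaddress.ip_address(ev["dst"]) in net for net in nets)]


if __name__ == "__main__":
    evs = normalize(SAMPLE_LOGS)
    print(brute_force_sources(evs))
    print(unexpected_egress(evs, ["10.0.0.0/8", "192.0.2.0/24"]))
```

The allow-list is the part that needs care: it should be the destinations you know about (internal ranges, partners, your own cloud prefixes), so that the remainder is a short list a human will actually read each morning.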
All Your Printer Server Are Belong To Us
There is perhaps no device on a network more publicly accessible than a print server, and therefore no device more ripe for abuse. Printers are usually wide open and would accept jobs from the International Space Station.
Print from a Mac? AFP? CIFS? NFS? Samba? Active Directory? eDirectory? AnybodyDirectory? No authentication? No problem! Tighten down accessibility until you hear the users scream, then loosen up slightly. In all seriousness: print servers, especially those managed by MSPs(5), will accept a job from a vagrant. They're a back door. Close it. Feel the room get warmer.
Printers are almost guaranteed to be as wide open as the Grand Canyon. Go through the manual and disable every protocol you don't actually use (raw port 9100, LPD, IPP, FTP, Telnet, the web admin page, SNMP v1/v2c), restrict the ones you keep to the print server's address, and change the default admin password. Use vice grips if necessary.
The Service Guy Scam
Although this didn't happen in the United States, it could have: a service guy in uniform gets admitted and installs an entire system that captures traffic (think a Wireshark filter aimed at the sales department's database server) and proxies it out to a competitor. No fingerprints. The IP C&C(6) server is in Romania.
Asset tags, anyone? This machine might even have had one. What good is the asset-management section of your network management system if no one cares about a new MAC address on the network? This one was found only after the system died and someone wondered why it hadn't been serviced. Uh oh.
This is one of the strongest arguments for Network Access Control (NAC). Unknown MAC address? Duplicate IP address alert? A known device turning up on the wrong port? It's time for a hunt. Today. Not tomorrow.
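The "new MAC address on the network" check, as an added example that is not part of the original article: it compares a switch neighbor table against an asset inventory and reports the three things that should start a hunt, a MAC nobody registered, two MACs claiming one IP, and a registered device showing up on the wrong port. The same check catches the laptop plugged into an alarm sensor's jack from the "Every Port In a Storm" section above, which is how the constructed data is arranged. The inventory, the neighbor table, every address and every MAC are assumptions.

```python
# Added example (not from the original article): audit a neighbor/MAC table
# against an asset inventory. All devices, addresses and MACs are constructed.
from collections import defaultdict

# Constructed inventory: MAC -> (expected IP, expected switch port, description)
INVENTORY = {
    "00:11:22:33:44:01": ("10.0.5.10", "Gi1/0/1", "sales-db01"),
    "00:11:22:33:44:02": ("10.0.5.11", "Gi1/0/2", "sales-ws-02"),
    "00:11:22:33:44:03": ("10.0.5.12", "Gi1/0/3", "fire-panel-lobby (PoE)"),
    "00:11:22:33:44:04": ("10.0.5.13", "Gi1/0/4", "printer-2f"),
}

# Constructed neighbor table dump: (ip, mac, port). Port 3 is the lobby fire
# panel's jack; it now shows an unregistered MAC that also claims the panel's
# IP, which is what a hub-in-the-middle tap looks like. The printer has been
# re-patched to port 9 without anyone updating the inventory.
NEIGHBORS = [
    ("10.0.5.10", "00:11:22:33:44:01", "Gi1/0/1"),
    ("10.0.5.11", "00:11:22:33:44:02", "Gi1/0/2"),
    ("10.0.5.12", "00:11:22:33:44:03", "Gi1/0/3"),
    ("10.0.5.12", "A4:B1:C1:00:BE:EF", "Gi1/0/3"),
    ("10.0.5.13", "00:11:22:33:44:04", "Gi1/0/9"),
    ("10.0.5.77", "A4:B1:C1:00:BE:EF", "Gi1/0/3"),
]


def audit(neighbors, inventory):
    """Return findings keyed by category; every list empty means nothing to hunt."""
    unknown = defaultdict(list)   # mac -> [(ip, port), ...]
    moved = []                    # (name, mac, expected_ip, seen_ip, expected_port, seen_port)
    by_ip = defaultdict(set)      # ip -> {mac, ...}
    for ip, mac, port in neighbors:
        mac = mac.lower()
        by_ip[ip].add(mac)
        if mac not in inventory:
            unknown[mac].append((ip, port))
            continue
        exp_ip, exp_port, name = inventory[mac]
        if ip != exp_ip or port != exp_port:
            moved.append((name, mac, exp_ip, ip, exp_port, port))
    duplicates = [(ip, sorted(macs)) for ip, macs in by_ip.items() if len(macs) > 1]
    return {"unknown_mac": dict(unknown), "duplicate_ip": duplicates, "moved_device": moved}


def needs_hunt(findings):
    return any(findings.values())


if __name__ == "__main__":
    report = audit(NEIGHBORS, INVENTORY)
    for category, items in report.items():
        print(category, items)
    print("HUNT" if needs_hunt(report) else "quiet")
```

Feed it from whatever you already collect (an `ip neigh` dump, a switch MAC table via SNMPv3, a DHCP lease file) on a schedule short enough that a device which appears and disappears between runs still gets noticed, and treat an empty inventory entry as a finding in its own right.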
Diving for Dollars
Yes, I mean your trash. Don't want to pay Iron Mountain or someone else to slice and dice your paperwork? Think none of your docs will be juicy to the competition? Thought you were only the information technology department? This is about genuine document control.
No, it's not pretty. If you don't shred your print matter, from scrap paper to employee handbooks, your competition will read it. Sniff sniff sniff. Yes, they'll dive into your dumpster, steal your trash bags, and even go through your cafeteria garbage – and not for the food.
Throw them off the scent. Shred, shred, shred; recycle what's left. Paper is information technology too, and the shredder is its delete key. This is too simple a hack to ignore: without an effective document control, shredding and recycling program, your cast-off data is fair game. Now where's that asset/password list you printed the other day — and the copy?