10 Non-Computer Network Security Dangers

Nearly anything with a CPU in it is a potential hazard. Sure, we go to great lengths, build firewalls, and put in intrusion detection worthy of a three-letter agency on a good day. On a bad day, we get hacked, and there is data on the floor, or worse, somewhere you didn't want it to be in Southeast Asia.

In my job as a researcher, I have to think about the crazy things that people forget, and then list them in tables, so that they can smack their forehead and say to themselves, “Oh fudgeberries! Edsel Murphy is in my gene pool!”

You see, we're all related to Edsel, because he was the first screw-up. The poor guy did everything right, but then something went wrong. Below, I list my 10 favorite things pentesters like to snicker over, because you forgot that they're hackable, and why. No, you shouldn't go through every CVE (Common Vulnerabilities and Exposures) to look for trouble. Instead, trouble is likely looking for you. 

 

Each of the ten items below follows the same four columns as the original table: Uh Oh, You Forgot; How it is Hacked; Protection Procedures; Limitations.

1. SNMPv1 and SNMPv2c

Everything that ever used the Simple Network Management Protocol (SNMP) in its early versions, v1 and v2c. They were nice in their day, but their design (a plaintext "community string" as the only credential) means you have to go looking for them periodically, because something on the network always still speaks them.

Communications in v1 and v2c are in plain text. They can be sniffed by any clever four-year-old child, and the factory-default community strings ("public" to read, "private" to write) are the first thing any scanner tries. Have great fun switching ports on and off with a single SET packet. Even Lego thought it was too easy.

Do a full network probe of UDP/161 with the default community strings and your own. Kill, or reconfigure, anything that answers. Convert to SNMPv3 with authentication and encryption (authPriv) as soon as is humanly possible; a device configured for v3 only will not answer a v1/v2c probe, so anything that still does is a device you haven't fixed yet.

Affects printers, alarms, routers, L2/L3 (Layer 2/Layer 3) switches, older Ethernet hubs, switching equipment, and many network-related "non-computing" devices. Fix it: now. Or shut it off if you can't upgrade it; at the very least change the community strings and put an ACL on who may talk to UDP/161 at all.
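The "full network probe" above, as an added example that is not part of the original article: a probe that builds an SNMPv1/v2c GetRequest for sysDescr.0 by hand (no library to install), sends it with each candidate community string, and parses whatever comes back. The target hosts, the community list ("public", "private") and the constructed device reply used to exercise the parser offline are all assumptions. It only ever issues GETs, never SETs, so it won't flip anyone's ports while you hunt.

```python
import socket
from typing import Iterable, Optional, Tuple

SNMP_V1, SNMP_V2C = 0, 1                   # wire values of the version field
SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"          # sysDescr.0, answered by nearly everything
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2     # context-specific PDU tags

def _ber_len(n: int) -> bytes:
    """BER length octets: short form under 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload

def _ber_int(value: int) -> bytes:
    # Minimal two's-complement INTEGER (0 -> 00, 128 -> 00 80).
    return _tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))

def _ber_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])      # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])             # base-128, high bit set on all but the last byte
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))

def build_get_request(community: str, oid: str = SYS_DESCR_0,
                      request_id: int = 1, version: int = SNMP_V1) -> bytes:
    """GetRequest for one OID. The community string is the only credential, and it goes in clear."""
    varbind = _tlv(0x30, _ber_oid(oid) + _tlv(0x05, b""))           # name + NULL value
    pdu = _tlv(GET_REQUEST, _ber_int(request_id) + _ber_int(0) + _ber_int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _ber_int(version) + _tlv(0x04, community.encode()) + pdu)

def build_get_response(community: str, value: str, oid: str = SYS_DESCR_0,
                       request_id: int = 1, version: int = SNMP_V1) -> bytes:
    """What a device answers with. Constructed here only to test the parser offline, not a capture."""
    varbind = _tlv(0x30, _ber_oid(oid) + _tlv(0x04, value.encode()))
    pdu = _tlv(GET_RESPONSE, _ber_int(request_id) + _ber_int(0) + _ber_int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _ber_int(version) + _tlv(0x04, community.encode()) + pdu)

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_response(packet: bytes) -> Optional[dict]:
    """Version, community, error-status and first varbind value of a GetResponse; None if it isn't one."""
    try:
        tag, msg, _ = _read_tlv(packet, 0)
        if tag != 0x30:
            return None
        _, version, pos = _read_tlv(msg, 0)
        _, community, pos = _read_tlv(msg, pos)
        tag, pdu, _ = _read_tlv(msg, pos)
        if tag != GET_RESPONSE:
            return None
        _, _, pos = _read_tlv(pdu, 0)            # request-id
        _, err, pos = _read_tlv(pdu, pos)        # error-status
        _, _, pos = _read_tlv(pdu, pos)          # error-index
        _, vblist, _ = _read_tlv(pdu, pos)
        _, vb, _ = _read_tlv(vblist, 0)
        _, _, pos = _read_tlv(vb, 0)             # OID
        vtag, value, _ = _read_tlv(vb, pos)
    except IndexError:
        return None                              # truncated, or not SNMP at all
    return {
        "version": int.from_bytes(version, "big", signed=True),
        "community": community.decode("latin-1"),
        "error_status": int.from_bytes(err, "big", signed=True),
        "value": value.decode("latin-1") if vtag == 0x04 else value.hex(),
    }

def probe(host: str, communities: Iterable[str] = ("public", "private"),
          timeout: float = 1.0, port: int = 161) -> Optional[dict]:
    """One GetRequest per community string; first successful answer wins. Read-only, no SETs."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        for req_id, community in enumerate(communities, start=1):
            sock.sendto(build_get_request(community, request_id=req_id), (host, port))
            try:
                data, _ = sock.recvfrom(4096)
            except socket.timeout:
                continue
            answer = parse_response(data)
            if answer and answer["error_status"] == 0:
                answer["host"] = host
                return answer
    finally:
        sock.close()
    return None

if __name__ == "__main__":
    import sys
    # Usage: python snmp_probe.py 10.0.5.1 10.0.5.2 ...   (your own hosts; addresses are assumed)
    for target in sys.argv[1:]:
        hit = probe(target)
        print(f"{target}: " + (f"answers v1/v2c with community {hit['community']!r}: {hit['value']}"
                               if hit else "no plaintext SNMP answer"))
```

An answer to "private" tells you that string is valid, not that it allows writes; proving that would take a SET, which is exactly what you don't do to a production alarm panel. Anything in the output list is either a device to move to v3 authPriv or a device to unplug.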

2. PPTP VPNs

VPNs using PPTP(1) are made of rice paper. Wet rice paper. They work marvelously until they encounter one good breeze, and you're hacked.

Child's play. Breaking in is easier than opening a fresh box of granola bars and far less pleasurable: the MS-CHAPv2 handshake can be captured off the wire and cracked offline, and PPTP's own encryption (MPPE) is keyed from that same handshake, so once the password hash falls, so does the tunnel.

IPsec(2) VPNs are preferred. If PPTP is absolutely necessary, at least use MS-CHAPv2 (Microsoft's stronger authentication method; note that it is authentication, not encryption) with long, non-dictionary passwords until you can redesign your VPN. There is also a certificate-authenticated (EAP-TLS) configuration of PPTP that takes the password exchange out of the picture, but no one knows how to use or support it. Not even me.

MS-CHAPv2 is tougher than MS-CHAPv1 and PAP, and people stay on PPTP because IPsec has its own problems behind NAT (AH does not survive address rewriting, and ESP needs NAT traversal, NAT-T, on UDP/4500). IPsec's not easy, but PPTP VPNs are essentially insecure: a captured MS-CHAPv2 exchange reduces to a single DES key search, leaving sysadmins always wondering whether their users' passwords have already been dictionary-attacked.

3. Wi-Fi Access Point Admin Pages on Public-Facing Ports!

Although some Wi-Fi APs' administrative web pages have silliness like a Captcha, many can be dictionary-attacked as fast as packets can be thrown at them, and the factory default credentials are printed in the manual.

This back door is usually left open by installers so they can do remote tech support without needing a physical presence in your offices. Pick up the hammer, disable the external admin port, and bang it on their fingers!

You're asking for problems if you allow public-facing admin access. It's better to reach the APs through an SSH jump host or a DMZ proxy, and only from the management VLAN. If you make a door, someone will try to open it.

4. Lucky Cable Plant

Perhaps you carefully restricted your Wi-Fi access, but if you put a live Ethernet jack in your office lobby, someone will try to use it.

Although NAC(3) helps prevent this, there's an inevitable call from the receptionist, wondering if our guest can have access to the company network, just to check email, of course. If you don't allow guest Wi-Fi access, why give them a jack?

Examine each public area for network jack connections, shut down the switch ports behind them, then install new blank face plates covering the jacks, noting their exact locations for posterity and future reference.

5. Fire, Humidity, Smoke, and Door Alarms: Every Port in a Storm

It was clever to tie all of those devices to the network. Now each of them is an entrance point: unplug the sensor, plug in a laptop, listen to your wiring, and play along with its tunes.

Like the jacks in the reception area, some organizations hang lovely PoE(4) devices off the same switches and VLANs as everything else. They may rarely pass even a few small packets, but connect a laptop with Wireshark on it, and it's sniffing time!

If a network doesn't have traps (SNMP-style linkDown/linkUp, or port-security alerts) that catch even a momentary disconnect of these devices, you can tap into Ethernet-wired alarms of any kind and merrily listen to whatever conversations are on that segment. Yum!

6. Ah, Demarcs!

There are any number of methods to connect your building with the last-mile Internet provider. You monitor your side of the customer/vendor demarcation block, but what about your provider's side?

Checking the physical security of where your data provider plugs into your network is important. Even fiber demarcs often have service connections (a console or management port on the provider's gear). But you have to wonder: just how secure are they?

If you have multiple or backup routing demarcation points, check all of them. Test the locks and try the cabinets, because if you don't, the vendors probably haven't, either.

7. Timber!

I bet you use a syslog analyzer. One that captures every possible log, normalizes the data, and hunts and sniffs for odd behavior and for packet destinations in a five-story military building in Beijing. Right? Right?

No one ever reads the system logs. Read Facebook? Sure. Read Twitter? In a heartbeat. The system logs, event logs, door logs, NOC alarms, SNMP traps... all of them? Or the handy log analyzer? No. Three hour-long lunches are cool. Unless someone's eating yours.

You need to use a log normalizer, correlate the sources, and look for trends. But you have to read the logs. No Facebook. No Kings of Conquest. Until. You're. Done. Daily.

8. All Your Print Server Are Belong To Us

There is perhaps no device on a network more publicly accessible than a print server, and therefore no device is more ripe for abuse. Printers are usually wide open and would accept jobs from the International Space Station.

Print from a Mac? AFP? CIFS? NFS? Samba? Active Directory? eDirectory? AnybodyDirectory? No authentication? No problem! Tighten down accessibility until you hear the user screams, then loosen up slightly. In all seriousness: print servers, especially those managed by MSPs(5), will accept a job from a vagrant. They're a back door. Close it. Feel the room get warmer.

Printers are almost guaranteed to be as wide open as the Grand Canyon: raw port 9100, LPD, IPP, FTP, telnet, SNMP and a web admin page with the default password, all listening at once. Go through the manual and eliminate all but the known local protocol needs. Use vice grips if necessary.
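The "what is this thing actually listening on?" check behind items 3 and 8, as an added example that is not part of the original article: a TCP connect audit run from outside the network (or from the guest VLAN) against an access point or a printer, comparing what answers with what the device's role is allowed to expose. The port-to-service table follows the protocols the article lists; the per-role allow policy, the target hosts, and the throwaway local listener used to exercise it offline are all assumptions. SNMP (UDP/161) is not a TCP service and is probed separately.

```python
import socket
from typing import Dict, Iterable, List, Set

# TCP ports and the services a printer or AP typically exposes (assumed table, not from the article).
SERVICE_PORTS: Dict[int, str] = {
    21: "FTP", 22: "SSH", 23: "telnet", 80: "HTTP admin", 443: "HTTPS admin",
    139: "NetBIOS/CIFS", 445: "SMB/CIFS", 515: "LPD", 548: "AFP", 631: "IPP",
    2049: "NFS", 9100: "raw/JetDirect",
}

# Per-role policy: what may face the side you are scanning from (assumed policy).
ALLOWED: Dict[str, Set[int]] = {
    "printer": {631},     # IPP only; the admin page belongs on the management VLAN
    "wifi-ap": set(),     # nothing at all should answer from the public side
}

def is_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """TCP connect check: a completed handshake means something is listening."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0

def audit(host: str, role: str, ports: Iterable[int] = SERVICE_PORTS,
          timeout: float = 0.5) -> List[str]:
    """One finding per open port the role's policy does not allow."""
    allowed = ALLOWED.get(role, set())
    findings = []
    for port in ports:
        if port not in allowed and is_open(host, port, timeout):
            name = SERVICE_PORTS.get(port, "unknown")
            findings.append(f"{host}:{port} ({name}) open but not allowed for {role}")
    return findings

_demo_sockets: List[socket.socket] = []   # keeps demo listeners alive for the process lifetime

def start_demo_listener() -> int:
    """Bind a throwaway listener on 127.0.0.1 so the audit can be exercised offline; returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    _demo_sockets.append(srv)
    return srv.getsockname()[1]

def free_port() -> int:
    """A loopback port nothing is listening on right now (bind to 0, read it back, close)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    import sys
    # Usage: python port_audit.py <host> <printer|wifi-ap>   (run from OUTSIDE; hosts are assumed)
    host, role = sys.argv[1], sys.argv[2]
    for line in audit(host, role) or [f"{host}: nothing exposed beyond the {role} policy"]:
        print(line)
```

Run it from where the attacker would be standing, not from the management VLAN, or you'll audit the view that doesn't matter. Every finding is a port to close in the device's own configuration, or to block upstream if the firmware won't let you.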

9. The Service Guy Scam

Although this didn't happen in the United States, it could have: a service guy in uniform gets admitted and installs an entire system that captures filtered packets from the sales department's database server and ships the capture to a competitor. No fingerprints. The IP C&C(6) server is in Romania.

Asset tags, anyone? This machine might have had one. What good are the asset-management sections of network management if no one cares about a new MAC address on the network? This one was found after the system died, and someone wondered why it hadn't been serviced. Uh oh.

This is one of the strongest arguments for Network Access Control (NAC). Unknown MAC address? Duplicate IP address alert? It's time for a hunt. Today. Not tomorrow.
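Items 5, 7 and 9 all come down to the same discipline: something has to read the link-down traps, the DHCP leases and the duplicate-address alarms, and compare them with the asset list. As an added example that is not part of the original article, here is that correlation run over a handful of constructed log lines (Cisco IOS style link and duplicate-address messages, ISC dhcpd style DHCPACK lines). The asset inventory, the list of "sensitive" ports (lobby jacks, alarm panels), the host names and the log lines themselves are all made up for the example.

```python
import re
from datetime import datetime
from typing import Dict, List, Set

# Constructed asset inventory: MAC -> what it is supposed to be (assumed, not from the article).
KNOWN_MACS: Dict[str, str] = {
    "00:11:22:aa:bb:01": "lobby-alarm-panel",
    "00:11:22:aa:bb:02": "hallway-printer",
}
# Switch ports that feed alarm panels or public-area jacks (assumed "host/interface" names).
SENSITIVE_PORTS: Set[str] = {"sw-lobby-1/GigabitEthernet1/0/5", "sw-lobby-1/GigabitEthernet1/0/7"}

# Constructed sample log, Cisco IOS / ISC dhcpd style; not a real capture.
SAMPLE_LOG = """\
Mar 14 09:12:01 sw-lobby-1 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/5, changed state to down
Mar 14 09:12:09 sw-lobby-1 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/5, changed state to up
Mar 14 09:12:15 dhcp1 dhcpd: DHCPACK on 10.0.5.23 to 00:11:22:aa:bb:01 via eth0
Mar 14 09:12:40 dhcp1 dhcpd: DHCPACK on 10.0.5.77 to f8:e4:3b:00:12:34 via eth0
Mar 14 09:13:02 sw-lobby-1 %IP-4-DUPADDR: Duplicate address 10.0.5.23 on Vlan5, sourced by f8e4.3b00.1234
Mar 14 11:00:00 sw-lobby-1 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/9, changed state to down
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
LINK_RE = re.compile(r"%LINK-3-UPDOWN: Interface (?P<iface>\S+), changed state to (?P<state>up|down)")
DHCP_RE = re.compile(r"DHCPACK on (?P<ip>[\d.]+) to (?P<mac>[0-9a-f:]{17})")
DUP_RE = re.compile(r"%IP-4-DUPADDR: Duplicate address (?P<ip>[\d.]+) on (?P<vlan>\S+), sourced by (?P<mac>[0-9a-f.]+)")

def _norm_mac(mac: str) -> str:
    """Cisco dotted (f8e4.3b00.1234) and colon (f8:e4:3b:00:12:34) forms to one canonical form."""
    digits = mac.replace(":", "").replace(".", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def analyze(log_text: str, flap_window: int = 60) -> List[str]:
    """Return alerts: link flaps on sensitive ports, unknown MACs getting leases, duplicate IPs."""
    alerts: List[str] = []
    last_down: Dict[str, datetime] = {}
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        host, msg = m["host"], m["msg"]
        if (lm := LINK_RE.search(msg)):
            port = f"{host}/{lm['iface']}"
            if port not in SENSITIVE_PORTS:
                continue                      # ordinary desk port; not this detector's job
            if lm["state"] == "down":
                last_down[port] = ts
            elif port in last_down and (ts - last_down[port]).total_seconds() <= flap_window:
                # A sensor does not unplug itself: someone swapped what is on that cable.
                alerts.append(f"LINK-FLAP {port}: down/up within {flap_window}s, go see what is plugged in now")
        elif (dm := DHCP_RE.search(msg)):
            mac = _norm_mac(dm["mac"])
            if mac not in KNOWN_MACS:
                alerts.append(f"UNKNOWN-MAC {mac} leased {dm['ip']} via {host}, not in asset inventory")
        elif (um := DUP_RE.search(msg)):
            mac = _norm_mac(um["mac"])
            owner = KNOWN_MACS.get(mac, "unknown device")
            alerts.append(f"DUP-IP {um['ip']} on {um['vlan']} claimed by {mac} ({owner})")
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the sample, the lobby alarm port going down and back up eight seconds later, a MAC nobody inventoried taking a lease, and that same MAC then claiming the alarm panel's address each produce an alert; the unrelated desk port at 11:00 does not. The rule of item 7 still applies: the script only shortens the list, someone still has to read it, daily.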

10. Diving for Dollars

Yes, I mean your trash. Don't want to pay Iron Mountain or someone else to slice and dice your paperwork? Think some of your docs won't be juicy to the competition? Thought you were the information technology department? This is about genuine document control.

No, it's not pretty. If you don't shred your printed matter, from scrap paper to employee handbooks, your competition will do it for you. Sniff, sniff, sniff. Yes, they'll dive into your garbage dumpster, steal your trash bags, and even go through your cafeteria garbage, and not for the food.

Shred, shred, shred; then recycle. It's information with a delete key, the trash bin, the recycler, whatever, and it's too simple a hack to ignore. Without an effective document-control and shredding program, your cast-off data becomes fair game. Now where's that asset/password list you printed the other day, and the copy?

Acronym Magic Decoder Ring:

  1. Point-to-Point Tunneling Protocol, an early VPN protocol that tunnels PPP (Layer 2) over GRE and encrypts with MPPE
  2. IP Security, a Layer 3 protocol suite (AH and ESP); needs NAT traversal (NAT-T) to work through address translation
  3. Network Access Control: admitting a device to the network only after it authenticates (typically 802.1X) and passes a posture check
  4. Power over Ethernet, which supplies remote devices with power over the data cable
  5. Managed Services Providers, often onsite contractors
  6. Command and Control servers, which usually control botnets

Some of us are genetically endowed to keep the coffee or electric teapot away from the computing machinery. Others are predisposed to use our elbows at precisely the correct angle to ensure maximal damage. Whichever genetic type you are, it's always best to keep a small and handy notepad nearby, so that the notepad can be lost, and the problem repeated. Edsel Murphy's DNA will then live on, and your successors will be able to clock in the overtime needed to fix it. Again.

About the author:

Tom Henderson runs ExtremeLabs, Inc., of Bloomington, Indiana, where he's principal researcher. His staff analyzes large systems infrastructure, and performs testing on products and platforms for publications and private organizations worldwide.
