
Hackers for Hire??? Network Infrastructure's Under Attack!

Product Manager


Blog based on my "knee jerk" response to an article on an NSA breach

When you first read this article, you will notice that there are groups of hackers auctioning off exploits for network devices. That may seem like no big deal, but think about this: you have a group of people preying on your first line of defense and profiting by making these exploits available. My irritation is set to the highest level for one simple reason: NOT EVERYONE HAS A SECURITY TEAM. Ok, now that I feel better, let's discuss how they did this and why you may be concerned.

By exploiting firewalls, these groups are releasing into the world exploits that rely on factory defaults and settings that people overlook or don't think about when protecting their network. That creates a gateway for script kiddies and ill-willed individuals to try to do harm just because the day ends in "Y". It is also an example of why I constantly preach about compliance reports and their ability to help you protect your network and not forget the little things.

Some of the vulnerabilities listed were things like:

Buffer overflow in OpenLDAP

SNMP exploits on devices

Scripting advisement to gain more havoc

And much more…

So how do we guard against these untimely and devastating breaches? One answer: stop ignoring security needs. There are several free resources that help you protect yourself. I realize a lot of people may not know these, so I thought I would put a few together.

Common Vulnerabilities and Exposures

https://cve.mitre.org/

National Vulnerability Database

https://web.nvd.nist.gov

If you read any of my NCM blogs, you would know that it has firmware vulnerability data. It checks the NIST data and advises you of security holes on your Cisco devices. Not a "catch-all" by any means, but it helps you to be aware and to have proactive security checks running every day by default. Then, as always, there are compliance reports, including federal compliance reports right out of the box, allowing you to lean on what others have created to ensure that you are crossing your T's and dotting your I's within your security needs.
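As an added example of the kind of check described above (this is not NCM's code and not SolarWinds' code), the script below matches a device inventory against vulnerability records laid out like the NVD CVE JSON 2.0 feed, using the CPE match ranges (versionStartIncluding, versionEndExcluding and friends) that the NVD publishes, and ranks the hits by CVSS score so the worst exposure is looked at first. The feed, the CVE ids, the versions and the device names are all constructed placeholders, not real advisories; the Device, Finding, version_key, cpe_match_applies and find_exposures names are assumptions of this example.

```python
"""Check a device inventory against NVD-shaped CVE records.

Added example, not SolarWinds/NCM code. SAMPLE_FEED is constructed to follow
the NVD CVE JSON 2.0 layout (cve.id, cve.metrics.cvssMetricV31,
cve.configurations[].nodes[].cpeMatch[] with versionStart*/versionEnd* bounds);
its CVE ids and versions are placeholders, not real advisories.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    vendor: str   # CPE vendor field, e.g. "cisco"
    product: str  # CPE product field, e.g. "ios"
    version: str  # running firmware version


@dataclass(frozen=True)
class Finding:
    device: str
    cve_id: str
    score: float
    severity: str


def version_key(v: str) -> tuple:
    """Comparable key for versions such as '15.2.4', '9.8.2a' or '7.0.3'.
    Numeric tokens compare as numbers; an alpha suffix sorts after the bare number."""
    key = []
    for tok in re.findall(r"\d+|[A-Za-z]+", v):
        key.append((0, int(tok), "") if tok.isdigit() else (1, 0, tok.lower()))
    return tuple(key)


def cpe_match_applies(match: dict, dev: Device) -> bool:
    """True if one NVD cpeMatch entry covers this device's version.
    Naive CPE 2.3 parse: split on ':' (escaped colons are not handled here)."""
    if not match.get("vulnerable", True):
        return False
    fields = match["criteria"].split(":")
    vendor, product, version = fields[3], fields[4], fields[5]
    if vendor != dev.vendor or product != dev.product:
        return False
    dv = version_key(dev.version)
    if version not in ("*", "-"):  # criteria names one exact version
        return version_key(version) == dv
    lo_inc, lo_exc = match.get("versionStartIncluding"), match.get("versionStartExcluding")
    hi_inc, hi_exc = match.get("versionEndIncluding"), match.get("versionEndExcluding")
    if lo_inc and dv < version_key(lo_inc):
        return False
    if lo_exc and dv <= version_key(lo_exc):
        return False
    if hi_inc and dv > version_key(hi_inc):
        return False
    if hi_exc and dv >= version_key(hi_exc):
        return False
    return True


def cvss(cve: dict) -> tuple:
    """(baseScore, baseSeverity) from the CVSS v3.1 metrics, or (0.0, 'UNKNOWN')."""
    for m in cve.get("metrics", {}).get("cvssMetricV31", []):
        data = m.get("cvssData", {})
        return float(data.get("baseScore", 0.0)), data.get("baseSeverity", "UNKNOWN")
    return 0.0, "UNKNOWN"


def find_exposures(feed: dict, devices: list, min_score: float = 0.0) -> list:
    """Findings (highest CVSS first) for every device covered by a CVE's
    configuration. Only OR semantics are applied: any matching cpeMatch counts."""
    findings = []
    for item in feed.get("vulnerabilities", []):
        cve = item["cve"]
        score, severity = cvss(cve)
        if score < min_score:
            continue
        matches = [m for cfg in cve.get("configurations", [])
                   for node in cfg.get("nodes", [])
                   for m in node.get("cpeMatch", [])]
        for dev in devices:
            if any(cpe_match_applies(m, dev) for m in matches):
                findings.append(Finding(dev.name, cve["id"], score, severity))
    return sorted(findings, key=lambda f: (-f.score, f.device))


SAMPLE_FEED = {  # constructed feed; placeholder CVE ids and versions
    "vulnerabilities": [
        {"cve": {"id": "CVE-0000-0001",
                 "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]},
                 "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [
                     {"vulnerable": True, "criteria": "cpe:2.3:o:cisco:ios:*:*:*:*:*:*:*:*",
                      "versionStartIncluding": "15.0", "versionEndExcluding": "15.2.4"}]}]}]}},
        {"cve": {"id": "CVE-0000-0002",
                 "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
                 "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [
                     {"vulnerable": True,
                      "criteria": "cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "9.8.3"}]}]}]}},
    ]
}

SAMPLE_DEVICES = [  # constructed inventory
    Device("core-rtr-01", "cisco", "ios", "15.1.4"),
    Device("edge-fw-01", "cisco", "adaptive_security_appliance_software", "9.8.2"),
    Device("edge-fw-02", "cisco", "adaptive_security_appliance_software", "9.8.3"),
    Device("dc-sw-01", "cisco", "nx-os", "7.0.3"),
]

if __name__ == "__main__":
    for f in find_exposures(SAMPLE_FEED, SAMPLE_DEVICES):
        print(f"{f.device:12} {f.cve_id:14} {f.score:4} {f.severity}")
```

Run as-is, it reports edge-fw-01 (critical) and core-rtr-01 (high); edge-fw-02 is clean because 9.8.3 sits on the excluded upper bound, and dc-sw-01 is untouched because the feed has no entry for its platform. A real run would replace SAMPLE_FEED with records pulled from the NVD and SAMPLE_DEVICES with the versions your configuration manager already collects, which is exactly the gap the daily NCM check is meant to close.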

These are all ways we can use products to help us every day and have a direction to head in, instead of ignoring security or simply not making the time to address it. Monitoring and management software needs to be an everyday defensive tool, one that offers guidance with your security needs and lets you work on security today and tomorrow. Security teams can lean on monitoring and management solutions too. It's not just for people who lack the funding for a security team; it's for everyone to stand together against people exploiting for hire.

Circling back to my last opinion on this article: for-hire exploits are just as bad as hackers with ransomware. The exploit sellers are merely saying "hey, pay me and I'll tell you how you can do some damage," whereas ransomware is more "hey, I encrypted or stole your data, give me $$$ to (maybe) get it back." Is there a difference in the level of punishment if they are ever caught? I think there should not be, and we need better ways to prosecute and track down these criminals. What are your thoughts? I'm always open to opinions and love hearing all of your comments!

~Dez~

Follow me on Twitter @dez_sayz

32 Comments

There are days when one is tempted to crawl into a hole and pull it in behind them.


Level 14

As a security nerd, I couldn’t wait to read this.  Yes, I am actually salivating. I found the article on the NSA breach a really good read. Focus used to be on the boundary security tools.  That focus shifted to the endpoint security with some folk saying that boundary systems were passé and were no longer needed.  I have always seen all security tools as part of the security onion.  The more layers you had, the longer a successful attack would take.  The longer the attack takes, the better your chances of discovering it before anything valuable is taken.

People who attack for fun and profit will generally go after low hanging fruit.  (Notice I didn't say hacker.  I am old school and still view the term hacker in a good way.)  At one point, attacks shifted from trying to bypass boundary security systems to attacking layer 8.  Why bother with circumventing the firewall, when an untrained user can be tricked into doing that for you.  Now that endpoint security systems have matured, the untrained user vector is harder to attack.  The focus appears to be returning to unpatched boundary systems.

I have to agree with Dez about the Common Vulnerabilities and Exposures (CVE) and the National Vulnerability Database (NVD).  You can actually subscribe to the CVE feed and peruse vulnerabilities as they come in.  I do, but then I am a security nerd.

I shouldn't have to say this, but always keep your systems patched.  No excuses.  I make it a point to check the vendors of my systems for patches at least twice per month.  A small investment of time now, can save a lot of heartache later.  I have shortcuts to these sites on my desktop and reminders in Outlook to use them.  For example, Cisco has an IOS Security checker.  You can go there, enter the version of IOS you are using, and it will tell you the known vulnerabilities.  It will also point you to the most current version for your system that fixes those vulnerabilities.

https://tools.cisco.com/security/center/selectIOSVersion.x

If I find one for NX-OS I’ll let you know.

As for the jack wagons who create exploits for money and those who use ransomware, they are one and the same in my book.  They should be prosecuted as strenuously as possible.  Part of the problem with prosecution is often created by countries' boundaries.  It is hard to go after Russian or Chinese cyber criminals from the USA.  Another problem is legislation not keeping up with how crimes are committed.  Cyber criminals will always be more nimble and adept than Congress.

Dez, thank you for the write up.  I am smiling as I type!

The difference between an attacker and a hacker can sometimes be their intent and ethics.

Some folks like the informal and friendly idea of a hacker being someone who tries their best to do their job, but isn't always aware of the best practices.  Sort of like a hacker on the golf course, who hacks their way from tee to green as best they can.  In those terms, I might be called a hacker as I try to do better network management without getting sufficient training.  Maybe I waste cycles on reinventing the wheel, or make inadvertent but well-meaning mistakes.  My intent and ethics remain good.

As opposed to the definition of hacker that involves bad intentions and disregard for the privacy of others.  One that is well exampled in "The Hacker Diaries."  Kids or adults who got thrills from violating security and boundaries of others--doing anything possible to become "root" on any system, then moving onto other challenges.  They seem to have a philosophy that "If I can see it, it must be OK for me to attack and violate and own it."  And "it's not my fault people put insecure systems where I can reach them; it's THEIR fault."

Worse are those who get to be root, and then use their privileges to cause disruption.

There's nothing like being in a hospital or electrical or financial network environment and discovering something that's critical to your day, your health, or your bank account becoming lost or stolen or unavailable as the result of hackers and those who write and release malware.  My sole hope is for Karmic rebound:  that the people who do these bad things will quickly experience the results of their own malicious intent or carelessness.  If you write and release a virus or Trojan or wyrm or hack and you or your loved one needs emergency services in a hospital, and that same software or script prevents important network resources from being available to provide needed care, that's Karma.  Better yet:  to learn that what caused the outage to the care system was the bad software you wrote and released.

Level 14

Just view it as a continual chess match.  Constantly thinking several moves ahead.  One of my coworkers and I will often have verbal chess matches playing a version of red team, blue team.  He will take offense, such as an insider threat, and I will take defense.  We verbally spar, challenging each other's knowledge of attack vectors and defensive postures.  It often ends in me logging in to check a setting to verify, or prove I'm right.

Level 14

Agree completely.  btw, The Hacker Diaries was a good read.

Product Manager
Level 9

Hackers are on the rise, and in my opinion they make our jobs more exciting!

That really IS bad!  I was unaware of that one, and I've forwarded it on to my boss, requesting he forward it to our Security Manager.

The specialist in this article, "It's Insanely Easy to Hack Hospital Equipment" (WIRED), was an employee of ours, who's since gone on to bigger and more secure environments.  He had some great skills!

Level 20

I just had to update the code on ASAs this week due to a new vulnerability!  It's an ongoing process trying to defend... an attacker only has to get lucky once!

It's where Orion's ability to generate Vulnerability Reports and IOS issues needs to shine most brightly:  on ASAs.

Level 14

I think these people are opening themselves to a potential lawsuit.  Just sleazy.

Level 21

We certainly need a better way to track down and prosecute these people, the problem is government (and therefore law enforcement) moves at a glacial pace versus the technology world that moves at the speed of light.  To make this successful I think a whole new division or type of law enforcement would need to be created separate and unhindered by the otherwise overly bureaucratic and glacially slow government/law enforcement system.  And of course that doesn't even begin to address the fact that this is a war on a global stage and unfortunately law enforcement doesn't operate at that same level.

When routing and poor security allow redirecting around the globe through multiple hops using false accounts and anonymizers, new tracking/tracing technology will always be a step or more behind the bad folks.

I'd love to wave a magic wand and make everyone honest and ethical.  But maybe that would have bad consequences in the future, in environments where traits like deceit and skills in deception might theoretically become an advantage.  OK, so I have a Sci/Fi mind.  Doesn't mean that future could never exist . . .  Not that I WANT it to!


Level 11

I love the IOS vulnerability checker. They really need one for every flavor of OS they have... ASA OS, AireOS, NX-OS, etc.

Level 13

Most techs would agree that device patching is a pain in the butt...you never know if your system is going to come back up or not. But you need to compare that with the potential for hackers to gain access to your systems and do even more damage...

Which is the worse conversation:

Hey "Boss", remember when you told me to patch the router? Well, it's going to be down for another 2 hours as the patch screwed up.

or

Hey "Boss", someone hacked into our router and we lost our entire customer database.

Level 9

What Orion product provides that ability?

NCM allows you to see documented firmware vulnerabilities, as well as their CVE number and score.

If I could change anything in the hacker community it would be for them to adopt the code, "Honor among thieves" and for them to lay off places like hospitals, schools, and small non-profits.

Level 13

I like that suggestion...it's too bad it isn't organized properly...maybe in my next life.

Level 8

With no rule of law in certain countries these desires probably won't ever come true.

MVP

Playing catch up here... the opportunities for the hacker and attacker are rising with the internet of things.  We can be diligent...

po'malley:

I'm not sure which comment of mine you're responding to, but if you're asking which Orion product(s) can keep up with malicious intent, I'm not aware of one. 

Between building PCI environments, leveraging NetFlow and ISE and ACI, and having MSEs providing RTLS, we're spending a lot to try to achieve it behind our firewalls.

Product Manager

This is sooo true...   I mean hackers are by nature not following "rules".

~Dez~

Product Manager

The major issue I've had is when you upgrade to today's patches and the server is running software that is a year behind.  The vendors obviously were not able to guess what patches were coming out in the future, so you could potentially break software/applications.

Then we get into the conversation of "LAB" environments to test which again creates more pain in the *** processes and procedures.

It's a vicious cycle indeed.

~Dez~

Level 14

IOT will bring the "hacker" experience to the average person in a most up close and personal way.

Imagine the first time innocent items such as a thermostat, fridge, coffee pot get "hacked"..... annoying yes.... troublesome..... you bet!

Now imagine your home security system cameras and all are tampered with...

Level 14

It's amazing how many of these home security system cameras get installed with factory default security settings.

On a different note, there was an episode of Mr. Robot this season where attackers take control of a smart home.

It was amusing on TV, but pretty scary in real life.

Level 16


Level 7

Hackers only confirm how good and secure a setup is - sometimes, if set up cleverly, it can be a good / deep test approach.

Certainly, they make Security Engineers' jobs more exciting.

Level 10

Dez:

You can always borrow my lab.

William will attest to its quality.

Regards,

Ed

Level 11

Amusingly, one of the biggest groups hiring hackers for pay ... is the NSA.

Well, for pay and in some cases deferred adjudication.

Level 13

I wish I had 3 more staff members...so much to do...

About the Author
I started in networking and security around 2002 by taking Cisco Certified Network Associate and Security+ courses from Central Vo-tech. This is where I fell in love with technology in general. From there I ventured out to internships and started using the Engineer's Toolset from SolarWinds, which made me wonder about software. The company I was with purchased Cirrus, which is now Network Configuration Manager (NCM), and I was officially hooked. I searched out SolarWinds and, well, you guessed it, I started working for them and, believe it or not, in sales. That was the only position open, but I knew I wanted to be here. So I quickly worked my way into the support side and became the first Sales Engineer and then the first Applications Engineer. Since I am a very curious person, I have, in my 9 years of being at SolarWinds, decided to pursue more education. Security has always been a fascination to me, so I started taking classes on the NSA's INFOSEC Assessment Methodology (IAM) and INFOSEC Evaluation Methodology (IEM). Then I went and took the CIW Masters for web development and ventured into databases: MCITP SQL Server and Development certifications that led me to a database development degree in college. I'm pretty much a jack of all trades and LOVE IT! This all applied to my work with SolarWinds, as I wanted to be able to help customers solve their issues or needs, and knowing more allowed me to do this successfully. I also dabbled in Cisco UCS management and am currently taking classes to venture toward a CCIE (crossing fingers). NCM is a product that I have worked with since its beginning. I even had the opportunity to fly to the NSA to create templates for some of their devices. I used to be the sole MIB database controller, so I'm definitely your huckleberry on MIBs and OIDs.
As an Applications Engineer I focused on Network Performance Monitor, Network Configuration Manager, Web Performance Monitor, Enterprise Operations Console, Patch Manager, User Device Tracker, and the Engineer's Toolset. See why I like to constantly learn new things? I had a lot to be on top of! SolarWinds is a passion of mine still to this very day. My new role as a Product Manager for NCM is home to me. Funny how I circled back around to my favorite product that got me here in the first place. :) My goal is to educate and work with customers to leverage our products to their fullest degree!