When one of my team members recently responded to network-down call at a client's home office, he quickly established, beyond a shadow of a doubt, that the edge device -- a customer premise equipment (CPE) router -- had been compromised. Regaining control of the edge router proved difficult. A neighbor who was within range of the 802.11n wireless radio was actively hacking the router, overpowering the field tech with password resets in real time. In order to regain control of the network, the tech had to remove the antennas, allowing for LAN access only to the routing edge, and effectively cutting off the hack by cutting off his basic access.
When the field engineer recounted this story, I was skeptical. Traditionally an active hack on an edge device is something found only in corporate networks that house a treasure trove of corporate information. You know: credit card numbers, medical records, all sorts of information that someone can exploit for monetary gain. Traditionally, the sophistication level required to overpower an edge device has been out of reach to the "script kiddies" or low-level code miscreants.
My engineering meeting soon dissolved into a heated discussion about the availability and sophistication level someone would need to compromise CPE. We decided to pull the packet logs from the routing edge and sleuth out the user type, based on traffic type. The compromised network did not have any saleable information, only client contact files. There were no credit card numbers -- just your basic contact information, such as email addresses and cellphone numbers. Not exactly the family jewels, digitally speaking.
We determined the leveraged network was used as an access device for a gaming console -- with access only being sought after school hours. Based on the traffic type, we figured our hacker was a school kid playing Gears of War. In other words, a middle-schooler had bypassed what has been thought of as a sophisticated security paradigm. This kid had changed basic access passwords, altered the default IP address scheme had, and enabled WPA2 security. None of the traditional security tactics worked; this kid defeated them all, in real time.
Our answer to the client was simple: Upgrade your edge device to a more current hardware version, hoping to outrun the digital truant. The teen has not gained any access since the upgrade. Time will tell.
The question bothered me. How could a middle-schooler with an Xbox defeat an encrypted password set? Apparently, there are videos out there that explain how to do this. A security consultant, Pedro Joaquin of Mexico City, said he has sent these exploits to CPE manufacturers and, he warned, none are immune.
As a security professional, my visit to one exploit site sent a chill down my spine. It showed a tool set that can be captured and used offline from a tablet, gaming console, or cellphone -- anything that runs Java. More than 115 exploits are available, free, anytime -- on or offline -- from virtually any device with an interface and a processor.
In the past, my greatest concern for small and midsized business users has centered around their adherence to good password management, about changing the shipping default user name and password for edge devices, for example. Too often, the CPE that the broadband service provider delivers is not accessible to the end user or contracted IT resource. This fact plays into the hands of the nefarious user or digital thief, given this highly available tool kit.
In a vast conglomerate or midsized organization, think about all those employees who telecommute part time, who answer business emails from their iPads, or revise spreadsheet figures at the breakfast table on Monday morning. These days, who doesn't work from home sometimes? Which colleague might be sending confidential or sensitive data from his flimsy household network? Who's living next door, down the road, or across the backyard?
Taking your data to the cloud, and getting your primary data storage out of the LAN and into a more secure enterprise-based solution, is becoming more urgent. For many generations of data access -- a cycle that runs in dog years -- the web has not been a nice neighborhood. Data thieves, traditionally looking for saleable data, are around every corner. With the advent of easy to use exploit tools, the cancer of hacking has spread to your front door.
— Michael Starnes is CEO of Orlando-based Starnes Consulting.
This is alarming information. It make you wonder how much information we can really control this day and age. With everything moving beyond the PC it changes the game entirely.
This also shows that once something is cracked, the floodgates are opened to anyone with the time and energy to screw around with other people's systems. Imagine what that teenager would be able to do in a legitimate job? He would be a talented employee.
You only need one genius to break into sophisticated security. After that, the exploit gets out -- often, as we've seen here, with a YouTube instructional video -- and any chump or schoolkid can do it.
This NOT an urban myth story. The events happend recently and within my company, a real hack .. in real time .. by a schoolkid.
Passwords were changed from shipping default, gateway IP modified from standard shipping settings, real security enabled. The whole works. Editorial license prevented me from including a video showing the use of the exploits in real time.
Small networks are vulnerable, very open to attack. My post is about education, not a scare tactic.
This reminds us the fact that all the encryptions are breakable. It just takes more time if you use latest patch and/or use a long key. Layer approach is always better such as put another firewall as an interior defense, or as simple as turning the machine off when you do not use it.
In Brevard County, Florida, one family's life was, almost literally, torn apart when police stormed their home after (I don't recall all the details) they became suspicious that someone in the house was downloading child pornography. After digging into all the home's computers -- and you can imagine how much fun that must have been -- law enforcement determined the porn was actually allegedly being downloaded by a neighbor who was using their wifi connection. So after being accused and suspected by police, after having all their personal information scrutinized and being, no doubt, shunned by neighbors and friends, they were found innocent of this horrendous crime. But it must have been an awful few days.
Sam, you raise an interesting point about those times when performance is compromised. I always and immediately blame my local cable provider for the usual "technical difficulties." They always tell me to turn the router off/on. In fact, I don't bother calling them any more, but just push the power button on those occasions. We do have a pretty complex password but it does make you wonder. Certainly seems a good market for solution providers or other third-party security firms to address if they can figure out a cost-effective way to serve such a far-flung market.
Wow Micheal that is just scary, I work from home all the time and I often wonder why my bandwidth has strnge issues at times now that you have sufficently scared me I will get a network security friend of mine in ASAP to check and add additional security. I am in the process of moving all to the cloud but still very very scary stuff thanks for bringing it to light!
The hacker underbelly is scary. I recall reading about websites where tens of thousands of credit card numbers are sold, along with Social Security numbers, hacks, and other information that criminals need/want in order to steal from others. Because these sites are so cleverly concealed and often hosted offshore, it's next-to-impossible for American or European law enforcement to do much about them.
The ThinkerNet does not reflect the views of TechWeb. The ThinkerNet is an informal means of communication to members and visitors of the Internet Evolution site. Individual authors are chosen by Internet Evolution to blog. Neither Internet Evolution nor TechWeb assume responsibility for comments, claims, or opinions made by authors and ThinkerNet bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.
Throughout their generations, medical records have promised us lowered costs, increased efficiency, and generally better healthcare. However, despite untold dollars and the efforts of some very smart people, we've yet to realize a fully electronic medical record.
This year's opening keynote speech at the Consumer Electronics Show (CES) broke the mold: Dr. Paul Jacobs, CEO of Qualcomm, delivered the first non-Microsoft presentation in a dozen years. Though Microsoft CEO Steve Ballmer did make an appearance, the presentation was dominated by a core technology for release by Qualcomm this year.
Multi-tenant clouds assure security for clients, but not necessarily for their ideas. Here's one thing you should discuss with your cloud provider before you sign on.
With more and more executives relying on mobile devices to complete their work, mobile device management has become as popular as traditional IT management solutions.
What kinds of companies are doing the most innovation in the data center? Turns out it's midtier enterprises that are taking the "Just Right" approach.
Enterprises would like to move to cloud computing but are hesitant because they are concerned about providers’ ability to secure company data. Here are some tips that help to ensure that if breaches occur, the business is not left holding the bag.
New tools like laptops, tablets, smartphone, and wireless connectivity let us work from San Diego to Katmandu, and anywhere in between. But time management remains a problem.
ITRC found that more than 600 security breaches took place in 2012. Flaws were found in some of the nation's most respected companies: Apple, Citibank, and Wells Fargo. So, it seems the bad guys are doing better than the men in the white hats.
New York's Metropolitan Transit Authority is conducting a pilot test of digital kiosks to guide subway users to where they want to go more efficiently and at lower cost.
The whole Amazon.reader debate is a double-stupid. It's stupid to think that there's any e-book buyer who doesn't know Amazon's URL, and it was stupider to let ICANN launch the whole free-form TLD initiative to start with.
While NFC's original goal was to enhance mobile commerce applications, it is finding its way into a number of other uses, which is creating both opportunity as well as challenges for IT departments.
Enterprises would like to move to cloud computing but are hesitant because they are concerned about providers’ ability to secure company data. Here are some tips that help to ensure that if breaches occur, the business is not left holding the bag.
Edmunds separates customers into segments based on the info it collects on its site and from partners, and uses that to push out custom content, said Brian Baron, director of business analytics for Edmunds.com, at Predictive Analytics Innovation Summit.
The automotive website uses propensity modeling to target ads and customer registration forms, said Brian Baron, director of business analytics for Edmunds.com, at Predictive Analytics Innovation Summit.
Subsidized handsets, rather than locked handsets, should be the focus of regulators. We're not getting good deals, not fostering innovation, and weakening our power as buyers.
Expert Integrated Systems: Changing the Experience & Economics of IT In this e-book, we take an in-depth look at these expert integrated systems -- what they are, how they work, and how they have the potential to help CIOs achieve dramatic savings while restoring IT's role as business innovator. READ THIS eBOOK
your weekly update of news, analysis, and
opinion from Internet Evolution - FREE! REGISTER HERE
Wanted! Site Moderators Internet Evolution is looking for a handful of readers to help moderate the message boards on our site – as well as engaging in high-IQ conversation with the industry mavens on our thinkerNet blogosphere. The job comes with various perks, bags of kudos, and GIANT bragging rights. Interested?
To save this item to your list of favorite Internet Evolution content so you can find it later in your Profile page, click the "Save It" button next to the item.
Email This
