Wednesday, August 22, 2012

Basic Security and You... and your friends, and your clients...

It seems as if now-a-days when someone mentions Information Security, the first things that might come to mind are the dreaded words: APT, China, and Cyber War.  But there is much more to it I think.  The government is definitely on the cyber war kick.  With nation states actively sponsoring attackers, and defense contractors locking up their IP tighter than the great firewall of China, who could blame them?  I mean viruses and other malware just jump through the air now and land on systems that are supposed to be off the grid!  Its madness!!!  The apocalypse is not coming on December 21st, it is already here!  So while all the big boys fight it out with their budgets and search for the newest best shiny toy or magic unicorn slaying bullets, what are the little guys doing?  Who is protecting them?

Over the weekend I was messing around with Shodan (  For those that don't know, this is basically a search engine to find online devices such as routers, webcams, VoIP phones, Power plants, and Wind Turbines... wait what?  Yep, you know those important systems that feed our electrical grid and people are always concerned with being attacked? But  that is a discussion for another time.  So back to this awesome tool and its many uses...  Now one might ask, "How can something like this be allowed to exist???"  Well that is easy, the data it searches is publicly available on the Internet.  It searches based on any number of criteria such as open ports, website headers as well as response banners.  You can also drill down to specific locations.  For example you can search for open FTP ports in your home town.  Now I am not from Tampa, but I didn't want to out my own town.  So as I was popping in different ports to search on, I stumbled across a list of open RDP (remote desktop protocol)  ports.  Of course my curiosity gets the better of me and I find one device is a Windows XP system that could possibly be linked to say a financial department at a local University.  I was like oh fudge (only I didn't say fudge)!

OK, so why is this so bad?  I mean after all the staff must need to work from home and the school doesn't want to give them laptops for the fear of them being lost with important data on them.  But I am sure they encrypt all their laptop hard drives right?  Sadly I doubt it.  But who cares about laptops when you can just walk up to the front door and ring the door bell!  Someone might say "so what, even if they attempt to log in using a brute-force password attack, the accounts will lock."   But there is more than one way to skin a cat.  Enter Microsoft Security Bulletin MS12-053.  This is a vulnerability in Remote Desktop which could allow remote code execution.  Essentially, using the RDP service, I can send instructions to the target without actually having to log onto the system.  Well I can't, but I am sure someone much more talented than I, can.  So this is a big deal, can an organization confirm that they are 100% compliant with patching to prevent these attacks?  Knowing how much work it takes to keep a much smaller shop compliant, I would say, no way!  But who knows, maybe they are.  It still begs to question, if they are so sure of their compliance, why are they not using much more secure methods of granting remote access to their network?  So this brings my long winded rant to a close and I will leave you all with the following thought...

I had no luck with my other University contacts, so I am now tasked with the next steps:  Do I track someone down at the school and say "um... you dropped something here" and show the them site and query?  Or do I say screw them and their crappy security and move on?  The enterprising youngster in me say, "hmmm could be a nice lead."  But the paranoid adult in me says "Hell no they will probably think you are hacking their network!"

So what do you think?  Leave your comments below!

UPDATE 10/15/2012
Sent the "Data Security Admin" an anonymous email stating the problem and heard nothing.  Oh well I tried.  On to the next task.