Networks Placed At Risk – By Their Broadband Providers
Some network security incidents are so obviously preventable that it is mind-boggling. Such was the case with a recent Wi-Fi-based network security breach at a client. It was eminently preventable, and it was even more upsetting to find that the source of the incident was a carrier-supplied device that had been configured by the broadband provider's technician.
The other week, I was called to one of my clients because of problems with their computers. Certain network applications were not functioning correctly. When I arrived at the site, a possible explanation for the problem became apparent: there was an active virus infection. However, what was more interesting than the virus infection itself was one of the possible infection vectors I identified: their provider-supplied broadband router/firewall.
Several months ago, this client had changed broadband providers. The new provider was a heavily promoted high-bandwidth network.[1] As is common, the new provider-supplied gateway appliance supported both wired and wireless connections. The device was configured with a well-documented default password and had its wireless support enabled, even though no one at the customer used a Wi-Fi device. In fact, my client was surprised that Wi-Fi access was even turned on.
Worse, the Wi-Fi was encrypted with WEP, the weakest of the encryption standards Wi-Fi supports. Their offices were also located in a busy area on a main street, with clear signal paths to many buildings. A check of their network activity using a variety of tools showed active connections whose addresses did not correspond to machines legitimately on the network.
My first reaction was to cut off access by disabling the Wi-Fi. I also immediately changed the management passwords on the gateway appliance to something other than the carrier's standard documented default.[2] I then had to perform the laborious task of having each of their machines re-scanned for malware.
The shame of this situation is how preventable and unnecessary this security breach was. The customer had no need for Wi-Fi and did not even know it had been enabled. Worse, it was not only enabled but configured in a security posture that almost invited an intrusion.
A few simple steps can make this type of security incident far less likely.
From “Protecting Internet-Visible Systems”, Computer Security Handbook, 4th Edition, 2005.
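The two checks the post describes, reconciling the addresses seen on the LAN against the machines legitimately on the network, and testing the gateway for the weak settings found here (Wi-Fi left on at a site with no Wi-Fi users, WEP, a documented default password), can be turned into a repeatable audit. The following is an added example, not code from the original post or from any provider: the GatewayConfig schema, the finding codes, the lease dump and the MAC inventory are all constructed, and a real gateway would expose these values through its own web UI, SNMP or CLI rather than this structure.

```python
"""Audit a small-office gateway the way the post's incident suggests: flag Wi-Fi
that nobody uses, weak encryption, a documented default password, and hosts on
the LAN that are not in the authorized inventory. All data below is constructed
sample data and the GatewayConfig schema is hypothetical."""
from dataclasses import dataclass
import re

# Encryption settings that should never be in use; the label strings are hypothetical.
WEAK_WIFI_MODES = {"open", "wep"}


@dataclass
class GatewayConfig:
    wifi_enabled: bool
    wifi_security: str                  # "open", "wep", "wpa2", "wpa3"
    admin_password: str
    known_default_passwords: frozenset  # defaults documented for this model


def audit_gateway(cfg: GatewayConfig, site_uses_wifi: bool) -> list:
    """Return a list of finding codes; an empty list means the config passed."""
    findings = []
    if cfg.wifi_enabled and not site_uses_wifi:
        # A radio left on at a site with no Wi-Fi clients is pure attack surface.
        findings.append("wifi-enabled-but-unused")
    if cfg.wifi_enabled and cfg.wifi_security.lower() in WEAK_WIFI_MODES:
        findings.append("weak-wifi-encryption:" + cfg.wifi_security.lower())
    if cfg.admin_password in cfg.known_default_passwords:
        findings.append("default-admin-password")
    return findings


# One 'ip mac hostname' row of a DHCP lease or ARP dump; header lines do not match.
LEASE_LINE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<mac>[0-9a-fA-F:]{17})\s+(?P<host>\S+)"
)


def unknown_hosts(lease_text: str, authorized_macs: set) -> list:
    """Parse a lease/ARP dump and return the entries whose MAC is not in the
    authorized inventory. MACs are normalised to lowercase so a mixed-case
    dump cannot hide a match."""
    allowed = {m.lower() for m in authorized_macs}
    strangers = []
    for line in lease_text.splitlines():
        m = LEASE_LINE.match(line.strip())
        if not m:
            continue  # headers, blank lines, anything that is not a lease row
        mac = m.group("mac").lower()
        if mac not in allowed:
            strangers.append({"ip": m.group("ip"), "mac": mac, "host": m.group("host")})
    return strangers


# --- constructed sample data (not from any real provider or device) ----------
DEFAULTS_FOR_MODEL = frozenset({"CHANGEME-default"})  # placeholder, not a real default

AS_FOUND = GatewayConfig(True, "WEP", "CHANGEME-default", DEFAULTS_FOR_MODEL)
HARDENED = GatewayConfig(False, "wpa2", "a-long-unique-passphrase", DEFAULTS_FOR_MODEL)

AUTHORIZED_MACS = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"}

SAMPLE_LEASES = """\
IP address      MAC address         Hostname
192.168.1.10    00:11:22:33:44:01   FRONTDESK
192.168.1.11    00:11:22:33:44:02   ACCOUNTING
192.168.1.12    00:11:22:33:44:03   printer
192.168.1.77    DE:AD:BE:EF:00:01   android-3f9c
"""

if __name__ == "__main__":
    for code in audit_gateway(AS_FOUND, site_uses_wifi=False):
        print("finding:", code)
    for h in unknown_hosts(SAMPLE_LEASES, AUTHORIZED_MACS):
        print("unknown host:", h["ip"], h["mac"], h["host"])
```

Run against the as-found configuration, the audit reports all three findings from the incident and the lease dump yields the one device that is not in the inventory; the hardened configuration, with the radio off and the default password replaced, passes cleanly. In practice the inventory of authorized MACs is the part that takes effort to keep current, and the audit is only as good as that list.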
Wi-Fi is not inherently dangerous, but maintaining security is aided by properly compartmented networks, as I described at the 11th Annual New York State Cyber Security Conference (June 2008) in Compartmented Networks: A Corporate Solution for Privacy, Integrity, and Security.
Fortunately, my client's network problems were resolved after I cleaned out some modest malware infections. The outcome could have been far worse: such an intrusion, had it been linked to criminal activity, could have implicated my client, the victim of the attack, as a spammer or worse.
[1] I have omitted the name of the provider as it is not material; security problems of various types have been reported involving many different providers.
[2] A password that was widely published on the web.