It was way back in 2005 and 2007 when I presented a paper entitled ‘The Dirty Shirt’ in London to a dismayed set of delegates, where I was yet again, branded as a person with an over-active imagination, and one who would seem to have evolved an unusual profile of encapsulated paranoia.
Yes, there I was again preaching to the unconverted on my theories Next Generation Insecurity (NGI).
My 2005/7 madcap presentations were based on a chap who turned up for work dressed in a smelly, dirty shirt he had worn the previous day – the reason being, his Internet connected Steam-Iron had been the subject of a cyber attack against its local LAN allocated IP address.
At that time, I also went on to predict that just about everything (which I called IP everywhere) would eventually enjoy an association with an IP address, ranging from the TV, fridge and toaster, to just about anything else, which had the potential to tech-sex up boring items into commercially lucrative devices in order to transition them into attractive, marketable geek innovations.
But then, here we are in the year 2015 and today, as I write this piece on the advent of the Infosecurity 15 show kicking off in London, where we saw the Internet of Things (IoT), or as I like to call it the ‘Internet of Pings’ (IoP) walk the boards as one of the new vectors of threat we all face as a matter of everyday circumstance. So, I am guessing that now that its arrived in Olympia, it must be a reality.
I would also wish to add into this conversation a comment from a recent article that appeared in SC Magazine UK, which shared observations from two companies, including Experian, that ‘UK firms are horribly unprepared for data breach response,’ concluding that 34 percent of organisations do not have an incident response plan in place. Personally speaking, I feel that 34 percent is a gross underestimation, and that things are much worse than suggested in this report.
Having got the intro out of the way, it gets me on the subject of what I actually intended to start to write about, which is those promiscuous protocols, and the current ever presence of insecurity associated with air-based communications.
So, to exemplify this, please allow me to present some real world cases, which tend to underpin the opinion, and also go much further than just inferring that it is in the area of incident response in which organisations are failing.
My suggestion is that the security missions of many businesses are suffering from the lacklustre application that is real security, which have been consumed by the misdirected mind-set of compliance as the answer when in fact, it can be the problem in the form of a pig with painted lips.
So, take the security event being held in a top London hotel, which was attended by UK, international operational and senior security management professionals.
Whilst I was looking at a presentation being given on the virtues of the ISO/IEC 27001, my mind wondered away from the concept of Ticking-the-Box, and I took a look at the invisible logical profile of the hotel access point (AP) – discovering to my horror that it was compromised.
From the 31-page dump of its profile, it was obvious that it was fully-loaded with multiples of malware applications, backdoors, Trojans, and well-known tools from the hacker community. Thus being one of those caring personalities, I decided to inform the delegates that if they were utilising this communications channel, they should take care.
Whilst some took head, others were still employing its insecure 802x offering, pumping their own corporate and business data through it without any form of VPN, thus exposing their business data assets to the eyes of the AP ‘owner(s),’ [not to mention those miscreants who can work out how to leverage Wireshark to sniff out items of interest].
However, let us not forget that this device was also continuously catering for those residential business people, along with domestic and international travellers.
End Point Access
Now, I would like to think that the aforementioned discovery was a one off – but alas no!
It was in recent years when I attended another event as a delegate, and yet again, I found myself listening to the attributes of ticking the ISO/IEC 27001 and balance score card reporting to achieve cyber security. So, once again I found myself looking around logical-promiscuity.
On this occasion, the AP was open and in an expected state, carrying no obvious indications of being compromised or hacks. However, that said, the casual onlooker (in this case, me) could see the range of devices hanging-off to this particular AP, and thus it was possible to traverse back through the air-based infrastructure and land upon a selected end-point – here it got interesting.
Of the 100+ presented systems, four were found to be wanting, running a number of services, including SMB on Port 445. It was here where one could observe some Windows 8/10 systems, which were enabled with a profile of a Guest Account, and an associated blank password, supporting visitation to their local drives and files.
Again, please allow me to remind that these people were security professionals. And it’s not just about the obvious threats of exposure, but here we should also consider the dangers posed by such promiscuous profiles in respect of Malwareistic opportunities.
Compromised Global Brand
But let’s not stop there – now, we visit a London-based site of a global brand.
In this case, the company in question is so trusting, they deploy a Guest AP, which carries no Acceptable Use Policy (AUP), never enjoys a password/key change ever, and is utilised by just about every employee, contractor and guest who may enjoy access into its infinity of use – hundreds of users connected to its environment day and night, even when they are no longer working for the company in question.
However, the real double whammy here was when a WiFi-enabled USB Keyboard Logger was attached to one of their Corporate PCs, which was in turn connected to their very own Public/Guest AP for purpose of illicit exfiltration – recording, sending out information, credentials, and other interesting tidbits over a period of an estimated six to nine months to an unknown person.
This only found after the company in question suffered a significant offshore hack against a very key asset.
Associate such opportunities as described above with the powerful spatial gain of tools, such as Hak5’s WiFi Pineapple, and we may start to appreciate just how easy it may be to not only steal valuable and sensitive information assets but we can also start to see how on-the-hoof air-based credentials may be obtained.
Who knows, such extraction of promiscuous protocols, which have no respect for physical binderies, may even facilitate eventual access to the wired environment – presenting what may be described as a game-over moment!
The WiFi Pineapple & The Exposed Public
And then we look to the Vox populi who have been sold the technological dream for years in the form of services like Home Hive from British Gas, WiFi-enabled toasters, down to just about anything else, which can entice them to extract the required funds from their pockets, and invest in the latest and greatest must-have toys.
But you may notice that in most cases, the supply of such hack-targets are usually completely devoid of any element of logical health warning, which alerts to the potential of threats, along with some associated good, or even better still, best practice advice.
For instance, take the description of security, which may be found on the British Gas Home Hive Site. This is an opportunity missed, as it presents a point of leverage to provision some education and awareness to the end-user in support of a public mission to assist with securing their IoT thing with security tips to baptise the great unwashed, unaware public with the waters of the security cross to help secure their own Wi-Fi enabled device, and home infrastructures – going that extra mile to make that difference.
To conclude, as someone who regularly responds to security incidents, hacks and compromises, or suspected events, it is on such occasions as these where one may need to think out-of-the-box, look for the root cause incumbent, and ask the question ‘How was this possible?’ and open up the mind and look for the environmental and logical clues.
I also feel very strongly about promoting security but I am not a fan of elevation of its dangers as a matter of a marketing campaign. However, I feel this should be delivered on each and every occasion when professional and tech companies sell and interface with the end-user public.
Last but not least, I am hopeful that one day, we will have more people and organisations who are prepared to stand up in front of the known curve, take a risk, make a statement looking to the unknowns of the future, and be prepared that they could be wrong, but more than likely with conviction, they will be correct.
We have also encountered a lot of followers in the speaker space of cyber security waving their pens and papers but what we really need is growth out of the small number of evangelists like Peter Wood et al who tell it as it is.
We need more independents like those who are prepared to put the sales mission to one side, and to follow the agnostic line of educating as to the facts. The alternative is Baa Baa Bad Sheep give the Net a Hack – and that we are seeing far too much of as things stand, so time has arrived for change.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.