Tuesday, 25 May 2010

Telephone Systems a Hackable Backdoor?

I have been talking to a company that provides telephone exchanges and services to companies this week on behalf of a client and it has highlighted a worrying backdoor. It turns out that many of these companies have a way to remotely connect to their exchange for support purposes - they can remotely control, configure and troubleshoot your system to get you back up and running. Exchanges often have additional modems in them to allow for remote connections. This is all very well and good from a managed service point of view, but what about the rest of your network? Can this be exploited to gain entry to your network? Quite possibly in some cases - it certainly needs to be included in your security audit and perimeter testing.

Talking about a specific company now, they supply the software to monitor and bill phone calls through the exchange. They remotely install, monitor and manage this software. How do they do that? Well, it turns out that they install LogMeIn on your machine. Now this will make outbound connections through the firewall to make the internal machine accessible from the outside world. Hang on; you're making my networked machine that controls my exchange and billing accessible by anyone? By default LogMeIn will use simple username/password type authentication.

The user who accesses the computer has to set up their account with LogMeIn and will use the same username and password combination on all machines as far as I can see. Does the company have a universal account that they use to remotely access the machines or does each user have their own? If the company uses one default username/password, then what happens if someone gets hold of that information or someone leaves? Does the password get changed? If everyone has their own account, then are they removed when they leave the company? As this is all done through the Web, they could still gain access if they aren't specifically removed from the user group.

How much do you trust all the employees of that external company? How much do you trust the disgruntled ex-employee from them who has access? It might not be that they are trying to attack you, but they may be careless about the credentials or not revoke them properly. Also, consider the case where all the internal employees of an organisation are required to have 2-factor authentication and remote access is locked down. What's the point? There is a simple username/password entry point into the network that bypasses all the secure remote access services you may have in place. How secure are the passwords that the external company use? Would they match up to your complexity requirements? If they are simple, easily guessed or shared, then they open full administrative control over a machine on your 'secure' internal network. Who patches the machine and who updates LogMeIn?

How about installing a keylogger in such a firm to pick up on their username/password combinations so that you can gain full access to every customer's network. Once on the internal machine, malware can easily be installed and attacks launched on other internal machines unhindered. How many organisations have followed best practice and installed a UTM firewall in the core of their network to segregate their servers, etc., from other internal machines? Would a machine running this software be on a normal user subnet or on the management subnet anyway? Do many SMEs have more than one subnet anyway?

Needless to say, my advice was to avoid installing LogMeIn on the machine and temporarily allow a more controlled access to the machine with a temporary account, all of which can be disabled immediately after remote installation is completed. This opens up the problem of how to obtain support, but access can be temporarily granted and then removed when support is required with relatively little effort.

Clearly any such system needs to be well documented and be part of the security audit. I would advise that companies also ask for security audit and policy information from any external company who has any kind of access to the network - this should be standard procedure.

Thursday, 20 May 2010

CQC Using Email to Verify Care Workers

The Care Quality Commission (CQC) has decided to put registration of Care Providers online to make everything faster and easier for the providers. At least that's what they said. In practice, care providers had to fill in the online forms addressing standards that won't be published for another 5 months after the registration deadline. Ignoring all the problems, ridiculous re-branding to avoid inconsistencies and money wasted, there was a serious problem/lack of understanding that has lead to this blog post.

All care providers and managers have to register online individually and have to agree to particular terms in order to be registered and, therefore, trade. I have no problem with this as these care providers are looking after vulnerable people. However, it became obvious that there are serious problems with their system. First off, it isn't possible to change the owner's name if you make a mistake (they can't change it either apparently). Therefore, if you make a mistake, you now have to lie to say that all the details are correct, otherwise you can't register and you'll be out of business - not a good start.

However, this is overshadowed by the fact that the CQC uses only email to verify care managers. First of all they sent a 6-character password to the main business email address with the URL and details of how to log in (no paper verification was done at all). Don't they realise that email is all sent in plaintext and can be read by anyone with a packet sniffer? When logged in, the care provider has to fill in some initial forms as the owner and then list the care managers that they employ. Following this, each care manager is sent a 6-character password via email in order to log in and register their care service. There are a couple of problems with this. Firstly, the email addresses are just entered during the initial form filling exercise and are not checked and secondly, you can't reuse the same email address. So if you are the manager for more than one care service you have to use two different email addresses. The stupid thing is that they accept any email address from an alias to the same mailbox through to hotmail accounts with no checking at all.

They don't seem to realise that half the email addresses people use are just aliases onto other email accounts. On one of my accounts I have 9 email addresses all delivering mail to the same mailbox as they are various options of name and domain all relating to the same company. However, CQC would treat this as 9 different people. There is no checking done to see if that really is the care manager at all. Anyone could sign up as long as they intercept the initial password. Who has access to the standard email address for the organisation? Usually several people and usually not the actual owner of the business - the only person who should receive that email. Due to the way their system works, if someone were to intercept that email (such as a disgruntled ex-employee) they could sign up with a random free email address begin the registration process, not complete it and put the care provider out of business as they won't have registered in the set time.

This is mostly a PR exercise as far as I can see and a bad one. They say that they are checking providers and improving standards. However, it is perfectly possible for the owners and managers to be completely unaware of their registration process because no actual checking is done. In addition, to assume that two email addresses entered into a website are for two different people, and base your authentication on that, shows a lack of understanding of the technology that they are forcing on people.

Edit: 13/7/10

I sent an email to the CQC about this issue and being able to hold people to it legally a while back and a few days ago I received a reply. Here is the main bulk of their reply:

"Thank you for taking the time to write to us and we would acknowledge that the
points you correctly make present some element of risk. To reassure you, and
your customer, we were previously aware of each of those points and have
considered, with our compliance and legal teams, the balance of risk that they
present and any difficulties with legal status that could result, before making
a positive decision to implement in this manner."
"To further reassure you, we commission independent penetration testing of our systems prior to go live to assure their security."
I did ask to see one of their security assessment reports, but was (unsurprisingly) turned down. I understand that they don't want everyone to know how their systems works as that could reveal further problems, but I would like to know what was actually said about this issue and how they justify it.

Monday, 10 May 2010

Series of Demo Videos of Trusteer's Rapport

I am currently producing a series of videos demonstrating the anti-spyware capabilities of Trusteer's Rapport. So far I have looked at keylogging software and screen capture. Specifically, I have demonstrated it with Zemana ScreenLogger, Zemana KeyLogger and SpyShelter. I will be adding more videos over the next few days. The first two videos are embedded below. (Edit: 17/05/10 - I have now added three more videos covering Zemana SSL Logger, AKLT and Snadboy's Revelation V2.)





Links to the YouTube videos are below:

Welcome to the RLR UK Blog

This blog is about network and information security issues primarily, but it does stray into other IT related fields, such as web development and anything else that we find interesting.

Tag Cloud

Twitter Updates

    follow me on Twitter

    Purewire Trust