Skip to main content

Telephone Systems a Hackable Backdoor?

I have been talking to a company that provides telephone exchanges and services to companies this week on behalf of a client and it has highlighted a worrying backdoor. It turns out that many of these companies have a way to remotely connect to their exchange for support purposes - they can remotely control, configure and troubleshoot your system to get you back up and running. Exchanges often have additional modems in them to allow for remote connections. This is all very well and good from a managed service point of view, but what about the rest of your network? Can this be exploited to gain entry to your network? Quite possibly in some cases - it certainly needs to be included in your security audit and perimeter testing.

Talking about a specific company now, they supply the software to monitor and bill phone calls through the exchange. They remotely install, monitor and manage this software. How do they do that? Well, it turns out that they install LogMeIn on your machine. Now this will make outbound connections through the firewall to make the internal machine accessible from the outside world. Hang on; you're making my networked machine that controls my exchange and billing accessible by anyone? By default LogMeIn will use simple username/password type authentication.

The user who accesses the computer has to set up their account with LogMeIn and will use the same username and password combination on all machines as far as I can see. Does the company have a universal account that they use to remotely access the machines or does each user have their own? If the company uses one default username/password, then what happens if someone gets hold of that information or someone leaves? Does the password get changed? If everyone has their own account, then are they removed when they leave the company? As this is all done through the Web, they could still gain access if they aren't specifically removed from the user group.

How much do you trust all the employees of that external company? How much do you trust the disgruntled ex-employee from them who has access? It might not be that they are trying to attack you, but they may be careless about the credentials or not revoke them properly. Also, consider the case where all the internal employees of an organisation are required to have 2-factor authentication and remote access is locked down. What's the point? There is a simple username/password entry point into the network that bypasses all the secure remote access services you may have in place. How secure are the passwords that the external company use? Would they match up to your complexity requirements? If they are simple, easily guessed or shared, then they open full administrative control over a machine on your 'secure' internal network. Who patches the machine and who updates LogMeIn?

How about installing a keylogger in such a firm to pick up on their username/password combinations so that you can gain full access to every customer's network. Once on the internal machine, malware can easily be installed and attacks launched on other internal machines unhindered. How many organisations have followed best practice and installed a UTM firewall in the core of their network to segregate their servers, etc., from other internal machines? Would a machine running this software be on a normal user subnet or on the management subnet anyway? Do many SMEs have more than one subnet anyway?

Needless to say, my advice was to avoid installing LogMeIn on the machine and temporarily allow a more controlled access to the machine with a temporary account, all of which can be disabled immediately after remote installation is completed. This opens up the problem of how to obtain support, but access can be temporarily granted and then removed when support is required with relatively little effort.

Clearly any such system needs to be well documented and be part of the security audit. I would advise that companies also ask for security audit and policy information from any external company who has any kind of access to the network - this should be standard procedure.

Comments

Post a Comment

Popular Posts

Coventry Building Society Grid Card

Coventry Building Society have recently introduced the Grid Card as a simple form of 2-factor authentication. It replaces memorable words in the login process. Now the idea is that you require something you know (i.e. your password) and something you have (i.e. the Grid Card) to log in - 2 things = 2 factors. For more about authentication see this post . How does it work? Very simply is the answer. During the log in process, you will be asked to enter the digits at 3 co-ordinates. For example: c3, d2 and j5 would mean that you enter 5, 6 and 3 (this is the example Coventry give). Is this better than a secret word? Yes, is the short answer. How many people will choose a memorable word that someone close to them could guess? Remember, that this isn't a password as such, it is expected to be a word and a word that means something to the user. The problem is that users cannot remember lots of passwords, so remembering two would be difficult. Also, having two passwords isn't real

How Reliable is RAID?

We all know that when we want a highly available and reliable server we install a RAID solution, but how reliable actually is that? Well, obviously, you can work it out quite simply as we will see below, but before you do, you have to know what sort of RAID are you talking about, as some can be less reliable than a single disk. The most common types are RAID 0, 1 and 5. We will look at the reliability of each using real disks for the calculations, but before we do, let's recap on what the most common RAID types are. Common Types of RAID RAID 0 is the Stripe set, which consists of 2 or more disks with data written in equal sized blocks to each of the disks. This is a fast way of reading and writing data to disk, but it gives you no redundancy at all. In fact, RAID 0 is actually less reliable than a single disk, as all the disks are in series from a reliability point of view. If you lose one disk in the array, you've lost the whole thing. RAID 0 is used purely to speed up dis

Trusteer or no trust 'ere...

...that is the question. Well, I've had more of a look into Trusteer's Rapport, and it seems that my fears were justified. There are many security professionals out there who are claiming that this is 'snake oil' - marketing hype for something that isn't possible. Trusteer's Rapport gives security 'guaranteed' even if your machine is infected with malware according to their marketing department. Now any security professional worth his salt will tell you that this is rubbish and you should run a mile from claims like this. Anyway, I will try to address a few questions I raised in my last post about this. Firstly, I was correct in my assumption that Rapport requires a list of the servers that you wish to communicate with; it contacts a secure DNS server, which has a list already in it. This is how it switches from a phishing site to the legitimate site silently in the background. I have yet to fully investigate the security of this DNS, however, as most