The quietly confident, 24-year-old Chris Wilson has faced some tough challenges in and around his home base, west of Philadelphia. He is a no-nonsense hombre, and he can spot your weakness before you can say "intrusion detection." Wilson is head of the security services division for WorldNet Technology Consultants (www.wtci.net), and his specialty is network penetration testing, an audit of a company's perimeter security. So take it seriously when he says one of his favorite vulnerabilities is your edge router.
"Everyone forgets about them," Wilson says of the routers. "All of the clients that have used us for a perimeter audit may be rock-solid from the firewall forward, but there is always something open on the router that should be closed. It's the device sitting out there that everyone forgets about."
Wilson gave as an example a WorldNet attack on a financial institution's network that was successful because the router had been deployed improperly. It was not password-protected, and the intrusion led to deeper access into the company's data.
When Wilson cracks into a router, sometimes he is able to change routes and route packets to places they should not go, "maybe route them back to us or route them somewhere else, which would cause a denial of service on their end," Wilson says.
Wilson adds that some name-brand routers allow Web-based configuration, and by using combinations of built-in commands (e.g., ping and others that have the power of outputting data) a malicious person can potentially take over the router and "tell that router to send information in a flood sort of way to another site." A single router might not cause extensive damage, he says, but if several routers were involved, the result could be a distributed denial of service attack.
Hacked Routers on the Rise
It was an increase in such reports of routers being used in denial of service attacks that got the attention of the security watchdog group CERT (www.cert.org) at Carnegie Mellon University. Members of the CERT incident response team collaborated with outside experts to write a white paper outlining "Trends in Denial of Service Attack Technology."
Kevin Houle, coauthor of the paper, says reports sent to CERT indicate routers are being used as launch points for denial of service attacks, as platforms for scanning activity, and as proxy points for obfuscating connections to IRC (Internet Relay Chat) networks.
"Intruders continue to compromise routers, particularly routers deployed with passwords that have not been changed from the vendor-supplied default," Houle says.
Routers are attractive targets for hackers because they are part of the network infrastructure, but they are often less protected by security policies and monitoring technology, Houle says.
The CERT paper reports that "an imminent and real threat, with a potentially high impact," exists in the potential for routers to be used in direct attacks against the routing protocols that connect the networks comprising the Internet.
On the issue of router vulnerabilities, Chuck Adams, general manager of security at NetSolve (www.netsolve.com), in Austin, Texas, has some long-standing, close knowledge of the subject.
Adams, who was a member of the elite Cisco Secure Consulting group before joining NetSolve last July, says, "The biggest vulnerability, based on my 15 years in the information security assessment industry, is authentication. I don't know how many routers in the world one can telnet to, straight across the Internet, and log in with the password of Cisco123, assuming it's a Cisco router."
It should come as little surprise that the culprit is not manufacturers like Cisco.
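The weaknesses named in this article (a router deployed without a password, Web-based configuration left enabled, and telnet reachable with a default password such as Cisco123) can be checked for in a saved router configuration. The following is an added example, not code from the article or from anyone quoted in it; it assumes Cisco IOS-style configuration text, and the sample configuration, the `audit_config` function and the default-password entries other than Cisco123 are constructed for illustration.

```python
import re

# Constructed sample of an IOS-style edge router configuration (not from the article).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
enable password Cisco123
ip http server
!
line con 0
 password s3cure-Console!
 login
line vty 0 4
 no login
 transport input telnet ssh
!
"""

# Assumed list of vendor-default passwords; "Cisco123" is the one quoted in the article.
DEFAULT_PASSWORDS = {"cisco123", "cisco", "admin", "password"}

def audit_config(text):
    """Return a sorted list of (location, finding) tuples for an IOS-style config."""
    findings = set()
    section = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw.startswith(" "):          # an unindented line starts a new context
            section = line if line.startswith("line ") else "global"
        if line == "ip http server":         # "no ip http server" does not match
            findings.add(("global", "web-based configuration enabled"))
        # Only cleartext passwords are compared; encrypted forms are skipped.
        m = re.match(r"(?:enable )?password (?:0 )?(\S+)$", line)
        if m and m.group(1).lower() in DEFAULT_PASSWORDS:
            findings.add((section, "default password in use"))
        if section.startswith("line vty"):   # remote (telnet/SSH) terminal lines
            if line == "no login":
                findings.add((section, "remote login without a password"))
            if line.startswith("transport input") and re.search(r"\b(telnet|all)\b", line):
                findings.add((section, "telnet accepted on remote lines"))
    return sorted(findings)

if __name__ == "__main__":
    for where, what in audit_config(SAMPLE_CONFIG):
        print(f"{where}: {what}")
```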