The insidious threat - the hacker behind the firewall
By Greg Kelly on Feb 10, 2009
I showed this graphic recently as part of a security presentation, and without the context it is probably difficult to see the connection between the objects. This is by no means an exhaustive set, but it does open the conversation around the problems of risk compensation and de-perimeterization. While not PeopleSoft or Oracle specific, it is within the realm of security, and Oracle does have products to help mitigate the risk.
What are these objects?
- USB Adapter Cable
- WiFi Point of Sale Terminal
- Bluetooth Adapter
1 USB Adapter Cable
This is a USB adapter cable (~$19) for hard drives: 2.5-inch and 3.5-inch IDE (PATA) and SATA drives. With this cable you can connect any typical hard disk to a USB port.

In any office environment, what's familiar becomes invisible. Someone who walks through an area on a regular basis is not suspicious. This is where the two pictures above become relevant. The left-hand picture shows the back of a typical desktop; the eye-hole tab is not just for locking the desktop against theft, it is also there to lock the casing shut and prevent unauthorized physical access. The right-hand picture shows the cover open and the disk drive(s) accessible. (The blue lead is the SATA cable connecting the disk.) This particular HP makes access even easier, since the drives are mounted on plastic slides.

Opening the case and removing the drive takes less than a minute. The miscreant takes the drive back to the comfort of their office, copies interesting data off the disk, or copies malicious code directly onto it. Another minute to re-install the disk in the unsuspecting user's desktop and nothing appears to have happened. It is not enough to assume that desktops used by users with relatively trivial access do not need protecting, since network resources are much more accommodating to systems inside the firewall. All corporate desktops should have locks on this tab.
2 WiFi enabled Point of Sale Terminal
Increasingly, Point of Sale (POS) terminals are PC based and WiFi enabled. Because keyboard access is generally disabled and all user input is via a specialized keypad, security on these workstations tends to be minimal. WEP can be easy to crack, so all the system abuser has to do is sit outside the store with a WiFi-sniffing laptop to gain access to the network. They can then mimic the IP and MAC address of the POS terminal and start exploring the connected systems.
These fully functional Windows XP or Linux based platforms have now achieved commodity status and will become ubiquitous. The XP version is available for less than $300 and the Linux version for less than $250. In fact, netbooks have breathed new life into XP. Anyone who has reason to be on your premises can easily carry these devices inside your firewall and play around to their heart's content, usually after most of your staff have left. They can take advantage of any rogue or compromised WiFi network in your buildings.
4 Bluetooth Adapter
There are a number of sophisticated libraries, especially on Linux, for driving these Bluetooth network adapters to seek out unprotected Bluetooth-enabled cell phones. It is possible for the miscreant to take control of your cell phone and have it dial out to their phone, so that your phone becomes an inadvertent bugging device. This does not require the recently announced downloadable malware; it takes advantage of functionality delivered as standard. If you're going to a sensitive meeting, take the battery out of your phone.
These are WiFi-enabled mobile computing platforms, not just phones. There have been some anecdotal, but completely credible, stories of a package being delivered for someone who has recently left a company, and the package being left at reception or with security for subsequent collection. The package contains a provisioned iPhone which listens for WiFi and then connects out to a rogue web server, creating a proxy inside the firewall. Firewalls generally allow outbound connections on port 80.
This is really a point about judicious password selection, not an indication that Twitter itself poses a security risk. Recently there were reports of Twitter accounts being cracked. Unfortunately the users had relatively high levels of access in their corporate domains, but had used the same user ID and password on their Twitter accounts. This emphasizes the need to maintain separate sets of credentials for internal and external resource access. See more on passwords below.
None of these objects is inherently insecure, but hackers/crackers/system abusers are very creative!
Here are some interesting links relating to passwords:
The Top 500 Worst Passwords of All Time
" ... If you see your password on this list, please change it immediately. Keep in mind that every password listed here has been used by at least hundreds if not thousands of other people."
Ten Windows Password Myths
" ... With all of our advances in security technology, one aspect remains constant: passwords still play a central role in system security."
Passwords or Pass Phrase? Protecting your Intellectual Property
" ... A new theory on passwords is emerging that may help us remember our access codes, be more secure, and generally keep hackers and thieves out of our networks."
Here are some sensible rules for password creation:
- Unacceptable - fewer than eight characters
- Weak - eight or more characters, including one or more numerics
- Fair - eight or more characters, including:
  - 1 numeric, and
  - 1 or more special characters, and
  - 1 or more uppercase characters
- Strong - eight or more characters, including:
  - 2 or more numerics, and
  - 1 or more special characters, and
  - 1 or more uppercase characters
- Very Secure - fourteen or more characters, including:
  - 2 or more numerics, and
  - 2 or more special characters, and
  - 1 or more uppercase characters
- Ensure maximum keyboard "distance" between characters
- Equivalent use of each hand to enter
Check the password strength on Microsoft's non-recording checker
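As an added illustration (not code from the original post), the tier rules above expressed as a small Python checker, together with a check for the "equivalent use of each hand" rule. It assumes that a "special" character is any non-alphanumeric character and that hand assignment follows a US QWERTY layout; the post specifies neither.

```python
# Classify a password against the tiers listed in the post and check the
# "equivalent use of each hand" rule. Example code written for this page.
# Assumptions: a "special" character is anything that is not a letter or digit,
# and hand assignment follows a US QWERTY layout.

LEFT_HAND = set("qwertasdfgzxcvb12345")   # keys typed by the left hand (assumed US QWERTY)
RIGHT_HAND = set("yuiophjklnm67890")      # keys typed by the right hand (assumed US QWERTY)

def count_classes(password):
    """Return (numerics, specials, uppercase) counts for a password."""
    numerics = sum(c.isdigit() for c in password)
    uppercase = sum(c.isupper() for c in password)
    specials = sum(not c.isalnum() for c in password)  # assumption: non-alphanumeric = special
    return numerics, specials, uppercase

def classify(password):
    """Map a password to the post's tiers; the strongest matching tier wins."""
    n = len(password)
    numerics, specials, uppercase = count_classes(password)
    if n < 8:
        return "Unacceptable"
    if n >= 14 and numerics >= 2 and specials >= 2 and uppercase >= 1:
        return "Very Secure"
    if numerics >= 2 and specials >= 1 and uppercase >= 1:
        return "Strong"
    if numerics >= 1 and specials >= 1 and uppercase >= 1:
        return "Fair"
    if numerics >= 1:
        return "Weak"
    # Eight or more characters with no numeric at all sits below "Weak" on the
    # post's scale, so it is treated as Unacceptable here (assumption).
    return "Unacceptable"

def hand_balance(password):
    """Fraction of mapped keys typed with the left hand; None if no key is mapped."""
    left = sum(c.lower() in LEFT_HAND for c in password)
    right = sum(c.lower() in RIGHT_HAND for c in password)
    if left + right == 0:
        return None
    return left / (left + right)

def is_hand_balanced(password, tolerance=0.15):
    """True when neither hand types more than 65% of the mapped keys (assumed threshold)."""
    ratio = hand_balance(password)
    return ratio is not None and abs(ratio - 0.5) <= tolerance

if __name__ == "__main__":
    for candidate in ["letmein", "password1", "Password1!", "Password12!", "Correct-Horse-12!!"]:
        print(f"{candidate!r}: {classify(candidate)}, hand-balanced={is_hand_balanced(candidate)}")
```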
Oracle and PeopleSoft are registered trademarks of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.