Showing posts with label infrastructure.

Sunday, January 4, 2015

Extending your home network... insecurely

I reorganized my house this week and gained a private office space, though one without a coaxial jack. This makes it impossible to immediately replicate my previous setup of a whopping three feet of CAT 6 between my main workstation and the FiOS router. Unfortunately a WiFi connection isn't an option, as the workstation isn't WiFi-capable.

Options for connecting a new room to your home network

  1. Add CAT 6 Ethernet cabling: Doing this cleanly requires running cables through the walls and cutting holes for new outlet boxes with a face plate. Highly suggested if you own your house, but I'm in a rental. Pass.
  2. Reuse an extra wireless router as a wireless bridge: I tried this one for a few hours (hours that the wife was not happy I was spending!) but the only router I had sitting around was an Actiontec MI424WR Rev I which is not compatible with DD-WRT firmware.
  3. Power-line networking: Add a device to connect Ethernet networking over the existing power lines within the house. The guy I talked to at Best Buy recommended the Actiontec Powerline Ethernet Adapter Kit [PDF] over the WiFi extender I was looking at. At $39.99 instead of $99.99, I decided to try it.

Fast and easy... setup in less than 5 minutes

The box claims a quick and easy setup: plug the single adapter into the wall and wire it to the router, then plug the four-port adapter into the wall near your machines and wire them up. So I did, and almost immediately my workstation was connected to the Internet... success! Or so I thought.

Verify that the network is up

Along with my main workstation, my office is home to a server which provides multimedia and intranet web hosting. Once I had Internet access, the next step was to check for the rest of the intranet machines. I navigated to http://192.168.1.1 (default MI424WR address) and the expected page pulled up, but my login failed. Double checking my password typing, the login failed a second and third time. More information needed now!

Check Windows' "Network" page

Under Printers there was a Lexmark; under Computer there was a name I didn't recognize. This is a problem, and one that needed to be addressed immediately: my workstation was connected to someone else's network.

[Figure: "generic encryption key"]

Ease of setup security hole

The problem was documented right there in the manual: the adapters come pre-provisioned with a default, generic encryption key. This is great for easy setup because you can just plug it in and go. It is bad for security because it means you can just plug it in and join any network that is already there! Turns out my neighbors had already expanded their network with a similar, compatible product. They plugged it in and it just worked. I plugged mine in and it just worked... with their existing network. That also explains the failed router login: a powerline adapter is a plain Ethernet bridge, so my workstation took its address from the neighbors' router, and the page at 192.168.1.1 was their FiOS router (same default address, different password), not mine. "Already there" means anything sharing the same power lines, too: the signal does not stop at your unit's meter, so in apartments and townhouses neighboring units fed from the same transformer can be one shared medium.
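A quicker check than clicking through the Windows "Network" page is to pin your own router's MAC address ahead of time and, after any new bridge comes up, confirm that the gateway IP still answers with that MAC and that nothing unexpected shows up in the ARP cache. The following is an added example written for this post, not code from the original or from Actiontec; it parses `arp -a` (Windows) or `ip neigh` / `arp -n` (Linux) output, and every address and MAC in the sample is constructed.

```python
import re

# Constructed sample: what `arp -a` on the Windows workstation might show
# right after the powerline bridge came up. Every address and MAC here is
# made up for this example.
SAMPLE_ARP = """\
Interface: 192.168.1.142 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-1f-90-aa-bb-cc     dynamic
  192.168.1.23          00-20-00-11-22-33     dynamic
  192.168.1.57          00-24-d2-44-55-66     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Matches an IPv4 address followed later on the line by a MAC in either
# Windows (00-1f-...) or Linux `ip neigh` / `arp -n` (00:1f:...) notation.
ENTRY_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\s+.*?([0-9a-f]{2}(?:[:-][0-9a-f]{2}){5})", re.I
)

def _norm(mac):
    """Canonical lower-case, colon-separated form so MACs compare reliably."""
    return mac.lower().replace("-", ":")

def parse_neighbors(text):
    """Return {ip: mac} for resolved unicast entries.

    Lines without a MAC (Windows header lines, Linux FAILED/INCOMPLETE
    entries) are skipped, as are broadcast/multicast MACs, whose first
    octet has the group bit (lowest bit) set.
    """
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if not m:
            continue
        ip, mac = m.group(1), _norm(m.group(2))
        if int(mac[:2], 16) & 1:
            continue
        table[ip] = mac
    return table

def audit_network(neigh_text, gateway_ip, expected_gateway_mac, known_macs=()):
    """Check that a new bridge put us on *our* network, not a neighbour's.

    gateway_ok   True only if gateway_ip answers with the MAC we pinned for
                 our own router (the IP alone proves nothing: every default
                 MI424WR answers at 192.168.1.1).
    gateway_mac  the MAC actually seen for gateway_ip, or None
    unknown      {ip: mac} for hosts whose MAC we did not allow-list
    """
    table = parse_neighbors(neigh_text)
    expected = _norm(expected_gateway_mac)
    known = {_norm(m) for m in known_macs} | {expected}
    actual = table.get(gateway_ip)
    return {
        "gateway_ok": actual == expected,
        "gateway_mac": actual,
        "unknown": {ip: mac for ip, mac in table.items() if mac not in known},
    }

if __name__ == "__main__":
    # Our router's real MAC and our own server, pinned ahead of time
    # (both values are assumptions for the example).
    result = audit_network(
        SAMPLE_ARP,
        gateway_ip="192.168.1.1",
        expected_gateway_mac="00:1f:90:de:ad:01",
        known_macs=["00:24:d2:44:55:66"],
    )
    if not result["gateway_ok"]:
        print("WRONG NETWORK: 192.168.1.1 is", result["gateway_mac"],
              "not our router")
    for ip, mac in result["unknown"].items():
        print("unknown host", ip, mac)
```

Feed it the real `arp -a` output (e.g. `arp -a > arp.txt` and read the file) with your own router's MAC; on the sample above it reports the wrong network, because 192.168.1.1 is answered by a MAC other than the one pinned.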

I don't understand why the manual in the box doesn't explain how to change the encryption key; it just directs you to the website. Which pretty much guarantees that a random person sent home by their Best Buy clerk will never change it.

From the Actiontec website:
    How do I change the encryption key on a PWR500 Powerline Adapter?
    To reset and change the encryption key on the PWR500, follow the steps below:
  1. Plug the Adapters into electrical outlets on the same circuit.

  2. Press and hold the Security button on each unit one at a time for exactly 10 seconds. On the 10th second, let go of the button. When you release the button, the Power LEDs will turn off very briefly and turn back on. The LK LEDs will not turn back on at this time.

  3. Then on one of the units, press and hold the Security button for exactly 3 seconds. On the 3rd second, release the button. When you release the button, the Power LED will begin to flash.

  4. Now on the other unit, press and hold the Security button for exactly 3 seconds. On the 3rd second, release the button. When you release the button, the Power LED will turn off and back on briefly, and then the LK LED should be lit on both units. Provided the LK lights on both units are lit, the encryption key has been changed and the two Adapters are now connected on the same Powerline network with a new encryption key.

Thursday, November 1, 2012

Mobile Device Impact on Network Analysis

Topic - As new technology becomes adopted by organizations, standards must also adapt to meet the change. Using mobile device technology as an example, discuss the differences that will need to be addressed for penetration testing. What about vulnerability assessments?

The changing landscape of technology with regard to mobile computing requires a reassessment of potential access points into a network. Wireless access points were already dangerous, as they extended the accessibility of your network outside of the relative safety of your walls. Connecting a mobile phone to the wireless network is directly creating a bridge between the network and the Internet by way of the cellular data connection.

Such a bridge opens up new pathways, and expands existing ones, to be tested via penetration testing.

  • New pathway: ARM malware. Mobile devices with ARM processors are miniature computers that cannot run executable binaries built for traditional Intel-compatible x86 and x64 processors and desktop operating systems. Analyzing such malware therefore requires a toolset designed for mobile applications. Malware for the popular mobile operating systems, iOS and Android, is in the wild and on the rise (Schmidt et al., 2009).
  • Expanded pathway: Social engineering. Because the mobile device doubles as a phone, three additional vectors for social engineering attacks become available.
    1. The most straightforward is simply asking an employee to use their phone to make a phone call.
    2. Spear phishing via SMS can deliver links to malicious web servers. Because of the reduced character count there is less room to explain the link, which can leave users less suspicious of concise messages containing links.
    3. QR code exploits and links to malicious web servers. Because a QR code is opaque, a user does not know where it points until they scan it. A malicious QR code sticker can be placed on any number of signs, objects, or other surfaces where a target is likely to go (Kieseberg et al., 2010).
  • Expanded pathway: Man in the middle. The phone's data connection to the cellular network can be attacked man-in-the-middle style by an actor impersonating a cellular base station (Meyer & Wetzel, 2004).

Vulnerability assessments are impacted because it becomes very difficult to inventory the systems on the network and to assess their potential vulnerability when the network is suddenly and unexpectedly no longer homogeneous (Bace, 2009). An easy-to-see example of this is a fully managed Windows domain. All of the expected systems run Windows 7, so the VA tools in use are tuned to identify and scan Windows 7 systems. When an Android device is connected it changes the network make-up. Now the VA tools either fail to fingerprint the device correctly or, even worse, never find it at all if discovery is driven by the computer objects in Active Directory rather than by what is actually on the wire.
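One practical way to close that discovery gap is to reconcile the AD-derived inventory against a source that sees every device regardless of platform, such as the DHCP server's lease table, and hand whatever is leased but not in AD to the VA step separately. The following is an added example written for this post, not code from the original; it assumes a dnsmasq-style lease file (adapt `parse_leases` to your DHCP server's export) and the hostname heuristics for Android and iOS devices are assumed naming conventions, not an authoritative fingerprint. All names, MACs and addresses are constructed.

```python
import re

# Constructed sample inputs (all names, MACs and addresses are made up).
#
# 1) Computer objects exported from Active Directory, e.g. the names
#    returned by `Get-ADComputer -Filter * | Select -Expand Name`.
AD_COMPUTERS = ["WS-ALICE", "WS-BOB", "SRV-FILE01", "WS-RETIRED"]

# 2) Current DHCP leases in dnsmasq's lease-file layout:
#    <expiry epoch> <mac> <ip> <hostname or *> <client-id>
DHCP_LEASES = """\
1351771234 00:1c:c0:12:34:56 10.0.5.11 WS-ALICE 01:00:1c:c0:12:34:56
1351771301 00:1c:c0:65:43:21 10.0.5.12 WS-BOB 01:00:1c:c0:65:43:21
1351771388 00:1c:c0:aa:bb:cc 10.0.5.5 SRV-FILE01 01:00:1c:c0:aa:bb:cc
1351771402 a4:5e:60:11:22:33 10.0.5.61 android-9f3c2b1a7e6d5c4b 01:a4:5e:60:11:22:33
1351771455 d8:a2:5e:44:55:66 10.0.5.62 Johns-iPhone 01:d8:a2:5e:44:55:66
1351771490 00:50:56:77:88:99 10.0.5.63 * 01:00:50:56:77:88:99
"""

# Hostname patterns that typically mark unmanaged mobile devices. These are
# heuristics (assumed naming conventions), not an authoritative fingerprint.
MOBILE_HINTS = [
    (re.compile(r"^android-[0-9a-f]{16}$", re.I), "android"),
    (re.compile(r"iphone|ipad", re.I), "ios"),
]

def classify(hostname):
    """Best-effort platform guess from the DHCP hostname alone."""
    for pattern, label in MOBILE_HINTS:
        if pattern.search(hostname):
            return label
    return "unknown"

def parse_leases(text):
    """Yield (mac, ip, hostname) for each lease line; malformed lines skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        yield parts[1].lower(), parts[2], parts[3]

def inventory_gap(ad_computers, lease_text):
    """Reconcile the AD-derived inventory against what DHCP actually handed out.

    Returns:
      unmanaged  list of {mac, ip, hostname, kind} leased to hosts that are
                 not AD computer objects: the devices an AD-driven VA
                 discovery step never sees
      stale      AD computer names with no current lease
    """
    managed = {name.lower() for name in ad_computers}
    seen = set()
    unmanaged = []
    for mac, ip, hostname in parse_leases(lease_text):
        name = hostname.lower()
        if name in managed:
            seen.add(name)
            continue
        unmanaged.append({"mac": mac, "ip": ip, "hostname": hostname,
                          "kind": classify(hostname)})
    stale = sorted(name for name in ad_computers if name.lower() not in seen)
    return {"unmanaged": unmanaged, "stale": stale}

if __name__ == "__main__":
    gap = inventory_gap(AD_COMPUTERS, DHCP_LEASES)
    for d in gap["unmanaged"]:
        print(f"not in AD: {d['ip']:<12} {d['mac']}  {d['hostname']} ({d['kind']})")
    for name in gap["stale"]:
        print("in AD but no lease:", name)
```

The `unmanaged` list is the scan target list the AD-driven discovery missed; the `stale` list is the reverse problem (inventory entries nobody is actually using), which inflates the assessment scope in the other direction.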


Bace, R.G. (2009). Vulnerability assessment. In Bosworth et al (Eds.), Computer security handbook. New York, NY: John Wiley & Sons, Inc.

Kieseberg, P., Leithner, M., Mulazzani, M., Munroe, L., Schrittwieser, S., Sinha, M., & Weippl, E. (2010, November). QR code security. In Proceedings of the 8th International Conference on Advances in Mobile Computing and Multimedia (pp. 430-435). ACM.

Meyer, U., & Wetzel, S. (2004, October). A man-in-the-middle attack on UMTS. In Proceedings of the 3rd ACM workshop on Wireless security (pp. 90-97). ACM.

Schmidt, A. D., Schmidt, H. G., Batyuk, L., Clausen, J. H., Camtepe, S. A., Albayrak, S., & Yildizli, C. (2009, October). Smartphone malware evolution revisited: Android next target? In Malicious and Unwanted Software (MALWARE), 2009 4th International Conference on (pp. 1-7). IEEE.

Wednesday, October 3, 2012

Week 1 Graded submission, part 1

Topic - Many cyber security professionals believe the likely application of ‘cyber terrorism’ to be an asymmetric attack against some portion of this nation’s critical infrastructure. Which critical infrastructure do you think to be a likely target and why? Who should be responsible for protecting that infrastructure and why? Would this vary based on who the attacker is – if it is a state actor, a non-government organization, or an individual?

The electric grid is a very visible target and the loss of it is very noticeable. Just this past summer those of us in Maryland got to experience a (natural) disruption to the grid. No air conditioning, no lights, no traffic lights (come on, Maryland. No traffic light means a four way stop, not ‘Ehmagawd!’) and no refrigeration. Obviously an attack on the grid is significant.

An attack on the grid is also possible, at least for well-funded shops that can afford to spend the time and manpower to research industrial equipment. Critical infrastructure has been under assault since before late 2010, when Fleming (2010) reported on Stuxnet sabotaging Iranian centrifuges. The worm is reported to target Siemens SCADA (supervisory control and data acquisition) systems. A look at job postings for Baltimore Gas and Electric (BGE) shows that they use SCADA systems: "...integration of the various BGE Supervisory Control and Data Acquisition (SCADA) systems such..." (BGE, 2011). If Iranian SCADA systems are targetable, it stands to reason our electric grid ones could be too.

Who should be responsible for protection is a complicated issue. As our utilities are run by private companies, the current responsibility falls to the utility companies to protect their infrastructure. They have to protect it because doing so protects their investment and their bottom-line profitability. On the other hand, a disruption of the electric grid may hurt the utility company's bottom line, but it literally means life and death for the diabetic customer who needs to keep their insulin refrigerated during a heat wave. When it comes to protecting the general populace from bodily injury and death, that responsibility falls to the government. Outsourcing the security concerns to DHS, though, would provide such a budgetary windfall to the utilities that the reasonable next step would be full government control over the utility in question. That option is rarely considered a good idea by the US population.

Since an interruption of power would be so devastatingly disruptive, it would most definitely be a target for a military, or nation state organization supporting the military, to attack as an immediate lead-up to a kinetic action.

If the goal was to just be human death, which is the likely goal of an infrastructure attack from an independent actor or organization, then [thoughts on a specific way that cyber mass murder could be possible]. If, like Stuxnet, the compromises also affected the monitoring reports, then it wouldn’t get caught until the first few victims showed symptoms. Which would be far too late for many others. (Fleming, 2010)

Matthew

BGE (2011, June 7). BGE Job Descriptions. Retrieved 26 September 2012 from: http://www.bge.com/myaccount/billsrates/ratestariffs/Documents/BGEJobDescriptions.pdf

Fleming, R. (December 2, 2010). Bits before bombs: How Stuxnet crippled Iran’s nuclear dreams. Retrieved 26 September 2012 from: http://www.digitaltrends.com/computing/bits-before-bombs-how-stuxnet-crippled-irans-nuclear-dreams/