1 Computer security via cable, wireless and satellite: secrets and solutions, session II
Raoul Chiesa, Founder, Mediaservice.net, Divisione Sicurezza Dati / DSD-LAB [ PROACTIVE SECURITY AND FIELD EXPERIENCES ]
Steering Committee, CLUSIT (Italian Association for Computer Security)
Board of Directors Member, Director of Communications, ISECOM (Institute for Security and Open Methodologies, USA)
Authorized International Trainer, ISECOM OPST & OPSA Official Certification Programs
Southern Europe Reference Member, T.S.T.F. (Telecom Security Task Force, USA, EU, Asia)
2 COPYRIGHT This set of slides is protected by copyright law and by the provisions of international treaties. Title and copyright to the slides (including, but not limited to, every image, photograph, animation, video and text) belong to the indicated authors. The slides may be freely reproduced and used by research, school and university institutions under the Italian Ministry of Public Education for institutional, non-profit purposes. Any other use or reproduction (including, but not limited to, reproduction in print, on magnetic media or on local and public computer networks), in whole or in part, is forbidden unless explicitly authorised in writing, in advance, by the author(s). The information contained in these slides is believed to be accurate as of the date of publication. It is provided for teaching purposes only and is not to be used in the design of plants, products, etc. The information contained in these slides is subject to change without notice. The author assumes no responsibility for the content of these slides (including, but not limited to, the correctness, completeness, applicability and currency of the information). In no case may conformity to the information contained in these slides be claimed. In any case this copyright notice must never be removed and must be reproduced also in partial uses. (C) Raoul Chiesa (C) Mediaservice.net Srl
3 AGENDA
AN INTRODUCTION TO PROACTIVE SECURITY: The company; The speaker; What we do; Our clients; Proactive Security; Schools & methodologies; ISECOM's Security Proactive Square
IT SECURITY AND SAT COMMS: THE LINKS: Applying Proactive to the world of satellite communications: a real overview; Typical security issues
THE SATELLITE AND THE BUSINESS WORLD: A CASE STUDY ON END-USER APPLICATIONS: Finance environments; Editorial group environments; Telecommunications environments
ASSETS & PROBLEMS: HISTORICAL ISSUES AND FIELD EXPERIENCES: Smart Card, Decoder, Router, NoC, Dealers; Penetration Testing Case Studies
ZOOM: SAT ROUTER'S FIELD EXPERIENCES (BLACK BOX SECURITY TESTING): Router X; Router Y
(A THEORETICAL) CASE STUDY: SAT-OPERATOR SECURITY: Points of attack; Vulnerabilities: Devices, Applications, Network; Lessons that have been learnt
SECURITY SAT-COMMS R&D: SOME RESULTS ON ROUTER'S SECURITY
Q&A
4 THE COMPANY
We're not a dot-com sec-company [Est. 1997]
Privately owned by security professionals, no VCs
Vendor-independent: no resale, no (re)distribution!
D.S.D. (Data Security Division) since 1998
Wide background, direct experience
Internal Tiger Team ('99)
On-the-edge consulting expertise
Unconventional technologies builder
Vendors' & carriers' external audit team
Strong R&D (national/international: scouting, black-box testing, distributed research, contributions to the world's security community)
Top & large companies' final choice (Corporate, Telco, IT, Industry, Chemical, Editorial, Finance, Healthcare and P.A. environments)
Third-party selected partnerships
5 THE SPEAKER
Hacking skills started back in 1986
From 1989 to 1995 high-level hacking and phreaking experiences
Ice Trap operation, : SCO/FBI, Interpol, Criminalpol
Co-founder of Mediaservice.net in 1997 (a l0pht focus)
Papers & articles for standard and specialized press
Interviews with mass media (independent point of view)
CLUSIT, ISECOM, TSTF Member of the Board
6 CLIENT PORTFOLIO (EXTRACT) Arma dei Carabinieri (ROS, Central Command in Rome), Hospital S. Giovanni Battista, Torino (Ospedale delle Molinette), Banca Mediocredito Friuli Venezia Giulia, Bo*frost SpA, Bulgari SpA, CNR di Milano (Security Task Force), Telecom Italia SpA (Italy and abroad group companies), Editorial Group L'Espresso (La Repubblica, Kataweb, Radio DJ, etc.), ITC/ILO - International Training Center of the ILO (ONU), Mirato SpA (Malizia, Clinians and Intesa brands, pharmaceutical/chemical sector), NoiCom SpA, Pirelli SpA Corporate Security Department, TIM SpA, Vodafone Omnitel SpA, University of Udine, University of Milano (DSI), UNICRI United Nations Interregional Crime and Justice Research Institute (ONU), Zyxel Telecommunications Inc. (TAIWAN), Watchguard Technologies Inc. (USA).
7 WHO WE ARE
An independent team of security professionals
+10 years' expertise in high-level penetration testing & security consulting
Specialized in telco and corporate environments
Independent researchers, independent auditors
We enjoy impossible missions and hard-to-solve security issues
T.S.T.F. International Consulting Team Members (+40 telecommunication operators audited in 4 regions: USA, Australia, Asia, Europe)
We're not the ones that talk, we're the ones that AUDIT, TEST, REPORT.
8 WHAT WE DO
Proactive Security (I'm going to explain this to you)
Real-Time Security: Secured Production Systems (Web, Mail, FTP and SMS systems); Defense Systems (Firewall, xIDS and Monitoring systems); Security Managed Services (S.O.C.)
Post-Attack Security: Log Analysis; Computer Forensics; Criminal Profiling
Specialized Security Training: Certified Security Classes (OPST, OPSA); Ethical Hacking for Corporates; L.E.A. Security (authorities only)
IT & TLC Security Consulting
9 MEDIA RELATIONSHIPS (EXTRACT) Magazines/Newspapers: Apogeo Editore, Fondazione Ugo Bordoni-Telèma, Hackers & C, ICT Security Magazine, Il Sole 24 Ore Internet News, Internos, La Repubblica, La Stampa, Linux & C, MAX, Mondadori My Tech, Panorama/Panorama Web, PC Magazine Italia, Zeusnews. Books: Feltrinelli, Pearson Italia, Sperling & Kupfer, Apogeo Editore: scientific supervisors and writers for the Italian editions of specialized books and manuals: Matrix Reloaded, The Art of Deception, Security in Computing and Hacking: The Art of Exploitation.
10 Proactive Security I [ a basic intro ]
11 PROACTIVE SECURITY: WHAT'S THIS?!? Proactive Security = Act BEFORE [and gain a better night's sleep]
12 WHY IS IT SO IMPORTANT? Maybe for the consequences?
Economic damages
Damage to the company's image
Theft of confidential information and reserved projects
Legal responsibilities (both civil and penal)
Resource abuse
Violation of international practices and standards
Revocation/suspension of certifications (ISO/BSI)
...you really have many reasons to care about it.
13 PROACTIVE SECURITY: from schools
Yesterday... we used to have different schools:
- Automated testing (Vulnerability Scanning/Assessment): "our scanner uses A.I. on neural networks, and everything is in HA"
- Manual testing (Ethical Hacking, Pentesting, Unconventional Security Testing): "we've got the most advanced & up-to-date hacking techniques", "we have the best hackers in the world" (or whatever)... "uh, yeah, you know, we use Latvian people!"
- Security through Obscurity Security Testing: "...dear customer, you shouldn't care about HOW we do it, that's our job and we know how to do it, but we can't explain the whys and the hows to you!"
14 PROACTIVE SECURITY: to methodologies
- Vulnerability Scanning/Assessment
- Security Scanning
- Penetration Testing
- Risk Assessment
- Security Auditing
- Ethical Hacking
- Posture Assessment & Security Testing
DECISIONAL FACTORS: Execution costs; Execution timings
DISTINCTION FACTORS: Applied methodology; Repeatability of the tests and possibility of comparison; Numeric classification of the risk values; Compliance with standards and legislation (ISO/BSI, privacy laws, company policies, ...)
15 The PROs and the CONs
Automated (Vulnerability Scanning, Security Testing) vs. hand-made (Penetration Test, Ethical Hacking)
The first methodology is based on the quality of the security testing tool (a product); it's not that easy to reproduce the technical skill and motivations of an attacker. Would a hacker ever buy a piece of software to attack your company?
We suggest the use of automated tools in order to plan cyclic internal Vulnerability Assessments, but it cannot be a serious way to take a real snapshot of the existing situation and the effective technical risk level.
The second technique produces the best results, but the tests must be executed by a Tiger Team with huge and proven expertise and skills.
16 TODAY: THE PROACTIVE SECURITY SQUARE
17 Proactive Security II [ Know Your ENEMY ]
18 KNOW YOUR ENEMY: HACKER'S PROFILING
PSYCHOLOGICAL PROFILE | DANGEROUSNESS LEVEL
Wannabe Lamer ("I'd like to be a hacker, but I can't") | NULL
Script Kiddie (the script boy) | LOW
Cracker (burned ground, the Destructor) | HIGH
Ethical Hacker (the ethical hacker's world) | MEDIUM
Quiet, paranoid, skilled hacker (the very specialized and paranoid attacker) | MEDIUM
Cyber-Warrior (the soldier, hacking for money) | HIGH
Industrial Spy (industrial espionage) | HIGH
Government agent (CIA, Mossad, FBI, etc.; Cuckoo's Egg docet) | HIGH
19 KNOW YOUR ENEMY: TARGETS
PSYCHOLOGICAL PROFILE | TARGET
Wannabe Lamer ("I'd like to be a hacker, but I can't") | End-user
Script Kiddie (the script boy) | SME / specific security flaws
Cracker (burned ground, the Destructor) | Big Companies / PA / Finance / Telco
Ethical Hacker (the ethical hacker's world) | Vendor / System Integrator / Telco
Quiet, paranoid, skilled hacker (the very specialized and paranoid attacker) | Big Companies / PA / Finance / Telco / R&D
Cyber-Warrior (the soldier, hacking for money) | Multinationals (as symbols)
Industrial Spy (industrial espionage) | Multinationals, ICT companies
Government agent (CIA, Mossad, FBI, etc.; Cuckoo's Egg docet) | Multinationals / Governments
20 Attack tools grew up, intruders' skills went down!
21 BACK! THE PROACTIVE SECURITY SQUARE
22 SECURITY TESTING: HOW IT WORKS Ok, what's in these verification actions? Using different actions of Vulnerability Scanning, Penetration Test or attacks via Ethical Hacking, we put in place proactive verification systems, useful to point out weaknesses in the target systems, environments or network. [diagram: EXTERNAL / Deep Inside / INTERNAL]
23 FROM THE EXTERNAL / FROM THE INTERNAL
Public Networks
Leased TCP/IP lines (CDN/CDA/ADSL/HDSL/F.R.)
Packet Switching lines (CDN or Frame Relay)
Telephone lines (PSTN/ISDN)
Satellite lines (mono/bidirectional)
Mobile (GSM, GPRS, 3G)
Private Networks with public gateways
INSIDER ABUSE PROFILE
INTERNAL L.A.N. (via RAS or on-site)
LAN-to-LAN PtP
LAN-to-LAN Public
LAN-to-LAN VPN
INTERNET-linked
Point-to-Point
X.25/X.121
DECnet
SNA
Dial-in / Toll-free access numbers
RAS
Suppliers' gateways: SAP, trusted suppliers, trusted gateways, etc.
24 WHY HIRE AN EXTERNAL TIGER TEAM?
You obtain an objective and impartial test of your data infrastructure
External T.T.s often use unconventional verification techniques, beyond the classic verification methodologies
Already knowing your information technology systems = conflict of interest + useful information for the attacks (e.g. 10.x or other private IP classes?)
The company's preconceptions could influence a home-made security test (blind-view issues)
Third-party confirmations supply guarantees to insurance and financial partners, as well as to the customers.
25 CONSULTANT SELECTION: COMPANY OR FREELANCE?
Single freelance: OK! He costs less: (apparent) money savings.
NOT OK... he does not have availability on particular equipment, skills and infrastructures, in order to execute large-scale jobs or attacks on specific media (e.g. RAS, PBX, X.25, OS different from Microsoft, Linux, Sun).
Compromise #1: problems on availability, immediate response, target dimensions;
Compromise #2: lower-profile testing, low vision on the targets;
Compromise #3: 3 heads work better than 1, we all know this: but if this leads to missed vulnerabilities, it will mean a false sense of security on the client's side.
26 OPERATING SYSTEMS TESTED IN +10 YEARS
- AOS/VS
- BBS Systems
- Bull PAD
- CICS/VTAM
- Cisco IOS
- CDC NOS (Control Data Corporation)
- DEC VAX/VMS and AXP/OpenVMS
- DEC Ultrix
- DEC Terminal Decserver
- DG/UX Aviion (Data General)
- DOS
- DRS/NX
- GS/1
- HP HP/UX
- IBM AIX
- IBM OS/400 (AS/400)
- IRIX (SGI)
- IRIS Operating System (PDP and others)
- Linux
- Motorola XMUX (Gandalf)
- Northern Telecom PBXs
- PACX/Starmaster (Starmaster Gandalf)
- Pick Systems
- PRIMOS (Prime Computer)
- RSTS
- SCO
- Shiva LAN Router
- Sun Solaris
- TOPS 10/20
- Unknown systems
- VCX Pad
- VM/CMS
- VM/370
- XENIX
- WANG Systems
27 MAIN CHECKS AND TESTS: Policies (External/Internal); Passwords; Operating System (OS) bugs; Application bugs.
28 OUR METHODOLOGY APPROACH
29 ATTACK PHASES
Information Gathering: the goal of this phase is obtaining all the available information about the target, using public sources and tools.
Services scanning: in this second phase, the goal is obtaining all the available information regarding the active services of the target machine(s), as well as their versions and releases.
Security flaws identification & PoC/Attack Phase: the goal here is to penetrate the target system(s) and obtain, wherever possible, full operating privileges on the machine; demonstrate the theorized vulnerabilities; Proof of Concept using specific or on-the-fly coded exploits.
Target Session: the fourth phase of the security verification process looks for information and trends on the target system itself; we also look for previous (unknown) break-ins or intrusions and we try to define and understand the management and administration level of the target box.
Security Report: the final Security Report contains: Executive Summary, Technical Summary, Attack Sessions, Evidence, as well as Tested Environment specifications, assigned Technical Risk Level, Suggestions and final Conclusions.
30 BACK AGAIN THE PROACTIVE SECURITY SQUARE
31 VULNERABILITY ASSESSMENT (SCANNING) THE PROACTIVE SECURITY SQUARE (1/7) YOU ARE HERE
Level 1 in the Security Testing Quality standards
Automated tests
English-language reports, fit for everybody
High number of false positives/negatives (fake alerts, fake sense of security)
It only cares about the IP world
32 SECURITY SCANNING THE PROACTIVE SECURITY SQUARE (2/7) YOU ARE HERE
Level 2 in the Security Testing Quality standards
Automated scans, hand-made verifications
Final report in Italian and English
Manual tuning of the false positives and negatives
We keep on taking care only of the IP areas
33 PENETRATION TESTING THE PROACTIVE SECURITY SQUARE (3/7) YOU ARE HERE
Level 3 in the Security Testing Quality standards
Verification actions manually executed, following proprietary methodologies (pentester's personal background or attack team's specific know-how)
The final report is directly written by the executing Tiger Team and is sent in Italian (or other languages) to the final customer
You can (optionally) bundle special testing services, such as Social Engineering, Trashing, Physical Intrusion, Web Application Security Testing, black-box penetration test, etc.
It does not stop at the IP world (RAS, X.25, DECnet, Wi-Fi, Web, etc.)
The execution time grows for each single tested asset
34 RISK ASSESSMENT THE PROACTIVE SECURITY SQUARE (4/7) YOU ARE HERE
Level 4 in the Security Testing Quality standards
Evaluation and correlation actions on the data mined from the testing operations and on the company's risk values
Results can be generated from the 3 previous technical analysis methodologies
It needs a long execution time
If the technical testing results are somehow false, the whole risk analysis will pay the consequences (and the economic investments as well!)
35 SECURITY AUDIT THE PROACTIVE SECURITY SQUARE (5/7) YOU ARE HERE
Level 5 in the Security Testing Quality standards
Auditing actions, typically from the internal environment, on the whole IT information infrastructure: the analysis looks at the design, procedural and implementation points of view and at security issues, exposures and flaws.
It is manually executed, with a strongly customized final report based on the client's effective needs, also taking into consideration specific assets or company businesses.
It can be the final result of proactive security methodologies, married with standard risk analysis methodologies (CRAMM, etc.)
36 ETHICAL HACKING THE PROACTIVE SECURITY SQUARE (6/7) YOU ARE HERE
Level 6 in the Security Testing Quality standards
360-degree verification attacks, aimed at specific assets, services or infrastructures
It requires FULL OPERATING AUTHORIZATION + "Free to Jail" (special options at point #3)
It is executed using unified actions of:
1. Penetration Testing (IP, xsdn, X.25/X.121, SAT, Wi-Fi, Web Applications, ...)
2. Phreaking
3. Social Engineering, Physical Intrusion, Trashing
4. Reverse Engineering
5. Black Box Penetration Testing
37 CERTIFIED POSTURE SECURITY ASSESSMENT THE PROACTIVE SECURITY SQUARE (7/7) YOU ARE HERE
Top Level (7) in the Security Testing Quality standards
Repeated verification and matching actions (follow-up), executed in a time-frame defined and agreed with the client
The analyses are based on initial knowledge factors (expressed in the vulnerability analysis generated from the previous testing actions) and are executed in full respect of the OSSTMM methodology (repeat and compare is possible, saving time & money!) and of its RAVs (Risk Assessment Values)
The final report is manually generated by the Tiger Team, it is in the client's language and it is compliant with international guidelines and standards, such as ISO/BSI, GAO, FISCAM
The Security Report is OSSTMM Certified
38 Proactive Security & SAT Security [ the dangerous relationships ]
39 THE PROBLEM
The main telecommunications vendors (Nokia, Ericsson, Alcatel, etc.) are selling insecure software and systems to telcos.
Telecommunications operators have a very poor understanding of security issues.
Based on 5 years' penetration testing experience, TLC operators are the most vulnerable of all industry groups.
Sophisticated hackers have an increased interest in telco security, communications and VAS hacking.
In the SAT environment the facts are even worse: no-one ever cared about Proactive Security.
Content resale (movies, shows, sit-coms, etc.) is moving to H.323 and other IP-based protocols.
40 THE VENDORS
Some vendors have decided to take an active stance in security (e.g. Nokia on security advisories); however, such initiatives are isolated and do not address most TLC security problems.
Most vendors sell antiquated software full of bugs, running old and unpatched versions of operating systems and daemons.
Operators cannot fix the identified security weaknesses because it would void their warranty.
In recent years, vendors discovered Linux as a good operating system for embedded applications: the security aspects are usually forgotten.
The result of this head-in-the-sand approach is an increase in the threat: critical infrastructures are at risk.
41 THE TLC OPERATORS
Operators rely on vendors for secure solutions.
Operators are primarily focused on network operations, software upgrades, network performance and other time-consuming routine tasks.
Operators lack in-house expertise on TLC security and hacking.
Operators are usually divided between the IT and Engineering departments, creating two separate security domains.
Most operators' networks are open to hackers.
42 THE PARADIGM Two different worlds, IT and Engineering. Very different priorities.
43 SOME NUMBERS Based on a 5-year study encompassing 21 network operators:
100% could be hacked from the Internet
90% could be hacked through PSTN, X.25 or ISDN
72% had a security incident in the last 2 years
23% had appropriate perimeter security control
0% had all their mission-critical hosts secured
0% had comprehensive database security in place
0% had integrity measures protecting billing data
44 THE ENEMY
SAT fraud is still an attractive target: cloning smart cards; bypassing toll, getting services without fees, setting up premium subscriptions, etc. (web hacking, operator hacking).
Privacy invasions: interception of call-related data (e.g. contents, signalling data, billing data) via device or Internet hacking.
Unauthorized Access: illegal access to the broadcasting center and IT back-office.
Recently one underground group announced it was reverse engineering Nokia software.
Groups of sophisticated hackers are working on abusing many Sat-decoders running on embedded Linuxes.
A US-based research group is working on a secure decoder.
45 THE COMPETITION
Traditional security shops: no knowledge of TLC-specific issues, poor understanding of security procedures.
Traditional TLC consultancies: very poor knowledge of security issues.
Big 5 audit firms: focused on policies, no real expertise (they outsource their jobs to people like us).
In-house resources: very dangerous. Internal fraud overlooked. Interdepartmental ego problems. Good security and bad security look the same.
46 DOING NOTHING with your sat and TLC infrastructures today is like doing nothing with your Internet hosts in the 90's. It is an invitation for upcoming disasters.
47 TYPICAL SECURITY ISSUES
INTERNET LINK: Firewalls not updated/managed; Lack of security policies; Errors in the secure network design (DMZ, direct access to internal hosts, bridge systems not in a secured area)
PSTN/ISDN LINKS: Unattended access gateways (RAS, ISDN backup on routers, ...); Missing hardening on RAS devices; Default passwords; Same phone numbers both for end-users (Pay-TV via xstn) and IT management
SAT-LINK: Insecure SAT devices (SAT IP routers); Missing hardening on SAT devices; Internal exploitation, interception of passing data
48 END-USER APPLICATIONS & ASSETS
FINANCE ENVIRONMENT: stock-exchange data download
PRESS ENVIRONMENT: news from the agencies
TLC ENVIRONMENT: Internet connectivity
ASSETS:
Smart Card / JAVA Card: clonable, breakable, reversible
Sat Decoder (STB): easy to crash, RS-232 console
Sat Router: we'll discuss this later
Centre of Broadcasting: hackable
Dealers: the weakest part of the chain
49 A THEORETICAL CASE STUDY: CoB ATTACK [diagram: LAN 1 with SIT, LAN 2 with SIT]
50 A THEORETICAL CASE STUDY: CONTACT POINTS When talking about IT Security, we must NOT forget that attackers don't use just the Internet: Process Security; Information Security; Physical Security; Communications Security; Internet Security; Wireless Security
51 A THEORETICAL CASE STUDY: Internet Presence [diagram: ADMIN, INTRANET, ISP, NEWS, DMZ, NSI, SATELLITE OFFICE, MOBILE OFFICE] Blue is considered under control. Red is in 3rd-party control. Yellow is 3rd party where some control can be maintained.
52 A THEORETICAL CASE STUDY: Attack Points [diagram: ADMIN, ISP, INTRANET, NEWS, DMZ, INTERNIC, SATELLITE OFFICE, MOBILE OFFICE] Note the traditional defense points. Note what a hacker can attack to cause damage.
53 LET'S PLAY IT AS A MOBILE TELCO: GSM Architecture
54 GSM Operations [diagram: a mobile operator's operations map, showing the Billing System & Golden Database, Mediation System, CRM Tool, IN Platform, SIM manufacturer and dealers, SAP, bank and card-payment interfaces, fraud and bad-debt databases, TAP clearing house, call centre (ACD, IVR, CBR tool), and network elements (SGSN, GGSN, WAP, VMS, SMC, AuC, HLR, MSC)]
55 LET'S PLAY IT AS A MOBILE TELCO
56 ZOOM: SAT ROUTER'S B.B. SECURITY TESTING
B.B. = BLACK BOX MODE when testing the security of a device
What we tested: Broadlogic Satellite Express XLT* (DVB to Multicast Router); SatLynx BBI Astra; ViaSat LinkStar (ComSat Laboratories)
* Now the SkyStream EMR 5000 Edge Media Router
57 ZOOM: SAT ROUTER'S B.B. SECURITY TESTING
What we found: 1) LACK of security in default accounts
Web Management Interface: Username: webadmin / Password: webadmin
Telnet Management Interface: Username: admin / Password: admin; Username: installer / Password: installer
System Users (MD5 hashes):
root:$1$t.tujsep$zzhajmrk7z.oqerarfwkn1
bsupport:$1$taviasbi$0rvfqes85knelm/eowd2r.
58 ZOOM: SAT ROUTER'S B.B. SECURITY TESTING What we found: 2) Insecure and badly written web applications (CGIs, etc.) Very common (and known) secure-programming issues have been found on all the tested devices.
59 ZOOM: SAT ROUTER S B.B. SECURITY TESTING
60 ZOOM: SAT ROUTER S B.B. SECURITY TESTING
61 ZOOM: SAT ROUTER'S B.B. SECURITY TESTING What we found: 3) Proven chances to abuse the device, launching attacks against other hosts (extracts from the original report follow) The device we tested has a problem in its TCP/IP stack: the IP ID field of its packets is incremental, so a hypothetical attacker can use the system as a bridge for launching port scans (zombie scan). This operation can be carried out even without direct access to the system. A practical example is illustrated below: in this case, had an IDS or a portscan-detection system been present on the network, the source address would not have been the attacker's but that of router XXXXX (with the obvious legal consequences, also under current Italian legislation). Further information on this vulnerability can be found at:
62 ZOOM: SAT ROUTER'S B.B. SECURITY TESTING We now proceed to a practical demonstration of the above, launching a port scan on IP [...], indicating [...] (router XXXXXX under ZombieScan) as the source IP.
nmap -si p 1,12,22,80,443,
Starting nmap 3.30 ( ) at :18 CEST
Idlescan using zombie ( :80); Class: Incremental
Interesting ports on :
(The 3 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
80/tcp open http
443/tcp open https
Nmap run completed -- 1 IP address (1 host up) scanned in seconds
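The check a defender runs against their own devices to find the incremental IP ID behaviour the report above describes, as an added example (not code from the slides or from any of the tested vendors): it classifies an already-collected IP ID sequence the way nmap's "Class:" line does. It assumes the IP IDs of consecutive replies have been captured beforehand (e.g. from a packet capture) as a list of integers; the sample sequences and the step thresholds are this example's own constructions.

```python
"""Classify an IP ID sequence to spot stacks that could serve as idle-scan zombies.

Added example, not code from the original slides or from any vendor.
Assumes the IP IDs of consecutive replies from the device under test have
already been collected (e.g. from a packet capture) as a list of integers.
The sample sequences and the thresholds below are constructed for this example.
"""
from typing import Dict, List, Tuple

IPID_MODULUS = 1 << 16  # the IP identification field is 16 bits wide


def ipid_deltas(ids: List[int]) -> List[int]:
    """Differences between consecutive IP IDs, modulo 2^16 so wrap-around is handled."""
    return [(b - a) % IPID_MODULUS for a, b in zip(ids, ids[1:])]


def swap16(value: int) -> int:
    """Swap the two bytes of a 16-bit value (reveals counters stored in the wrong byte order)."""
    return ((value & 0xFF) << 8) | (value >> 8)


def classify_ipid(ids: List[int]) -> str:
    """Return a class label for the sequence.

    Labels loosely follow the classes nmap prints ("Incremental", "Broken
    little-endian incremental", "Random positive increments", "Randomized",
    "All zeros"); the step thresholds are this example's own assumption.
    """
    if len(ids) < 3:
        raise ValueError("need at least three samples to classify")
    if all(i == 0 for i in ids):
        return "all-zeros"
    deltas = ipid_deltas(ids)
    if all(d == 0 for d in deltas):
        return "constant"
    # Plain global counter: every reply is 1..3 above the previous one.
    if all(1 <= d <= 3 for d in deltas):
        return "incremental"
    # Counter written with the bytes swapped: the small steps appear after swapping.
    if all(1 <= d <= 3 for d in ipid_deltas([swap16(i) for i in ids])):
        return "broken-le-incremental"
    # Always moving forward but in unpredictable steps (busy host or per-flow counters).
    if all(d < 20000 for d in deltas):
        return "random-positive-increments"
    return "randomized"


def usable_as_zombie(ids: List[int]) -> bool:
    """True for the predictable classes the report warns about: a third party can
    read the host's traffic volume (and so other hosts' replies to it) off its IP IDs."""
    return classify_ipid(ids) in ("incremental", "broken-le-incremental")


# Constructed sample sequences (not real captures).
SAMPLES: Dict[str, List[int]] = {
    "vulnerable-router": [31337, 31338, 31339, 31340, 31341, 31342],
    "byte-swapped-counter": [1, 257, 513, 769, 1025],
    "busy-server": [100, 5100, 9100, 16000, 19200],
    "randomizing-stack": [41987, 2203, 60023, 17780, 33291],
    "zero-ids": [0, 0, 0, 0],
}


def audit_report(samples: Dict[str, List[int]] = SAMPLES) -> Dict[str, Tuple[str, bool]]:
    """Map each sample name to (class label, usable as zombie) for a quick audit summary."""
    return {name: (classify_ipid(ids), usable_as_zombie(ids)) for name, ids in samples.items()}


if __name__ == "__main__":
    for name, (cls, zombie) in audit_report().items():
        flag = "REVIEW: predictable IP ID" if zombie else "ok"
        print(f"{name:22s} {cls:28s} {flag}")
```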
63 ZOOM: SAT ROUTER'S B.B. SECURITY TESTING What we found: 4) Default SNMP communities (public, private) Some of the tested devices had SNMP capabilities. In all cases, the communities used by SNMP were the default ones. (extract from the final reports) In general, on all the tested SITs it is possible to gain access to a number of system details, but on one particular SIT it was possible to use the default SNMP community (which cannot be modified) to gain access to detailed system information, such as the satellite coordinates.
64 ZOOM: SAT ROUTER'S B.B. SECURITY TESTING What we found: 5) TELNET access with NULL password (!) In another black-box test, we found a device with TELNET open and without a management password. This is really sad.
65 ZOOM: SAT ROUTER'S B.B. SECURITY TESTING
telnet
Trying
Connected to
Escape character is '^]'.
Password:
Logged in as root
help?
help version alias unalias delay script doscript setprompt repeat systat mcbstat mcbprt memstat syscnt pbconf sysconf niprt util plog ptime echo msgtrace nochkdest chkdest putuseconput conolog time date sendtime uptime bc bread read lread bwrite write lwrite bcopy bcmp memtest hwreset reboot setprad restart kill setqsize poll initp resetp devstart devstop attach unattach prtstat show clrstat config prtconfig enable disable setloop clrloop settrace prtcache reseticache passwd rloginauth whoami login logout rlogout exit nvram_fstat nvram_parms nvram_init nvram_open nvram_read nvram_create nvram_write nvram_close nvram_copy nvram_lseek mdbselect mdbfiletype mdbread mdbwrite mdbdatavalid dblist dbprint dbprintdef dbsetvalue dbsetfield dbadd dbdelete dbdeleteall ksetprint ethnrtsho ethprtsho ethnrtadd ethprtadd ethsetprom ethclrprom ethtest ethenabcast ethdisbcast ethsetloop ethclrloop setipaddr proxytcpstatus arpadd arpdelete arpproxyadd arpproxydel arpproxylist ping riproutes disproutecb addsroute showtree showextnodes stressroute rtprt nhtprt hrtprt rtlook hrtlook mrtprt addmroute delmroute savebootparms switchbb bbrcvrinfo setdbready kdbpr
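Findings 1 and 5 above (default management credentials and a TELNET login with no password) are the kind of thing a device owner can check for in their own account export before a tester does. The Python audit below is an added example, not the slides' or any vendor's code; the "interface:username:secret" export format, the default-password list and the sample export are all constructed assumptions for this example.

```python
"""Audit a device's account export for the weaknesses listed in the slides:
default credentials (password equal to the username or on a well-known list),
empty passwords (the "TELNET with NULL password" case) and legacy MD5-crypt
($1$) hashes for system users.

Added example, not the slides' or any vendor's code. The export format is an
assumption: one "interface:username:secret" line per account, where secret is
either a plaintext password (web/telnet management accounts) or a crypt-style
hash (system users). The sample export below is constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Passwords a black-box test tries first; extend per vendor documentation (constructed list).
COMMON_DEFAULTS = {"admin", "password", "installer", "webadmin", "public", "private"}


@dataclass
class Finding:
    interface: str
    username: str
    issue: str


def parse_export(text: str) -> List[Tuple[str, str, str]]:
    """Parse 'interface:username:secret' lines; blank lines and '#' comments are skipped.
    Only the first two colons split fields, so crypt hashes containing '$' stay intact."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        interface, username, secret = line.split(":", 2)
        records.append((interface, username, secret))
    return records


def audit_account(interface: str, username: str, secret: str) -> List[Finding]:
    """Return the findings for a single account."""
    findings: List[Finding] = []
    if secret == "":
        findings.append(Finding(interface, username, "empty password: anyone can log in"))
        return findings
    if secret.startswith("$"):
        # crypt-style hash: it cannot be compared to the username here, but the
        # algorithm can be flagged. $1$ is MD5-crypt, a weak choice today.
        if secret.startswith("$1$"):
            findings.append(Finding(interface, username, "MD5-crypt ($1$) hash: weak algorithm"))
        return findings
    # plaintext management password
    if secret.lower() == username.lower():
        findings.append(Finding(interface, username, "password equals username"))
    elif secret.lower() in COMMON_DEFAULTS:
        findings.append(Finding(interface, username, "well-known default password"))
    return findings


def audit_export(text: str) -> List[Finding]:
    """Run audit_account over every record of an export and collect the findings."""
    findings: List[Finding] = []
    for interface, username, secret in parse_export(text):
        findings.extend(audit_account(interface, username, secret))
    return findings


# Constructed sample export, mirroring the account types named in the slides.
SAMPLE_EXPORT = """\
# interface:username:secret
web:webadmin:webadmin
telnet:admin:admin
telnet:installer:installer
telnet:root:
system:root:$1$constructedsalt$constructedhashvalue
system:bsupport:$6$constructedsalt$constructedhashvalue
web:operator:Corr3ct-H0rse!
"""

if __name__ == "__main__":
    for f in audit_export(SAMPLE_EXPORT):
        print(f"[{f.interface}] {f.username}: {f.issue}")
```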