The more I find out about the management of important and critical infrastructure, the more I get interested in building an off-the-grid house and taking up hunting.
What can $10 stretch to these days? Lunch... or access to international airport security systems
Dark web shops are selling access to computers on corporate networks for less than the cost of a short cab ride. Security researchers at McAfee have uncovered a network of so-called Remote Desktop Protocol (RDP) shops on the dark web which sell access to compromised IT systems, sometimes for as little as $10 a pop – which …
COMMENTS
-
-
Thursday 12th July 2018 12:34 GMT Anonymous Coward
I was "hacked" via RDP
last Christmas.
Came home to find 2 emails saying I had purchased two iTunes vouchers worth $80 and £50.
I figured they were junk but a quick check revealed they were genuine.
Cue frantic phone calls to eBay, PayPal and my bank.
I got them cancelled and the bank refunded me but I was stumped how they had done it, until I checked a log from my firewall software. 1000's of connection attempts and eventually they broke through a semi-rigid password so I suspect a rainbow table was used.
It woke me up, my password for windows RDP is now some 30+ characters, ONLY my tablet and work PC are allowed access and the firewall blocks ANY other RDP connection except those two.
-
Thursday 12th July 2018 13:02 GMT Lee D
Re: I was "hacked" via RDP
Do yourself a favour - get or write a script that emails you for every RDP login. There are loads of them out there.
There's nothing more reassuring than at least knowing "Hey, I spotted something odd that managed to slip past what I thought was secure!".
RDP has suffered several attacks recently (e.g. CredSSP), so patch it like mad, and check people aren't bypassing your password entirely.
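As an added illustration of the per-login alert Lee D suggests, and of spotting the "1000s of attempts then a success" pattern from the first post, here is a small detector over constructed log lines (this is example code, not a script from any commenter; the `src=... user=... result=...` format and the allowlist of two sources are assumptions):

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simple firewall/RDP-gateway style (not from any real product).
SAMPLE_LOG = """\
2018-07-12T03:14:01 src=203.0.113.7 user=administrator logon=rdp result=FAIL
2018-07-12T03:14:02 src=203.0.113.7 user=administrator logon=rdp result=FAIL
2018-07-12T03:14:03 src=203.0.113.7 user=admin logon=rdp result=FAIL
2018-07-12T03:14:04 src=203.0.113.7 user=john logon=rdp result=FAIL
2018-07-12T03:14:05 src=203.0.113.7 user=john logon=rdp result=FAIL
2018-07-12T03:14:06 src=203.0.113.7 user=john logon=rdp result=SUCCESS
2018-07-12T08:00:00 src=198.51.100.2 user=john logon=rdp result=SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) logon=rdp result=(FAIL|SUCCESS)$")

def parse(log_text):
    """Turn the constructed log format into (timestamp, src, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, user, result = m.groups()
            events.append((datetime.fromisoformat(ts), src, user, result))
    return events

def find_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Return {src: (failure_count, user)} for sources whose successful RDP
    logon was preceded by >= threshold failures inside the window."""
    fails = defaultdict(list)
    hits = {}
    for ts, src, user, result in sorted(events):
        if result == "FAIL":
            fails[src].append(ts)
            continue
        recent = [t for t in fails[src] if ts - t <= window]
        if len(recent) >= threshold:
            hits[src] = (len(recent), user)
        fails[src].clear()  # a success resets the counter for that source
    return hits

def logins_to_notify(events):
    """Every successful RDP logon: the per-login alert to email out."""
    return [(ts.isoformat(), src, user) for ts, src, user, r in events if r == "SUCCESS"]

def off_allowlist(events, allowed):
    """Successful logons from sources other than the few you expect (tablet, work PC)."""
    return [(src, user) for _, src, user, r in events if r == "SUCCESS" and src not in allowed]
```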
-
-
Thursday 12th July 2018 14:28 GMT Anonymous South African Coward
Re: I was "hacked" via RDP
I had a discussion once about the concept of doubling the time between login attempts:
start with a 1 second re-try and double the time for every wrong login attempt. Has anybody ever implemented this?
That's what a good BOFH would do
WITH THE ADDITION of a "bandwidth throttle" the more failed attempts, the more that specific IP or connection will be throttled.
Hopefully the attacker will give up in despair after increasing timeouts and a connection that gets progressively slower.
Come to think of it, if it was possible to do a GPO where your timeout increases the more incorrect passwords you type, I will implement it most definitely.
-
Thursday 12th July 2018 14:33 GMT Wensleydale Cheese
Re: I was "hacked" via RDP
"I had a discussion once about the concept of doubling the time between login attempts:
start with a 1 second re-try and double the time for every wrong login attempt. Has anybody ever implemented this?"
VMS introduced an intrusion detection system back in 1984 (VMS V4.0). It would automagically disable logins when the number of login failures exceeded a predefined limit within a short space of time, and there was a random element to that, to make life a bit more difficult for attackers.
It filtered on login source, so for example network logins from a particular workstation or a modem line could be disabled while logins from a local serial connection weren't. It was parameter driven so you could customise its behaviour.
By default logins would be re-enabled after some random time, so you weren't locked out permanently, again configuration parameter driven.
Early versions of the documentation omitted or carefully hid the command to re-enable logins manually (e.g. after a user rang up to say they'd locked themselves out), which led to much frustration when the Messages User Guide had it that the remedy was "Contact your System Manager", and you were that person.
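An added example, not code from either commenter, that combines the two ideas in this sub-thread: the per-source delay that doubles on every wrong attempt, and the VMS-style rule of disabling logins from a source once failures exceed a limit within a short window, re-enabling them after a random interval. The class name, parameters and limits are assumptions for illustration.

```python
import random
from dataclasses import dataclass, field

@dataclass
class SourceState:
    failures: int = 0                            # consecutive failures from this source
    recent: list = field(default_factory=list)   # timestamps of failures in the burst window
    locked_until: float = 0.0                    # 0 means logins from this source are enabled

class LoginThrottle:
    """Per-source throttle: delay doubles per failure, lockout after a burst,
    lockout expires after a random interval, everything resets on success."""
    def __init__(self, base_delay=1.0, max_delay=300.0, burst_limit=5,
                 burst_window=60.0, lock_min=600.0, lock_max=1800.0, rng=None):
        self.base_delay, self.max_delay = base_delay, max_delay
        self.burst_limit, self.burst_window = burst_limit, burst_window
        self.lock_min, self.lock_max = lock_min, lock_max
        self.rng = rng or random.Random()
        self.sources = {}

    def _state(self, source):
        return self.sources.setdefault(source, SourceState())

    def delay_for(self, source):
        """Seconds the next attempt from this source must wait: 1, 2, 4, 8 ... up to max_delay."""
        s = self._state(source)
        return min(self.base_delay * (2 ** s.failures), self.max_delay)

    def is_locked(self, source, now):
        """True while logins from this source are disabled."""
        return self._state(source).locked_until > now

    def record_failure(self, source, now):
        """Register a failed login at time `now`; returns True if this triggered a lockout."""
        s = self._state(source)
        s.failures += 1
        s.recent = [t for t in s.recent if now - t <= self.burst_window] + [now]
        if len(s.recent) >= self.burst_limit and s.locked_until <= now:
            # random re-enable time, so the attacker cannot predict when to resume
            s.locked_until = now + self.rng.uniform(self.lock_min, self.lock_max)
            return True
        return False

    def record_success(self, source):
        """A correct password clears the backoff for that source only."""
        self.sources.pop(source, None)
```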
-
-
Thursday 12th July 2018 13:34 GMT Joe Harrison
Re: I was "hacked" via RDP
Having a 30+ character password is not ideal though in terms of convenience.
If you feel you are that juicy a target then surely login with a client certificate (maybe stored on a USB security key) is the way to go.
RDP (well mstsc.exe at least) also supports optionally having the server present its own client certificate to you at login time so you can be sure you are not connecting to a spoofed server configured to look like yours. Time-consuming to set up but no particular expense involved if you can use self-signed certs.
-
Thursday 12th July 2018 14:11 GMT Flakk
Re: I was "hacked" via RDP
1000's of connection attempts and eventually they broke through a semi-rigid password so I suspect a rainbow table was used.
Not to be pedantic, but I don't think a rainbow table was used. A rainbow table is a table of pre-calculated hash values for passwords. They're most useful when the attacker already has an offline copy of your SAM database file (or its dumped contents), from which he can compare its stored password hash values to the values in the rainbow table. You probably wouldn't have seen 1000's of connection attempts if this had been the case.
Brute force attack, maybe? You can set an Account Lockout policy in your Local Security Policy to slow down brute force attacks.
-
Thursday 12th July 2018 18:02 GMT Anonymous Coward
Re: I was "hacked" via RDP
1000's of connection attempts and eventually they broke through a semi-rigid password so I suspect a rainbow table was used.
To use the rainbow table, you have to get ahold of the password database. The idea is to find users using known passwords, not a password of a known user.
This sounds like non-tarpitted brute forcing...
-
-
-
Thursday 12th July 2018 15:13 GMT No 3
"In addition, sysadmins should consider blocking RDP connections over the open internet."
SHOULD?? No, MUST be blocked. Where and on what planet is it a good idea to allow remote administration access to a Windows machine without having to go through a VPN? I'm truly astonished that computer security has dropped so far that this is even a thing.
-
Thursday 12th July 2018 15:39 GMT Lee D
"I'm gonna give you run of the complete IP network" rather than "I'm going to show you a picture of a machine that you'll have to log into"?
VPN is sensible, sure, but as an encryption layer only. VPN into a network as if you were plugged in locally is just a perfect way to spread stuff from their machines to your network.
VPN, and filter, and VLAN, and etc. etc. etc. and then to a limited network that only allows RDP traffic, through an authenticated gateway, only to select apps/VMs... yep. That sounds ideal.
But to most people, well-configured RDP - with up-to-date clients - to an unprivileged TS acting as a network client is perfectly sufficient in terms of encryption, stopping brute-force attacks, letting people work from hotels, etc., convenience, and compatibility (you can do it from an iPad, or a smartphone).
The question is not "what protocol do you use" but "what measures do you have protecting that protocol".
But, personally, blanket VPN access is incredibly dangerous. And most people want it "to access network shares", so you can't block the protocols associated with that. Now you have SMB/CIFS traffic flowing around uncontrolled home networks.
RDP, via a gateway, with certs, decent policy, IDS/IPS, and file-transfers disabled... it's then impossible to do anything that "that user logged in on a real machine inside" couldn't do, while also preventing all exposure of unsanitised data to/from their home / cybercafe / etc. IP networks.
-
Thursday 12th July 2018 19:11 GMT Flakk
The question is not "what protocol do you use" but "what measures do you have protecting that protocol".
That is one question to ask. Another question could be, "What am I going to expose to the Internet: a computer running a Windows OS or the Cisco hardware that's already exposed to the Internet?"
You do make an excellent point regarding huge potential problems if a successful VPN connection grants unrestricted access to the private network. That's not a particularly wise strategy. I had a Cisco device that did nothing but handle remote access VPN connections. VPN users were collected in groups that governed which resources on the private network they could remotely access. Those restrictions were enforced by the firewall that the Cisco device connected to, and also by ACLs in the core switch.
It wasn't a particularly pretty or speedy solution, but it did provide the defense-in-depth that allowed me to sleep at night while enabling my remote Accounting users access to the corporate PeopleSoft server.
-
-
-
Thursday 12th July 2018 20:20 GMT fargonebastage
VPN configuration
VPN configuration if neglected or implemented incorrectly can indeed grant too much access. If however one takes the time to understand the environment and the roles it can be quite easy to grant very specific access. A VPN implemented correctly is much more secure than an RDP connection open to the world. Your Windows server is a mere stepping stone to the rest of your environment. Better to have a few layers between it and the internet.
-
Thursday 12th July 2018 22:06 GMT Anonymous Coward
What Services.msc entries to Modify to Disable this and similar 'backdoors' permanently?
ServiceName: SessionEnv
Display Name: Remote Desktop Configuration
Path to Exe: C:\Windows\System32\svchost.exe -k netsvcs
~~~
ServiceName: TermService
Display Name: Remote Desktop Services
Path to Exe: C:\Windows\System32\svchost.exe -k NetworkService
~~~
ServiceName: RemoteRegistry
Display Name: RemoteRegistry
Path to Exe: C:\Windows\system32\svchost.exe -k regsvc
~~~
ServiceName: RemoteAccess
Display Name: Routing and Remote Access
Path to Exe: C:\Windows\System32\svchost.exe -k netsvcs
~~~
ServiceName: RasMan
Display Name: Remote Access Connection Manager
Path to Exe: C:\Windows\System32\svchost.exe -k netsvcs
-
Friday 13th July 2018 19:37 GMT MachDiamond
Mind the gap
Part of the problem is lax policies when it comes to remote access. Why does an airport need lots of people that can remotely access the internal system with just a L/P? There should be a limited number of people that can do that and many of them should be restricted by their machine's MAC address. Any facility of a significant size is going to have an operating staff on hand 24/7. It would take one heck of an emergency to need to have a bunch more remote people logging in to get something done.
The more critical the system, the more restricted outside access should be. Some sites like a nuclear power plant or National Grid center should not have any, or only one or two that are only accessible in a way that is highly controlled. The likelihood of a place like that being in danger of being hacked is much greater than the chance remote access is needed to resolve an emergency.