back to article What can $10 stretch to these days? Lunch... or access to international airport security systems

Dark web shops are selling access to computers on corporate networks for less than the cost of a short cab ride. Security researchers at McAfee have uncovered a network of so-called Remote Desktop Protocol (RDP) shops on the dark web which sell access to compromised IT systems, sometimes for as little as $10 a pop – which …

  1. regregular

    The more I find out about the management of important and critical infrastructure, the more I get interested in building an off-the-grid house and taking up hunting.

    1. Rich 11

      Agreed

      Unfortunately there are only so many pet rabbits one can hunt and eat in Surbiton.

      1. I am the liquor
        Joke

        Re: Unfortunately there are only so many pet rabbits one can hunt and eat in Surbiton.

        You can definitely raise your own pigs and chickens in Surbiton though, there was a documentary series about it in the 70s.

        1. Robert Helpmann??
          Childcatcher

          Re: Unfortunately there are only so many pet rabbits one can hunt and eat in Surbiton.

          That still leaves a variety of other protein on the hoof or wing (roof rabbit, squab and various other CMOT Dibbler meatonnastick delicacies). You aren't really hungry if you aren't willing to eat it.

          1. Rich 11

            Re: Unfortunately there are only so many pet rabbits one can hunt and eat in Surbiton.

            You aren't really hungry if you aren't willing to eat it.

            That reminds me of a terrifying one-night stand I had back in the 80s. Shave first, goddammit, shave!

            1. sanmigueelbeer

              Re: Unfortunately there are only so many pet rabbits one can hunt and eat in Surbiton.

              Shave first, goddammit, shave!

              That's what she said.

      2. H in The Hague

        Re: Agreed

        You could try hunting urban foxes instead. From their front door a friend in Twickenham once managed to spot six of them at once.

      3. Doctor Syntax Silver badge

        Re: Agreed

        "Unfortunately there are only so many pet rabbits one can hunt and eat in Surbiton."

        You might need to move out a little and develop a taste for horse meat.

      4. MachDiamond Silver badge

        Re: Agreed

        How about hamster or squirrel?

    2. Martin Summers Silver badge

      What I don't get though is if there are so many building and industrial systems compromised why we don't hear anything of the results. Surely someone wreaking mayhem with such a system would result in some sort of press coverage even if they didn't know what caused it to begin with.

  2. Anonymous Coward
    Anonymous Coward

    I was "hacked" via RDP

    last Christmas.

    Came home to find 2 emails saying I had purchased two iTunes vouchers worth $80 and £50.

    I figured they were junk but a quick check revealed they were genuine.

    Cue frantic phones calls to ebay, paypal and my bank.

    I got them cancelled and the bank refunded me but I was stumped how they had done it, until I checked a log from my firewall software. 1000's of connection attempts and eventually they broke through a semi-rigid password so I suspect a rainbow table was used.

    It woke me up, my password for windows RDP is now some 30+ characters, ONLY my tablet and works PC are allowed access and the firewall blocks ANY other RDP connection except those two.

    1. Lee D Silver badge

      Re: I was "hacked" via RDP

      Do yourself a favour - get or write a script that emails you for every RDP login. There are loads of them out there.

      There's nothing more reassuring than at least knowing "Hey, I spotted something odd that managed to slip past what I thought was secure!".

      RDP has suffered several attacks recently (e.g. CredSSP), so patch it like mad, and check people aren't bypassing your password entirely.

    2. Anonymous Coward
      Anonymous Coward

      Re: I was "hacked" via RDP

      I had a discussion once about the concept of doubling the time between login attempts:

      start with a 1 second re-try and double the time for every wrong login attempt. Has anybody ever implemented this?

      1. Anonymous South African Coward Bronze badge

        Re: I was "hacked" via RDP

        I had a discussion once about the concept of doubling the time between login attempts:

        start with a 1 second re-try and double the time for every wrong login attempt. Has anybody ever implemented this?

        That's what a good BOFH would do

        WITH THE ADDITION of a "bandwidth throttle" the more failed attempts, the more that specific IP or connection will be throttled.

        Hopefully the attacker will give up in despair after increasing timeouts and a connection that get progressively slower.

        Come to think of it, if it was possible to do a GPO where your timeout increases the more incorrect passwords you type, I will implement it most definitely.

      2. Wensleydale Cheese

        Re: I was "hacked" via RDP

        "I had a discussion once about the concept of doubling the time between login attempts:

        start with a 1 second re-try and double the time for every wrong login attempt. Has anybody ever implemented this?"

        VMS introduced an intrusion detection system back in 1984 (VMS V4.0). It would automagically disable logins when the number of login failures exceeded a predefined limit within a short space of time, and there was a random element to that, to make life a bit more difficult for attackers.

        It filtered on login source, so for example network logins from a particular workstation or a modem line could be disabled while logins from a local serial connection weren't. It was parameter driven so you could customise its behaviour

        By default logins would be re-enabled after some random time, so you weren't locked out permanently, again configuration parameter driven.

        Early versions of the documentation omitted or carefully hid the command to re-enable logins manually (e.g. after a user rang up to say they'd locked themselves out), which led to much frustration when the Messages User Guide had it that the remedy was "Contact your System Manager", and you were that person.

      3. Bobby Omelette

        Re: I was "hacked" via RDP

        Lotus Notes client.

    3. Joe Harrison

      Re: I was "hacked" via RDP

      Having a 30+ character password is not ideal though in terms of convenience.

      If you feel you are that juicy enough a target then surely login with a client certificate (maybe stored on a USB security key) is the way to go.

      RDP (well mstsc.exe at least) also supports optionally having the server present it's own client certificate to you at login time so you can be sure you are not connecting to a spoofed server configured to look like yours. Time-consuming to setup but no particular expense involved if you can use self-signed certs.

    4. Flakk
      Headmaster

      Re: I was "hacked" via RDP

      1000's of connection attempts and eventually they broke through a semi-rigid password so I suspect a rainbow table was used.

      Not to be pedantic, but I don't think a rainbow table was used. A rainbow table is a table of pre-calculated hash values for passwords. They're most useful when the attacker already has an offline copy of your SAM database file (or its dumped contents), from which he can compare its stored password hash values to the values in the rainbow table. You probably wouldn't have seen 1000's of connection attempts if this had been the case.

      Brute force attack, maybe? You can set an Account Lockout policy in your Local Security Policy to slow down brute force attacks.

    5. Anonymous Coward
      Anonymous Coward

      Re: I was "hacked" via RDP

      1000's of connection attempts and eventually they broke through a semi-rigid password so I suspect a rainbow table was used.

      To use the rainbox table, you have to get ahold of the password database. The idea is to find users usering known passwords, not a password of a known user.

      This sounds like non-tarpitted brute forcing...

  3. GnuTzu

    No Remote Access Here

    I'm glad that I work in a place where desktop sharing, web meetings, and other manners of remote access from the outside world are utterly verboten.

  4. Anonymous Coward
    Anonymous Coward

    "Die Hard with Remote Desktop"

    Now in movie theaters. To follow the twenty-years fad of cheap superhero fantasy fare, Spiderman makes a guest appearance to fight Dr. DarkHat.

  5. Anonymous Coward
    Anonymous Coward

    No love for RDP Defender?

    If it's just a home box you're defending, I can recommend the free RDP Defender from TerminalServicePlus.com. It works with the event log, failed logins and the windows firewall. Simple but effective.

    1. GnuTzu

      Re: No love for RDP Defender?

      There are also some enterprise solutions that log all remote access activity--so that if anything bad happens, you who did exactly what. And, that makes allowing plain vanilla RDP look seriously stoopid.

  6. No 3

    "In addition, sysadmins should consider blocking RDP connections over the open internet."

    SHOULD?? No, MUST be blocked. Where and on what planet is it a good idea to allow remote administration access to a window machine without having to go through a VPN? I'm truly astonished that computer security has dropped so far that this is even a thing.

    1. Lee D Silver badge

      "I'm gonna give you run of the complete IP network" rather than "I'm going to show you a picture of a machine that you'll have to log into"?

      VPN is sensible, sure, but as an encryption layer only. VPN into a network as if you were plugged in locally is just a perfect way to spread stuff from their machines to your network.

      VPN, and filter, and VLAN, and etc. etc. etc. and then to a limited network that only allows RDP traffic, through an authenticated gateway, only to select apps/VM's... yep. That sounds ideal.

      But to most people, well-configured RDP - with up-to-date clients - to an unprivileged TS acting as a network client is perfectly sufficient in terms of encryption, stopping brute-force attacks, letting people work from hotels, etc., convenience, and compatibility (you can do it from an iPad, or a smartphone).

      The question is not "what protocol do you use" but "what measures do you have protecting that protocol".

      But, personally, blanket VPN access is incredibly dangerous. And most people want it "to access network shares", so you can't block the protocols associated with that. Now you have SMB/CIFS traffic flowing around uncontrolled home networks.

      RDP, via a gateway, with certs, decent policy, IDS/IPS, and file-transfers disabled... it's then impossible to do anything that "that user logged in on a real machine inside" couldn't do, while also preventing all exposure of unsanitised data to/from their home / cybercafe / etc. IP networks.

      1. Flakk

        The question is not "what protocol do you use" but "what measures do you have protecting that protocol".

        That is one question to ask. Another question could be, "What am I going to expose to the Internet: a computer running a Windows OS or the Cisco hardware that's already exposed to the Internet?"

        You do make an excellent point regarding huge potential problems if a successful VPN connection grants unrestricted access to the private network. That's not a particularly wise strategy. I had a Cisco device that did nothing but handle remote access VPN connections. VPN users were collected in groups that governed which resources on the private network they could remotely access. Those restrictions were enforced by the firewall that the Cisco device connected to, and also by ACLs in the core switch.

        It wasn't a particularly pretty or speedy solution, but it did provide the defense-in-depth that allowed me to sleep at night while enabling my remote Accounting users access to the corporate PeopleSoft server.

  7. fargonebastage
    Big Brother

    VPN configuration

    VPN configuration if neglected or implemented incorrectly can indeed grant too much access. If however one takes the time to understand the environment and the roles it can be quite easy to grant very specific access. A VPN implemented correctly is much more secure than an RDP connection open to the world. Your windows server is a mere stepping stone to the rest of your environment. Better to have a few layers between it and the internet.

  8. Anonymous Coward
    Anonymous Coward

    What Services.msc entries to Modify to Disable this and similar 'backdoors' permanently?

    ServiceName: SessionEnv

    Display Name: Remote Desktop Configuration

    Path to Exe: C:\Windows\System32\svchost.exe -k netsvcs

    ~~~

    ServiceName: TermService

    Display Name: Remote Desktop Services

    Path to Exe: C:\Windows\System32\svchost.exe -k NetworkService

    ~~~

    ServiceName: RemoteRegistry

    Display Name:RemoteRegistry

    Path to Exe: C:\Windows\system32\svchost.exe -k regsvc

    ~~~

    ServiceName: RemoteAccess

    Display Name:Routing and Remote Access

    Path to Exe: C:\Windows\System32\svchost.exe -k netsvcs

    ~~~

    ServiceName: RasMan

    Display Name:Remote Access Connection Manager

    Path to Exe: C:\Windows\System32\svchost.exe -k netsvcs

  9. MachDiamond Silver badge

    Mind the gap

    Part of the problem is lax policies when it comes to remote access. Why does an airport need lots of people that can remotely access the internal system with just a L/P? There should be a limited number of people that can do that and many of them should be restricted by their machines MAC address. Any facility of a significant size is going to have an operating staff on hand 24/7. It would take one heck of an emergency to need having a bunch more remote people logging in to get something done.

    The more critical the system, the more restricted outside access should be. Some sites like a nuclear power plant or National Grid center should not have any or only one or two that are only accessible in a way that highly controlled. The likelihood of place like that being in danger of being hacked is much greater than the chance remote access is needed to resolve an emergency.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon