“We are in a brave new world of security threats”
By Dan McDuffie, CEO Wyless
As you may have already seen on the news, a security vulnerability known as Heartbleed was recently identified in the popular OpenSSL cryptography library. The flaw lets an attacker read chunks of a server's memory, and with them sensitive data that would normally be protected by the SSL/TLS encryption used to secure Internet traffic, up to and including the server's private keys. The headlines have focused on web sites that might have the hole built in, but the same bug has serious implications for corporate security around access devices in the corporate IT and machine-to-machine (M2M) market. It highlights the need for stringent security controls not just on corporate-owned systems but on any solution a vendor has installed on your or your clients' premises that requires any level of external access. With regard to Heartbleed, any device (wired or wireless) connected to the corporate network that uses OpenSSL in any way potentially had this vulnerability, and there are undoubtedly other similar issues lurking out there as well.
What’s the impact of this? Essentially we are in a brave new world of security threats. Think in terms of several scenarios:
- Many ATMs worldwide are connected, wired and wirelessly, through modems that could be hacked, and every day hundreds of millions of people bank over these networks.
- Many corporate IT departments run secondary networks over wireless access gateways, for Internet continuity or for public Wi-Fi (for instance retail chains, restaurants, doctors' offices, health clubs, etc.).
- Both residential and corporate security systems have cellular gateways for backup or in growing cases for primary access to central monitoring stations.
- Building control systems such as energy management devices, HVAC Systems, etc. are connected to wired or wireless gateways for out of band management or remote monitoring.
- And in many cases of the above and other similar scenarios, disparate systems increasingly are interconnected without the knowledge of the end user, opening up the potential of a backdoor into other areas of the network.
How serious is this? Consider last year's breach of Target's network, in which tens of millions of consumer credit card numbers were compromised. Malware was installed on Target's point-of-sale devices after the thieves got in through the remote network access used by Target's HVAC vendor. The compromise of a simple industrial-control connection led to one of the largest breaches of consumer data in history.
With respect to Heartbleed, what is truly disturbing is that this flaw in OpenSSL went undetected for over two years. Heartbleed is a bug in OpenSSL's implementation of the TLS heartbeat extension, not in the protocol itself, but its effect is an opening in SSL/TLS, the encryption technology marked by the small closed padlock and "https:" in web browsers to signify that traffic is secure. By reading the server's memory an attacker can recover session data and credentials even though the padlock is closed, and, according to security researchers, can also grab the private keys for deciphering encrypted traffic without the web site owner knowing the theft occurred, since the malformed heartbeat leaves no trace in ordinary server logs. What's worse is that it is estimated that over two-thirds of the world's web servers rely on OpenSSL.
So what can one do to mitigate such disasters lurking in the shadows? First, secure the network from the obvious. Devices on public IP addresses are the most vulnerable, because they are directly reachable from the Internet. Use a private network instead. For instance, standard "private-IP" cellular connections from Wyless use a network configuration called "many-to-one" Network Address Translation (NAT) to reach publicly accessible Internet destinations. Because the gateway only creates a translation entry when the device itself opens a connection outbound, unknown entities on the Internet have no way to initiate contact with the private-addressed device. When a device has a public IP, either natively or assigned via "one-to-one" NAT, the network firewall by default does not filter, block, or prevent any Internet source from contacting the device. This leaves the wireless device itself as the only layer of security, and while most devices have some firewall capability of their own, that capability is frequently left disabled by default, left with the default username and password in place (which are easily found with an Internet search), misconfigured in a way that unexpectedly permits easy access, or installed correctly but exposed by a later patch or firmware upgrade.
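To make the difference between the two NAT modes concrete, here is a small simulation, added as an illustration for this article and not Wyless's own configuration or code. It models a gateway in front of a private-addressed device, with many-to-one NAT keeping per-flow translation state and one-to-one NAT simply rewriting the address, and shows what happens to a reply to the device's own outbound connection versus an unsolicited probe from the Internet. The addresses (RFC 5737 documentation ranges), port numbers and the three scenarios are constructed; the device firewall is assumed to be stateful, so it accepts replies to connections the device opened.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = True  # True = new connection attempt, False = reply to an existing flow


@dataclass
class Gateway:
    mode: str              # "many_to_one" (shared public IP, per-flow state) or "one_to_one"
    public_ip: str
    device_ip: str         # private address of the device behind the gateway
    open_ports: Optional[set] = None   # device's own firewall: ports it accepts; None = disabled
    nat_table: dict = field(default_factory=dict)
    next_port: int = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """Device -> Internet. Many-to-one NAT records the remote endpoint and the public
        port it chose; only packets matching that entry can be translated back in."""
        if self.mode == "many_to_one":
            pub_port = self.next_port
            self.next_port += 1
            self.nat_table[(pkt.dst_ip, pkt.dst_port, pub_port)] = (pkt.src_ip, pkt.src_port)
            return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.syn)
        # one-to-one: address rewritten, port untouched, no state kept
        return Packet(self.public_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.syn)

    def inbound(self, pkt: Packet) -> str:
        """Internet -> device. Returns a description of what happened to the packet."""
        if self.mode == "many_to_one":
            entry = self.nat_table.get((pkt.src_ip, pkt.src_port, pkt.dst_port))
            if entry is None:
                return "dropped at gateway: no matching NAT state"
            priv_ip, priv_port = entry
        else:
            # one-to-one NAT forwards everything addressed to the public IP
            priv_ip, priv_port = self.device_ip, pkt.dst_port
        # device firewall (assumed stateful): replies pass, new connections only on open ports
        if not pkt.syn or self.open_ports is None or priv_port in self.open_ports:
            return f"delivered to {priv_ip}:{priv_port}"
        return f"rejected by device firewall on port {priv_port}"


def exposure_report() -> dict:
    """Constructed scenario: the device at 10.0.0.5 opens a connection to a monitoring
    server (198.51.100.7:443); an attacker at 203.0.113.9 then probes telnet (port 23)
    on the gateway's public address. Same device, three gateway/firewall setups."""
    monitoring, attacker = "198.51.100.7", "203.0.113.9"
    setups = {
        "private IP, many-to-one NAT":
            Gateway("many_to_one", "192.0.2.1", "10.0.0.5", open_ports=None),
        "public IP, device firewall disabled":
            Gateway("one_to_one", "192.0.2.1", "10.0.0.5", open_ports=None),
        "public IP, device firewall allows 443 only":
            Gateway("one_to_one", "192.0.2.1", "10.0.0.5", open_ports={443}),
    }
    results = {}
    for name, gw in setups.items():
        out = gw.outbound(Packet("10.0.0.5", 51000, monitoring, 443))
        reply = Packet(monitoring, 443, out.src_ip, out.src_port, syn=False)
        probe = Packet(attacker, 4444, gw.public_ip, 23)
        results[name] = {
            "reply from monitoring": gw.inbound(reply),
            "attacker probe to telnet": gw.inbound(probe),
        }
    return results


if __name__ == "__main__":
    for setup, outcome in exposure_report().items():
        print(setup)
        for event, result in outcome.items():
            print(f"  {event}: {result}")
```

The point the simulation makes is the one in the paragraph above: behind many-to-one NAT the attacker's probe never reaches the device because the gateway holds no state for it, while with a public address (one-to-one NAT) the probe is delivered and the only thing standing between it and the telnet service is the device's own firewall, which is exactly the layer that ships disabled or misconfigured on so many gateways.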
It is our strong recommendation that any device with public IP addressing be "locked down" and that the factory default username and password be changed to something unusual and not easily guessed. We also recommend that customers evaluate the vulnerability of their devices and reach out to their hardware vendors for any updates needed to secure them; for Heartbleed that means a firmware build with a fixed OpenSSL.
And choose a managed services provider that offers Security as a Service. Any MSP or carrier that is touting a public-IP network should be reconsidered. When it comes to external access to a corporate IT network, best-practice security is a must. But that's just common sense, right? Ask Target's HVAC vendor!