To better understand IT risks, listen to the hackers

The security of Huawei routers

DEFCON made headlines this year when a duo of respected security researchers presented their case on the numerous flaws in the increasingly popular Huawei routers that can lead to serious security breaches.  Felix Linder of Recurity labs said that the Huawei routers were working on a 1990s-era operating system.  “The operating system has absolutely no mitigations in place; to the contrary, it even has functionality to help you exploit it,” said Linder.

Huawei, a Chinese telecommunications company with $32 billion in sales, is one of the fastest growing providers of networking and telecommunications equipment in the world and is gaining on top American router maker, Cisco.

The concerns with security issues and the Huawei routers are not limited to the DEFCON crowd.  The company was on the cover story of The Economist recently in which the security concerns connected to the company’s routers were examined.

Experts agree that if the market continually raises concerns around the security flaws in Huawei’s routers, the company will begin to make changes.  For your own concern, it is always a good practice to check with your IT department and vendors to ensure that the routers being used to service your needs are certified by ISCA Labs or other credible sources.  You can also check with your vendors to see if they are using Huawei routers and taking the appropriate precautions.

These routers could be anywhere: Halfway across the world as part of the Internet or used by your Internet service provider just down the street.  This highlights the need to ensure that you’re using encryption, validation and other good transmission security practices whenever data leaves your oversight.

Immobilizing your mobile devices

Without a doubt, mobile devices such as smartphones and tablets are indispensable business tools today.  They do, however, have inherent risks because they are portable and rely on wireless connections.  Those vulnerabilities were exposed in a presentation in which the “hacker” took control of a mobile phone through a server and caused it to wipe itself out.

Most mobile devices are used with Microsoft Exchange servers and interact with the server in order to receive email and synch calendar and contact information.  The mobile device and Exchange server most often communicate via Wi-Fi.

When you connect mobile devices to an Exchange server, the server imposes a number of controls over the device including password policy, remote lock, and the ability to wipe the phone clean of information.  We all accept these controls when we initially synch our devices to the Exchange server.

It’s those controls, combined with a wireless connection that provides the opportunity to hackers.

Security researcher Peter Hannay gave a live demonstration showing that he could hack into the wireless communication between a smart phone and its Exchange server, “trick” the phone into thinking he was the Exchange server, and send it the command to wipe itself out.  In a matter of moments a healthy smart phone was dead and useless.

While he only killed a smartphone, Hannay made it clear that it’s just a matter of time before hackers find a way to exploit this weakness to steal data off of a mobile device, or control that device to gain access through the Exchange server to an organization’s IT system.

There is a way to protect the connection between mobile devices and your Exchange server.  The first step is to make sure you have Certificate Authority-signed SSL certificate for your Exchange server.  This will prevent Android and Windows- based devices from accepting the false connection.  Apple devices, however, will still present the user with an option to continue with the connection that could mistakenly be accepted by the user.  It should then be part of ongoing training that your employees are made aware of these alerts in order to prevent a takeover of the device.

Hacking VMware

As the demand on servers has grown in the workplace the industry has responded by creating a “virtual server” program called VMware.  This service allows for a number of “virtual servers” to live on one real hardware server and operate independently as if they were stand-alone devices.  This creates efficiency by saving space, money, and electricity for companies today.  However, it does present vulnerabilities that can be exploited by hackers, data thieves, and cyber-sneaks.

Alexander Minozhenko, a security expert who specializes in testing network systems, showed how he could exploit existing bugs present in the VMware system to penetrate into the main hardware server known as the Vcenter, and have access to the entire system, including all virtual servers, in one fell swoop.

There are ways to protect your data and virtual servers if you are using the VMware system.  The access controls that come with the system can be a good protection that should be utilized to the furthest degree.  Make sure your IT team is on top of patch management to cover up vulnerabilities and that they are securing all elements both in the host hardware and virtual servers.

Tools like virtual servers and smart phones bring a great deal of innovation, efficiency, and connectivity to financial institutions and the services they provide.  Incredible minds create these inventions and equally smart minds find ways to exploit vulnerabilities with criminal intent.  By learning from the minds at DEFCON, we can get a better picture of what steps to take to stay ahead of the curve of ever-evolving security threats.

Ryan Rodrigue, CISA, CISSP, is an IT Assurance Manager at Wolf & Company and regularly attends the DEFCON convention.  He can be reached at 617.428.5443 or rrodrigue@wolfandco.com.

This publication is distributed with the understanding that the author, publisher and distributor are not rendering legal, accounting, tax or other professional advice or opinions on specific facts or matters and, accordingly, assume no liability whatsoever in connection with its use. The information in this publication is not intended or written to be used, and cannot be used, by a taxpayer for the purpose of (i) avoiding penalties that may be imposed under the Internal Revenue Code or applicable state or local tax law provisions or (ii) promoting, marketing or recommending to another party any transaction or matter addressed in this publication. Copyright 2013.