Is Spectrum's modem really bridged?
-
@Fredtx said in Is Spectrum's modem really bridged?:
While I understand there are many other security mistakes that allowed this to happen, but the fact is they gained access from a port forwarding rule to the server that someone set up for the customer so they didn't have to use a vpn.
This is why it's important how to word it. They DID use a VPN, just not one labeled a VPN. RDP has VPN tech built into it.
And if they had used something labeled a VPN, it would have had a port open and forwarded just the same, and susceptible to the same brute force attack.
So RDP is a red herring here, it has nothing to do with the vulnerability or the hack, it's just coincidental that it was used. It could have been a normal VPN, SSH, a web page or anything that had a weak password and no limit on attempts against it. What was breached was just that someone got the password right, nothing more.
-
@Fredtx said in Is Spectrum's modem really bridged?:
Per management, no one is allowed to open ports for rdp on any customers router.
This means that management is clueless and is working from "security theater." They don't understand what happened and instead of securing the system are trying to make a show of "changing things" without really securing anything.
The open port, and RDP are in no way an issue. What they are going to do is change which port is open (changing nothing to an attacker) and change which protocol is used (again, changing nothing to the attack) and exposing the system identically again. It's not even plausible deniability. It's just smoke and mirrors thinking whoever they are answering to is clueless and isn't going to really follow up (probably true.)
-
@Fredtx said in Is Spectrum's modem really bridged?:
So I'm just trying to find a work around.
It's all just words. Do anything and claim to have made the change. Change the port and claim that's done it. It's all just politics at this point, not technical.
They aren't asking you to lock it down or fix the problem. They are looking for a checkbox to show to an auditor of some sort.
The real "problem" here is that all of this is being done, presumably, to hide the fact that there is an actual security problem and they don't want to address it. If someone actually cares about the security, then that discussion needs to take place. If the belief is that this is only politics and has nothing to do with results and security, then just do anything that satisfies the words that they have used.
The real issue is a lack of password policy and a lack of password protection. Moving to a thing with a VPN label will in no way affect that. That's misdirection and a true security auditor should catch that instantly and question why someone would be working so hard to cover up not actually fixing the problem. If this was a financial institution, this situation would warrant a pretty serious sit down and internal audit. In a normal SMB, it's just managers trying to not have to actually do hard work of investigating.
So the question you have to answer for yourself is... are you here to secure the environment to protect against what happened? Or are you here to simply action what you've been told to do and to ignore the problem?
If the former and the goal is actual security, you need to have a sit down, explain how security works, do a post mortem, show where the failure was and address the real problems which have literally nothing to do with port forwarding or RDP.
If the latter is the case, the simplest answer is just throw any VPN on and pretend that that is a magic fix and move on not letting on that you know that nothing has been addressed and it is all just being done to trick someone higher up the food chain who likely will never discover that he was being played - so it's generally completely safe to do this.
Red pill vs blue pill. Only you know what is important in your environment. It's almost certainly the latter, this is how SMBs tend to work. But in some cases, you might know the CEO or owner and know that they truly wanted someone to protect them and you can actually let them know the truth. But if you are insulated from them and you might get in trouble for exposing this kind of thing, just do the VPN and don't worry about it. If the owner cared he'd never let himself get insulated.
-
@scottalanmiller said in Is Spectrum's modem really bridged?:
This means that management is clueless and is working from "security theater." They don't understand what happened and instead of securing the system are trying to make a show of "changing things" without really securing anything.
A lot of it is politics and liability reasons. There's a lot of limits of what we "can" and "can't" do when it comes to providing solutions for our customers. One of the reasons why I'm here in this community is to look at things from "outside" the box and hopefully utilize the knowledge I gain from a group of IT professionals and implement it in my current job or somewhere else wherever the rabbit hole takes me (red pill)
-
@Fredtx said in Is Spectrum's modem really bridged?:
@scottalanmiller said in Is Spectrum's modem really bridged?:
This means that management is clueless and is working from "security theater." They don't understand what happened and instead of securing the system are trying to make a show of "changing things" without really securing anything.
A lot of it is politics and liability reasons. There's a lot of limits of what we "can" and "can't" do when it comes to providing solutions for our customers. One of the reasons why I'm here in this community is to look at things from "outside" the box and hopefully utilize the knowledge I gain from a group of IT professionals and implement it in my current job or somewhere else wherever the rabbit hole takes me (red pill)
Most companies prioritize politics over profits. It's sad, but the average business is driven by emotion not "doing business"
-
Scott is of course right in his explanation - but he's glossing over something. Many VPN clients allow you to save that savage password into the VPN client so it never has to be typed again.
So management might not want more complex passwords (or simply longer ones) that the staff (and themselves) have to use. Instead they want to protect the border to the network with the VPN and its client that holds the password. I don't believe the default Windows based RDP client will save the password - not that that alone would solve the problem, again, management likely doesn't want to type in an 18+ char password every time they unlock their computer.
-
@Dashrender said in Is Spectrum's modem really bridged?:
Scott is of course right in his explanation - but he's glossing over something. Many VPN clients allow you to save that savage password into the VPN client so it never has to be typed again.
So management might not want more complex passwords (or simply longer ones) that the staff (and themselves) have to use. Instead they want to protect the border to the network with the VPN and its client that holds the password. I don't believe the default Windows based RDP client will save the password - not that that alone would solve the problem, again, management likely doesn't want to type in an 18+ char password every time they unlock their computer.
But you are comparing a third party "option" vs. a perceived lack of first party option. To make this argument valid, you have to assume that you aren't using a specific VPN or using it in the same way as the RDP. Then you have to assume RDP done with a specific client in a specific way. So it isn't VPNs and RDP that are being compared, but using the full range of options of one, and limiting the other to one assumption.
In the real world, a specific VPN implementation might not allow saving passwords, and RDP most certainly does allow it (I use that feature all of the time.)
There is a false perception here of what a VPN will do and what RDP will do based on how they are "commonly seen", but it's really all myth.
But it is not the VPN or the RDP that creates the artefacts. We are confusing the means with the ends.
-
Even the Windows RDP client does allow saving creds, it's a commonly used setup.
https://www.nextofwindows.com/how-to-save-password-in-a-remote-desktop-connection-in-windows-8
-
@scottalanmiller said in Is Spectrum's modem really bridged?:
Even the Windows RDP client does allow saving creds, it's a commonly used setup.
https://www.nextofwindows.com/how-to-save-password-in-a-remote-desktop-connection-in-windows-8
lol I looked for that, but forgot to click advanced.
Still doesn't solve the problem of using a horrible password (length alone is horrible to some) each time you want to log into your box.
-
@scottalanmiller said in Is Spectrum's modem really bridged?:
@Dashrender said in Is Spectrum's modem really bridged?:
Scott is of course right in his explanation - but he's glossing over something. Many VPN clients allow you to save that savage password into the VPN client so it never has to be typed again.
So management might not want more complex passwords (or simply longer ones) that the staff (and themselves) have to use. Instead they want to protect the border to the network with the VPN and its client that holds the password. I don't believe the default Windows based RDP client will save the password - not that that alone would solve the problem, again, management likely doesn't want to type in an 18+ char password every time they unlock their computer.
But you are comparing a third party "option" vs. a perceived lack of first party option. To make this argument valid, you have to assume that you aren't using a specific VPN or using it in the same way as the RDP. Then you have to assume RDP done with a specific client in a specific way. So it isn't VPNs and RDP that are being compared, but using the full range of options of one, and limiting the other to one assumption.
In the real world, a specific VPN implementation might not allow saving passwords, and RDP most certainly does allow it (I use that feature all of the time.)
There is a false perception here of what a VPN will do and what RDP will do based on how they are "commonly seen", but it's really all myth.
But it is not the VPN or the RDP that creates the artefacts. We are confusing the means with the ends.
Sure - you're absolutely right - sadly.. that's a manager's typical playground.
-
@Dashrender said in Is Spectrum's modem really bridged?:
@scottalanmiller said in Is Spectrum's modem really bridged?:
Even the Windows RDP client does allow saving creds, it's a commonly used setup.
https://www.nextofwindows.com/how-to-save-password-in-a-remote-desktop-connection-in-windows-8
lol I looked for that, but forgot to click advanced.
Still doesn't solve the problem of using a horrible password (length alone is horrible to some) each time you want to log into your box.
Sure, but neither does a VPN. You can control the passwords in either case, or you can let the end user use horrible passwords in either case. The VPN doesn't change the basic issue.
-
@scottalanmiller said in Is Spectrum's modem really bridged?:
@Dashrender said in Is Spectrum's modem really bridged?:
@scottalanmiller said in Is Spectrum's modem really bridged?:
Even the Windows RDP client does allow saving creds, it's a commonly used setup.
https://www.nextofwindows.com/how-to-save-password-in-a-remote-desktop-connection-in-windows-8
lol I looked for that, but forgot to click advanced.
Still doesn't solve the problem of using a horrible password (length alone is horrible to some) each time you want to log into your box.
Sure, but neither does a VPN. You can control the passwords in either case, or you can let the end user use horrible passwords in either case. The VPN doesn't change the basic issue.
Sure, and now we're just running in circles.
I did start by saying you are correct.
-
@Dashrender said in Is Spectrum's modem really bridged?:
@scottalanmiller said in Is Spectrum's modem really bridged?:
@Dashrender said in Is Spectrum's modem really bridged?:
@scottalanmiller said in Is Spectrum's modem really bridged?:
Even the Windows RDP client does allow saving creds, it's a commonly used setup.
https://www.nextofwindows.com/how-to-save-password-in-a-remote-desktop-connection-in-windows-8
lol I looked for that, but forgot to click advanced.
Still doesn't solve the problem of using a horrible password (length alone is horrible to some) each time you want to log into your box.
Sure, but neither does a VPN. You can control the passwords in either case, or you can let the end user use horrible passwords in either case. The VPN doesn't change the basic issue.
Sure, and now we're just running in circles.
I did start by saying you are correct.
At the end, VPNs just don't solve those problems. A VPN's benefit is only in having a second mechanism, if it is kept completely decoupled from the original. But it's a poor approach when it is used to cover up a lack of security applied to the core protocol.
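The thread's technical point is that the breach was a weak password with no limit on attempts, and that the exposed protocol (RDP, VPN, SSH, a web page) is incidental; the stated fix is a password policy plus password protection, not swapping one port for another. The following is an added example, not code from the thread or from any of its participants: it replays constructed logon records from three different services through a single protocol-agnostic lockout policy and shows which of the eventual successful logons would have been stopped. The log format, the service names, the addresses, the account names and the policy values (5 failures in 10 minutes, 15 minute lockout) are all assumptions made for the example.

```python
"""Protocol-agnostic failed-logon analysis (added example, not from the thread).

The log lines below are constructed for this example; the format is one
record per line: ISO timestamp, service name, source address, account, outcome.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LogonEvent:
    when: datetime
    service: str   # rdp, vpn, ssh ... deliberately not used by the policy
    source: str    # remote address the attempt came from
    account: str
    success: bool


# Constructed sample records: one RDP brute force, one VPN brute force, one
# ordinary SSH typo-then-success. Addresses are documentation ranges.
SAMPLE_LOG = """\
2021-03-02T08:00:01 rdp 198.51.100.7 administrator FAIL
2021-03-02T08:00:03 rdp 198.51.100.7 administrator FAIL
2021-03-02T08:00:05 rdp 198.51.100.7 administrator FAIL
2021-03-02T08:00:07 rdp 198.51.100.7 administrator FAIL
2021-03-02T08:00:09 rdp 198.51.100.7 administrator FAIL
2021-03-02T08:00:11 rdp 198.51.100.7 administrator FAIL
2021-03-02T08:00:13 rdp 198.51.100.7 administrator OK
2021-03-02T09:15:00 vpn 203.0.113.9 jsmith FAIL
2021-03-02T09:15:04 vpn 203.0.113.9 jsmith FAIL
2021-03-02T09:15:09 vpn 203.0.113.9 jsmith FAIL
2021-03-02T09:15:13 vpn 203.0.113.9 jsmith FAIL
2021-03-02T09:15:18 vpn 203.0.113.9 jsmith FAIL
2021-03-02T09:15:22 vpn 203.0.113.9 jsmith OK
2021-03-02T10:30:00 ssh 192.0.2.44 deploy FAIL
2021-03-02T10:30:30 ssh 192.0.2.44 deploy OK
"""


def parse_log(text):
    """Parse the constructed log format into LogonEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, service, source, account, outcome = line.split()
        events.append(LogonEvent(datetime.fromisoformat(when), service,
                                 source, account, outcome == "OK"))
    return events


def apply_lockout_policy(events, max_failures=5, window=timedelta(minutes=10),
                         lockout=timedelta(minutes=15)):
    """Replay events in time order against a sliding-window lockout policy.

    Returns a dict keyed by (source, account) with the failure count, the time
    the lockout first triggered (or None), whether a successful logon landed
    while locked (the policy would have stopped it) and whether a success was
    allowed through. The service field is recorded but never consulted: the
    policy is the same whether the front door is RDP, a VPN or SSH.
    """
    recent = defaultdict(deque)   # (source, account) -> timestamps of recent failures
    locked_until = {}
    report = {}
    for ev in sorted(events, key=lambda e: e.when):
        key = (ev.source, ev.account)
        entry = report.setdefault(key, {"service": ev.service, "failures": 0,
                                        "locked_at": None, "blocked_success": False,
                                        "success_allowed": False})
        q = recent[key]
        while q and ev.when - q[0] > window:   # expire failures outside the window
            q.popleft()
        is_locked = key in locked_until and ev.when < locked_until[key]
        if ev.success:
            entry["blocked_success" if is_locked else "success_allowed"] = True
            continue
        entry["failures"] += 1
        if is_locked:
            continue   # attempts during a lockout are rejected outright
        q.append(ev.when)
        if len(q) >= max_failures:
            locked_until[key] = ev.when + lockout
            if entry["locked_at"] is None:
                entry["locked_at"] = ev.when
    return report


def summarize(report):
    """One verdict line per (source, account); the verdict ignores the protocol."""
    lines = []
    for (source, account), e in sorted(report.items()):
        if e["blocked_success"]:
            verdict = "password was eventually guessed; lockout would have stopped it"
        elif e["locked_at"] is not None:
            verdict = "locked out, no success seen"
        elif e["success_allowed"]:
            verdict = "normal: few failures then success"
        else:
            verdict = "no action"
        lines.append(f"{e['service']:<4} {source:<14} {account:<14} "
                     f"failures={e['failures']} {verdict}")
    return lines


if __name__ == "__main__":
    for line in summarize(apply_lockout_policy(parse_log(SAMPLE_LOG))):
        print(line)
```

Run as a script it prints one line per source and account; both brute-force runs are caught by the same rule, and the SSH user who mistyped once is left alone. The design choice worth noting is that the policy keys on source and account and never reads the service column, which is the thread's argument in code form: relabelling the exposed service changes nothing, while an attempt limit and a password policy change the outcome.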