Is Spectrum's modem really bridged?
-
AT&T defines IP Passthrough as an alternative to Bridging, not another word for it. And this is 2017, quite recent.
-
@scottalanmiller said in Is Spectrum's modem really bridged?:
AT&T defines IP Passthrough as an alternative to Bridging, not another word for it. And this is 2017, quite recent.
I never said AT&T called it bridging.
-
@JaredBusch said in Is Spectrum's modem really bridged?:
@scottalanmiller said in Is Spectrum's modem really bridged?:
AT&T defines IP Passthrough as an alternative to Bridging, not another word for it. And this is 2017, quite recent.
I never said AT&T called it bridging.
No, the point is that no one does except for the techs on the phone lying about their setup. It's not accepted by other ISPs, probably not even by Spectrum officially, definitely not by customers, IT or networking people. Not by language references. Saying that it's an accepted use of an inverse term would require that someone could look it up.
What I'm trying to show is that the people inside Spectrum saying that this is bridged are just flat out being dishonest. There is no accepted use of bridge to mean the polar opposite. The term bridge is the inverse of router in this context, but a router is what they are doing, while trying to mislead the customer.
The real important bit here is "intention to mislead or defraud". There's no grey area where they could produce reference material that says that bridge now means the exact opposite of its meaning up to this point.
-
Moreso, the conversation that they are having with the customer, the customer is pointing out that it is not a bridge and showing why it cannot be. There's really no excuse, even if there was some grey area for using the terms to mean exactly the opposite of their established meanings which I don't believe that there is, for the techs at Spectrum to not acknowledge that clearly the customer has established what they mean by the term and explain that they are using a wholly different term than the customer is. By showing that there should be no IP address, the onus is on the techs to divulge that they have made up a new meaning for an established term now that they are aware that the customer has explained that they have requested something by the old (and only) meaning.
Imagine if you went into a car dealership, bought a Chevy Suburban in blue, and then they delivered something red and just kept saying it was blue and even when you said it was red and you weren't happy because you ordered blue that they just kept calling it blue knowing full well that they had secretly started using blue to mean red. They know that that isn't what you meant, and they know that they made up their own meaning... that's what lying is here. It's that they are using the term to deceive.
Now why Spectrum so often goes to such lengths over something so incredibly unimportant to them, I have no idea. There has to be something really awful that they are doing with those boxes that gets disabled when actually bridged.
-
@Fredtx when contacting Spectrum/Time Warner in the past I never used the word 'Bridged', that only confused the level whatever technicians. Always say you want to configure pass-through mode, or Spectrum needs to provide a device that does not include wireless. Right now I have 2 sites; one is in pass-thru; they do have a private IP in the traceroute but that at least so far has not impacted us. The device onsite is a Ubee modem with wifi that they insist will not be replaced unless there is a physical failure. The other site I had to specify that we wanted a modem only device no wifi or extra features and I did that at time of install. They provided a Ubee as well but it's a base modem no wifi or other options just 1 coax port and 4 ethernet ports (I don't have the model# but can find it). Just be persistent that the device is not working properly and you must have a device that does not contain wifi or extra features.
-
@jt1001001 said in Is Spectrum's modem really bridged?:
They provided a Ubee as well but it's a base modem no wifi or other options just 1 coax port and 4 ethernet ports (I don't have the model# but can find it).
This is a router, not a modem. Modems do not have multiple LAN ports.
-
Hey guys. So this customer is still having connection issues at this site with the new modem. Is there an alternate solution for these remote users to connect to the terminal server simultaneously outside the vpn? Connectwise? Nomachine remote s/w?
-
@Fredtx said in Is Spectrum's modem really bridged?:
Hey guys. So this customer is still having connection issues at this site with the new modem. Is there an alternate solution for these remote users to connect to the terminal server simultaneously outside the vpn? Connectwise? Nomachine remote s/w?
You don't need a VPN for RDP. RDP is already tunneled through a VPN mechanism. Using a VPN is just double VPNing in reality. You likely want to change ports, lock down with some mechanism to increase security, maybe limit to a set of IPs, ensure very strong passwords, etc. But there is no reason to not expose RDP directly, that a VPN is needed is a myth used to sell VPN gear. The VPN encryption is already there, most breaches come from weak passwords, not the protocol.
-
@Fredtx On your client's Ubee modem/router try:
Username: technician Password: C0nf1gur3Ubee#
All this login does is allow you to configure more options on the CPE end via GUI- one of which is the "bridge mode" option. I add the former merely to save you a frustrating phone call.
Having been a TWC customer (residential AND Business,) - and now once again a residential customer (Spectrum/TWC) living in South Carolina- I have felt (and to some extent-STILL feel) your pain and frustration. During the course of reading this thread I ran a tracert on my end (EdgeRouter-4 > "Bridged" Ubee M/R) just to check and got inside private 1st hop and outside public 2nd hop. When I had the TWC Business Static- I want to say I remember the entire support mechanism being an entirely separate entity. That being said- me sharing my experience isn't solving your issue so I'll check out now. Best of luck, bud.
-
The only problem is this customer was hacked through RDP a few months ago due to an open port on the router. This happened at 2 of their other sites, but caused a lot of headache for the entire company. This variant is called Dharma. We closed all those ports on the rest of their routers.
https://www.bleepingcomputer.com/news/security/new-brrr-dharma-ransomware-variant-released/
-
@Fredtx said in Is Spectrum's modem really bridged?:
The only problem is this customer was hacked through RDP a few months ago due to an open port on the router. This happened at 2 of their other sites, but caused a lot of headache for the entire company. This variant is called Dharma. We closed all those ports on the rest of their routers.
https://www.bleepingcomputer.com/news/security/new-brrr-dharma-ransomware-variant-released/
I’m sorry but it’s not possible to hack somebody through a router via RDP. You have to have RDP forwarded through the router to a device that actually is an RDP server before somebody can be hacked by RDP. So your entire premise for the statement is weird if not a flat out lie.
-
@JaredBusch said in
I’m sorry but it’s not possible to hack somebody through a router via RDP. You have to have RDP forwarded through the router to a device that actually is an RDP server before somebody can be hacked by RDP. So your entire premise for the statement is weird if not a flat out lie.
There was a port that was open and then forwarded through 3389 to the TS.
-
@Fredtx said in Is Spectrum's modem really bridged?:
The only problem is this customer was hacked through RDP a few months ago due to an open port on the router. This happened at 2 of their other sites, but caused a lot of headache for the entire company. This variant is called Dharma. We closed all those ports on the rest of their routers.
https://www.bleepingcomputer.com/news/security/new-brrr-dharma-ransomware-variant-released/
Define hacked? How would they hack RDP but not a VPN, since RDP has a VPN already. Not that RDP is infallible, but there is no known public vulnerability to its security, and any that it would have would affect many VPNs that share technology with it.
Dharma is what they got infected with, but doesn't explain the "hack". As I said before, all known RDP "hacks" are not RDP hacks, they are all just guessed passwords - which affect VPN equally.
Remember anytime you say that RDP was hacked, you also say that the VPN was hacked. So using a VPN to protect against a VPN hack fundamentally doesn't make sense.
What most people do is use different or stronger security rules with what they label VPN and use loose ones with RDP then blame RDP for the failure of their policies, but it is not RDP that is the threat, it's the policies or the end users. Treat RDP and a VPN the same, and they have the same security because they are the same security mechanism.
-
@Fredtx said in Is Spectrum's modem really bridged?:
https://www.bleepingcomputer.com/news/security/new-brrr-dharma-ransomware-variant-released/
From your own source, it makes it clear how Dharma is distributed...
"The Dharma Ransomware family, including this Brrr variant, is manually installed by attackers who hack into Remote Desktop Services connected directly to the Internet. These attackers will scan the Internet for computers running RDP, usually on TCP port 3389, and then attempt to brute force the password for the computer.
There are also underground sites that sell known credentials for publicly accessible computers running remote Remote Desktop Services that attackers can buy."
You are only susceptible to Dharma if you are already hacked elsewhere (creds available for sale) or use an easily guessed password that is susceptible to brute force or don't provide any security to lock down brute force attempts. None of that is "hacked RDP", it's all "guessing passwords." It's the password, not RDP, that is hacked. Any password on a VPN would be susceptible exactly the same.
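Added example, not part of the original post: the password guessing described in the quoted article shows up in the Windows Security log as a burst of failed logons (event 4625) from one source, and a successful logon (4624) from that same source afterwards is the case to investigate. The one-line record layout, addresses, dates and account names below are constructed for illustration; the threshold and window are assumptions to tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from the thread): time, event ID, source IP, account.
# 4625 = failed logon, 4624 = successful logon (Windows Security log event IDs).
SAMPLE = """\
2018-09-20T02:00:01 4625 203.0.113.50 administrator
2018-09-20T02:00:03 4625 203.0.113.50 administrator
2018-09-20T02:00:05 4625 203.0.113.50 admin
2018-09-20T02:00:07 4625 203.0.113.50 scanner
2018-09-20T02:00:09 4625 203.0.113.50 frontdesk
2018-09-20T02:00:11 4624 203.0.113.50 frontdesk
2018-09-20T08:30:00 4625 198.51.100.7 jsmith
2018-09-20T08:30:20 4624 198.51.100.7 jsmith
"""

def parse(text):
    """Yield (timestamp, event_id, source_ip, account) from the constructed layout."""
    for line in text.splitlines():
        ts, event_id, ip, user = line.split()
        yield datetime.fromisoformat(ts), int(event_id), ip, user

def detect(events, threshold=5, window=timedelta(minutes=5)):
    """Return (alerts, compromised).

    alerts: source IPs with >= threshold failed logons inside the window,
    counted across all accounts so slow rotation through usernames still trips it.
    compromised: (ip, account) pairs where a success followed such a burst.
    A user who mistypes a password once and then logs in is not flagged.
    """
    failures = defaultdict(list)  # ip -> timestamps of failures still in the window
    alerts, compromised = set(), []
    for ts, event_id, ip, user in sorted(events):
        recent = [t for t in failures[ip] if ts - t <= window]
        if event_id == 4625:
            recent.append(ts)
            if len(recent) >= threshold:
                alerts.add(ip)
        elif event_id == 4624 and ip in alerts:
            compromised.append((ip, user))
        failures[ip] = recent
    return alerts, compromised

if __name__ == "__main__":
    alerts, compromised = detect(parse(SAMPLE))
    print("brute-force sources:", sorted(alerts))
    print("success after burst:", compromised)
```

The same counting applies to any exposed login service, which is the point the post makes: the signal is repeated failed authentication, whatever protocol carries it.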
-
@scottalanmiller said in Is Spectrum's modem really bridged?:
@Fredtx said in Is Spectrum's modem really bridged?:
Define hacked? How would they hack RDP but not a VPN, since RDP has a VPN already. Not that RDP is infallible, but there is no known public vulnerability to its security, and any that it would have would affect many VPNs that share technology with it.
I would say hacking is when an unauthorized user gains access to computer, network. In this case, there was a successful brute force attack. While I understand there are many other security mistakes that allowed this to happen, but the fact is they gained access from a port forwarding rule to the server that someone set up for the customer so they didn't have to use a vpn. Instead the customer used RDP to external IP with the specified port. Per management, no one is allowed to open ports for rdp on any customer's router. So I’m just trying to find a work around.
-
@Fredtx said in Is Spectrum's modem really bridged?:
@scottalanmiller said in Is Spectrum's modem really bridged?:
@Fredtx said in Is Spectrum's modem really bridged?:
Define hacked? How would they hack RDP but not a VPN, since RDP has a VPN already. Not that RDP is infallible, but there is no known public vulnerability to its security, and any that it would have would affect many VPNs that share technology with it.
I would say hacking is when an unauthorized user gains access to computer, network.
Hacking in a loose sense, yes. Hacking of RDP, no. It's hacking of the password. RDP wasn't compromised. That's the key part.
-
@Fredtx said in Is Spectrum's modem really bridged?:
While I understand there are many other security mistakes that allowed this to happen, but the fact is they gained access from a port forwarding rule to the server that someone set up for the customer so they didn't have to use a vpn.
This is why it's important how to word it. They DID use a VPN, just not one labeled a VPN. RDP has VPN tech built into it.
And if they had used something labeled a VPN, it would have had a port open and forwarded just the same, and susceptible to the same brute force attack.
So RDP is a red herring here, it has nothing to do with the vulnerability or the hack, it's just coincidental that it was used. It could have been a normal VPN, SSH, a web page or anything that had a weak password and no limit on attempts against it. What was breached was just that someone got the password right, nothing more.
-
@Fredtx said in Is Spectrum's modem really bridged?:
Per management, no one is allowed to open ports for rdp on any customer's router.
This means that management is clueless and is working from "security theater." They don't understand what happened and instead of securing the system are trying to make a show of "changing things" without really securing anything.
The open port, and RDP are in no way an issue. What they are going to do is change which port is open (changing nothing to an attacker) and change which protocol is used (again, changing nothing to the attack) and exposing the system identically again. It's not even plausible deniability. It's just smoke and mirrors thinking whoever they are answering to is clueless and isn't going to really follow up (probably true.)
-
@Fredtx said in Is Spectrum's modem really bridged?:
So I’m just trying to find a work around.
It's all just words. Do anything and claim to have made the change. Change the port and claim that's done it. It's all just politics at this point, not technical.
They aren't asking you to lock it down or fix the problem. They are looking for a checkbox to show to an auditor of some sort.
The real "problem" here is that all of this is being done, presumably, to hide the fact that there is an actual security problem and they don't want to address it. If someone actually cares about the security, then that discussion needs to take place. If the belief is that this is only politics and has nothing to do with results and security, then just do anything that satisfies the words that they have used.
The real issue is a lack of password policy and a lack of password protection. Moving to a thing with a VPN label will in no way affect that. That's misdirection and a true security auditor should catch that instantly and question why someone would be working so hard to cover up not actually fixing the problem. If this was a financial institution, this situation would warrant a pretty serious sit down and internal audit. In a normal SMB, it's just managers trying to not have to actually do hard work of investigating.
So the question you have to answer for yourself is... are you here to secure the environment to protect against what happened? Or are you here to simply action what you've been told to do and to ignore the problem?
If the former and the goal is actual security, you need to have a sit down, explain how security works, do a post mortem, show where the failure was and address the real problems which have literally nothing to do with port forwarding or RDP.
If the latter is the case, the simplest answer is just throw any VPN on and pretend that that is a magic fix and move on not letting on that you know that nothing has been addressed and it is all just being done to trick someone higher up the food chain who likely will never discover that he was being played - so it's generally completely safe to do this.
Red pill vs blue pill. Only you know what is important in your environment. It's almost certainly the latter, this is how SMBs tend to work. But in some cases, you might know the CEO or owner and know that they truly wanted someone to protect them and you can actually let them know the truth. But if you are insulated from them and you might get in trouble for exposing this kind of thing, just do the VPN and don't worry about it. If the owner cared he'd never let himself get insulated.