Is Spectrum's modem really bridged?
-
@Fredtx said in Is Spectrum's modem really bridged?:
Hey guys. So this customer is still having connection issues at this site with the new modem. Is there an alternate solution for these remote users to connect to the terminal server simultaneously outside the vpn? Connectwise? Nomachine remote s/w?
You don't need a VPN for RDP. RDP is already tunneled through a VPN mechanism. Using a VPN is just double VPNing in reality. You likely want to change ports, lock down with some mechanism to increase security, maybe limit to a set of IPs, ensure very strong passwords, etc. But there is no reason to not expose RDP directly, that a VPN is needed is a myth used to sell VPN gear. The VPN encryption is already there, most breaches come from weak passwords, not the protocol.
-
-
@Fredtx On your clients Ubee modem/router try:
Username: technician Password: C0nf1gur3Ubee#
All this login does is allow you to configure more options on the CPE end via GUI- one of which is the "bridge mode" option. I add the former merely to save you a frustrating phone call.
Having been a TWC customer (residential AND Business), and now once again a residential customer (Spectrum/TWC) living in South Carolina, I have felt (and to some extent STILL feel) your pain and frustration. During the course of reading this thread I ran a tracert on my end (EdgeRouter-4 > "Bridged" Ubee M/R) just to check and got an inside private 1st hop and an outside public 2nd hop. When I had the TWC Business Static, I want to say I remember the entire support mechanism being an entirely separate entity. That being said, me sharing my experience isn't solving your issue so I'll check out now. Best of luck, bud.
-
The only problem is this customer was hacked through Rdp a few months ago due to an open port on the router. This happened at 2 of their other sites, but caused a lot of headache for the entire company. This variant is called Darma. We closed all those ports on the rest of their routers.
https://www.bleepingcomputer.com/news/security/new-brrr-dharma-ransomware-variant-released/
-
@Fredtx said in Is Spectrum's modem really bridged?:
The only problem is this customer was hacked through Rdp a few months ago due to an open port on the router. This happened at 2 of their other sites, but caused a lot of headache for the entire company. This variant is called Darma. We closed all those ports on the rest of their routers.
https://www.bleepingcomputer.com/news/security/new-brrr-dharma-ransomware-variant-released/
I'm sorry but it's not possible to hack somebody through a router via RDP. You have to have RDP forwarded through the router to a device that actually is an RDP server before somebody can be hacked via RDP. So your entire premise for the statement is weird if not a flat out lie.
-
@JaredBusch said in
I'm sorry but it's not possible to hack somebody through a router via RDP. You have to have RDP forwarded through the router to a device that actually is an RDP server before somebody can be hacked via RDP. So your entire premise for the statement is weird if not a flat out lie.
There was a port that was open and then forwarded through 3389 to the TS.
-
@Fredtx said in Is Spectrum's modem really bridged?:
The only problem is this customer was hacked through Rdp a few months ago due to an open port on the router. This happened at 2 of their other sites, but caused a lot of headache for the entire company. This variant is called Darma. We closed all those ports on the rest of their routers.
https://www.bleepingcomputer.com/news/security/new-brrr-dharma-ransomware-variant-released/
Define hacked? How would they hack RDP but not a VPN, since RDP has a VPN already. Not that RDP is infallible, but there is no known public vulnerability to its security, and any that it would have would affect many VPNs that share technology with it.
Dharma is what they got infected with, but doesn't explain the "hack". As I said before, all known RDP "hacks" are not RDP hacks, they are all just guessed passwords - which affect VPN equally.
Remember anytime you say that RDP was hacked, you also say that the VPN was hacked. So using a VPN to protect against a VPN hack fundamentally doesn't make sense.
What most people do is use different or stronger security rules with what they label VPN and use loose ones with RDP, then blame RDP for the failure of their policies, but it is not RDP that is the threat, it's the policies or the end users. Treat RDP and a VPN the same, and they have the same security because they are the same security mechanism.
-
@Fredtx said in Is Spectrum's modem really bridged?:
https://www.bleepingcomputer.com/news/security/new-brrr-dharma-ransomware-variant-released/
From your own source, it makes it clear how Dharma is distributed...
"The Dharma Ransomware family, including this Brrr variant, is manually installed by attackers who hack into Remote Desktop Services connected directly to the Internet. These attackers will scan the Internet for computers running RDP, usually on TCP port 3389, and then attempt to brute force the password for the computer.
There are also underground sites that sell known credentials for publicly accessible computers running remote Remote Desktop Services that attackers can buy."
You are only susceptible to Dharma if you are already hacked elsewhere (creds available for sale) or use an easily guessed password that is susceptible to brute force or don't provide any security to lock down brute force attempts. None of that is "hacked RDP", it's all "guessing passwords." It's the password, not RDP, that is hacked. Any password on a VPN would be susceptible exactly the same.
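The failure mode described in this post (repeated password guesses against an exposed RDP listener, followed by a successful logon once a guess lands) is detectable from the Windows Security log. The following is an added example, not code from this thread or from any project mentioned in it: it parses a constructed, simplified rendering of event 4625 (failed logon) and 4624 (successful logon) lines, counts failures per source address inside a sliding window, and raises a second alert if a flagged address then logs on successfully. The line format, threshold, window and sample addresses are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (not real data): a simplified, space-separated rendering
# of Windows Security events 4625 (failed logon) and 4624 (successful logon).
# Fields: timestamp, event id, logon type (10 = RemoteInteractive, i.e. RDP),
# target account, source IP. Real events carry many more fields; the
# addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2019-03-04T02:10:01 4625 10 administrator 203.0.113.7
2019-03-04T02:10:02 4625 10 administrator 203.0.113.7
2019-03-04T02:10:02 4625 10 admin 203.0.113.7
2019-03-04T02:10:03 4625 10 administrator 203.0.113.7
2019-03-04T02:10:04 4625 10 administrator 203.0.113.7
2019-03-04T02:10:05 4625 10 administrator 203.0.113.7
2019-03-04T02:11:40 4624 10 administrator 203.0.113.7
2019-03-04T02:12:00 4625 10 jsmith 198.51.100.9
2019-03-04T02:12:30 4625 10 jsmith 198.51.100.9
2019-03-04T02:13:00 4624 10 jsmith 198.51.100.9
2019-03-04T08:00:00 4624 10 mjones 192.0.2.5
"""

RDP_LOGON_TYPE = "10"


def parse_events(text):
    """Turn the simplified log lines into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src_ip = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": event_id,
            "logon_type": logon_type,
            "account": account,
            "src_ip": src_ip,
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return a list of alert dicts.

    'bruteforce' fires the first time a source IP reaches `threshold` failed
    RDP logons inside `window`; 'success_after_bruteforce' fires when an IP
    that was flagged later logs on successfully (the guessed-password case).
    """
    failures = defaultdict(deque)   # src_ip -> timestamps of recent 4625s
    flagged = set()                 # IPs that already tripped the threshold
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        ip, t = ev["src_ip"], ev["time"]
        if ev["event_id"] == "4625":
            recent = failures[ip]
            recent.append(t)
            # Drop failures that have aged out of the sliding window.
            while recent and t - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"kind": "bruteforce", "src_ip": ip,
                               "account": ev["account"], "detail": len(recent),
                               "time": t})
        elif ev["event_id"] == "4624" and ip in flagged:
            # A flagged source got a valid logon: treat as a probable breach.
            alerts.append({"kind": "success_after_bruteforce", "src_ip": ip,
                           "account": ev["account"], "detail": None,
                           "time": t})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print(alert["time"].isoformat(), alert["kind"], alert["src_ip"],
              alert["account"], alert["detail"])
```

Two practical caveats: a flagged address stays flagged for the rest of the input, which is fine for a batch run but would need an expiry in a streaming detector; and on hosts with Network Level Authentication enabled, failed RDP attempts are usually recorded with logon type 3 rather than 10, so a real deployment should count both types.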
-
@scottalanmiller said in Is Spectrum's modem really bridged?:
@Fredtx said in Is Spectrum's modem really bridged?:
Define hacked? How would they hack RDP but not a VPN, since RDP has a VPN already. Not that RDP is infallible, but there is no known public vulnerability to its security, and any that it would have would affect many VPNs that share technology with it.
I would say hacking is when an unauthorized user gains access to a computer or network. In this case, there was a successful brute force attack. While I understand there are many other security mistakes that allowed this to happen, the fact is they gained access from a port forwarding rule to the server that someone set up for the customer so they didn't have to use a VPN. Instead the customer used RDP to the external IP with the specified port. Per management, no one is allowed to open ports for RDP on any customer's router. So I'm just trying to find a work around.
-
@Fredtx said in Is Spectrum's modem really bridged?:
@scottalanmiller said in Is Spectrum's modem really bridged?:
@Fredtx said in Is Spectrum's modem really bridged?:
Define hacked? How would they hack RDP but not a VPN, since RDP has a VPN already. Not that RDP is infallible, but there is no known public vulnerability to its security, and any that it would have would affect many VPNs that share technology with it.
I would say hacking is when an unauthorized user gains access to computer,network.
Hacking in a loose sense, yes. Hacking of RDP, no. It's hacking of the password. RDP wasn't compromised. That's the key part.
-
@Fredtx said in Is Spectrum's modem really bridged?:
While I understand there are many other security mistakes that allowed this to happen, the fact is they gained access from a port forwarding rule to the server that someone set up for the customer so they didn't have to use a VPN.
This is why it's important how to word it. They DID use a VPN, just not one labeled a VPN. RDP has VPN tech built into it.
And if they had used something labeled a VPN, it would have had a port open and forwarded just the same, and susceptible to the same brute force attack.
So RDP is a red herring here, it has nothing to do with the vulnerability or the hack, it's just coincidental that it was used. It could have been a normal VPN, SSH, a web page or anything that had a weak password and no limit on attempts against it. What was breached was just that someone got the password right, nothing more.
-
@Fredtx said in Is Spectrum's modem really bridged?:
Per management, no one is allowed to open ports for RDP on any customer's router.
This means that management is clueless and is working from "security theater." They don't understand what happened and instead of securing the system are trying to make a show of "changing things" without really securing anything.
The open port, and RDP are in no way an issue. What they are going to do is change which port is open (changing nothing to an attacker) and change which protocol is used (again, changing nothing to the attack) and exposing the system identically again. It's not even plausible deniability. It's just smoke and mirrors thinking whoever they are answering to is clueless and isn't going to really follow up (probably true.)
-
@Fredtx said in Is Spectrum's modem really bridged?:
So I’m just trying to find a work around.
It's all just words. Do anything and claim to have made the change. Change the port and claim that's done it. It's all just politics at this point, not technical.
They aren't asking you to lock it down or fix the problem. They are looking for a checkbox to show to an auditor of some sort.
The real "problem" here is that all of this is being done, presumably, to hide the fact that there is an actual security problem and they don't want to address it. If someone actually cares about the security, then that discussion needs to take place. If the belief is that this is only politics and has nothing to do with results and security, then just do anything that satisfies the words that they have used.
The real issue is a lack of password policy and a lack of password protection. Moving to a thing with a VPN label will in no way affect that. That's misdirection and a true security auditor should catch that instantly and question why someone would be working so hard to cover up not actually fixing the problem. If this was a financial institution, this situation would warrant a pretty serious sit down and internal audit. In a normal SMB, it's just managers trying to not have to actually do hard work of investigating.
So the question you have to answer for yourself is... are you here to secure the environment to protect against what happened? Or are you here to simply action what you've been told to do and to ignore the problem?
If the former and the goal is actual security, you need to have a sit down, explain how security works, do a post mortem, show where the failure was and address the real problems, which have literally nothing to do with port forwarding or RDP.
If the latter is the case, the simplest answer is just throw any VPN on and pretend that that is a magic fix and move on not letting on that you know that nothing has been addressed and it is all just being done to trick someone higher up the food chain who likely will never discover that he was being played - so it's generally completely safe to do this.
Red pill vs blue pill. Only you know what is important in your environment. It's almost certainly the latter, this is how SMBs tend to work. But in some cases, you might know the CEO or owner and know that they truly wanted someone to protect them and you can actually let them know the truth. But if you are insulated from them and you might get in trouble for exposing this kind of thing, just do the VPN and don't worry about it. If the owner cared he'd never let himself get insulated.
-
@scottalanmiller said in Is Spectrum's modem really bridged?:
This means that management is clueless and is working from "security theater." They don't understand what happened and instead of securing the system are trying to make a show of "changing things" without really securing anything.
A lot of it is politics and liability reasons. There are a lot of limits on what we "can" and "can't" do when it comes to providing solutions for our customers. One of the reasons why I'm here in this community is to look at things from "outside" the box and hopefully utilize the knowledge I gain from a group of IT professionals and implement it in my current job or somewhere else, wherever the rabbit hole takes me (red pill).
-
@Fredtx said in Is Spectrum's modem really bridged?:
@scottalanmiller said in Is Spectrum's modem really bridged?:
This means that management is clueless and is working from "security theater." They don't understand what happened and instead of securing the system are trying to make a show of "changing things" without really securing anything.
A lot of it is politics and liability reasons. There are a lot of limits on what we "can" and "can't" do when it comes to providing solutions for our customers. One of the reasons why I'm here in this community is to look at things from "outside" the box and hopefully utilize the knowledge I gain from a group of IT professionals and implement it in my current job or somewhere else, wherever the rabbit hole takes me (red pill).
Most companies prioritize politics over profits. It's sad, but the average business is driven by emotion, not "doing business".
-
Scott is of course right in his explanation - but he's glossing over something. Many VPN clients allow you to save that savage password into the VPN client so it never has to be typed again.
So management might not want more complex passwords (or simply longer ones) that the staff (and themselves) have to use. Instead they want to protect the border to the network with the VPN and its client that holds the password. I don't believe the default Windows based RDP client will save the password - not that that alone would solve the problem; again, management likely doesn't want to type in an 18+ char password every time they unlock their computer.
-
@Dashrender said in Is Spectrum's modem really bridged?:
Scott is of course right in his explanation - but he's glossing over something. Many VPN clients allow you to save that savage password into the VPN client so it never has to be typed again.
So management might not want more complex passwords (or simply longer ones) that the staff (and themselves) have to use. Instead they want to protect the border to the network with the VPN and its client that holds the password. I don't believe the default Windows based RDP client will save the password - not that that alone would solve the problem; again, management likely doesn't want to type in an 18+ char password every time they unlock their computer.
But you are comparing a third party "option" vs. a perceived lack of a first party option. To make this argument valid, you have to assume that you aren't using a specific VPN or using it in the same way as the RDP. Then you have to assume RDP done with a specific client in a specific way. So it isn't VPNs and RDP that are being compared, but using the full range of options of one, and limiting the other to one assumption.
In the real world, a specific VPN implementation might not allow saving passwords, and RDP most certainly does allow it (I use that feature all of the time.)
There is a false perception here of what a VPN will do and what RDP will do based on how they are "commonly seen", but it's really all myth.
But it is not the VPN or the RDP that creates the artefacts. We are confusing the means with the ends.
-
Even the Windows RDP client does allow saving creds, it's a commonly used setup.
https://www.nextofwindows.com/how-to-save-password-in-a-remote-desktop-connection-in-windows-8
-
@scottalanmiller said in Is Spectrum's modem really bridged?:
Even the Windows RDP client does allow saving creds, it's a commonly used setup.
https://www.nextofwindows.com/how-to-save-password-in-a-remote-desktop-connection-in-windows-8
lol I looked for that, but forgot to click advanced.
Still doesn't solve the problem of using a horrible password (length alone is horrible to some) each time you want to log into your box.
-
@scottalanmiller said in Is Spectrum's modem really bridged?:
@Dashrender said in Is Spectrum's modem really bridged?:
Scott is of course right in his explanation - but he's glossing over something. Many VPN clients allow you to save that savage password into the VPN client so it never has to be typed again.
So management might not want more complex passwords (or simply longer ones) that the staff (and themselves) have to use. Instead they want to protect the border to the network with the VPN and its client that holds the password. I don't believe the default Windows based RDP client will save the password - not that that alone would solve the problem; again, management likely doesn't want to type in an 18+ char password every time they unlock their computer.
But you are comparing a third party "option" vs. a perceived lack of a first party option. To make this argument valid, you have to assume that you aren't using a specific VPN or using it in the same way as the RDP. Then you have to assume RDP done with a specific client in a specific way. So it isn't VPNs and RDP that are being compared, but using the full range of options of one, and limiting the other to one assumption.
In the real world, a specific VPN implementation might not allow saving passwords, and RDP most certainly does allow it (I use that feature all of the time.)
There is a false perception here of what a VPN will do and what RDP will do based on how they are "commonly seen", but it's really all myth.
But it is not the VPN or the RDP that creates the artefacts. We are confusing the means with the ends.
Sure - you're absolutely right - sadly. That's a manager's typical playground.