Posts Tagged ‘network security’

PC World recently wrote a story about Wi-Fi cable modem routers and how a security hole left thousands of Time Warner customers vulnerable to hackers.  Incredibly, the company isn’t responsible for uncovering the problem.

A customer needed help with his Wi-Fi network and asked a friend for help with the configuration.  His friend, David Chen who writes the Chenosaurus blog, was surprised to discover the issue and wrote: “from within your own network, an intruder can eavesdrop on sensitive data being sent over the Internet and even worse, they can manipulate the DNS address to point trusted sites to malicious servers to perform man-in-the-middle attacks.  Someone skilled enough can possibly even modify and install a new firmware onto the router, which can then automatically scan and infect other routers automatically.”

That’s a very scary thought!  Most subscribers trust the equipment installed by their service providers and would never imagine that a router they have been given could leave them open to attack.  Time Warner has implemented a temporary patch but prior to Chen’s discovery, administrative access to the routers was allowed and attackers were free to run programs against them.

A permanent fix for the SMC 8014 wireless router and cable modem is expected sometime in the near future.

image: SMC.com

Bill Brenner of CSO Online shares “The Seven Deadly Sins of Network Security“, sins which he links with nearly all serious data breaches. Bill notes and asks, “Companies that suffer serious security breaches have almost always committed one (or all) of 7 deadly security sins. Is your company guilty?”

Just as Absolute Software recommends a multi-layered security solution, Bill Brenner notes that any solid security defense plan is built upon a multi-layered approach involving technology, policy and practice. The technology layers are just one piece there, but only account for part of the network security sins listed here:

1. Not measuring risk – failing to identify and protect important information assets, while doing so within the parameters of business needs and requirements
2. Thinking compliance equals security – regulations like HIPAA and PCI DSS are only a starting point for strong (and evolving) data security practices
3. Overlooking the people – the ‘people problem’ is a common thread on this blog. People who access data & technology pose a large risk to it – losing laptops, falling for phishing attacks, downloading rogue software, etc
4. Too much access for too many – having access controls set in both policy and in management technology
5. Lax patching procedures - the latest Verizon report showing that 90% of known vulnerabilities exploited in hack attempts had patches available for at least six months prior to the breach
6. Lax logging, monitoring – like with the first item, one must know what’s going on in the network prior to security it
7. Spurning the K.I.S.S. – ‘keep it simple, stupid’ or ‘keep it simple for security’ is often overlooked if security is approached without planning and ’solutions’ are tacked on one after the other.

The article looks at common issues that have led these seven items to becoming “sins” in network security terms. This can include, in the case of the first sin, a lack of understanding of business needs and requirements that results in end users circumventing security protocols and risking data even further. Continue reading it here.

Cornell University School of Hotel Administration has released the results of a study on “Hotel Network Security“. The study concluded that US hotels are “generally ill-prepared” to protect their guests from network security issues.”

The study was conducted by Josh Ogle, Erica L. Wagner Ph.D. and Mark P. Talbert of Cornell University’s Center for Hospitality Research. The study of 147 US hotels found that there was a mixed picture with regard to the security of guest connections to the hotel wired and wireless networks.

Many business travelers use their hotel to continue working on the road, an increasingly common practice with the mobile workforce of today. However, as we’ve talked about in many instances on the Absolute blog, this places sensitive corporate information at risk.

According to the study, some hotels still rely on basic hub technology for their networks, which broadcasts every packet from every user to other users (no security). Others may have upgraded to more secure switches or routers, or may have encryption for Wi-Fi connections. Even with all of these upgrades, malicious lurkers can still intercept guest transmissions.

Highlights from the study:

• 20% of hotel networks use hub topologies
• 90% of hotels offered wireless access
• Out of the 39 hotels that had supplemental site visits, only 6 had wireless encryption
• 21% of hotels reported that malicious activity had taken place on their networks

The report outlines an example of best practice, with the case of the W Dallas Hotel – Victory. They have set up virtual local area networks (VLANs) for all hotel guests, inhibiting attackers from using the most common means of data intercept. The study goes so far as to lay fault on hotels that are not using available technology to protect hotel guests.

A number of recommendations were also made for hotel guests, including having an updated firewall, using the secure socket layer (SSL) protocol for transactions, and using virtual private network (VPN) or SSL-based email.

Download link: Hotel Network Security: A Study of Computer Networks in U.S. Hotels [PDF] Author note: at the time of publishing, the PDF link was not working well.

Via GCN ; Image: Microsoft Clipart