The truth about insider netoworking attacks.

[Amol S.]

Most people think that insider networking attacks only happen in a business environment or network, but I do not think this is true. I also think that man IT tech professionals would agree with me on this as well. The fact that the majority of the public think that their home networks are a safe network are 100% wrong.

Anyone inside a home can try to do an insider attack, even your wife if she thinks you are having an affair with someone, and wants to hack your phone to see all your conversations. The majority of home network insider attacks are usually created by guests that are given the AP passcode to the network. But I am not creating this thread to rant about this, but about the fact that why is the general public not being informed about this fact.

The majority of the general public are not informed or guided to the truth about the fact that home networks are not 100% safe from insider attacks. Without this information, most of the general public would not know about this, since not every one studied in the field of Network Security or Information Technology.

I think the blame on who is responsible for not informing the public about his fact are the ISP providers who usually supply the modem and/or the router. They should inform the consumers when buying service from them that even though the device (which usually has an internal firewall), has firewall protection from the outside, it usually does not protect internal attacks. This little fact, which is usually not told to the consumer is what I am worried about; the router and/or modem belongs to the ISP, so they should be responsible to tell the consumer about the security shortfalls of the device. So this is why I am asking the community the following question.

Why don't ISP inform or alert their consumers upon purchase of the service, about this information?

 

[VirtualLarry]

Why don't ISP inform or alert their consumers upon purchase of the service, about this information?

Inform about what? That it may be dangerous to let strangers that you don't trust with your equipment, into your home? Seems kind of self-evident.

Edit: Or is there some sort of more-specific exploit that you would like to discuss, that would allow a user using your "guest" network SSID, to access your LAN?

Edit: It's a well-known principle that if they have physical access to the network gear, or the host PCs, then they can (eventually) gain some sort of access.

 

[Amol S.]

Inform about what? That it may be dangerous to let strangers that you don't trust with your equipment, into your home? Seems kind of self-evident.

Although I do agree with you in some aspects, there are many people in the world dumb enough to let strangers even use their equipment. If you remember the large ransom ware attack that hit Europe and America, even after it came in the news the first day it happened and that the tech reporters stated not to just blindly click on links, the attack still continued a few days after the news report came out. Isn't that just proof enough that there are people in the world who are dumb enough not to know things?

 

[VirtualLarry]

And...? Yes, this world includes "dumb people". Who, largely, will not heed any sort of warning on the package anyways. So it would be pointless to add one.

And for people that allow strangers to "use their equipment"? Would YOU let a stranger drive your car? Letting them drive your internet vehicle isn't much different, really.

Edit: And about the specific issue of Ransomware, both the users and Microsoft deserve the blame for that one, well, mostly the makers of the malware, but sometimes users are dumb, and even click "OK" for "Run this program? It might be a virus!", and sometimes, an innocent click, can lead to an exploit (due to deficiencies in the software the user is using, through no fault of their own), and their PC gets taken over.

Offline backups, in this day and age, are a MUST.

 

[Amol S.]

Offline backups, in this day and age, are a MUST.

I agree with you on that. However my Network Perimeter and Security professor in college, told me that it is very expensive and impractical. He gave an example like, companies that have large old databases who didn't back up from the start, would have a hard time backing up their data. That to by the time all the data gets backed up, the original data might have been updated, and the long back up process happens again. The lesson he was trying to teach there was to not be dumb and back data up from the beginning.

 

[VirtualLarry]

Is there a specific incident of this that you wanted to discuss, did something happen to you over the holidays?

Certainly, if you can, change your Router's admin Login / Password, to block anyone from changing the settings from what you set it to, or reading what could be sensitive settings that you programmed in.

It's helpful that many equipment vendors now default to device-specific password that is relatively secure. (But heaven help you, if you lose that sticker with the default password, and need to factory-reset it with the little pinhole. In that case, some service providers will also allow you to set the password using the ISP's TR-069 access backdoor, as long as you have the online login info for your account.)

 

[VirtualLarry]

I agree with you on that. However my Network Perimeter and Security professor in college, told me that it is very expensive and impractical. He gave an example like, companies that have large old databases who didn't back up from the start, would have a hard time backing up their data. That to by the time all the data gets backed up, the original data might have been updated, and the long back up process happens again. The lesson he was trying to teach there was to not be dumb and back data up from the beginning.

That's not, strictly, true.

For an individual Windows-based PC, yes, generally, you would back up the PC (image backup, let's say), and generally you want to do that "offline" (from a boot disc with the OS not running).

For a big server, generally, the backup software has a software component, that runs alongside or inside the database process, and it allows the database to continue functioning without downtime, and still allows you to back it up "live", well, for the most part.

It's not impossible, by any means, but in some cases it may be impractical to implement.

For example, the database backup component, might start to backup all records over a year or a month old, and then get to records less than a week or day old, and all the while, keeping track of updates to records, marking them as newer, and eventually it works its way around to backing up nearly everything.

 

[Amol S.]

Is there a specific incident of this that you wanted to discuss, did something happen to you over the holidays?

Certainly, if you can, change your Router's admin Login / Password, to block anyone from changing the settings from what you set it to, or reading what could be sensitive settings that you programmed in.

It's helpful that many equipment vendors now default to device-specific password that is relatively secure. (But heaven help you, if you lose that sticker with the default password, and need to factory-reset it with the little pinhole. In that case, some service providers will also allow you to set the password using the ISP's TR-069 access backdoor, as long as you have the online login info for your account.)

No.... well I do have a router/modem issue that's separate from anything that being discussed here. It was probably I just wanted to say something, since I have came back to the forums after almost a year. It keeps disconnecting from the internet every few days or sometimes after a long time, mostly at night time. The modem it self was delivered by the ISP when I graduated from 6th grade, im already in my last year in college.

On a side note, and relating to the topic, why would anyone even use a default password. Non-default user made passwords are always more secure than default passwords. All it requires for a chaos to occur is dumb 3rd world router/modem manufacturer to decide putting the same default password on their devices.

 

[Amol S.]

That's not, strictly, true.

The professor referred to the last situation in a greater sense. Also, he did not say that it was impossible, I placed that word by accident .

 

[VirtualLarry]

No.... well I do have a router/modem issue.
...
It keeps disconnecting from the internet every few days or sometimes after a long time, mostly at night time. The modem it self was delivered by the ISP when I graduated from 6th grade, im already in my last year in college.

Time for an upgrade?

On a side note, and relating to the topic, why would anyone even use a default password. Non-default user made passwords are always more secure than default passwords. All it requires for a chaos to occur is dumb 3rd world router/modem manufacturer to decide putting the same default password on their devices.

Generally, it hasn't been a big issue, as admin login was only allowed from a wired internal connection. But potential hazards, as you pointed out, or web sites that redirect using frames or something and attempt to re-program your router, are still a potential risk when using a default password.

 

[Amol S.]

Generally, it hasn't been a big issue, as admin login was only allowed from a wired internal connection.

Well that is not the case for home modem/routers, on some ISP providers. For example, with Verizon all you need is the public IP address of your home router/modem, and just enter that in the address bar on a remote wireless network. Then it will automatically take you to the pre-installed home page of the router itself. Of course in both scenarios regardless if your inside or outside the network, you still need to enter the password to change any settings.

 

[VirtualLarry]

Well that is not the case for home modem/routers, on some ISP providers. For example, with Verizon all you need is the public IP address of your home router/modem, and just enter that in the address bar on a remote wireless network. Then it will automatically take you to the pre-installed home page of the router itself. Of course in both scenarios regardless if your inside or outside the network, you still need to enter the password to change any settings.

Is this with "default" ISP settings? Or after user-modification of the "Remote Admin" settings? Because, you can access the router from the ISP side, but that's not supposed to be accessible by your world-routeable public IP.

 

[Amol S.]

Is this with "default" ISP settings? Or after user-modification of the "Remote Admin" settings? Because, you can access the router from the ISP side, but that's not supposed to be accessible by your world-routeable public IP.

Its a sad truth, but its default.

 

[VirtualLarry]

Have you actually seen this, in person? Because I'm about to go into the other room with my laptop, and try this. I don't believe that's true.

Edit: Nope, doesn't work.

I connected to my FIOS router, looked up my public IP address, and tried to connect to it. Timed out.

Then I hopped onto my Comcast connection, and tried to connect to that public IP. Timed out. Tried http 8080, https, still no dice.

Edit: That's with the "FIOS Quantum Gateway".

 

[John Connor]

Reading past all the blather. I can tell you that home users have a major problem with updating their router firmware and staying abreast of any security patches. I can't tell you how many infected ISP IP addresses try to do nefarious things at my website's.

Then you wonder why they complain they lost all of their bandwidth and blame the ISP. Well, stupid. You're router is a hack zombie, yo!

 

[Genx87]

Biggest issue is most consumer routers ship wide open without URL, IPS or App filtering. Layer 4 is also wide open. And we see it in many consumer applications when they lazily consume all open ports. I have no idea how to clamp down on this stuff. End users are not trained well enough to run such a system. But because these routers are wide open. Once an attacker lands their trojan on a machine on the inside network, they will have free reign to do whatever they please.

 

[VirtualLarry]

Once an attacker lands their trojan on a machine on the inside network, they will have free reign to do whatever they please.

But isn't that down to the OS vendor in question? I mean, sure, hack the host, and you get free outbound access, generally, and sometimes, inbound.

 

[Amol S.]

Have you actually seen this, in person? Because I'm about to go into the other room with my laptop, and try this. I don't believe that's true.

Edit: Nope, doesn't work.

I connected to my FIOS router, looked up my public IP address, and tried to connect to it. Timed out.

Then I hopped onto my Comcast connection, and tried to connect to that public IP. Timed out. Tried http 8080, https, still no dice.

Edit: That's with the "FIOS Quantum Gateway".

I do have Verizon, but its Verizon DSL.

I tried accessing using the Public IP address from inside my home network.


Also remember how old my router is compared to your, which is probably much newer.

EDIT: Now I GET WHY it might be happening. My DHCP and local DNS server is the same as the local IP Address of my router. Maybe when I sent a request for the Public IP address of my Router/Modem, the Local DNS on my router related the Public IP Address to the local Ip address of the router. I actually never tried accessing from outside the network.

 

[Amol S.]

Reading past all the blather. I can tell you that home users have a major problem with updating their router firmware and staying abreast of any security patches. I can't tell you how many infected ISP IP addresses try to do nefarious things at my website's.

Then you wonder why they complain they lost all of their bandwidth and blame the ISP. Well, stupid. You're router is a hack zombie, yo!

Its been a year or two since I last saw an update for the firmware of my router/modem.

 

[VirtualLarry]

I actually never tried accessing from outside the network.

So, you posted that without any proof, or at least, never actually tried it. Got ya.

Edit: I take that back. You did try it, but you didn't control the variables properly, and didn't actually test an incoming connection from outside the network.

Anyways, some routers have a "Local loopback" setting, for testing servers, etc. That works, such that if you attempt to access your public IP, from within your network, it will re-direct back into your router, on the local LAN side. That's probably what's going on there.

Edit: You can use the ShieldsUp! site at grc.com , to test what incoming ports your router is listening on. If it's listening on port 80, it MAY actually have your router configuration admin pages exposed to the world, which is something that you should do something about.

 

[JackMDS]

Professional Pollsters spend Million to predict what specific "segments" (should be easier than "Most") of the population think, and many times fail (e.g todays President).

That said I can say with a degree of confidence that Most people Do not even understand this Sentence.

"Most people think that insider networking attacks only happen in a business environment or network".

As for real Enthusiast (Or Pros) Larry gave you a Good example of one can try think (do) about it.:beer:

If I cared to know more about this issue I would instead post: "What can I do to insure that my Private Network is protected from outside invasion.

 

[mv2devnull]

Anyways, some routers have a "Local loopback" setting, for testing servers, etc. That works, such that if you attempt to access your public IP, from within your network, it will re-direct back into your router, on the local LAN side. That's probably what's going on there.

I don't know about "routers", but Linux network stack ...

1. A packet arrives via interface. There might be some "prerouting" filtering like mangling or DNAT (aka "port forwarding").
2. A routing decision is made for the packet. There are two possibilities: the packet is for (A) this machine or for (B) somebody else.
branches:
3A. Input filtering (firewall) and then a process in this machine receives the packet.
or
3B. Forward filtering (firewall) and then "postrouting" filters, like SNAT (aka NAT, aka masquerade), and then packet goes out from an interface.

Ok, lets play with that.
We want to send a packet to Bar. Bar is not on our subnet. Foo is our router.
Therefore, we send a packet (destination=Bar) to Foo.
Foo receives a packet. Destination is Bar. Bar is the same machine as Foo. There is no need to forward the packet. Input filter applies.
A process in FooBar receives a packet. It probably creates a response. The response is destined to our machine.
Such packets are routed out from interface Foo. We get the reply.

It is up to the firewall rules to allow or deny the above communication.

If internal LAN is allowed, then communication is allowed. Unlikely rule, but possible.
If packets coming in from interface Foo are allowed, then communication is allowed. Most likely.
Only if packet must come in via interface Foo and have IP address Foo as destination, then attempt is denied.

"Deny all new connections that come in via Bar interface" is a trivial "input filter".

My DHCP and local DNS server is the same as the local IP Address of my router.

The DHCP is trivial; your router is your DHCP server.

The DNS, there are two common options:
1. External DNS. All your devices query that external DNS server. The router merely routes queries.
2. The router acts as caching DNS. All your devices query a DNS server in the router. The router queries external DNS. It does not route. If multiple queries ask for the same name, then caching reduces amount of communication between router and external DNS.

 

[Genx87]

But isn't that down to the OS vendor in question? I mean, sure, hack the host, and you get free outbound access, generally, and sometimes, inbound.

Not if you have app filtering, IPS, and port filtering. These block outbound traffic.