Tag Archive for Firewall

Scary SS7 Flaw Strikes Banks

Scary SS7 Flaw Strikes BanksLost in last month’s hub-bub over WannaCry ransomware was the revelation that hackers had successfully exploited the SS7 “flaw” in January 2017. In May reports surfaced that hackers were able to remotely pilfer German bank accounts by taking advantage of vulnerabilities in Signaling System 7 (SS7). SS7 is a standard that defines how to public phone system talks to itself to complete a phone call.

Telephone system Signaling System 7 The high-tech heist was initially reported by the German newspaper Süddeutsche Zeitung (auf Deutsch). The attack was  a sophisticated operation that combined targeted phishing emails and SS7 exploits to bypass two-factor authentication (2FA) protection. This is the first publicly known exploit of SS7 to intercept two-factor authentication codes sent by a bank to confirm actions taken by online banking customers.

According to ars technica the attack began with traditional bank-fraud trojans. These trojans infect account holders’ computers and steal the passwords used to log in to bank accounts. From there, attackers could view account balances, but were prevented from making transfers without the one-time password the bank sent as a text message. After stealing the necessary login details via phishing emails, the perpetrators leveraged the SS7 flaw to intercept the associated mTAN (mobile transaction authentication numbers) authentication codes sent to the victims — messages notifying them of account activity — to validate the transactions and remain hidden, investigators say.

Central office equipmentGerman Telecommunications giant O2-Telefonica confirmed details of the SS7-based cyber attacks to the newspaper. Ars says, in the past, attackers have obtained mTANs by obtaining a duplicate SIM card that allows them to take control of the bank customer’s phone number. SS7-facilitated compromises, by contrast, can be done remotely on a much larger quantity of phone numbers.

O2 Telefonica confirmed to Help Net Security that the attackers were able to gain access to the network of a foreign mobile network operator in January 2017. The attackers likely purchased access to the foreign telecommunications provider – this can apparently be done for less than 1,000 euros – and have set up call and SMS forwarding.

Ford Road CO in Dearborn Mi is the Oregon officeTwo-factor authentication (2FA) is a security process in which the user provides two authentication factors to verify they are who they say they are.  2FA provides an extra layer of security and makes it harder for attackers to gain access to a person’s devices and online accounts, because knowing the victim’s password alone is not enough to pass the authentication check. Two-factor authentication has long been used to control access to sensitive systems and data, and online services are increasingly introducing 2FA to prevent their users’ data from being accessed by hackers who have stolen a password database or used phishing campaigns to get users’ passwords.

News of the incident prompted widespread concern online. Security advocates railed against the popular and continuous use of text messages to authenticate account information while growing evidence suggests that SS7 is an unsafe channel to deliver such data. Security experts told ars that the same SS7-centric hacking techniques used against German banks will become increasingly prevalent in the future, forcing organizations to reconsider how they authenticate user activity.

Cris Thomas, a strategist at Tenable Network Security warns in the article:

Two-factor authenticationWhile this is not the end of 2FA, it may be the end of 2FA over SS7, which comprises a majority of 2FA systems … Vulnerabilities in SS7 and other cellular protocols aren’t new. They have been presented at security conferences for years … there are other more secure protocols available now that systems can switch to…

Cyber security researchers began issuing warning about this flaw in late 2014 about dangerous flaws in SS7. I wrote about the SS7 flaw in September of 2016  and in March 2107. Maybe this will be the wake up call for the carriers. One industry insider quipped:

This latest attack serves as a warning to the mobile community about what is at stake if these loopholes aren’t closed … The industry at large needs to go beyond simple measures such as two-factor authentication, to protect mobile users and their data, and invest in more sophisticated mobile security.

man-in-the-middle attackIn 2014 security researchers first  demonstrated that SS7 could be exploited to track and eavesdrop on cell phones. This new attack is essentially a man-in-the-middle attack on cell phone communications. It exploits the lack of authentication in the communication protocols that run on top of SS7.

Developed in 1975, today, over 800 telecommunications companies around the world, including AT&T (T) and Verizon (VZ), use SS7 make sure their networks interoperate. This technology has not kept up with modern times.  In May 2017, Wired published an article which explains some of the ways to secure SS7. Overcoming SS7 insecurity requires implementing a series of firewalls and filters that can stop the attacks. Researchers Wired spoke to suggest that adding encryption to SS7 would shield network traffic from prying eyes and bolster authentication. Both of these changes are unpopular with the carriers, because they cost money and can impact the network core, so don’t expect any network changes to address the SS7 flaw anytime soon.

Carriers should use SS7 firewall to secure the SS7 networkThe Register reports that the FCC’s Communications Security, Reliability and Interoperability Council found that the proposed replacement for SS7 on 5G networks, dubbed the Diameter protocol has security holes too.

In March 2017, Oregon Sen. Ron Wyden and California Rep. Ted Lieu sent a letter to Homeland Security’s John Kelly requesting that DHS investigate and provide information about the impact of SS7 vulnerabilities to U.S. companies and governmental agencies. Kelly has not responded to the letter, according to the Wired article.

Of course the TLA’s would never use this “flaw” in SS7 to spy on us.

The Guardian says that given that the SS7 vulnerabilities reside on systems outside of your control, there is very little you can do to protect yourself beyond not using the services.

PoliticianThey recommend for text messages, avoiding SMS and instead using encrypted messaging services such as Apple’s (AAPL) iMessage, Facebook‘s (FB) WhatsApp or the many others available will allow you to send and receive instant messages without having to go through the SMS network to protect your messages from surveillance.

For calls, the Guardian recommends using a service that carries voice over data rather than through the voice call network. This will help prevent your calls from being snooped on. Messaging services including WhatsApp permit calls. Silent Circle’s end-to-end encrypted Phone service or the open-source Signal app also allow secure voice communications.

protect yourself Your location could be being tracked at any stage when you have your mobile phone on. The only way to avoid it is to turn off your phone or turn off its connection to the mobile phone network and rely on Wi-Fi instead.

Related articles

Ralph Bach has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow me at Facebook and Twitter. Email the Bach Seat here.

Linux Turns 25

Linux Turns 25Linus Torvalds released the first Linux operating system kernel on Oct. 5, 1991. On Oct. 6, 1991, Torvalds began arguing with volunteer developers who would go on to make Linux an open-source powerhouse and eventually a household name. Today the Linux community is upwards of 86 million users strong.

Linux Turns 25As part of celebrations to mark Linux’s 25th birthday the Linux Foundation has published its annual Linux Kernel Development Report (PDF reg required). According to the Register, the report concludes that Linux is in great shape, “There may be no other examples of such a large, common resource being supported by such a large group of independent actors in such a collaborative way.”

The independent actors have a lot to collaborate on. The report notes that the first versions of the Linux kernel comprised about 10,000 lines of code. Now it’s nearing 22 million and growing at a rate of 4,600 lines a day.

Wall StreetWhile Linux may have started out as a hobby OS, that changed in the early 2000’s. At the turn of the century, Wall Street banks demanded Linux support for their enterprise application servers says Tech News World.

“That was a moment that broke down resistance to Linux in the big IT vendors like BEA, IBM and Oracle (ORCL). That hole in the dam was the start of a flood,” said Cloud Foundry CEO Sam Ramji. “Today Linux is the home of operating system innovation.”

LinuxAporeto Virtualization Expert Stefano Stabellini, who has been a Linux user and open source advocate since the 1990s explained the transition. “… back when I started with Linux in the ’90s … [companies] did not understand it. They thought that open source was unsustainable, and Linux was niche and hobbyist.” He says that now everything has changed. Every company has an open source strategy now. “Microsoft (MSFT) was the biggest foe and now is a strong ally. Linux is the most widely adopted operating system of all times.

Dice points out that the most active contributors to the growth of Linux have included (in descending order) Intel (INTC), Red Hat, Linaro, Samsung (005930), SUSE, IBM (IBM), and various corporate consultants. Google (GOOG), AMD (AMD), and Texas Instruments (TXN) also ranked in the top 15.


So my first pass at Linux was Red Hat Linux 5.0. when Novell bought into Linux. Yeap I was a Novell CNE 5 way back in the day.

The last couple of projects I have been involved with have used Linux and not Windows, CMS, IVR, PAFW’s and storage.

Ralph Bach has been in IT for fifteen years and has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow me at Facebook and Twitter. Email the Bach Seat here.

Snoops Offer Security Tips

Snoops Offer Security TipsIn one of the more ironic, notice I did not say tragic, turns in the post-Snowden era, the National Security Agency (NSA) has published a report with advice for companies on how to deal with malware attacks. FierceITSecurity says the report (PDF) boils down to “prevent, detect and contain.” To be more specific, the report recommends that IT security pros:

  • Information securitySegregate networks so that an attacker who breaches one section is blocked from accessing more sensitive areas of the network;
  • Protect and restrict administrative privileges, in particular high-level administrator accounts, so that the attacker cannot get control over the entire network;
  • Deploy, configure, and monitor application whitelisting to prevent malware from executing;
  • Restrict workstation-to-workstation communication to reduce the attack surface for attackers;
  • Deploy strong network boundary defenses such as perimeter and application firewalls, forward proxies, sandboxing and dynamic analysis filters (PDF) to catch the malware before it breaches the network;
  • Network attackMaintain and monitor centralized host and network logging product after ensuring that all devices are logging enabled and their logs are collected to detect malicious activity and contain it as soon as possible;
  • Implement pass-the-hash mitigation to cut credential theft and reuse;
  • Deploy Microsoft (MSFT) Enhanced Mitigation Experience Toolkit (EMET) or other anti-exploitation capability for devices running non-Windows operating systems;
  • Employ anti-virus file reputation services (PDF) to catch known malware sooner than normal anti-virus software;
  • Implement host intrusion prevent systems to detect and prevent attack behaviors; and
  • Update and patch software in a timely manner so known vulnerabilities cannot be exploited.

The author quotes from the report;

Once a malicious actor achieves privileged control of an organization’s network, the actor has the ability to steal or destroy all the data that is on the network … While there may be some tools that can, in limited circumstances, prevent the wholesale destruction of data at that point, the better defense for both industry and government networks is to proactively prevent the actor from gaining that much control over the organization’s network.


For those who have not been following along, the TLA’s have been attacking and manipulating anti-virus software from Kasperskey.

We also now know suspect that the TLA’s have compromised at leat one and probably two hardware vendors. The Business Insider recalls, way back in 2013, as part of the Edward Snowden NSA spying revelations.German publication Spiegel wrote an article alleging that the NSA had done a similar thing — put code on Juniper Networks (JNPR) security products to enable the NSA to spy on users of the equipment. 

Over at Fortinet (FTNT) they had their own backdoor management console access issue that appeared in its FortiOS firewalls, FortiSwitch, FortiAnalyzer and FortiCache devices. These devices shipped with a secret hardcoded SSH logins with a secret passphrase.

The article seems like advertising for the TLA’s hacking program.

Ralph Bach has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow me at Facebook and Twitter. Email the Bach Seat here.

Is The Perimeter Dead?

Even while mobile, cloud, and software services are blurring the lines of corporate IT boundaries through deperimeterization, DarkReading recently asked out-loud, if the perimeter is dead. There are those who believe enterprises are wasting their money as they spend increasing amounts of their security budget on perimeter protection. In fact, FierceTelecom reports that 57 percent of enterprises responding to a survey said they plan to spend $500,000 or more in 2014 to upgrade their firewalls to high-speed network interfaces. Security is the chief reason cited.

TelescopeIt is no surprise that the answers varied according to the author. Hardliners, of course, have been hammering on the death of the perimeter for a long time now. “Perimeter security is no longer relevant to enterprises. With the mobilization of the workforce, it’s very hard to define the perimeter of any organization because mobile-enabled employees are connecting to the network from all over the world on devices of their choosing,” Thevi Sundaralingam, vice president of product management at Accellion told DarkReading. “Next-gen security needs to focus keeping content safe, not on defining a network perimeter.”

Then there are the cynical abandoners. “In my opinion, perimeter security is not dead — it just has been handled incorrectly for so long people are giving up,” Alex Chaveriat, a consultant at SystemExpert told the blog.

Network perimeterBut others believe perimeter protection still has plenty of relevance for enterprise IT, even if it means rethinking the role of the perimeter and how these defenses are deployed. Corey Nachreiner, director of security strategy for WatchGuard (a firm that sells firewalls) believes the perimeter is different but still relevant.

The perimeter will never die, it will just get more focused … Sure, our workforce is getter (sic) more mobile, which means we need to incorporate new security solutions. But let’s not fool ourselves. The perimeter will never go away.

CopperWatchGuard’s Nachreiner believes that the new perimeter needs to focus on server infrastructure and data centers, and not endpoint users. He believes firms will have to operate in a hybrid environment that bolsters the perimeter rather than replacing it. “Just because people are using mobile devices and cloud services doesn’t mean they won’t still have local servers and assets behind a relatively static perimeter.”

Another argument for perimeter defenses, according to the author is network egress monitoring. Michael Patterson, CEO of Plixer International told the author that egress visibility is crucial to pinpoint large-scale breaches.

Ultimately, the bad guys need to pass through the perimeter in order to complete the exfiltration of the data they are trying to steal … Monitoring behaviors is playing a significant role in this area as is the reputation of the site being connected to. 

CEO Patterson also explains that perimeter defense doesn’t necessarily have to be placed at the edge. He told DarkReading it may have more relevance inside the network to monitor and block threats within the organization. It’s for this reason that Mike Lloyd, CTO of RedSeal Networks, says that rather than dying, the perimeter has actually grown in recent years. In the article he says;

Companies have more and more perimeters that are getting smaller and smaller … Regulation drives it: PCI demands internal “zones” of segregation. BYOD drives it: Once you let zany uncontrolled endpoint devices onto your network, you have to build zones to keep them away from internal assets. Security drives it: We’ve talked about defense in-depth for years, but people are finally doing it.

As a result, RedSeal’s Lloyd says, security practitioners have more opportunities for controls. This, though, can be a blessing and a curse. The downside is complexity, more controls in more places … The aspirin for that headache is automation. Make sure that all the enclaves you designed are actually set up and maintained properly as change happens.

The last time I re-designed a network, we put a Checkpoint (CHKP) firewall in front the of server segment. We dropped it in, in transparent mode to collect the who, what, when and why of people accessing data you should have heard the howls of protest.

Despite naysayers, many security experts believe perimeter defenses have relevance when deployed as a part of defense-in-depth

Ralph Bach has been in IT for fifteen years and has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow me at Facebook and Twitter. Email the Bach Seat here.



Network Security Layering

Most companies are prepared for threats to their networks from the outside world, but it’s breaches of security from within the corporation that often pose the biggest concern in this post-Enron world of increased corporate governance. In addition, IT managers must deal with both technical and human challenges to meet the security requirements of their companies, as well the mandates of new legislation such as the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act and the Graham-Leach-Bliley Act.

When considering how to secure a network, it’s important to take a holistic approach, from the physical layer to the application layer, with thorough security policies, appropriate authentication mechanisms and effective education of users to complement the technologies implemented within the network.

The security-layering concept results in the ability to offer variable-depth security, where each security level builds upon the capabilities of the layer below, resulting in more stringent security moving up through the layers. This can help to protect organizations from security breaches that may come from within, as layering provides multiple measures of security controls.

The first layer: VLANS At the first layer, basic network compartmentalization and segmentation can be provided by virtual LANs. This allows various business functions to be contained and segmented into private LANs with traffic from other VLAN segments strictly controlled or prohibited. Several benefits may be derived from the deployment of VLANs for small to midsize businesses across the company’s multiple sites. These include the use of VLAN “tags,” which allow the segregation of traffic into specific groups, such as finance, human resources and engineering, and the separation of data without “leakage” between VLANs as a required element for security.

The second layer: Firewalls A second layer of security can be achieved with perimeter defense and distributed firewall-filtering capabilities at strategic points within the network. The firewall layer allows the network to be further segmented into smaller areas and monitors and protects against harmful traffic originating from the public network. In addition, an authentication capability for incoming or outgoing users can be provided. The use of firewalls provides an extra layer of protection that’s useful for access control. The application of policy-based access allows the customization of access based on business needs. The use of a distributed firewall approach affords the added benefit of scalability as enterprise needs evolve.

The third layer: VPNs As a third layer of security, virtual private networks, which provide a finer granularity of user access control and personalization, can be added. VPNs offer fine-grain security down to the person user level and enable secure access for remote sites and business partners. With VPNs, dedicated pipes aren’t required, since the use of dynamic routing over secure tunnels over the Internet provides a highly secure, reliable and scalable solution. The use of VPNs with VLANs and firewalls allows the network administrator to limit access by a user or user group based upon policy criteria and business needs. VPNs give stronger assurance of data integrity and confidentiality, and strong data encryption can be enacted at this layer to provide more security.

The fourth layer: Solid security practices Best practices by the IT security team are yet another level in a layered network security strategy. This can be achieved by first ensuring that operating systems are protected against known threats. (This can be accomplished by consulting with the operating system manufacturer to get the latest systems-hardening patches and procedures.) In addition, steps must be followed to make sure that all installed software is virus-free.

Clearly, securing network management traffic is essential to securing the network. It’s preferable to encrypt all management traffic all the time using the IPsec or Secure Sockets Layer protocol to protect HTTP traffic.

Encryption is a must even if the traffic is traveling on the local-area network.