CSL Dualcom make their Network Operations Centre widely known.
When they posted a video, I thought I’d check them for sensitive information disclosure, like actual customer ICCIDs and chip numbers.
However, what I found was far funnier. On one of their own promotional videos, they show a close up of an member of staff using some kind of operations/support portal, but they are also logged into Hotmail.
To the left, the partially obscured tab says “o Be Loved?” – a dating site maybe?
Don’t let your staff use personal web email in your Network Operations Centre. This is idiocy.
Adam
November 11, 2015 at 7:00pmFirst the video video was from 2012. Second most tech businesses have their servers sand boxed, so no sensitive information is gained or sent. Its the reason businesses like Google, Yahoo, and Microsoft are able to allow potentially malicious uploads without worrying about a virus or anybody stealing their information. Third: most big tech businesses allow the use of personal emails and cell phones, as long as its not in or near the server room. Network Operations Centers have safe guards against viruses and security breaches by sandboxing so that even if a virus or a spybot were to get in their servers they wouldnt be able to destroy anything or send any information to the attacker. Google offers the lowest bug bounty for attacking sandboxed servers, because even if they managed to execute remote code they wouldnt be able to do anything. Forth: They hired actors and it probably wasnt shot on site of their business, a lot of businesses do this.
cybergibbons
November 11, 2015 at 9:34pmThanks for the comment.
1. Yes, the video is from 2012.
2. I don’t really understand how sandboxing applies here. Sandboxing doesn’t stop sensitive information being gained or sent. That’s not what the purpose of sandboxing is – it’s isolation. It’s also not “the reason” that big names allow upload. I don’t think you understand the purpose of sandboxing, or why defence-in-depth is important.
3. Many businesses explicitly forbid the use of personal email, especially web mail, on any machines. It’s often enforced by firewalling. It’s a huge risk to business.
4. They hired actors, who found enough time to log in to their personal email? Why would you build a fake network operation centre to show off your network operation centre?
A network operations centre is as close as you can get to the network infrastructure. It’s an incredibly privileged position, and should be protected.
Adam
November 16, 2015 at 6:13pmThanks for your reply.
Sandboxing can stop information from being gained and sent.
Heres one sandboxing application designed for businesses:
http://www.checkpoint.com/products/threat-emulation-sandboxing/
As you can see it has become very intricate.
And thats the reason Google doesnt have to worry about a malicious user gaining sensitive information, they store all uploads on sandboxed servers. Google uses custom sandboxing designed by Akamai for most of their uploads.
Thats the reason they offer the lowest bug bounty for attacking sandboxed servers, aside from sandbox escapes.
I could be wrong that they hired actors it just didnt look like a real NOC, it looked small.
I do know that many big tech companies allow the use of personal emails, it’s mainly the smaller ones that dont allow it or the ones with classified material(such as server rooms). I know at Captial One and Chase Bank they allow the use of personal emails, as they know it’s impossible to prevent a highly skilled programmer from accessing his or her email even with firewalls. They have security measures to make sure that data doesnt get stolen, some of which I wasnt briefed on because its on a need to know basis.
In addition whats to stop an employee from using a paid VPN or proxy on their personal laptop or work computer to access insecure networks over the companies WiFi? Sure the company could block the majority of the IP’s used by VPN’s or proxies but not all the IP’s.
A.n.Actor
November 12, 2015 at 1:37pmhttp://www.zoominfo.com/p/Daniel-Whicker/2049970374
Chris
November 13, 2015 at 12:25am“most tech businesses have their servers sand boxed, so no sensitive information is gained or sent”
Hi Adam, I saw the above and wanted to add my 2 pence. Firstly, I’ve worked with tech businesses and infrastructure architecture for years and I can assure you that a large number of very capable businesses don’t appreciate their own risk factors across all the stakeholders in the business, let alone implement a fully thought through plan to isolate different parts of the infrastructure. Typically some networking and firewalling is used as a panacea after the fact, often overlooking entirely how the supposedly now secure areas are accessed in normal use.
Secondly, in the video you see an invidual on a desktop logged into CSL’s Gemini NOC platform as daniel.whicker@… in one IE 7 or IE 8 (you can tell from the logo design) tab while simultaneously logged into public Hotmail as danwhicks@… in another IE tab and also one what may be a dating site in another IE tab. The desktop shown earlier is XP (from the Start button design and Quick Launch layout) and this is consistent with IE 7 and IE8 and they are local desktops running from PCs which you see underneath the desks in the video. This means they are running an old OS nearing end of support life and a browser which is one or two major revisions behind in 2012.
Whatever steps CSL have taken to protect their Gemini platform, it is running inside a browser on a local OS and in the same browser instance is a webmail client which potentially has access to anything including viruses, malware, malicious scripts and so on. For all we know the apparent dating site was opened after clicking a spam link in a mail in Hotmail. The sad fact is that this browser instance bridges the insecure domain of Internet and the valuable domain of the NOC platform and anything running against that instance on that desktop has equal access to both domains.
Weighing up the risks here you can hopefully see that this is bad and yet fully avoidable by replacing IE 7/8 with IE 9/10 which were current in 2012 or with a different browser altogether (depending on whether the Gemini platform had any browser-specific requirements) and ensuring that these PCs can only access NOC related resources and a whitelist of any external sites required for operation. There may be some add-ons helping with protection behind the scenes but, since none of these more straightforward safety measures have already been taken, I doubt it.
Daniel Whicker appears to be a real person who was there. http://www.zoominfo.com/p/Daniel-Whicker/2049970374. If an evil person saw that video at the time they could have emailed Dan at his Hotmail account with an irresistible dating offer in a booby-trapped html attachment which, when opened, scraped data from other tabs, likely resulting in confidential data from the NOC platform being accessed by unauthorised an unauthorised third party. Or perhaps it could detect and replace some specific targeted alert information so that an alarm event is hidden, handy for a targeted robbery. You get the idea.
Regards,
Chris
NKT
November 13, 2015 at 6:27pmChris clearly gets it, even if Adam doesn’t – if you let anyone and everyone (Hotmail, random websites) to sit on your most secure machines? Well, suddenly they aren’t so secure. And we aren’t talking 0days here, just the dozens of well known browser based attacks!
We live in a world where air gaped servers are being attacked by thumb drive transferred data, heat pulses as slow comms, & ultrasonic ‘secret codes’ passing info, and yet these secure rooms aren’t even cutting off Hotmail?! Very poor.