I'm curious on the methods you would use to identify and pinpoint exposed devices

deanfourie

Occasional Visitor
So I'm curious on the methods you would use to identify and pinpoint exposed devices. Unplug everything and plug one device in at a time etc? What methods would you use to find said infected device?

I'm curious as obviously with the sophistication of today's malware, detection can be near impossible or just plain DIFFICULT. So, from your perspective or experience, what's the best approach and method to really identify a compromised device? I'm a big fan of GitHub tools too if you wanna throw me a bone ;)

I'm also interested to hear your thoughts on hardware level infections such as BIOS, NIC, switches and APs etc. How likely is it for a device's BIOS to be infected, causing continued infection on every new install of an OS?

I'm currently using ntopng and viewing live flows. I would like to know what the acceptable amount of flows / DNS requests would be for say 2 connected Windows devices.

Also, how common would an ISP level targeted (or untargeted) attack be? I'm talking someone on the inside of the ISP say pushing configs with TR069. Do ISPs actually limit or restrict this type of stuff? Is this like actually hard for an employee to do?

How possible would a MITM attack be to actually push infected Windows updates? Say if someone was able to intercept DNS and point the Windows Update hostname to a hosted server, then push a Windows Update containing vulnerabilities? Again possibly be linked to an inside job at the ISP to reroute the DNS to a dodgy resolver.

Look forward to hearing your thoughts.

Thanks
 
TR069 attacks are highly unlikely the way you describe them, but sure, some disgruntled engineer could possibly do something, but I can't say I've ever heard about such a thing. I'm guessing a lot of people at an ISP would have access to TR069 control, but it all depends a lot on what hardware they're using and how they've implemented staff control of their customer premise hardware.
I have a cable service, but my ISP modem/router is set to bridge mode, as I don't trust their hardware.

PC BIOS attacks exist and happen and get patched at some intervals, but it's still fairly rare. NICs unlikely unless you got some fancy server level hardware. Dumb switches can't be attacked from what I know, although I guess even those types of devices run some kind of firmware, but they normally require programming via pins, not something that can be done over the network. Routers/APs could of course be attacked and taken over and it happens all the time, courtesy largely of botnets.

There are no good ways known to me to find out if you have an infected device, normally the only way to tell is if you check your network traffic and see something abnormal going on, or if your network speed all of a sudden tanks. Personally I think you're worried about things that are unlikely to happen. Most of these things go after corporations, not your personal computer, unless it's to use devices in your home as part of a botnet that would be used to attack corporations or government agencies.

The best thing I think you can do is to make sure your devices that are facing the internet are up to date firmware wise and that all security patches are applied in a timely fashion.
 
Re: MITM attacks
Depends on the platform.
Scenario: Let's say a home router is the DHCP server, and is providing its own IP as the DNS server in leases to clients. It's not uncommon for routers to serve as a DNS relay. An attacker has compromised the router and configured a malicious DNS server.
User PC checks for updates at https://update.microsoft.com, the request for domain resolution is forwarded by the router to the malicious DNS server, and a malware server IP is forwarded back to the client. That is not difficult to pull off. Since this is HTTPS though, the malware server has to provide an SSL certificate before a session is established. In this case, let's say the malicious server has a certificate generated by dodgycert.ru. Also not difficult. The Windows client recognizes the certificate as valid as it is signed by the dodgycert root CA. All is not lost though--just because a cert is valid doesn't mean it is trusted. Anyone can set up a root CA, but Windows only trusts a handful of root CA certificates, which are installed on the host (if you want to see which ones you have installed, run certmgr.msc) and dodgycert.ru is not a trusted root CA. Without an accepted certificate, the HTTPS session fails.

Now when I say depends on the platform, it doesn't always play out like the Windows host. What if the host is an IoT device like a smart lightbulb? If that IoT device does not have trusted root CAs configured, it'll accept any "valid" certificate, even ones issued by dodgycert.ru. Basic defenses like HTTPS would turn out to be inadequate.
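
The "valid but not trusted" distinction from the post above, as an added example that is not part of the original thread: a locally generated "Rogue CA" stands in for dodgycert.ru, a second locally generated "Trusted CA" stands in for a root already in the client's store, and `update.example.test` is a placeholder hostname. It assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Constructed demo: every key, certificate and name below is generated locally.

make_ca() {   # $1 = file prefix, $2 = CA common name
    cat > "$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = $2
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1.cnf" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

issue_leaf() {   # $1 = CA prefix, $2 = leaf prefix, $3 = hostname
    openssl req -new -newkey rsa:2048 -nodes -config "$1.cnf" -subj "/CN=$3" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -days 1 -out "$2.pem" 2>/dev/null
}

# Exit status 0 only if the leaf chains to the given trust anchor.
chains_to() {   # $1 = trust anchor PEM, $2 = leaf PEM
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Echoes "<signature check> <trust-store check>" for the rogue server's cert.
run_demo() {
    dir=$(mktemp -d) || return 1
    make_ca "$dir/trusted" "Trusted CA" &&
    make_ca "$dir/rogue" "Rogue CA" &&
    issue_leaf "$dir/rogue" "$dir/server" "update.example.test" || return 1
    # Signature is fine when checked against the CA that issued it...
    chains_to "$dir/rogue.pem" "$dir/server.pem" && sig=valid || sig=invalid
    # ...but the client only accepts chains ending in a root it already holds.
    chains_to "$dir/trusted.pem" "$dir/server.pem" && trust=trusted || trust=untrusted
    rm -rf "$dir"
    echo "$sig $trust"
}

run_demo
```

A client that skips the second check, or that has no trust anchors configured, is in the position of the IoT device described in the post.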
 
I'm talking someone on the inside of the ISP say pushing configs with TR069. Do ISPs actually limit or restrict this type of stuff? Is this like actually hard for an employee to do?

CWMP-ACS is a client pull, not a server push, just saying...

If the ACS itself is compromised, all bets are off
 
