A railway network was hacked. How?
Anything can be hacked! No one is safe, but you can significantly reduce the damage from hacking attacks if you set up your security the right way. One computer enthusiast scanned a range of IP addresses and gained access to an internal railway network with video surveillance and trains.
But how was it possible to hack the railway network?
The loophole was found by chance in a router connected to the Internet. An engineer scanning standard ports found a proxy server on the router that required neither authorization nor a password, then a second proxy behind it, also without a password, and behind that an unsecured network.
Scanning the network revealed more than 20,000 devices, most of them with factory passwords.
Among them were:
• Outdoor and indoor surveillance cameras;
• IP phones and FreePBX servers (GUI for Asterisk management);
• IPMI (Intelligent Platform Management Interface) servers;
• Ethernet to COM port converters;
• UPS control systems;
• Network equipment, etc.
But how was this possible?
The engineer lists some of the possible reasons:
• The hacker managed to find one of the railway offices, which is connected to the main network via L2TP, making it possible to access the entire network;
• There were no firewalls separating the networks;
• There were no intrusion detection or prevention systems (IDS/IPS);
• There are a lot of unsecured devices and devices with default passwords, which means there is no password change policy;
• Outgoing traffic is not monitored;
• All management interfaces are on the same network as client services; there is no separation by VLAN.
When the report was published, engineers promptly plugged the loophole.
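The faults listed above can be checked against your own device inventory. The following Python is an added example, not code from the report or the engineer; the inventory rows, field names, the 10.250.0.0/24 management segment and the choice of which device roles count as management equipment are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Assumed segment plan (constructed): management interfaces belong only here.
MGMT_NETS = [ipaddress.ip_network("10.250.0.0/24")]
# Roles from the article's device list treated here as management equipment.
MGMT_ROLES = {"ipmi", "ups", "serial-converter", "network"}

# Constructed inventory rows, as exported from a hypothetical asset database.
INVENTORY = [
    {"host": "edge-rtr-01", "ip": "10.10.0.1", "role": "network",
     "default_password": False, "proxy_no_auth": True, "internet_facing": True},
    {"host": "cam-017", "ip": "10.10.4.17", "role": "camera",
     "default_password": True, "proxy_no_auth": False, "internet_facing": False},
    {"host": "ipmi-db2", "ip": "10.10.8.22", "role": "ipmi",
     "default_password": True, "proxy_no_auth": False, "internet_facing": False},
    {"host": "ups-hall3", "ip": "10.250.0.31", "role": "ups",
     "default_password": False, "proxy_no_auth": False, "internet_facing": False},
]

def in_mgmt_segment(ip):
    """True if the address lies inside a dedicated management subnet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MGMT_NETS)

def audit(inventory):
    """Return (host, finding) pairs for the faults the article lists."""
    findings = []
    for dev in inventory:
        if dev["default_password"]:
            findings.append((dev["host"], "factory-password"))
        if dev["role"] in MGMT_ROLES and not in_mgmt_segment(dev["ip"]):
            findings.append((dev["host"], "mgmt-not-segmented"))
        if dev["proxy_no_auth"]:
            kind = "open-proxy-internet" if dev["internet_facing"] else "open-proxy-internal"
            findings.append((dev["host"], kind))
    return findings

def summary(findings):
    """Count findings per type so the largest categories are fixed first."""
    return Counter(kind for _, kind in findings)

if __name__ == "__main__":
    results = audit(INVENTORY)
    for host, kind in results:
        print(f"{host}: {kind}")
    print(dict(summary(results)))
```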
Last week, we conducted a survey on firmware and software updates for devices. The results showed that many technicians try not to mess with the devices operating at their companies and do not update firmware and software. Is that good or bad? It is difficult to say, as there are many nuances involved.
So, how are you dealing with security at your company? Have you noticed any of the faults listed above?