Unless you have been living under a rock, recently, then you will have heard that Kim Kardashian was robbed, last month, while on a trip to Paris. The search is still on for the perpetrators and to recover the stolen loot (reported to be somewhere between $6 and $10 million). The questions as to how the gang was able to perform the robbery do highlight some flaws in the security provided for and provided by Ms. Kardashian. However, these flaws are something we can learn from. So, while Kim Kardashian would suck at network security, you can learn from this.
Reasons why Kim Kardashian would suck at network security
Number 1: She failed to see the reconnaissance
There were reports of people disguised as paparazzi as well as a car following them in the days leading up to the robbery in Paris.
It’s clear that they were under reconnaissance. The majority of attacks begin with a little “port knocking.” Much like someone knocking on your door to see if you are home, before burglarizing your house. This can be IP address range scans, followed by port scans, followed by attempts to connect to those devices. A telnet session to a web server may not provide an immediate entry point, but it may disclose the server OS and version of the web server software, giving the attacker more insight and therefore an avenue to explore further down the line.
- Log and alert. A SEIM solution, properly configured can alert to such activity. While you won’t want an alert every time someone tries to gain access, repeated tries from the same IP address should be flagged by the software and raise an alert.
- Shun suspect IP addresses. A properly designed solution should also offer the ability to automatically deny access to such IP addresses, without the need for this to be done manually. This can be configured in the likes of the Cisco IPS units.
- Make proper use of a DMZ (Demilitarized Zone), and use the 5-tuple access list method (source IP address, destination, IP address, protocol, source port number, destination port number) as much as possible.
Number 2: They failed to secure perimeter
Technically, this was not Ms. Kardashian’s fault, actually, they tried to do something right. By staying in a Hotel they few have heard of, they practiced “Security through obscurity”. While posting bodyguards at every entrance to the Hotel would have increased their visibility, the choice was made to stay on the down-low. However, the (unarmed) doorman on duty was quickly overpowered. He was unable to raise the alarm.
How can a network be overpowered like this? Denial of Service attacks and buffer overflow attacks can be used to overwhelm a host. In such cases, the application can crash, the host could reboot, or it could allow the attacker to run malicious code.
There are some basic steps we can make to improve perimeter security:
- Make sure that patches are implemented on a regular basis. Just wait a few weeks before installing the latest patch, in case the new patch also has issues.
- Try not to use default ports. You can map port 4422 externally to an internal port of 22, but this means that the common SSH port is seen as unavailable to an attacker performing a basic scan. Scanning all 65535 would most likely raise a red flag, so basic scans will target commonly used ports, such as 22 for SSH, 23 for telnet and so on.
Number 3: Failed to properly deploy intrusion prevention
So far, we have seen how the early warning signs were missed, and how the intruders gained entry. The next reason why Kim Kardashian would suck at network security is that the inside of the network was not secured. While the general focus of security is with people getting from the outside to the inside, we should never ignore threats coming from within the network. In the case of the Paris heist, Pascal Duvier (the bodyguard) was away from the scene with Kim’s sisters. It is unusual for the “primary” to be left unattended, but apparently, this was her decision. Regardless of who and why this left Kim inside, unprotected.
The inside of a network should be protected just as much as the outside. How easy is it for someone to insert a USB stick into a machine? Host-based Anti-Virus and Anti-Trojan tools are just as important to the inside, as a Firewall is to the outside.
A Host-Based Intrusion Detection System (HIDS), can protect the hosts on the interior. Something like OSSEC can protect Linux-based hosts and Windows machines and is free. There are commercially available solutions, such as Tripwire as well. These are not just designed to protect against malicious intent, but also against the well-meaning staff member clicking a link containing malicious code.
Number 4: Failed to reduce the scope of attack
The primary reason why Kim Kardashian was targetted, is because she made herself a target. The Instagram posts flashing the $3.5m ring are an example of this. Flashing the “bling” made her target number-one.
How can we reduce the scope of the attack within a network?
Attacks are going to happen, regardless of what we show or do not show. Clearly, it would be foolish to advertise that you have a database containing usernames, passwords and credit cards numbers, but it also does not take a genius to work out that if that’s the kind of work you do, it is likely that the information will be there, somewhere. While it may have been foolish to brandish an expensive ring all over social media, it would not take a genius to work out that there would have been something of great monetary value in that Paris hotel apartment.
Honeypots are a good way to distract and deter. While they are not foolproof and can be detected, they can be used effectively to push an attacker away from the core network into a contained and secure sub-network, where that attacker and the attack pattern can be studied. An example of a honeypot system would be Honeynet.
Number 5: Failed to preserve the forensic data
The final reason why Kim Kardashian would suck at network security is the failure to preserve the forensic evidence.
Kim left Paris just a few hours after the robbery, instead of staying to assist the police with their inquiries. This meant that instead of waiting for the initial shock to pass, allowing her to potentially recollect more information to assist the police, she was heading back to the United States. Potentially costing the investigating police vital evidence and information.
Forensic evidence must be preserved.
- Disconnect the compromised host from the network as soon as it is identified.
- Avoid powering down the host as there may be useful data within memory
- If you need to work on the machine, clone it first and work from the clone.
- Access to the compromised host must be logged to provide a paper trail.
So, while Kim Kardashian would suck at network security, you don’t have to. Using the failures displayed above, it offers a chance to learn from others mistakes. Most importantly, the steps you can take to help secure your data, do not need to be expensive ones. There are plenty of open-source tools available to help.