You may think, your corporate network is more secure than your home network. And which might actually be true for most of your cases. But believe me, it’s a bad bad idea to access your personal and financial information from your office network and/or office machines.
No, I am not talking about the ethical bit of it. That you should not be wasting productive hours at office accessing your personal and financial information. Though that’s also a major reason why you shouldn’t. but my two ( or rather three ) cents are focused only towards the online security and privacy of yours.
But, before we begin. A standard disclaimer. I am not at all trying to blame any organization on snooping their employees data. Rather what I am trying to focus here are two things. One – the insecurity with each and every standard Ethernet switch, which makes most of the enterprise network vulnerable. And Two – that a network administrator actually possess a lot of power. Which either by him or someone who can trick/hack/fool him, can be used to capture or snoop a lot of user data.
Content Filters – Could be Much Dangerous than Government Snooping
Content filters were there in the industry since ages. And had become one of the biggest boon for corporates to filter out unwanted internet access. Thus optimizing the network and making it secure from many type of threats.
Since past few years, the banking sites used to be encrypted ( read has https ) and regular social media and personal/free emails sites used to be unencrypted ( read as regular http ). Those were the golden days for hackers to sniff into the network and steal your email, etc. But then things changed, and https became the preferred choice for a majority of websites. Be it Facebook, or Gmail, or Yahoo. Now they all work on https by default. Even google.com ( the basic search ) now by default works on https.
And that made all kinds of sites, be it a banking or trading website or a simple free email website similarly secure. Isn’t that great ? yes that is. But it posed a nightmare in-front of content-filter selling companies. As they now couldn’t read through the content of most of the websites been accessed.
So, to defend their ground, and keep selling their boxes. They started building technologies which can read through and intercept SSL communication channels as well.
Ok, So what’s that essentially means is, if you are accessing your bank online over a SSL channel. And your organization has a Content Filter which can do SSL inspection. Then technically its completely possible, that somewhere in the way your data can getting decrypted, read, and re-encrypted before it hits your bank’s servers. Though your organization is doing it or not, you can go and check with your SysAdmin. Or keep reading and I will tell you how to know that.
Now, these content filters are very secure and mostly they don’t store any decrypted data on disk. But the scanning activity happens in the RAM. and if, the SysAdmin, a Vendor’s Engineer or a Hacker can get into the content filtering system and take a RAM Dump somehow. There is a high possibility, that they can capture a lot of secure ( otherwise encrypted ) data. And it’s no hypothesis. I have done this successfully for some products. And would love to try on some other 😉 !!
So, for SysAdmins, a word of advice. If your Content Filter is software based, then make sure the shell of the OS is hardened as hell and no direct RAM access is allowed.
And if it is a hardware appliance. Then make sure you don’t share any crash dump or memory dump file to your vendor for the root cause analysis of the failure ( that generated the dump file ). Before vetting the dump file yourself. And be careful while doing so, as you can find your CEO’s banking password lurking there. Also, Never every do HTTPS inspection on any banking/financial institution website & Make sure everyone in the organization knows which HTTPS sites are scanned by the company.
And for the Users, if you want to know, whether your company is intercepting your SSL traffic or not. Whenever you visit a SSL website. Specifically the banking ones. Just check the SSL certificate. If your organization is doing SSL inspection on that site, then you should see a SSL certificate generated by the Company or by the Content Filter’s vendor instead of the actual SSL certificate that should be signed by the known signing authorities like Verisign, Thawte, GeoTrust etc.
Ethernet Switches – As insecure as Popular !
This might scare you the most. But believe me it is one of the weirdest fact that, irrespective of the widespread of this vulnerability in many ( read as most ) of the corporate networks ( baring a few who are really paranoid and smart. ). It is mostly taken very causally. And no measures are implemented to fix it. This vulnerability is called ARP poisoning or ARP-IP Flip Flop attack.
I remember talking to a Reseller and a Pre-Sales Engineer of a renowned UTM brand recently. And they were trying to laugh it away the fact that their UTM which has a so called IPS and ARP poisoning detection functionality, can’t handle or mitigate an ARP poisoning attack hitting directly on the UTM device’s IP. Can’t even generate an alert ! Probably this is not the right medium to take brand names here. But believe me I have Video recordings of the successful attacks. And I am happy to share them offline, where I have some OTR options available 😉 .
And that’s not just one UTM/Firewall solution which lacks this functionality !
Now I will come to the scary part first. Then will touch upon the funny part.
So, what the hell is this ARP Poisoning all about ? well, understand it like this. If this attack could run undetected in your network. Then the attacker can do the following things
1. steal any unencrypted content flowing through your network
2. steal any unencrypted username/password flowing through your network
3. steal AD auth hashes, which can be later cracked by rainbow table attack
4. Can, poison your DNS requests and redirect your urls to a spoofed url without you even knowing about it.
a) And by doing so, the attacker can created a fake page of your bank. Redirect you to that page when you open the bank’s actual URL. And steal your passwords from there.
b) ditto for your Gmail and Facebook accounts
c) and for your corporate intranet portal and email server
and
so on and so forth …
Figure 1: That’s how a Hacked Gmail looks like. after a successful DNS Poisoning and phishing attack in a corporate network. notice the email id and password below ?
Oh hell. That’s trivial. Isn’t it ( Of course I am playing sarcastic here )
Ok. Now the funny bit. Setting up an alerting system against ARP poisonings takes a simple open source and free tool and a Linux machine ( no need to be a dedicated server. it hardly takes any resource ). Hell yes ! I had written about this tool probably few dozen times. Probably first time, exactly a decade ago. The tool is called arpwatch. But you use it ? probably No! Now that’s the funny part ( yes I am playing sarcastic again ).
SysAdmin – Can go Rogue someday
Now, who says policies are always supposed to be best for your interest. No it mostly isn’t. it’s supposed to be for the Companies interest. But it actually turns out to be for the interest of the rogue SysAdmin. Now the rogue behavior could be just for fun, for corporate espionage or just to take out his grudge on you for whatever reason. Could just be, s/he don’t like your face.
But, what all he can do ? ok let’s see some scenarios.
1. How many times you have given your laptop and its password to him/her. To fix something ? hope you remember you save your Facebook passwords in the browser. And the browser does it in plane text.
2. How many times you have shared your pen drive to him ( or for that matter to any of your colleagues ) which had your honeymoon pics. But of course you formatted the disk. Right ? Oh well, you remember going to him, to get your crashed hard disk recovered last winter ? and he miraculously restored it ? yes, because he can 😛
3. how many times, you didn’t gave him a good Peer/Boss review ratting and sent a secretive mail to the HR mentioning the reasons ? Well he manages your inboxes ( and the sent items ) 😉
So, you know the possibilities. Right ?
So, trust me ! Go out. Buy a laptop of your own, If you don’t have one already. Get an internet connection. Even a 3G modem will do. They are actually more difficult to hack-in than a regular DSL line with Wi-Fi. Preferably install Linux on that laptop. And keep it for your banking and social media use !!
Sleep Tight !
Anindya Roy 
Leave a Reply