What do you do with a hacker who’s already in jail?

Apparently, some prisoner(s) in New Hampshire compromised the prison network.

By plugging in a network cable.

It’s still unclear if any sensitive data was obtained, but the fact that an access point was established is a serious matter.

There are so many ways this could have been stopped.

In the first place, the network switches should disallow rogue devices. Plugging in an unexpected device should at least fail to work, if not send an immediate alert to the systems administrators. They would find out which port had the access attempt, and be able to find exactly where the inmates were attempting to connect.

Now if you didn’t stop the improper connection at the switch, you could have controls in your DHCP server that wouldn’t provide an IP address on the network, and/or firewall rules to restrict access to known machines, and/or an IPS (intrusion prevention system) on the network.

If you managed to let the connection through anyway, you can run network baseline checks to catch something like this. I’ve previously talked about baselining in regards to an operating system’s profile, but the same principle applies to networks as well.
I’ve even got some sample commands (replace the loopback IP with the network range you want to test.¬† 192.168.1.1-254 for example).

nmap -sV -T4 -O -F --version-light 127.0.0.1 -oX C:\test.xml
ndiff --text C:\baseline.xml C:\test.xml > C:\results.txt

This example uses Nmap to compare the current network state to an established baseline (created the same way as the first line, just a different filename). Nmap has a ton of features for examining networks, including Ndiff which compares two Nmap scans. This is highly useful, since in addition to being able to detect rogue devices, you can also detect when the systems that are supposed to be on the network change in some way. Perhaps a security patch that was applied, or a new piece of software opened up a new port. Or more insidiously, an insider threat has set up a personal backdoor.
The two commands above can be set up as a scheduled task in a windows environment, or as a cron job in *nix or OS X. I like to follow it with another job that emails the result file to me.

About these ads

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s