Embed Size (px)
DESCRIPTION
Cisco Public 3 © Cisco and/or its affiliates. All rights reserved. Timeline of recent media reports…
Citation preview
GVF CyberSecurity Task Force
Rakesh BharaniaChair, GVF Security Task ForceNetwork Consulting Engineer, Cisco Tactical Operations
2015
Update on Activities and Security Implications for HTS
Agenda:
Media reports of VSATsecurity
GVF Response
GVF Product Security Baseline (PSB)
Conclusion…
Cisco Public 3© 2013-2014 Cisco and/or its affiliates. All rights reserved.
Timeline of recent media reports…
Cisco Public 4Cisco Public 4© 2013-2014 Cisco and/or its affiliates. All rights reserved.
1/9/2014: IntelCrawler report: Scan of entire IPv4 address space “found approximately 313 open UHP VSAT Terminals, 9045 open HUGHES Terminals, 1142 SatLink VSAT”, “use of default passwords, telnet”
Timeline: VSAT Security In the Media
Cisco Public 5Cisco Public 5© 2013-2014 Cisco and/or its affiliates. All rights reserved.
1/31/2014: CERT/CC Publishes Bulletin on BGANVulnerability Note VU 250358:“Firmware developed by Hughes NetworkSystems used in a number of BGAN satelliteterminals contains undocumented hardcodedlogin credentials (CWE-798) … containsinsecure proprietary protocol on TCP 1827that can be used to perform privileged operations (CWE-306)
Timeline: VSAT Security In the Media
Cisco Public 6Cisco Public 6© 2013-2014 Cisco and/or its affiliates. All rights reserved.
2/20/2014: GVF AnnouncesCybersecurity Task Force “…global initiative to address escalating cyber-security threats with the establishment of a task force that will identify best practice and provide guidance on how users and industry can optimize the application of VSATs to reinforce network integrity.”
Timeline: VSAT Security In the Media
Cisco Public 7Cisco Public 7© 2013-2014 Cisco and/or its affiliates. All rights reserved.
4/17/2014: IO Active report“A Wake up Call for SATCOM Security”Discussed vulnerabilities in Harris, Hughes,Thuraya, Cobham, JRC, Iridium productsAttacks included: backdoors, hardcoded credentials, insecure and undocumented protocols, weak password reset mechanisms.Attempted coordinated disclosure with vendors &CERT/CC, but only Iridium responded to inquiries.HUGE media uptake: industry press, BBC, Wired,Ars Technica, Christian Science Monitor, 60+ articles written
Timeline: VSAT Security In the Media
Cisco Public 8Cisco Public 8© 2013-2014 Cisco and/or its affiliates. All rights reserved.
Sometime later this year…The other shoe will drop“Specific details needed to replicate or test for the vulnerabilities discovered in this phase will not be disclosed publicly until the latter half of 2014–allowing time for the relevant fixes to be developed and deployed.”Challenge to the VSAT industry: are you paying attention?
Timeline: VSAT Security In the Media
??
Cisco Public 9© 2013-2014 Cisco and/or its affiliates. All rights reserved.
The GVF Product Security Baseline
Cisco Public 10Cisco Public 10© 2013-2014 Cisco and/or its affiliates. All rights reserved.
Voluntary specification created by the members of the task force
Representation from vendors, network operators, end-users of VSAT (FSS/MSS)
Details requirements and recommendations for all VSAT hardware and software that supports or transmits on an IPv4 or IPv6 network.
Details requirements and recommendations for all VSAT equipment and software vendors for vulnerability management, disclosure, etc.
The GVF Product Security Baseline
Cisco Public 11Cisco Public 11© 2013-2014 Cisco and/or its affiliates. All rights reserved.
Current Status: GVF PSB is in “near final” state.
Task Force members have access to the specification, and are starting implementation, since we do not know when vulnerabilities will be detailed or exploited.
Successful implementation requires a “culture of security,” may not be easy (or cheap) – but it does need to happen.
The GVF Product Security Baseline
Cisco Public 12© 2013-2014 Cisco and/or its affiliates. All rights reserved.
Wrapping up…
Cisco Public 13Cisco Public 13© 2013-2014 Cisco and/or its affiliates. All rights reserved.
Security scrutiny of the satellite industry is higher than it’s ever been.
Exploitation of systems is widely discussed, and we should assume the bad guys are paying attention too – and using that knowledge maliciously.
GVF Security Task Force – a coordination center for satellite security knowledge
Vendors and network operators should implement robust protection, abandon widely discredited practices where they still exist.
In conclusion: This isn’t going away.
Thank you.
Cisco Public 15© 2013-2014 Cisco and/or its affiliates. All rights reserved.
Backup Slides
Cisco Public 16Cisco Public 16© 2013-2014 Cisco and/or its affiliates. All rights reserved.
GAO Report, August 2002“Commercial Satellite SecurityShould Be More Fully Addressed”“Commercial satellite service providers have established operational procedures, includingsecurity techniques, some of which, according to officials, cannot be easily changed.”
Because we have been here before…
Cisco Public 17Cisco Public 17© 2013-2014 Cisco and/or its affiliates. All rights reserved.
“Satellite Hacking, a Guide for the Perplexed”(May 2013)“A root cause of many satellite vulnerabilities is anattempt to cut cost… profit driven risk assessment, particularly with commercial operators, has resulted in increasedInternet connectivity and reduced redundancy, hardening, and encryption. Increasing Internet connectivity of satellite systems increases performance and reduces the cost of operations,but it exposes satellite systems to increased riskof malicious activity.”
http://epublications.bond.edu.au/cgi/viewcontent.cgi?article=1131&context=cm
Because we have been here before…
