Cyber Attack Using Rack PDUs as a Backdoor to Server Data

Greetings and welcome back! This month we look at something that we have been predicting for some time: a Cyber Attack Using Rack PDUs as a Backdoor to Server Data. There was an excellent article on this in Identity Week last month, which discusses an attack on the DDoS protection firm Staminus. In this attack, the intruders managed to do all of the following:

  • Brought down Staminus’ entire network
  • Reset routers to factory settings
  • Stole Staminus’ databases and dumped the contents online

The attackers were brazen, to say the least, as they actually described how they hacked Staminus in an online post. The two key factors they mentioned in their attack were:

  • Use one root password for all the boxes
  • Expose PDUs to WAN with telnet authority

The first mistake is all-too-common for any type of equipment. If you use the same password for everything, a hacker only needs to break it once and they are in. The second problem is the specific reason that we built RackGuardian. Here, they used an open Telnet port on the rack PDUs to gain backdoor access to the servers in the rack. I will add that, whether a hacker uses Telnet, FTP or SNMP, each of these ports is normally open on a rack PDU and each has minimal security.

So what can you do once you gain access to a rack PDU? Plenty! You can immediately traverse to the servers in the rack if they are on the same subnet. If they are on a different subnet, you will first need to go to the switch and then back again. In this case, it’s not clear which they did, as they also had the open passwords on the switches and routers.

The long and short of it is that a rack PDU makes perfect camouflage, a sniper nest from which to extract data from a server without easily being observed. After all, who expects data to be coming from a rack PDU?

The moral of the story is clear: You MUST secure your rack PDUs, and RackGuardian is the only product that is specifically built with this purpose in mind. A cyber attack using rack PDUs is a real threat to every organization. RackGuardian does all the things that you need to protect your rack systems from harm. It plugs into the Ethernet ports of your rack PDU, UPS and other systems and provides full monitoring of the power and environment in your rack, while it secures all of your rack power and environmental systems from being used as hacker targets.

Think about this, and we would be more than happy to have a confidential conversation about how to protect your rack systems.

Until next time,

Be Well!

Security Compliance for Data Racks

Welcome back! This week’s blog is: Security Compliance for Data Racks. To begin with, whether you remotely host your servers offsite or you have your own data center(s), you need to have the ability to remotely manage the systems in your racks. These systems include the following groups of items:

  • Processing and Storage
  • Networking
  • Power, Environment and Security

All of these systems need to be managed remotely at some point. Whether your racks are located in a data center, IDF room, MDF room or telecom closet, if a server goes down at night, you’re going to need to reboot it. The most common way to reboot a server in a remote rack is by power cycling an individual outlet on a rack PDU or rack UPS. In some cases, you may use a specialty device that is specifically devoted to the reboot function.

Each of these systems (PDU, UPS and reboot bar) is typically managed by SNMP from a central console system. Sadly, as this peer-reviewed paper from Georgia Tech shows, even the latest version of SNMP – SNMPv3 – can now be easily compromised. For those who are taken aback by this, please realize that SNMPv3 is a protocol that is now 15 years old. If I asked you to use a 15-year-old piece of software to secure your database, would you trust it? Of course not, and so it should not be a surprise that SNMPv3 cannot be trusted as a secure protocol.

The question then becomes: What can SNMP exploits do to my data? The answer comes from a quick review of the three types of systems shown above that are typically in a data rack: processing and storage, networking, and power/environmental/security. The first two typically expose ports 80 and 443 and are normally guarded by the perimeter firewall. But many servers, storage systems and networking gear such as switches are also managed via SNMP. Because SNMP devices communicate in a very friendly manner toward one another, this makes it easy for a hacker who has gained access to the SNMP port of a PDU, UPS or other support system to jump to a data system such as a server and steal data.

While that is a very bad scenario, it’s not the only problem. Table 1 from the linked Georgia Tech paper shows that many different attacks can be launched by gaining access to one of these devices. The simple fact is, it’s easy to enter SNMP-enabled systems and power cycle servers over and over, destroying databases. As the table also shows, it’s also possible to launch Denial of Service (DoS) attacks through several of these systems, effectively shutting down that network segment and access to its data.
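As an added illustration (not code from this blog or from the RackGuardian product): the two abuses this paragraph describes, an outlet being power cycled over and over and outlet commands arriving from a host that is not the management console, both leave a trace in the outlet state-change events that a trap receiver or syslog collector records. The Python below parses a constructed set of such lines (the log format, device names, addresses and thresholds are all assumptions) and raises one alert per misbehaving outlet or unexpected source.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style a trap receiver or syslog collector might
# record outlet state changes; they are not output from any real PDU.
SAMPLE_LOG = """\
2016-03-10 02:14:01 pdu-rack07 outlet=5 state=OFF source=10.20.0.9
2016-03-10 02:14:04 pdu-rack07 outlet=5 state=ON source=10.20.0.9
2016-03-10 02:14:10 pdu-rack07 outlet=5 state=OFF source=10.20.0.9
2016-03-10 02:14:13 pdu-rack07 outlet=5 state=ON source=10.20.0.9
2016-03-10 02:14:20 pdu-rack07 outlet=5 state=OFF source=10.20.0.9
2016-03-10 02:14:23 pdu-rack07 outlet=5 state=ON source=10.20.0.9
2016-03-10 03:00:00 pdu-rack02 outlet=1 state=OFF source=10.0.5.1
2016-03-10 03:00:45 pdu-rack02 outlet=1 state=ON source=10.0.5.1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<pdu>\S+) "
    r"outlet=(?P<outlet>\d+) state=(?P<state>ON|OFF) source=(?P<source>\S+)$"
)


def parse_events(text):
    """Turn log lines into dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "pdu": m.group("pdu"),
            "outlet": int(m.group("outlet")),
            "state": m.group("state"),
            "source": m.group("source"),
        })
    return events


def find_outlet_abuse(events, allowed_sources, max_changes=4, window=timedelta(minutes=5)):
    """Return alerts for (a) state changes requested by a host that is not an approved
    management console and (b) an outlet toggled more than max_changes times inside a
    sliding window. Each (pdu, outlet) or (pdu, source) pair is reported only once."""
    alerts = []
    flagged = set()
    history = defaultdict(list)          # (pdu, outlet) -> timestamps inside the window
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["source"] not in allowed_sources:
            key = ("unexpected-source", e["pdu"], e["source"])
            if key not in flagged:
                flagged.add(key)
                alerts.append(key)
        hist = history[(e["pdu"], e["outlet"])]
        hist.append(e["ts"])
        while hist and e["ts"] - hist[0] > window:   # drop timestamps that fell out of the window
            hist.pop(0)
        if len(hist) > max_changes:
            key = ("flapping", e["pdu"], e["outlet"])
            if key not in flagged:
                flagged.add(key)
                alerts.append(key)
    return alerts


if __name__ == "__main__":
    # Assumed policy: 10.0.5.1 is the only console allowed to switch outlets.
    for alert in find_outlet_abuse(parse_events(SAMPLE_LOG), allowed_sources={"10.0.5.1"}):
        print(alert)
```

On the constructed log the outlet on pdu-rack07 is toggled six times in under a minute from a host that is not the console, so two alerts fire; the single, slow reboot on pdu-rack02 from the console produces none. The thresholds are a starting point; a deliberate reboot rarely needs more than one OFF/ON pair in five minutes.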


SNMPv3 Vulnerabilities

The information presented in this week’s blog makes it clear that, if you are concerned about security audit compliance for your data racks, you need to protect your rack infrastructure. AlphaGuardian’s RackGuardian system is the only system on the market that is uniquely focused on protecting your data by protecting the security of your infrastructure. Power systems such as rack PDUs and UPSs, cooling systems such as in-rack cooling, and security systems such as rack-mount environmental and security monitoring units all support and rely on SNMP. RackGuardian protects all of these devices while it securely monitors them as well. All information from RackGuardian is then transmitted via an encrypted, push communication to a certificate-based data server. The result is that you get all the information you need for remote rack management while keeping all of your systems – and your data – completely safe.

Please think about this for a bit and let us know how we can help you.

Until next time,

Be Well!

Cyber Attacks on Server Rack Systems

We continue our series about how cyber criminals look at your rack systems. This week, we have part 1 of: Cyber Attacks on Server Rack Systems.  To begin with, please realize that cyber criminals always have their eyes on the prize of your data. If they can find key pieces of data, they can sell that data or use that information for their own purposes.

The data that cyber criminals seek includes:

  • Personally Identifiable Information – PII. This data includes names, addresses, social security numbers, credit card numbers, etc. 
  • Corporate Financial Information – FCI. This data includes compiled but unreleased financial data from a company.
  • Intellectual Property – IP. Intellectual property is a much, much larger field than many realize. 

At the end of the day, the vast majority of the data that you own resides in servers and storage systems inside data and telecom racks. Once we realize this, we understand why the rack systems are the prize for the cyber criminal. With that fact established, we must then ask: What can we do to thwart cyber crime? The answer is that, in order to stop a criminal, we must think like a criminal and get inside the mind of how he, she or they operate – I mention “they” because a large amount of cyber activity is generated by nation states who have no qualms about stealing what belongs to others to benefit themselves.

In trying to think like a cyber criminal – a cyber thief really – let’s think about a thief who would break into your home. Chances are 90%+ that the thief will not enter through the front door – which is most often locked and secured – but through a back door or window. That’s no different from a cyber thief. They look for a backdoor to your servers and storage systems. OK, what devices are there in a data rack that could be used as a back door into your servers and storage systems?

If you consider that the servers and storage systems themselves are the front doors, they normally have good security protection for their standard entrance ports. But, most of these devices are remotely monitored for their performance and health. The most common management protocol is SNMP. So, if we can find devices other than servers and storage systems that support SNMP, we have found our suspects for a back door.

There is a short list of devices in your server racks that can be used as a backdoor to your servers and storage systems.  These include:

  • Rack PDUs
  • Rack Reboot Devices
  • Rack UPSs
  • Rack Environmental Monitoring Devices

These devices universally employ SNMP and, even if you have SNMP turned off, a good cyber criminal can gain entrance via another port and turn SNMP on in one of these systems. If you have read the previous blogs, you know that SNMP is very vulnerable; even SNMPv3 is now hackable quite easily by a good cyber criminal. Once the criminal is inside your PDU or other rack back door, it’s only a matter of pivoting within your data cabinet network to reach one of your servers or storage systems, and since most of these systems also use SNMP to communicate, if you enter one, you can enter all.

Once a cyber criminal has pivoted from your SNMP device, such as a PDU, to your server, they can gain the data that they need and send it out the back door of your rack PDU or similar system. In fact, these criminals are so good that we have even seen file systems that they put on your PDU, UPS or other device for temporary storage of the documents and data that they are stealing. After all, a document is normally very small in size, so this isn’t much of a challenge.

So, sadly, there you have how Cyber Attacks on Server Rack Systems can take place. It is all-too-easy and all-too-common. The cyber criminal targets you or your organization, finds a back door and enters, then connects to your servers and storage systems to steal documents. They do this all under the cover of your PDU, UPS or other rack power or environmental system. It is an amazing sight to watch and we have seen it countless times.
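An added example, not code from any of these posts or from RackGuardian, that serves both this description of the pivot and the earlier Staminus post’s point that nobody expects data to come from a rack PDU: a PDU, UPS or reboot device has exactly one legitimate network peer, its management console, so any flow it originates toward another host deserves an alert, and a large flow from it to the Internet is the exfiltration case. The flow-record format, device inventory, management subnet and byte threshold are assumptions, and the sample flows are constructed.

```python
import ipaddress
from collections import namedtuple

# One unidirectional flow record, as a NetFlow/IPFIX collector or a firewall log would
# summarize it. Field names and every value below are constructed for this example.
Flow = namedtuple("Flow", "src dst proto dport bytes_out")

# Assumed inventory: management addresses of the rack power/environmental gear.
RACK_INFRA = {
    "10.20.0.50": "pdu-rack07",
    "10.20.0.51": "ups-rack07",
    "10.20.0.52": "reboot-rack07",
}
# Assumed policy: the only legitimate peer of those devices is the management network.
MGMT_NET = ipaddress.ip_network("10.0.5.0/24")
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SAMPLE_FLOWS = [
    Flow("10.20.0.50", "10.0.5.1", "udp", 162, 420),             # PDU trap to the console: expected
    Flow("10.0.5.1", "10.20.0.50", "udp", 161, 90),              # console polling the PDU: expected
    Flow("10.20.0.50", "10.20.0.10", "tcp", 22, 12_000),         # PDU opening SSH to a server in its rack
    Flow("10.20.0.50", "203.0.113.7", "tcp", 443, 48_000_000),   # PDU pushing 48 MB to an Internet host
    Flow("10.20.0.10", "10.20.0.11", "tcp", 3306, 2_000_000),    # server-to-server: not judged here
]


def classify(flow, infra=RACK_INFRA, mgmt=MGMT_NET, bulk_threshold=1_000_000):
    """Return None for an expected flow, else (severity, reason).
    Only flows *sourced* by a rack infrastructure device are judged: such a device
    has no business talking to anything but its management console."""
    if flow.src not in infra:
        return None
    dst = ipaddress.ip_address(flow.dst)
    name = infra[flow.src]
    if dst in mgmt:
        return None
    if not any(dst in net for net in PRIVATE_NETS):
        return ("high", f"{name} sent {flow.bytes_out} bytes to external host {flow.dst}")
    if flow.bytes_out >= bulk_threshold:
        return ("high", f"{name} moved {flow.bytes_out} bytes to internal host {flow.dst}")
    return ("medium", f"{name} initiated {flow.proto}/{flow.dport} to {flow.dst} outside the management network")


def audit_flows(flows, **kwargs):
    """Run classify() over a batch of flow records and keep the findings, in input order."""
    findings = []
    for f in flows:
        result = classify(f, **kwargs)
        if result is not None:
            findings.append((f.src, f.dst, result[0], result[1]))
    return findings


if __name__ == "__main__":
    for src, dst, severity, reason in audit_flows(SAMPLE_FLOWS):
        print(f"[{severity}] {src} -> {dst}: {reason}")
```

The rule is deliberately blunt: rather than trying to recognise "bad" traffic from a PDU, it treats the management network as the device’s only allowed destination and reports everything else, which is what makes a PDU-sourced SSH session to a server in the same rack, or a multi-megabyte upload to an outside address, stand out in a flow feed where it would otherwise be buried.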

Next week, we take a closer look at the details of how this is actually done. Please think about these things and, until next time,

Be Well!

Denial of Service Attacks on Data Racks

Greetings. This week’s blog is about SNMP Denial of Service Attacks on Rack PDUs. Rack Power Distribution Units, or PDUs, are a standard feature in every rack and are used to distribute the power in a rack via individual power outlets. Almost all PDUs used in server and telecom racks today are intelligent, in that they use SNMP to communicate their status to a central console or trap receiver.

A Denial of Service (DoS) attack or a Distributed Denial of Service (DDoS) attack can cripple any organization. DoS attacks seek to overwhelm and flood the network with large volumes of traffic that effectively cripple the ability of your network to operate. In order to launch a DDoS attack, a cyber hacker needs several devices that speak the same protocol language, and SNMP is becoming a favorite of hackers.

In terms of sheer numbers, rack PDUs are one of the most prevalent devices in your network, trailing only servers and switches. Because of this, they offer a great opportunity for a hacker to launch a very destructive Distributed Denial of Service (DDoS) attack. The fact that so many of your rack PDUs are tucked away in remote server rooms makes them that much more vulnerable to attack.

To get to the heart of this, let’s take a quick look at DDoS and reflection/amplification. The reflection component of this attack happens when someone spoofs one of your active IP addresses as the source of SNMP queries. The hacker sends out SNMP requests to lots of devices, like rack PDUs, using your IP address as the spoofed source. That causes all of those devices to respond to your IP address with data. As the hacker adds more SNMP devices to his request list, the volume grows and can reach into the gigabytes per second. To up the ante, the bad guys can use techniques that elicit huge data responses from each SNMP query and may ultimately amplify the original request by well over 1000 times. A nice article and visual picture of this can be found here.
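As an added example (not from this post or from the material it links), here is the reflection arithmetic together with the two agent-side controls that blunt it: given request and response sizes, the amplification factor is simply bytes received by the victim per byte the attacker sent, and an SNMP agent, or the firewall in front of it, can refuse to answer any query whose source lies outside the management network and cap the number of answers per source per second. The capture, packet sizes, addresses and limits below are constructed assumptions.

```python
import ipaddress
from collections import defaultdict, namedtuple

# One UDP datagram as seen arriving at the PDU's management port. Constructed values.
Datagram = namedtuple("Datagram", "ts src dport length")

MGMT_NET = ipaddress.ip_network("10.0.5.0/24")   # assumed: only this network may poll the PDU
MAX_PER_SECOND = 10                              # assumed per-source request budget

# Constructed capture: the console polls twice, then 500 requests arrive inside one second
# carrying the spoofed source 198.51.100.9 (the reflection victim, a documentation address).
SAMPLE_REQUESTS = (
    [Datagram(0.0, "10.0.5.1", 161, 80), Datagram(5.0, "10.0.5.1", 161, 80)]
    + [Datagram(7.0 + i / 1000, "198.51.100.9", 161, 64) for i in range(500)]
)


def amplification_factor(request_bytes, response_bytes):
    """Bandwidth amplification: bytes the victim receives per byte the attacker sends."""
    return response_bytes / request_bytes


class SnmpRequestFilter:
    """Decide, per datagram, whether the agent should answer at all.
    Two checks: the claimed source must be inside the management network, and no
    source may exceed max_per_second requests within any one-second bucket."""

    def __init__(self, mgmt=MGMT_NET, max_per_second=MAX_PER_SECOND):
        self.mgmt = mgmt
        self.max_per_second = max_per_second
        self.buckets = defaultdict(int)          # (src, whole second) -> requests seen

    def should_answer(self, d):
        if d.dport != 161:
            return False
        if ipaddress.ip_address(d.src) not in self.mgmt:
            return False
        bucket = (d.src, int(d.ts))
        self.buckets[bucket] += 1
        return self.buckets[bucket] <= self.max_per_second


def reflection_report(requests, response_length, mgmt=MGMT_NET):
    """Per claimed source: requests seen, bytes an unfiltered agent would reflect to it,
    bytes actually sent once the filter is applied, and the resulting amplification."""
    filt = SnmpRequestFilter(mgmt)
    stats = defaultdict(lambda: {"requests": 0, "request_bytes": 0, "answered": 0})
    for d in sorted(requests, key=lambda d: d.ts):
        s = stats[d.src]
        s["requests"] += 1
        s["request_bytes"] += d.length
        if filt.should_answer(d):
            s["answered"] += 1
    report = {}
    for src, s in stats.items():
        unfiltered = s["requests"] * response_length
        report[src] = {
            "requests": s["requests"],
            "unfiltered_response_bytes": unfiltered,
            "filtered_response_bytes": s["answered"] * response_length,
            "amplification": amplification_factor(s["request_bytes"], unfiltered),
        }
    return report


if __name__ == "__main__":
    # 1400 bytes is an assumed response size; a bulk walk of a large table can be far larger.
    for src, row in reflection_report(SAMPLE_REQUESTS, response_length=1400).items():
        print(src, row)
```

The source check only means something if the network border already drops packets that arrive from outside claiming an inside source (ingress filtering), since a spoofed datagram can claim any address; the per-source rate limit is what bounds the damage when that fails. Neither replaces the basic step of not exposing UDP/161 to the WAN at all.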

USENIX, the Advanced Computing Systems Association, has identified SNMP as the second largest source of reflection/amplification DDoS attacks, and they list Power Distribution Units as one of the specific sources that can be easily used in such an attack. Because SNMP, even SNMPv3, is no longer secure, as can be seen in this excellent peer-reviewed article, it is clear that your PDUs provide a good source for DDoS attacks and it is important that you secure them.

We ask all readers of this blog to take a look at how many PDUs you have under management. We then ask that you consider that you can’t manage what you can’t secure. Please take a look at how RackGuardian can protect each of your critical racks. It is the only system that completely shuts out cyber intruders, while giving you all the management information on your systems that you require.

Until next time.

Be Well!

Cyber Risks of Power Reboot Devices

Welcome back! This week, we look at a very serious problem with server and telecom racks: Cyber Risks of Power Reboot Devices. To begin with, having the ability to reboot a server or telecom unit remotely is an extremely handy thing and it can save an enormous amount of time and effort. The problem is that all-too-many of these devices have little if any protection from a cyber criminal using the device against you.

Let’s look at the various devices that can be used to remotely power cycle an electrical outlet a little more closely. Here are the common types of units used for that purpose, in order of market penetration:

  • Intelligent Rack PDUs
  • Rack mounted and small UPS units
  • Remote reboot devices

Rack PDUs are Vulnerable

Intelligent rack PDUs are in high demand and use in server and telecom racks, and for good reason. Most of them can measure power usage, provide reboot capabilities and allow you to better manage your rack systems. The problem is that rack PDUs rely on SNMP as their primary form of communication. SNMP was a great protocol in its day but, the most recent version – v3 – is now 15 years old! That brings me to a simple question: Would you trust a 15-year-old piece of software or “secure protocol” to manage your critical systems? I think the answer is: NO.

SNMP Communications are Vulnerable

To make the point clearly, there was an excellent study done by a group at Georgia Tech University on the security of SNMPv3, specifically for the units listed above: PDUs, UPSs and reboot devices. The study is available here and proves beyond any doubt that rack servers and telecom units connected to these systems are highly vulnerable. Please note that the research report also shows that Distributed Denial of Service (DDoS) attacks can be launched by using these SNMP devices. SNMP devices are being increasingly used in DDoS attacks because of their prevalence and their ability to be used in an amplification scheme, as the SANS Institute points out.

It’s clear from these reports that using any version of SNMP natively presents a risk to the systems being powered by these PDUs and UPSs. In fact, it’s clear that power systems being managed over open SNMP ports are not in compliance with Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley and other data standards.

Remote Reboot Devices are Extremely Vulnerable

While PDUs and UPSs that use SNMP are clearly vulnerable, there is actually one last item that we need to examine: Remote Reboot Devices. We have examined several popular brands of Remote Power Reboot Devices and most of them allow control via simple HTTP access. Please remember that HTTP has NO ENCRYPTION and all your logins and passwords are passed over your network in clear text. Now for the kicker: because the purpose of these devices is REMOTE rebooting, you primarily use them from outside your facility.

If you log in via HTTP to a reboot box over the Internet (the most common use of a reboot box), you are passing your login and password as PLAIN TEXT for anyone in the world to see.
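To make the clear-text point concrete, an added example that is not from this post and involves no real device: the first function shows what any observer on the path learns from one captured plain-HTTP request (the request, hostname and account are constructed), because HTTP Basic authentication only base64-encodes the login and password; the second walks an assumed inventory of management URLs and flags every endpoint that is not HTTPS or that carries credentials in the URL itself.

```python
import base64
from urllib.parse import urlsplit

# Constructed capture of one request to a hypothetical reboot device, as an IDS or a
# packet capture anywhere on the path would see it. No real device or account is involved.
CAPTURED_REQUEST = (
    "GET /outlet?num=3&action=cycle HTTP/1.1\r\n"
    "Host: reboot-rack07.example.net\r\n"
    "Authorization: Basic YWRtaW46cjNib290LW1l\r\n"
    "\r\n"
)

# Constructed inventory of management URLs for rack gear (assumed names and hosts).
INVENTORY = {
    "reboot-rack07": "http://reboot-rack07.example.net/",
    "pdu-rack07": "https://pdu-rack07.example.net/",
    "ups-rack02": "https://ops:hunter2@ups-rack02.example.net/",
}


def credentials_on_the_wire(raw_request):
    """What an on-path observer learns from a plain-HTTP login: HTTP Basic merely
    base64-encodes 'user:password', so both come straight back out of the header."""
    for line in raw_request.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "authorization":
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() == "basic":
                user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
                return user, password
    return None


def audit_management_urls(inventory):
    """Flag endpoints that would send the login in the clear or embed it in the URL
    (where it ends up in shell history, browser history and proxy logs)."""
    findings = []
    for name, url in inventory.items():
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append((name, f"management over {parts.scheme}: login is sent in clear text"))
        if parts.username or parts.password:
            findings.append((name, "credentials embedded in the URL"))
    return findings


if __name__ == "__main__":
    print("recoverable from the capture:", credentials_on_the_wire(CAPTURED_REQUEST))
    for name, problem in audit_management_urls(INVENTORY):
        print(f"{name}: {problem}")
```

Running the audit over the constructed inventory flags the reboot device for plain HTTP and the UPS for a login pasted into its URL; the PDU reached over HTTPS passes. HTTPS with a certificate the client actually verifies is the minimum, and an inventory check like this is cheap to run on every change.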

I would encourage every reader of this blog to think about these facts and how secure your facility needs to be. If you are covered under any data security standard, you must place a protective system between your rack PDU, UPS or reboot device and your network. Even if you are not under a security standard, if you use a Remote Reboot Device, you are just putting your server’s life and data into the hands of anyone who wants to take the effort to sniff your traffic.

RackGuardian was built from the ground up to protect your rack assets from cyber or physical hackers. At the same time, its patented remote control features provide a FULLY ENCRYPTED reboot authorization process with 2-Factor Authentication. Please give us a call to confidentially discuss your rack security needs. We are here to help you meet your compliance standards while continuing to give you the remote management capabilities that you need.

Until Next Time,

Be Well!