In the pursuit of efficiency; in other words, to avoid being drowned in the flood of obligations to perform our due diligence. When we look at IoT (the Internet of Things), the number of devices easily outgrows normal means of management. Very large numbers of IoT devices can be installed anywhere, including places that are hard to reach to perform a direct repair or update. So remote administration that is easy and automated is not just nice to have; it is an absolute necessity. Systems and services to manage and perform admin/update/patch on thousands, or tens of thousands, of devices can be a huge overhead; the scale of IoT installations is, by their raw numbers, unprecedented and overwhelming. So what is a conscientious system admin to do?

Some easy-to-use tools and paid services have popped up recently supporting the Raspberry Pi and its related operating systems. Raspbian is a variant of Debian, on which Ubuntu is based, so these remote admin tools work on all of those platforms. Using a tool like dataplicity is trivially easy and takes little time. You can have one managed device for free. It's as simple as:

1) Go to their website and enter your email, which generates a confirmation message and a password creation page.
2) Copy and run a one-line script that invokes an install process running on Python; at the end of that a URL is provided, but you don't even need to copy or remember it.
3) Go to the dataplicity website, log in, and click on your device; inside your web browser is a terminal logged into your Raspberry Pi / Debian / Ubuntu system. su to your local account and then you can do all admin functions from a command line.

That's it! You have just bypassed all the firewalls protecting your system, and anyone on the internet with the account and password has a command line on your internal system, from any browser you (or they) choose to use.
This, if you have not already figured it out, is the reason you must not do this on your work computer without appropriate authorization and approval from the IT and Security teams. Most entertaining is that I have not found any mention that doing this on your work computer (most likely) is a violation of your company's security policy, since you're exposing an internal system to the public internet and to anyone who has the account name and password; anyone, including hackers and attackers who might have compromised the service provider.

Good news: it's easy to enable 2-factor authentication; use a phone number to receive a text message with a code to log in to your device (or use Authy). Bad news: you can host a website from your Pi/Debian/Ubuntu system easily: https://docs.dataplicity.com/docs/host-a-website-from-your-pi . Down in the fine print, under "Security considerations": "When you switch on Wormhole you are placing the web service hosted on your Pi directly on the wider internet. That's actually the point, but what it means is that you need to take special care in what you put online."

While it is not (yet) part of the product feature set, it would be easy to add the ability to access VNC or RDP not just on the Pi/Debian/Ubuntu system, but on any machine in the same subnet as the Pi. If you're curious about how this is a trivial use of the existing capabilities, drop me a note and we can chat, or even run a demo. Dataplicity and resin.io provide similar remote access that can be configured to run WITHOUT static IP addresses, without port forwarding inbound from a remote location, and without firewall exceptions. Beautiful, and it should scare all security and IT professionals charged with protecting networks and systems.

What should you do instead? For free (I mean no monthly fees), you can install tor on these platforms (sudo apt install tor) and configure the device to be a hidden service on Tor (the dark web).
Your 56-character .onion address is not known to anyone but yourself; you maintain full control of the connection rather than trusting a third party (and their employees, consultants, and vendors) with access to your internal system. No need for dynamic DNS, no need for a static IP, no need for firewall exceptions. Compare the address space of IPv6 (2^128 = 3.4x10^38) with that of Tor v3 (36^56 = 1.4x10^87): that's 49 more zeros in magnitude. Other than in China, where the GFWC actively blocks Tor, this could be the universal remote admin that is better than dataplicity with just a bit more work. A general plan to implement it in an enterprise environment is described on the SRATOR web site. Any of these methods for bypassing the firewall should be a concern to IT and Security professionals who try to protect the private network of any company or organization, but doing it all in house with Tor can eliminate some of the risks of outsourcing.
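As an added example (not code from the original post or from the Tor project), the following script writes the torrc fragment for the hidden-service alternative described above, exposing only the device's local SSH daemon, and checks the shape of the 56-character v3 hostname that tor generates. The fragment path, the hidden-service directory and the sample address are assumptions made for this example.

```shell
#!/bin/sh
# Added example: publish ONLY local SSH as a v3 onion service for remote
# administration (no inbound port-forward, no static IP, no third party
# holding the credentials). Assumes Debian/Raspbian's "tor" package; the
# paths used below are placeholders chosen for this example.

# write_ssh_onion_torrc <torrc-fragment> <hidden-service-dir>
write_ssh_onion_torrc() {
    frag=$1
    hsdir=$2
    # tor refuses to start unless HiddenServiceDir is mode 0700 and owned by
    # the user tor runs as (debian-tor on Debian); the chown is left to the
    # operator because this example may run unprivileged.
    mkdir -p "$hsdir"
    chmod 700 "$hsdir"
    cat > "$frag" <<EOF
# Onion service for remote admin: only port 22 on loopback is reachable;
# nothing else on the device or on its subnet is exposed.
HiddenServiceDir $hsdir
HiddenServiceVersion 3
HiddenServicePort 22 127.0.0.1:22
EOF
}

# After "systemctl restart tor", tor writes the address to <hsdir>/hostname.
# A v3 address is 56 base32 characters [a-z2-7]; the last one is always "d"
# because it encodes the version byte 3, so a typo or an old-style address
# is rejected here.
is_v3_onion() {
    printf '%s' "$1" | grep -Eq '^[a-z2-7]{55}d\.onion$'
}

# Constructed sample of the right shape (not a real service):
SAMPLE_ONION=abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwd.onion

main() {
    dir=$(mktemp -d)
    write_ssh_onion_torrc "$dir/torrc-ssh-onion" "$dir/ssh_onion"
    cat "$dir/torrc-ssh-onion"
    # From the admin workstation, reach the device through its local tor
    # client, e.g.:  torsocks ssh pi@$(cat <hsdir>/hostname)
    if is_v3_onion "$SAMPLE_ONION"; then echo "hostname format ok"; fi
}
main
```

On a real device, append the generated fragment to /etc/tor/torrc (or include it from there) and restart tor; the address in <hsdir>/hostname is the only thing the admin workstation needs.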
Cisco bought Umbrella a few years ago. Umbrella.com now forwards to https://umbrella.cisco.com/ and the free services seem to be migrating to paid ones, but there are a number of resources that appear to be "no charge". The page for this live demo, https://info.umbrella.com/cisco-umbrella-live-demo.html , talks about "Users today work from anywhere — and they’ll often bypass the VPN to get work done. Sound familiar? Get the boost you need to secure your apps, data, and users whenever they’re on the move." Circumventing the VPN is a fundamental violation of conventional security policy, if that is not already obvious. Other free information includes "What attacks aren't you seeing" at https://learn-umbrella.cisco.com/ebooks/what-attacks-arent-you-seeing ; if you see some ideas that are useful, great. As noted elsewhere, mention of a product does not constitute endorsement.
Author: Djilpmh Pi has been tracking the spread of Shadow IT for some time. This collection lists some of the most egregious examples. He

January 2020