Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security

Over Half of Fortune 500 Exposed To Remote Access Hacking (axios.com) 29

Over a two-week period, the computer networks at more than half of the Fortune 500 left a remote access protocol dangerously exposed to the internet, something many experts warn should never happen, according to new research by the security firm Expanse and 451 research. From a report: According to Coveware, more than 60% of ransomware is installed via a Windows remote access feature called Remote Desktop Protocol (RDP). It's a protocol that's fine in secure environments but once exposed to the open internet can, at its best, allow attackers to disrupt access and, at its worst, be vulnerable to hacking itself. RDP is a way of offering virtual access to a single computer. It allows, for example, an IT staffer in one office to provide tech support for a baffled user in a different office. But RDP is best used over a secured network rather than over the open internet. "We compare exposed RDP to leaving a computer attached to your network out on your lawn," Matt Kraning, co-founder and CTO of Expanse, told Axios.
This discussion has been archived. No new comments can be posted.

Over Half of Fortune 500 Exposed To Remote Access Hacking

Comments Filter:
  • That is like almost 100, right?

  • Easy Fix (Score:4, Funny)

    by DontBeAMoran ( 4843879 ) on Thursday November 14, 2019 @02:29PM (#59414754)

    "We compare exposed RDP to leaving a computer attached to your network out on your lawn."

    Don't put your computer on the lawn. Problem solved.

  • How do they know it was RDP? Did they actually attempt to hack the connection to find out what it was, or are they just making assumptions because, we all know, making assumptions leads to wonderful clickbait headlines. Maybe they were honeypots designed to trap the unwary scriptie.

  • Did not read the article but there is exposed RDP and there is exposed RDP.

    Older versions of RDP had weak encryption etc that would make me skiddish about using outside of a VPN. However the transport is now TLS protected by default and probably as secure as any VPN.

    If you have some kind of MFA provider and you are careful to set logins for both domain and local users to require MFA, and you make sure the MFA system fails closed I don't see how RDP is worse than any other remote access solution..(well okay

    • Damn. People really think like this in 2019.

    • by Jaime2 ( 824950 )

      No

      Remember, this report is about Fortune 500 companies. At scale, you can't count on desktop-level solutions because you simply have too many desktops. Security solutions belong in the datacenter. The only proper Fortune 500 way to do this is to allow remote access via an intermediate security device that lives in the datacenter and is managed by either the network team or the security team. This is not rocket science, there's a billion of them, from vendors we already know, like Cisco, SonicWall, Barracuda

      • by DarkOx ( 621550 )

        I don't think anyone is suggesting that these companies should or are letting all desktops have RDP access. We are talking about probably a couple systems administrators can use as work platform. Tools like Group Policy will ensure login polices are in fact applied and not changed locally. We are very much talking about hosts that are managed via the network team or the security team.

        A good rule that I learned at a previous job (15 years ago, this stuff isn't new) was to never allow a packet crafted by a foreign device into the core of your network.

        I am probably as old as you are based on the magnitude of our UIDs here and "15 years" and you know what I am still going to

        • by Jaime2 ( 824950 )

          In other words I'd want a reverse proxy + waf watching HTTP messages being passed to my web server; not a TCP proxy...but maybe a layer 7 firewall could at least provide some cover or defense in depth.

          A TCP proxy would be the minimum acceptable, and only if there were no other options. That's what the policy was for, to define that minimum. Since no one could ask for a NAT, they had to start a discussion of how to handle it. That discussion would always be with a networking or security team that was in a position to ask the right questions to get the right kind of device in place. I'm sure you know how often a business team gets a consultant that thinks they know what they're doing and simply asks for a

    • Re:How bad really (Score:5, Informative)

      by EndlessNameless ( 673105 ) on Thursday November 14, 2019 @04:07PM (#59415090)

      Encryption means little when there are zero-day vulnerabilities that affect the service. The problem isn't the lack of modern crypto; the problem is exposing internal servers to the internet.

      Just this year, we have CVE-2019-1326, CVE-2019-1225, CVE-2019-1224, CVE-2019-1223, and CVE-2019-1108 for DoS or information disclosure.

      And let's not forget the remote code execution under CVE-2019-1181 and CVE-2019-1182 [microsoft.com].

      In short, if you think it's OK for a server to expose RDP/3389 to the internet then you're just wrong. You need to have your remote workers VPN into the network so you can keep RDP traffic within your network perimeter.

  • by TigerPlish ( 174064 ) on Thursday November 14, 2019 @03:23PM (#59414954)

    In Corporate America, like, real corporate america, this isn't a problem.

    But let me tell ya, from personal experience in an MSP some time ago, the clients of that MSP are spectacularly careless, ignorant, reckless.

    You explain to them, as you clean up ransomware and restore databases and file shares, that opening RDP and SQL to the Internet At Large is a really Bad Idea. You charge the a nice fat sum to clean all the damage up. They do it again.

    And again.

    And again. And once more. The last one, happened as I turned in my resignation to the owner of the MSP.

    So before cockup, before even honeypot, I just consider terminal stupidity as the cause, compounded by eternal laziness.

    • Not all IT workers understand; the BOFH is the hero of the story. All those stupid rules have Reasons.

  • I am not suprised. (Score:2, Interesting)

    by jellomizer ( 103300 )
    Fortune 500 companies have a lot of big personalities and "Big Bosses" who get there way. IT is just a cost center in the organization so if they say No don't do that it is bad, they will just get their budgets slashed more and a scolding. Giving these people things like VPN with two factor authentication is just too hard for them, and will cost them minutes of their precious boss time.
  • There is no link to the main claim which is : "Over a two-week period, the computer networks at more than half of the Fortune 500 left a remote access protocol dangerously exposed to the internet, something many experts warn should never happen, according to new research by the security firm Expanse and 451 research.". So we have no idea what that means.

    The article starts by "Exclusive:".

    The content is just a bunch of vaguely related associations from famous names (MacAfee, Sophos).

    So this is very likely

    • Exactly. All it says is that some mechanism found an 'open RDP port', with no data on their methodology. There are quite a few possibilities for why a port might appear open to a simple TCP syn or connect scan, not necessarily the same thing as as a host RDP port exposed to the Internet directly. For example, some orgs are using RDP gateways which broker incoming RDP connections and protect against this sort of attack. I knew of one that used an IKE exchange to authenticate incoming RDP, but only after the
  • Just use SSH in front of your terminal server then tunnel all traffic via port forwarding. Simples.

Don't tell me how hard you work. Tell me how much you get done. -- James J. Ling

Working...