Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
7/10/2019
09:00 AM
50%
50%

10 Ways to Keep a Rogue RasPi From Wrecking Your Network

A Raspberry Pi attached to the network at NASA JPL became the doorway for a massive intrusion and subsequent data loss. Here's how to keep the same thing from happening to your network.
Previous
1 of 11
Next

Since 2011, engineers, students, and hobbyists have been using a small Linux server called the Raspberry Pi (or RasPi, for short). Many of these servers, roughly the size of a deck of playing cards, are in workshops and classrooms, but their capabilities have made them popular with corporate engineers and scientists looking to solve specific problems on a small budget.

But with that popularity has come the inevitability of RasPis being attached to corporate networks, with results that can be, well, problematic. For example, a report issued last month by NASA's Inspector General on security at its Jet Propulsion Laboratory (JPL) cites a serious intrusion into the network — one that began in a vulnerable RasPi attached to the network without the approval or knowledge of the IT team.

There are now a dozen different RasPi versions, including the new Raspberry Pi 4, which includes models with up to 4 gigabytes of RAM and a powerful ARM processor. Even with the new specifications, RasPis start at $5 and top out at $55 per system.

If history is any indication, more individuals will decide they can solve problems without bothering with enterprise requisitions or approvals. So how can an enterprise security team protect the corporate network from these "rogue" RasPis? 

We've collected 10 possibilities to get you started, five aimed at applying protection to the network and five aimed at making the RasPi itself less vulnerable to intrusion. Implementing any one will make your network safer. Implementing all should go a long way toward ensuring that RasPis are good, safe, citizens on your enterprise network.

(Image: goodcatfelix VIA Adobe Stock)

 

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Previous
1 of 11
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ereardon
50%
50%
ereardon,
User Rank: Apprentice
7/26/2019 | 8:14:47 PM
Re: Pretty much done with darkreading
I really do enjoy the information provided here, it's good information. DarkReading does need to fund themselves and if using a slide show format to help keep themselves operational is how they succeed good for them... they keep on providing good content... I'll click through the slideshow and support them.

 
tdsan
100%
0%
tdsan,
User Rank: Ninja
7/26/2019 | 7:48:58 PM
Re: Pretty much done with darkreading
eternjohnson,

All I can say is wow to the comment you made below, these people are writing and devoting their time to material that could be used to address significant cybersecurity problems. For someone to call this site "clickbait", that just goes beyond disrespectful. If you don't like the articles and the way they are laid out, then just remove yourself from the list, but don't disrespect people like that on a security blog, this for all people.

It is amazing, people express themselves in such a way that is belittling and disparaging on a public site and they hide behind the veil of the internet, but when you walk up to them on the street, then it is a different story.

T

 

 
peternjohnson
50%
50%
peternjohnson,
User Rank: Strategist
7/26/2019 | 2:06:57 PM
Pretty much done with darkreading
Always appears that it is going to be a good article that I can read, but I never find out because it's a slideshow. No thank you. dark reading used to be a good source of relevant information.

Maybe you should put your slideshows on facebook with the rest of the clickbait.

 
JamesS94103
100%
0%
JamesS94103,
User Rank: Apprentice
7/26/2019 | 12:50:20 PM
Likely a good article ..... BUT
I'm not interested in a revinew generating slide show.  DNR
websitejk
100%
0%
websitejk,
User Rank: Strategist
7/16/2019 | 4:12:55 PM
Re: Pi not RasPi
Concur
websitejk
100%
0%
websitejk,
User Rank: Strategist
7/16/2019 | 4:04:10 PM
Re: Pi not RasPi
Concur 💯
tdsan
50%
50%
tdsan,
User Rank: Ninja
7/14/2019 | 7:40:28 AM
Re: Network Segmentation
To BradlyRoss,

They had Network Segmentation in place, that was not the problem (review the link and the satellite layout). Their labs, production, admin, mgmt aspect of the network was in place; the problem was that they got lax and the tools the had in place reported on its existence, no one from the security team, admin or development team identified this system as being a problem especially when you have applications that are associated with internal systems (i.e. hardware - NMS, SIEM, IPS, etc).

Remember, this device was in place for 10 months on a production network (did not matter if the network was segmented, they had time to run Wireshark or tcpdump, with all of the Ph.ds and engineering staff; they could not find this device listed as a blimp on the "network radar". You have to ask yourself, NASA has numerous layers of security, why was this ignored, it took an audit team to go through the network to find this device. That is why NSA needs a NAC (Network Access Control) device along with mac address and port filtering configured on the network.



Satellite, GSS and Network Architecture

Todd
BradleyRoss
50%
50%
BradleyRoss,
User Rank: Moderator
7/13/2019 | 2:15:06 PM
Network Segmentation
I think that the only reasonable approach is to divide your network into multiple subnets with firewalls between them.  One should be the production subnet with strict physical controls over what can be attached and rules for configuration.  Another should be a development area where it is difficult to control what is attached or the software configuration.  Another network would be used for administration of the system, and still another would be used for normal users.  You may be able to have firewall rules enforce connections based on IP addresses and port numbers, but antivirus software can't be counted on to stop malicious software and access.
tdsan
50%
50%
tdsan,
User Rank: Ninja
7/12/2019 | 5:48:53 PM
Raspberry PI Concerns
It's not important to use a particular firewall or defensive mechanism. It is important to think about defense and use some method (or, ideally, [the] combination of methods) to protect the RasPi and the network on which it sits from criminal exploit and intrusion.

I am not so sure I agree with the ending comment made by the presenter, secuirty controls are put in place at various layers but it is knowledgebase, human interaction and device set to limit the organizations area of penetration (attack vector). However, I do think the best way of addressing this issue would be to setup a NAC (Network Access Control) system that limits what can run on the existing network. This should have been one of the first options along with:
  • Port Management/Access
  • MAC Address Control

These two methods disable the port (Port Mgmt) and MAC address policies so as not to allow unauthorized devices on the network.

Also, they should have had an NMS (Network Management System) in place to identify the systems on the network by their MAC addresses. I think this was more about incompetence and lack of attention to detail than anything else (the human factor is what we need to be focusing on). The NASA hack went on for about 10 months.

T

 
schopj
100%
0%
schopj,
User Rank: Strategist
7/12/2019 | 4:52:22 PM
Pi not RasPi
RasPi might look good on paper, but say it out loud.  Ive never heard anyone call a Pi a RasPi.  Its just a Raspberry Pi, or a Pi.  Pi 1, Pi2, etc.  

 
AI Is Everywhere, but Don't Ignore the Basics
Howie Xu, Vice President of AI and Machine Learning at Zscaler,  9/10/2019
Fed Kaspersky Ban Made Permanent by New Rules
Dark Reading Staff 9/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16317
PUBLISHED: 2019-09-14
In Pimcore before 5.7.1, an attacker with limited privileges can trigger execution of a .phar file via a phar:// URL in a filename parameter, because PHAR uploads are not blocked and are reachable within the phar://../../../../../../../../var/www/html/web/var/assets/ directory, a different vulnerabi...
CVE-2019-16318
PUBLISHED: 2019-09-14
In Pimcore before 5.7.1, an attacker with limited privileges can bypass file-extension restrictions via a 256-character filename, as demonstrated by the failure of automatic renaming of .php to .php.txt for long filenames, a different vulnerability than CVE-2019-10867 and CVE-2019-16317.
CVE-2019-16307
PUBLISHED: 2019-09-14
A Reflected Cross-Site Scripting (XSS) vulnerability in the webEx module in webExMeetingLogin.jsp and deleteWebExMeetingCheck.jsp in Fuji Xerox DocuShare through 7.0.0.C1.609 allows remote attackers to inject arbitrary web script or HTML via the handle parameter (webExMeetingLogin.jsp) and meetingKe...
CVE-2019-16294
PUBLISHED: 2019-09-14
SciLexer.dll in Scintilla in Notepad++ (x64) before 7.7 allows remote code execution or denial of service via Unicode characters in a crafted .ml file.
CVE-2019-16309
PUBLISHED: 2019-09-14
FlameCMS 3.3.5 has SQL injection in account/login.php via accountName.