Do you recall One ISP’s 600,000 Dead Routers? The article makes no final conclusion but I offered an assessment - it’ll prove to be a disgruntled insider. Key takeaway: consumer routers never get OS updates and thusly are utter shite.
This was the news of the day when I drafted this piece in mid-June.
China state hackers infected 20,000 Fortinet VPNs, Dutch spy service says
Hackers working for the Chinese government gained access to more than 20,000 VPN appliances sold by Fortinet using a critical vulnerability that the company failed to disclose for two weeks after fixing it, Netherlands government officials said.
And this is the scary part - the solution is to simply throw away your Fortinet gear.
The Netherlands officials first reported in February that Chinese state hackers had exploited CVE-2022-42475 to install an advanced and stealthy backdoor tracked as CoatHanger on Fortigate appliances inside the Dutch Ministry of Defense. Once installed, the never-before-seen malware, specifically designed for the underlying FortiOS operating system, was able to permanently reside on devices even when rebooted or receiving a firmware update. CoatHanger could also escape traditional detection measures, the officials warned.
Hardening:
Let’s review how to harden a publicly facing service:
Nobody gets into Disinfodrome without me logging into Cloudflare using 2FA and manually adding their email.
Disinfodrome systems only talk https to Cloudflare IPs, so no circumvention of Cloudflare even if the server IP were to be discovered.
Management of the system depends on 1) a static route to 2) an IP in /etc/hosts.allow for which 3) there is also a firewall permit rule.
Management IS likely to move because Tailscale Changes Everything, but that won’t happen overnight.
Routes:
The configuration of systems via DHCP is a nicety; you can do static configurations.
ARP is a dynamic protocol for ease of use; if you’re truly paranoid you can disable it and make the ARP entries static as well.
Having one route to the whole internet is just a convention; there’s no operational requirement for it, so only provide static routes to what you need.
When systems with public IP addresses limited in this fashion do need generalized internet access that you do not want to micromanage, there’s no reason you can’t use an internal network for the default route, with the gateway behind some sort of VPS that provides NAT. That VPS could be running a VPN as well.
English translation: if you don’t need to expose a port, then don’t. If you don’t need a specific IP prefix to see your stuff, don’t have a route to it.
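A way to audit the three dependencies listed above for management access (a route, a /etc/hosts.allow entry and a firewall permit rule) together with the no-default-route rule, as an added example that is not code from the post: it runs over constructed sample outputs of `ip -4 route show`, /etc/hosts.allow and `nft list ruleset`, and the addresses, the sshd service and port 22 are assumptions.

```python
import ipaddress
import re

# Constructed sample outputs (documentation address ranges, not from the post).
ROUTES = """\
192.0.2.0/24 via 198.51.100.1 dev eth0
203.0.113.0/24 via 198.51.100.1 dev eth0
198.51.100.0/24 dev eth0 proto kernel scope link src 198.51.100.10
"""
HOSTS_ALLOW = "sshd: 192.0.2.10\n"
NFT_RULESET = """\
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ip saddr 192.0.2.10 tcp dport 22 accept
    }
}
"""

def parse_routes(text):
    """Destination networks from `ip -4 route show`; 'default' is 0.0.0.0/0."""
    nets = []
    for line in text.splitlines():
        dst = line.split()[0]
        nets.append(ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst, strict=False))
    return nets

def has_default_route(text):
    return any(n.prefixlen == 0 for n in parse_routes(text))

def route_covers(text, host):
    """True if a specific (non-default) route reaches the given host."""
    addr = ipaddress.ip_address(host)
    return any(addr in n and n.prefixlen > 0 for n in parse_routes(text))

def hosts_allow_permits(text, service, host):
    """Exact-match check only; hosts.allow wildcards and netmasks are not expanded."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        if service in [d.strip() for d in daemons.split(",")]:
            if host in [c.strip() for c in clients.split(",")]:
                return True
    return False

def nft_permits(text, host, port):
    """Looks for an explicit accept rule for this source and TCP port in the nft dump."""
    return re.search(rf"ip saddr {re.escape(host)} tcp dport {port} accept", text) is not None

def management_access_ok(mgmt_ip, routes=ROUTES, allow=HOSTS_ALLOW, nft=NFT_RULESET):
    """All locks must hold: route, hosts.allow, firewall permit, and no default route."""
    return {"route": route_covers(routes, mgmt_ip),
            "hosts_allow": hosts_allow_permits(allow, "sshd", mgmt_ip),
            "firewall": nft_permits(nft, mgmt_ip, 22),
            "no_default_route": not has_default_route(routes)}
```

Any False value in the result is a lock that is missing; a True `no_default_route` confirms the box only knows the prefixes you gave it.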
Tailscale Implications:
As I recently noted, Tailscale Changes Everything. I could just use the service as is - it does kinda just WORK without a lot of fiddling, but I want to understand the nuances of it. The ability to orchestrate WireGuard is really great, but what happens when a bad actor compromises a node on the network? Even worse, what happens when the compromise leads to some sort of legal discovery effort?
Someone pointed out headscale to me earlier this week and this is intriguing. I think it might make sense to pair this system with an overall internet exit, so that we’re running our own DERP node. But every step down that path is a step away from the smooth orchestration that Tailscale provides.
So watch this space …
Conclusion:
If you do not have two layers of defense you should assume that you have no defense.
Consumer gear is de facto compromised junk. And it seems enterprise gear is little better.
If you aren’t maintaining it, someone else might take it upon themselves to do that work for you.
If you aren’t auditing it, your volunteer maintainer certainly is.
Untested disaster recovery plans are just disaster recovery theories.
As a long-term norm I think I spend about one day out of every week working out how to do things safely, auditing my theories, and staging real-world tests. This seems like minimal operating discipline if one is going to tweak nation-state security; PressTV was not the first victim, they’re just the first to get turned into a headline.
What steps have YOU taken today to harden your environment?