LONDON, UK: A recent report titled “Can you trust your vendor?” published by Ovum, the global advisory and consulting firm, found out that undocumented privileged administrator accounts have been discovered in new network routers belonging to two telecoms service providers.
This raises serious concern about the motives of the people or organisations who created them. These ‘back doors’ could be used for both active and passive attacks on the networks. They call into question the reliability of the vendor and its products.
“This is not the first time that we have seen attempts to hack into enterprise and carrier networks by infiltrating network routers”, says Graham Titterington information security principal analyst at Ovum.
“At the time of the Athens Olympic Games, rogue software in four mobile switching centres illegally intercepted calls by Greek politicians, including the Prime Minister, for a year. After the discovery of the software, both the network operator and the equipment vendor were fined several million euros. More recently, the US government detected an attack on IT systems in the Pentagon in 2007 in which 1,500 computers were found to have been compromised.”
These attacks can have serious consequences for enterprises, but when they attack carrier networks, they also have implications for national security. They threaten the commercial health of the communications service provider and its major customers. “The risk is much greater in this age of IP-based communications than it was with traditional telecommunications networks because network control and payload are not segregated”, explains Titterington.
“There must be a relationship of trust between vendors and their customers, ideally based on a culture of partnership. Customers, in both the service provider and enterprise communities, need to place trust at the top of their criteria when selecting suppliers”, Titterington suggests.
Ovum’s report highlights that enterprises and carriers alike are dependent on the integrity of their suppliers and the trust relationship is crucial to both parties. “Vendors who fail to establish their integrity should be struck off supplier short lists.”
Enhanced network audit procedures would uncover this spook account type of exploit, but a vendor hacker could turn to embedding the spyware in the code of the product, making it much more difficult to detect.
Insofar as this threat impacts on critical national infrastructure and national security we can expect governments to take an increasing interest in this issue. However any response will be fragmented due to the limits of jurisdiction of any government.
“The United States is likely to lead the way in government oversight. President Obama’s recent announcement on cyber security shows that the current administration is giving a much higher priority to the problem than previous administrations,” Titterington concludes.