Types of Insecure Systems
Ingrid

Insecure Systems are sorted into the categories below. Each category lists an explanation of the finding, the risks it carries, and examples of systems that fall into it.

Debug Firmware Detected
Explanation: Systems in this category are mobile devices that have rootkit capabilities disguised as a debug tool and are reaching out to unregistered domains. [1] [2]
Risks: Domain owners can push new firmware versions, hence controlling or hijacking the mobile device. The firmware can send out unauthorized, detailed information about the device.
Examples: Mobile Firmware

File Sharing
Explanation: Systems in this category are reaching out to abandoned torrent tracker domains for information about files to download via BitTorrent. Learn more about File Sharing trackers.
Risks: Attackers can set up false trackers and inject false information. Trackers can instruct clients to fetch files from an arbitrary list of systems, with false or dangerous content.
Examples: Expired Torrent Tracker; Gnutella Domains

Proxy Configurations
Explanation: Systems in this category are using an abandoned domain for proxy configuration. [3] [4]
Risks: Domain owners can control browser navigation when proxies are used. Expired internal domains may have other severe implications.
Examples: Misconfigured Proxy Domains

NetBIOS
Explanation: Systems in this category are reaching out to Windows NetBIOS networks via an abandoned domain. [5] [6]
Risks: Windows/NetBIOS connections represent a vulnerability because the NetBIOS protocol has known security vulnerabilities and is a common attack target. Domain owners can interact with endpoints, potentially hijacking Windows Challenge/Response (NTLM) authentication credentials.
Examples: Windows NetBIOS

Abandoned Software
Explanation: Systems in this category have applications which are either no longer maintained (the software has been “abandoned”* by its developers) or are communicating with the wrong servers; in either case, software is present that is reaching out to an unregistered domain.
Risks: The app sends detailed information regarding how the device is being used, which attackers could use to gain access to the device. Domain owners could potentially leverage app functionality to exfiltrate more information or gain a degree of control over the device.
Examples: Go Contacts Pro; Auto Words With Friends Cheats; Itiva Internet Accelerator

IPTV
Explanation: Systems in this category are smart TV systems and other media systems that are reaching out to abandoned domains*.
Risks: The endpoint** is reaching out to unused IPTV platform related services, which may allow attackers to capture endpoint data.
Examples: Abandoned IPTV platform; Abandoned live TV add-on; Abandoned media hub; Abandoned swarmcast media

Remote Management
Explanation: Systems in this category involve either software that is responsible for automatically providing updates, or network or other hardware used in business environments, that is reaching out to abandoned domains*.
Risks: Attackers can potentially interact with endpoint** devices by simulating the endpoint management solution. Endpoints cannot install security and firmware updates, since they cannot reach the intended service, and may remain vulnerable to a number of attacks.
Examples: Symantec Patch Management; McAfee Corporate Antivirus; McAfee ePolicy Orchestrator; Microsoft Server Update Services; Symantec Endpoint Protection Manager; Honeywell HVAC Controllers; My DLink Service; TR-069 Protocol; Citrix Receiver PN Agent

LDAP
Explanation: Systems in this category have Lightweight Directory Access Protocol (LDAP) services running, which are used to manage information about an organization's employees, systems, and applications in the network; these services are reaching out to abandoned domains*.
Risks: Attackers that hijack the abandoned domains may be able to interact with endpoints** and obtain sensitive information.
Examples: Expired Windows LDAP Domains

SMB
Explanation: Systems in this category are reaching out to Windows NetBIOS networks via abandoned domains*. [5] [6]
Risks: Windows/NetBIOS connections represent a vulnerability because the NetBIOS protocol has known security vulnerabilities and is a common attack target. Domain owners can interact with endpoints**, potentially hijacking Windows Challenge/Response (NTLM) authentication credentials.

* “Abandoned domains” are no longer registered to anyone. They may have been abandoned if the manufacturer/developer shut down or the domain slipped the owner's attention.
** “Endpoints” refers to desktop computers, servers, or handheld devices that have internet access.

Resources
- Bitsight Blog, “Inherent Risk: How Insecure Systems Pose a Threat to Network Security”
- Carnegie Mellon University, “Ragentek Android OTA update mechanism vulnerable to MITM attack”
- Cisco Systems, Inc., “Web Proxy Auto Discovery Protocol”
- Mozilla and individual contributors, “Proxy Auto-Configuration (PAC) file”
- The Kodi Foundation
- Bitdefender, “Kodi Media Center Vulnerability Exposes Users to Man-in-the-Middle Attacks”

July 17, 2018: Published.
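Every category above shares one symptom: a service on an endpoint keeps resolving a hostname whose domain nobody owns any more. The following Python script is an added example (it is not Bitsight's code, and the log format, the hostname patterns and the category mapping are this example's own assumptions) that shows how a defender can surface such findings from an internal resolver log before an outside rating picks them up. It parses constructed log lines of the form `<time> <client> <qname> <rcode>`, keeps only NXDOMAIN answers, and assigns a category by the shape of the queried hostname (wpad. for proxy configuration, tracker./announce. for torrent trackers, wsus./epo./update. for remote management, ota. for firmware update agents). NXDOMAIN is used as a cheap stand-in for "unregistered"; a production check would confirm the domain's registration status via WHOIS/RDAP, since a typo'd subdomain of a live domain also returns NXDOMAIN.

```python
import re
from collections import Counter

# Constructed sample resolver log (hypothetical format: "<time> <client> <qname> <rcode>").
# Repeated NXDOMAIN answers for a service hostname are the symptom described in the table.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.0.4.21 wpad.corp-old.example NXDOMAIN
2024-05-01T09:00:02Z 10.0.4.21 wpad.corp-old.example NXDOMAIN
2024-05-01T09:00:05Z 10.0.7.9 tracker.deadtracker.example NXDOMAIN
2024-05-01T09:00:07Z 10.0.9.3 wsus.vendor-gone.example NXDOMAIN
2024-05-01T09:00:08Z 10.0.9.3 wsus.vendor-gone.example SERVFAIL
2024-05-01T09:00:09Z 10.0.2.2 ota.phone-oem.example NXDOMAIN
2024-05-01T09:00:10Z 10.0.4.21 www.example.com NOERROR
2024-05-01T09:00:11Z 10.0.1.1 nosuchhost.example NXDOMAIN
"""

# Hostname prefixes that hint at which category a finding belongs to.
# These patterns are an assumption of this example, not a Bitsight classification rule.
CATEGORY_PATTERNS = [
    ("Proxy Configurations", re.compile(r"^wpad\.")),
    ("Expired Torrent Tracker", re.compile(r"^(tracker|announce)\.")),
    ("Remote Management", re.compile(r"^(wsus|epo|update|updates)\.")),
    ("Debug Firmware Detected", re.compile(r"^ota\.")),
]

LINE_RE = re.compile(r"^(?P<time>\S+) (?P<client>\S+) (?P<qname>\S+) (?P<rcode>\S+)$")


def classify(qname):
    """Map a queried hostname to a category, or None if its shape is unknown."""
    for name, pattern in CATEGORY_PATTERNS:
        if pattern.search(qname):
            return name
    return None


def parse_log(text):
    """Yield one dict per well-formed log line; silently skip malformed lines."""
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if match:
            yield match.groupdict()


def find_findings(text):
    """Return one finding per (client, qname) pair whose lookups fail for a known service hostname."""
    seen = {}
    for rec in parse_log(text):
        if rec["rcode"] != "NXDOMAIN":
            continue  # only unresolvable names are candidates for an abandoned domain
        category = classify(rec["qname"])
        if category is None:
            continue  # unknown hostname shape: no category to assign, so no finding
        key = (rec["client"], rec["qname"])
        if key not in seen:
            seen[key] = {"client": rec["client"], "qname": rec["qname"],
                         "category": category, "lookups": 0}
        seen[key]["lookups"] += 1  # repeat count shows the agent is still polling
    return sorted(seen.values(), key=lambda f: (f["category"], f["client"]))


def summarize(findings):
    """Count findings per category, the same grouping the table above uses."""
    return Counter(f["category"] for f in findings)


if __name__ == "__main__":
    results = find_findings(SAMPLE_LOG)
    for f in results:
        print(f"{f['category']:<26} {f['client']:<12} {f['qname']} ({f['lookups']} lookups)")
    print(dict(summarize(results)))
```

The SERVFAIL line is deliberately ignored: a resolver failure says nothing about registration, and counting it would inflate findings. The unknown-shape NXDOMAIN (nosuchhost.example) is also dropped, which keeps the output to cases a reviewer can act on; a wider deployment would add patterns for the LDAP, NetBIOS/SMB and IPTV categories once their hostname conventions in the environment are known.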