Tuesday, April 14, 2015

TV5 Monde: revealing the security weaknesses of our TV channels – Silicon

According to Le Monde, citing a source close to the investigation, the attackers behind the attack on TV5 Monde had reconnoitered the terrain beforehand in order to identify the most interesting targets on the channel's network. A fairly obvious observation, since the attack was carried out in several directions at once, which requires a good level of preparation. Recall that on Wednesday evening at 8 pm, TV5 Monde lost control of its Twitter and Facebook accounts, saw its website defaced and was forced to cut its broadcast after its broadcast infrastructure and its emergency backup system were hit. The cut lasted about 3 hours and broadcasting resumed with pre-recorded programs.


The 13 experts Anssi sent on site believe they are dealing with the actions of an organized group of a few dozen people, judging by the technical skills involved. Le Parisien reported that the attack was launched in January by sending booby-trapped emails to journalists at the French-language international channel.

According to the investigators' explanations, the attackers took advantage of the lack of isolation between systems on TV5 Monde's network to reach the business side (including the servers involved in broadcasting) from the office systems. In short, the attack mechanism appears fairly conventional: penetration via phishing, then lateral movement to take control of a critical system.

Dedicated servers: the puzzle

But this picture of an attack by determined and skilled adversaries should not mask the intrinsic weaknesses of TV5 Monde and, more widely, of broadcast television systems. These weaknesses are highlighted by an analysis by Pierre-Olivier Blu-Mocaer, who runs FixSing, an IT infrastructure consulting firm. It confirms the testimony Silicon.fr obtained from a broadcast specialist: infrastructure designed for production under pressure, 24 hours a day, and teams that bother little with good security practices.

The FixSing consultant notes, for example, an interview with a TV5 Monde employee explaining that at the time of the attack he was waiting for an email containing a WeTransfer link to download images from Gabon. An obviously dangerous practice if done directly on production machines.

Another disturbing sign. Via a search on TV5 Monde's IP ranges in Shodan.io (a search engine for Internet-connected devices), the expert found several systems accessible from the outside: a Google Search Appliance, a PowerShell administration interface, an SMB file server ... but, above all, an Isilon storage system. Now, EMC, the maker of these machines, said in a press release that TV5 Monde uses this infrastructure for "online storage close to broadcast". Did the attackers use this open door to work their way back to the broadcast systems? Pierre-Olivier Blu-Mocaer, who bases his analysis solely on public information, does not say, but the question needs to be asked.

Another inherent weakness of broadcast systems is the multitude of specialized servers they run. FixSing identifies several machines used by TV5 Monde: Nexio Volt, Pixel Power ChannelMaster and Volicon Observer. The problem, as confirmed by several sources working in these trades: these specialized servers are often based on standard operating systems (including Windows, sometimes in older versions) but are rarely updated, so as to avoid interruptions in production. Almost a crime, as long as these machines are not isolated in a highly secured network.
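To make the isolation problem described above concrete, here is an added example (not code from the article, from FixSing or from TV5 Monde): a small Python audit that models network zones and the flows a firewall allows between them, then reports which services are reachable straight from the Internet, whether an attacker who has landed on an office workstation can pivot into the broadcast zone, and which unpatched legacy hosts sit in zones that pivot can reach. The zones, rules, host names and operating systems are constructed assumptions, not TV5 Monde's real topology; the "weak" rule set mirrors the article's story (exposed storage admin interface, office network able to reach the broadcast chain through the storage tier), and the "hardened" one shows the segmentation that closes it.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str   # source zone
    dst: str   # destination zone
    port: int  # 0 means any port


@dataclass(frozen=True)
class Host:
    name: str
    zone: str
    services: tuple  # ((port, service_name), ...)
    os: str
    patched: bool


def allows(rule, src, dst, port):
    """True if this firewall rule permits src-zone -> dst-zone on `port`."""
    return rule.src == src and rule.dst == dst and rule.port in (0, port)


def zones_reachable_from(start, rules):
    """Zones an attacker who already controls a host in `start` can open a
    connection into, following allowed flows transitively (pivoting)."""
    seen = {start}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for r in rules:
            if r.src == zone and r.dst not in seen:
                seen.add(r.dst)
                queue.append(r.dst)
    seen.discard(start)
    return seen


def internet_exposed(hosts, rules):
    """Services an Internet source can connect to directly (the Shodan view)."""
    found = []
    for h in hosts:
        for port, svc in h.services:
            if any(allows(r, "internet", h.zone, port) for r in rules):
                found.append((h.name, port, svc))
    return found


def unpatched_reachable(hosts, rules, from_zone):
    """Unpatched hosts sitting in a zone reachable from `from_zone`."""
    reach = zones_reachable_from(from_zone, rules)
    return [h.name for h in hosts if not h.patched and h.zone in reach]


def audit(hosts, rules):
    return {
        "internet_exposed": internet_exposed(hosts, rules),
        "office_reaches_broadcast": "broadcast" in zones_reachable_from("office", rules),
        "unpatched_reachable_from_office": unpatched_reachable(hosts, rules, "office"),
        "unpatched_reachable_from_internet": unpatched_reachable(hosts, rules, "internet"),
    }


# Constructed inventory (assumed, not a real TV5 Monde host list).
HOSTS = (
    Host("ws-journalist", "office", ((445, "SMB"),), "Windows 7", True),
    Host("isilon-nas", "storage", ((8080, "Isilon admin UI"),), "OneFS", True),
    Host("playout-01", "broadcast", ((3389, "RDP"),), "Windows XP", False),
)

# Constructed "weak" policy: storage admin UI and office SMB open to the
# Internet, office pushes anything to storage, storage pushes to playout.
WEAK_RULES = (
    Rule("internet", "storage", 8080),
    Rule("internet", "office", 445),
    Rule("office", "storage", 0),
    Rule("storage", "broadcast", 445),
)

# Constructed "hardened" policy: nothing inbound from the Internet, office
# drops files on storage, and the broadcast zone *pulls* from storage, so no
# flow is ever initiated towards the broadcast chain.
HARDENED_RULES = (
    Rule("office", "storage", 445),
    Rule("broadcast", "storage", 445),
)

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(label, audit(HOSTS, rules))
```

With the weak rule set the audit reports the Isilon admin UI and the office SMB share as Internet-facing, confirms that the office zone can reach the broadcast zone (via storage, with no direct office-to-broadcast rule at all), and lists the unpatched Windows XP playout server as reachable from both office and Internet; the hardened set produces no findings. The same check can be run against an exported firewall policy before a change is pushed, which is the kind of control the article's sources say broadcast teams tend to skip.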



Luck or specialized skills?

At this point, the main question is whether the attackers went after the broadcast systems intentionally – which assumes knowledge of this very specific infrastructure – or by luck, for example by infecting an unpatched Windows XP server visible on the network. "This is the question we are asking ourselves," Anssi acknowledges. Guillaume Poupard, its director general, also regularly explains that groups of attackers are now specializing to increase their efficiency. The issue is serious enough that Anssi has decided to organize, within the next 15 days, a tour of the French media to check whether they have been victims of similar attacks.


Photo credit: Eldar Nurkovic / shutterstock
