It’s 10PM and you’re ending your day but hackers are just getting started. Maybe a cup of brute-force strength hacking techniques to start their day? Before you drift to sleep, you can’t help but start thinking about that new corporate application you installed today. Did you configure everything correctly with the right passwords, settings, and certificates? You can check tomorrow but business doesn’t stop and with employees working from home, “business hours” are a thing of the past. Besides, everything you tested worked great and did what it was supposed to do so you know things will probably work fine. And they do for months… until something strange starts happening and you see that new competitors are taking your business by selling a product that looks eerily similar to yours. How could they have copied it so well? You suspect that you may have a mole in your organization and so you begin analyzing the network traffic of all your employees. But what you end up seeing is something unexpected, outside traffic not tied to any of your users is coming in and stealing your internal corporate data. How is this happening? After much investigation and discussions with the provider of the application, you discover that there were default settings you had to change and you are told it’s your fault for not changing them.

It was recently reported by Hacker News that over 200,000 businesses were susceptible to being hacked because of not changing a default setting in Fortigate VPN.  Customers have been told that it’s unfortunate they didn’t follow instructions but nothing is going to change.  “For its part, Fortinet said it has no plans to address the issue, suggesting that users can manually replace the default certificate and ensure the connections are safe from MitM attacks.”  I don’t know about you but if I have 200,000 clients buying a VPN that can be hacked because my clients aren’t aware of what they need to configure, then something needs to change. “‘The Fortigate issue is only an example of the current issues with security for the small-medium businesses, especially during the epidemic work-from-home routine,’ Hertz and Tashimov noted.  ‘These types of businesses require near enterprise grade security these days, but do not have the resources and expertise to maintain enterprise security systems. Smaller businesses require leaner, seamless, easy-to-use security products that may be less flexible, but provide much better basic security.’”

This is akin to the early days of home Wi-Fi where every router was public and not password protected. A common tactic of wardriving forced the consumer router industry to wake up and make their routers private and put default random passwords on the box like happypuppy632.  Perhaps this bad publicity will force a change to the default behavior for Fortigate VPN but that remains to be seen. For liability, Fortinet may publicly be pushing a hard line but perhaps changes will be quietly made in future releases. It defeats the purpose of an application explicitly designed for privacy to be insecure out of the box when so many will just plug it in and start using it while unaware of the dangers.

 

At Grey Market Labs we believe you shouldn’t need a computer science degree to be safe online. That’s why our solutions are built with Security and Privacy by Design, striving toward our mission to protect life online. Our products accelerate your business and work online and in the cloud, making you more productive and ensuring privacy and security especially with in a world of remote work.

Simply: we prevent data from being compromised and protect our customers work, online.

Contact us to see how we can work together.

Leave a Reply