Out of the Blue: Security Through Obscurity: Don't Count on It

Commentary

Obsessing about Internet security? Probably not. But perhaps you should be. If your company operates an Internet server, the host very likely has one or more remotely exploitable security vulnerabilities, and sooner or later, someone will find them. Even if you are fastidious in your precautions, it is humbling to remember that the Internet indirectly links your system to a formidable global hacker community. One need not be deprecating to concede that cyberspace is populated with growing numbers of technical exhibitionists, most of whom are much more astute and technically fixated than the average system administrator. How good are these hackers? It is rumored that the National Security Agency (NSA) was recruiting cyberspooks at DefCon, the annual hacker convention.

Connection is contagious. Being linked to the Internet is like having unprotected sex: You can control your own behavior, but you can never be sure about the other guy. As IBM bluntly states in its Internet security site: “You need to protect your system from everyone on the Internet.” Good luck.

Attacks occur much more often than they are reported. Like banks reluctant to admit to depositors that they can be successfully defrauded, businesses naturally prefer to conceal security breaches. There is no point in advertising vulnerabilities and alerting employees, customers, suppliers, and other hackers that confidential information isn’t. So rather than address the issue systemically, security remains a problem that is managed in isolation. Firewalls and Computer Emergency Response Team (CERT) advisories notwithstanding, the reality of cyberspace is that, as soon as the castle is built, invaders start to scale its walls. No sooner does a new operating system or piece of software hit the streets than an army of clever code surgeons begins to dissect it looking for points of entry. Once backdoors are unearthed, Common Gateway Interface (CGI) scripts can be compromised, and, soon, privileged commands are being executed by malicious strangers. And while systems administrators toil in isolation to secure their systems, hackers are a cooperative bunch. As vulnerabilities are discovered, they are graciously posted on the Internet for other hackers to use (see the Exploit World Web site at www.insecure.org/sploits_remote.html). Even though the AS/400 boasts a high level of security, IBM concedes that “the number of e-commerce and e-business applications and solutions that can be conceived are endless...[therefore] there is no way we can begin to describe securing every conceivable e-commerce and e-business scenario. One hundred percent security can never be realized.” Swell.

But just how insecure is the Internet? An anonymous group of ingenious hackers who describe themselves as “a small, independent, security research group” decided to audit Internet security. No small undertaking. From Canada to Argentina, from Iran to Japan, they scanned the networks of ISPs, government agencies, military installations, universities, corporations, and banks looking for “commonly known security vulnerabilities.” Why? They were interested in the results, of course, and for the singular reason most mischief and innovation occur in cyberspace. The spokesman for the group summarized it rather gleefully: “We did it because we can.” In all, they examined over 36 million hosts. How they did it and what they found provide a loud wake-up call for enterprises that rely on obscurity for their security.

To scan 36 million servers, the group needed some resources, a vigorous piece of invasive software to start. Not by coincidence, the Internet is a fine source of free invasive software from SATAN to Nessus, but none of these applications were designed “with bulk in mind.” So they did what any self-respecting hackers would do: They wrote their own and christened it BASS (Bulk Auditing Security Scanner).

Next, they needed to map the address search space. There are several ways of accomplishing this. One way is to do a recursive search through the Domain Name System (DNS) registry, then map host names to IP addresses. Or you can download prepackaged information from assorted Network Information Centers (NICs). Some NICs, they advise, have “precompiled data files available over anonymous FTP.” It’s faster and easier than the first method, and the team was able to download .com, .net, .org, .edu, .mil, and .gov domains. But all of this takes time, software, and expertise. If you’re short of these commodities but have some extra cash, anyone can buy the information for $2,500 from Matrix Information and Directory Services.

Unless time is no object, some serious bandwidth is also required. A single workstation running BASS “with enough memory to support hundreds of scanning threads and a T3’s equivalence in bandwidth could probe the entire Internet in under a week at about 4,500 jobs per minute (JPM).” But if your means are more moderate, “ten PCs with dialup-strength connections could probe the Internet in a month or so at a modest 90 JPM.”

The group took the middle ground, installing BASS on eight UNIX boxes, each with at least 512 kilobits per second (Kbps) of bandwidth. For security reasons of their own (in some parts of the world, governments and discreet military installations have a tendency to object violently to unauthorized probes), the eight systems were dispersed in five countries: Israel (1), Mexico (1), Russia (2), Japan (2), and Brazil (2). Five systems participated in the live scan, and three served as backups.

The first test for BASS was in Israel, and some bugs were expected. Initially, when the multithreaded application bumped up against misconfigured firewalls or broken routers, individual threads froze and the application eventually ground to a halt after scanning some 18,000 addresses. “A fail-safe timeout circuit fixed the problem,” and they tried again.

“This time, the scan finished on schedule: 110,000 addresses in under four hours on a dual ISDN 128k connection.”

The next test was considerably larger. BASS scanned the United Kingdom “with an address space of 1.4 million.” This time, the team discovered “obscure memory leaks [that] slowly inflated BASS to monstrous proportions,” dragging the entire system down. Several debugging sessions later, they were ready to tackle the world.

As expected, they began to get some responses, which were “much friendlier than [they] anticipated”—mostly “harmless acts of mindless automata and mutual curiosity,” several portscans a day, the occasional TCP/IP stack exercise, operating system fingerprinting, pings, traceroutes, and a few emails politely asking why their network was attacking the sender’s. People either didn’t know they were being probed, didn’t care, or didn’t have the skills to do anything about it. Third World countries, in particular, appeared to have no security expertise at all. By the end of the week, the group had successfully scanned 12 million hosts.

During the second week, they scanned U.S. military networks. Although they noticed a significant increase in the number of probes they were receiving, “to say we were not impressed by the security of the military network is a big, fat, major understatement.” But by midweek, their Russian scanner was taken out by a denial-of-service attack: a 16-hour attack of a “512 Kbps stream of packets amplified 120-times strong over an unsuspecting Canadian broadcast amplifier.” At first, they thought it was the military, but no, it was “just some ill-tempered English fellow who didn’t appreciate getting probed.”

The emails, however, got progressively nastier: lawyers citing computer crime, threatening court action, and demanding immediate identification of the attacking party. Sure.

During the last week, they tackled the massive .com and half of the .net domain, and they were done. It took five nodes running BASS at 250 JPM to scan 214 national domains and seven three-letter domains in just over 20 days. Remember, they only tested for selected known vulnerabilities—security fissures for which patches already exist. Still, they found 450,000 vulnerable hosts with 730,213 individual points of access.

The implications of the audit are sobering and far-ranging, especially considering that the BASS source code and detailed instructions on how to replicate this scan are posted on the Internet. “Easy pickings,” the group acknowledges, “at the fingertips of anyone who follows in our footsteps, friend or foe,” well intended or not.

The group reports being stunned by how many networks they expected to be ultrasecure were instead wide open to attack. That included nuclear weapon research centers, banks, and, surprise, surprise, companies specializing in computer security.

“Seven hundred thousand vulnerabilities, gaping holes, wounds in the skin of our present and future information infrastructures, our dream for a free nexus of knowledge, a prosperous digital economy, where we learn, work, play, and live our lives.” These vulnerable systems, of course, do not exist in isolation but are part of affiliated networks, thus “putting many millions of systems in commercial, academic, government, and military organizations at a high-compromise risk.”

At the very least, the audit suggests that there is no obscurity; if you are on the Internet, you are both visible and vulnerable. It is only a matter of time before someone with hostile intent picnics on your system, unleashes some Internet-borne blight, or attempts to shut down all or part of the Internet. Clearly, a systemic Internetwide solution must be developed, and when it is, we can be certain it will be tested by the finest hackers on the planet. For system administrators, the annoying paradox is that the potential for the Internet’s invulnerability lies in the exposure of its vulnerabilities.

In the meantime, it may be useful to remember that if eternal vigilance is the price of liberty, it applies with equal urgency to network security.
