Out of the Blue: Security Through Obscurity: Don't Count on It

Commentary

Obsessing about Internet security? Probably not. But perhaps you should be. If your company operates an Internet server, the host very likely has one or more remotely exploitable security vulnerabilities, and sooner or later someone will find them. Even if you are fastidious in your precautions, it is humbling to remember that the Internet indirectly links your system to a formidable global hacker community. One need not be deprecating to concede that cyberspace is populated with growing numbers of technical exhibitionists, most of whom are much more astute and technically fixated than the average system administrator. How good are these hackers? It is rumored that the National Security Agency (NSA) was recruiting cyberspooks at DefCon, the annual hacker convention.

Connection is contagious. Being linked to the Internet is like having unprotected sex: You can control your own behavior, but you can never be sure about the other guy. As IBM bluntly states on its Internet security site: “You need to protect your system from everyone on the Internet.” Good luck.

Attacks occur much more often than they are reported. Like banks reluctant to admit to depositors that they can be successfully defrauded, businesses naturally prefer to conceal security breaches. There is no point in advertising vulnerabilities and alerting employees, customers, suppliers, and other hackers that confidential information isn’t. So rather than being addressed systemically, security remains a problem that is managed in isolation. Firewalls and Computer Emergency Response Team (CERT) advisories notwithstanding, the reality of cyberspace is that, as soon as the castle is built, invaders start to scale its walls. No sooner does a new operating system or piece of software hit the streets than an army of clever code surgeons begins to dissect it looking for points of entry. Once holes are unearthed, Common Gateway Interface (CGI) scripts are compromised, and, soon, privileged commands are being executed by malicious strangers. And while systems administrators toil in isolation to secure their systems, hackers are a cooperative bunch. As vulnerabilities are discovered, they are graciously posted on the Internet for other hackers to use (see the Exploit World Web site at www.insecure.org/sploits_remote.html). Even though the AS/400 boasts a high level of security, IBM concedes that “the number of e-commerce and e-business applications and solutions that can be conceived are endless...[therefore] there is no way we can begin to describe securing every conceivable e-commerce and e-business scenario. One hundred percent security can never be realized.” Swell.


But just how insecure is the Internet? An anonymous group of ingenious hackers who describe themselves as “a small, independent, security research group” decided to audit Internet security. No small undertaking. From Canada to Argentina, from Iran to Japan, they scanned the networks of ISPs, government agencies, military installations, universities, corporations, and banks looking for “commonly known security vulnerabilities.” Why? They were interested in the results, of course, and for the singular reason most mischief and innovation occur in cyberspace. The spokesman for the group summarized it rather gleefully: “We did it because we can.” In all, they examined over 36 million hosts. How they did it and what they found provide a loud wake-up call for enterprises that rely on obscurity for their security.

To scan 36 million servers, the group needed some resources, starting with a vigorous piece of invasive software. Not by coincidence, the Internet is a fine source of free invasive software, from SATAN to Nessus, but none of these applications were designed “with bulk in mind.” So they did what any self-respecting hackers would do: They wrote their own and christened it BASS (Bulk Auditing Security Scanner).

Next, they needed to map the address search space. There are several ways of accomplishing this. One way is to do a recursive search through the Domain Name System (DNS) registry, then map host names to IP addresses. Or you can download prepackaged information from assorted Network Information Centers (NICs). Some NICs, they advise, have “precompiled data files available over anonymous FTP.” It’s faster and easier than the first method, and the team was able to download .com, .net, .org, .edu, .mil, and .gov domains. But all of this takes time, software, and expertise. If you’re short of these commodities but have some extra cash, anyone can buy the information for $2,500 from Matrix Information and Directory Services.

Unless time is no object, some serious bandwidth is also required. A single workstation running BASS “with enough memory to support hundreds of scanning threads and a T3’s equivalence in bandwidth could probe the entire Internet in under a week at about 4,500 jobs per minute (JPM).” But if your means are more moderate, “ten PCs with dialup-strength connections could probe the Internet in a month or so at a modest 90 JPM.”

The group took the middle ground, installing BASS on eight UNIX boxes, each with at least 512 kilobits per second (Kbps) of bandwidth. For security reasons of their own (in some parts of the world, governments and discreet military installations have a tendency to object violently to unauthorized probes), the eight systems were dispersed in five countries: Israel (1), Mexico (1), Russia (2), Japan (2), and Brazil (2). Five systems participated in the live scan, and three served as backups.

The first test for BASS was in Israel, and some bugs were expected. Initially, when the multithreaded application bumped up against misconfigured firewalls or broken routers, individual threads froze and the application eventually ground to a halt after scanning some 18,000 addresses. “A fail-safe timeout circuit fixed the problem,” and they tried again.

“This time, the scan finished on schedule: 110,000 addresses in under four hours on a dual ISDN 128k connection.”

The next test was considerably larger. BASS scanned the United Kingdom “with an address space of 1.4 million.” This time, the team discovered “obscure memory leaks [that] slowly inflated BASS to monstrous proportions,” dragging the entire system down. Several debugging sessions later, they were ready to tackle the world.
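The thread-freeze problem BASS hit is the classic failure mode of any bulk scanner, and the cure the group describes, a fail-safe timeout on every probe, is worth seeing in code. The example below is added here for illustration and is not BASS or the group's code. It assumes a plain TCP connect-and-banner-grab probe in place of BASS's vulnerability checks, and it constructs its own local stand-ins on 127.0.0.1 for a host that answers, a host that completes the handshake but never speaks, and a port with nothing listening; the target list, the banner text and the state names are assumptions.

```python
# Added illustration of the fail-safe timeout described above; not BASS code.
# Assumed: a TCP connect-and-banner-grab probe stands in for BASS's vulnerability
# checks; the local listeners and the banner text are constructed stand-ins.
import socket
import threading
import time
from collections import Counter
from concurrent.futures import ThreadPoolExecutor


def probe(host, port, timeout=2.0):
    """Connect to host:port, try to read a banner, and classify the target.
    settimeout() is the fail-safe: it bounds connect(), which never returns when
    a firewall silently drops the SYN, and recv(), which never returns when a
    host completes the handshake but never speaks. Without it one such target
    parks a worker thread forever, and a few thousand of them freeze the scan."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    result = {"host": host, "port": port, "state": "filtered", "banner": ""}
    try:
        sock.connect((host, port))       # timeout here: SYN dropped -> 'filtered'
        result["state"] = "open-silent"  # handshake done; now wait for a banner
        data = sock.recv(256)            # timeout here: stays 'open-silent'
        result["state"] = "open"
        result["banner"] = data.decode("ascii", "replace").strip()
    except socket.timeout:
        pass                             # fail-safe fired; keep the state reached
    except ConnectionRefusedError:
        result["state"] = "closed"       # RST came back: nothing listening
    except OSError as exc:
        result["state"], result["banner"] = "error", str(exc)
    finally:
        sock.close()
    return result


def scan(targets, threads=32, timeout=2.0):
    """Probe every (host, port) pair with a bounded pool of worker threads.
    Returns (results, elapsed_seconds, jobs_per_minute): the pool caps
    concurrency, the timeout caps how long any one job can hold a worker."""
    start = time.monotonic()
    with ThreadPoolExecutor(max_workers=threads) as pool:
        results = list(pool.map(lambda t: probe(t[0], t[1], timeout), targets))
    elapsed = time.monotonic() - start
    jpm = len(targets) * 60.0 / elapsed if elapsed > 0 else float("inf")
    return results, elapsed, jpm


def summarize(results):
    """Count results by state, e.g. Counter({'open': 4, 'closed': 4, ...})."""
    return Counter(r["state"] for r in results)


def local_listener(banner=None):
    """Constructed stand-in for a target on 127.0.0.1 (ephemeral port).
    With a banner, a thread accepts each connection, sends it and hangs up.
    With banner=None nothing ever calls accept(): the kernel still completes
    the handshake, so connect() succeeds and an unbounded recv() hangs forever."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    if banner is not None:
        def serve():
            while True:
                try:
                    conn, _ = srv.accept()
                except OSError:
                    return               # listener closed: shut down
                with conn:
                    conn.sendall(banner)
        threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_closed_port():
    """Pick a port nothing listens on, so connect() is answered with a RST."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo(timeout=0.5, copies=4):
    """Scan a constructed mix of live, silent and closed targets."""
    live, p_open = local_listener(b"SSH-2.0-example_banner\r\n")  # constructed
    silent, p_silent = local_listener()
    targets = [("127.0.0.1", p_open), ("127.0.0.1", p_silent),
               ("127.0.0.1", free_closed_port())] * copies
    try:
        return scan(targets, threads=8, timeout=timeout)
    finally:
        live.close()
        silent.close()


if __name__ == "__main__":
    results, elapsed, jpm = demo()
    for r in results:
        print(f"{r['host']}:{r['port']:<6} {r['state']:<12} {r['banner']}")
    print(f"{len(results)} jobs in {elapsed:.2f}s, about {jpm:.0f} JPM")
```

Run stand-alone, the four silent targets each cost one timeout and nothing more; delete the settimeout() call and the same scan never finishes, which is the behaviour the group saw at 18,000 addresses. The thread pool also caps how many connections the scanning host holds open at once, which is what keeps a dial-up-class node at a steady jobs-per-minute rate instead of exhausting its own sockets.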

As expected, they began to get some responses, which were “much friendlier than [they] anticipated”—mostly “harmless acts of mindless automata and mutual curiosity,” several portscans a day, the occasional TCP/IP stack exercise, operating system fingerprinting, pings, traceroutes, and a few emails politely asking why their network was attacking the sender’s. People either didn’t know they were being probed, didn’t care, or didn’t have the skills to do anything about it. Third World countries, in particular, appeared to have no security expertise at all. By the end of the week, the group had successfully scanned 12 million hosts.


During the second week, they scanned U.S. military networks. Although they noticed a significant increase in the number of probes they were receiving, “to say we were not impressed by the security of the military network is a big, fat, major understatement.” But by midweek, their Russian scanner was taken out by a denial-of-service attack: a 16-hour attack of a “512 Kbps stream of packets amplified 120-times strong over an unsuspecting Canadian broadcast amplifier.” That is a smurf-style attack: packets forged with the victim's source address are sent to a misconfigured network's broadcast address, every host on that network replies to the victim, and a 512 Kbps stream lands on the target at roughly 60 Mbps. At first, they thought it was the military, but no, it was “just some ill-tempered English fellow who didn’t appreciate getting probed.”

The emails, however, got progressively nastier: lawyers citing computer crime, threatening court action, and demanding immediate identification of the attacking party. Sure.

During the last week, they tackled the massive .com and half of the .net domain, and they were done. It took five nodes running BASS at 250 JPM to scan 214 national domains and seven three-letter domains in just over 20 days. Remember, they only tested for selected known vulnerabilities—security fissures for which patches already exist. Still, they found 450,000 vulnerable hosts with 730,213 individual points of access.

The implications of the audit are sobering and far-ranging, especially considering that the BASS source code and detailed instructions on how to replicate this scan are posted on the Internet. “Easy pickings,” the group acknowledges, “at the fingertips of anyone who follows in our footsteps, friend or foe,” well intended or not.

The group reports being stunned by how many networks that they expected to be ultrasecure were instead wide open to attack. That included nuclear weapon research centers, banks, and, surprise, surprise, companies specializing in computer security.

“Seven hundred thousand vulnerabilities, gaping holes, wounds in the skin of our present and future information infrastructures, our dream for a free nexus of knowledge, a prosperous digital economy, where we learn, work, play, and live our lives.” These vulnerable systems, of course, do not exist in isolation but are part of affiliated networks, thus “putting many millions of systems in commercial, academic, government, and military organizations at a high-compromise risk.”

At the very least, the audit suggests that there is no obscurity; if you are on the Internet, you are both visible and vulnerable. It is only a matter of time before someone with hostile intent picnics on your system, unleashes some Internet-borne blight, or attempts to shut down all or part of the Internet. Clearly, a systemic Internetwide solution must be developed, and when it is, we can be certain it will be tested by the finest hackers on the planet. For system administrators, the annoying paradox is that the potential for the Internet’s invulnerability lies in the exposure of its vulnerabilities.

In the meantime, it may be useful to remember that if eternal vigilance is the price of liberty, it applies with equal urgency to network security.

