[BreachExchange] Cyber security relics: 4 older technologies still plaguing the infosec world

Destry Winant destry at riskbasedsecurity.com
Tue Nov 6 02:13:46 EST 2018


https://www.csoonline.com/article/3316549/vulnerabilities/cyber-security-relics-4-older-technologies-still-plaguing-the-infosec-world.html#tk.rss_news

If you bumped into me on the street, you would probably not guess that
I am a cyber security professional. I am, one might say,
well-seasoned. Given my history of chasing bad actors who were
attacking my mainframe, some may wonder if I have the skills necessary
for such a bleeding edge profession (one CEO asked me exactly that).
While I can certainly make that case effectively, there are many times
my knowledge of the “olden days” comes in very handy.

Case in point: some years ago I was re-engineering the transaction
system for a credit bureau. When I started, they were running
black-box servers with custom DOS-based software. I had finished an
18-month project to replace everything with systems and software from
the current century, and we had successfully gone live. Unfortunately,
our largest client, still using modems to communicate for many of its
locations, was complaining of connectivity issues. When the
development team could not identify the issue, I jumped in.

I remember sitting in the break room late one night talking to the
communications developer about how he wrote his software. He was only
a couple of years out of one of the top engineering schools in the
country. I asked him about how he was handshaking with the modems.
When he responded with a blank stare, I knew the problem.  Having
never worked with a modem in his life, he had no idea how to properly
interface with them.  Once I showed him, we had the system modified,
tested, and operating properly in 30 minutes.

You might think knowing how to work with modems is not particularly
useful for 2018. Consider, however, the recent discovery of a
vulnerability in some Android devices, allowing someone with physical
device access to interact with many of the basic phone functions. It
seems the implementation of phone controls in these very modern
devices is based on the old Hayes modem command set. Since nobody has
learned about this command set in years, it took a fellow relic to
discover the vulnerability.

The fact is, much of our modern technology has its roots in systems
that were in use many years ago. And in certain industries, including
healthcare, utilities and manufacturing, those original systems are
still in use. In order for a cyber security professional today to
fully understand the risks and how to address them, it helps to have a
foundation in the old fundamentals.

Here are four examples of older technologies that are still plaguing
the information security world:

Faxsploit

As I discussed in "5 cyber security basics you can't afford to ignore,"
Faxsploit allows a bad actor to access and exfiltrate data using only
a fax line connected to a multi-function printer, HP in this case. The
problem is that the driver software for the fax port is ancient.  It
has not changed significantly in 15 years. On the other hand, newer
network connectivity software has been added, with nobody stopping to
think about its interaction with the fax software.

Heartbleed

Heartbleed, which was first reported in 2014, allowed clear text data
to be obtained from SSL encrypted web sites. It is believed to have
affected at least one third of all web sites at the time, and is
considered one of the most serious server vulnerabilities of all time.
It was likely exploitable long before 2014, but was not discovered and
reported until then.

Social engineering

I suspect many people think social engineering is a recent phenomenon,
but this could not be further from the truth.  In the early days of
phone hacking, people crawled around in dumpsters looking for
discarded manuals to help them understand the inner workings of the
phone systems of the day.  These dives were often followed by phone
calls to technical folks, under some pretense, to get additional
information.  Together, this information allowed hackers, known as
"phone phreaks," to build devices allowing them to obtain free long
distance.  This practice got its start in the 1950s, peaking in the
late 1960s.

Today, dumpster diving is still a common practice, as is posing as
someone you're not and using some pretense to obtain information.

Cross-site scripting

In 2007, cross-site scripting (XSS), which allows a bad actor to
inject code into a user's browser session, was added to the OWASP Top
10 Vulnerabilities list.  It has never gone away.  This vulnerability
can still be found on many web sites, and is actively being exploited
by bad actors.

The bottom line

As I noted above, everything old is new again, and this certainly
applies to cyber security.  Many of the attack strategies used and
vulnerabilities exploited today have their roots in what happened many
years ago.  You are well served if you understand these roots, and if
you keep a few of us relics around to help with that perspective.

