In two previous posts, I have been discussing the possibility that although true computer security may not be possible in the most general and widest cases, it could be significantly better with relatively simple solutions. In particular, I propose that we could see massive reduction in computer vulnerabilities by correcting “The Password Problem.”
Today’s post is about the corollary: unless we fix “The Password Problem”, I believe we will never have a reasonably secure network infrastructure.
Recently, CERT published TA16-250A: The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations. I recommend reading the entire article, but this part is striking (emphasis added):
In September 2015, an attack known as SYNful Knock was disclosed. SYNful Knock silently changes a router’s operating system image, thus allowing attackers to gain a foothold on a victim’s network. The malware can be customized and updated once embedded. When the modified malicious image is uploaded, it provides a backdoor into the victim’s network.
The routers referenced by this advisory are Cisco routers. Cisco routers are everywhere as Cisco still dominates the routing and switching market with approximately 56% market share. Obviously, not every Cisco switch or router is vulnerable to the SYNful Knock attack, but it’s frightening, perhaps even terrifying, to imagine large portions of the Internet’s underlying infrastructure running with compromised operating systems.
In fact, calling such a system “compromised” is inaccurate. The correct term for a system with a replaced operating system image is “rogue.”
Any guesses as to how these devices are first compromised? Again, from the CERT advisory:
The initial infection vector does not leverage a zero-day vulnerability. Attackers either use the default credentials to log into the device or obtain weak credentials from other insecure devices or communications.
I thought it was significant that CERT felt the need to stress that the attack was not initially vectored by zero-day vulnerabilities. Zero-day’s are certainly scary because there’s little you can do about them. Zero-day’s are the scary computer-security nightmare of having unknown bugs in your system that you can’t defend against because you (nor anyone else except the bad guys) even knows where they are. They are the Achilles heal of the most well designed security system.
And yet, the bad guys don’t need an Achilles heal. They just need a router left with default passwords, or a router accessible from other devices with weak credentials.
When I read this advisory, it reminded me of another computer threat from many years ago. In fact, the first known computer “worm”: the Morris Worm.
The Morris Worm was released by one Robert Morris in 1988 and it literally shut down much of the Internet as it existed at that time. It is worth noting that the worm itself had no malicious payload. It did not delete files, corrupt data, or steal information. In truth, it did nothing more than replicate itself and spread. But it replicated so fast that the infected computer systems simply shut down under the processing load.
Any guesses as to how the worm spread?
[The Morris Worm first] looks for trivially broken passwords. These are passwords which can be guessed merely on the basis of information already contained in the password file. Grampp and Morris report a survey of over 100 password files where between 8 and 30 percent of all passwords were guessed using just the literal account name and a couple of variations. [Next] the worm compares a list of favorite passwords... The list contains 432 words, most of which are real English words or proper names...
Once a password was broken, other networking utilities enabled the worm to spread across the Internet. At the time, most users of the Internet had accounts on many machines. After the worm had access to one machine, it could almost trivially jump to any other machines on which the compromised user had accounts. On the new machine, the worm would begin trying to crack the passwords of other users thereon, thus finding new victims and subsequently new machines.
What was the impact of this worm? Keep in mind that the year was 1988, approximately five years before the World Wide Web, and in a time when less than 15% of the United States population had a personal computer, let alone access to the Internet. Because the average consumer had no idea that an Internet even existed, and it was primarily used for research and military purposes, the Morris Worm’s significant effects had very little impact on people outside of IT circles.
But they were significant:
[The Morris Worm] did compete for CPU time with, and eventually overwhelm, ordinary user [programs]. It used up limited system resources... [and] caused some machines to crash by operating them close to the limits of their capacity, exercising bugs that do not appear under normal loads. It forced administrators to perform one or more reboots to clear worms from the system, terminating user sessions and long-running jobs. It forced administrators to shut down network gateways, including gateways between important nation-wide research networks, in an effort to isolate the worm; this led to delays of up to several days in the exchange of electronic mail, causing some projects to miss deadlines and others to lose valuable research time.
This relatively benign sounding passage obscures the fact that these “nation-wide research networks” constituted most of the Internet in 1988. In short, the Internet had to shut down for a few days because of a Worm that didn’t actually try to destroy anything.
What if the Morris Worm repeated today? As described by CERT, significant portions of our Network infrastructure are vulnerable to compromise because of default or weak credentials. The widespread overwhelming of Internet infrastructure, spreading faster than IT or security professionals can stop, is not at all unreasonable. Corporations and institutions under attack commonly shut down their network connection until they can identity and block the intrusion. But is that really an option for the networking infrastructure that keeps the Internet operational?
As discussed, it may be impossible to fully protect, and completely secure, our Internet from any and all cyber security failures, but without solving our Password Problem we are guaranteeing ourselves damage, the extent of which we can only guess.