Murphy’s Law states that: “Anything that can go wrong, will go wrong”. It’s often used to explain why a piece of toast will generally fall jelly-side down when dropped, but apply it to the field of computer network security and you’ll realize something much more profound: It implies that your network is bound to be vulnerable for the most trivial of reasons. Here’s why:
Your network infrastructure is made up of an assortment of servers, routers and other devices, all of which have to be configured to work in a secure fashion. But if any of them are misconfigured then your network could be vulnerable. And that’s the foot in the door that Murphy’s Law needs: if a router can be configured insecurely then it will be. Boom. The security of your network just flew out the window.
The degree to which misconfigured networks are a security problem in the real world was highlighted at Defcon recently, when a number of hackers and security professionals were questioned for a survey carried out by security company Tufin Technologies . Just under three quarters said that misconfigured network infrastructure is the easiest IT resource to exploit to hack a network (excluding websites.)
Asked why the most risky misconfigurations are often overlooked, a few blamed lack of time or money for audits, and fewer still said that threat windows are changing too rapidly. The majority felt the reason is even simpler: administrators simply don’t know what to look for, so they don’t recognize misconfigurations when they see them.
But let’s be clear about this: Network administrators are not stupid. Far from it. The problem here is that networks are complicated systems, and given their complexity misconfigurations that can be exploited are not obvious. Or perhaps more accurately, misconfigurations can be like bugs in software: they can be overlooked for years, but once they are spotted they seem obvious in hindsight.
Murphy’s Law is a tough one to break, but misconfigurations have to be found and corrected if you don’t want to give hackers an easy ride into your organization. As Reuven Harrison, Tufin’s co-founder puts it, “network managers need to sit up and smell the coffee on the fact that network misconfiguration is now a primary security issue for their IT staff.”
Unfortunately, avoiding misconfigurations is about to get harder. Every year we hear that the IPv4 address space is about to run out and that the need to implement IPv6 networks is becoming more critical. The latest thinking by the pro-IPv6 camp is that IPv4 addresses will run out sometime early next year. Regardless of whether that turns out to be the case or not (and one suspects not,) the chances are that IPv6 will have an impact on your network in the near future. And that means that even if your people get up to speed on the types of misconfigurations to look for in your current network setup, IPv6 is going to bring a whole wagon load of new and potentially dangerous misconfigurations to your network. Talking in Dark Reading, Cricket Liu, vice president of architecture for security appliance vendor Infoblox warns of the dangers of implementing IPv6. “Until you understand it, you’re not going to configure it right. So there are going to be a lot of mistakes, and [that will be] the source of a lot of vulnerabilities in the configurations,” he says. He may be selling something, but he still has a point.
Symantec’s Wack Week
You may have noticed that the hackers in Tufin’s survey excluded websites when they said that misconfigured infrastructure is the easiest IT resource to exploit. Websites, by implication, are even easier, a fact apparently lost on Symantec, leaving the company with a rather large helping of egg on its corporate face last week.
The company launched a “Hack is Wack” website with Snoop Dogg, inviting hip young things to submit two minute anti-cybercrime rap videos and to “have fun fo’shizzle.” When staid corporations try to act cool it almost never works, and the competition itself is rather ridiculous. Now Symantec may not care about its dignity, but as a security company you’d expect it to care about, well, security. However, as Mike Bailey at Skeptikal.org points out:
“the Hack is Wack site is chock full of holes. For example, there’s the publicly available, indexed cache directory with all that SQL, JSON and other data. There’s the XSS vulns … CSRF holes, and the Flash upload issues in the video upload script.”
You get the idea. Perhaps Symantec should have borne Murphy in mind: If a website can have cross site scripting vulnerabilities, it will have them…
Microsoft, on the other hand, is not a company that you would necessarily associate with security, but last week it launched version 2 of its interesting Enhanced Mitigation Experience Toolkit (EMET). The tool aims to make legacy software, especially line of business applications, more secure by deploying new(ish) security mitigations to older applications which might be vulnerable.
Two new mitigations which can be applied to applications are included in the latest version of the tool, in addition to four mitigations which were present in version 1. The new ones are mandatory Address Space Layout Randomization (ASLR), which makes the exploitation of buffer overflow vulnerabilities very hard indeed, and Export Address Table Access Filtering, which helps stop malicious shell code from doing anything harmful. The other mitigations which can be applied to applications are Dynamic Data Execution Prevention (DEP), Structure Exception Handler Overwrite Protection (SEHOP), Heap Spray Allocation, and Null Page Allocation. Technet provides a fuller explanation of the tool, and you can download it free from Microsoft.
_Marshaled_pUnk gains purpose in life
Not that mitigations like DEP and ASLR are the answer to all your security worries, as security researcher Ruben Santamarta illustrated rather neatly recently. He discovered “_Marshaled_pUnk”, an unused and forgotten parameter in Apple’s Windows QuickTime player. Due to a flaw in the way the QuickTime ActiveX controller handles a supplied parameter and treats it as a trusted pointer, it can be used to shunt malicious code into memory. He then sidestepped DEP and ASLR using a technique which involved loading Microsoft’s WindowsLiveLogin.dll – which does not have the ASLR flag set – into memory and executing the code.
“The bug is pretty bizarre,” is how H.D. Moore, legendary hacker and now CSO of Rapid 7, put it, talking to The Register last week. “It’s not a standard vulnerability in the sense that a feature was implemented poorly. It was more kind of a leftover development piece that was left in production. It’s probably an oversight.”
_Marshaled_pUnk has probably been in the code for almost a decade, and it was an oversight of seemingly little significance until a week or so ago. But just by being there, it was a potential problem. So Santamarta’s work only goes to illustrate a corollary of Murphy’s Law, that if something can cause a problem, it will cause a problem…