Tuesday, February 22, 2011

Why Penetration Testers Need To Remember The Good Old Days

As a penetration test trainer to Fortune 500 companies, I often see a few students in the class zone out and stare off with glassy-eyed disinterest when I cover legacy systems and protocols. Examples of these "boring" topics include Windows NT, WEP, and ancient attacks like the 'Ping of Death'. They ask me, "Why do we need to learn this stuff when it was fixed years ago?"

The answer is simple: history repeats itself. Just as these students aren't interested in learning from the past, there is a world of developers out there who exhibit the same disinterest. They're churning out vulnerable code with all kinds of old-school vulnerabilities, and the testers, having also slept through that part of the class, barely know how to detect them.

A subject I almost never see covered in penetration testing or hacking courses is the lowly modem. The rationale seems to be that modems are rarely used within the corporate environment, and when they are, a VPN is deployed. VPN security is well understood, and most (definitely not all) companies that use VPNs do deploy them reasonably well. But the VPN does not cover all the layers: it protects the traffic, not the device carrying it, and the modem itself is still just as vulnerable to attack as it always was.

To demonstrate why ignoring technical pieces of our computing legacy is tragic, one only has to look at a recent case in New Hampshire. Asu Pala resurrected an ancient idea: use malware to reconfigure modems to dial through a premium-rate service.

The damage? In the nearly 5 years his attack ran, Pala made himself a neat $8 million.

The fact is, old equipment and operating systems abound on the Internet, and they can nearly always be found even within organizations that push policies on eradicating them. On top of that, younger developers who do not know their security history tend to repeat the mistakes that were made before their time.

0-day attacks nearly always bear some relationship to the old attacks that we like to think don't occur anymore. Penetration testers who are not acquainted with legacy security issues are likely to be blind to them when they recur.
