After my post last week on the great Mirai Internet takedown of 2016, I received some email in response. One of the themes in the feedback was, roughly, that ‘Mirai really doesn’t have anything to do with those of us in enterprise IT security’.
Most large companies probably don’t have hackable consumer-grade CCTV cameras or other low cost IoT gadgetry that can be de-authed and taken over by the neighborhood teenager. At least we hope not.
I should mention that power and utility companies have leaped ahead in this area by adding lots of IoT monitoring devices to their 19th century electric infrastructure. It’s a security problem to take up on another day.
Anyway, back-doors and other vulnerabilities like the ones we saw in the WiFi cameras exploited in the Mirai incident also show up in plain business-class networking gear.
The Defenseless Perimeter
Over the summer, Cisco disclosed an exploit, known as ExtraBacon, which lets attackers remotely execute code on one of their firewall products. And in July, a zero-day exploit involving a self-signed certificate was discovered in a Juniper product. It would let attackers monitor internal network traffic.
Perhaps even more disturbing is the hacking potential of firmware, the hardware-level code on which routers, phones, laptops and other gadgets rely. Since firmware is typically not digitally signed, hackers can alter it to carry special malware that then takes over the device.
Perhaps an insider in the company’s data center, but working for a cybergang, loads firmware carrying a deadly implant onto a router.
Or, even more sneakily, a cyber gang hacks into a router manufacturer’s website and replaces the good device firmware with the evil version, which is then downloaded to thousands of routers and firewalls around the world!
If you want to lose more sleep at night, read this article in Wired about the security holes in firmware. By the way, our frenemies at the NSA were way ahead of the curve in weaponizing this low-level code, which then recently found its way to cyber-criminal groups after our nation’s top security agency was itself … hacked.
The larger point is that in the face of these deep vulnerabilities, the standard perimeter defense provides laughably little protection.
The other lesson from the massive Mirai attack is how vulnerable we were as a result of our own IT laziness. Sure, we can excuse harried consumers for treating their home routers and IoT gadgetry like toasters and other kitchen appliances – just plug it in and forget about it.
Unfortunately, even easy-to-use and maintenance-free consumer routers — I’m talking to you, Linksys — require some attention, including changing default settings and putting complex passwords in place.
So what excuse do professional IT types have for this rookie-level behavior?
Unfortunately, default-itis still plagues IT organizations.
As recently as 2014, the Verizon DBIR specifically noted that for POS-based attacks, the hackers typically scanned for public ports and then guessed weak passwords on the POS server or device, either ones that were never changed or ones created for convenience, such as “admin1234”.
This is exactly the technique used in the Mirai botnet attack against the IoT cameras.
Even if hackers use other methods to get inside a corporate network — phishing, most likely — they can still take advantage of internal enterprise software in which default accounts were never changed.
That was the case in the mega-hack of Target. The hackers already knew about a default account and password used by a maker of popular IT management software installed on the Target network. The hackers leveraged this default account — which gave them privileged access — to copy credit card data to the exfiltration server.
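As an added example (not code from the original post), here is the kind of detection logic the two cases above call for, run over constructed authentication log lines: it flags the DBIR “scan, then guess” pattern (several failures followed by a success from one source) and any successful login on a vendor-style default account like the one abused at Target. The log format, the account list and the addresses are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample authentication log lines (not from the original post);
# the syslog-like format is a hypothetical one chosen for this example.
SAMPLE_LOG = """\
2016-10-25T02:14:01Z auth: FAILED user=admin src=203.0.113.7
2016-10-25T02:14:03Z auth: FAILED user=admin src=203.0.113.7
2016-10-25T02:14:05Z auth: FAILED user=admin src=203.0.113.7
2016-10-25T02:14:07Z auth: SUCCESS user=admin src=203.0.113.7
2016-10-25T02:15:40Z auth: SUCCESS user=jsmith src=10.0.0.12
2016-10-25T02:16:02Z auth: FAILED user=root src=198.51.100.9
2016-10-25T02:16:04Z auth: SUCCESS user=support src=198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+) auth: (FAILED|SUCCESS) user=(\S+) src=(\S+)$")

# Vendor/default-style account names that should not be logging in
# interactively once a system is deployed (illustrative, not exhaustive).
DEFAULT_ACCOUNTS = {"admin", "root", "support", "guest", "service"}

def parse(log_text):
    """Turn raw log text into (timestamp, result, user, src) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groups())
    return events

def find_guess_then_success(events, min_failures=3):
    """Return (src, user) pairs where a source failed at least min_failures
    times and then logged in successfully: the password-guessing pattern."""
    failures = defaultdict(int)
    hits = []
    for _ts, result, user, src in events:
        key = (src, user)
        if result == "FAILED":
            failures[key] += 1
        elif failures[key] >= min_failures:
            hits.append(key)
            failures[key] = 0  # reset so one burst is reported once
    return hits

def find_default_account_logins(events):
    """Return (src, user) for every successful login on a default account."""
    return [(src, user) for _ts, result, user, src in events
            if result == "SUCCESS" and user in DEFAULT_ACCOUNTS]
```

Run `find_guess_then_success(parse(SAMPLE_LOG))` and `find_default_account_logins(parse(SAMPLE_LOG))` to see both alerts on the sample; in practice the same two checks would run over the real authentication logs of the POS or management servers.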
For those in IT who think that the Mirai botnet incident has nothing to do with them or have to convince their managers of this, here are the two points that summarize this post:
- The lesson of the Mirai botnet attack is that the perimeter will always have leaks. For argument’s sake, even if you overlook phishing scenarios, there will continue to be vulnerabilities and holes in routers, network devices, and other core infrastructure that allow hackers to get inside.
- Human nature tells us that IT will also continue to experience default-itis. Enterprise software is complicated. IT is often under pressure to quickly get apps and systems to work. As a result, default accounts and weak passwords that were set for reasons of convenience — thinking that users will change the passwords later — will always be an issue for organizations.
Conclusion: You have to plan for attackers breaching the first line of defenses, and therefore have in place security controls to monitor and detect intruders.
In a way, we should be thankful for the “script kiddies” who launched the Mirai botnet DDoS attack: it’s a great lesson for showing that companies should be looking inward, not at the perimeter, in planning their data security and risk mitigation programs.