You might think that you’ve said “Hasta la vista, baby” to outdated stuff, but old zombie internet standard protocols still haunt 21st Century IT users.
The security landscape is constantly changing as adversaries find new techniques to attack businesses and people. Consequently, defenders adapt their game to stay one step ahead of the criminal mind.
At the same time, certain legacy internet protocols are still in use. Three of the worst zombies roam below.
F-Secure’s Attack Landscape H1 2019 report shows that the largest share of attack traffic for the first six months of 2019 – 760 million events – was attacks against the Telnet protocol. This is used by insecure Internet of Things (IoT) devices.
Telnet was replaced in the 1990s by more secure protocols on servers across the industry. Standard practice removes and hides unnecessary ports, protocols, and services to harden devices. IoT is bringing back Telnet with a vengeance, however. This is one reason that the IoT has been dubbed a “[cyber] security nightmare”.
The Telnet protocol, which was developed in 1969, stands for “teletype network” and is used by administrators or other users to access computers remotely. Security was not as large a concern before the bandwidth and connectivity explosion of the 1990s as it is today. Most users of networked computers were in the computer departments of academic institutions or at large private and government research facilities.
Fennel Aurora, security advisor at F-Secure, says that “there is no good reason for IoT to have Telnet available. It’s been dead for 20 years. Even if this was a secure protocol like Secure Shell (SSH), there is no good reason to have a remote access port open to the Internet for your fridge or coffee machine.”
“This obvious lack of basic hardening by the manufacturers is beyond negligent. We’re going to continue to see this kind of irresponsible endangerment of consumers by IoT makers until consumer protection laws for the security and privacy of IoT devices are as stringent as those around poisonous toys and household fire hazards.”
Old SSH versions are not shh
Secure Shell, which was designed as a replacement for Telnet, is a cryptographic protocol for operating network services securely over an unsecured network. It is a more secure replacement for Telnet. SSH’s Finnish father, Tatu Ylönen, a researcher at the Helsinki University of Technology, designed the first version (now called SSH-1) in 1995. He developed it in response to a password sniffing attack on his institution’s network.
2006 saw SSH-2 adopted as a standard. While it is incompatible with the previous version, it features both security and feature improvements. Still, three vulnerabilities were discovered in versions between 1998 and 2008. In 2014, Germany’s Der Spiegel published classified information leaked by whistleblower Edward Snowden. It suggested that the NSA could decrypt some SSH traffic.
A recent report by Alert Logic, a threat intelligence and defense company, shows that adversaries use ports 22 (SSH), 80 (unencrypted web traffic), and 443 (encrypted web traffic) to carry out attacks on small and medium-sized businesses.
SAMBA: Your business, your baby
Server Message Block (SMB) – sometimes called SAMBA – is far from being a joyful dance. It is a network communication protocol that provides shared access to files, printers, and serial ports between nodes on a network. Computers running Microsoft Windows OS account for most usage of this protocol.
The Attack Landscape H1 2019 report by cyber security company F-Secure states that their honeypots recorded 556 million events involving Traffic to SMB port 445 during the period. EternalBlue, a cyber attack exploit developed by the NSA made public by the Shadow Brokers and used as part of the WannaCry ransomware attack in 2017, is an attack against SAMBA.
Two years after WannaCry, related exploits are still popular. This is due to large numbers of still unpatched servers around the world.
The EternalBlue exploit allows remote attackers to execute arbitrary code on the target computer because the SMB version 1 (SMBv1) server mishandles specially-crafted packets – a unit of data that is routed between internet-facing computers. SMB is often configured in a way that means it is open to the Internet. Some of the older versions – the first going back to 1983 – are filled with many security holes.
“For the record, the Product Manager for SMBv1 says you should smother it in the crib because it’s nightmare bullshit,” tweets SwiftOnSecurity, an author and systems security and industrial safety person. Microsoft Product Manager NerdPyle has confirmed this statement in reply to that tweet.
SMB version 1.0 was superseded by versions 2.0, 2.1, 3.0, 3.02. 3.1.1 and introduced with Windows 10 and Windows Server 2016. Encryption was beefed up to support two AES 128-bit encryption standards, amongst others.
Not doom and gloom
Here are some other zombie blasts from the Internet’s past, protocols that should be hidden from the Internet, and bad security practices that IoT are resurrecting:
- Java RMI
- Weak / hard-coded / no passwords
- Not enabling MFA
- Not turning on encryption
- Out-of-date / unpatched software
- Not uninstalling unused software
“Patches exist, yet there are hundreds of thousands of machines running these internet protocols. Less is more when it comes to security. We always want to reduce the attack surface. Connecting millions of random unhardened open devices to the Internet is the opposite of security. There are vaccines against all these zombies, we just need to make manufacturers apply them,” Fennel concludes.