Computerworld

Why it's important to defend against historical vulnerabilities

Recent malware on the International Space Station shows why it's crucial to maintain defences against vulnerabilities that are otherwise considered historical.

How do you justify maintaining a defence against historical vulnerabilities that should be well out of common circulation or not viable against a modern system?

Just last week, an infected system on the International Space Station (ISS) demonstrated the importance of maintaining such a posture: it was infected with a worm that was more than a year old.

Somewhat surprisingly, it seems that there are a number of systems related to the ISS that do not have any antivirus protection, despite this not being the first time that computer malware has gone into orbit.

Because of a general lack of direct network connectivity between the ISS and the ground, it is suspected that an infected thumb drive or other infected system was introduced with new supplies or crew.

Suggested improvements include sending up an update disk with each resupply mission, allowing for updates to be applied to whichever antivirus solutions are being run in space, and to make sure that viable antimalware solutions are actually there in the first place.

Sometimes the past comes creeping up on you without a lot of warning, bringing back malware and distribution methods that have otherwise gone out of favour.

As USB thumb drives gained more widespread acceptance, the dreaded autorun-type viruses and worms made a bit of a resurgence, because thumb drives rely upon autorun when they are initially connected to a system. Since they can be written to and copied from more easily than optical media, and since they turn up almost anywhere, they are a more attractive carrier than infected CDs. With FAT as the primary filesystem not only on many thumb drives but also on many digital memory cards, other FAT-related malware has also gained a new lease of life.
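The autorun mechanism described above is the natural place for a defender to add a check before removable media reaches an isolated system such as the ones on the ISS. The script below is an added example, not code from the article: it parses an autorun.inf file tolerantly (skipping the junk padding some worms inserted), flags the directives that would cause a program to run, and applies two heuristics for social-engineering tricks that autorun worms of that era commonly used. The sample files, the file name `example_worm.exe` and the heuristics are this example's own constructions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Directives in the [autorun] section that make Windows run a program when
# the volume is inserted (open, shellexecute) or when an Explorer context-menu
# verb is chosen (shell\<verb>\command).
LAUNCH_DIRECTIVES = ("open", "shellexecute")
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")


@dataclass
class Finding:
    key: str
    value: str
    reason: str


def parse_autorun(text: str) -> Dict[str, str]:
    """Tolerant parser for autorun.inf.

    Only the [autorun] section matters. Lines without '=' (including the
    binary padding some worms inserted to confuse naive scanners) are ignored,
    keys are lowercased, and the first occurrence of a key wins. That last
    choice is this example's simplification, not documented Windows behaviour.
    """
    directives: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        section = re.match(r"^\[([^\]]*)\]$", line)
        if section:
            in_autorun = section.group(1).strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key and key not in directives:
            directives[key] = value.strip()
    return directives


def inspect_autorun(text: str) -> List[Finding]:
    """Return the directives a removable-media quarantine check should flag."""
    findings: List[Finding] = []
    for key, value in parse_autorun(text).items():
        if key in LAUNCH_DIRECTIVES or SHELL_COMMAND_RE.match(key):
            findings.append(Finding(key, value, "launches a program from the volume"))
        elif key == "action" and value.lower().startswith("open folder"):
            # Heuristic: worms copied the wording of the stock AutoPlay entry so
            # the malicious choice looked like the harmless default.
            findings.append(Finding(key, value, "mimics the default AutoPlay prompt"))
        elif key == "icon" and "shell32.dll" in value.lower():
            # Heuristic: borrowing a system icon makes the drive look like a
            # plain folder rather than something that runs code.
            findings.append(Finding(key, value, "borrows a system icon to look like a folder"))
    return findings


# Constructed samples; the worm file name is a placeholder, not a real IoC.
BENIGN_SAMPLE = r"""[autorun]
icon=setup.ico
label=Vendor Driver Disc
"""

SUSPICIOUS_SAMPLE = r"""[AutoRun]
;junk padding of the kind some worms used to defeat simple parsers
xx%%##==@@
open=RECYCLER\example_worm.exe
shell\open\command=RECYCLER\example_worm.exe -autorun
action=Open folder to view files
icon=%SystemRoot%\system32\shell32.dll,4
"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(f"{name}:")
        for f in inspect_autorun(sample):
            print(f"  {f.key}={f.value!r}: {f.reason}")
```

Run against a mounted volume, the check would read `autorun.inf` from the drive root and refuse or quarantine media that produce any finding; the parser deliberately tolerates malformed input because the files worms wrote were rarely clean.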

In other cases, it isn't so much the past creeping up as it is a historical design decision that has current security implications. Network infrastructure and protocol issues seem to be the threat du jour at the moment, with Kaminsky's DNS vulnerability disclosure, and now a BGP weakness disclosed at DefCon gaining a lot of attention.

If the security of the core setup of the Internet is being called into question then perhaps the next target should be the Tier 1 peering agreements which can be arbitrarily terminated by one side or another. In terms of the everyday use of the Internet, this is more disruptive than pretty much any of the other vulnerabilities being discussed (though the DNS vulnerability is being actively attacked).


Both of these recent vulnerability disclosures are somewhat intriguing, as those who understand and who have worked with the underlying technologies knew there were inherent risks associated with their use and regard those vulnerabilities to mostly be design decisions. Successful exploitation requires the right circumstances where these design decisions become design errors, or it can be errors in implementation that allow for attack at any time.

Trust has been placed in the system so that those responsible for managing these resources aren't going to exploit that trust, and the barrier to entry for new people to gain that trust is high enough that few individuals or companies can make it across. There are methods to work around these barriers, with the DNS issue demonstrating that the barrier to entry for that particular vulnerability is quite low. So far, the barrier to the BGP vulnerability is still quite high but it gets weaker by the day.

When Pakistan took over the routing for YouTube earlier this year, it should have been the wake-up call for everyone who didn't completely understand the potential problems with BGP routing. Perhaps this is the incident people need in order to understand that the Internet really isn't the sort of place to be putting or transmitting information that is sensitive. This doesn't just mean sending files or content from one place to another; it also includes proper encryption for emails - and no, SSL to the server doesn't count for much.

An effective Information Security defence requires accounting not only for current and potential future attacks, but also for historical attacks and weaknesses. With the US Government announcing a two-year window for secure DNS lookups to be deployed, these historical decisions - now current vulnerabilities - are going to be a problem for some time to come.