Cyber security protection enters a new era
Watch for a backdoor cyber security assault. The Juniper Networks incident in December 2015 changed how industry looks at device security, because attackers are now exploiting weaknesses deliberately planted in software rather than accidental flaws. End users, integrators, and device manufacturers need to adapt and prepare for this new reality. Follow these cyber security steps.
A software engineer is trying to complete a major block of code, but his boss cut out a large section including some open-source routines downloaded from the Internet. Replacing those routines will add days to the project. He runs to his boss' office and pleads: "I need to use that software in the system."
"You can't use it. It's been compromised."
The engineer nods, having anticipated that reply. "Yes, it's open-source and came from the Web, but we've used it before. I also talked with the software engineers, and they will do a line-by-line review of the source and object code."
The boss looks up and glances at his award for years of service at an undisclosed location. "You can never be sure something isn't in there," he says.
That brief scene might sound like something from a suspense movie, but the situation could be very real given recent events in the cyber security community. Most people think of software as something that does what it is supposed to most of the time, and so they neglect the danger that can lurk inside it.
Software engineers trying to write code for devices and industrial systems want to avoid re-inventing the wheel. If someone has already written code to do a certain job, and it works, they don't want to write it again. They'd rather save time by downloading freeware and open-source code off the Web. Or, they could pick up existing code from earlier products with a proven track record. All of this gets cobbled together and loaded into a new device. As long as it does what it's supposed to, nobody needs to know or care where it came from.
This has been the working assumption for quite a while, but the landscape is changing. The cyber security world is becoming more confusing with nation-states, hacktivists, and cyber criminals making their presence known. Hackers and their efforts reflect a wide spectrum of skill levels. Some are clumsy and easy to spot. Others are more insidious and undetectable by all except the most sophisticated forensic cyber specialists.
While the engineer looking to streamline the project means well, his boss is correct: malicious or insecure code can lurk within such software. Sometimes it can be found and removed, but a recent cyber security breach proves that the threat can be very well camouflaged.
The Password is "<<< %s(un='%s') = %u"
Those of us old enough can remember hearing the "Password" game show announcer whispering the key word for viewers at home. Nobody would guess this one, but it deserves to be widely known, even by casual users, because it is changing the threat landscape.
In December 2015, Ars Technica published a stunning report: "On Dec. 17, Juniper Networks issued an urgent security advisory about 'unauthorized code' found within the operating system (OS) used by some of the company's NetScreen firewalls and secure service gateway (SSG) appliances. A patch was issued to the affected device OS, and forensic investigation determined the unauthorized code acted as a backdoor into the device" (see Figure 1).
What makes this stunning is the way the password was hidden. Forensic investigation determined that the string accepted as an administrator password, bypassing normal authentication, was "<<< %s(un='%s') = %u." To a security researcher this bit of gibberish is recognizable as a deliberate disguise: it uses printf-style placeholders (%s, %u) so that anyone scanning the firmware's string table, or reading the source, sees what looks like a debugging or test message rather than a credential. This suggests two conclusions:
- The unauthorized backdoor was put there intentionally.
- It was carefully designed to evade detection.
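The disguise also points at how such a string gets found. Public analysis of the ScreenOS images located the password by comparing the strings in the unpatched and patched firmware: the "debug message" that a security fix removed was the credential. The following is an added example (not Juniper's or any vendor's code) of that workflow in Python. The two "firmware images" are constructed byte blobs with a few embedded strings, the backdoor string is the real one quoted above, and everything else (the other strings, the filler bytes, the six-byte minimum) is an assumption for the illustration.

```python
import re
import string
from typing import Dict, List, Set

# Constructed stand-ins for an unpatched and a patched firmware image. Real images
# are megabytes of code; these blobs just embed a few strings between filler bytes
# so the extraction step has something to work on.
FILLER = b"\x00\x7f\x01\x02"


def _blob(literals: List[str]) -> bytes:
    out = bytearray()
    for s in literals:
        out += FILLER * 3 + s.encode("ascii") + b"\x00"
    return bytes(out)


# The second string of OLD_IMAGE is the real ScreenOS backdoor password quoted in
# the text; the other strings are made up for the example.
OLD_IMAGE = _blob([
    "auth failed for user %s",
    "<<< %s(un='%s') = %u",
    "ssh: login from %s",
])
NEW_IMAGE = _blob([
    "auth failed for user %s",
    "ssh: login from %s",
])

# Printable ASCII minus the whitespace control characters, as strings(1) treats it.
PRINTABLE = set(string.printable.encode("ascii")) - set(b"\t\n\r\x0b\x0c")


def extract_strings(blob: bytes, min_len: int = 6) -> Set[str]:
    """Return every run of at least min_len printable bytes, like the `strings` tool."""
    found: Set[str] = set()
    run = bytearray()
    for b in blob:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.add(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.add(run.decode("ascii"))
    return found


# A printf-style conversion specification: %s, %u, %08x, %-20s, %.2f and so on.
FORMAT_SPEC = re.compile(r"%[-+ #0]*\d*(?:\.\d+)?[diouxXeEfgGcsp]")


def looks_like_format_string(s: str) -> bool:
    """True if the string contains something a compiler would pass to printf."""
    return FORMAT_SPEC.search(s) is not None


def diff_strings(old: bytes, new: bytes, min_len: int = 6) -> Dict[str, List[str]]:
    """Strings present in only one of the two images."""
    before = extract_strings(old, min_len)
    after = extract_strings(new, min_len)
    return {
        "removed_in_new": sorted(before - after),
        "added_in_new": sorted(after - before),
    }


def suspicious_removals(old: bytes, new: bytes) -> List[str]:
    """Strings that the patch removed and that look like debug/format text.

    Genuine log and debug formats usually survive a security patch, so one that
    disappears is worth tracing: the code that referenced it is a candidate for
    a hard-coded credential comparison.
    """
    removed = diff_strings(old, new)["removed_in_new"]
    return [s for s in removed if looks_like_format_string(s)]


if __name__ == "__main__":
    for s in suspicious_removals(OLD_IMAGE, NEW_IMAGE):
        print("removed by patch, looks like a format string:", repr(s))
```

On a real image the candidate list is the starting point, not the answer: each hit still has to be traced in a disassembler to see whether it is passed to a printf-family function or compared against user input. The string diff is cheap enough to run on every vendor patch, which is the habit the Juniper case argues for.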
This is the beginning of a new era of cyber criminal threats. We are all used to the notion of attackers exploiting vulnerabilities caused by software flaws. It is a common tactic, and everyone is aware of it. Software patches are supposed to fix these flaws and address these vulnerabilities.
Now we seem to be moving into an era where vulnerabilities are built into software deliberately and then carefully hidden. Attackers aware of the hidden code's function can use such planted vulnerabilities when they like.
Naturally, some companies are taking this threat very seriously. Cisco, for example, undertook an effort to see if similar backdoors exist in its products and discovered that they do. Like Juniper, Cisco is developing patches to prevent breaches.
Fortinet has also acknowledged that a backdoor exists in a variety of its products. The hard-coded password has been characterized as a feature for remote management.
Other companies have not always been so quick to respond. Before Juniper, there was RuggedCom, which shipped a backdoor in products running its Rugged Operating System without informing purchasers. An outside researcher discovered it in 2011, but the company was reluctant to address the situation. This backdoor was also apparently installed deliberately.
Returning to the Juniper case, the advisory actually covered two separate pieces of unauthorized code. The first was the authentication bypass described above, which gave an attacker administrator access to the device and therefore to its configuration. The second was a change to the VPN code: Juniper initialized its random number generator (a Dual_EC_DRBG variant) with its own nonstandard parameters, and the unauthorized code swapped in a different constant, so that whoever knew the secret behind the substituted value could decrypt VPN traffic passively, without ever logging in to the device. There has been much speculation as to who did this, but the "why" question is easy to answer. A backdoor's purpose is to create an entrance to a network, or a window into the traffic that crosses it.
A door to the network
Network device vendors are targeted in this manner because their products are entry points to networks. Access to a router or gateway provides entry to an industrial or enterprise system. Network device security thus often proves to be the soft underbelly of many organizations' defensive strategies. The value of such a backdoor secretly placed in a device, hidden with normal-looking code, is huge, and the larger implications are frightening.
Many organizations view their network devices simply as infrastructure; specifically, waypoints in their information distribution systems. The thought of those switches and gateways being accessed in an undetectable way is truly disturbing. The larger and more alarming message is that much of the last 20 years of network security best practice rests on an assumption that no longer holds: that the network devices themselves can be trusted.
Best practices are no longer best
Why? Let's consider some examples of how this new network device threat will change security best practices:
- Using network switches to implement virtual local area network (VLAN) separation between industrial control and business networks is no longer adequate on its own. VLANs are enforced by the switch's own software, so an attacker with administrative access to the switch can re-tag or mirror ports at will; virtual separation is only as trustworthy as the device enforcing it. Where bridging the control and business networks would be serious, physical separation is back on the table, with all the communication problems that brings.
- Depending on VPN encryption as a magic bullet to protect confidentiality is no longer adequate. An organization will need to look at how deeply it depends on VPN tunnels as its "go to" solution for moving information across secured networks. A tunnel terminated on a device whose firmware may be backdoored cannot be assumed private, particularly for long-distance links within global organizations that cross networks the organization does not control.
- Assuming all is well with network device configuration isn't safe anymore. Many organizations follow a basic practice: if nobody touches a device, it has the same configuration it had before. That is no longer true. Companies will need to ramp up configuration control and auditing, comparing what a device is actually running against an approved baseline kept off the device, to account for the possibility of configurations being changed by unauthorized means.
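The third point is the most mechanical of the three and the easiest to start on. What follows is an added example (not the article's or any vendor's code) of a configuration drift audit in Python: it normalizes a device's running configuration, fingerprints it, and reports the exact lines that differ from the approved baseline. The two configurations are constructed for the example; their "set ..." syntax loosely imitates ScreenOS but is illustrative only, and the hostnames, user names and zone names are assumptions.

```python
import difflib
import hashlib
from typing import Dict, List

# Constructed baseline (what change control says the firewall should run) and a
# constructed dump pulled from the device. ScreenOS-like syntax is illustrative
# only; the audit itself is plain line-oriented text and vendor-agnostic.
BASELINE_CONFIG = """\
set hostname fw-plant-1
set admin user "ops" password "REDACTED" privilege "all"
set interface ethernet0/0 zone "Trust"
set interface ethernet0/1 zone "Untrust"
set vpn "plant-to-hq" gateway "hq-gw" sec-level compatible
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" deny
"""

CURRENT_CONFIG = """\
set hostname fw-plant-1
set admin user "ops" password "REDACTED" privilege "all"
set admin user "svc_backup" password "REDACTED" privilege "all"
set interface ethernet0/0 zone "Trust"
set interface ethernet0/1 zone "Untrust"
set vpn "plant-to-hq" gateway "hq-gw" sec-level basic
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" deny
"""


def normalize(config: str) -> List[str]:
    """Drop blank lines, full-line comments and trailing whitespace.

    Order is preserved on purpose: policy order is part of a firewall's meaning,
    so two configs with the same lines in a different order must not fingerprint
    the same.
    """
    lines: List[str] = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.strip() and not line.lstrip().startswith("#"):
            lines.append(line)
    return lines


def fingerprint(config: str) -> str:
    """SHA-256 over the normalized config; record this with the change ticket."""
    return hashlib.sha256("\n".join(normalize(config)).encode("utf-8")).hexdigest()


def audit(baseline: str, current: str) -> Dict[str, object]:
    """Compare a device's running config with its approved baseline.

    Returns whether anything drifted plus the exact lines added and removed,
    so an operator can tell an approved change from an unexplained one.
    """
    base, cur = normalize(baseline), normalize(current)
    drifted = fingerprint(baseline) != fingerprint(current)
    added: List[str] = []
    removed: List[str] = []
    for line in difflib.unified_diff(base, cur, lineterm="", n=0):
        if line.startswith(("---", "+++", "@@")):
            continue  # diff headers, not config lines
        if line.startswith("+"):
            added.append(line[1:])
        elif line.startswith("-"):
            removed.append(line[1:])
    return {"drifted": drifted, "added": added, "removed": removed}


if __name__ == "__main__":
    result = audit(BASELINE_CONFIG, CURRENT_CONFIG)
    print("drifted:", result["drifted"])
    for line in result["added"]:
        print("  + " + line)
    for line in result["removed"]:
        print("  - " + line)
```

Two practical notes. Pull the dump out of band (console or a dedicated management path) and keep the baseline hash somewhere the device cannot reach, so that the comparison does not depend on the device's own bookkeeping. And remember what the Juniper case adds: a device compromised at the administrative level can present a clean configuration, so the running config audit should sit beside a check of the installed firmware image against the hash the vendor published, not replace it.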
These are the obvious consequences, and more will emerge as the full effect of this situation is realized. With the Pandora's box of suspect code in networking devices now open, no one really knows how far the rethinking of cyber security will have to go. With this new reality in mind, there are some tips that end users, integrators, and device manufacturers, respectively, should follow.