Tuesday, April 30, 2013

So much for Internet security!

It seems that Internet security often isn't.  MIT's Technology Review reports:

You probably haven’t heard of HD Moore, but up to a few weeks ago every Internet device in the world, perhaps including some in your own home, was contacted roughly three times a day by a stack of computers that sit overheating his spare room. “I have a lot of cooling equipment to make sure my house doesn’t catch on fire,” says Moore, who leads research at computer security company Rapid7. In February last year he decided to carry out a personal census of every device on the Internet as a hobby. “This is not my day job; it’s what I do for fun,” he says.

Moore has now put that fun on hold. “[It] drew quite a lot of complaints, hate mail, and calls from law enforcement,” he says. But the data collected has revealed some serious security problems, and exposed some vulnerable business and industrial systems of a kind used to control everything from traffic lights to power infrastructure.

. . .

Over 114,000 of those control connections were logged as being on the Internet with known security flaws. Many could be accessed using default passwords and 13,000 offered direct access through a command prompt without a password at all.

Those vulnerable accounts offer attackers significant opportunities, says Moore, including rebooting company servers and IT systems, accessing medical device logs and customer data, and even gaining access to industrial control systems at factories or power infrastructure.

. . .

Moore believes the security industry is overlooking some rather serious, and basic, security problems by focusing mostly on the computers used by company employees. “It became obvious to me that we’ve got some much bigger issues,” says Moore. “There [are] some fundamental problems with how we use the Internet today.” He wants to get more people working to patch up the backdoors that are putting companies at risk.

There's more at the link.

It's almost unbelievable to think that so many of the control mechanisms for networks society takes for granted - including power grids, water circulation, sewage disposal, railway control units, traffic control centers, and so on - use completely unsecured systems that anyone can access in this way.  Why terrorists haven't yet taken advantage of so elementary an error, I really don't know . . . but I'm profoundly grateful!

I think this might be a very good 'litmus test' to assess those in charge of our security establishment.  Never mind their (usually self-proclaimed) 'successes' in combating terrorism, or seizing drugs, or what have you - what have they done, and what are they doing, to secure the basic infrastructure on which our society depends?  If the answer's not satisfactory, then neither are they - and they should be replaced, at once if not sooner.



Matt said...

I've met HD a few times, he is a brilliant man. I know how horribly vulnerable systems actually are and to make it worse, I'm working with a bunch of folks who don't care about security at all. Lots of default passwords, they send root passwords around in email, etc.

Anonymous said...

Someone I overheard a few years ago was pondering this exact same thing. His best guess was that the terrorists' goals and worldviews simply didn't consider the logical conclusions of assymetrical warfare, instead focusing solely on the large, the bloody, and the destructive, rather than on infrastructure. That they perceived attacks on the image of a country as more valuable than attacks on the infrastructure. That which cripples people is worth more to them than that which cripples countries.

And frankly, considering how many vulnerable gas lines, electric conduits, water supplies, etc, are out there - not counting those which are vulnerable via internet - I must wonder if he had a point. I don't think they think that way.

PS to add: What the heck is "fegrical"? My word verification is "supplies fegrical," and I can't figure out if that's complimentary or derogatory to preppers.