We are now releasing videos of our sessions at this year’s CERIAS Symposium from late March.
We had a fascinating session with David Medine, chair of the PCLOB discussing privacy and government surveillance with Mark Rasch, currently the CPO for SAIC. If you are interested in the issues of security, counterterrorism, privacy, and/or government surveillance, you will probably find this interesting:
We are also making available videos of some of our other speakers — Amy Hess, Exec. Deputy Director of the FBI; George Kurtz, President & CEO of CrowdStrike; Josh Corman, CTO of Sonatype; and two of our other panel sessions: http://www.cerias.purdue.edu/site/symposium_video/
(You have to put up with my introductions of the speakers, but into every life a little rain must fall.)
That was the 15th Annual CERIAS Symposium. Planning for the 16th Symposium is underway for March 24 & 25, 2015: http://www.cerias.purdue.edu/site/symposium2015
A few weeks ago, I wrote a post entitled “Patching Is Not Security.” Among other elements, I described a bug in some Linksys routers that was not patched and was supporting the Moon worm.
Today, I received word that the same unpatched flaw in the router is being used to support DDOS attacks. These are not likely to be seen by the owners/operators of the routers because all the traffic involved is external to their networks — it is outbound from the router and is therefore “invisible” to most tools. About all they might see is some slowdown in their connectivity.
Here’s some of the details, courtesy of Brett Glass, the ISP operator who originally found the worm on some customer routers; I have replaced hostnames with VICTIM and ROUTER in his account:
Today, a user reported a slow connection and we tapped in with a packet sniffer to investigate. The user had a public, static IP on a Linksys E1000, with remote administration enabled on TCP port 8080. The router was directing SYN floods against several targets on the Telus network in Canada. For example:
10:00:44.544036 IP ROUTER.3070 > VICTIM.8080: Flags [S],
seq 3182338706, win 5680, options [mss 1420,sackOK,TS val 44990601 ecr 0,nop,scale 0], length 0
10:00:44.573042 IP ROUTER.3071 > VICTIM.8080: Flags [S],
seq 3180615688, win 5680, options [mss 1420,sackOK,TS val 44990603 ecr 0,nop,scale 0], length 0
10:00:44.575908 IP ROUTER.3077 > VICTIM.8080: Flags [S], se
q 3185404669, win 5680, options [mss 1420,sackOK,TS val 44990604 ecr 0,nop,scale 0], length 0
10:00:44.693528 IP ROUTER.3072 > VICTIM.8080: Flags [S],
seq 3188188011, win 5680, options [mss 1420,sackOK,TS val 44990616 ecr 0,nop,scale 0], length 0
10:00:44.713312 IP v ROUTER.3073 > VICTIM.http: Flags [S],
seq 3174550053, win 5680, options [mss 1420,sackOK,TS val 44990618 ecr 0,nop,scale 0], length 0
10:00:45.544854 IP ROUTER.3078 > VICTIM.http: Flags [S],
seq 3192591720, win 5680, options [mss 1420,sackOK,TS val 44990701 ecr 0,nop,scale 0], length 0
10:00:45.564454 IP ROUTER.3079 > VICTIM.http: Flags [S],
seq 3183453748, win 5680, options [mss 1420,sackOK,TS val 44990703 ecr 0,nop,scale 0], length 0
10:00:45.694227 IP ROUTER.3080 > VICTIM.http: Flags [S],
seq 3189966250, win 5680, options [mss 1420,sackOK,TS val 44990716 ecr 0,nop,scale 0], length 0
10:00:45.725956 IP ROUTER.3081 > VICTIM.8080: Flags [S], se
q 3184379372, win 5680, options [mss 1420,sackOK,TS val 44990719 ecr 0,nop,scale 0], length 0
10:00:45.983883 IP ROUTER.3074 > VICTIM.8080: Flags [S],
seq 3186948470, win 5680, options [mss 1420,sackOK,TS val 44990745 ecr 0,nop,scale 0], length 0
10:00:46.985034 IP ROUTER.3082 > VICTIM.http: Flags [S],
seq 3194003065, win 5680, options [mss 1420,sackOK,TS val 44990845 ecr 0,nop,scale 0], length 0
In short, the vulnerability used by the "Moon" worm is no longer being used just to experiment; it's being used to enlist routers in botnets and actively attack targets.
One interesting thing we found about this most recent exploit is that the DNS settings on the routers were permanently changed. The router was set to use domain name servers at the addresses
The "Moon" worm was completely ephemeral and did not change the contents of flash memory (either the configuration or the firmware). The exploit I found today changes at least the DNS settings.
Shame on Belkin for dragging their feet on getting a fix out to the public. But more to the point, this is yet another example why relying on patching to provide security is fundamentally a Bad Thing.
Over the past couple of months I’ve been giving an evolving talk on why we don’t yet have secure systems, despite over 50 years of work in the field. I first gave this at an NSF futures workshop, and will give it a few more times this summer and fall.
As I was last reviewing my notes, it occurred to me that many of the themes I’ve spoken about have been included in past posts here in the blog, and are things I’ve been talking about for nearly my entire career. It’s disappointing how little progress I’ve seen on so many fronts. The products on the market, and the “experts” who get paid big salaries to be corporate and government advisors and who get the excessive press coverage, also serve to depress.
My current thinking is to write a series of blog posts to summarize my thinking on this general topic. I’m not sure how many I’ll write, but I have a list of probable topics already in mind. They break out roughly into (in approximate order of presentation):
Each of these will be of moderate length, with some references and links to material to read. If you’re interested in a preview, I recommend looking at some of my recent talks archived on YouTube, some of my past blog posts here, and oral histories of various pioneers in the field of infosec done by the Babbage Institute (including, perhaps, my own).
I’ll start with the first posting sometime in the next few days, after I get a little more caught up from my vacation. But I thought I’d make this post, first, to solicit feedback on ideas that people might like me to add to the list.
My first post will be about the definition of security — and why part of the problem is that we can’t very well fix something that we can’t reliably define and thus obviously don’t completely understand.
I have long argued that the ability to patch something is not a security “feature” — whatever caused the need to patch is a failure. The only proper path to better security is to build the item so it doesn’t need patching — so the failure doesn’t occur, or has some built-in alternative protection.
This is, by the way, one of the reasons that open source is not “more secure” simply because the source is available for patching — the flaws are still there, and often the systems don’t get patched because they aren’t connected to any official patching and support regime. Others may be in locations or circumstances where they simply cannot be patched quickly — or perhaps not patched at all. That is also an argument against disclosure of some vulnerabilities unless they are known to be in play — if the vulnerability is disclosed but cannot be patched on critical systems, it simply endangers those systems. Heartbleed is an example of this, especially as it is being found in embedded systems that may not be easily patched.
But there is another problem with relying on patching — when the responsible parties are unable or unwilling to provide a patch, and that is especially the case when the vulnerability is being actively exploited.
In late January, a network worm was discovered that was exploiting a vulnerability in Linksys routers. The worm was reported to the vendor and some CERT teams. A group at the Internet Storm Center analyzed the worm, and named it TheMoon. They identified vulnerabilities in scripts associated with Linksys E-series and N-series routers that allowed the worm to propagate, and for the devices to be misused.
Linksys published instructions on their website to reduce the threat, but it is not a fix, according to reports from affected users — especially for those who want to use remote administration. At the time, a posting at Linksys claimed a firmware fix would be published “in the coming weeks."
Fast forward to today, three months later, and a fix has yet to be published, according to Brett Glass, the discoverer of the original worm.
Complicating the fix may be the fact that Belkin acquired Linksys. Belkin does not have a spotless reputation for customer relations; this certainly doesn’t help. I have been copied on several emails from Mr. Glass to personnel at Belkin, and none have received replies. It may well be that they have decided that it is not worth the cost of building, testing, and distributing a fix.
I have heard that some users are replacing their vulnerable systems with those by vendors who have greater responsiveness to their customers’ security concerns. However, this requires capital expenses, and not all customers are in a position to do this. Smaller users may prefer to continue to use their equipment despite the compromise (it doesn’t obviously endanger them — as yet), and naive users simply may not know about the problem (or believe it has been fixed).
At this point we have vulnerable systems, the vendor is not providing a fix, the vulnerability is being exploited and is widely known, and the system involved is in widespread use. Of what use is patching in such a circumstance? How is patching better than having properly designed and tested the product in the first place?
Of course, that isn’t the only question that comes to mind. For instance, who is responsible for fixing the situation — either by getting a patch out and installed, or replacing the vulnerable infrastructure? And who pays? Fixing problems is not free.
Ultimately, we all pay because we do not appropriately value security from the start. That conclusion can be drawn from incidents small (individual machine) to medium (e.g., the Target thefts) to very large (government-sponsored thefts). One wonders what it will take to change that? How do we patch peoples’ bad attitudes about security — or better yet, how do we build in a better attitude?
William Wyatt Starnes passed away unexpectedly on May 10th, 2014 at the age of 59. Wyatt was a serial entrepreneur, known for his work in computing — and especially cyber protection — as well as for his mentorship and public service.
Wyatt graduated from Ygnacio Valley High School in Concord, CA, in 1972, and then obtained an Associates Degree from the Control Data Institute. His first full-time job was at Data General, and he went on to hold technical positions with Monolithic Memories, Maruman Integrated Circuits, and then Megatest Corporation. While at Megatest, Wyatt moved into management, where he showed significant expertise, and was eventually promoted to VP of Sales and Marketing. He subsequently moved to Tokyo for several years as the President of Megatest Japan. Although the remainder of his career was in management positions, he continued to work in technology, and was named as inventor or co-inventor of a number of patents in later years.
Upon leaving Megatest, Wyatt moved to Portland, Oregon, where he lived for the rest of his life. In Portland, he worked for several firms before founding his own company, Eclipse Technologies, Inc., and then Infinite Pictures. During that time, he met Gene Kim (one of my former students). Wyatt then founded Visual Computing, Inc., with Gene. They had originally planned on producing an immersive MMORPG named “Piggyland.” (I still have some of the marketing literature for this!) It used some novel technology and a great deal of humor, but before it had progressed very far, a series of coincidences led them to start Tripwire Security Services as a subsidiary, to produce software to secure MMORPGs and similar games. In short order, it became clear that Tripwire was the real path to success, and they transformed Infinite Pictures and TSS into Tripwire, Inc.
Wyatt was the CEO of Tripwire from 1997 to 2004 (Gene was CTO). In 2004, after a bout with cancer weakened him and forced him to step down from managing Tripwire, Wyatt founded the first version of the company SignaCert, and served as its CEO for the next six years. In 2010, SignaCert was acquired by Harris Corporation, and Wyatt served as the VP of Advanced Concepts and CTO for Cyber until 2012, when he retired. (NB. SignaCert has since begun a “second life” after being sold by Harris.) Over his career, Wyatt also served on the boards of Swan Island Networks of Portland, Oregon; Comprehensive Intelligence Technology Training Corporation of Annapolis, Maryland; and Symbium Software of Ottawa, Ontario.
During his 15 year career as a leading executive in cyber security, Wyatt was a driven and passionate advocate for better security and better design. He spoke at industry and community events, and was asked to join several high-level government and industry advisory boards, including TechAmerica Foundation’s CLOUD2 Commission, NIST’s Visiting Committee on Advance Technologies (VCAT), and the Oregon Executive Council of the American Electronics Association (AeA), among others. In Portland, he was cofounder of the innovative RAINS network (Regional Alliances for Infrastructure and Network Security), a nonprofit public/private alliance (now defunct) formed to accelerate development, deployment and adoption of innovative technology for homeland security.
Wyatt was known for business acumen with a human touch — he cared about the people who worked for him, his customers, and the world around him. He made time for others when they needed it, and that is a rare quality in someone serving as a CEO. Although highly focused on his business duties, Wyatt was seemingly always willing to lend a smile, and listen to what others had to say. He was also known for his fondness for good wine and good humor.
As the designer of the original Tripwire and SignaCert offerings, I have known and worked with Wyatt for nearly 20 years. When he was undergoing treatment for his life-threatening condition in the mid-2000s, we had many conversations about the nature of existence and the future. Then, and throughout the time I knew him, Wyatt expressed a strong commitment to living in the present — to not put off things (including people) that might then be forgotten…and regretted.
Some people believe that exiting life with the largest bank account is success. Wyatt believed that making the world a better place was true success. He wrote in his LinkedIn profile under “Awards and Honors”
My reward comes from the special opportunity to do something important that (hopefully) leaves the world a better place.
And it is an honor to share what I have learned with others that aspire to create lasting contributions with their lives.
By those measures, he clearly was a huge success — his companies, his advocacy, his mentoring, and his friendship changed the lives of many, many people for the better. Wyatt Starnes will be greatly missed.
Some other media accounts of Wyatt’s passing: