Security Roundup – January 22, 2016


The Morris Worm

This week marks 26 years since the conviction of Robert Tappan Morris for releasing the first widely-reported computer worm. The “Morris Worm” (or, in those simpler days, just the “Internet Worm”) was supposed to silently replicate across and map the 60000 or so hosts then making up the pre-WWW internet.

Due to some poor design decisions, Morris’ brainchild became instead the internet’s first widespread denial of service attack. The event led to the first conviction under the Computer Fraud and Abuse Act, the creation of the Computer Emergency Response Team (CERT) – and, of course, folk songs.

One of the requirements for the Morris Worm to spread? Weak and easily guessable passwords. Good thing that’s no longer the case, right?

Storm Jonas got you snowed in? Throw a brick of punch cards on the fire and settle back for a quick review of the security issues we’ve been following this week.

Weakening Encryption

The sides are choosing up in the currently-raging encryption backdoor debate. Despite encryption playing little or no role in the recent Paris and San Bernardino attacks, that hasn’t stopped state lawmakers from submitting bills in both New York and California calling for backdoors in devices sold therein. Presidential candidates have weighed in on the subject, and Randall Stephenson, CEO of AT&T, declared that the best position for technology companies was, at best, supine.

However, it’s by no means a one-sided conversation. Stephenson was replying to strong pushback against government-imposed backdoors by Tim Cook of Apple (and a host of others), while the digital affairs minister of France blocked similar efforts, stating that weakening encryption “is not the right solution”. Even Admiral Mike Rogers said arguments for breaking encryption are “a waste of time to me” – and he’s head of a little talking shop called the National Security Agency.

STATUS: Well, you should know where we stand by now – with the forces of reality and math. Lest we forget, the Juniper Networks cluster-fiesta (which we wrote about at length last week) was a direct result of multiple (bad) decisions allowing backdoors in ScreenOS software. Magical thinking is fun, but don’t build your security on it.

This Week’s Hardcoded Backdoor News

Only a month after Juniper’s disclosure, hard-coded SSH passwords have been discovered in devices sold by security company Fortinet. These appear to have been in place since at least 2014, allow unauthorized access to a plethora of Fortinet products, and are described by that company, not as a “root backdoor that totally owns your box”, but as a “management authentication issue”.

Meanwhile, audiovisual devices from vendor AMX – used by clients from Lord’s Cricket Ground to the US military – turn out to have backdoor accounts created by folks who sure like their comic book heroes. As reported (entertainingly) by researchers at SEC Consult, the first mystery account discovered allowed access to a user named “Black Widow”. After much exchanging of emails, AMX replaced the username with another – “1MB@tMaN” – but left the account (and the associated security hole) in place.

STATUS: If you happen to be running Fortinet hardware, you’ll want to patch your firmware immediately – the good folks at the Internet Storm Center report a strong uptick in scanning for vulnerable devices (mostly from two IP addresses in China). Similarly, patch any AMX devices you’re using to get rid of that *cough* “debugging account”.

Mass Surveillance Declared Actually Illegal

Finally, British tech site The Register reports on a case decided by the European Court of Human Rights with big implications across that continent. Szabó and Vissy v. Hungary (warning: legalese) sharply narrowed the scope of a broadly-written Hungarian surveillance law to require a case-by-case determination “whether sufficient reasons for intercepting a specific individual’s communications exist”. The European Convention on Human Rights includes a specific right to privacy, and wide nets which scoop up internet data for later parsing tend to violate this – so they’re now illegal.

This is, of course, only applicable to Europe, but throws an axle-breaking stump in the path of surveillance laws the current UK government would dearly like to adopt. As El Reg notes, Parliament can pass any laws it chooses, but the proposals now on tap would immediately be challenged – and successfully – in Europe’s human rights courts.

STATUS: We do try to end on the upswing. Let’s just note a small victory for sanity in a faraway place to kick off our weekend, shall we?

As always, we appreciate your reading the Security Roundup, and remind you what we truly believe – a safer internet is a better internet.

Image by Go Card USA from Boston, USA – Museum of Science – Morris Internet Worm, CC BY-SA 2.0