Older application vulnerabilities and long-standing configuration weaknesses are repeatedly haunting organizations, according to penetration testers and security experts, who say the issues are either being ignored or are long forgotten.
Systems configured with open ports for remote access, easily discoverable application vulnerabilities, and holes in rarely used server components are just a few of the attack vectors that are coveted by penetration testers to gain access into corporate networks. The common issues are well known by white hat hackers and cybercriminals alike, and often lead to embarrassing, high-profile data breaches, says H.D. Moore, CTO of Rapid7 and creator of the Metasploit penetration testing platform.
“If you look at how far we’ve come over the last 25 to 30 years of doing Internet security, we’re still using unencrypted management protocols for the most part,” Moore says.
Since May, Moore has been probing the Internet, scanning for transmission control protocol (TCP) and user datagram protocol (UDP) services, the Internet communication protocols used by a wide variety of devices, applications and servers. During his probe, he found that Port 8080, an alternative communications channel used by Web services, had a lot of application framework admin interfaces and device admin interfaces exposed to the Internet. Proxy gateways, admin interfaces for embedded devices and a lot of network-attached storage (NAS) admin interfaces were all exposed, says Moore, who spoke about the issues he identified at the recent DerbyCon security conference in Louisville, Ky.
“When new vulnerabilities come out, it’s very fun to watch a small subset of the population patch immediately, and then you see a small section of the populous never patching at all,” Moore says.
Moore discovered over 1,000 clear text passwords exposed to the Internet—passwords that enable anyone to access secure shell servers, databases and retail applications. More than 1.5 million MySQL database management systems were exposed to brute-force password attacks or had default passwords, ripe for any attacker. In all, over 43 million devices were detected that exposed the popular simple network management protocol (SNMP), which provided easy access to routers, addresses and listening ports.
“It’s amazing that something as easy as SNMP, which a lot of vendors will enable on an otherwise totally locked down, patched system, will expose clear text passwords to other servers because you don’t have the services configured properly and no one ever took that into account,” Moore says.
Misconfigured VPNs, poorly deployed encryption and weak and mishandled passwords can be found at just about any firm, says Jamie Gamble, a senior security consultant at Denver-based security firm Accuvant Labs, and who spoke at the SecTor security conference in Toronto, where he discussed the vulnerabilities he commonly exploits during tests with his clients. Gamble, who focuses his time and research into Unix systems, says companies often neglect them because they consider Windows errors a bigger threat.
“I’m using many of the same ways [exploits] that were used in the 1990s,” Gamble says. “Some of the early papers on exploitation can still easily be applied in today’s environments.”
Unix-based systems that provide network authentication could have been configured years ago and easily left with settings that expose a list of user directory passwords to an attacker, Gamble says. Lightweight Directory Access Protocol (LDAP) passwords can often be pulled from regions of memory in a rooted Solaris machine. Even shell password files can be easily cracked.
Network switches are often susceptible to man-in-the-middle attacks. Network auditing and pen testing sniffer tools have automated the process of carrying out a man-in-the-middle attack, Gamble says.
“This stuff has been made to be so easy that anyone can do it,” Gamble says. “We now have the automated tools to attack networks with fundamental flaws.”
Grayson Lenik, a security consultant at Chicago-based security firm Trustwave, says he often sees e-commerce companies compromised and thousands of credit cards stolen because of a simple coding error that is vulnerable to a SQL injection attack. Remote file inclusion and directory traversal, both old-style attacks, are also very common, Lenik says. A crafty SQL injection attack, combined with other exploits, can pull out large sums of data, helping cybercriminals get past firewalls, pull up a shell and execute code on a remote server.
“Back-end databases have gotten much more powerful and storage is cheaper, but SQL injection is one thing that hasn’t changed,” Lenik says. “We figured out how to stop much of this in 2000, but I still see it regularly.”
Robert Westervelt is news director of TechTarget’s Security Media Group and SearchSecurity.com. Send comments on this article to firstname.lastname@example.org