TORONTO --- The vulnerabilities of the past are consistently haunting some enterprises, according to a penetration tester who explained Tuesday that enterprise IT security teams often know about persistent weaknesses and system configuration issues but are doing little to correct them.
"There's been a whole lot of gaps out there in how we defend systems, and they've just remained in place," said Jamie Gamble, a senior security consultant at Denver-based Accuvant Labs. "We are ignorant as an industry. We still have ignorance toward a lot of things in security."
In his presentation at the SecTor security conference, "The More Things Change: The Vulnerabilities that Time Forgot," Gamble summed up longstanding weaknesses in Windows and Unix systems that continue to go unaddressed at many firms. Security researchers Dan Farmer and Wietse Venema authored a 1992 paper that challenged conventional thinking, prompting network analysis and some of the first penetration tests. The paper described attack techniques that are still relevant today, he said.
Network segmentation issues, such as poorly configured VLANs, contribute to a continuing pattern of holes that can be targeted with attack tools and techniques built more than a decade ago, Gamble said. Many VLANs are not configured to support proper role-based access control, or RBAC.
"We've seen improvements in system architecture, but VLANs are not being implemented from a security perspective; they're being implemented with a functional perspective," Gamble said. "Even though network segmentation works, it's still very difficult to put it in place."
System-to-system trust has also opened persistent weaknesses, Gamble said. It started with rlogin, which allows the user of one system to log into another system without a password. An old technique still used by pentesters is to target the rlogin trust file, exploiting it so that anyone can log in without a password. SSH was added to improve security, but it has actually done very little to correct the trust weaknesses, he said. A lot of organizations fail to protect their SSH keys with a passphrase. "It's encrypted," he added, "but it doesn't matter."
Weak, poorly protected and mishandled passwords are also a common way in, according to Gamble. Unix-based systems that use NIS for network authentication may be configured in a way that exposes the user directory's password list to an attacker. Using the Lightweight Directory Access Protocol (LDAP) is not necessarily better: an attacker can attempt to root the box and, if successful, pull LDAP passwords out of memory, according to Gamble. It is easy to do as long as you can compile on the system, he said. Even if shadow password files are being used to hide distributed passwords from users, they can be cracked easily, he said.
Security researchers say man-in-the-middle (MitM) attacks are also commonly used by cybercriminals. Tools have gotten better at automating the process, but the technique was known and available before the modern Internet was invented, Gamble said. The attack is very successful today because people often accept connections that have bad certificates, he said. There are many programs designed to create a MitM condition, strip the encryption and start stealing credentials.
"Most mitigations in place haven't worked at all," he said. "This stuff has been made so easy that anyone can do it."
Local Unix issues are also a major problem enterprises commonly don't address. "You can do great things with configuring Unix, but if you want to get practical about how it's being set up in big companies, you've got big problems," Gamble said.
Basic techniques designed in 1992 to target Unix configuration issues are still in use today. Insecure cron jobs or tasks and loosely specified privileges in the sudoers file can also lead to information exposure. Some firms configure read/write access on everything in the home directory. As a result, Gamble said, getting elevated privileges on a Unix box is pretty easy if the attacker has access to it.
Local Unix configuration issues are not being tested for and detected. Some weaknesses, such as Address Resolution Protocol (ARP) poisoning, a network attack, are expensive to fix. Organizations can begin by teaching Unix administrators proper security and proactive auditing, not only to look for weaknesses but to address them.
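What that proactive audit can look like for the local weaknesses the talk lists (rlogin trust files, SSH keys without a passphrase, writable cron entries, broad sudoers rules and world-writable home directories), as an added example written for this page rather than code from Gamble, Accuvant or SecTor: a read-only POSIX shell script that walks a filesystem root and prints one FINDING per issue. The file locations it checks and the choice of "NOPASSWD: ALL" as the sudoers threshold are assumptions, and the sample tree it builds is constructed, not taken from any host.

```shell
#!/bin/sh
# Read-only audit for the legacy weaknesses named in the talk. Takes a root to scan
# ("/" on a real host, or the constructed fixture below) and prints one FINDING per issue.
world_writable() { [ "$(ls -ld "$1" | cut -c9)" = w ]; }   # 'w' in the "other" column
key_has_no_passphrase() {
  if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$1"; then
    # openssh-key-v1 layout: magic, NUL, 4-byte length, cipher name; "none" = unencrypted
    sed '/^-----/d' "$1" | base64 -d 2>/dev/null | head -c 32 |
      tr -c '[:print:]' '.' | grep -q 'openssh-key-v1.\{5\}none'
  else
    ! grep -q 'Proc-Type: 4,ENCRYPTED' "$1"   # PEM keys mark encryption in this header
  fi
}
check_rlogin_trust() {   # every non-comment entry is a password-less login; '+' trusts everyone
  for f in "$1"/etc/hosts.equiv "$1"/root/.rhosts "$1"/home/*/.rhosts; do
    [ -f "$f" ] || continue
    grep -HnEv '^[[:space:]]*(#|$)' "$f" | sed 's/^/FINDING: rlogin trust entry /'
  done; return 0
}
check_ssh_keys() {
  for k in "$1"/root/.ssh/id_* "$1"/home/*/.ssh/id_*; do
    [ -f "$k" ] || continue; case $k in *.pub) continue ;; esac
    if key_has_no_passphrase "$k"; then echo "FINDING: SSH key without passphrase: $k"; fi
  done; return 0
}
check_local_privilege() {
  for f in "$1"/etc/cron.d/* "$1"/etc/cron.daily/* "$1"/etc/cron.hourly/*; do
    if [ -f "$f" ] && world_writable "$f"; then echo "FINDING: world-writable cron entry: $f"; fi
  done
  # NOPASSWD on ALL commands is taken as the "broad privilege" threshold (an assumption)
  grep -Hn 'NOPASSWD:[[:space:]]*ALL' "$1"/etc/sudoers "$1"/etc/sudoers.d/* 2>/dev/null |
    sed 's/^/FINDING: broad sudoers rule /'
  for h in "$1"/home/*; do
    if [ -d "$h" ] && world_writable "$h"; then echo "FINDING: world-writable home: $h"; fi
  done; return 0
}
audit_root() { check_rlogin_trust "$1"; check_ssh_keys "$1"; check_local_privilege "$1"; }
make_fixture() {   # constructed sample tree (not data from any real host) showing each issue
  r=$1; mkdir -p "$r/etc/cron.d" "$r/etc/sudoers.d" "$r/home/alice/.ssh" "$r/home/bob/.ssh" "$r/home/carol/.ssh"
  printf '+ +\n' > "$r/etc/hosts.equiv"; printf '# comment\nbuild01 jenkins\n' > "$r/home/alice/.rhosts"
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' AAAA '-----END RSA PRIVATE KEY-----' > "$r/home/alice/.ssh/id_rsa"
  { printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----'; printf 'openssh-key-v1\0\0\0\0\4none\0\0\0\4none' | base64
    printf '%s\n' '-----END OPENSSH PRIVATE KEY-----'; } > "$r/home/bob/.ssh/id_ed25519"   # cipher "none"
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' AAAA '-----END RSA PRIVATE KEY-----' > "$r/home/carol/.ssh/id_rsa"
  printf 'ops ALL=(ALL) NOPASSWD: ALL\n' > "$r/etc/sudoers.d/ops"
  printf '0 2 * * * root /opt/backup.sh\n' > "$r/etc/cron.d/backup"; chmod 666 "$r/etc/cron.d/backup"
  chmod 777 "$r/home/bob"; chmod 755 "$r/home/alice" "$r/home/carol"
}
if [ "$#" -gt 0 ]; then audit_root "$1"; fi   # usage: sh audit.sh /
```

Run against the fixture it reports seven findings; against a real host the same checks are a starting point, not a complete hardening baseline.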