Security expert Paul Vixie said the world's wealth is at greater risk today than ever before, thanks to the unprecedented level of threats looming over enterprises, governments and consumers alike.
As reports of ransomware and other novel attack vectors continue to accelerate, so too do reports of alarming new -- and persistent -- software vulnerabilities. Vixie, CEO of Farsight Security Inc., in San Mateo, Calif., and architect of domain name system (DNS) protocol extensions and applications, said the changing landscape of Internet crime and vulnerabilities such as the recent glibc bug have given cybercriminals and threat actors a leg up, while enterprises struggle to adequately patch their systems for even the most notorious threats.
Vixie sat down with SearchSecurity at RSA 2016 in March to talk about Internet crime, as well as the effect of pervasive and lingering software vulnerabilities. This is the first part of the conversation.
You've said the openness of the Internet is poisoning us.
Paul Vixie: Yes. I focused quite a bit on doom and gloom in recent years, and it's making a lot of money for a lot of people, but a lot of those people are criminals.
Can you say more about that?
Vixie: So, when criminals receive money, it's not because they created wealth. It's because they stole something or extorted it, or found a way to transfer wealth. And, historically, when that happens at the country level, we see that as usually some country attempting to have its businesses, its people [and] its economy profit at the expense of another.
And when I was a kid, I grew up in this town, the way the little old lady could get her money stolen was by a mugger who would run down the street and snatch the purse as he went by. And those muggers had a problem that today's muggers don't have, which is they had to put their body on the scene of the crime. They had to take the risk they'd be seen, or stopped or identified. And today, that isn't happening.
Today, any random criminal anywhere on the Internet can try to get that little old lady's money by infecting her computer with malware or some sort of drive-by infection, or some kind of an extortion. It's similar to a lot of people stealing money from senior citizens by telephone fraud, calling them up and claiming that they owe money, but they don't and so on.
But here, we're seeing that the vast scale of the Internet means that anyone in some non-First World country -- so talking secondary and tertiary economies, with a $10 laptop -- can attack victims anywhere. And I'm not in favor of this. I think that the Internet has created a lot of wealth; it's given a lot of productive people ways to create a lot of wealth, but it has, unfortunately, also put the world's wealth more at risk to criminals than it has ever been in the history of humanity.
What about the glibc bug? We've heard about this thing and we were told, 'Don't worry too much, we'll fix it,' or 'It is fixed, we patched it and everything looked good.' Then, last week, we heard, 'Well, no, now it's really bad because it's poisoned some cache site.' So, glibc, what's going on with that?
Vixie: Glibc is an extraordinarily popular piece of open source software. It is incorporated in almost everything, so if it was a smart TV, or a smartphone or whatever, it's probably got some version of glibc in there. This bug is relatively difficult to exploit, like most bugs -- for example, Shellshock and ... Heartbleed -- [that] rely on sending things through the network that will expose its vulnerability in the code path, generally by sending more data than the receiver is waiting for, and the receiver will naively just keep receiving and potentially overwriting nearby data. And then, that more or less gives the attacker the ability to set up the data inside the receiver the way they want it to be.
Normally, it involves injecting some code so that when the receiver wants to go back to the application, it ends up executing code that belongs to the attacker instead of to the application.
The glibc bug is really difficult to exploit -- it's a complicated dance. You, as an attacker, have to get it to do a retry to a certain buffer size, and then you have to carefully set up the data you send on the second transaction to overwrite the various application data. And it was originally thought that this might be impossible to exploit, unless you can intercept traffic between the glibc client and its recursive name server. That's a relatively difficult path to exploit: Putting yourself between somebody and the recursive name server is hard. But, inevitably, some really smart people have slept not at all since this announcement was made, and have tried every trick they could think of and then thought of new ones in order to find some way that you could exploit this without being on the path between a victim and its recursive server.
And I've heard that there is now a way to force this to be done. It's still relatively difficult to exploit, but it's good because you have to force the client to do a lookup of a name, where the name is under control of the attacker. If you imagine a mail server sending email to someone, that mail server is probably going to do a lookup of whatever name it is that you put in your From header. And that would be an example of how the attacker can cause the victim to make a lookup of a name under control of the attacker.
But, of course, most things running glibc are small, embedded devices. They don't do very many DNS lookups in the first place, and they definitely don't do a lookup on something like mail. If it's this recorder [pointing to audio recorder], for example, [it] probably has glibc in it, but no one is going to send it email, and that's going to be very difficult to get that thing to make a query of a name that's under control of the attacker.
So, it's a bad problem. It's not as bad as other problems that we've chosen to live with. So, right now, it's getting headlines, but I predict that in a few months, it will be right up there with Conficker, and Heartbleed, and Shellshock and so forth, that have extremely long tails, [also] the original Kaminsky flaw that was found in 2008 ... There are millions of servers that have not turned on source-port randomization -- or they turned it on, but they were behind NAT [Network Address Translation] boxes, which then turned it back off for them ... Basically, what's happening is that we're setting our hair on fire because it is convenient for us to do so, and then, shortly, we will become bored and look for some new reason to set our hair on fire.
Has this been seen in the wild by anyone?
Vixie: I have seen no reports of this being seen in the wild.
OK, do you anticipate that someday we will see it exploited?
Vixie: Yeah, I do. But again, you have to divide your victim pool into people who know that they are running software at all and are planning to update it ever, versus those [who] either don't know, or 'Yeah, I know it's got software in there somewhere, but I'm not planning on updating that TV, for example.' And most of the infectable, most of the vulnerable clients are the second classification. So, it's good that we get really excited about this, and that we fix it and try and raise awareness, but, ultimately, it's going to fade in the background, and the problem will just be out there forever like all the other ones.
Is there a solution to it, or is it just a nuisance that we have to live with?
Vixie: There is a solution for the small set of devices that are managed. If you're patching your device, you're going to end up patching it to not be vulnerable to this. And so pretty much for most of us who actually care, we will be protected by natural updates that we would have done anyway, just keeping our software up to date, or if it is a short-lived device ... I do know that iPhones are only kept for a year or two, then people trade them in. And so Apple's devices get a lot of software updates over the air, and then they get replaced. So that segment of the population is going to be made safe, just because they were going to get updated no matter what. And the rest of the population of vulnerable nodes will never get updated. And what we can hope is that I don't own anything like that, and that the friends that I exchange email with and might have copies of my personal information, like the letters I've sent them, will themselves not be broken into using this vulnerability, right? But it is the last category of third-party or proxy vulnerability that should concern us.
Recently, we've seen stories about devices that have bugs or vulnerabilities or exploits, or the design has been insufficient to keep everything safe. So, if my router or even my consumer devices are vulnerable, do consumers need to be getting the word that they've got to take note of security?
Vixie: I think so. Consumers don't really want to listen to their government tell them how to be safe. They tend not to want to listen to their vendors about how to be safe, but they will certainly jump onto a whole bunch of online Web forums and listen to each other talk about how to be safe.
So, you have the quality of your average home gateway, whether it's a DSL modem, cable modem, Wi-Fi gateway, whatever, these small plastic boxes ... are crap, and the software on them was years old even before they bought the device … the best thing that can happen to the rest of us is if those devices would rot out, if somehow they would get UV poisoning, or dust poisoning or something, so that you'd have to go buy a new one from time to time -- because if the whole economy is exposed to certain defects, then that means that the whole economy is capable of participating in attacks against you.
So, there are certain devices that are updatable, that [to do] the factory update, they've got a button you press, and it downloads a new image and it reboots itself -- kind of like we're used to doing on our PCs and phones. And what I'm hoping is that those devices become more popular and people start to say, 'Oh man, if you're using a whatever the certain manufacturer that has this model number, you're screwed and you're wide open to the Internet. There's all kinds of terrible things that can happen to you. You should get one like this or one like that.'
I know that the Apple AirPort has a very good reputation for being both secure and frequently updated by Apple. So, hopefully, with greater emphasis on sort of government-proofing things and criminal-proofing things, we'll start to see some competitive advantage from things based on security that's never been true before, when consumers did not use to care if one device was more secure than another; what they cared about was feature level and price. But that's going to shift a little bit as we get more and more of these attacks. If companies could sell more, make more money or hold a higher profit margin simply by earning a reputation for being more secure, then that would be a market force I would welcome.
On the consumer side, I see that, but what about enterprise side? What are the enterprises doing wrong, what should they be doing, should they be looking at spending more on their devices?
Vixie: So, enterprises are the real drivers of the economy, certainly the tech economy. But if you think about your average midlevel executive attending the RSA show, if they have a per diem, they could spend a certain amount of money on food and then charge that to the company. That may be the difference between a $3 cup of coffee and $4 cup of coffee -- [it] doesn't matter to them and there's a huge amount of that type of thinking throughout enterprise. You just can't get people to make the same types of high-sensitivity decisions at work that they would make if the money was their own.
So, what that means is when I moved into an office building in Redwood City, [Calif.] in, I guess, 1996, we had to pull ... about two miles of old-style, 25-pair telephone cable out from the old key system, the ones with five buttons across the bottom. So, this weighed as much as a pickup truck, and it was just all sitting in the building. And it's a bunch of stranded copper, where the copper that was inside all this wire probably had a value to somebody if they could figure out a way to get rid of the insulation, but there it just sat because the last person who had rented the building, yeah, they didn't have a system like that. They didn't care that that wire was sitting there, or they didn't have a system like that or they didn't care that it was 25 years old. ...
There have been a number of researchers who've scanned the whole Internet looking for things that are open to the Internet that shouldn't be, just trying to telnet to every possible address to see what you get. And then, if you get something back, then maybe you can tell by the banner that it prints what it is, what kind of device. And there was an awful lot of stuff, thousands of things that if you logged in and had no password, or still had the factory password, you could log in and see exactly what was going on inside of some industrial system -- that certainly in these days of international terrorism, we would not like those things to be misused. But again, things at the enterprise level and things at the consumer level are going to be exactly as bad as they can be. We're going to optimize for cost, then we're going to solve the problems we have, or resolve the problems we know we have, we're not going to go look for trouble for the most part.
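The overflow pattern Vixie describes in the glibc discussion above (a receiver that reads a reply into a small buffer, retries with a larger one when the reply is bigger, and gets the bookkeeping wrong in between) can be made concrete with a small C model. The code below is an added example written for this page; it is not glibc's code and not anything Vixie or the interviewer supplied. It assumes a reply format of a 2-byte big-endian length prefix followed by the payload (as DNS over TCP uses), and the buffer sizes are arbitrary choices for illustration. The point it makes is the defensive one: the buffer pointer and the capacity that bounds the copy must always travel together, and a reply that announces more bytes than were actually delivered is rejected rather than trusted.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not glibc code. Sizes are assumptions for illustration. */
#define SMALL_BUF 64      /* first-try buffer, as a stack buffer would be */
#define MAX_REPLY 65535   /* largest length a 2-byte prefix can announce */

typedef struct {
    unsigned char *data;  /* where the payload ended up */
    size_t len;           /* payload bytes actually copied */
    int heap;             /* 1 if data must be free()d by the caller */
    int err;              /* nonzero if the reply was rejected */
} reply_t;

/* Decode the announced length. Returns 0 if there is no complete prefix. */
static int announced_len(const unsigned char *wire, size_t wire_len, size_t *out) {
    if (wire_len < 2) return 0;
    *out = ((size_t)wire[0] << 8) | wire[1];
    return 1;
}

/* Copy the payload into dst only if the sender delivered that many bytes
 * AND they fit in cap. cap is passed alongside dst so the bound can never
 * refer to a different buffer than the one being written. */
static int copy_payload(const unsigned char *wire, size_t wire_len,
                        unsigned char *dst, size_t cap, size_t *len_out) {
    size_t n;
    if (!announced_len(wire, wire_len, &n)) return 0;
    if (n > wire_len - 2) return 0;   /* sender announced more than it sent */
    if (n > cap) return 0;            /* does not fit: caller must retry */
    memcpy(dst, wire + 2, n);
    *len_out = n;
    return 1;
}

/* Two-phase receive: try the small buffer, then a heap buffer sized from
 * the announced (and verified) length. The second copy is bounded by the
 * new buffer's capacity, never by the small buffer's. */
reply_t receive_reply(const unsigned char *wire, size_t wire_len,
                      unsigned char *small, size_t small_cap) {
    reply_t r = {0};
    size_t n;
    if (copy_payload(wire, wire_len, small, small_cap, &r.len)) {
        r.data = small;
        return r;
    }
    if (!announced_len(wire, wire_len, &n) || n > MAX_REPLY || n > wire_len - 2) {
        r.err = 1;            /* malformed or lying reply: refuse it */
        return r;
    }
    unsigned char *big = malloc(n ? n : 1);
    if (!big) { r.err = 1; return r; }
    if (!copy_payload(wire, wire_len, big, n, &r.len)) {
        free(big);
        r.err = 1;
        return r;
    }
    r.data = big;
    r.heap = 1;
    return r;
}

/* Constructed input: payload_len real bytes on the wire, but the prefix
 * announces claim_len (equal to payload_len for an honest sender).
 * Returns 1 = landed in the small buffer, 2 = landed in the heap buffer,
 * -1 = rejected. */
int demo_receive(size_t payload_len, size_t claim_len) {
    static unsigned char wire[2 + 4096];
    unsigned char small[SMALL_BUF];
    if (payload_len > 4096) return -1;
    wire[0] = (unsigned char)(claim_len >> 8);
    wire[1] = (unsigned char)(claim_len & 0xff);
    memset(wire + 2, 0xAB, payload_len);
    reply_t r = receive_reply(wire, payload_len + 2, small, sizeof small);
    if (r.err) return -1;
    int where = (r.len == claim_len) ? (r.heap ? 2 : 1) : -1;
    if (r.heap) free(r.data);
    return where;
}

int main(void) {
    printf("32-byte reply:            %d\n", demo_receive(32, 32));     /* 1 */
    printf("1000-byte reply (retry):  %d\n", demo_receive(1000, 1000)); /* 2 */
    printf("claims 3000, sends 100:   %d\n", demo_receive(100, 3000));  /* -1 */
    return 0;
}
```

The third case is the one worth staring at: a sender that announces a large length but delivers less must be refused before any retry, because a receiver that allocates or reuses a buffer based on the claim and then copies based on the claim is exactly the kind of code Vixie describes as "naively just keep receiving."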