Infrastructure Attacks: A Growing Concern
So the general theme of my talks for the last year has been about the extraordinary damage that infrastructure attacks are capable of. I do believe it’s possible to bolster endpoint security — to achieve end-to-end trust — but it will take more than what we’re doing right now. It will take, somewhat to my surprise, DNSSEC.
It will also take treating infrastructure itself with more care, and more security due diligence, than we do today. Forget patching infrastructure. When my DNS bug hit, a remarkable number of sites suddenly found themselves simply identifying the DNS servers they were dependent on. We can do better. We need better operational awareness of our infrastructure. And we need infrastructure, over time, to become a lot safer and easier to update. That means automatic update isn’t just for desktops anymore, that firmware patches need to have a much higher likelihood of not bricking the hardware, and possibly, that we need fewer builds with more testing for the new production environment, that is increasingly under attack.
The reality is the bad guys are out there, and they’re learning. Just as attackers moved from servers to clients, some are moving from compromising a single client to compromising every client behind vulnerable infrastructure. Psyb0t, a worm that has been bouncing around since January, was recently found by DroneBL and reported on by Ryan Naraine. It targets home routers, and early estimates are that it has hit over 100K of them. Home routers are a wonderful, enabling technology for users, and even for security, they carried us through 2001-2004’s years of widespread server side vulnerabilities. So we shouldn’t be too down on them. But they do have vulnerabilities, and they are getting exposed.
This, of course, is something quite a few people have been talking about. CSRF — Cross Site Request Forgery — attacks have affected everyone from Linksys to Motorola to Siemens to Cisco. More problematically, the DNS Rebinding attacks discussed by myself, David Byrne, Dan Boneh/Adam Barth/Collin Jackson, and others in 2007 still affect home routers. And I’m not talking about Java and Flash sockets, like at this year’s CanSecWest talk. I’m talking about simply running rebinding against the browser itself, to make a remote website and a local router appear to be the same name, thus able to script against one another.
This should sound familiar, because this is what I discussed at RSA last year.
Yep, that still works, in all browsers. It has to. Moral of the video, please don’t have a default password on your home router — and, maybe, home routers can someday only allow default passwords to work 10 minutes after power cycling.
Why can’t this be fixed in the browser? Now that’s a fascinating question, which we’ll discuss in another blog post.