Cyber security relics: 4 older technologies still plaguing the infosec world

Understanding the issues of the past can help us be better equipped to deal with seemingly new issues in the present.

If you bumped into me on the street, you would probably not guess that I am a cyber security professional. I am, one might say, well-seasoned. Given my history of chasing bad actors who were attacking my mainframe, some may wonder if I have the skills necessary for such a bleeding edge profession (one CEO asked me exactly that). While I can certainly make that case effectively, there are many times my knowledge of the “olden days” comes in very handy.

Case in point: some years ago I was re-engineering the transaction system for a credit bureau. When I started, they were running black-box servers with custom DOS-based software. I had finished an 18-month project to replace everything with systems and software from the current century, and we had successfully gone live. Unfortunately, our largest client, still using modems to communicate for many of its locations, was complaining of connectivity issues. When the development team could not identify the issue, I jumped in.

I remember sitting in the break room late one night talking to the communications developer about how he wrote his software. He was only a couple of years out of one of the top engineering schools in the country. I asked him about how he was handshaking with the modems. When he responded with a blank stare, I knew the problem. Having never worked with a modem in his life, he had no idea how to properly interface with them. Once I showed him, we had the system modified, tested, and operating properly in 30 minutes.

You might think knowing how to work with modems is not particularly useful for 2018. Consider, however, the recent discovery of a vulnerability in some Android devices, allowing someone with physical device access to interact with many of the basic phone functions. It seems the implementation of phone controls in these very modern devices is based on the old Hayes modem command set. Since nobody has learned about this command set in years, it took a fellow relic to discover the vulnerability.

The fact is, much of our modern technology has its roots in systems that were in use many years ago. And in certain industries, including healthcare, utilities and manufacturing, those original systems are still in use. In order for a cyber security professional today to fully understand the risks and how to address them, it helps to have a foundation in the old fundamentals.

Here are four examples of older technologies that are still plaguing the information security world:

Faxsploit

As I discussed in "5 cyber security basics you can't afford to ignore," Faxsploit allows a bad actor to access and exfiltrate data using only a fax line connected to a multi-function printer, HP in this case. The problem is that the driver software for the fax port is ancient. It has not changed significantly in 15 years. On the other hand, newer network connectivity software has been added, with nobody stopping to think about its interaction with the fax software.

Heartbleed

Heartbleed, which was first reported in 2014, allowed clear text data to be obtained from SSL encrypted web sites. It is believed to have affected at least one third of all web sites at the time, and is considered one of the most serious server vulnerabilities of all time. It was likely exploitable long before 2014, but was not discovered and reported until then.

Social engineering

I suspect many people think social engineering is a recent phenomenon, but this could not be further from the truth.  In the early days of phone hacking, people crawled around in dumpsters looking for discarded manuals to help them understand the inner workings of the phone systems of the day.  These dives were often followed by phone calls to technical folks, under some pretense, to get additional information.  Together, this information allowed hackers, known as "phone phreaks," to build devices allowing them to obtain free long distance.  This practice got its start in the 1950s, peaking in the late 1960s.

Today, dumpster diving is still a common practice, as is posing as someone you're not and using some pretense to obtain information.

Cross-site scripting

In 2007, cross-site scripting (XSS), which allows a bad actor to inject code into a user's browser session, was added to the OWASP Top 10 Vulnerabilities list.  It has never gone away.  This vulnerability can still be found on many web sites, and is actively being exploited by bad actors.

The bottom line

As I noted above, everything old is new again, and this certainly applies to cyber security.  Many of the attack strategies used and vulnerabilities exploited today have their roots in what happened many years ago.  You are well served if you understand these roots, and if you keep a few of us relics around to help with that perspective.

Copyright © 2018 IDG Communications, Inc.
