Contributor

Cyber security relics: 4 older technologies still plaguing the infosec world

Opinion
Nov 02, 2018 | 4 mins
Android, Security, Social Engineering

Understanding the issues of the past can help us be better equipped to deal with seemingly new issues in the present.

If you bumped into me on the street, you would probably not guess that I am a cyber security professional. I am, one might say, well-seasoned. Given my history of chasing bad actors who were attacking my mainframe, some may wonder if I have the skills necessary for such a bleeding edge profession (one CEO asked me exactly that). While I can certainly make that case effectively, there are many times my knowledge of the “olden days” comes in very handy.

Case in point: some years ago I was re-engineering the transaction system for a credit bureau. When I started, they were running black-box servers with custom DOS-based software. I had finished an 18-month project to replace everything with systems and software from the current century, and we had successfully gone live. Unfortunately, our largest client, still using modems to communicate for many of its locations, was complaining of connectivity issues. When the development team could not identify the issue, I jumped in.

I remember sitting in the break room late one night talking to the communications developer about how he wrote his software. He was only a couple of years out of one of the top engineering schools in the country. I asked him about how he was handshaking with the modems. When he responded with a blank stare, I knew the problem. Having never worked with a modem in his life, he had no idea how to properly interface with them. Once I showed him, we had the system modified, tested, and operating properly in 30 minutes.

You might think knowing how to work with modems is not particularly useful for 2018. Consider, however, the recent discovery of a vulnerability in some Android devices, allowing someone with physical device access to interact with many of the basic phone functions. It seems the implementation of phone controls in these very modern devices is based on the old Hayes modem command set. Since nobody has learned about this command set in years, it took a fellow relic to discover the vulnerability.

The fact is, much of our modern technology has its roots in systems that were in use many years ago. And in certain industries, including healthcare, utilities and manufacturing, those original systems are still in use. In order for a cyber security professional today to fully understand the risks and how to address them, it helps to have a foundation in the old fundamentals.

Here are four examples of older technologies that are still plaguing the information security world:

Faxsploit

As I discussed in "5 cyber security basics you can’t afford to ignore," Faxsploit allows a bad actor to access and exfiltrate data using only a fax line connected to a multi-function printer, HP in this case. The problem is that the driver software for the fax port is ancient. It has not changed significantly in 15 years. On the other hand, newer network connectivity software has been added, with nobody stopping to think about its interaction with the fax software.

Heartbleed

Heartbleed, which was first reported in 2014, allowed clear text data to be obtained from SSL encrypted web sites. It is believed to have affected at least one third of all web sites at the time, and is considered one of the most serious server vulnerabilities of all time. It was likely exploitable long before 2014, but was not discovered and reported until then.

Social engineering

I suspect many people think social engineering is a recent phenomenon, but this could not be further from the truth.  In the early days of phone hacking, people crawled around in dumpsters looking for discarded manuals to help them understand the inner workings of the phone systems of the day.  These dives were often followed by phone calls to technical folks, under some pretense, to get additional information.  Together, this information allowed hackers, known as “phone phreaks,” to build devices allowing them to obtain free long distance.  This practice got its start in the 1950s, peaking in the late 1960s.

Today, dumpster diving is still a common practice, as is posing as someone you’re not and using some pretense to obtain information.

Cross-site scripting

In 2007, cross-site scripting (XSS), which allows a bad actor to inject code into a user’s browser session, was added to the OWASP Top 10 Vulnerabilities list.  It has never gone away.  This vulnerability can still be found on many web sites, and is actively being exploited by bad actors.

The bottom line

As I noted above, everything old is new again, and this certainly applies to cyber security.  Many of the attack strategies used and vulnerabilities exploited today have their roots in what happened many years ago.  You are well served if you understand these roots, and if you keep a few of us relics around to help with that perspective.

Contributor

Robert C. Covington, the "Go To Guy" for small and medium business security and compliance, is the founder and president of togoCIO.com. Mr. Covington has a B.S. in Computer Science from the University of Miami, with over 30 years of experience in the technology sector, much of it at the senior management level. His functional experience includes major technology implementations, small and large-scale telecom implementation and support, and operations management, with emphasis on high-volume, mission critical environments. His expertise includes compliance, risk management, disaster recovery, information security and IT governance.

Mr. Covington began his Atlanta career with Digital Communications Associates (DCA), a large hardware/software manufacturer, in 1984. He worked at DCA for over 10 years, rising to the position of Director of MIS Operations. He managed the operation of a large 24x7 production data center, as well as the company’s product development data center and centralized test lab.

Mr. Covington also served as the Director of Information Technology for Innotrac, which was at the time one of the fastest growing companies in Atlanta, specializing in product fulfillment. Mr. Covington managed the IT function during a period when it grew from 5 employees to 55, and oversaw a complete replacement of the company’s systems, and the implementation of a world-class call center operation in less than 60 days.

Later, Mr. Covington was the Vice President of Information Systems for Teletrack, a national credit bureau, where he was responsible for information systems and operations, managing the replacement of the company’s complete software and database platform, and the addition of a redundant data center. Under Mr. Covington, the systems and related operations achieved SAS 70 Type II status, and received a high audit rating from the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency.

Mr. Covington also served as Director of Information Technology at PowerPlan, a software company providing software for asset-intensive industries such as utilities and mining concerns, and integrating with ERP systems including SAP, Oracle Financials, and Lawson. During his tenure, he redesigned PowerPlan's IT infrastructure using a local/cloud hybrid model, implemented IT governance based on ITIL and COBIT, and managed the development of a new corporate headquarters.

Most recently, Mr. Covington, concerned about the growing risks facing small and medium business, and their lack of access to an experienced CIO, formed togoCIO, an organization focused on providing simple and affordable risk management and information security services.

Mr. Covington currently serves on the board of Act Together Ministries, a non-profit organization focused on helping disadvantaged children, and helping to strengthen families. He also leads technical ministries at ChristChurch Presbyterian. In his spare time, he enjoys hiking and biking.

The opinions expressed in this blog are those of Robert C. Covington and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.