Shostack + Friends Blog Archive


Security Through Stupidity

In my last post on security, I promised a tale, and I ought to deliver on that before it becomes nothing more than a good intention.

Some time ago, so long ago that it no longer matters, I bought a piece of network stereo equipment. It was one of these little boxes that lets you play MP3s, etc. through your stereo. I got it because it was a cute little system running Linux, had a MIPS processor, a web site for developers, extension and enhancement tools in Java, and so on.

I used it for a couple of months, and played with the Java-based remote control application for it and then decided to do some more serious work on it. I rolled my eyes that it only had telnet to get to it, but telnetted to it and was met with:

#

which I just stared at for a moment. It didn’t even register for a good twenty or thirty seconds before I had the wit to type

ls

and was met with something akin to:

bin   dev  home  mnt  proc  tmp
boot  etc  lib   usr  sbin

and that didn’t even register with me until I finally then typed

pwd

and was met with

/

and I made a loud two-word exclamation, of which the former was “oh” and the latter is left as an exercise for you, Gentle Reader, but there are two obvious candidates.

Yup, for the last couple of months, sitting bear-ass nekkid on the Internet was a Linux box with open telnet and a root shell. No username, no password, just a root shell. I said the other obvious candidate word. I also considered (again) getting a firewall. My network doesn’t have a firewall. Part of it is that I like the road feel of the packets whizzing by. Part of it is that by the time I open up enough ports to do useful things, I’m just closing down the ones that don’t have services on them anyway. Part of it is also that of the three times I’ve had serious security problems on my network, one of them was because my IDS box got rooted, and one was because the firewall got rooted. For me, adding a firewall adds complexity, and that lowers security. (That last time was when I was traveling with my SO who wanted to send me an email from an utterly ancient netnews program that knows nothing of SMTP-AUTH. Never reconfigure your email infrastructure from five thousand miles away while jetlagged. A couple of days later, you will ask yourself, “I wonder why the SMTP server logs have gotten so big.” Fortunately for me, I caught it before the blacklists did.)

I yanked the music box off the network and connected to it directly (one cable, just it and me). Looking through the thing, I didn’t see any sign that anyone was now using it for anything. I checked the IDS logs and there was nothing that leapt out at me as suspicious traffic. That seemed odd, because how could it not have been owned? I thought about it for a bit, and thought about it more as I reflashed the critter. Then I laughed, because I realized that the tools that probe for vulnerable boxes are not going to be looking for #. It was then too late to tell, but I allowed myself to think that maybe the box hadn’t been compromised, as the evidence suggested.

With the machine rebuilt, I connected to it directly with telnet and started probing around for a way to put a password on it (like /etc/passwd). There was none. There was no SSH, either. I fulminated on the developer fora about this security stupidity. I found the instructions on how to build the right cross-compiled Linux setup to build binaries for it, and it was full of warnings about how to make sure you did this, set that compiler switch, and if you didn’t, things wouldn’t work, and you get to reflash the box.

This wasn’t how I was wanting to spend my Saturday, so I turned the box off, and went to do something else. As I did, I thought about the situation. I became increasingly amused that (apparently) the box hadn’t been compromised. I convinced myself that this is because the bad guys wouldn’t recognize the box as vulnerable.

As I grumbled and thought more about how to lock down the box, something occurred to me — anyone who wants to own the box has to go to the same trouble to make it be a productive member of their botnet community as I do to do the opposite, but they’re at a disadvantage because they also have to protect it from me. Since it’s easier to find some unpatched Windows box than it is to set up a MIPS cross-compile sandbox, even if they can tell that it has an open root shell, it’s not economically viable. Think of it as Mutual Assured Annoyance, Economic-Based Intrusion Prevention, Security Through Stupidity, or proving the old adage, “In the land of the blind lion, the one-eyed zebra doesn’t have to run very fast.”

A couple of weeks later, I solved the whole problem when a new product was introduced that did exactly what I wanted (to be able to play music on my laptop on my stereo) at half the price and no icky telnet. The poor little music box now sits face-down, forlorn, and dust-covered on a shelf.

4 comments on "Security Through Stupidity"

  • John says:

    Just wondering if you want to share the brands/models of the boxes, especially the one that you are using now?

  • Mordaxus says:

    I have intentionally not said who they are, because they may have fixed things in the last couple of years, and I don’t want to get into a pissing contest. I genuinely do not care. If you buy something, the easy thing to do is to nmap the box and telnet to it during the time you can return it.
    I hope that somewhere the development groups of music player companies are downloading Nessus.
    What I’m using now is an Airport Express from Apple. I have one that is just a piece of stereo equipment, plugged into the aux port of the receiver.
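A scripted version of the return-window check Mordaxus describes, added here as an example and not code from the post or any commenter: it connects to the telnet port of a device you have just bought, reads whatever the device volunteers without sending anything, strips the telnet option-negotiation bytes, and reports whether the banner is a login prompt or the bare shell prompt of the story. The address you pass in is your own device's; the banners in the test are constructed.

```python
import socket

# Telnet (RFC 854) command bytes; devices send option negotiation before the first prompt.
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240

def strip_telnet_negotiation(data: bytes) -> bytes:
    """Drop IAC negotiation sequences, keeping only the text the device printed."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif i + 1 >= len(data):
            break  # truncated sequence at the end of the buffer
        elif data[i + 1] == IAC:  # IAC IAC is an escaped literal 0xFF
            out.append(IAC)
            i += 2
        elif data[i + 1] in (DO, DONT, WILL, WONT):
            i += 3  # IAC <cmd> <option>
        elif data[i + 1] == SB:  # IAC SB ... IAC SE (subnegotiation)
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:
            i += 2  # two-byte command such as IAC NOP or IAC GA
    return bytes(out)

def classify_banner(raw: bytes) -> str:
    """'login_prompt', 'unauthenticated_shell' (a bare # or $ prompt), or 'unknown'."""
    text = strip_telnet_negotiation(raw).decode("ascii", "replace")
    if any(k in text.lower() for k in ("login:", "password:", "username:")):
        return "login_prompt"
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if lines and lines[-1].endswith(("#", "$")):  # the prompt is the last non-empty line
        return "unauthenticated_shell"
    return "unknown"

def probe_telnet(host: str, port: int = 23, timeout: float = 3.0) -> str:
    """Connect to a device you own, read what it volunteers (sending nothing), classify it."""
    buf, connected = b"", False
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            connected = True
            s.settimeout(timeout)
            while len(buf) < 4096:
                chunk = s.recv(1024)
                if not chunk:
                    break
                buf += chunk
    except OSError:  # refused, unreachable, or timed out on connect or read
        pass
    return classify_banner(buf) if connected else "closed"
```

Run `probe_telnet("<your device address>")` from a machine on the same cable; a result of `unauthenticated_shell` is the `#` the post describes, and the device is going back in its box.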

  • Orv says:

    I know what you mean about a firewall often just mimicking the list of ports that don’t have services on them. I find, though, that a firewall can be especially helpful when dealing with devices that have totally brain-dead security — like your music box, or most networked printers. There’s usually no reason for these devices to communicate with the Internet. I’ll often set up a firewall with just a blocklist of IPs that never, ever, ever should talk to anyone, and list all the network printers and other embedded devices. The other machines get free rein.
    A firewall is also vital when setting up Windows. Most fresh Windows installs can be compromised in less time than it takes you to download the patches. I’ve observed less than half an hour from connection to infection for an unpatched Windows 2000 system on dialup.

  • Teltariat says:

    > Most fresh Windows installs can be compromised in less time than it takes you to download the patches. I’ve observed less than half an hour from connection to infection for an unpatched Windows 2000 system on dialup.
    Less than half an hour? This is no longer the case.
    Today, your freshly set up Windows machine can be compromised in 5 minutes flat.
