Universal Plug & Pray?

Citizens of the internet may have noticed some speed-related issues lately.  Malware that targets Internet of Things devices (IP-connected cameras, DVRs, cloud-managed routers, etc.) has been running rampant, scanning the entire internet for more victims and launching major attacks from the devices it has already taken over.

“But Zack, I don’t have anything an attacker would want!”  Well, yes, you do.  Your internet connection, when combined with those of your friends, family, neighbors, and strangers who also bought a vulnerable device, can be used to bring down websites for a time.  Think of it as death by a thousand paper cuts.  All of the traffic from these devices overwhelms the target server and stops it from handling any legitimate requests.  We call this a DDoS, a Distributed Denial of Service attack.  It does what it says on the tin: a bunch of things keep something else from providing a service.

“But wait!  I have a router and don’t forward any ports for my vulnerable thing!”  Most routers have a feature called Universal Plug & Play (UPnP) that lets a device on your network ask the router to expose its services to the outside world, and the router obliges automatically.  This means you may not even know these devices are reachable from the internet, because it happened on its own and your permission was never required.

I am not trying to say UPnP is a bad thing.  It simplifies a lot of things for people, especially anyone who uses gaming consoles or wants to set their DVR to record something remotely.  It is certainly a big security risk, though, especially since these things are exposed automatically and without warning.  It is up to you to weigh the risk of leaving it enabled.
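If you want to see what your router has exposed on your behalf, the port-mapping table is the thing to look at.  The script below is an added example, not part of the original post: it parses GetGenericPortMappingEntry responses of the kind a UPnP Internet Gateway Device returns (the element names follow the WANIPConnection service) and flags every enabled mapping that is not on an allowlist you maintain.  The three responses are constructed samples with made-up addresses, ports and descriptions, so the script runs offline; on a real router, `upnpc -l` from the miniupnpc package lists the same table.

```python
import xml.etree.ElementTree as ET

# Shape of one GetGenericPortMappingEntry reply (element names per the UPnP
# WANIPConnection service). The values filled in below are constructed.
RESPONSE_TEMPLATE = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost>
<NewExternalPort>%(ext)s</NewExternalPort>
<NewProtocol>%(proto)s</NewProtocol>
<NewInternalPort>%(iport)s</NewInternalPort>
<NewInternalClient>%(client)s</NewInternalClient>
<NewEnabled>1</NewEnabled>
<NewPortMappingDescription>%(desc)s</NewPortMappingDescription>
<NewLeaseDuration>%(lease)s</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse>
</s:Body>
</s:Envelope>
"""

# Constructed sample table: a game console the owner asked for, plus a camera
# and a DVR that quietly mapped themselves (lease 0 means "until reboot").
SAMPLE_RESPONSES = [
    RESPONSE_TEMPLATE % dict(ext=3074, proto="UDP", iport=3074, client="192.168.1.20", desc="GameConsole", lease=0),
    RESPONSE_TEMPLATE % dict(ext=8080, proto="TCP", iport=80, client="192.168.1.50", desc="IPCam", lease=0),
    RESPONSE_TEMPLATE % dict(ext=9000, proto="TCP", iport=9000, client="192.168.1.51", desc="DVR", lease=3600),
]

# SOAP element name -> friendly key
FIELDS = {
    "NewRemoteHost": "remote_host",
    "NewExternalPort": "external_port",
    "NewProtocol": "protocol",
    "NewInternalPort": "internal_port",
    "NewInternalClient": "internal_client",
    "NewEnabled": "enabled",
    "NewPortMappingDescription": "description",
    "NewLeaseDuration": "lease_seconds",
}


def parse_mapping(xml_text):
    """Turn one SOAP response into a dict with typed fields.

    The child elements carry no namespace, so a plain descendant search works."""
    root = ET.fromstring(xml_text)
    mapping = {}
    for tag, key in FIELDS.items():
        node = root.find(".//" + tag)
        if node is None:
            raise ValueError("response is missing element " + tag)
        mapping[key] = (node.text or "").strip()
    mapping["external_port"] = int(mapping["external_port"])
    mapping["internal_port"] = int(mapping["internal_port"])
    mapping["lease_seconds"] = int(mapping["lease_seconds"])
    mapping["enabled"] = mapping["enabled"] == "1"
    return mapping


def audit_mappings(mappings, approved):
    """Return a human-readable line for every enabled mapping whose
    (protocol, external port) pair is not on the approved list."""
    findings = []
    for m in mappings:
        if not m["enabled"]:
            continue
        if (m["protocol"], m["external_port"]) in approved:
            continue
        findings.append("%s/%d -> %s:%d (%s)%s" % (
            m["protocol"], m["external_port"], m["internal_client"], m["internal_port"],
            m["description"] or "no description",
            "" if m["lease_seconds"] else ", permanent"))
    return findings


def run_audit(approved=frozenset({("UDP", 3074)})):
    """Parse the constructed table and report what the owner never asked for."""
    mappings = [parse_mapping(r) for r in SAMPLE_RESPONSES]
    return audit_mappings(mappings, approved)


if __name__ == "__main__":
    for line in run_audit():
        print("unexpected mapping:", line)
```

Anything this reports is a device on your LAN that the outside world can reach without you ever opening a port.  Walking the table on a schedule is a cheap check; turning UPnP off in the router and forwarding the one or two ports you actually need by hand is the stronger fix.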

Compartmentalization

Virtualization has been the best thing to happen to sysadmins in the past 10 years or so.  A data center’s worth of servers can now be condensed into a single rack.  Hardware can die and the servers running on it can live-migrate to another host and keep running as if nothing ever happened.  Building a new server no longer requires hauling and racking new hardware.

So what are the big benefits to virtualization?  Reduced hardware costs, mainly.  You’re buying more expensive servers, but you only need 3 or 4 instead of 50.  A reduced hardware footprint also saves you in data center costs.  If you colocate in a data center, you pay far less for fewer racks.  If you’re running your own, you don’t have to dedicate as much space.  You also gain compartmentalization.  I’ll come back to that in a moment.

What about drawbacks?  Peripherals can be difficult to manage, so if your server requires specialized hardware, such as a security DVR, you probably won’t be able to virtualize it.  Older call accounting servers that connect with a serial cable to a phone switch could be virtualized, but generally are not worth the headache.  Newer network-connected PBXs and VoIP systems can have their management and accounting virtualized with no problems.  Some vendor-specific software will not run on VMs because the vendor refuses to accept that virtualization is a thing and is not going away.

So what is this compartmentalization thing I mentioned earlier?  Compartmentalization is where you separate tasks so that if one goes down or is compromised, you don’t necessarily lose everything.  For example, let’s say you have a physical server that’s running your email, your website, and acting as a database server for the website backend and your accounting database.  Your CMS has a vulnerability that lets an attacker execute arbitrary code, and a SQL injection vulnerability as well.  (Jeez, you need a new CMS)

On that physical server, the attacker can literally do anything (execute arbitrary code) such as install backdoors, create user accounts, or trash your setup.  The SQL injection vulnerability also gives them access to your DB server.  An attacker honestly wouldn’t even need that in this case, since they can execute Whatever They Damn Well Please, including the command line tool for your database server.  They also have full access to and control of your email.

What if we compartmentalize this so that one server isn’t running the entire kingdom?  Email is on its own VM, the database server is on its own VM, and so is the website.  Now if they compromise your web server, all they get is the web server.  Sure, it’s still bad, but it’s less bad than the first scenario.  But that SQL injection exploit is still lingering over our heads.  Good database practices can mitigate that risk, too.

Compartmentalize your databases.  Use separate users for your databases.  Your CMS’s DB user has no business even being able to see the accounting DB.  A SQL injection exploit’s range is limited to what the database user the application connects as can access.  If you segment things so that one part being compromised doesn’t provide access to everything, you’re compartmentalizing.
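To make the “limited to what the current user can access” point concrete, here is an added example that is not from the original post.  It uses Python’s sqlite3 module, which has no user accounts, so an authorizer callback stands in for the per-database privileges a real MySQL or PostgreSQL GRANT would give the CMS user; the table names, rows and the injected input are all constructed.  The same input leaks the accounting table when the CMS query runs with full privileges, is refused once the connection is restricted to the CMS tables, and is harmless once the query is parameterized.

```python
import os
import sqlite3
import tempfile

# Table the CMS's database user must never be able to touch (constructed name).
PROTECTED_TABLES = {"accounting_ledger"}


def create_shared_db():
    """Build the 'one server runs everything' database from the post's example:
    CMS posts and the accounting ledger side by side. Returns the file path."""
    path = os.path.join(tempfile.mkdtemp(), "everything.db")
    admin = sqlite3.connect(path)
    admin.executescript("""
        CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE accounting_ledger (id INTEGER PRIMARY KEY, account TEXT, balance REAL);
        INSERT INTO posts (title, body) VALUES ('Hello', 'first post');
        INSERT INTO accounting_ledger (account, balance) VALUES ('payroll', 12345.67);
    """)
    admin.close()
    return path


def cms_authorizer(action, arg1, arg2, dbname, source):
    """Stand-in for a restricted database user. SQLite has no accounts, so this
    callback refuses any statement that reads, writes or alters a protected table
    (arg1 is the table name for those actions). A real deployment would create a
    separate user and GRANT it only the CMS schema."""
    if arg1 in PROTECTED_TABLES:
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK


def connect_as_cms_user(path):
    """Open the database the way the CMS should: with only its own tables visible."""
    conn = sqlite3.connect(path)
    conn.set_authorizer(cms_authorizer)
    return conn


def lookup_post_vulnerable(conn, title):
    """The CMS bug: user input pasted straight into SQL (kept only to show the contrast)."""
    sql = "SELECT title, body FROM posts WHERE title = '%s'" % title
    return conn.execute(sql).fetchall()


def lookup_post_safe(conn, title):
    """The fix: a bound parameter, so the input is only ever a string value."""
    return conn.execute("SELECT title, body FROM posts WHERE title = ?", (title,)).fetchall()


def run_demo():
    path = create_shared_db()
    # Constructed injection input: closes the quote and tacks a second SELECT on.
    payload = "x' UNION SELECT account, balance FROM accounting_ledger --"

    # 1. Monolithic setup: the CMS connects with full privileges, so the
    #    injected query walks straight into the accounting table.
    full = sqlite3.connect(path)
    leaked = lookup_post_vulnerable(full, payload)
    full.close()

    # 2. Compartmentalized: same bug, same input, but the CMS user cannot see
    #    accounting_ledger, so the statement is refused before it runs.
    cms = connect_as_cms_user(path)
    try:
        lookup_post_vulnerable(cms, payload)
        blocked = False
    except sqlite3.DatabaseError:
        blocked = True

    # 3. Parameterized query: the input is just a title nobody has used.
    harmless = lookup_post_safe(cms, payload)
    normal = lookup_post_safe(cms, "Hello")
    cms.close()
    return {"leaked": leaked, "blocked": blocked, "harmless": harmless, "normal": normal}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The point of step 2 is that the bug is still there; the restricted user simply has nothing worth stealing in reach.  You want both layers: fix the query so the input cannot change the statement, and give the application a database user that can only see its own schema so the next bug you have not found yet is contained.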

Virtualization makes compartmentalization easy.  You can create separate VMs for things that need to be separated without spending more money on hardware or taking the time to install it into the data center.

Compartmentalization takes a nice, fat target for attackers and separates it into little boxes so that a single exploit isn’t putting your entire infrastructure at risk.  You should be doing this as much as possible, especially on any public-facing systems.

A few thoughts about Marvel’s Agents of S.H.I.E.L.D.

I just finished binge-watching the first season of Marvel’s Agents of S.H.I.E.L.D.  Wow.  This series turned out significantly better than I had expected from the beginning.

A little background:  so far, I’ve really enjoyed the Marvel Cinematic Universe movies.  I think the Captain America movies were the best with Iron Man holding a special place in my heart.  I mean, what geek wouldn’t want to be a genius billionaire inventor with a flying power suit?  When The Avengers came out, I went with my girlfriend at the time to see it.  We were blown away, and when she saw Joss Whedon’s name in the credits, she went nuts.  She is a huge Whedon fangirl.  So when Agents of S.H.I.E.L.D. came out, she saw Joss Whedon’s name attached to it and was expecting something along the lines of Firefly or Dollhouse.  That’s not what Agents of S.H.I.E.L.D. was supposed to be.

She ended up bored with the series pretty early on.  I had recorded the whole thing on the DVR and planned to watch it at some point, but I lost interest after she stopped talking about it.  I wasn’t big on TV back then anyway.

I recently found myself with lots of free time and decided to give the series another chance after hearing how it really picked up after the revelations in Captain America: The Winter Soldier.  I sat down and watched all 22 episodes including the ones I had already seen.  It started off slow, but definitely picked up the pace.  The last 7 episodes are incredible.  If you don’t want to watch the whole thing, at least watch the pilot and the last 7.  You’ll miss out on a few major plot points, but they do a pretty good job of catching you up on the important stuff in the “Previously, on…” bit at the beginning of the episodes.

If you’re a geek, and if you’re reading this, you probably are, do yourself a favor.  Get this show, a big bowl of popcorn, and spend a weekend or two watching it.  I’m looking forward to the next season and seeing what other MCU tie-ins happen!