As well as backdoors being used by governments to monitor web traffic and user activity, they are also put in by attackers as a means of retrieving data.
In a recent story, it was revealed that software used to manage equipment in power plants, military environments and ships contained an undocumented backdoor that could allow malicious hackers to access sensitive systems without authorisation.
I spoke to Adrian Davis, principal research analyst at the Information Security Forum, who confirmed that backdoors can be present in technology because of four factors:
1) It is part of the development or upgrade cycle, as developers will often create a fast and easy way into the system, bypassing the built-in security functions. That enables them to work quicker, make changes more easily and write code. Unfortunately, these backdoors aren’t always removed before ‘go live’;
2) They are created to help with remote troubleshooting/maintenance because it makes it easier for the service engineer, call centre or field engineer to get in the system and do their jobs;
3) They are inserted maliciously by system administrators or other privileged users, who may wish to ‘secure’ their jobs (logic bombs are a part of this);
4) They are created because the OS/storage/configuration of the platform that the code is running on does not have the capability to handle multiple accounts, store passwords etc., so you can only have one account and one password.
So if these backdoors can be present because of varying factors, how can they be mitigated? TK Keanini, chief technology officer at Lancope, said: “The reality is that backdoors are everywhere and it is just a matter of time as to when they will be discovered. The problem we have right now is that the bad guys are the ones more motivated and funded to find them first.
“Meet with your vendors and make sure you learn about their policy regarding backdoors early in the procurement process, not when the bad guys find another; this will at least reduce the targeting to those backdoors that were not intentionally designed into the product.”
Keanini said that backdoors put in intentionally and protected only by secrecy, and those not intentionally designed in but which offer an alternative access path, are both dangerous once disclosed and well known, but the process of discovering them and the countermeasures against them are different.
Asking why anyone would build in a backdoor by design, he said that there was a time when this was a feature for support to restore access. “The threat landscape has advanced so much in the past few years that no one can afford this ‘feature’ anymore, yet they still exist. What is worse is that even when the manufacturer finally gets around to removing the backdoor, getting the masses to apply this upgrade is an entirely different story – advantage goes to the bad guys.”
Sean Powers, security operations manager at DOSarrest, said that a challenge with backdoors, besides not knowing about them, is where they can direct data to – be it an IRC channel or a government network. “We don’t see a lot of this as we deal with web traffic, and if we do see it then it is immediately changed. That is not to say that the attacker cannot send it through a back-end channel, but most likely it is put in there and forgotten about,” he said.
It does seem surprising that a “route out” could be introduced and forgotten about, but maybe this is a call for better monitoring of what is leaving your enterprise. Then again you could implement the best web traffic monitoring, but a clever attacker, or dare we say nation-state, may be able to ENCRYPT that traffic so it is invisible to you.
Regardless, those silent holes that are put in via a variety of routes are either present from the start, or put in with or without your knowledge, and there is no simple solution to mitigate them. Keanini suggested the following four tactics to address the issue:
· Make the assumption that new backdoors will be disclosed sometime in the future
· Ensure that you have some behavioral (non-signature based) detection deployed enterprise wide
· Ensure that you have partitioned your network topology into enclaves that can be monitored and managed
· Ensure that you have a well-established incident response process because you will want to act quickly to mitigate and remediate
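The “better monitoring of what is leaving your enterprise” and the behavioural, non-signature detection in the list above can be illustrated with a small script. This is an added example, not code from the article or from any of the vendors quoted; the flow records, hostnames and per-host baseline are constructed, and the addresses are documentation ranges. It flags hosts that contact a destination outside their learned baseline and, separately, destinations contacted at suspiciously regular intervals, since a forgotten backdoor checking in on a timer looks nothing like a person browsing.

```python
from collections import defaultdict
from statistics import pstdev

# Constructed sample egress flow records: (seconds, source host, destination IP, destination port).
# Invented for this example; not data from the article.
FLOWS = [
    (0, "ws-12", "198.51.100.7", 6667), (60, "ws-12", "198.51.100.7", 6667),
    (120, "ws-12", "198.51.100.7", 6667), (181, "ws-12", "198.51.100.7", 6667),
    (240, "ws-12", "198.51.100.7", 6667),
    (5, "ws-12", "10.0.0.5", 443), (40, "ws-12", "10.0.0.5", 443),
    (41, "ws-12", "10.0.0.5", 443), (130, "ws-12", "10.0.0.5", 443),
    (10, "srv-03", "203.0.113.10", 443), (70, "srv-03", "203.0.113.10", 443),
    (130, "srv-03", "203.0.113.10", 443), (190, "srv-03", "203.0.113.10", 443),
    (33, "lab-07", "192.0.2.44", 8443),
]

# Assumed per-host set of expected destinations, learned during a quiet baseline period.
BASELINE = {"ws-12": {"10.0.0.5"}, "srv-03": {"203.0.113.10"}, "lab-07": set()}

def new_destinations(flows, baseline):
    """(host, dst) pairs where a host talks to a destination absent from its baseline: a possible 'route out'."""
    seen = set()
    for _, host, dst, _ in flows:
        if dst not in baseline.get(host, set()):
            seen.add((host, dst))
    return sorted(seen)

def beacons(flows, min_hits=4, max_jitter=2.0):
    """Map of (host, dst, port) -> mean interval for endpoints contacted at near-regular intervals.
    No signature is needed: periodic check-ins are a behaviour, not a known payload."""
    groups = defaultdict(list)
    for t, host, dst, port in flows:
        groups[(host, dst, port)].append(t)
    found = {}
    for key, times in groups.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter:  # low jitter between connections = timer-driven
            found[key] = sum(gaps) / len(gaps)
    return found

def find_suspects(flows, baseline):
    """Periodic traffic to a destination outside the host's baseline: the strongest combined signal."""
    unknown = set(new_destinations(flows, baseline))
    return sorted((host, dst, port, period) for (host, dst, port), period in beacons(flows).items()
                  if (host, dst) in unknown)

if __name__ == "__main__":
    for s in find_suspects(FLOWS, BASELINE):
        print("suspect beacon: %s -> %s:%d every %.0fs" % s)
```

Regular traffic to a baseline destination (srv-03 above) is reported by `beacons` but not by `find_suspects`, so a legitimate update check does not drown out the one host talking on a timer to an address nobody expected.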
Lamar Bailey, director of security research at Tripwire, argued that when it comes to backdoors into a network, the biggest vulnerabilities are personally owned mobile devices and laptops, as when a business opens up to “BYOD”, it opens up the network to the unknown.
“Attackers are targeting these devices and employee laptops when they are used outside of the corporate environment. Attackers are targeting these personal accounts with spear phishing, social media attacks, or exploiting consumer routers to gain a foothold on the systems so that they can be hand carried back into an organisation,” he said.
“Once back in an organisation, malware on the devices notices the new IP address and attacks are launched. Organisations need to be diligent about security practices for these devices by enforcing best practices such as segregating network access, host intrusion protection on laptops, network intrusion protection and patching vulnerabilities in software/apps on these devices.”
So even if you have detected and patched all current backdoors in the network, and are defending against attackers who are trying to insert backdoors, and are managing devices which connect to your network, perhaps you will be protected.