A few weeks ago, I wrote a post entitled “Patching Is Not Security.” Among other elements, I described a bug in some Linksys routers that was not patched and was supporting the Moon worm.
Today, I received word that the same unpatched flaw in the router is being used to support DDOS attacks. These are not likely to be seen by the owners/operators of the routers because all the traffic involved is external to their networks — it is outbound from the router and is therefore “invisible” to most tools. About all they might see is some slowdown in their connectivity.
Here are some of the details, courtesy of Brett Glass, the ISP operator who originally found the worm on some customer routers; I have replaced hostnames with VICTIM and ROUTER in his account:
Today, a user reported a slow connection and we tapped in with a packet sniffer to investigate. The user had a public, static IP on a Linksys E1000, with remote administration enabled on TCP port 8080. The router was directing SYN floods against several targets on the Telus network in Canada. For example:
10:00:44.544036 IP ROUTER.3070 > VICTIM.8080: Flags [S], seq 3182338706, win 5680, options [mss 1420,sackOK,TS val 44990601 ecr 0,nop,scale 0], length 0
10:00:44.573042 IP ROUTER.3071 > VICTIM.8080: Flags [S], seq 3180615688, win 5680, options [mss 1420,sackOK,TS val 44990603 ecr 0,nop,scale 0], length 0
10:00:44.575908 IP ROUTER.3077 > VICTIM.8080: Flags [S], seq 3185404669, win 5680, options [mss 1420,sackOK,TS val 44990604 ecr 0,nop,scale 0], length 0
10:00:44.693528 IP ROUTER.3072 > VICTIM.8080: Flags [S], seq 3188188011, win 5680, options [mss 1420,sackOK,TS val 44990616 ecr 0,nop,scale 0], length 0
10:00:44.713312 IP ROUTER.3073 > VICTIM.http: Flags [S], seq 3174550053, win 5680, options [mss 1420,sackOK,TS val 44990618 ecr 0,nop,scale 0], length 0
10:00:45.544854 IP ROUTER.3078 > VICTIM.http: Flags [S], seq 3192591720, win 5680, options [mss 1420,sackOK,TS val 44990701 ecr 0,nop,scale 0], length 0
10:00:45.564454 IP ROUTER.3079 > VICTIM.http: Flags [S], seq 3183453748, win 5680, options [mss 1420,sackOK,TS val 44990703 ecr 0,nop,scale 0], length 0
10:00:45.694227 IP ROUTER.3080 > VICTIM.http: Flags [S], seq 3189966250, win 5680, options [mss 1420,sackOK,TS val 44990716 ecr 0,nop,scale 0], length 0
10:00:45.725956 IP ROUTER.3081 > VICTIM.8080: Flags [S], seq 3184379372, win 5680, options [mss 1420,sackOK,TS val 44990719 ecr 0,nop,scale 0], length 0
10:00:45.983883 IP ROUTER.3074 > VICTIM.8080: Flags [S], seq 3186948470, win 5680, options [mss 1420,sackOK,TS val 44990745 ecr 0,nop,scale 0], length 0
10:00:46.985034 IP ROUTER.3082 > VICTIM.http: Flags [S], seq 3194003065, win 5680, options [mss 1420,sackOK,TS val 44990845 ecr 0,nop,scale 0], length 0
In short, the vulnerability used by the "Moon" worm is no longer being used just to experiment; it's being used to enlist routers in botnets and actively attack targets.
One interesting thing we found about this most recent exploit is that the DNS settings on the routers were permanently changed. The router was set to use domain name servers at the addresses 107.170.168.61 and 107.170.189.30.
The "Moon" worm was completely ephemeral and did not change the contents of flash memory (either the configuration or the firmware). The exploit I found today changes at least the DNS settings.
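The point of Mr. Glass's account is that the only symptom the owner saw was a slow link; the flood itself was found by putting a sniffer on the outbound side. The following is an added example, not code from the original post or from Mr. Glass, showing how such a capture can be screened automatically: it parses tcpdump one-line TCP records in the format quoted above and flags any source/destination host pair that sends more than a threshold of bare SYNs (no ACK) inside a one-second sliding window. The sample capture is constructed (modelled on the lines above, with a benign LANHOST/WEBSRV handshake added so the detector has something it should not flag), and the window and threshold are assumed defaults, not values from the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample capture in tcpdump's one-line TCP format, modelled on the
# lines quoted in the post (hostnames already replaced). Not the original
# packet data. The LANHOST <-> WEBSRV pair is a normal handshake: one SYN out,
# one SYN-ACK ("S.") back, which the detector must not report.
SAMPLE_CAPTURE = """\
10:00:44.544036 IP ROUTER.3070 > VICTIM.8080: Flags [S], seq 3182338706, win 5680, options [mss 1420,sackOK,TS val 44990601 ecr 0,nop,scale 0], length 0
10:00:44.573042 IP ROUTER.3071 > VICTIM.8080: Flags [S], seq 3180615688, win 5680, options [mss 1420,sackOK,TS val 44990603 ecr 0,nop,scale 0], length 0
10:00:44.575908 IP ROUTER.3077 > VICTIM.8080: Flags [S], seq 3185404669, win 5680, options [mss 1420,sackOK,TS val 44990604 ecr 0,nop,scale 0], length 0
10:00:44.600112 IP LANHOST.51234 > WEBSRV.http: Flags [S], seq 1000000001, win 65535, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0
10:00:44.640211 IP WEBSRV.http > LANHOST.51234: Flags [S.], seq 2000000001, ack 1000000002, win 28960, options [mss 1460,sackOK,TS val 2 ecr 1,nop,wscale 7], length 0
10:00:44.693528 IP ROUTER.3072 > VICTIM.8080: Flags [S], seq 3188188011, win 5680, options [mss 1420,sackOK,TS val 44990616 ecr 0,nop,scale 0], length 0
10:00:44.713312 IP ROUTER.3073 > VICTIM.http: Flags [S], seq 3174550053, win 5680, options [mss 1420,sackOK,TS val 44990618 ecr 0,nop,scale 0], length 0
10:00:45.544854 IP ROUTER.3078 > VICTIM.http: Flags [S], seq 3192591720, win 5680, options [mss 1420,sackOK,TS val 44990701 ecr 0,nop,scale 0], length 0
10:00:45.564454 IP ROUTER.3079 > VICTIM.http: Flags [S], seq 3183453748, win 5680, options [mss 1420,sackOK,TS val 44990703 ecr 0,nop,scale 0], length 0
10:00:45.694227 IP ROUTER.3080 > VICTIM.http: Flags [S], seq 3189966250, win 5680, options [mss 1420,sackOK,TS val 44990716 ecr 0,nop,scale 0], length 0
10:00:45.725956 IP ROUTER.3081 > VICTIM.8080: Flags [S], seq 3184379372, win 5680, options [mss 1420,sackOK,TS val 44990719 ecr 0,nop,scale 0], length 0
10:00:45.983883 IP ROUTER.3074 > VICTIM.8080: Flags [S], seq 3186948470, win 5680, options [mss 1420,sackOK,TS val 44990745 ecr 0,nop,scale 0], length 0
10:00:46.985034 IP ROUTER.3082 > VICTIM.http: Flags [S], seq 3194003065, win 5680, options [mss 1420,sackOK,TS val 44990845 ecr 0,nop,scale 0], length 0
"""

# "HH:MM:SS.usec IP src.sport > dst.dport: Flags [..]" -- the rest of the line
# (seq, win, options, length) is not needed for this check.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+?)\.(?P<sport>\w+) > "
    r"(?P<dst>\S+?)\.(?P<dport>\w+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_capture(text):
    """Turn tcpdump one-line TCP records into dicts; non-matching lines
    (non-TCP traffic, truncated output) are skipped rather than raising."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%H:%M:%S.%f")
        records.append(rec)
    return records


def find_syn_floods(records, window=timedelta(seconds=1), threshold=5):
    """Report (src, dst) host pairs whose bare-SYN count inside any sliding
    `window` reaches `threshold`. A SYN-ACK ("S.") is a reply, not an attempt,
    so only packets whose flags are exactly "S" are counted. Per pair the
    result gives the peak in-window count, the total SYNs seen and the number
    of distinct source ports (a flooder rotates ports, as the capture shows)."""
    recent = defaultdict(deque)          # (src, dst) -> timestamps in window
    stats = defaultdict(lambda: {"peak": 0, "syns": 0, "src_ports": set()})
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["flags"] != "S":
            continue
        key = (rec["src"], rec["dst"])
        q = recent[key]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:  # drop SYNs older than the window
            q.popleft()
        s = stats[key]
        s["peak"] = max(s["peak"], len(q))
        s["syns"] += 1
        s["src_ports"].add(rec["sport"])
    return {
        k: {"peak": v["peak"], "syns": v["syns"], "src_ports": len(v["src_ports"])}
        for k, v in stats.items() if v["peak"] >= threshold
    }


if __name__ == "__main__":
    for (src, dst), info in find_syn_floods(parse_capture(SAMPLE_CAPTURE)).items():
        print(f"{src} -> {dst}: peak {info['peak']} SYN/s, "
              f"{info['syns']} SYNs from {info['src_ports']} source ports")
```

On the constructed sample this reports only ROUTER -> VICTIM (peak of 6 SYNs in one second, 11 SYNs from 11 different source ports); the single LANHOST handshake stays below the threshold and the returning SYN-ACK is not counted at all. Running the same logic over a capture taken on the WAN side of a router is the cheap way to see traffic that, as the post notes, is otherwise invisible from inside the network.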
Shame on Belkin for dragging their feet on getting a fix out to the public. But more to the point, this is yet another example why relying on patching to provide security is fundamentally a Bad Thing.
Over the past couple of months I’ve been giving an evolving talk on why we don’t yet have secure systems, despite over 50 years of work in the field. I first gave this at an NSF futures workshop, and will give it a few more times this summer and fall.
As I was last reviewing my notes, it occurred to me that many of the themes I’ve spoken about have been included in past posts here in the blog, and are things I’ve been talking about for nearly my entire career. It’s disappointing how little progress I’ve seen on so many fronts. The products on the market, and the “experts” who get paid big salaries to be corporate and government advisors and who get the excessive press coverage, also serve to depress.
My current thinking is to write a series of blog posts to summarize my thinking on this general topic. I’m not sure how many I’ll write, but I have a list of probable topics already in mind. They break out roughly into (in approximate order of presentation):
Each of these will be of moderate length, with some references and links to material to read. If you’re interested in a preview, I recommend looking at some of my recent talks archived on YouTube, some of my past blog posts here, and oral histories of various pioneers in the field of infosec done by the Babbage Institute (including, perhaps, my own).
I’ll start with the first posting sometime in the next few days, after I get a little more caught up from my vacation. But I thought I’d make this post, first, to solicit feedback on ideas that people might like me to add to the list.
My first post will be about the definition of security — and why part of the problem is that we can’t very well fix something that we can’t reliably define and thus obviously don’t completely understand.
I have long argued that the ability to patch something is not a security “feature” — whatever caused the need to patch is a failure. The only proper path to better security is to build the item so it doesn’t need patching — so the failure doesn’t occur, or has some built-in alternative protection.
This is, by the way, one of the reasons that open source is not “more secure” simply because the source is available for patching — the flaws are still there, and often the systems don’t get patched because they aren’t connected to any official patching and support regime. Others may be in locations or circumstances where they simply cannot be patched quickly — or perhaps not patched at all. That is also an argument against disclosure of some vulnerabilities unless they are known to be in play — if the vulnerability is disclosed but cannot be patched on critical systems, it simply endangers those systems. Heartbleed is an example of this, especially as it is being found in embedded systems that may not be easily patched.
But there is another problem with relying on patching — when the responsible parties are unable or unwilling to provide a patch, and that is especially the case when the vulnerability is being actively exploited.
In late January, a network worm was discovered that was exploiting a vulnerability in Linksys routers. The worm was reported to the vendor and some CERT teams. A group at the Internet Storm Center analyzed the worm, and named it TheMoon. They identified vulnerabilities in scripts associated with Linksys E-series and N-series routers that allowed the worm to propagate, and for the devices to be misused.
Linksys published instructions on their website to reduce the threat, but it is not a fix, according to reports from affected users — especially for those who want to use remote administration. At the time, a posting at Linksys claimed a firmware fix would be published “in the coming weeks.”
Fast forward to today, three months later, and a fix has yet to be published, according to Brett Glass, the discoverer of the original worm.
Complicating the fix may be the fact that Belkin acquired Linksys. Belkin does not have a spotless reputation for customer relations; this certainly doesn’t help. I have been copied on several emails from Mr. Glass to personnel at Belkin, and none have received replies. It may well be that they have decided that it is not worth the cost of building, testing, and distributing a fix.
I have heard that some users are replacing their vulnerable systems with those by vendors who have greater responsiveness to their customers’ security concerns. However, this requires capital expenses, and not all customers are in a position to do this. Smaller users may prefer to continue to use their equipment despite the compromise (it doesn’t obviously endanger them — as yet), and naive users simply may not know about the problem (or believe it has been fixed).
At this point we have vulnerable systems, the vendor is not providing a fix, the vulnerability is being exploited and is widely known, and the system involved is in widespread use. Of what use is patching in such a circumstance? How is patching better than having properly designed and tested the product in the first place?
Of course, that isn’t the only question that comes to mind. For instance, who is responsible for fixing the situation — either by getting a patch out and installed, or replacing the vulnerable infrastructure? And who pays? Fixing problems is not free.
Ultimately, we all pay because we do not appropriately value security from the start. That conclusion can be drawn from incidents small (individual machine) to medium (e.g., the Target thefts) to very large (government-sponsored thefts). One wonders what it will take to change that. How do we patch people’s bad attitudes about security — or better yet, how do we build in a better attitude?
William Wyatt Starnes passed away unexpectedly on May 10th, 2014 at the age of 59. Wyatt was a serial entrepreneur, known for his work in computing — and especially cyber protection — as well as for his mentorship and public service.
Wyatt graduated from Ygnacio Valley High School in Concord, CA, in 1972, and then obtained an Associates Degree from the Control Data Institute. His first full-time job was at Data General, and he went on to hold technical positions with Monolithic Memories, Maruman Integrated Circuits, and then Megatest Corporation. While at Megatest, Wyatt moved into management, where he showed significant expertise, and was eventually promoted to VP of Sales and Marketing. He subsequently moved to Tokyo for several years as the President of Megatest Japan. Although the remainder of his career was in management positions, he continued to work in technology, and was named as inventor or co-inventor of a number of patents in later years.
Upon leaving Megatest, Wyatt moved to Portland, Oregon, where he lived for the rest of his life. In Portland, he worked for several firms before founding his own company, Eclipse Technologies, Inc., and then Infinite Pictures. During that time, he met Gene Kim (one of my former students). Wyatt then founded Visual Computing, Inc., with Gene. They had originally planned on producing an immersive MMORPG named “Piggyland.” (I still have some of the marketing literature for this!) It used some novel technology and a great deal of humor, but before it had progressed very far, a series of coincidences led them to start Tripwire Security Services as a subsidiary, to produce software to secure MMORPGs and similar games. In short order, it became clear that Tripwire was the real path to success, and they transformed Infinite Pictures and TSS into Tripwire, Inc.
Wyatt was the CEO of Tripwire from 1997 to 2004 (Gene was CTO). In 2004, after a bout with cancer weakened him and forced him to step down from managing Tripwire, Wyatt founded the first version of the company SignaCert, and served as its CEO for the next six years. In 2010, SignaCert was acquired by Harris Corporation, and Wyatt served as the VP of Advanced Concepts and CTO for Cyber until 2012, when he retired. (NB. SignaCert has since begun a “second life” after being sold by Harris.) Over his career, Wyatt also served on the boards of Swan Island Networks of Portland, Oregon; Comprehensive Intelligence Technology Training Corporation of Annapolis, Maryland; and Symbium Software of Ottawa, Ontario.
During his 15-year career as a leading executive in cyber security, Wyatt was a driven and passionate advocate for better security and better design. He spoke at industry and community events, and was asked to join several high-level government and industry advisory boards, including TechAmerica Foundation’s CLOUD2 Commission, NIST’s Visiting Committee on Advanced Technologies (VCAT), and the Oregon Executive Council of the American Electronics Association (AeA), among others. In Portland, he was cofounder of the innovative RAINS network (Regional Alliances for Infrastructure and Network Security), a nonprofit public/private alliance (now defunct) formed to accelerate development, deployment and adoption of innovative technology for homeland security.
Wyatt was known for business acumen with a human touch — he cared about the people who worked for him, his customers, and the world around him. He made time for others when they needed it, and that is a rare quality in someone serving as a CEO. Although highly focused on his business duties, Wyatt was seemingly always willing to lend a smile, and listen to what others had to say. He was also known for his fondness for good wine and good humor.
As the designer of the original Tripwire and SignaCert offerings, I have known and worked with Wyatt for nearly 20 years. When he was undergoing treatment for his life-threatening condition in the mid-2000s, we had many conversations about the nature of existence and the future. Then, and throughout the time I knew him, Wyatt expressed a strong commitment to living in the present — to not put off things (including people) that might then be forgotten…and regretted.
Some people believe that exiting life with the largest bank account is success. Wyatt believed that making the world a better place was true success. He wrote in his LinkedIn profile under “Awards and Honors”:
My reward comes from the special opportunity to do something important that (hopefully) leaves the world a better place.
And it is an honor to share what I have learned with others that aspire to create lasting contributions with their lives.
By those measures, he clearly was a huge success — his companies, his advocacy, his mentoring, and his friendship changed the lives of many, many people for the better. Wyatt Starnes will be greatly missed.
Some other media accounts of Wyatt’s passing:
Purdue University is a land-grant university, founded in 1869. As a land-grant university, our focus has always been on service to the public good — providing excellent education and research results for the betterment of the world around us. While many universities take great pride at their faculty’s leverage of research to launch new companies or publish many academic papers, we’ve always been very focused on delivering a truly world-class education and performing “game changer” discovery.
The Purdue community just celebrated a reunion of astronaut alumni — a visible symbol of the spirit of service and exploration inherent in our makeup. Purdue is the alma mater of more astronauts than any other university; the first and last men to walk on the moon were Purdue alumni. They did not do it for profit or fame — they did what they did to advance science, to push back boundaries of ignorance, and to give others something to dream about. Purdue’s story is full of people like that, from around the nation and around the world. Our students come from well over a hundred countries, and our graduates go out to improve the lives of people in at least that number.
Our history of exploration and being there “first” extends to many other areas, including the first degree-granting CS department (founded in 1962), the first dedicated freshman engineering program, the first television broadcast, and having the fastest campus supercomputer in the world. (A few other notable firsts are detailed here and here.)
But more to the point of this blog, Purdue is the location of CERIAS — the first multidisciplinary institute in cyber security and privacy research, and the home of the first defined degree in information security.
CERIAS is not a department within the university. We are a cross-cutting, multidisciplinary institute at the university, supported largely with soft funds: the vast majority of our funding has always come from small, outside donations by companies and foundations. Our finances depend on the generosity of others, but we are structured so as to not be beholden to the government or one or two big commercial entities that can dictate the direction of our efforts. Instead, we investigate those ideas that our faculty think will solve real problems and help others in what they want to do. Some of our organizational donors are partners in our program, providing advice and research assistance for our efforts, and they reap the rewards in new hires and new ideas (see the link for information on how your organization can join the program).
Historically, we have not done much to solicit others to support CERIAS, although it has always been possible for anyone to make a donation. But that will change, for one special day, April 30th. And we would like everyone who cares about our mission and our future to consider making a donation, even if it is only a small amount.
The first-ever Purdue Day of Giving, a 24-hour online event designed to boost Purdue visibility and support, will take place Wednesday, April 30. CERIAS, and many other campus units, will be promoting Purdue efforts -- granting opportunities, launching dreams, and achieving greatness while promoting an affordable and accessible Purdue.
Plus, every (tax-deductible in the US, at least) donation to CERIAS will receive an additional percentage match from the University. Thus, your donation on April 30th will support CERIAS to an even greater extent than your donation alone! This is a special one-day-only opportunity for your gift, large or small! Also, if your employer does charitable matches, please be sure to let them know to match your donation, increasing your impact even further!
Your donation can be made through the website http://dayofgiving.purdue.edu/ (click on “CERIAS” near the bottom of the page), by texting “PurdueCERIAS” (case non-sensitive) to 41444 (you will receive a reply text with more details) or by the telephone at 1-800-319-2199.
But the Purdue Day of Giving is much more than an opportunity to support CERIAS; it’s about helping spread the word about us, our great history and our brighter future, along with Purdue's drive to re-define college education. If you’re associated with Purdue, whether or not you make a donation, you can help by posting your story -- or sharing/re-tweeting one of ours -- in social media; just add @cerias and #PurdueDayofGiving to your posts and tweets. The University has contests and incentives in place for CERIAS and other units that have friends and alumni posting about #PurdueDayofGiving.
Track our progress and enjoy the day-long series of announcements and highlight videos (one of them featuring a certain bearded professor known for his fondness for bowties) at http://dayofgiving.purdue.edu/. Don’t wait until April 30 to join the fun; visit http://dayofgiving.purdue.edu/ now, view videos of some of the exciting student success stories, and sign up for an email to remind you on the 30th to pay it forward. And please, pass along a link to this blog entry to others who you think might be interested in helping.
Thank you to all of our friends, alumni, and partners for their past support, and thank you in advance for helping to “spread the word.” We do hope that you will take this opportunity to provide a donation that day — even if it’s a small one — to help us advance our work towards a safer and more secure future.