Twenty Seconds In the Future

You Are Twenty Seconds In the Future
At the Crossroads of Business & Technology
With your Technology Coach, Dr. Bob Spencer

Dr. Bob's most current blog posting...

Don't Let Friends Come In The Back Door.

We lived in the South for decades, where friends came to the back door and salesmen came to the front door. Lately, though, there has been a lot of talk about the dangers of a different kind of backdoor. In software, a backdoor is code that lets someone into a system without signing on, without knowing a password, and without the access restrictions a normal account would carry. Whoever comes in through a backdoor has free rein to go where they wish and do what they wish.

If this frightens you, you should know that it has actually been common practice for many decades. I could go back to the 70's (wow, that is a long time ago) when I wrote accounting software solutions in COBOL (no snickering out there) and also wrote machine and assembly language code for IBM mainframes. It was common for programmers to write backdoors into their programs for quick access. We did so for speed and efficiency, so we could fix problems quickly without the time it took to log in properly. Plus, we granted ourselves rights through the backdoor that we would not have had if we had entered via a proper login.

That was forty years ago, so obviously this practice has not been allowed to continue, has it? Sorry, but the practice of building in backdoors is alive and well, and pervasive. Rumors that the NSA, for example, forced computer hardware and software manufacturers to include backdoors for its use in infiltrating our systems were rampant only a few months ago; gee, I wonder why the reports stopped? Anyway, I do not find the notion hard to believe on a number of levels. So not only our application software, but even the operating system software and the firmware that drives the physical components all may have (I have to say "may" to cover myself legally) backdoors. Here is a good article by Jeremy Kirk at IDG News Service, titled "Study finds firmware plagued by poor encryption and backdoors," that may be worth the read for you.

The article describes how “backdoors,” or ways to access devices that have been cemented into the firmware’s code, were also prevalent. It is a bad security practice, but developers often forget to remove backdoors before code is released, or underestimate the ability of hackers to find them. The researchers also found problems in the way different firmware images employ digital certificates to enable encryption. They uncovered 41 digital certificates in firmware that were self-signed, with the matching private RSA key stored alongside them in the firmware image, and about 35,000 devices were online using these certificates. In other words, a device that presents a certificate to our browsers and other software as proof of its identity may be using a certificate that nobody independently vouched for, and whose private key anyone who downloads the firmware image can extract. That is not all that safe at all!

As I prepare to present both a Security general session and a new conference session on the Internet of Things for K2 Enterprises this fall, I have been digging into the current state of things, and this particular article reports that the researchers found the exact same backdoor in 44 CCTV cameras from different vendors, and in home routers from an unnamed “major networking equipment vendor.” So the same backdoor existed in products from many different vendors, leaving all of those products vulnerable to attack.

All of the affected devices, it turned out, used a networking chip from a third manufacturer, who had apparently left the backdoor in the chip's firmware for debugging purposes. The researchers weren’t sure who the chip vendor was, but they planned to acquire some of the devices and do more research.
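One concrete thing to hand your IT staff along with the article: a script that pulls a firmware image apart looking for the two things the study turned up, baked-in private keys and hard-coded maintenance credentials, and that correlates key fingerprints across images so a single key shared by many vendors' products (the shared-chip situation above) stands out. This is an added example written for this page, not code from the study, the article, or any vendor. The firmware images, the PEM blob (which is not a real key) and the credential pattern are all constructed for illustration; the regular expressions are heuristics you would tune against real images.

```python
"""Scan firmware images for PEM private keys and hard-coded maintenance
credentials, then report any key that shows up in more than one image.
Everything below (images, key blob, patterns) is constructed for this
example so it runs offline."""
import hashlib
import re
from collections import defaultdict

# PEM_RE captures a whole private-key block (RSA, EC or PKCS#8 style header).
PEM_RE = re.compile(
    rb"-----BEGIN (?:RSA |EC |)PRIVATE KEY-----.*?-----END (?:RSA |EC |)PRIVATE KEY-----",
    re.DOTALL,
)
# CRED_RE is a constructed heuristic: a "debug"/"backdoor"/"maint"/"master"
# prefix, a password-ish word, and an assignment of printable characters.
CRED_RE = re.compile(
    rb"(?:backdoor|debug|maint|master)[_\-]?(?:pass(?:word)?|pwd|key|login)\s*[=:]\s*[\x21-\x7e]{4,64}",
    re.IGNORECASE,
)


def find_private_keys(image: bytes) -> list[bytes]:
    """Return every PEM private-key block embedded in the image."""
    return [m.group(0) for m in PEM_RE.finditer(image)]


def find_hardcoded_credentials(image: bytes) -> list[str]:
    """Return printable strings that look like a hard-coded login."""
    return [m.group(0).decode("ascii", "replace") for m in CRED_RE.finditer(image)]


def key_fingerprint(pem: bytes) -> str:
    """Hash the key with all whitespace removed, so the same key saved with
    LF in one image and CRLF in another still yields the same fingerprint."""
    body = b"".join(pem.split())
    return hashlib.sha256(body).hexdigest()[:16]


def scan_images(images: dict[str, bytes]) -> dict:
    """Per-image findings plus the fingerprints shared by more than one image."""
    report = {"images": {}, "shared_keys": {}}
    seen = defaultdict(list)
    for name, image in images.items():
        fps = [key_fingerprint(k) for k in find_private_keys(image)]
        for fp in fps:
            seen[fp].append(name)
        report["images"][name] = {
            "private_keys": fps,
            "hardcoded_credentials": find_hardcoded_credentials(image),
        }
    report["shared_keys"] = {fp: names for fp, names in seen.items() if len(names) > 1}
    return report


# Constructed sample images. FAKE_PEM is NOT a real key, only a PEM-shaped blob.
FAKE_PEM = (
    b"-----BEGIN RSA PRIVATE KEY-----\n"
    b"MIIBOgIBAAJBAKexampleONLYnotArealKEY0000000000000000000000000000\n"
    b"-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_IMAGES = {
    # Camera image: carries the shared key and a debug login left in by mistake.
    "vendorA_cctv_v1.2.bin": b"\x7fELF...." + b"\x00" * 32 + FAKE_PEM + b"\x00" * 16
    + b"debug_password=letmein123\x00",
    # Router image from a different vendor: same key, different line endings.
    "vendorB_router_fw.bin": b"\x00" * 8 + FAKE_PEM.replace(b"\n", b"\r\n") + b"\x00" * 8,
    # A clean image for comparison.
    "vendorC_clean.bin": b"\x00" * 64 + b"user login required\x00",
}

if __name__ == "__main__":
    import json
    print(json.dumps(scan_images(SAMPLE_IMAGES), indent=2))
```

Run it and the JSON report lists the key fingerprint found in both the camera and the router image under shared_keys, plus the debug login in the camera image. On a real device you would first unpack the image (binwalk does the job for most formats) and run the scan over the extracted filesystem; the same fingerprint turning up in products from unrelated vendors is the tell that they share a component supplier's firmware, which is exactly how one chip vendor's leftover backdoor ended up in 44 cameras.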

The article has a lot of scary stuff in it, so please do not read it to your five-year-old before bed. But I highly recommend you take a look, and pass it on to your IT staff with the question, "So what do we do next?"


Dr. Bob Spencer Twenty Seconds In the Future
Strategic Technology Services
Technology Consultations & Assessments,
IT Audits and Security Reviews
Software Selection and Implementation


Copyright 1986 - 2014 Robert H. Spencer, PhD All rights Reserved