Vulnerabilities Part 1: What Are Vulnerabilities?
About three months ago I started drafting a blog about vulnerabilities. This is a topic that I speak about frequently and is often misunderstood so I thought it would make for an easy and informative blog.
What I discovered is that writing about this topic demands a lot more work than just speaking about it, and this one blog has turned into many. So this week I am finally going to start a blog series on vulnerabilities where I will explain vulnerabilities at a level where the average computer user can understand the topic. Here is the tentative list of blog titles:
What are vulnerabilities?
Discovering vulnerabilities
Public disclosure of vulnerabilities
Patching vulnerabilities
What are Vulnerabilities?
The formal definition of a vulnerability can be found here. If you’re not in the IT industry, you probably just read a few buzz words in between what sounded like the teacher in the Peanuts cartoon. To put it in layman’s terms, a vulnerability is a weakness in software that, when exploited, can give an attacker the means to do something malicious or unauthorized. While a vulnerability in the context of this article is a weakness in software, it is similar to vulnerabilities in the physical world as well.
Remember the Kryptonite bicycle lock? The Kryptonite lock was synonymous with strength. The steel tube was much stronger than traditional chain locks and easier to use and store. However, in 2004 someone figured out that these tough locks could easily be hacked with the innards of a cheap ballpoint pen. There were other instances of similar bicycle locks being opened with canned air and a hammer.
It’s unlikely that bike lock manufacturers purposely placed a “backdoor” in their products so they could be hacked by pens and cans of compressed air. Creative thieves discovered these tricks so they could steal bikes. The same thing happens with software and there are people making millions of dollars a year just by finding vulnerabilities.
Why Should You Care About Vulnerabilities?
Let’s start with your smartphone and home computers. As you probably know, Apple, Microsoft and Google create software updates every month for those devices. Some of those updates add new features but many of them are bug fixes or patches for vulnerabilities. These devices get updates automatically so you don’t have to think much about it beyond your computer or mobile device forcing you to reboot. There are generally three categories of software that the average person uses and each can have vulnerabilities.
Operating Systems - All major operating systems, including Windows, macOS, Linux, iOS, and Android, get automatic updates.
Software Applications/Apps - Apps in the iOS and Android app stores also get automatic updates from the vendor. However, just because an app is in the app store doesn’t mean that the software developer is supporting and updating it, so be careful what you install. Software that you install on your computer, like Adobe’s Photoshop, Microsoft Office, finance or tax software, and even games, may or may not come with automatic updates, and the more software you install, the more likely you are to have vulnerabilities.
Firmware - Some systems on your network will have the operating system and software all bundled up into one package called firmware. Firmware is mostly found on Internet of Things (IoT) devices like a smart doorbell or smart light bulb. When these are updated, the whole package of operating system and software is replaced by the new, patched version.
Automatic updates are an essential part of good security hygiene to keep your systems and network secure.
Speaking of your network, you might not think about your home Internet connection as a “home network” but that’s what it is. In fact, your home network has probably grown a lot in the past few years.
There are generally 6 types of systems on a home network.
Infrastructure devices - router, hub, switch, Wi-Fi repeaters/extenders
Laptops and desktops
Gaming systems (gaming PCs, Xbox, PlayStation, etc.)
Mobile devices (smartphones, tablets, wearables)
Network-attached storage (NAS), printers and other output devices
Internet of Things (IoT) devices - “Smart” devices like smart TVs, smart light bulbs, smart thermostats, smart doorbells
Just like your computers and mobile devices, these most certainly have vulnerabilities. Some have been discovered and patched and others will be discovered in the future. Whether you know it or not, you are responsible for securing, patching and keeping all of these devices updated with the latest patches. This is a pretty easy job when it comes to your computers and mobile devices since they update automatically, but what you may not know is that many of the other devices on your network likely do not get automatic updates.
Now that you are aware of your job as a system and network administrator, let’s talk about how you manage that work. A good exercise is to count how many of each of these devices you have in your home. Once you make that list, do some research to see which devices on your network get updates automatically. What’s left is a list of devices that you need to update manually.
The epicenter of your home network is your home router. It’s the device that connects to the Internet and also protects the devices in your home from regular attacks coming from the Internet. The router contains a lot of functionality.
Firewall – Protects your home network from constant attacks from the Internet
DHCP server – Assigns an IP address to each of the devices that connect to your network
NAT server – Acts on behalf of each device on your network to make requests to servers on the Internet. Then, when the reply comes back, it sends the reply to your device.
Your router also may include a time server, DNS relay, and maybe even a VPN server.
Unlike your smartphone and personal computer, many home routers do not have the ability to receive automatic updates and patches for known vulnerabilities. This is insane, right? I mean, this is the one device that is protecting your home network from regular Internet attacks, and the only way that it will be patched is if you, the owner, check the website of the manufacturer of the router to see if there is an update. If so, you have to manually download and install that update. Did anyone tell you this? No, and as a result, there are countless vulnerable routers that are directly connected to the Internet and vulnerable to an attack. Check if your router updates automatically; if not, it’s probably time to get a new router.
How Common Are Vulnerabilities?
Most people don’t hear about vulnerabilities on a daily basis, but when a story about a vulnerability in software hits the news, the public outcry is often to stop using that software. In many cases, this is an overreaction. Vulnerabilities are a part of all of our lives whether we know it or not. We are all using unpatched, vulnerable computers; it’s just not part of our daily concerns, and it shouldn’t be. However, we need to be aware that vulnerabilities exist in all computers and take defensive action.
Physically, our cars have a lot of vulnerabilities. The windows, for example, are easy to break, which allows someone to gain entry without a key. This can be used for bad, to steal things from your car, or steal the car itself. It can also be used for good, to save a pet or child who is locked in the car on a hot day. We all know about this vulnerability and we take defensive action, such as parking the car in a garage, or installing an alarm, or just keeping our belongings out of sight if the car is parked in public.
Now back to computers. All computers have vulnerabilities. With very few exceptions, this is a reasonable assumption. Additionally, all IoT devices are computers so all IoT devices have vulnerabilities. Since we now know that your router is protecting your home network, and all the devices on that network, from attacks, let’s see how frequent those attacks are.
I installed a consumer-grade intrusion prevention system (IPS) outside of my home firewall to not only block malicious attacks, but also report them to me. You can see in the screenshot that over a 24-hour period, my consumer-grade home network was attacked 3,552 times. That is 148 attacks per hour or almost 2.5 attacks per minute. Your home network is likely under the same level of attack.
The good news is that your router is great at stopping these attacks. The bad news is that if your router has a known, unpatched vulnerability, attackers will eventually find and attack your router, which could give them access to your home network.
Take a look at the companies who make the operating systems for your PC, Mac, iPhone, Android phone, almost all of your IoT devices (which probably run some version of Linux), and the servers that run almost all of our cloud systems (also Linux). They are all listed in the top 10 vendors with the most vulnerabilities, as shown in the picture below. Now keep in mind, all or almost all of these vulnerabilities have been patched. The point is that every month, we get patches for all of these systems because every month, new vulnerabilities are discovered. Next week, we’ll find out who is finding these vulnerabilities, and why.