
Blaster worm: Lessons learned a decade later

Aaron Turner | Aug. 19, 2013
Aaron Turner remembers the frantic days, and sleepless nights, around battling Blaster a decade ago, and reflects on what we've learned, and work still yet to be done.

The underlying technology problems have not been solved. The root cause of Blaster was a vulnerability in Microsoft's operating systems. But the contributing factor which exponentially increased the impact of the worm was the fact that Microsoft's customers were not properly managing their technology infrastructures.

When I go to conferences and speak on the topic of mobile security today, this is one of the key points I focus on: configuration management is getting WORSE, not better. A few years ago, I started playing a game I call Smartphone Bingo. It requires everyone sitting in the room to take out their smartphone or tablet, open the settings of the device and find the version of the operating system. I then start a sort of reverse auction, calling out version numbers to see who has the oldest, unpatched version.

Sometimes we limit the devices in our Bingo game to just corporate-issued devices. It is shocking to me that even the most mature organizations are completely ignoring the very hard-learned lessons about configuration management on the ever-increasing numbers of mobile devices. One organization I spoke with last year had 60,000+ smartphones and estimated that it had 20,000+ different configurations/versions of those smartphones deployed. Over the last few years, we've seen more and more evidence of attackers targeting mobile technology either for direct financial gain or to steal intellectual property for longer-term advantage. The lack of effective configuration management on enterprise-connected mobile devices makes their jobs incredibly easy.

Imagine I had a time machine and I went back to August of 2004. On that imaginary trip, I sit down with the CIOs/CISOs of the Microsoft customers I had just spent the last year helping to recover from Blaster and tell them that in 2013 they are relying on the goodwill of mall kiosk employees to keep their enterprise mobile technology configured in a way that prevents a system compromise. I'm sure they would laugh in our imaginary conversation. How could anyone believe that we, as technology and information security professionals, would set ourselves up to fail again the way we did in 2003?

Unfortunately, the reality is that we ARE setting ourselves up to fail. Every unpatched Android or iOS device that you let have full access to Exchange ActiveSync is an invitation to the miscreants to steal your company's email, attachments and contact lists. Every time I bring this up at a conference, there are always people who respond, "I'm just a little company in an obscure industry! Surely the attackers are going after bigger fish than me!"

The reality is that attackers are going after targets of opportunity just as often as they are dedicating their efforts to attacking a specific organization. If you are not enforcing strict mobile technology configuration management policies, you are getting on a risk management treadmill that will grind you down, chew you up and leave you worn out. While I do not believe we will ever see another Blaster-level event which impacts billions of systems, I am certain that configuration management failures are being exploited every day, both opportunistically and during targeted attacks. In helping our consulting customers, we've seen some very interesting non-persistent exploits run against iOS and Android devices that leave very few forensic traces.
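The policy the two paragraphs above argue for, an unpatched device does not get mailbox access, and an organization should know how many distinct configurations it is actually running, can be turned into a small gate over a device inventory. The following is an added example and is not code from the article or from any MDM or Exchange product; the minimum-version figures are assumed policy values, and the inventory records are constructed to look like the fields an MDM or ActiveSync device listing exports. Two details matter in practice and are handled here: OS versions must be compared numerically, since as text "4.10" sorts before "4.2.2", and a device whose platform has no policy or whose version cannot be parsed is blocked rather than waved through.

```python
"""Mobile configuration-management gate: decide per device whether it is
patched enough to be granted mailbox (e.g. ActiveSync) access, and measure
configuration sprawl. Added example; not code from the article."""
import re
from collections import Counter

# Assumed policy: minimum OS version per platform. Illustrative values only.
MINIMUM_VERSION = {
    "iOS": "6.1.3",
    "Android": "4.2.2",
}

# Constructed inventory (not real data), shaped like the fields an MDM or
# ActiveSync device listing exports. Note the duplicate configuration
# (alice and heidi) and the deliberately odd versions for erin and grace.
INVENTORY = [
    {"user": "alice", "platform": "iOS",        "os_version": "6.1.3",   "model": "iPhone5,1"},
    {"user": "bob",   "platform": "iOS",        "os_version": "5.1.1",   "model": "iPhone4,1"},
    {"user": "carol", "platform": "Android",    "os_version": "4.2.2",   "model": "Nexus 4"},
    {"user": "dave",  "platform": "Android",    "os_version": "4.0.4",   "model": "GT-I9100"},
    {"user": "erin",  "platform": "Android",    "os_version": "4.10",    "model": "Nexus 4"},
    {"user": "frank", "platform": "BlackBerry", "os_version": "7.1",     "model": "9900"},
    {"user": "grace", "platform": "iOS",        "os_version": "unknown", "model": "iPad2,1"},
    {"user": "heidi", "platform": "iOS",        "os_version": "6.1.3",   "model": "iPhone5,1"},
]

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(text):
    """Turn '4.2.2' into (4, 2, 2) so versions compare numerically.
    Comparing the raw strings is wrong: '4.10' < '4.2.2' as text."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError("unparsable version: %r" % text)
    return tuple(int(part) for part in text.split("."))


def meets_minimum(version, minimum):
    """True if version >= minimum, padding shorter tuples with zeros so
    that (4, 2) is treated as (4, 2, 0)."""
    width = max(len(version), len(minimum))

    def pad(v):
        return v + (0,) * (width - len(v))

    return pad(version) >= pad(minimum)


def evaluate(device):
    """Return ('allow' | 'block', reason). Fails closed: an unknown platform
    or a version string we cannot parse is blocked, not waved through."""
    minimum = MINIMUM_VERSION.get(device["platform"])
    if minimum is None:
        return "block", "no policy for platform %s" % device["platform"]
    try:
        version = parse_version(device["os_version"])
    except ValueError as exc:
        return "block", str(exc)
    if not meets_minimum(version, parse_version(minimum)):
        return "block", "%s %s below minimum %s" % (
            device["platform"], device["os_version"], minimum)
    return "allow", "patched"


def distinct_configurations(inventory):
    """Count devices per (platform, os_version, model): the 'how many
    configurations are we really running' number."""
    return Counter((d["platform"], d["os_version"], d["model"]) for d in inventory)


def audit(inventory):
    """Evaluate every device and return a summary that can be acted on."""
    decisions = {d["user"]: evaluate(d) for d in inventory}
    blocked = sorted(u for u, (verdict, _) in decisions.items() if verdict == "block")
    return {
        "devices": len(inventory),
        "configurations": len(distinct_configurations(inventory)),
        "blocked": blocked,
        "decisions": decisions,
    }


if __name__ == "__main__":
    summary = audit(INVENTORY)
    print("%d devices, %d distinct configurations"
          % (summary["devices"], summary["configurations"]))
    for user, (verdict, reason) in sorted(summary["decisions"].items()):
        print("%-6s %-5s %s" % (user, verdict, reason))
```

Run stand-alone it lists eight devices across seven configurations and blocks bob and dave (below minimum), frank (no policy for the platform) and grace (unparsable version), while erin's "4.10" is correctly treated as newer than "4.2.2". In a real deployment the block decision would feed whatever mechanism actually gates the mailbox (a device access rule or quarantine in the mail server, or an MDM compliance flag); the gate logic itself is the part that tends to be missing.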

