Have we made progress since then?
The Morris Worm is No Longer a Teenager
November 3rd, 2008 · 5 Comments
Tags: Uncategorized
-
Who's Blogging (most recent blogs first)
- Lydia Leong
- Andrea DiMaio
- Whit Andrews
- Michael Maoz
- Kathy Harris
- John Pescatore
- Bruce Robertson
- Nick Jones
- Phillip Redman
- Mark McDonald
- Adam Hils
- Jim Sinur
- Jim Holincheck
- Thomas Otter
- Donna Fitzgerald
- Jeffrey Mann
- Anthony Bradley
- Andrew White
- Eric Knipp
- Mike McGuire
- Andrew Frank
- David McCoy
- Greg Young
- David Cappuccio
- Brian Prentice
- Debbie Wilson
- Earl Perkins
- Kristin Moyer
- Neil MacDonald
- Eric Goodness
- Michael Blechar
- Richard Fouts
- Gene Alvarez
- Jim Lundy
- Scott Nelson
- Nick Gall
- French Caldwell
- Mark Raskino
- Mark Driver
- Donald Feinberg
- Benoit Lheureux
- Martin Reynolds
- Business Continuity
- David M Smith
- Tom Austin
- Frank Kenney
- Ray Valdes
- Robert DeSisto
- Roberta Witty
- Daryl Plummer
- Allen Weiner
- Frank Ridder
- Dan Sholler
- Toby Bell
- Carol Rozwell
- Wes Rishel
- Thomas Bittman
- Debra Logan
- Brian Gammage
- Van Baker
- Dwight Klappich
- Tole Hart
- Brian Burke
- David Cearley
- David Norton
- Gene Phifer
- Jeff Roster
- Steve Prentice
- Cameron Haight
- Andreas Bitterer
- Tom Murphy
- Nikos Drakos
- Val Sribar
-
Recent Posts
- Guest Blogger: John Girard on Simple Steps to Avoid Common WLAN Hot Spot Security Pitfalls
- Back from the Whirlwind - Gartner Information Security Summit Recap
- Day One: Gartner Information Security Summit
- There Is Absolutely Nothing Security-Relevant About This Weeks Top News Stories
- Point-CounterPoint: Security Issues of Top Level Domain DNS Redirection
Categories
Tags
Archives
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.
© 2009 Gartner, Inc and/or its affiliates. All rights reserved.
5 responses so far ↓
1 Nick Gall // Nov 6, 2008 at 7:18 pm
John, Nice slide. But things weren’t quite O&H before 1985. Here’s a good list of hacks/cracks going back to 1961: http://www.geocities.com/SiliconValley/Lab/7378/hacker.htm !
I guess there’s no free lunch: the more people who have access to interfaces with more “surface area”, the more hacks/cracks there will be. Look how little surface area an old POTS phone offers, yet Cap’n Crunch found a way to hack it.
2 John Pescatore // Nov 6, 2008 at 8:54 pm
I worked at GTE for 11 years - the telephone system actually had huge surface area. The major, major failing was using in-band signaling and depending on “security through obscurity” - assuming no one would figure what in band signaling tones were used just because they were being filtered out, or assuming that because a dial-in modem number was not published that no one would find it.
That’s why most of those hacks before the PC and the Internet were telephone system hacks - the attack surface was huge and the security was almost non existent. Sorta like Windows when it first came out…
3 Nick Gall // Nov 6, 2008 at 10:15 pm
I guess it depends on how one defines “surface area”. With the old phone system you couldn’t inject code. With today’s web pages that SOP. Code injection, whether javascript or exe malware is HUGE surface area compared to signaling tones.
4 John Pescatore // Nov 7, 2008 at 8:48 am
You most certainly could inject code - signaling tones weren’t the only access point those hacks used. Dial-in modems to PBXs and switching stations were the attack surface - and they were wide open, depending on security through obscurity with unpublished phone numbers and the assumption that no one would know the arcane commands and languages used.
Now, i will agree that the *bandwidth* of the attack surface was slower, and at least the user devices (phones on the telephone system and dumb terminals on mainframes) weren’t attackable. Today, IP phones and PCs have huge attack surfaces.
5 The Daily Incite - 11/06/08 - No sharing (and it’s a problem) [Security Incite Rants] | Small Business System // Nov 8, 2008 at 12:04 am
[...] That’s kind of cool. Pescatore is one of the security bloggers and makes the point that the Morris worm is no longer a teenager. Funny thing is that I was actually at Cornell when the worm hit. I vaguely remember some [...]
Leave a Comment