Comments on: The Morris Worm is No Longer a Teenager http://blogs.gartner.com/john_pescatore/2008/11/03/the-morris-worm-is-no-longer-a-teenager/ A member of the Gartner Blog Network Thu, 19 Nov 2009 18:00:12 -0500 http://wordpress.org/?v=2.8.4 hourly 1 By: The Daily Incite - 11/06/08 - No sharing (and it’s a problem) [Security Incite Rants] | Small Business System http://blogs.gartner.com/john_pescatore/2008/11/03/the-morris-worm-is-no-longer-a-teenager/comment-page-1/#comment-114 The Daily Incite - 11/06/08 - No sharing (and it’s a problem) [Security Incite Rants] | Small Business System Sat, 08 Nov 2008 04:04:55 +0000 http://blogs.gartner.com/john_pescatore/?p=179#comment-114 [...] That’s kind of cool. Pescatore is one of the security bloggers and makes the point that the Morris worm is no longer a teenager. Funny thing is that I was actually at Cornell when the worm hit. I vaguely remember some [...] [...] That’s kind of cool. Pescatore is one of the security bloggers and makes the point that the Morris worm is no longer a teenager. Funny thing is that I was actually at Cornell when the worm hit. I vaguely remember some [...]

]]> By: John Pescatore http://blogs.gartner.com/john_pescatore/2008/11/03/the-morris-worm-is-no-longer-a-teenager/comment-page-1/#comment-103 John Pescatore Fri, 07 Nov 2008 12:48:01 +0000 http://blogs.gartner.com/john_pescatore/?p=179#comment-103 You most certainly could inject code - signaling tones weren't the only access point those hacks used. Dial-in modems to PBXs and switching stations were the attack surface - and they were wide open, depending on security through obscurity with unpublished phone numbers and the assumption that no one would know the arcane commands and languages used. Now, i will agree that the *bandwidth* of the attack surface was slower, and at least the user devices (phones on the telephone system and dumb terminals on mainframes) weren't attackable. Today, IP phones and PCs have huge attack surfaces. You most certainly could inject code – signaling tones weren’t the only access point those hacks used. Dial-in modems to PBXs and switching stations were the attack surface – and they were wide open, depending on security through obscurity with unpublished phone numbers and the assumption that no one would know the arcane commands and languages used.

Now, i will agree that the *bandwidth* of the attack surface was slower, and at least the user devices (phones on the telephone system and dumb terminals on mainframes) weren’t attackable. Today, IP phones and PCs have huge attack surfaces.

]]> By: Nick Gall http://blogs.gartner.com/john_pescatore/2008/11/03/the-morris-worm-is-no-longer-a-teenager/comment-page-1/#comment-101 Nick Gall Fri, 07 Nov 2008 02:15:35 +0000 http://blogs.gartner.com/john_pescatore/?p=179#comment-101 I guess it depends on how one defines "surface area". With the old phone system you couldn't inject code. With today's web pages that SOP. Code injection, whether javascript or exe malware is HUGE surface area compared to signaling tones. I guess it depends on how one defines “surface area”. With the old phone system you couldn’t inject code. With today’s web pages that SOP. Code injection, whether javascript or exe malware is HUGE surface area compared to signaling tones.

]]> By: John Pescatore http://blogs.gartner.com/john_pescatore/2008/11/03/the-morris-worm-is-no-longer-a-teenager/comment-page-1/#comment-100 John Pescatore Fri, 07 Nov 2008 00:54:56 +0000 http://blogs.gartner.com/john_pescatore/?p=179#comment-100 I worked at GTE for 11 years - the telephone system actually had huge surface area. The major, major failing was using in-band signaling and depending on "security through obscurity" - assuming no one would figure what in band signaling tones were used just because they were being filtered out, or assuming that because a dial-in modem number was not published that no one would find it. That's why most of those hacks before the PC and the Internet were telephone system hacks - the attack surface was huge and the security was almost non existent. Sorta like Windows when it first came out... I worked at GTE for 11 years – the telephone system actually had huge surface area. The major, major failing was using in-band signaling and depending on “security through obscurity” – assuming no one would figure what in band signaling tones were used just because they were being filtered out, or assuming that because a dial-in modem number was not published that no one would find it.

That’s why most of those hacks before the PC and the Internet were telephone system hacks – the attack surface was huge and the security was almost non existent. Sorta like Windows when it first came out…

]]> By: Nick Gall http://blogs.gartner.com/john_pescatore/2008/11/03/the-morris-worm-is-no-longer-a-teenager/comment-page-1/#comment-99 Nick Gall Thu, 06 Nov 2008 23:18:02 +0000 http://blogs.gartner.com/john_pescatore/?p=179#comment-99 John, Nice slide. But things weren't quite O&H before 1985. Here's a good list of hacks/cracks going back to 1961: http://www.geocities.com/SiliconValley/Lab/7378/hacker.htm ! I guess there's no free lunch: the more people who have access to interfaces with more "surface area", the more hacks/cracks there will be. Look how little surface area an old POTS phone offers, yet Cap'n Crunch found a way to hack it. John, Nice slide. But things weren’t quite O&H before 1985. Here’s a good list of hacks/cracks going back to 1961: http://www.geocities.com/SiliconValley/Lab/7378/hacker.htm !

I guess there’s no free lunch: the more people who have access to interfaces with more “surface area”, the more hacks/cracks there will be. Look how little surface area an old POTS phone offers, yet Cap’n Crunch found a way to hack it.

]]>