Businesses and government systems are at risk from
undocumented administrator accounts that provide a backdoor for
unauthorised access.
An Ovum report entitled Can you trust your vendor? has
revealed undocumented privileged administrator accounts in new
network routers belonging to two telecoms service providers.
"This is not the first time that we have seen attempts to hack
into enterprise and carrier networks by infiltrating network
routers," says Graham Titterington, information security principal
analyst at Ovum.
The unauthorised accounts were found by accident as most
security audits do not check privileged admin accounts, says
Titterington. He recommends that companies concerned about
backdoors in their network routers check that there are no
unauthorised privileged accounts.
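The check Titterington recommends is an inventory of privileged accounts compared against the list the organisation actually documented. The script below is an added example, not code from Ovum or from the report; it runs over two constructed inputs, an IOS-style running-config excerpt (where `privilege 15` marks full administrative access) and a `/etc/passwd` excerpt (where any UID-0 entry is root-equivalent whatever it is named), and reports every privileged account that is missing from an approved list. The `APPROVED` set, the hostnames, user names and hash values are all assumptions for illustration.

```python
"""Audit privileged accounts against a documented approved list (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: an IOS-style running-config excerpt. Hashes are placeholders.
# 'privilege 15' is full administrative (enable-level) access.
SAMPLE_IOS_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 5 $1$Zm9v$q1w2e3r4t5y6u7i8o9p0a1
username svc-maint privilege 15 password 7 094F471A1A0A
username helpdesk privilege 1 secret 5 $1$YmFy$z0x9c8v7b6n5m4l3k2j1h0
username backup-ro privilege 5 secret 5 $1$YmF6$a9s8d7f6g5h4j3k2l1q0w9
line vty 0 4
 login local
"""

# Constructed sample: a /etc/passwd excerpt. Every UID-0 entry is root-equivalent
# regardless of its name, so a second UID-0 account is a classic hidden backdoor.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:vendor support:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# Assumption: the organisation's documented list of privileged accounts,
# keyed by (source, name). Anything privileged that is not listed is a finding.
APPROVED = {("ios", "netops"), ("unix", "root")}


@dataclass(frozen=True)
class PrivilegedAccount:
    source: str   # "ios" or "unix"
    name: str
    detail: str   # why it is privileged, plus anything else worth noting


# username NAME [privilege N] (password|secret) TYPE VALUE
IOS_USER_RE = re.compile(
    r"^username\s+(?P<name>\S+)"
    r"(?:\s+privilege\s+(?P<level>\d+))?"
    r"\s+(?P<kind>password|secret)\s+(?P<ptype>\d+)\s+\S+",
    re.MULTILINE,
)


def ios_privileged_accounts(config: str, min_level: int = 15) -> list[PrivilegedAccount]:
    """Local IOS-style users at or above min_level (15 = full admin)."""
    found = []
    for m in IOS_USER_RE.finditer(config):
        level = int(m.group("level") or 1)   # IOS default privilege level is 1
        if level < min_level:
            continue
        detail = f"privilege {level}"
        # 'password 7' is the reversible type-7 encoding, not a hash: anyone who
        # can read the config can recover the password, so flag it as well.
        if m.group("kind") == "password" and m.group("ptype") == "7":
            detail += ", reversible type-7 password"
        found.append(PrivilegedAccount("ios", m.group("name"), detail))
    return found


def unix_root_accounts(passwd: str) -> list[PrivilegedAccount]:
    """Every /etc/passwd entry with UID 0, whatever it is called."""
    found = []
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue   # blank or malformed line
        if int(fields[2]) == 0:
            found.append(PrivilegedAccount("unix", fields[0], f"uid 0, shell {fields[6]}"))
    return found


def unapproved(accounts, approved=APPROVED) -> list[PrivilegedAccount]:
    """Privileged accounts that do not appear on the documented list."""
    return [a for a in accounts if (a.source, a.name) not in approved]


def audit(ios_config=SAMPLE_IOS_CONFIG, passwd=SAMPLE_PASSWD, approved=APPROVED):
    """Collect privileged accounts from both sources and return the undocumented ones."""
    accounts = ios_privileged_accounts(ios_config) + unix_root_accounts(passwd)
    return unapproved(accounts, approved)


if __name__ == "__main__":
    for finding in audit():
        print(f"UNDOCUMENTED {finding.source} account {finding.name!r}: {finding.detail}")
```

On the constructed inputs the audit reports `svc-maint` (a privilege-15 user with a reversible type-7 password) and `toor` (a second UID-0 account). The point of keying the approved list by name is that a vendor-planted account can be named anything; the privilege level or UID is what decides whether it belongs in the inventory, not the label.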
Backdoors in routers used to be quite common, says Richard
Brain, technical director at security firm Procheckup. "In 1999,
certain Cisco routers had a backdoor maintenance account to reset
passwords. Lots of backdoors have now been removed."
However, in 2006 Cisco "forgot" about the backdoor account on its
Cisco Security Monitoring, Analysis and Response System. The
company issued a workaround.
Although many router backdoors have been plugged, there is a
bigger problem with backdoors in software, such as the mechanisms
software providers build into their products for online error
reporting and remote maintenance.
Chris Wysopal, CTO of Veracode, a company which specialises in
analysing software for security holes, warns that such backdoors
are very common. "We find that hard-coded admin accounts and
passwords are the most common security issue."
The problem here is that the servers software suppliers use for
collecting error reports and for distributing software updates over
the internet can themselves be attacked. This could lead to
compromised code being installed through the legitimate maintenance
"backdoor" that suppliers use for automatic updates. In 2001 the
Apache Foundation servers which host open source code were targeted
by such an attack.
"CIOs need to check with software suppliers that any special
admin accounts built into the product are disabled," Wysopal says.
Open source code is open to abuse, since anyone can attempt to
insert backdoor code into the source. However, Wysopal says such
rogue code is usually identified quickly, within a few days, and
removed.
Commercial, closed-source software is more problematic.
Programmers with links to organised crime may slip through the
vetting net and find ways to hide backdoors in commercial products,
which Wysopal says can be extremely difficult to find.
The only sure way to prevent attacks through backdoors is to
eradicate the backdoors themselves. Admin accounts should only be
assigned to internal staff, based on their job role, and suppliers
must be required to disclose any backdoors built into their products.