Why is This Computer Connected to the Internet?

by Porter Payne

I was listening to a recent edition of 2600's weekly audio program Off The Hook, and I heard the host, Evil Corley, asking the question, "Why does this computer need to be connected to the Internet?"

Ahh....  An excellent question, and one that is more complicated and convoluted than one might think at first.

I used to work at an unnamed electrical utility.  Much of my experience comes from that and from previous work experience as a network administrator and engineer.

So, why are computers that seemingly have no need for internet access connected to the Internet?

The short answer: Laziness and expediency.

Even as a security-conscious network administrator, I was inevitably confronted with situations like this one: Someone would tell me, "We have this computer that needs to print labels for visitors to the utility."

"Ok," I'd think.  "Sounds like a standalone application."

Then, I'd be told, "We would also like to be able to maintain a list of visitors," and suddenly the system needed to have a database.

Finally, I'd be asked, "Could we also have access to that database from other locations on the LAN and publish the information on the internal web server?"  This means that I'd need to give the system network access, and with it easy access for anyone on the network, intruders included.

Because a port on the corporate LAN in practice also means Internet access (the LAN has a default route out, and nobody builds a separate segment for a label printer), we now have the proverbial highway to Hell.  This machine could have been standalone, if only the corporate management nitwits had allowed it to be that way.

Other reasons for connecting machines to a network include access to network printers; access to the machine for management reasons such as remote access or support, anti-virus updates, and the like; or the need for the computer to be able to access or store files on file servers.

So, because Information Technology (IT) departments are poorly managed, and workers and administrators already have an overabundance of daily work and artificial and real IT emergencies, it is expedient to be able to access all computers, workstations, printers, alarm systems, and so forth from network management consoles, IT department PCs, and anti-virus management servers.

Of course, since IT managers have lower ethics than the average third-world dictator, we must also be able to monitor the usage of each PC, including any web browsing that might be done from that PC.  The fact that monitoring an employee's web browsing is tantamount to mental rape is not an issue.  In the United States and some other countries, anything done on business computers may legally be monitored by the employer.  You have no reasonable expectation of privacy on work computers, period.  Whether this is right or wrong is immaterial; that is how the law stands.

Because of all this, computers that have no business being on Internet-connected networks quite inevitably end up on them.

Most people would be surprised to know that electrical grids, water distribution systems, and many other critical infrastructure elements are connected, one way or another, to the Internet.  If they aren't connected to the Internet, they are connected to modems for dial-in access.  Because of modems' low bandwidth, we are seeing lower utilization of modems as time goes on.  Shivas and other RAS devices have all but dried up, as the applications that used to require modems are now utilizing internet connectivity.

Yes, it is indeed possible to breach these systems with rootkits, buffer overflows, or other tricks of the trade; to install VNC or other remote access software and thus open and close floodgates or gain control of electrical grids; to compromise medical computers that store diagnostic images; or to do other terrifying things.  The potential for mass mayhem and massive loss of life cannot be overstated.  The United States and many other countries have a ticking time bomb of massive proportions within the IT infrastructure they have grown addicted to having access to.

To date, I have not seen any major catastrophes related to computer intrusions.  By major catastrophes, I mean events that would make natural catastrophes like Katrina, earthquakes, and tsunamis seem small.  I attribute this to incredibly good luck and to the fact that the people that want to harm us have not spent any significant effort, or they have not had the mental acuity to perceive the possibility of what they could accomplish.

Even though better security is always an option, budgetary reasons usually prevent it from being pursued.  VLANs do not provide substantive security, as switch security is usually questionable.  SNMP is a security nightmare, and most switches in use can be compromised with the factory-default community strings "public" (read) and "private" (read/write); with write access, VLANs and switch port assignments can then be reassigned rather easily.  So, if VLANs are not the answer, are separate networks a possibility?
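An added example, not code from the article or its author: a Python script that does the first step of what the paragraph above describes, namely checks whether a switch still answers SNMPv1 requests under the factory-default community strings.  The BER encoding is hand-rolled so it runs with nothing outside the standard library.  The sysDescr OID, the community list and the reply-building helper are constructed here for illustration; note that a GET answered under "private" only proves the string is accepted, not that the agent grants write access, which is what reassigning a VLAN would need.

```python
import socket

# Constructed for this example: sysDescr.0 (1.3.6.1.2.1.1.1.0), readable on
# practically every SNMP agent, so any reply proves the community was accepted.
SYSDESCR_OID = (1, 3, 6, 1, 2, 1, 1, 1, 0)
# Factory-default community strings still found on a lot of switches.
DEFAULT_COMMUNITIES = ("public", "private")

def ber_length(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_length(len(payload)) + payload

def ber_int(value):
    """Minimal two's-complement INTEGER encoding."""
    n = 1
    while not -(1 << (8 * n - 1)) <= value < (1 << (8 * n - 1)):
        n += 1
    return tlv(0x02, value.to_bytes(n, "big", signed=True))

def ber_oid(arcs):
    """OBJECT IDENTIFIER: first two arcs packed into one octet, the rest base-128."""
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def snmpv1_get(community, oid, request_id=1):
    """SNMPv1 GetRequest for a single OID (RFC 1157 message layout)."""
    varbind = tlv(0x30, ber_oid(oid) + b"\x05\x00")  # OID followed by NULL
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)

def ber_read(buf, pos=0):
    """Decode one TLV at pos; returns (tag, payload, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_get_response(datagram):
    """Community, error-status and first varbind value from a GetResponse."""
    tag, msg, _ = ber_read(datagram)
    _, _version, pos = ber_read(msg)
    _, community, pos = ber_read(msg, pos)
    ptag, pdu, _ = ber_read(msg, pos)
    if tag != 0x30 or ptag != 0xA2:
        raise ValueError("not an SNMPv1 GetResponse")
    _, _req_id, pos = ber_read(pdu)
    _, err, pos = ber_read(pdu, pos)
    _, _idx, pos = ber_read(pdu, pos)
    _, varbinds, _ = ber_read(pdu, pos)
    _, varbind, _ = ber_read(varbinds)
    _, _oid, pos = ber_read(varbind)
    vtag, value, _ = ber_read(varbind, pos)
    return {"community": community.decode(errors="replace"),
            "error_status": int.from_bytes(err, "big", signed=True),
            "value": value.decode(errors="replace") if vtag == 0x04 else value}

def build_get_response(community, oid, value, request_id=1, error_status=0):
    """Agent-side GetResponse; used only to fabricate a reply for offline testing."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x04, value))
    pdu = tlv(0xA2, ber_int(request_id) + ber_int(error_status) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)

def probe_default_communities(host, port=161, timeout=2.0):
    """Return {community: sysDescr or None}.  SNMPv1 agents silently drop requests
    carrying a wrong community, so a timeout is the 'rejected' signal."""
    results = {}
    for community in DEFAULT_COMMUNITIES:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(snmpv1_get(community, SYSDESCR_OID), (host, port))
            try:
                reply = parse_get_response(sock.recv(4096))
            except (socket.timeout, ValueError):
                results[community] = None
                continue
        results[community] = reply["value"] if reply["error_status"] == 0 else None
    return results
```

Run `probe_default_communities("192.0.2.10")` against a switch you are authorized to test; a community that comes back with a sysDescr string is one that should be changed (or, better, SNMPv1/v2c disabled in favour of SNMPv3 with authentication).  A "private" hit should be followed up with a SetRequest to a harmless writable object before concluding the switch's VLAN table is open to anyone on the LAN.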

Sometimes.  But you know what happens.  Inevitably there is some "business need," usually imaginary, that necessitates the connection of the secure network to the main production, Internet-accessible network, thus making the "secure network" insecure.  The connection of secure to production networks can be done through a firewall, but this is still substantially less secure than "not connected."  The lamentations and death gasps of the network administrator are for naught; if something can be connected with copper or fiber, it will eventually be connected.

Only in rare cases, in companies or government organizations that have some grasp of security, do we end up with computer facilities that are secure from the Internet.  This is the exception rather than the norm.

In Bruce Willis's movie Live Free or Die Hard, Bruce Willis and the kid hacker have to physically go to electrical transmission and generation centers to get access to the power grids.  This, unfortunately, is wishful thinking.

Even if the entity responsible for maintaining that grid uses something approaching a reasonable security policy, they are connected, presumably over a secure network (yeah, right), to computers maintaining downstream distribution grids that are not as secure.  You are only as secure as the weakest link in your armor, and smaller distribution grids are the Achilles' heel of electrical grid security.  Related to this, Supervisory Control And Data Acquisition (SCADA), which is used to control electrical and hydro facilities, has its own set of security problems.  A Department of Energy facility in Idaho (Idaho National Laboratory) performs research into cybersecurity issues that pertain to SCADA systems.  They perform demonstrations for interested, Government-approved parties to show how SCADA systems can become compromised.

A concentrated attack on SCADA, EMS (energy management systems), telephone, traffic control, E911, and Internet services is the current-day cyber-Armageddon.  Industry representatives rant that such a scenario is beyond the bounds of possibility, but we know better, don't we?

I won't spell out, any more than I already have, how such a nightmare scenario could be achieved, but the astute reader should be able to read between the lines, to Google or Wikipedia anything they need to know more about, and to arrive at a conclusion similar to mine.  All of the typical attack vectors are in play: Internet access, security vulnerabilities in computers and networks, and social engineering.

The innocent question posed by the Off The Hook host has very real and demonstrably dangerous ramifications that are prevalent throughout the infrastructure of the United States and the world.

The best answer for why a computer is connected to the Internet is because it can be done.

The way to mitigate this problem is to have good security personnel who are allowed to perform their jobs.  This means having a security policy that is actually adhered to; security devices that provide a significant level of layered security and are themselves secure; applications and operating systems that are secure; and secure virus protection, which may in fact not be possible.

The best security policy for any machine is for it to have no network connection, no modem, no software updates, and no anti-virus software, and for all input to be entered by a little old lady from Kentucky.

Why no anti-virus software?

Because, as some of my referenced material and other Internet-accessible material point out, anti-virus software is riddled with insecure parsing code that can itself be an attack vector for compromising a computer: the scanner runs with high privilege and opens every file it is handed.  So, scan the machine with an anti-virus program when it is set up, but don't install any anti-virus software.

Indeed, after the initial install, don't install any additional software.  If it works, don't fix it; if it's secure, don't booger it up or risk a virus infection by adding new software.  Remove the floppy drive, and put glue from a glue gun into the network, modem, and USB ports.

Why the little old lady from Kentucky?

She doesn't fit the hacker profile, but are we really sure about her?  I think I saw a copy of 2600 and a Phrack printout inside her handbag, along with a USB thumb drive labeled "rootkits."

Some of these security measures are not within the grasp of some business environments, but some of them are possible, with the most fundamental and most critical piece being the security policy.

What is the best recipe for a good security policy?  That is the topic for another article.

References
