LIVE FROM IT NATION, ORLANDO, FL: Being one of the few dedicated security leaders for the MSP community attending IT Nation, is a great honor. Not to mention a great opportunity to raise a big megaphone for the industry.
The famous warrior poet of our time, Jay-Z, penned a song for this year’s MSP community. “I have 99 Problems and Windows Server 2003 is one,” it proclaims. So says I—in my usual unsubtle way—and so says the US Computer Emergency Response Team (CERT), located in the state of Pennsylvania on Campus of Carnegie Mellon University.
US-CERT’s alert (TA14-310A) will have floated into your inboxes like other cyber-apocalyptic warnings about Cryptolocker, Point of Sale (POS) Backoff Malware, Zeus Game Over AKA Zbot and the like. But, TA14-310A is different, boldly proclaiming: “Microsoft Ending Support for Windows Server 2003 Operating System.” The scheduled date for this is July 14, 2015.
Sometimes we print an email because it’s way too important to just forward. TA14-310A is one of those emails. When you go charging into your boss’s office shouting, “We just talked about this two weeks ago and now US CERT says it’s a thing”; you need that on paper.
What’s interesting is that, the email states that “as of July 2014, there were 12 million physical servers world wide still running Windows Server 2003.” OK, that’s a problem, and with the sudden surge in virtualization, hypervisors and VMware how many virtual 2003 machines are out there? I suspect a whole lot more, maybe even as high as six to 10 million more your guess is as good as mine.
One of the great things about Windows Server 2003, and this may go some way to explaining its popularity, was that once you put in the license code, it didn’t really check in and get all “militant” about being licensed. Unlike later Microsoft operating systems, it certainly didn’t become progressively more annoying and prone to shutting down.
So, why is the end of support for Server 2003 any more apocalyptic than, say, the end of Windows XP?
That’s a good question. As I explain why, I need to provide some careful analysis. I think the end of Windows XP has actually been pretty bad, especially from the view of the continuous and unrelenting attacks on POS machines—there is a coincidence here which bears examining. Even embedded Windows XP lacks key defenses against modern malware, the primary technology that would defeat or at least significantly degrade the preferred POS malware—ALSR (Address Layout Space Randomization)—is lacking in Windows XP but present in Windows Vista and Windows 7.
ALSR is used to prevent a malicious program from reliably jumping to a particular exploited function in memory. It works by randomly arranging the positions of key data areas of a program, including the base of the executable and the positions of the stack, heap, and libraries, in a process’s address space. It’s interesting how a security technology such as ASLR was originally designed to offer protection from buffer overflow attacks, yet has also become a great benefit against Backoff and a family of POS RAM Scrapers.
Without ALSR, cyber criminals were able to reverse engineer the POS application and identify the area of memory where the unencrypted credit card information was stored—it was that simple. They copied the RAM location over and over again to a file, and away they went grabbing millions of cards from vendors like Target, Home Depot, and others. All of these organizations had fairly sophisticated network defences, but it was Windows XP’s (or earlier versions, or in-house developed software) lack of memory address randomization that allowed the continuous flood of stolen information, once the malware was installed on the end point.
As you well know, to infect workstations, users—or some other mechanism—have to move the malware onto the machine. ALSR would have prevented, or certainly made it far more difficult, to conduct a successful POS system attack. This is how many PCI-compliant organizations with end-to-end data encryption ended up being breached and loosing millions of credit and debits card details alongside other personal information on their customers.
The Windows Server 2003 situation is so horrifying to me. Many of these Windows Server 2003 machines host business applications utilizing Internet Information Server, Microsoft’s answer to the ubiquitous Apache web server. Many of these servers have custom business-to-business connections, such as Electronic Data Interfaces, Custom API’s and the ever-popular MS Exchange 5.5. More alarming is that Windows Server 2003 Small Business Server included such things as poorly secured Terminal Services (now called Remote Desktop Protocol) over Http bound through a complicated nest of Windows services to the Internet Information Server.
The scary word in the above sentences is “host”. These machines are on the Internet, and in many cases a simple port forward through the corporate firewall can land the bad guys into a server that in July 2015 is no longer going to be updated. Exploitation of this Operating System potentially puts any bad guys at the very heart of your business.
A look back to the early days of the Internet, gives me definite cause for concern. Code Red and then Nimda were not good news for Windows Server owners, especially early versions of Internet Information Server. These were worms that tore through the Internet. Nimda utilized several types of propagation techniques and this caused it to become the Internet’s most widespread virus/worm within 22 minutes (the Internet was small back then). It hit Windows Server on September 18, 2001.
Nimda was so effective because it used four different infection vectors (Does this sound at all familiar?), including email attachment, open network shares, and browsing of compromised web sites. But, it was the last attack vector that has me the most worried for where we are today: Nimda exploited several Microsoft IIS 4.0 / 5.0 directory traversal vulnerabilities. Both Code Red and Nimda were hugely successful at taking advantage of well-known and long solved vulnerabilities in the Microsoft IIS server. The message here is to patch all your things, but when the patches stop the hacking begins.
So, in the words of the Anonymous Hactivist Collective: “Expect Us”. Cyber criminals will actively search out these machines. I know if I wanted to “Hack all the things” for profit I’d target those machines, but, how hard is it to find them?
There is a new tool called Zmap—built by a group of Michigan researchers—that has the ability to perform an Internet-wide scan in about 45 minutes, while running on an ordinary server. “Leveraging methodology similar to ZMap, it would only have taken a matter of hours from the time of disclosure to infect every publicly available vulnerable host,” the researchers say.
So, in the fall of 2015 it seems predictable that cyber criminals will pivot from attacking users at the end point with spear phishing attacks and drive by downloads, to over the wire attacks specifically targeting Windows 2003 Servers that have services exposed on the Internet. Sitting back and letting as Internet Worm grant you access to millions of servers is a whole lot easier, and cyber criminals are generally lazy and looking for the easiest and most effective way to turn a profit from unauthorized access.
So, maybe it won’t be the Internet of New Things that kills us in 2015, Maybe, it will be the Internet of Old Things that Kills us.
If you want to know how to protect your Windows Server 2003 system download our free whitepaper Solving the Windows Server 2003 end-of-life problem