Data center vulnerability a serious matter
May 26, 2015
Data centers operated by state and local governments may be at risk due to the discovery of a new security vulnerability. According to ZDNet, the zero-day vulnerability known as Venom may allow attackers to manipulate older technology to get inside the servers located within data centers.
“Move over Heartbleed. There’s a new catastrophic vulnerability in town,” wrote Zack Whittaker for the source.
Governments and federal IT services will remember Heartbleed as one of the largest security worries of recent times. The bug was discovered in April 2014 as a result of a flaw in the OpenSSL cryptographic software library, and according to Netcraft, 17.5 percent of websites utilizing SSL certification were at risk. This meant individuals could exploit the vulnerability and steal information that would normally be protected, such as emails, instant messaging and virtual private networks. Heartbleed was so severe it prompted federal officials to issue a statement about the government’s knowledge of zero-day bugs.
According to Wired magazine, the NSA and other security agencies at times keep knowledge of software vulnerabilities secret; however, officials routinely notify vendors of zero-day bugs in their software.
What is Venom?
Venom is shortened from “Virtualization Environment Neglected Operations Manipulation.” Data centers are particularly vulnerable because of how many are organized. For example, if a local government has implemented a cloud solution, rather than investing in its own data center, the small government can rent servers from a cloud provider. As cloud computing becomes widely used, cloud providers tend to condense customers and operating systems onto a server. Data centers use this method to increase efficiency by reducing costs and physical server space. These virtualized servers are then designed to remain separate, but still share important resources that are all controlled by the hypervisor.
Venom is particularly worrisome because it lets attackers gain access to servers by exploiting a legacy virtual floppy disk, a component that is said to be often ignored. A virtual floppy disk is similar to the physical floppy drives used years ago, except this time, the disk is a file, according to TechTarget. These files are used because some software can only be installed via floppy disks, but physical disks are rarely sold anymore.
Essentially, the attacker sends the virtual floppy drive malicious code that can crash the hypervisor. From there, the attacker can create his or her own virtual machine on the server to then access information from other organizations and people.
“Venom allows a person to break into a house, but also every other house in the neighborhood as well,” said researcher Jason Geffner, the man who discovered the bug.
Veteran security expert Dan Kaminsky told ZDNet Venom had gone unnoticed for more than a decade because the disk drive system was routinely ignored.
“It’s definitely a real bug for people running clouds to patch against,” said Kaminsky.
Effect on government
State and local governments need to pay extra attention to this data center vulnerability. In February 2010, the Federal Data Center Consolidation Initiative was created to curb the expansive growth of data centers. This led to data center consolidation or the shutdown of underperforming data centers. With Venom, these consolidated facilities are an ideal target for attackers.
How to protect information
Smaller governments tend to rent out data center space due to a lack of funds to construct their own. There is nothing wrong with this approach, but with dangerous bugs, local governments need to consult with IT professionals to ensure all information is protected and to determine what can be done to guard against future attacks.
A strong cybersecurity plan and proper coordination with federal IT services will reassure state and local governments that critical information and services stored in data centers are protected from Venom.