Professional Paranoia

If you can get in, someone else can (and will) find a way to get in without your permission. If your software and systems can be used for good, someone can (and will) find a way to exploit the same for ill.

The more I learn about development and security, the less confident I feel about working online. It’s not that I can’t keep up with the trends running through the market, it’s that I can see those trends and they terrify me.

In the world of digital security, it’s valuable to develop a certain level of professional paranoia. Essentially, even if no one is actively trying to hack or exploit your system, always assume that nefarious individuals exist and will attack you in the future.

Open Relays

Once upon a time, I was tasked with taking an existing server infrastructure, modifying it to work on a distributed cloud network, and redeploying it on that same distributed system. For the most part, only minor changes were required. A few library versions had changed since the original deployment. I also needed to move some of our data processing from one server to another, since our data was now coming from a remote cloud database rather than a database server co-located with the webserver.

In a few days, I had our code switched over and deployed to the new system.

Then our sales team called me to complain.

In addition to some of the security and distribution changes on the server, we were now running on a system that lacked SMTP (Simple Mail Transfer Protocol) support. In short, our sales team stopped getting leads.

I worked hard to try to route things instead through Gmail – the server was so locked down I couldn’t offload the SMTP process. I tried to implement a message queue tied to a traditional mail-server – the message queue service wasn’t quite ready, though, and dropped 80% of our messages before delivery.

So I instead set up an SMTP relay on a local machine in our office. I used a non-standard port to confuse would-be hackers and hoped my minimal attempt at security-by-obscurity would keep things safe long enough for me to flesh out a better solution.

The open relay ran for 2 days before our company’s domain name was blacklisted. Though we didn’t use the relay server for email, the fact that DNS mapped a subdomain of our company domain to the server made it look like our mail domain was being used to send spam – on the order of 5,000 spam messages a minute.

I was devastated. We’d never been hacked before. We’d had our fair share of vulnerabilities, but no one had ever targeted any of our systems. I just assumed I could get away with my setup for a week or two while I built out the permanent solution.

I assumed wrong.

Paranoid

My biggest failure at the time was not understanding how much I was inadvertently trusting strangers. I was exposing an open, easily exploited relay to the entire internet. I was relying on a non-standard port to protect my system, but naively ignored the fact that attackers routinely use simple port scanning to find exactly the kind of open door I’d left for them.
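The failure above is easy to catch before an attacker does: an SMTP server is an open relay if it accepts a sender and a recipient that are both outside its own domain. The check below is an added example, not code from the original post; it speaks just enough SMTP to ask that question of a server you administer (MAIL FROM and RCPT TO, then RSET and QUIT, so no message is ever submitted), and it ships with a constructed in-process stub server so the whole thing runs offline. The host names, probe addresses and the stub's domain (`stub.example`) are assumptions for illustration only.

```python
import socket
import threading


def _read_reply(rfile):
    """Read one SMTP reply (possibly multi-line, '250-...' continuation) and return (code, lines)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("connection closed by server")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":  # last line of a reply has a space after the code
            break
    return int(lines[0][:3]), lines


def check_open_relay(host, port, probe_from="probe@example.net", probe_to="victim@example.org",
                     timeout=5.0):
    """Return (is_open, transcript).

    is_open is True when the server accepts a MAIL FROM and RCPT TO pair whose domains are both
    foreign to it, which is the definition of an open relay. DATA is never sent, so nothing is
    actually relayed; RSET clears the envelope before QUIT.
    """
    transcript = []
    accepted = True
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        code, lines = _read_reply(rfile)
        transcript += lines
        if code != 220:  # not an SMTP greeting; nothing to test
            return False, transcript
        for cmd in ("EHLO relay-check.example",  # assumed client name
                    f"MAIL FROM:<{probe_from}>",
                    f"RCPT TO:<{probe_to}>"):
            sock.sendall((cmd + "\r\n").encode("ascii"))
            code, lines = _read_reply(rfile)
            transcript += [f"> {cmd}"] + lines
            if code >= 400:  # 4xx/5xx means the server refused the foreign envelope
                accepted = False
                break
        for cmd in ("RSET", "QUIT"):
            sock.sendall((cmd + "\r\n").encode("ascii"))
            try:
                transcript += [f"> {cmd}"] + _read_reply(rfile)[1]
            except ConnectionError:
                break
    return accepted, transcript


def start_stub_smtp(accept_foreign_rcpt):
    """Constructed in-process SMTP stub for local testing only; NOT a real mail server.

    With accept_foreign_rcpt=True it behaves like the open relay in the story (250 to everything).
    With False it refuses RCPT TO for any address outside its own domain, stub.example.
    Returns the ephemeral port it listens on; serves exactly one connection.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            rfile = conn.makefile("rb")
            conn.sendall(b"220 stub.example ESMTP (constructed stub)\r\n")
            while True:
                raw = rfile.readline()
                if not raw:
                    break
                cmd = raw.decode("ascii", "replace").strip().upper()
                if cmd.startswith("QUIT"):
                    conn.sendall(b"221 bye\r\n")
                    break
                if (cmd.startswith("RCPT TO") and not accept_foreign_rcpt
                        and "@STUB.EXAMPLE" not in cmd):
                    conn.sendall(b"554 5.7.1 Relay access denied\r\n")
                else:
                    conn.sendall(b"250 OK\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    for mode in (True, False):
        is_open, transcript = check_open_relay("127.0.0.1", start_stub_smtp(mode))
        print(f"stub(accept_foreign={mode}): open relay = {is_open}")
        print("\n".join(transcript), "\n")
```

Run it against your own relay with `check_open_relay(host, port)`; a result of `True` means anyone on the internet who can reach that port can use it to send mail as your domain, whatever port number it sits on. The transcript is worth keeping, since the exact reply line (for example a 554 "Relay access denied") is what you want to see from a correctly restricted server.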

Since then, I always use the old mantra: “hope for the best, but expect the worst.”

If you can get in, someone else can (and will) find a way to get in without your permission. If your software and systems can be used for good, someone can (and will) find a way to exploit the same for ill.

Cultivate a certain level of professional paranoia and you’ll be able to anticipate many of these attacks. Some can be actively mitigated, others can be planned for (and have a remediation plan likewise set and waiting for use).