Archive for January 2005
eWeek: Virus attack surmounts AV Defenses
http://www.eweek.com/article2/0,1759,1756636,00.asp?kc=EWRSS03119TX1K0000594
Did you see this article “New Virus Attack Technique Bypasses Filters”? (1/31/2005 in eWeek)
I’d really like to know which antivirus vendors were so incompetent that they couldn’t scan inside the RAR compressed format.
Was this caused by people not scanning all files?
Was it the usual case of virus definitions being a reactive protection measure?
Was the antivirus software unable to look inside the RAR format?
Is it really new for viruses to be inside a RAR file? I could have sworn MyDoom was doing that back when antivirus vendors failed to protect us from password-protected zips.
If you must take action each time the enemy thinks of a new attack, your AV solution is obsolete.
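As an added illustration of the point above (not code from the post, the eWeek article or any AV vendor): an archive-aware check that recurses into nested archives and reports what it cannot inspect, using the stdlib zip reader in place of RAR; the sample archives and the marker "signature" are constructed.

```python
"""Archive-aware scanning: recurse into nested zips and flag anything the
scanner cannot open. Added example; samples and the 'signature' are constructed."""
import io
import zipfile

MAX_DEPTH = 3                       # archive-in-archive nesting limit
MAX_MEMBER = 50 * 1024 * 1024       # refuse to inflate huge members (zip bombs)
MARKER = b"CONSTRUCTED-TEST-MARKER" # stands in for a real malware signature


def inspect_archive(data: bytes, path: str = "<root>", depth: int = 0) -> list:
    """Return (member path, verdict) pairs. An 'uninspectable:' verdict means the
    scanner could NOT look inside; treat it as block/quarantine, never as clean."""
    if depth > MAX_DEPTH:
        return [(path, "uninspectable:too-deep")]
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member = f"{path}/{info.filename}"
            if info.flag_bits & 0x1:                 # general-purpose bit 0: encrypted
                findings.append((member, "uninspectable:encrypted"))
            elif info.file_size > MAX_MEMBER:
                findings.append((member, "uninspectable:too-large"))
            else:
                content = zf.read(info)
                if zipfile.is_zipfile(io.BytesIO(content)):  # nested archive: recurse
                    findings.extend(inspect_archive(content, member, depth + 1))
                else:
                    findings.append((member, "detected" if MARKER in content else "clean"))
    return findings


def build_zip(members: dict) -> bytes:
    """Constructed sample archive (stored, uncompressed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the 'encrypted' flag in every local (offset 6) and central-directory
    (offset 8) header so the sample looks password-protected to a reader.
    No real encryption is applied; the stdlib cannot write encrypted zips."""
    b = bytearray(zip_bytes)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = b.find(sig)
        while i != -1:
            b[i + off] |= 0x1
            i = b.find(sig, i + 4)
    return bytes(b)
```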
Security Problems for RFID?
Graduate students at Johns Hopkins University have uncovered a method of cracking the encryption surrounding RFID, so reports news.com.
Non-technical results are posted at www.rfidanalysis.org
RFID systems are used in automotive keys so that a signal from the key is necessary to start the car. They are also used in Mobil SpeedPass and in Wal-Mart’s inventory.
The writers point out that the 40-bit encryption is rather trivial to hack. What is needed is AES encryption. The problem is that, given the long rollout cycles for automobiles, this is not a change that will occur immediately.
Of course, with SpeedPass I still think the primary issue is that when someone steals your keys they now have access to your credit card (no signature necessary) at every Mobil/Exxon station.
Embedded Security
Our copier rep was on-site today to discuss some printing oddness. As long as he was there I gave him a hard time about the copier still running an NT4 print server. This copier once had the distinction of being the most insecure thing in the entire enterprise. In fact it lapped the field with a blank administrator password and the lack of patches.
The copier rep commented that all the copiers were coming with Linux nowadays, for security.
Oh, you mean like the Toshiba copiers we used to have that ran Linux but had every service running? The one with the unused FTP server that could be exploited to get root privileges?
To be fair, the appliances running Linux nowadays are a bit smarter than that copier from a few years ago. Like Windows XP SP2, the operating system is protected by a firewall by default. That should take care of most of the vulnerabilities.
The copier rep wasn’t being dishonest. He’s just repeating what he had heard: Linux is secure, Linux is secure. Then, faced with reality, they mutter something about “well, it’s fewer patches than Microsoft.” Of course, when the vendor never comes out to install any patches, what does it matter how many critical patches are missing? Let the firewall protect against remote attacks.
I suspect the real reason for the copiers with Linux print server boards is cost rather than security.
What is the danger in allowing ping?
A TechRepublic Q&A was pointed out to me recently that asked about the dangers inherent in allowing internal hosts to ping hosts on the internet.
One user responded that the primary reason to not allow ping is to avoid virus attacks. I wouldn’t consider this a primary reason. It is something to consider though. Worms from several years ago would ping first and then probe. So if you don’t allow ping, then the worm wouldn’t spread through your equipment. Also the pinging itself ran the risk of a denial of service. So you get two benefits in blocking.
Another answer isn’t worth repeating. It basically advises removing the gateway address on clients so NO ONE can get to the internet. Yep, that sounds like security through turning off the machine and burying it in cement.
The next answer advises the original poster to use a default deny rule, remove telnet from workstations!!! and verify that outsiders can’t ping in.
I don’t feel like any of these answers adequately answered the problem of ping. Let me start by saying that ping is a necessary troubleshooting tool.
When I saw the post title, I expected to be reading about ICMPTunnel. This is where a hacker, or just someone who wants a way around your firewall and monitoring capability, sends the traffic out within ICMP packets. That alone isn’t a reason to block ping, because they could do the same thing across any open outbound internet port.
Next, I figured the thread might be about the dangers of allowing ICMP to hosts on the DMZ. People on the internet can learn much about a system by looking at how it responds to various ICMP commands.
The bottom line is to know your firewall config. The original poster was surprised to find he could ping. You should never be surprised by your own configuration. ICMP has many configuration options. Some are an important part of internet communication and others might as well be closed off.
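One way to make "know your config" concrete, as an added example that is not from the post or the TechRepublic thread: a small stateful ICMP policy that keeps the error types IP depends on, lets echo-replies in only for requests it saw go out, and drops the legacy query types; the packets and addresses are constructed.

```python
"""Stateful ICMP border policy: keep the types IP depends on, drop the rest.

Added illustration, not from the original post or the TechRepublic thread;
the packets and addresses below are constructed (RFC 5737 documentation ranges)."""
from dataclasses import dataclass

ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED, PARAM_PROBLEM = 0, 3, 8, 11, 12
TIMESTAMP_REQ, INFO_REQ, MASK_REQ = 13, 15, 17

# Error messages normal TCP/IP relies on: type 3 code 4 drives path-MTU discovery,
# type 11 is what traceroute listens for. Blocking these silently breaks things.
REQUIRED_ERRORS = {DEST_UNREACH, TIME_EXCEEDED, PARAM_PROBLEM}
# Legacy query types that only serve fingerprinting; nothing breaks when dropped.
LEGACY_QUERIES = {TIMESTAMP_REQ, INFO_REQ, MASK_REQ}


@dataclass(frozen=True)
class Icmp:
    direction: str   # "in" = arriving from the internet, "out" = leaving
    type: int
    src: str
    dst: str
    code: int = 0


class IcmpPolicy:
    """accept/drop per packet. Echo-replies pass only when the matching
    echo-request was already let through (a minimal connection tracker)."""

    def __init__(self, ping_out=True, dmz=frozenset()):
        self.ping_out = ping_out  # may internal hosts ping the internet?
        self.dmz = dmz            # DMZ hosts the internet may ping (default: none)
        self.pending = set()      # (src, dst) of echo-requests already accepted

    def decide(self, p: Icmp) -> str:
        if p.type in REQUIRED_ERRORS:
            return "accept"                  # both directions
        if p.type in LEGACY_QUERIES:
            return "drop"
        if p.type == ECHO_REQUEST:
            allowed = self.ping_out if p.direction == "out" else p.dst in self.dmz
            if allowed:
                self.pending.add((p.src, p.dst))
            return "accept" if allowed else "drop"
        if p.type == ECHO_REPLY:
            key = (p.dst, p.src)             # reply flows back to the requester
            if key in self.pending:
                self.pending.discard(key)
                return "accept"
            return "drop"                    # unsolicited reply: nothing asked for it
        return "drop"                        # everything else: default deny
```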
AP writer attacks MS Antispyware
Matthew Fordahl, identified as an AP technology writer, wrote a recent review titled Microsoft Anti-Spyware Ineffective.
The article begins by berating Microsoft’s viral cleanup tool for not ridding his dumbass family member’s infected machine of its problems. Clearly he does not understand what this utility is supposed to be. That’s like screaming because McAfee’s Stinger utility doesn’t clean every virus off the machine. This is particularly galling when the problem is obviously spyware, and not viruses.
So halfway through the article he finally gets Microsoft Antispyware installed. I don’t understand people who criticize MS Antispyware. 1. It’s a beta release. 2. It’s still basically Giant’s product. The first thing this guy criticizes is the GUI. Clearly the author has not used other antispyware products. This interface is head and shoulders above that used by Ad-Aware, Spybot Search and Destroy, etc. He is unable to get the machine clean, blames the product and reloads the operating system (in my opinion revealing his complete lack of technical skills).
As usual, Microsoft is criticized where other products are not.
Licensing Security
The anti-Microsoft conspiracy crowd never lets an opportunity go by. They are quick to put on the tin foil hats and devise some deep dark motive for every tiny little Microsoft move. The problem with looking at the minutiae is that they miss the big picture. They cry that Microsoft Anti-Spyware can’t be downloaded without a valid OS license. But they fail to notice that most Microsoft downloads seem to have that test. When I downloaded it, I said NO to doing the license test, and was allowed to continue and download the software.
Mark Rasch’s thesis appears to be that software pirates need security too. I disagree with that thesis; furthermore, from my experience you can decline taking the license test and still get the software (if you’ve taken the test and failed, this is no longer true).
GMU Intrusion
Earlier this week a server containing information used to create IDs at George Mason University was reported compromised. The article I read on it made me chuckle because the reporter mentioned all the security designations the University has: Commonwealth Center for Security This and NSA Center of Excellence That. Clearly the reporter was rubbing their noses in it, and they deserved it.
The server contained names and social security numbers. As a former student I’ve been wondering if I should take some action. Unfortunately, GMU has reported that they don’t know the extent of the data on the server. They don’t know if former students were purged!
They don’t believe the data was actually downloaded. Rather, after compromising the server a hacker uploaded reconnaissance tools to it and used it as a base of operations to scan other GMU servers.
Engineering
At the beginning of Practical Cryptography by Niels Ferguson and Bruce Schneier, the authors compare structural engineering and computer engineering. They argue that structural engineers learn from their mistakes and build stronger and better, yet software engineers, they claim, make the same mistakes time and time again. People are satisfied with patchwork solutions.
I don’t think the analogy is apt. When structural engineers screw up, gas tanks explode, bridges collapse, space shuttles disintegrate. People die. There isn’t a large margin of error. There isn’t a tendency after a bridge collapse to use a crane to put the span back in place, give it a quick weld and move on. This is why large latitude for safety and security is built into the product.
When software engineers screw up, people generally don’t die. The damage isn’t immediate, and it often isn’t visible. It’s much harder to get people to pay for security. Even if you wanted to, it’s not like a bridge that you can condemn and start over; the software is widely deployed. You’ve got to patch, and the patch will have unintended consequences.
The Art of War
“The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.”
–The Art of War, Sun Tzu
This quote was at the beginning of Chapter 1 of Cryptography and Network Security by William Stallings. It’s an interesting statement to meditate on in the context of computer security. Can a networked computer ever be made unassailable? I would think it is safe to say no.
When I first read the quote, I was afraid this was more fodder for those who warn of a Digital Pearl Harbor. I thought of the U.S.S.R. spending itself into oblivion over fear of the United States. But we don’t need to spend ourselves into oblivion in the name of I.T. security. Rather, we need to put up reasonable defenses, and then continue to be vigilant about the sufficiency of those defenses moving into the future.

