General: June 2004 Archives
News.com has a pretty interesting article challenging security assumptions. One of the more common assumptions is that if you put up a firewall, install antivirus on computers and perhaps get an IDS, then you'll be all right. There is this assumption that hackers will always attack the way they did in 1995, with a little bit of reconnaissance and some doorknob rattling.
The article asks why an attacker would run the full gauntlet of defenses when he can compromise a user's home system and piggyback on the company VPN past all of the network security.
The principle of low-hanging fruit does not apply, the article says, when you are trying to secure a valuable target. A determined hacker isn't going to just move on to the next target. Thus you need defense in depth and defense at every level of connection.
The article concludes by admonishing against a false sense of security, and by urging awareness of network activity. Would you know today if one of your servers started behaving more like a client?
The Washington Post is reporting that the Tuesday morning outage of sites that use Akamai (google.com, microsoft.com, liveupdate.symantec.com, etc.) was due to a distributed denial of service attack.
Akamai is a content distributor used by high-traffic websites. When you go to a site like liveupdate.symantec.com you are directed to a server close to your geographic region (and also via DNS round robin). Often large ISPs have their own Akamai server to limit the amount of bandwidth used on their internet pipes. Because of the large number of Akamai servers, it is very difficult to attain a worldwide effect. It would take a large number of compromised hosts being used for a denial of service attack. Russ Cooper of TruSecure speculates that this could be an exploit in the Akamai software itself.
At the time of Code Red, many companies were rudely surprised to find their servers being used in a denial of service attack on www.whitehouse.gov. We need to take the steps necessary to make sure that corporate computers are not vulnerable to this type of exploit, and also to make sure that it is detected quickly when it does get installed on employee systems.
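The question in the earlier post (would you notice a server behaving more like a client?) and the Code Red point about catching drafted hosts quickly come down to the same check: watching outbound connections from machines that are only supposed to receive them. The script below is an added example, not code from the original post. It runs over a constructed set of flow records (the addresses, the server inventory, the DNS allow-list and the thresholds are all assumptions) and flags two patterns: a server fanning out to many destinations, which is client-like behaviour, and a server opening many connections to a single destination in a short window, which is what a host taking part in a flood looks like.

```python
"""Flag inventory servers that start initiating connections (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One connection attempt as a flow collector would record it."""
    ts: int      # epoch seconds
    src: str     # initiating host
    dst: str     # destination host
    dport: int   # destination port


# Assumption: an inventory of hosts that should only receive connections.
SERVERS = {"10.0.0.5", "10.0.0.6"}
# Assumption: the only outbound traffic a server legitimately starts (DNS).
ALLOWED_OUTBOUND = {("10.0.0.53", 53)}


def build_sample_flows():
    """Constructed sample traffic: normal activity plus two suspicious patterns."""
    flows = []
    # Normal: outside clients connecting *to* the web server.
    for i in range(5):
        flows.append(Flow(100 + i, f"203.0.113.{i + 1}", "10.0.0.5", 80))
    # Normal: the server resolving names through the internal resolver.
    flows.append(Flow(110, "10.0.0.5", "10.0.0.53", 53))
    # Normal: a workstation browsing many sites (not a server, so ignored).
    for i in range(30):
        flows.append(Flow(200 + i, "10.0.1.20", f"198.51.100.{i + 1}", 80))
    # Suspicious: 10.0.0.6 hammering one destination (Code Red style flood).
    for i in range(60):
        flows.append(Flow(1000 + i // 6, "10.0.0.6", "192.0.2.10", 80))
    # Suspicious: 10.0.0.5 fanning out to many destinations (client-like).
    for i in range(12):
        flows.append(Flow(2000 + i, "10.0.0.5", f"198.51.100.{50 + i}", 443))
    return flows


def find_client_like_servers(flows, servers, allowed_outbound=ALLOWED_OUTBOUND,
                             window=60, fanout_threshold=10, flood_threshold=50):
    """Return a list of findings for servers that initiate outbound traffic.

    Flows are bucketed per (server, time window). A bucket that reaches
    `fanout_threshold` distinct destinations is reported as 'fanout'; a single
    destination hit `flood_threshold` times in one bucket is reported as 'flood'.
    """
    buckets = defaultdict(list)
    for f in flows:
        if f.src in servers and (f.dst, f.dport) not in allowed_outbound:
            buckets[(f.src, f.ts // window)].append(f)

    findings = []
    for (host, w), bucket in sorted(buckets.items()):
        per_dst = defaultdict(int)
        for f in bucket:
            per_dst[f.dst] += 1
        if len(per_dst) >= fanout_threshold:
            findings.append({"host": host, "window": w * window,
                             "kind": "fanout", "count": len(per_dst)})
        for dst, n in per_dst.items():
            if n >= flood_threshold:
                findings.append({"host": host, "window": w * window,
                                 "kind": "flood", "dst": dst, "count": n})
    return findings


if __name__ == "__main__":
    for finding in find_client_like_servers(build_sample_flows(), SERVERS):
        print(finding)
```

On real data the flow records would come from a router, NetFlow collector or firewall log rather than `build_sample_flows()`, and the allow-list would hold whatever a given server legitimately initiates (DNS, NTP, update servers). Everything else a server starts on its own is worth a look; the thresholds only decide how loudly.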
Looks like the wireless routers we all use are getting some attention, and not for the insecurity we all know about in 802.11x. Last week the Linksys WRT54G was reported to allow remote users access to the admin console even if remote access was turned off. If a user hadn't changed the default password, that was an immediate problem.
What could happen? I'm just thinking here, but a hacker could potentially set the Linksys to allow all ports through to your desktop. So all you people who have been letting the Linksys do the work, and not running a desktop personal firewall and not doing your patching, would be in serious trouble.
Is something like this going to end up in a worm? More likely a hacker would scan a range of known cable modem/DSL IP addresses to collect vulnerable Linksys routers. Then they'd do the work of changing the router as necessary, then they'd try to own your box. Just when you think you're secure, you're busted.
Enough about last week's vulnerability. This week the NetGear WG602 is reported by Ars Technica to suffer from a trapdoor left by a Netgear partner.
Any user logging in with the username "super" and the password "5777364" is in complete control of the device.
Fortunately this can't be accessed by just anyone on the internet like the Linksys problem.
Unfortunately, they don't seem to provide us with a way to restrict administration to only the WIRED portion of the local network! The Orinoco would allow us to keep wireless users from administering the product.
So to hack my Netgear you need to be in my house connected via the wired network, OR you could be outside my house trying to first break my wireless security. Of course if you did either of those, you'd pretty much have direct access to my network anyway.
With all the easier targets out there, you'd need to specifically be after me to go to all that trouble to break into Netgear.
In an informal survey of systems between my home and office, more than half were running Linksys. I did not stop to see if the Linksys routers were vulnerable. :)
According to a Kevin Poulsen article over at Security Focus, the Optix Pro backdoor program has a trapdoor left by the programmer. Trapdoors are flaws that designers place in programs so that specific security checks are not performed under certain conditions. In this case it is a special "master" password that will let the author into any system on which the agent is installed.
It is quite common to try to amass armies of computers under your control to sell for use by spammers or to perform denial of service attacks on your enemies. It wouldn't do much good for anyone who wanders by to be able to take control, so the systems are secured so that only the hacker can control them. The most rudimentary method of controlling access is the password. This trapdoor gives the programmer access to any infected system, not just the ones he installed himself.
The lesson to be learned here is that the code you download is only as trustworthy as the programmer. If you think you are playing with hacker tools, you're probably best off using a test machine that will never be used to connect to anything of importance. Even when downloading "legit" software, you need to remember that you are placing trust in the programmer, the website operator, and your internet connection.
Do you I.T. workers ever notice that you get a bonus check when things don't go well? A virus gets through the defenses and the company loses the ability to work for a period of time. You rack up the overtime and get an award check and maybe even lunch. Does that seem right to you? You work and work to keep the company virus-free to little recognition, but when the goalie lets one slip through, it's recognition time.
I should put a disclaimer here since I know my management reads this. Where I work is really cool. They realize that although I feel like any virus incident equals complete failure on my part to secure the network, it really isn't possible to do that. The users want to maintain too many rights, so a balance has to be struck between security and usability. Sometimes that causes problems. And they have rewarded me for keeping the place virus-free for the most part.
I was thinking it would be funny to put up a sign, "This office virus-free for x days. Do your part to keep us safe." The thought of that just cracked me up and became the impetus for this entire post. :)
I thought this review of one of my books for last semester was quite apt. It expresses the unnecessary dichotomy between classroom and professional life. I also see the same separation between the infosec group and corporate computer security.
The following is not my review, but I did find it amusing enough to share.
"The book was written based on university lecture notes and it shows. It is quite obvious that Mr. Gollmann has never been in charge of the security of a corporate network (I doubt that he had SEEN one), so his knowledge regarding the real-life issues is rather limited. There are hardly any case studies in the book. Consequently, the usefulness of the book depends on the audience. If you are a university professor, trying to "entertain" your students with theories that they can forget as soon as they graduate, look no further, buy this book NOW. The same thing applies if you are a student wanting to survive such a course. (The back cover of the book quotes someone from Linköping University: "...the book I have been looking for for years". I can easily believe that.) On the other hand, if you are an IS security expert, a security manager or an auditor, I doubt that you will be fired if you know nothing about, say, the Harrison-Ruzzo-Ullman Model. However, if your knowledge about security policies is limited to what's written in the book, you may be in trouble soon. Those topics that are covered are descriptive and not action-oriented. For example, there is ample information about the types of viruses and anti-virus software that exist, but practically nothing about the controls that should be in place to prevent viruses from spreading. Still, I think everyone interested in computer security will find SOME information in the book that they can use some day."
Rob Rosenberger of Vmyths.com has done it again. It has been reported that North Korea possesses an elite hacking squad on the level of anything the CIA can do. Rob responds with this satellite picture. Ask yourself, what's wrong with this picture?