General: October 2004 Archives

Over the weekend a document connecting a Russian writer of spam software with the Sobig virus appeared on the internet.

This document is further evidence of virus writers with a for-profit bent. Viruses open SMTP proxies that are then used by spammers.

According to SC Magazine, FUD (Fear, Uncertainty, Doubt) is still a prime persuasive technique used by IT pros when talking to senior management.

In an unscientific survey of 150 network and security administrators, 49% admitted to pushing the IT Security Booga Booga factor rather than pushing facts.

It is much easier to talk about what might happen using worst-case scenarios than to collect facts and statistics. It's easy to be a purveyor of FUD. All you need to do is be imaginative and create an apocalyptic scenario to back up what you want to do. Then when the scenario doesn't occur, it must be because you saved the day. The problem with this is that sooner or later people catch on.

ROI is the language of the boardroom. While it's not always possible to show the ROI of buying antivirus or SecurID without talking about the problems that will occur if it is not purchased, your prime sales pitch shouldn't be fear.

I was pretty surprised to click on the title "trojans send message" and receive an article which said "Top-ranked Southern California makes a statement with a dominating 45-7 victory over fifteenth-ranked Arizona State on Saturday. by AP on 10/16/2004 10:18 PM"

What?! Took me a second to realize this article has nothing to do with internet security.

A couple of weeks back, I was driving over to Taco Bell listening to the Kim Kommando show (crappy tech show on the radio aimed at the masses), when I heard a commercial for gotomypc.com. That reminded me that I needed to check if that was being used in my company. Gotomypc is a web-based remote access solution that allows you to access your computer remotely using them as a proxy. Your remote computer will carry client software that connects to the proxy as well. And so when you log in with your password, you can connect into your desktop. This is pretty slick, but also against our security policy. The corporate VPN with SecurID or a digital certificate is the only allowed method of remote access.

When I got back to work, I installed an eval copy of gotomypc.com (you have to provide a credit card number even for the eval). I found that I was able to connect to that computer from outside the firewall. The next step was to look at who else might be using it. There are two ways to do this. One is to look at the firewall log and see who is going to poll.gotomypc.com on 80, 443, or 8200. The other is to use SMS or similar software to check for the presence of g2svc.exe.

Your company can contact gotomypc to register for free and block these types of connections, or block poll.gotomypc.com. Unfortunately, if they change the IP of that server, you'll be vulnerable and you just won't know it. So it would be better to register with them. I suppose you could write a script that verifies the resolution of the name so you are notified when the change occurs. It's also a good idea, if anyone was using the product, to talk with them and explain why the corporate VPN solution must be used. Otherwise they may find another hole through the firewall using even less secure methods.
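Here is an added example (my own code, not from the original post or from gotomypc) of the two checks described above: pulling the internal hosts that reached poll.gotomypc.com on 80, 443 or 8200 out of a firewall log, and comparing what the name currently resolves to against the addresses your firewall actually blocks. The log format, the internal IPs and the resolver results are constructed for illustration; a real deployment would plug in its own log parser and a DNS lookup.

```python
"""Added example: spot GoToMyPC clients in a firewall log and detect when
poll.gotomypc.com resolves to an address an IP-based block list misses."""
import re
from typing import Callable, Iterable

GOTOMYPC_HOST = "poll.gotomypc.com"
GOTOMYPC_PORTS = {80, 443, 8200}   # ports named in the post

# Constructed log format: "<time> src=<ip> dst=<host> dport=<port> action=<allow|deny>"
LOG_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)"
)

def find_gotomypc_clients(lines: Iterable[str]) -> list[tuple[str, str, int]]:
    """Return (timestamp, internal source IP, port) for every ALLOWED connection
    to the GoToMyPC polling host on one of its known ports."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue                      # unparseable line: skip, don't guess
        if m["dst"] != GOTOMYPC_HOST or m["action"] != "allow":
            continue
        port = int(m["dport"])
        if port in GOTOMYPC_PORTS:
            hits.append((m["ts"], m["src"], port))
    return hits

def unblocked_addresses(blocked_ips: set[str], resolver: Callable[[str], set[str]]) -> set[str]:
    """Addresses poll.gotomypc.com resolves to right now that are NOT in the
    firewall's block list, i.e. the gap that opens when the IP changes."""
    return resolver(GOTOMYPC_HOST) - blocked_ips

SAMPLE_LOG = [  # constructed sample lines
    "2004-10-12T09:01:02 src=10.1.4.23 dst=poll.gotomypc.com dport=8200 action=allow",
    "2004-10-12T09:01:05 src=10.1.4.23 dst=www.example.com dport=80 action=allow",
    "2004-10-12T09:02:11 src=10.1.7.8 dst=poll.gotomypc.com dport=443 action=allow",
    "2004-10-12T09:03:00 src=10.1.9.9 dst=poll.gotomypc.com dport=8200 action=deny",
    "garbage line",
]

if __name__ == "__main__":
    for ts, src, port in find_gotomypc_clients(SAMPLE_LOG):
        print(f"{ts} {src} reached {GOTOMYPC_HOST}:{port}")
    # Stand-in resolver; in production use e.g. socket.gethostbyname_ex(host)[2]
    fake_resolver = lambda host: {"192.0.2.10", "192.0.2.11"}   # constructed
    print("not covered by block list:", unblocked_addresses({"192.0.2.10"}, fake_resolver))
```

Run the second check on a schedule and alert when it returns a non-empty set; that is the notification the post suggests writing a script for.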

The October issue of Information Security Mag came this week and has some interesting articles.

  • Help - a test of 5 antivirus vendors tech support prowess
  • Power Grid - a look at self-defending networks. Is it just marketing hype? A question not answered by the article
  • Beware Spyware - No new ground covered, but a good article.

Ran across a cool article over at cybercrime.gov. It originally appeared in Newsweek last year. In it, the author comments about rites of passage in growing up. Huge effort in training is put into driver's ed. There are sex ed classes. But when it comes to computer security, many parents never have "the talk" with their kids.

It's the same at work. Many employees have never been given "the talk." They think they are too old to be lectured about online safety. So instead they play fast and loose with their privacy, giving their email address to every Tom, Dick and Harry who has a bag of seed to trade. They download all sorts of unknown games, leaving the computer infested with God knows what.

Before you have to take their computer down to the clinic for a shot, give your kids, give your employees THAT talk about safe computing.

Saw this posted over on NTBugtraq. Sharp-ideas.net has an example program that uses AIM to run programs and send the result back to the requestor. Basically a wrapper interacts with the person sending the message and runs a basic set of commands. The example uses nmap, but a fleet of hacking/reconnaissance tools could potentially be used. AIM works very hard at traversing firewalls, so someone outside a firewall could send a command to a computer inside the firewall.

This solution doesn't sound like it will scale very well. I suppose with AIM groups you could control a bunch of bots. A one-to-one connection could already be pulled off by sending someone a trojan and then waiting for it to connect back on a specific port.