General: January 2005 Archives
Our copier rep was on site today to discuss some printing oddness. As long as he was there I gave him a hard time about the copier still running an NT4 print server. This copier once had the distinction of being the most insecure thing in the entire enterprise. In fact it lapped the field with a blank administrator password and the lack of patches.
The copier rep commented that all the copiers were coming with Linux nowadays for security.
Oh, you mean like the Toshiba copiers we used to have that ran Linux, but had every service running? The one with the unused FTP server that could be exploited to get root privileges?
To be fair, the appliances that are running Linux nowadays are a bit smarter than that copier from a few years ago. Like Windows XP SP2, by default the operating system is protected by a firewall. That should take care of most of the vulnerabilities.
The copier rep wasn't being dishonest. He's just repeating what he had heard. Linux is secure, Linux is secure. Then, faced with reality, they mutter something about "well, it's fewer patches than Microsoft." Of course, when the vendor never comes out to install any patches, what does it matter how many critical patches are missing? Let the firewall protect from remote attacks.
I suspect the real reason for the copiers with Linux print server boards is cost rather than security.
A TechRepublic Q&A was pointed out to me recently that asked about the dangers inherent in allowing internal hosts to ping hosts on the internet.
One user responded that the primary reason not to allow ping is to avoid virus attacks. I wouldn't consider this a primary reason. It is something to consider, though. Worms from several years ago would ping first and then probe. So if you don't allow ping, then the worm wouldn't spread through your equipment. Also, the pinging itself ran the risk of a denial of service. So you get two benefits in blocking.
Another answer isn't worth repeating. It basically advises removing the gateway address on clients so NO ONE can get to the internet. Yep, that sounds like security through turning off the machine and burying it in cement.
The next answer advises the original poster to use a default deny rule, remove telnet from workstations!!! and verify that outsiders can't ping in.
I don't feel like any of these answers adequately addressed the problem of ping. Let me start by saying that ping is a necessary troubleshooting tool.
When I saw the post title, I expected to be reading about ICMPTunnel. This is where a hacker, or just someone who wants to get around your firewall and monitoring capability, sends the traffic out within ICMP packets. That alone isn't a reason to block ping, because they could do the same thing across any open outbound internet port.
Next, I figured the thread might be about the dangers of allowing ICMP to hosts on the DMZ. People on the internet can learn much about a system by looking at how it responds to various ICMP messages.
The bottom line is to know your firewall config. The original poster was surprised to find he could ping. You should never be surprised by your own configuration. ICMP has many configuration options. Some are an important part of internet communication and others might as well be closed off.
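To make the "know your firewall config" point concrete, here is an added example (my own illustration, not code from the original post or the TechRepublic thread) that encodes one reasonable ICMP policy as a function and checks sample packets against it: outbound echo goes out, replies and error messages tied to our own flows come back, and the probe types outsiders use for fingerprinting are dropped. The policy and the payload-size threshold are assumptions chosen for illustration; the type numbers are the IANA ICMPv4 assignments.

```python
from collections import namedtuple

# A constructed, minimal view of an ICMP packet as a stateful firewall sees it.
Packet = namedtuple("Packet", "direction icmp_type code established")

# ICMPv4 message types (IANA assignments)
ECHO_REPLY, DEST_UNREACH, REDIRECT, ECHO_REQUEST = 0, 3, 5, 8
TIME_EXCEEDED, TIMESTAMP_REQ, ADDR_MASK_REQ = 11, 13, 17
FRAG_NEEDED = 4  # DEST_UNREACH code 4: required for path MTU discovery


def icmp_allowed(pkt):
    """Return True if this illustrative policy lets the packet through."""
    # Inside hosts may ping out; the reply is admitted only for a tracked flow.
    if pkt.direction == "out" and pkt.icmp_type == ECHO_REQUEST:
        return True
    if pkt.direction == "in" and pkt.icmp_type == ECHO_REPLY:
        return pkt.established
    # Destination-unreachable (incl. fragmentation-needed) and time-exceeded
    # about our own connections are part of normal internet operation
    # (PMTU discovery, traceroute); unrelated ones are dropped.
    if pkt.direction == "in" and pkt.icmp_type in (DEST_UNREACH, TIME_EXCEEDED):
        return pkt.established
    # Inbound echo (external scans), redirect (route tampering) and the
    # timestamp/address-mask requests used for fingerprinting: closed off.
    return False


def echo_payload_suspicious(payload_len, threshold=128):
    """Heuristic for tunneling over echo: the usual ping payload is 32 (Windows)
    or 56 (Linux) bytes, so a stream of much larger echo packets is worth a look.
    The threshold is an assumption; tune it to what your hosts actually send."""
    return payload_len > threshold


def audit(packets):
    """Evaluate a list of packets and return {index: allowed} so the policy can
    be reviewed before it surprises you in production."""
    return {i: icmp_allowed(p) for i, p in enumerate(packets)}


if __name__ == "__main__":
    sample = [  # constructed sample traffic
        Packet("out", ECHO_REQUEST, 0, False),
        Packet("in", ECHO_REPLY, 0, True),
        Packet("in", ECHO_REQUEST, 0, False),
        Packet("in", DEST_UNREACH, FRAG_NEEDED, True),
        Packet("in", TIMESTAMP_REQ, 0, False),
    ]
    for i, verdict in audit(sample).items():
        print(i, sample[i], "ALLOW" if verdict else "DROP")
```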
Earlier this week a server containing information used to create IDs at George Mason University was reported compromised. The article I read on it made me chuckle because the reporter mentioned all the security designations the University has: Commonwealth Center for Security This and NSA Center of Excellence That. Clearly the reporter was rubbing their noses in it, and they deserved it.
The server contained names and social security numbers. As a former student I've been wondering if I should take some action. Unfortunately, GMU has reported that they don't know the extent of the data on the server. They don't know if former students were purged!
They don't believe the data was actually downloaded. Rather, a hacker uploaded reconnaissance tools to that server after compromising it and used it as a base of operations to scan other GMU servers.
In the beginning of Practical Cryptography by Niels Ferguson and Bruce Schneier, the authors make a comparison between structural engineering and computer engineering. They make the argument that structural engineers learn from their mistakes and build stronger and better. Yet, they claim, software engineers make the same mistake time and time again. People are satisfied with patchwork solutions.
I don't think the analogy is apt. When structural engineers screw up, gas tanks explode, bridges collapse, space shuttles disintegrate. People die. There isn't a large margin of error. There isn't a tendency after a bridge collapse to use a crane to put the span back in place, give it a quick weld and move on. This is why large latitude for safety and security is built into the product.
When software engineers screw up, people generally don't die. The damage isn't immediate; it often isn't visible. It's much harder to get people to pay for security. Even if you wanted to, it's not like a bridge that you can condemn and start over. It's widely deployed. You've got to patch, and the patch will have unintended consequences.
"The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable."
--The Art of War, Sun Tzu
This quote was at the beginning of Chapter 1 of Cryptography and Network Security by William Stallings. It's an interesting statement to meditate on in the context of computer security. Can a networked computer ever be made unassailable? I would think it is a safe statement to say no.
When I first read the quote, I was afraid this was more fodder for those who warn of a Digital Pearl Harbor. I thought of the U.S.S.R. spending itself into oblivion over fear of the United States. But we don't need to spend ourselves into oblivion in the name of I.T. security. Rather, we need to put up reasonable defenses, and then continue to be vigilant about the sufficiency of those defenses moving into the future.
I predict
- Microsoft's new antispyware beta will not be released until March. Upon release it will quarantine as spyware both the RealPlayer and iTunes clients.
- Steve Gibson will issue dire warnings that Windows Longhorn includes a dastardly denial of service attack weapon known as "ping".
- Sick of the constant negativity, one of the two readers of Roger's Infosec Blog will hack the webserver and replace the website with sales literature from Computer Associates.
- An antivirus company will be severely embarrassed when it is discovered that several of their former engineers now work for the mafia developing spyware and spam designed to circumvent filters.
- Rob Rosenberger will get a late night show on Comedy Central. It will be canceled after three episodes because no one gets antivirus humor.