RE: Worms, Air Gaps and Responsibility

["Paul D. Robertson" <paul () compuwar net>]

On Mon, 17 May 2004, Dana Nowell wrote:

> <snip>
> > Yes, but hundreds of thousands of Cisco routers allow connections from the
> > "inside."  Things like the "Poisonbox worm" are old history now- once
> > again, the ubiquity of the target means that success is hideously
> > powerful.
>
> I was concentrating on external attacks causing worm/virus spread, internal
> attacks are a different threat as I do not believe that deliberate worm
> release within a network by an insider is the typical vector.  Under the

That's why I used Poisonbox as an example, it wormed Solaris and targeted
IIS.  Partially, I want people to start thinking now "What would I do
if..." because by preparing for the worst, we can hopefully be prepared
if/when the time comes.  When we start to worry about bad guys/gals and
reputations, I start to worry about infrastructure.

> As to the issue of the internal router interface being less than tight,
> well that kind of implies either you think the worm was released internally
> OR that some other vector was initially successful and THEN the Cisco was
> attacked.  One COULD argue that if you hadn't been compromised via the
> Windows/Linux/Solaris/Acme box FIRST the router was not too viable a
> target.  (No I'm not really arguing that defense in depth is unnecessary,
> so save the blow torch :-).

That's why automated multi-platform attacks worry me.  It's about that
time again.

> I think we agree that 'ubiquity doesn't equal targeting'.  I just think
> your message/example was not clear :-).  The 'ubiquity doesn't equal

Fair enough...

[snip]

> > Which hasn't stopped all the exploits in services the router must expose
> > when certain configuration options are on.
>
> Isn't that a DOH, more 'services' implies more surface? Now marry that to
> less frequently used functions get less real world testing and less real
> world testing frequently implies more 'breakability' and I think we agree.

Sure, my point (because I don't think you were clear - touche') was that
things like SNMP and the "We must MANAGE the router!" brigade increase
exploitability, but that hasn't yet seen widespread attacks, even though
I'd hazard to guess that most folks don't patch their routers.

> > > So while I agree that there are alot of Cicso boxes on the net, I think the
> > > exposed code base is small, special, and reasonably free of UI/entry things
> > > like buffer overflows and such due to function.  It is also unlikely that
> >
> > They come with HTTP servers now...
>
> Internally only, unless the admin is a moron ;-).

Seen it.

[snip]

> > Adding a SOCKS v4 proxy wouldn't take all that much code...
>
> OK, but adding a SOCKS proxy on a router running IOS is probably a bit
> beyond the average script kiddie while installing a proxy via a canned
> windows hack script isn't.  So what do you think the ratio of attackers in

The same was said for Windows at one point, both of proxies and SMTP
servers.

> those two classes are?  Which is probably a bigger short term threat to Joe
> Sixpack or Mr. Average Small Business?  Yeah, I know long term is a better
> way think.  However that implies that thinking occurs and that short term
> needs do not overwhelm long term thought (how many guys in a foxhole under
> fire think about what's for dinner or what they're going to do in two years
> when they get out?, yeah bad analogy but best I could do on a Monday.).

You don't put all your general officers in fox holes ;)  If we don't worry
about it, there's nobody else who's going to come to the rescue, that
darned Bat Signal isn't working again!

> So I agree that long term thought is better, I agree that this list is a
> good place for it, I agree that the 'professionals' are the ones to do it.
> But any long term thought that does not account for short term needs has an
> obvious uselessness.  Which leads to: any examples that even tangentially

You need to do both.  Most places don't have room for both strategic and
tactical security, so we've all got to timeslice it...

> imply that external router interfaces are in the same class as windows
> boxes better be REALLY clear as to WHY or WHY NOT because the average guys
> ducking the bullets aren't going to take time to figure it out and change
> will not occur.

By the same token, those folks have to know where their infrastructure
lies, and when it might need attention.  Before the attack, if possible.

[snip]

> I'm still unclear on any weighting factors that should be applied.  Things
> like reputation also factor in to some degree, Windows has a 'bad rep' and
> Linux has a 'good rep' in security (visceral relativity, so to speak).  I
> honestly think that if Windows became more secure than Linux tomorrow, it
> would still be the target of choice for awhile.  I'm sure there is a
> lead/lag function to the 'rep' process.  I guess we could replace
> 'breakability' with 'perceived breakability' but that's going to get
> nastily subjective (not that this topic isn't already subjective to a big
> extent).

Actually, Linux boxes tend to get attacked more often- just in terms of
script kiddie attacks and poor administration.  Check any defacement
mirror for examples.  The kiddies feel they don't score as many points for
Windows systems, or perhaps they're just not as vulnerable by default when
they're out-of-the-box Web servers.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards