Firewall Wizards mailing list archives

Re: Ok, so now we have a firewall, we're safe, right?


From: Fritz Ames <fritzames () earthlink net>
Date: Tue, 31 May 2005 08:23:27 -0400

Ben,
Along with the part that stays the same is the part about getting a business to change its approach to security, or, "How does the security zealot at the company sell their position?" Sure it sells faster (somewhat, and for a little while) when there is a traumatic event, but then the large-scale traumatic events, as you pointed out, have been mere nuisances to-date. How does our hero pitch the solution to preventing annihilation by the "Code-Red-that-steals-your-data-nukes-your-hard-drive-and-then-steals-your-wife,-and-unplugs-the-fridge-on-the-way-out" trojan? It's the same old problem. "Here's your new fire extinguisher budget..."

I get the sense that *really* going after the education of the users is the opportunity to make the biggest difference. (The biggest difference? Really?)

Savvy users will be less likely to click on that link to Hades. Savvy users who run companies will have better ideas of how to evaluate their risks and their mitigations--and spend their dollars more carefully. Savvy users who run companies and who read "MJR/Fred/Paul" will buy less marketing hype, less BS process and documentation masquerading as security, and more secure systems. Savvy network admins will... Savvy DB folks will... Savvy Web site folks will... Savvy developers will...

All those folks out there who are busy doing their jobs, getting things done, building real stuff, and who haven't had time or inclination to really get security will catch on and... OK, so this has been tried before. ...or has it?

"Personal Firewall Day" is a great idea for *providing* information, but you can't simply suck people in--without hacking the DNS so that every site resolves to http://www.personalfirewallday.org/, or hacking Google so that the personalfirewallday site appears at the top of every search result--and the results display *looks* like one of your hits. What happened to http://www.humanfirewall.org/, by the way? (I guess they never hacked their way into our minds.)

There's got to be some kind of candy to lure people in to like learning it. So increasing security awareness isn't directly relevant to firewall technology ...in the hardware sense. But if not us, who? If not now, when? Ah! To heck with it. I can't make it work if better minds than mine haven't succeeded in this area. Please pass the fire extinguisher...


--Fritz
P.S.  I'll use the same caveat that Ben used, about "awful hurry."

Ben Nagy wrote:

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Paul D. Robertson
Sent: Monday, May 30, 2005 6:18 PM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Ok, so now we have a firewall, we're safe, right?

http://www.theinquirer.net/?article=23575


[...]

AV isn't going to be effective against most custom Trojan Horses. We're going to see more of this in the future.


I wrote the below in an awful hurry, but it amplifies Paul's point. The
threats we're looking at today aren't really anything like they were when we
all got into this business. Sure, the _vectors_ are the same, and the
patented MJR/Fred/Paul methodology will still help you out against the huge
bulk of them. The point is that there is less and less margin for error.

Anyway, small, self-indulgent rant follows.

I didn't focus on defense techniques at all. Feel free to draw your own
conclusions about your own favourite protection strategies; Marcus, feel
free to plug your wirecutter posters. (hey can I get one of those shipped to
Switzerland, btw? ;)

---
Threats Facing Organisations Right Now

A Short Essay by ben

As more and more crime gets into hacking, we're seeing a whole lot of
activity which was extremely rare 5-10 years ago. Most of the significant
attacks these days are a result of organised crime; it's much less about
pranksters, "true" hackers and those on a quest for knowledge.

Identity Theft

The biggest targets are consumer databases. High profile cases include
ChoicePoint, Bank of America. Here's a para from a Fortune article:

http://www.fortune.com/fortune/technology/articles/0,15114,1056163,00.html

"In February data aggregator ChoicePoint acknowledged that identity thieves
had stolen vital information on 145,000 people. Less than two weeks later
Bank of America admitted it had lost backup tapes that held the account
information of 1.2 million credit card holders. In March shoe retailer DSW
said its stores' credit card data had been breached; the U.S. Secret Service
estimated that at least 100,000 valuable numbers had been accessed. More
than a month later DSW released the real number: 1.4 million. Reed
Elsevier's LexisNexis, a ChoicePoint rival, followed suit, revealing first
that unauthorized users had compromised 32,000 identities, then upping the
number to 310,000."

These attacks are targeted - it's like traditional hacking, except for lots
of cash instead of for fun. The guys running them are criminal gangs -
they're not a bunch of mischievous green haired pranksters. Here's quite a
good article about Shadowcrew, which was a recent high profile takedown.
We're talking seasoned hackers in their early twenties with guns, wads of
cash and a profoundly criminal bent. Unfortunately it's just one such gang
out of dozens.
http://www.businessweek.com/magazine/content/05_22/b3935001_mz001.htm?chan=tc

Phishing is a low grade form of identity theft, but the people I spoke to in
banking and from the UK NHTCU (hi-tech crime unit) still agree that the only
reason gangs are not making more money out of it is because they don't have
enough people to make the manual account transfers. It's a HUGE money
spinner. Phishing basically relies on stupid users giving away their logins
to sites like electronic banking, but also things like ebay, paypal and
other sites that let you shove cash around.

Identity theft is very high profile, and the media has a field day with it.

Extortion

A common tactic out of Russia and Eastern Europe is to "own" thousands of
computers - this is called a botnet - with the ideal number being 5000 to
10000 according to Kaspersky. With this few, you have a good chance of never
getting your malware reported to an AV company so you're "under the radar"
and no AV will pick you up. Then, you run an old-fashioned extortion racket.
By threatening users with a DDoS (Distributed Denial of Service) you can
effectively shut down the website of pretty much any mid to large sized
organisation, for days if you want to, costing them a lot of money. Most
pay.

Long but cool article on this:
http://www.csoonline.com/read/050105/extortion.html

Spam

And, while your botnet is idle, you can rent it or sell it to spammers.
Saves you from having that investment sitting idle. Probably the bulk of
spam is sent this way now, because it's virtually impossible to trace it
back to the original sender.

There are so many ways for a black hat hacker to make money out of spam it
would take another twenty pages - it goes beyond just sending it. There is
also money to be made from advertisers, using pay-for-click techniques.
Great writeup here:
http://www.lurhq.com/ppc-hijack.html

Hacking for Hire

There is much less written about this, but genuine, targeted attacks still
happen. A good example is the theft and advance release of the Half-Life 2
source code from Valve.
http://money.cnn.com/2003/10/07/commentary/game_over/column_gaming/

Another great one is the Cisco source code theft.
http://www.theregister.co.uk/2005/05/10/cisco_hack_investigation/

The damage to reputation and future income from these attacks is
significant, but probably not crippling. The attackers in these cases were
amateurs, and probably didn't make any money out of it - but it's a fairly
common rumour that there are professionals doing the same thing who _do_
make money. The reason we don't read about it in the press is either because
the theft is never detected, or if it is the company won't admit to it.

[this was written before the Israeli targeted trojan article referenced, but
that's another great example]

Worms

We haven't seen a major worm for a long time, so maybe they're not
front-of-mind anymore. However, as soon as MS announce a suitable
vulnerability (a stack based buffer overflow in a core networking service)
there is a good chance we'll see another one.

Worms actually annoy real hackers. They make a lot of noise, and they get
companies to patch perfectly viable remote vulnerabilities much more quickly
than they otherwise would. Most worms to date have been released by amateurs
(you can tell when you reverse engineer them). However, one worm stands out,
which was called Witty. Great writeup here.

http://www.caida.org/analysis/security/witty/

What Witty demonstrates is that malicious hackers are writing worms which
include a whole lot of techniques that are at the forefront of academic
research. Many of the techniques in Witty had been first suggested in a
research paper published only a year or two earlier. It was slick, well
written - basically it was coded by a security expert. The theoretical
damage from a _really_ nasty worm is difficult to calculate, but I was
reading today about a completely feasible idea, where the worm could 'lock'
any ATA hard-drive using firmware commands - not even a reformat would get
it working again. Slammer hit half a million hosts inside 10 minutes. The
trouble is that everyone will leave their head planted firmly in the sand
until it happens.

But, fundamentally, worms are only really interesting to vandals. They are
too noisy to remain undetected, so people clean up after them. This is not
what you want. So, I think the biggest threats right now are probably those
coming from skilled criminals, and not from worms anymore. This is a
reversal from how things were in 2001-2003 (worms were very rare before
then).

That said, a destructive worm really, honestly does have the potential to
put you out of business - _permanently_ if your disaster recovery plans are
not top-notch.
---
Anyway, nothing above is really original. To me it all seems obvious, but
whenever I talk about this stuff to the 'general public' they are all
shocked, so maybe some subscribers will find it interesting.

Cheers,

ben


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
