Firewall Wizards mailing list archives
Re: Re: w00w00 on AIM Filter (Backdoors & SpyWare)
From: "M. Dodge Mumford" <dodge () nfr net>
Date: Thu, 10 Jan 2002 10:25:52 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 9 Jan 2002, Crispin Cowan wrote:

> Chad Schieken wrote:
> > Exactly how does a firewall protect against this type of attack?
>
> By blocking IM protocols so you won't use these vulnerable applications :-)
In order to write NFR's rapid response to the AIM issue, I made a deliberate choice to not directly circumvent our firewall. While I won't say how I did it, getting through was easy.

First off, if the client can't connect, it will present a popup saying it can't connect, and offer to take you to a help screen which points you to a network preferences screen. On the network preferences screen, there's an Auto Configure button which, when pressed, initiates a traditional full-open sequential portscan (using selected ports) of login.oscar.aol.com. If you've got any plug-gw's in there, it uses that port and the user can continue. At least it doesn't use port 20 as a source port. If your site has an HTTP proxy, it will happily use that. Including using port 443. In all of these situations, the protocol doesn't change drastically and is still in cleartext.

The only way to block AIM is by blocking all communication with login.oscar.aol.com, which currently has the IP addresses 64.12.161.185 and 64.12.161.153. The addresses have changed before, so you should check it once every few months to make sure you keep blocking it.

Ironically, tunneling AIM over SSH is kinda hard because after you authenticate you switch to another server for actual AIM stuff. So either you need to guess which server you'll be assigned to or you need to see which server you've been assigned and open another SSH tunnel very quickly.

I did not look at the AIM proxy because my main concern was with detecting the specific attack, followed by making sure nobody in my company could "accidentally" use the client.

This is not to say that all instant messaging is bad. It can be quite valuable, especially for communication within a company. But it's a _very_ bad idea for employees to discuss company business (1) going through a third-party network (2) in cleartext. As always, user education is the best way to go.
Dodge

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjw9soMACgkQNFi+2PpLB5HrXQCgyGcWCIeOaeBjHW8TGGsj0gwD
ajsAn2jLcVHkFOBQd0sf8lgEK52Elihp
=F+EW
-----END PGP SIGNATURE-----

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
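The Auto Configure behaviour described in the message (a sequential sweep of selected ports against login.oscar.aol.com, then falling back to whatever proxy or port happens to be open, including 443) leaves a distinctive trail in firewall logs: one internal host touching one of the login addresses on several different destination ports within a few seconds. The script below is an added example, not code from the original post or from NFR; it runs a sliding-window check over constructed sample log lines in a simple "timestamp ACTION src:sport -> dst:dport" format (the format, thresholds and sample addresses 10.0.5.x are assumptions, and the AIM addresses are the two the post lists, which it notes have changed before and should be re-checked periodically).

```python
"""Flag the AIM client's Auto Configure port sweep in firewall logs.

Added example (not from the original post). Assumes a constructed log
format: "YYYY-MM-DD HH:MM:SS ACTION SRC:SPORT -> DST:DPORT".
"""
import re
from collections import defaultdict
from datetime import datetime

# login.oscar.aol.com addresses quoted in the post; they have changed
# before, so a real deployment should refresh this set periodically.
AIM_LOGIN_ADDRS = {"64.12.161.185", "64.12.161.153"}

# Constructed sample: one host sweeping several ports in a burst (the
# Auto Configure pattern), one host making a single blocked attempt, and
# unrelated HTTPS traffic that must not be flagged.
SAMPLE_LOG = """\
2002-01-09 09:14:01 DENY 10.0.5.23:40211 -> 64.12.161.185:5190
2002-01-09 09:14:02 DENY 10.0.5.23:40212 -> 64.12.161.185:21
2002-01-09 09:14:02 DENY 10.0.5.23:40213 -> 64.12.161.185:23
2002-01-09 09:14:03 DENY 10.0.5.23:40214 -> 64.12.161.185:25
2002-01-09 09:14:03 DENY 10.0.5.23:40215 -> 64.12.161.185:80
2002-01-09 09:14:04 ALLOW 10.0.5.23:40216 -> 64.12.161.185:443
2002-01-09 09:20:10 DENY 10.0.5.77:51002 -> 64.12.161.153:5190
2002-01-09 09:31:44 ALLOW 10.0.5.99:33001 -> 198.51.100.7:443
"""

_LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (ALLOW|DENY) "
    r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)


def parse_line(line):
    """Return an event dict for a well-formed line, or None otherwise."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    ts, action, src, sport, dst, dport = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "action": action,
        "src": src,
        "sport": int(sport),
        "dst": dst,
        "dport": int(dport),
    }


def _distinct_ports(events):
    """Destination ports in first-seen order, without duplicates."""
    ports = []
    for e in events:
        if e["dport"] not in ports:
            ports.append(e["dport"])
    return ports


def find_aim_contacts(log_text):
    """Every internal source that tried to reach an AIM login address at all.

    Useful for the policy question in the post (who is using the client),
    independent of whether the attempt looked like a sweep.
    """
    return {ev["src"] for ev in map(parse_line, log_text.splitlines())
            if ev and ev["dst"] in AIM_LOGIN_ADDRS}


def find_aim_probes(log_text, min_ports=4, window_seconds=30):
    """Report (src, dst) pairs that hit >= min_ports distinct ports on an
    AIM login address within window_seconds, i.e. the Auto Configure sweep.
    Each finding also lists which of those ports the firewall ALLOWed, so
    the reader can see where the client found a way out (e.g. 443)."""
    by_pair = defaultdict(list)
    for ev in map(parse_line, log_text.splitlines()):
        if ev and ev["dst"] in AIM_LOGIN_ADDRS:
            by_pair[(ev["src"], ev["dst"])].append(ev)

    findings = []
    for (src, dst), events in by_pair.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Shrink the window so events[start..end] spans <= window_seconds.
            while (events[end]["ts"] - events[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if len(_distinct_ports(events[start:end + 1])) < min_ports:
                continue
            # Threshold reached: extend over the rest of the burst so the
            # finding shows every port the sweep touched, then stop.
            burst = events[start:end + 1]
            for e in events[end + 1:]:
                if (e["ts"] - burst[-1]["ts"]).total_seconds() > window_seconds:
                    break
                burst.append(e)
            findings.append({
                "src": src,
                "dst": dst,
                "ports": _distinct_ports(burst),
                "allowed_ports": _distinct_ports([e for e in burst if e["action"] == "ALLOW"]),
                "first_seen": burst[0]["ts"],
                "last_seen": burst[-1]["ts"],
            })
            break
    return findings


if __name__ == "__main__":
    for f in find_aim_probes(SAMPLE_LOG):
        print(f"{f['src']} swept {f['dst']} ports {f['ports']} "
              f"between {f['first_seen']} and {f['last_seen']}; "
              f"allowed on {f['allowed_ports'] or 'none'}")
    print("hosts contacting AIM login addresses:", sorted(find_aim_contacts(SAMPLE_LOG)))
```

The window and port-count thresholds are deliberately loose: the sweep the post describes finishes in seconds, so a tighter window would still catch it, but the same logic also surfaces slower retries. The `allowed_ports` field is the actionable part for a firewall administrator, since it shows which rule (an HTTP proxy, a stray plug-gw, port 443) let the client through.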