Firewall Wizards mailing list archives
Re: Fw: [Full-Disclosure] DCOM Exploit MS03-026 attack vectors
From: Paul Robertson <proberts () patriot net>
Date: Sat, 2 Aug 2003 07:33:25 -0400 (EDT)
On Fri, 1 Aug 2003, Jeremiah Cornelius wrote:
> <snip>
> > Because 9 times out of 10 port 135 is blocked by some sort of firewall,
> > whilst port 80 is not blocked on a web server.
>
> Not telecommuters on dial-up IPs, Blue-Toothed into the net through their
> Ericsson phones, and surfing from the airport and WiFi cafes of the world.
Telecommuters should have explicit security controls on their machines, as should laptop users. That's true no matter how they connect to your network, so it's not going to get any more worrisome if it's Bluetooth versus a leased line.
> </snip>
>
> Bluetooth phones as modems! I have been calling on this issue for some
> time, and generally received a dismissive response from System
> Administrators and IT management. No one wants the work load or
> responsibility this entails. I suppose that if you don't acknowledge the
> problem's existence, you can't be faulted for lack of due care! If they
> keep their heads in the sand long enough, somebody is going to find out
> what Ostrich meat tastes like...
>
> As this technology becomes more prevalent over the next 2 years or so,
> you can kiss your idea of perimeter goodbye. A better argument for
> 'defence in depth' and 'crunchy centers' could not be made. All hosts
> should be handled as if they were accessible from untrusted segments -
> they soon will be, if they are not already.
The same was said of desktop modems years ago when they started to become cheap (Back when Baud and BPS matched.) Then again, when folks started deploying restrictive firewalls. It's been said of VPNs, WiFi...
> This is just the technology we already have on hand. Remote, mobile, FAST
> communications technologies are springing up like weeds. Bluetooth
> scanning is inherently more problematic than looking for a rogue WiFi AP.
> The technology is mobile, VERY short range/low power, and has legitimate
> business use on multi-function devices. You can't expect to wrap your
> building in a Faraday cage - there is no way to gatekeep this. It will
> have to be a condition we adapt ourselves to deal with.
>
> Begin with hardened hosts. Even marketroid laptops. Ultimately, something
> like mutual host authentication/authorization is going to be needed
> everywhere on the inside - but it's obviously not a cure-all. If my
> laptop is a router for my phone, which is a router for kiddeez...
> Kiddee is authed to my server. It's gonna' be a fun ride, and the best is
> yet to come!
>
> [snip]
>
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
[-Wiz's address left in since this is crossposted.]

It's not going to be that difficult to check at the host end. One of my employer's security assurance programs includes a desktop-based TAPI-aware tool for finding modems, and has for years. Looking for whatever characteristics Bluetooth devices have is going to be significantly easier than looking for AV signature versions for even half a dozen AV companies (they generally obfuscate the heck out of signature files, since that's the bulk of their intellectual property; OEMs put files in different places...)

War dialing will be less useful, but I don't think handling alternative communications paths will be all that difficult for the majority of desktop users, most especially in Microsoft environments, and especially if it's tied to either domain authentication or, better yet, down the road something 802.1x-based.

Finally, there are other vectors for discovering things like that on Win* boxes, such as network-based scanning for multiple IP addresses (which current Windows platforms will tell you about if you ask nicely at the NIC.)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson          "My statements in this message are personal opinions
proberts () patriot net     which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment, TruSecure Corporation
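Paul's point that alternate communication paths are checkable from the host end, illustrated with an added example that is not from the thread and is not the TAPI-aware tool or any other product it mentions: a PowerShell inventory of modems, Bluetooth devices and IP interfaces that are not on an expected list, run on a single Windows host. It assumes a current Windows build with the CIM, PnpDevice and NetTCPIP cmdlets available (Windows 10 / Server 2016 or later); the $ApprovedAdapters list is a placeholder an organisation would fill in from its own build standard.

```powershell
# Added example, not code from the thread. Host-side inventory of the
# alternate communication paths discussed above: modems, Bluetooth
# radios/paired devices, and unexpected IP interfaces (multi-homing).
# Assumes Windows 10 / Server 2016+ with CIM, PnpDevice and NetTCPIP cmdlets.

# Assumption: interface aliases the enterprise build is allowed to have.
$ApprovedAdapters = @('Ethernet', 'Wi-Fi')

function Get-AlternatePaths {
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Modems: what a war-dialer would find from the outside, seen from inside.
    Get-CimInstance -ClassName Win32_POTSModem -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Kind   = 'Modem'
                Name   = $_.Name
                Detail = $_.AttachedTo      # COM port the modem is bound to
                State  = $_.Status
            })
        }

    # 2. Bluetooth devices: radios plus anything paired with the host, which
    #    is where a phone acting as a dial-up or PAN gateway shows up.
    Get-PnpDevice -Class Bluetooth -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Kind   = 'Bluetooth'
                Name   = $_.FriendlyName
                Detail = $_.InstanceId
                State  = $_.Status
            })
        }

    # 3. Multi-homing: any IPv4 address on an interface outside the approved
    #    list. RAS/PPP links, Bluetooth PAN, tethered phones and USB NICs all
    #    appear here. Loopback and APIPA addresses are skipped as noise.
    Get-NetIPAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Where-Object {
            $_.IPAddress -notlike '127.*' -and
            $_.IPAddress -notlike '169.254.*' -and
            ($ApprovedAdapters -notcontains $_.InterfaceAlias)
        } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Kind   = 'ExtraInterface'
                Name   = $_.InterfaceAlias
                Detail = $_.IPAddress
                State  = $_.AddressState
            })
        }

    return $findings
}

$results = Get-AlternatePaths
if ($results.Count -eq 0) {
    Write-Output "No modems, Bluetooth devices or unexpected interfaces found."
} else {
    $results | Format-Table -AutoSize
}
```

The three checks map onto the three vectors Paul lists: the modem query replaces the outside-in war dial, the Bluetooth query is the "characteristics" check he expects to be easier than AV signature auditing, and the interface check is the host-side counterpart of his network-based scan for multiple IP addresses. Run it from a login script or a management agent so the inventory is tied to the domain authentication he suggests; an unapproved interface with a routable address is the finding to alert on.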
Current thread:
- Fw: [Full-Disclosure] DCOM Exploit MS03-026 attack vectors Jeremiah Cornelius (Aug 01)
- Re: Fw: [Full-Disclosure] DCOM Exploit MS03-026 attack vectors Paul Robertson (Aug 02)
- <Possible follow-ups>
- Re: [Full-Disclosure] DCOM Exploit MS03-026 attack vectors R. DuFresne (Aug 03)