Re: Fw: [Full-Disclosure] DCOM Exploit MS03-026 attack vectors

[Paul Robertson <proberts () patriot net>]

On Fri, 1 Aug 2003, Jeremiah Cornelius wrote:

> >     <snip>
> >
> > > > Because 9 times out of 10 port 135 is blocked by some sort of
> firewall,
> > > > whilst port 80 is not blocked on a web server.
> > >
> > > Not telecommuters on dial-up IP's and Blue-Toothed into the net thru
> > > their Ericsson phones, and surfing from the airport and WIFI cafes of
> the
> > > world.

Telecommuters should have explicit security controls on their machines, as 
should laptop users.  That's true no matter how they connect to your 
network, so it's not going to get any more worrisome if it's blue tooth 
versus a leased line.

> >     </snip>
> >
> > Bluetooth phones as modems!  I have been calling on this issue for some
> > time, and generally received a dismissive response from System
> > Administrators and IT management.  No one wants the work load or
> > responsibility this entails.  I suppose that if you don't acknowledge the
> > problem's existence, you can't be faulted for lack of due care!  If they
> > keep their heads in the sand long enough, somebody is  going to find out
> > what Ostrich meat tastes like...
> >
> > As this technology becomes more prevalent over the next 2 years or so, you
> > can kiss your idea of perimeter goodbye.  A better argument for 'defence
> in
> > depth' and 'crunchy centers' could not be made.  All hosts should be
> handled
> > as if they were accessible from untrusted segments - they soon will be, if
> > they are not already.

The same was said of desktop modems years ago when they started to become 
cheap (Back when Baud and BPS matched.)  Then again, when folks started 
deploying restrictive firewalls.  It's been said of VPNs, WiFi...  

> > This is just the technology we already have on hand.  Remote, mobile, FAST
> > communications technologies are springing up like weeds.  Bluetooth
> scanning
> > is inherently more problematic than looking for a rogue WiFi AP.  The
> > technology is mobile, VERY short range/low power, and has legitimate
> > business use on multi-function devices.  You can't expect to wrap your
> > building in a Faraday cage -  there is no way to gatekeep this.  It will
> > have to be a condition we adapt ourselves to deal with.  Begin with
> hardened
> > hosts.  Even marketroid laptops.  Ultimately, something like mutual host
> > authentication/authorization is going to be needed everywhere on the
> > inside - but it's obviously not a cure-all.  If my laptop is a router for
> my
> > phone, which is a router for kiddeez...  Kiddee is authed to my server.
> >
> > It's gonna' be a fun ride, and the best is yet to come!
[snip]
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
[-Wiz's address left in since this is crossposted.]

It's not going to be that difficult to check at the host end.  One of my 
employer's security assurance program includes a desktop-based TAPI-aware 
tool for finding modems, and has for years.  Looking for whatever 
characteristics blue tooth devices have is going to be significantly 
easier than looking for AV signature versions for even half a dozen AV 
companies (they generally obfuscate the heck out of signature files, since 
that's the bulk of their intellectual property, OEMs put files in 
different places...)

War dialing will be less useful, but I don't think handling alternative 
communications paths will be all that difficult for the majority of 
desktop users, most especially in Microsoft environments, and especially 
if it's tied to either domain authentication or better-yet down the road 
something 802.1x-based.

Finally, there are other vectors for discovering things like that on Win* 
boxes- such as network-based scanning for multiple IP addresses (which 
current Windows platforms will tell you about if you ask nicely at the 
NIC.)

Paul  
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards