Firewall Wizards mailing list archives
RE: Worms, Air Gaps and Responsibility
From: "Paul D. Robertson" <paul () compuwar net>
Date: Mon, 17 May 2004 11:58:01 -0400 (EDT)
On Mon, 17 May 2004, Dana Nowell wrote:
<snip>Yes, but hundreds of thousands of Cisco routers allow connections from the "inside." Things like the "Poisonbox worm" are old history now- once again, the ubiquity of the target means that success is hideously powerful.I was concentrating on external attacks causing worm/virus spread, internal attacks are a different threat as I do not believe that deliberate worm release within a network by an insider is the typical vector. Under the
That's why I used Poisonbox as an example, it wormed Solaris and targeted IIS. Partially, I want people to start thinking now "What would I do if..." because by preparing for the worst, we can hopefully be prepared if/when the time comes. When we start to worry about bad guys/gals and reputations, I start to worry about infrastructure.
As to the issue of the internal router interface being less than tight, well that kind of implies either you think the worm was released internally OR that some other vector was initially successful and THEN the Cisco was attacked. One COULD argue that if you hadn't been compromised via the Windows/Linux/Solaris/Acme box FIRST the router was not too viable a target. (No I'm not really arguing that defense in depth is unnecessary, so save the blow torch :-).
That's why automated multi-platform attacks worry me. It's about that time again.
I think we agree that 'ubiquity doesn't equal targeting'. I just think your message/example was not clear :-). The 'ubiquity doesn't equal
Fair enough... [snip]
Which hasn't stopped all the exploits in services the router must expose when certain configuration options are on.Isn't that a DOH, more 'services' implies more surface? Now marry that to less frequently used functions get less real world testing and less real world testing frequently implies more 'breakability' and I think we agree.
Sure, my point (because I don't think you were clear - touche') was that things like SNMP and the "We must MANAGE the router!" brigade increase exploitability, but that hasn't yet seen widespread attacks, even though I'd hazard to guess that most folks don't patch their routers.
So while I agree that there are alot of Cicso boxes on the net, I think the exposed code base is small, special, and reasonably free of UI/entry things like buffer overflows and such due to function. It is also unlikely thatThey come with HTTP servers now...Internally only, unless the admin is a moron ;-).
Seen it. [snip]
Adding a SOCKS v4 proxy wouldn't take all that much code...OK, but adding a SOCKS proxy on a router running IOS is probably a bit beyond the average script kiddie while installing a proxy via a canned windows hack script isn't. So what do you think the ratio of attackers in
The same was said for Windows at one point, both of proxies and SMTP servers.
those two classes are? Which is probably a bigger short term threat to Joe Sixpack or Mr. Average Small Business? Yeah, I know long term is a better way think. However that implies that thinking occurs and that short term needs do not overwhelm long term thought (how many guys in a foxhole under fire think about what's for dinner or what they're going to do in two years when they get out?, yeah bad analogy but best I could do on a Monday.).
You don't put all your general officers in fox holes ;) If we don't worry about it, there's nobody else who's going to come to the rescue, that darned Bat Signal isn't working again!
So I agree that long term thought is better, I agree that this list is a good place for it, I agree that the 'professionals' are the ones to do it. But any long term thought that does not account for short term needs has an obvious uselessness. Which leads to: any examples that even tangentially
You need to do both. Most places don't have room for both strategic and tactical security, so we've all got to timeslice it...
imply that external router interfaces are in the same class as windows boxes better be REALLY clear as to WHY or WHY NOT because the average guys ducking the bullets aren't going to take time to figure it out and change will not occur.
By the same token, those folks have to know where their infrastructure lies, and when it might need attention. Before the attack, if possible. [snip]
I'm still unclear on any weighting factors that should be applied. Things like reputation also factor in to some degree, Windows has a 'bad rep' and Linux has a 'good rep' in security (visceral relativity, so to speak). I honestly think that if Windows became more secure than Linux tomorrow, it would still be the target of choice for awhile. I'm sure there is a lead/lag function to the 'rep' process. I guess we could replace 'breakability' with 'perceived breakability' but that's going to get nastily subjective (not that this topic isn't already subjective to a big extent).
Actually, Linux boxes tend to get attacked more often- just in terms of script kiddie attacks and poor administration. Check any defacement mirror for examples. The kiddies feel they don't score as many points for Windows systems, or perhaps they're just not as vulnerable by default when they're out-of-the-box Web servers. Paul ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions paul () compuwar net which may have no basis whatsoever in fact." probertson () trusecure com Director of Risk Assessment TruSecure Corporation _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re[2]: Worms, Air Gaps and Responsibility, (continued)
- Re[2]: Worms, Air Gaps and Responsibility Jean-Denis Gorin (May 07)
- RE: Worms, Air Gaps and Responsibility Mike McNutt (May 10)
- RE: Worms, Air Gaps and Responsibility Gwendolynn ferch Elydyr (May 10)
- RE: Worms, Air Gaps and Responsibility Victor Williams (May 11)
- RE: Worms, Air Gaps and Responsibility Gwendolynn ferch Elydyr (May 10)
- RE: Worms, Air Gaps and Responsibility Claussen, Ken (May 12)
- RE: Worms, Air Gaps and Responsibility Claussen, Ken (May 12)
- RE: Worms, Air Gaps and Responsibility Paul D. Robertson (May 12)
- RE: Worms, Air Gaps and Responsibility Dana Nowell (May 13)
- RE: Worms, Air Gaps and Responsibility Paul D. Robertson (May 13)
- RE: Worms, Air Gaps and Responsibility Dana Nowell (May 17)
- RE: Worms, Air Gaps and Responsibility Paul D. Robertson (May 17)
- RE: Worms, Air Gaps and Responsibility Dana Nowell (May 17)
- RE: Worms, Air Gaps and Responsibility Frank Knobbe (May 18)
- RE: Worms, Air Gaps and Responsibility Dana Nowell (May 18)
- Re: Worms, Air Gaps and Responsibility Adam Shostack (May 18)
- Re: Worms, Air Gaps and Responsibility Dana Nowell (May 18)
- Re: Worms, Air Gaps and Responsibility Frank Knobbe (May 18)
- RE: Worms, Air Gaps and Responsibility Gwendolynn ferch Elydyr (May 18)
- RE: Worms, Air Gaps and Responsibility Dana Nowell (May 18)
- RE: Worms, Air Gaps and Responsibility Paul D. Robertson (May 18)
- RE: Worms, Air Gaps and Responsibility Dana Nowell (May 18)
- RE: Worms, Air Gaps and Responsibility Paul D. Robertson (May 13)