Firewall Wizards mailing list archives
RE: Worms, Air Gaps and Responsibility
From: Dana Nowell <DanaNowell () cornerstonesoftware com>
Date: Mon, 17 May 2004 14:02:29 -0400
At 11:58 AM 5/17/2004 -0400, Paul D. Robertson wrote:
That's why I used Poisonbox as an example, it wormed Solaris and targeted IIS. Partially, I want people to start thinking now "What would I do if..." because by preparing for the worst, we can hopefully be prepared if/when the time comes. When we start to worry about bad guys/gals and reputations, I start to worry about infrastructure.
Yeah, we need the discussion. It's just that I feel most people can't see the forest, they're too busy counting trees.
As to the issue of the internal router interface being less than tight, well that kind of implies either you think the worm was released internally OR that some other vector was initially successful and THEN the Cisco was attacked. One COULD argue that if you hadn't been compromised via the Windows/Linux/Solaris/Acme box FIRST the router was not too viable a target. (No I'm not really arguing that defense in depth is unnecessary, so save the blow torch :-).

That's why automated multi-platform attacks worry me. It's about that time again.
Multiplatform attacks are due but I personally doubt the router is the secondary target of choice, unfortunately my money's on PDAs and cell phones via sync software and wireless. [snip]
Which hasn't stopped all the exploits in services the router must expose when certain configuration options are on.

Isn't that a DOH, more 'services' implies more surface? Now marry that to less frequently used functions get less real world testing and less real world testing frequently implies more 'breakability' and I think we agree.

Sure, my point (because I don't think you were clear - touché) was that things like SNMP and the "We must MANAGE the router!" brigade increase exploitability, but that hasn't yet seen widespread attacks, even though I'd hazard to guess that most folks don't patch their routers.
SNMP, out of the box, typically has only a read-only public community[1]. You have to turn on write and you OUGHT to be bright enough to secure it (and turn off public). The default SNMP that Joe Sixpack or Mr Small Business gets is 'info leaky' but reasonably harmless (barring buffer overflows).
So while I agree that there are a lot of Cisco boxes on the net, I think the exposed code base is small, special, and reasonably free of UI/entry things like buffer overflows and such due to function. It is also unlikely that
They come with HTTP servers now...

Internally only, unless the admin is a moron ;-).

Seen it.
Sigh, as soon as you think something is idiot proof, nature creates a better idiot. [snip]
You don't put all your general officers in fox holes ;) If we don't worry about it, there's nobody else who's going to come to the rescue, that darned Bat Signal isn't working again!
My point is that for the majority of the net, small business and Joe SixPack, the general LIVES in the foxhole, assuming someone is actually appointed general. My background is start-ups and companies with < 100 staff, if you can find a lt. colonel you're doing damn good, mostly you see a corporal or private. In my opinion, THAT'S one of the major security issues that people sidestep, because it has no good answer. In the old days, the bear joke applied[2]. Now with millions of small companies doing business with everyone and VPNs becoming the order of the day, I've forgotten to laugh and started to dig a deeper hole.
So I agree that long term thought is better, I agree that this list is a good place for it, I agree that the 'professionals' are the ones to do it. But any long term thought that does not account for short term needs has an obvious uselessness. Which leads to: any examples that even tangentially

You need to do both. Most places don't have room for both strategic and tactical security, so we've all got to timeslice it...
Unfortunately, I think you are wrong. What I was referring to with: "I agree that the 'professionals' are the ones to do it. But any long term thought that does not account for short term needs has an obvious uselessness." is really that mindset. Lots of places don't have time/knowledge for even tactical security. They live in the short term, it ain't broke world. The 'admin' is the last guy to install software anywhere. I'm afraid that small business/Joe Sixpack tactical security needs to be the defaults in the OS/DSL router/cable modem/wireless device. Strategic security needs to be defined by those with a clue in settings with a clue (corporate or clued individuals) and the average guy gets the vendor defaults (because he's too scared/clueless to mess with them). And some poor group of lucky individuals gets to decide the 'best practice' the vendors should use in that market and cram it down their throats. Until that occurs or VPNs get less ubiquitous we will all have issues. Depressing really, but I'm all for this list lending a hand. Meanwhile, pardon me while I continue digging.
imply that external router interfaces are in the same class as windows boxes better be REALLY clear as to WHY or WHY NOT because the average guys ducking the bullets aren't going to take time to figure it out and change will not occur.

By the same token, those folks have to know where their infrastructure lies, and when it might need attention. Before the attack, if possible.
Unfortunately, I'm not sure everyone is competent enough to know they have an issue (see above comment). But yes, those with a clue should use it.

[snip]

[1] True unless I'm dating myself, I haven't looked recently. I'm more router/network policy wonk now, less hands on routers more hands on individual boxes as I fill in where needed and our net and services are pretty static. The REAL admin gets to play with all the toys :-).

[2] Two hunters come across an angry bear in the woods. They discuss what they should do and one says, "let's run". The other says, "run, are you crazy, you can't outrun a bear". The first says, "I don't have to outrun a bear, I only have to outrun you". In the 'old days' the little guy didn't really have to be secure, just more secure than most others and the attackers would pick an easier victim in the target rich environment. Unfortunately there is a reason they are called 'the old days' and not 'current times'.

--
Dana Nowell
Cornerstone Software Inc.
Voice: 603-595-7480 Fax: 603-882-7313
email: DanaNowell_at_CornerstoneSoftware.com
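The message above argues that a router's out-of-the-box SNMP is "info leaky" until someone turns off the public community and scopes whatever remains. As an added illustration (not part of the original post or of any vendor documentation quoted by it), the following Cisco IOS fragment puts the default-shaped configuration beside a hardened one. The community strings, user name, passwords, ACL number and the 192.0.2.10 manager address are placeholders, not values from the thread.

```cisco
! Added example, not from the original message. Placeholders throughout.
!
! --- Default-shaped: read-only "public" community, reachable from anywhere ---
snmp-server community public RO
!
! --- Hardened ---
! 1. Remove the well-known community so the "info leak" has no listener.
no snmp-server community public
!
! 2. If a v2c community must remain, tie it to a standard ACL that permits
!    only the management station (192.0.2.10 is a placeholder address).
access-list 10 remark SNMP managers only
access-list 10 permit host 192.0.2.10
access-list 10 deny   any log
snmp-server community ROCommPlaceholder RO 10
!
! 3. Leave RW off unless something actually writes to the router over SNMP;
!    if it is needed, scope it with the same ACL (shown commented out).
! snmp-server community RWCommPlaceholder RW 10
!
! 4. Prefer SNMPv3 with authentication and privacy over any v2c community.
snmp-server group MGMT-GROUP v3 priv
snmp-server user mgmt-user MGMT-GROUP v3 auth sha AuthPassPlaceholder priv aes 128 PrivPassPlaceholder
!
! 5. Verify: the public community should be gone and the v3 user present.
!    show snmp community
!    show snmp user
```

The check at the end is the part worth keeping in a change procedure: after the change, `show snmp community` should list no `public` string, and any remaining community should show the ACL attached. The `deny any log` line also gives the syslog a record of polling attempts from addresses that are not the management station, which is cheap early warning for the kind of scanning the thread worries about.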