Firewall Wizards mailing list archives
Re: Ok, so now we have a firewall, we're safe, right?
From: Fritz Ames <fritzames () earthlink net>
Date: Tue, 31 May 2005 08:23:27 -0400
Ben,

Along with the part that stays the same is the part about getting a business to change its approach to security, or, "How does the security zealot at the company sell their position?" Sure it sells faster (somewhat, and for a little while) when there is a traumatic event, but then the large-scale traumatic events, as you pointed out, have been mere nuisances to date. How does our hero pitch the solution to preventing annihilation by the "Code-Red-that-steals-your-data-nukes-your-hard-drive-and-then-steals-your-wife,-and-unplugs-the-fridge-on-the-way-out" trojan? It's the same old problem. "Here's your new fire extinguisher budget..."

I get the sense that *really* going after the education of the users is the opportunity to make the biggest difference. (The biggest difference? Really?) Savvy users will be less likely to click on that link to Hades. Savvy users who run companies will have better ideas of how to evaluate their risks and their mitigations--and spend their dollars more carefully. Savvy users who run companies and who read "MJR/Fred/Paul" will buy less marketing hype, less BS process and documentation masquerading as security, and more secure systems. Savvy network admins will... Savvy DB folks will... Savvy Web site folks will... Savvy developers will... All those folks out there who are busy doing their jobs, getting things done, building real stuff, and who haven't had time or inclination to really get security will catch on and...

OK, so this has been tried before. ...or has it? "Personal Firewall Day" is a great idea for *providing* information, but you can't simply suck people in--without hacking the DNS so that every site resolves to http://www.personalfirewallday.org/, or hacking Google so that the personalfirewallday site appears at the top of every search result--and the results display *looks* like one of your hits. What happened to http://www.humanfirewall.org/, by the way? (I guess they never hacked their way into our minds.)
There's got to be some kind of candy to lure people in to like learning it. So increasing security awareness isn't directly relevant to firewall technology ...in the hardware sense. But if not us, who? If not now, when? Ah! To heck with it. I can't make it work if better minds than mine haven't succeeded in this area. Please pass the fire extinguisher...
--Fritz

P.S. I'll use the same caveat that Ben used, about "awful hurry."

Ben Nagy wrote:
-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Paul D. Robertson
Sent: Monday, May 30, 2005 6:18 PM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Ok, so now we have a firewall, we're safe, right?

http://www.theinquirer.net/?article=23575
[...]
AV isn't going to be effective against most custom Trojan Horses. We're going to see more of this in the future.

I wrote the below in an awful hurry, but it amplifies Paul's point. The threats we're looking at today aren't really anything like they were when we all got into this business. Sure, the _vectors_ are the same, and the patented MJR/Fred/Paul methodology will still help you out against the huge bulk of them. The point is that there is less and less margin for error.

Anyway, small, self-indulgent rant follows. I didn't focus on defense techniques at all. Feel free to draw your own conclusions about your own favourite protection strategies; Marcus, feel free to plug your wirecutter posters. (hey can I get one of those shipped to Switzerland, btw? ;)

---

Threats Facing Organisations Right Now
A Short Essay by ben

As more and more crime gets into hacking, we're seeing a whole lot of activity which was extremely rare 5-10 years ago. Most of the significant attacks these days are a result of organised crime; it's much less about pranksters, "true" hackers and those on a quest for knowledge.

Identity Theft

The biggest targets are consumer databases. High profile cases include ChoicePoint, Bank of America. Here's a para from a Fortune article:
http://www.fortune.com/fortune/technology/articles/0,15114,1056163,00.html

"In February data aggregator ChoicePoint acknowledged that identity thieves had stolen vital information on 145,000 people. Less than two weeks later Bank of America admitted it had lost backup tapes that held the account information of 1.2 million credit card holders. In March shoe retailer DSW said its stores' credit card data had been breached; the U.S. Secret Service estimated that at least 100,000 valuable numbers had been accessed. More than a month later DSW released the real number: 1.4 million. Reed Elsevier's LexisNexis, a ChoicePoint rival, followed suit, revealing first that unauthorized users had compromised 32,000 identities, then upping the number to 310,000."

These attacks are targeted - it's like traditional hacking, except for lots of cash instead of for fun. The guys running them are criminal gangs - they're not a bunch of mischievous green-haired pranksters. Here's quite a good article about Shadowcrew, which was a recent high profile takedown. We're talking seasoned hackers in their early twenties with guns, wads of cash and a profoundly criminal bent. Unfortunately it's just one such gang out of dozens.
http://www.businessweek.com/magazine/content/05_22/b3935001_mz001.htm?chan=tc

Phishing is a low grade form of identity theft, but the people I spoke to in banking and from the UK NHTCU (hi-tech crime unit) still agree that the only reason gangs are not making more money out of it is because they don't have enough people to make the manual account transfers. It's a HUGE money spinner. Phishing basically relies on stupid users giving away their logins to sites like electronic banking, but also things like ebay, paypal and other sites that let you shove cash around. Identity theft is very high profile, and the media has a field day with it.

Extortion

A common tactic out of Russia and Eastern Europe is to "own" thousands of computers - this is called a botnet - with the ideal number being 5000 to 10000 according to Kaspersky. With this few, you have a good chance of never getting your malware reported to an AV company, so you're "under the radar" and no AV will pick you up. Then, you run an old-fashioned extortion racket. By threatening users with a DDoS (Distributed Denial of Service) you can effectively shut down the website of pretty much any mid to large sized organisation, for days if you want to, costing them a lot of money. Most pay. Long but cool article on this:
http://www.csoonline.com/read/050105/extortion.html

Spam

And, while your botnet is idle, you can rent it or sell it to spammers. Saves you from having that investment sitting idle. Probably the bulk of spam is sent this way now, because it's virtually impossible to trace it back to the original sender. There are so many ways for a black hat hacker to make money out of spam it would take another twenty pages - it goes beyond just sending it. There is also money to be made from advertisers, using pay-for-click techniques. Great writeup here:
http://www.lurhq.com/ppc-hijack.html

Hacking for Hire

There is much less written about this, but genuine, targeted attacks still happen. A good example is the theft and advance release of the Halflife 2 source code from Valve.
http://money.cnn.com/2003/10/07/commentary/game_over/column_gaming/

Another great one is the Cisco source code theft.
http://www.theregister.co.uk/2005/05/10/cisco_hack_investigation/

The damage to reputation and future income from these attacks is significant, but probably not crippling. The attackers in these cases were amateurs, and probably didn't make any money out of it - but it's a fairly common rumour that there are professionals doing the same thing who _do_ make money. The reason we don't read about it in the press is either because the theft is never detected, or if it is, the company won't admit to it. [this was written before the Israeli targeted trojan article referenced, but that's another great example]

Worms

We haven't seen a major worm for a long time, so maybe they're not front-of-mind anymore. However, as soon as MS announce a suitable vulnerability (a stack based buffer overflow in a core networking service) there is a good chance we'll see another one. Worms actually annoy real hackers. They make a lot of noise, and they get companies to patch perfectly viable remote vulnerabilities much more quickly than they otherwise would. Most worms to date have been released by amateurs (you can tell when you reverse engineer them). However, one worm stands out, which was called Witty. Great writeup here.
http://www.caida.org/analysis/security/witty/

What Witty demonstrates is that malicious hackers are writing worms which include a whole lot of techniques that are at the forefront of academic research. Many of the techniques in Witty had been first suggested in a research paper published only a year or two earlier. It was slick, well written - basically it was coded by a security expert.

The theoretical damage from a _really_ nasty worm is difficult to calculate, but I was reading today about a completely feasible idea, where the worm could 'lock' any ATA hard-drive using firmware commands - not even a reformat would get it working again. Slammer hit half a million hosts inside 10 minutes. The trouble is that everyone will leave their head planted firmly in the sand until it happens.

But, fundamentally, worms are only really interesting to vandals. They are too noisy to remain undetected, so people clean up after them. This is not what you want. So, I think the biggest threats right now are probably those coming from skilled criminals, and not from worms anymore. This is a reversal from how things were in 2001-2003 (worms were very rare before then). That said, a destructive worm really, honestly does have the potential to put you out of business - _permanently_ if your disaster recovery plans are not top-notch.

---

Anyway, nothing above is really original.
To me it all seems obvious, but whenever I talk about this stuff to the 'general public' they are all shocked, so maybe some subscribers will find it interesting.

Cheers,

ben

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Ok, so now we have a firewall, we're safe, right? Paul D. Robertson (May 30)
- Re: Ok, so now we have a firewall, we're safe, right? Chris Blask (May 30)
- RE: Ok, so now we have a firewall, we're safe, right? Ben Nagy (May 30)
- RE: Ok, so now we have a firewall, we're safe, right? Chris Blask (May 31)
- Re: Ok, so now we have a firewall, we're safe, right? Fritz Ames (May 31)
- Re: Ok, so now we have a firewall, we're safe, right? Paul D. Robertson (May 31)
- Re: Ok, so now we have a firewall, we're safe, right? Marcus J. Ranum (May 31)
- Re: Ok, so now we have a firewall, we're safe, right? Roel Jonkman (May 31)
- Re: Ok, so now we have a firewall, we're safe, right? Paul D. Robertson (May 31)
- RE: Ok, so now we have a firewall, we're safe, right? Tina Bird (May 31)
- RE: Ok, so now we have a firewall, we're safe, right? Chris Blask (May 31)
- Re: Ok, so now we have a firewall, we're safe, right? Chris Blask (May 31)
- Re: Ok, so now we have a firewall, we're safe, right? Paul D. Robertson (May 31)
- Re: Ok, so now we have a firewall, we're safe, right? Chris Blask (May 31)