Information Security News mailing list archives

Re: Symantec: Boom Times For Hackers


From: InfoSec News <isn () c4i org>
Date: Wed, 17 Mar 2004 01:33:38 -0600 (CST)

Forwarded from: matthew patton <pattonme () yahoo com>

--- InfoSec News <isn () c4i org> wrote:
http://www.informationweek.com/story/showArticle.jhtml?articleID=18400171

By Gregg Keizer
TechWeb News 
March 15, 2004

It's fun to read comments from a classmate of mine...

Zero-day threats are those that target vulnerabilities before
they're announced and patches posted. Needless to say, they're the
most dangerous, and difficult to contain.

"So far, every exploit we've seen has been against known
vulnerabilities, for which patches are available," Dunphy said,

er, wasn't the Linux Kernel memory problem a zero-day that got found
because it was successfully used on a fairly high-visibility machine?
Or did the Linux Kernel mailing list 'find' the problem first and
somebody was quick on the draw with a 'sploit?

More malicious code is also packed with its own mail server, a
tactic that hackers have used to bypass gateway defenses companies
have established for outgoing messages.

Which basically means said companies (and perhaps their paid security
experts) haven't locked outbound network traffic down like they should
have long ago. Allowing any old outbound connection to leave the
network is a classic failure to do a firewall correctly. If the ONLY way
to send SMTP out is from a known set of mail servers which in turn
have rules on forwarding and such, then the compromised machine can
attempt SMTP connections all it wants and accomplish nothing except
trip all kinds of policy violation alarms.

Although Dunphy drew a dark picture of the state of security, there
are some hints that the future will be a bit brighter. One area:
automated updating on the part of operating systems to patch
vulnerabilities.

"The trend is to automate [patches] and do this in the background,"
said Dunphy, pointing to announced plans such as Microsoft's to
integrate automatic vulnerability patching in Windows XP Service
Pack 2 this summer. "Operating system vendors are moving in the
right direction to make patching easier."

Easier perhaps. But secure? Redhat's RHN at least signs the packages
with a signature. Does MS? Nope. How hard would it be really to
subvert the DNS records to put up one's own SUS server for some
segment of the world to grab trojaned packages from? Not hard at all, I
submit. Even if we suppose that corporate IT can somehow differentiate
between trojans and not (I'm not optimistic at all), what possible
reason should I have to be confident that joe home user won't just
randomly click on the "ok" box to install the patches when prompted?
Heck, if I were writing the next great worm I'd pop up a dialog box
the spitting image of the SUS dialog box and then have it go fetch my
trojan wares directly from a server I control. It doesn't have to *be*
SUS, just fool the user into thinking they're dealing with SUS. How hard
is that?

"If you have a half-million home users infected or controlled by
hackers, these machines can be used to target companies," he said. "We
need to harden up the home user computers, since they also feed back
into the corporate network" via at-home workers connecting back to
the enterprise.

Which is why I submit that 'home' machines, be they the user's own or a
desktop given to them by corporate, need to be treated as
untrustworthy and otherwise hacked machines. They should not be allowed
access to any corporate assets directly (e.g. through a VPN) but rather be
dumped onto a DMZ where they can work by proxy, if that.

"It's all one big public road that we're on," he said. "We're all in
the same boat."

When will M$ (and frankly most big software outfits, to include
purveyors of "security" products) figure out they owe the community
some real security in their applications? What's the tool to force
them to wake up and take notice?
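The SMTP egress rule described above (only a known set of mail relays may open outbound SMTP; everything else is dropped and raises a policy-violation alarm) as an added example, not part of the original post or of any product it mentions. It is a small policy evaluator run over constructed flow-log lines; the relay addresses, the log format and the desktop hosts are all hypothetical.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Flow is one outbound connection attempt as a perimeter device would log it.
type Flow struct {
	Src   string
	Dst   string
	Proto string
	Port  int
}

// Verdict is the egress decision for one flow.
type Verdict struct {
	Flow   Flow
	Action string // "ACCEPT" or "DROP"
	Alert  bool   // true when the drop is a policy violation worth alarming on
	Reason string
}

// mailRelays are the only internal hosts allowed to speak SMTP to the
// outside world. The addresses are hypothetical.
var mailRelays = map[string]bool{
	"10.0.1.10": true,
	"10.0.1.11": true,
}

// smtpPorts covers plain SMTP plus the SMTPS/submission ports a worm's
// built-in mail engine might try instead.
var smtpPorts = map[int]bool{25: true, 465: true, 587: true}

// parseFlow reads a constructed log line of the form "src dst proto/port".
func parseFlow(line string) (Flow, error) {
	fields := strings.Fields(line)
	if len(fields) != 3 {
		return Flow{}, fmt.Errorf("malformed line %q", line)
	}
	if net.ParseIP(fields[0]) == nil || net.ParseIP(fields[1]) == nil {
		return Flow{}, fmt.Errorf("bad address in %q", line)
	}
	pp := strings.SplitN(fields[2], "/", 2)
	if len(pp) != 2 {
		return Flow{}, fmt.Errorf("bad proto/port in %q", line)
	}
	port, err := strconv.Atoi(pp[1])
	if err != nil || port < 1 || port > 65535 {
		return Flow{}, fmt.Errorf("bad port in %q", line)
	}
	return Flow{Src: fields[0], Dst: fields[1], Proto: pp[0], Port: port}, nil
}

// evaluate applies the policy: SMTP egress only from the relays. Non-SMTP
// traffic passes here only because this example isolates the SMTP rule; a
// real perimeter policy would be default-deny for other ports too.
func evaluate(f Flow) Verdict {
	if f.Proto == "tcp" && smtpPorts[f.Port] {
		if mailRelays[f.Src] {
			return Verdict{f, "ACCEPT", false, "SMTP from authorised relay"}
		}
		return Verdict{f, "DROP", true, "SMTP egress from non-relay host"}
	}
	return Verdict{f, "ACCEPT", false, "not SMTP"}
}

// audit runs the policy over log lines and tallies blocked SMTP attempts per
// source host, so a compromised desktop with its own mail engine stands out.
func audit(lines []string) ([]Verdict, map[string]int, error) {
	var verdicts []Verdict
	alarms := map[string]int{}
	for _, l := range lines {
		f, err := parseFlow(l)
		if err != nil {
			return nil, nil, err
		}
		v := evaluate(f)
		if v.Alert {
			alarms[f.Src]++
		}
		verdicts = append(verdicts, v)
	}
	return verdicts, alarms, nil
}

// sampleLog is constructed for this example; it is not real traffic.
var sampleLog = []string{
	"10.0.1.10 203.0.113.25 tcp/25", // corporate relay to a remote MX: allowed
	"10.0.5.42 198.51.100.7 tcp/25", // desktop with a built-in mail engine: blocked
	"10.0.5.42 198.51.100.8 tcp/25",
	"10.0.5.42 192.0.2.9 tcp/587",
	"10.0.5.42 198.51.100.7 tcp/80", // ordinary web traffic from the same desktop: allowed
	"10.0.7.3 203.0.113.25 tcp/465", // another desktop trying SMTPS: blocked
}

func main() {
	verdicts, alarms, err := audit(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, v := range verdicts {
		fmt.Printf("%-10s -> %-14s %s/%-4d %-6s %s\n",
			v.Flow.Src, v.Flow.Dst, v.Flow.Proto, v.Flow.Port, v.Action, v.Reason)
	}
	for host, n := range alarms {
		fmt.Printf("ALARM: %s attempted outbound SMTP %d time(s)\n", host, n)
	}
}
```

On a Linux perimeter box the same policy is three iptables rules on the FORWARD chain: an ACCEPT for tcp dport 25 from each relay address, then a LOG rule for tcp dport 25 (the alarm), then a DROP. The per-host tally is what you would feed to the alerting system, since one desktop making dozens of blocked SMTP attempts is the signature of the worm-with-its-own-mail-server behaviour the article describes.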



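What package signing buys an update client, as an added example that is not part of the original post and not RHN's or SUS's own code: the client pins the vendor's public key at install time and verifies a detached signature on every package, so a package fetched from a hijacked DNS name or a rogue mirror fails regardless of where the bytes came from. Ed25519 from Go's standard library stands in for the GPG/RPM signing RHN actually uses; the package name, payload bytes and key generation are all hypothetical and constructed inline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedPackage is what an update server (or any mirror) hands out: the
// payload plus a detached signature over it.
type SignedPackage struct {
	Name    string
	Payload []byte
	Sig     []byte
}

// packageDigest binds the package name to its bytes so a valid signature on
// one package cannot be replayed under another package's name.
func packageDigest(name string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0}) // separator so name/payload boundaries are unambiguous
	h.Write(payload)
	return h.Sum(nil)
}

// signPackage is the publisher's step, done with a private key that never
// leaves the vendor's signing infrastructure.
func signPackage(priv ed25519.PrivateKey, name string, payload []byte) SignedPackage {
	return SignedPackage{
		Name:    name,
		Payload: payload,
		Sig:     ed25519.Sign(priv, packageDigest(name, payload)),
	}
}

// verifyPackage is the client's step. The package may have arrived from a
// hijacked DNS name or a rogue mirror; trust comes only from the key pinned
// at install time, never from where the bytes were downloaded.
func verifyPackage(pinned ed25519.PublicKey, p SignedPackage) error {
	if len(p.Sig) != ed25519.SignatureSize {
		return errors.New("malformed signature")
	}
	if !ed25519.Verify(pinned, packageDigest(p.Name, p.Payload), p.Sig) {
		return errors.New("signature does not verify under the pinned vendor key; refusing to install")
	}
	return nil
}

// Scenario plays three deliveries against the same pinned key: the vendor's
// genuine package, that package with its payload swapped in transit, and a
// package signed with an attacker's own key (what a rogue update server can
// produce). It reports whether each case was handled correctly.
func Scenario() (genuineAccepted, tamperedRejected, rogueRejected bool) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, roguePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	payload := []byte("hypothetical patched binary") // constructed stand-in

	genuine := signPackage(vendorPriv, "kb-example", payload)
	genuineAccepted = verifyPackage(vendorPub, genuine) == nil

	tampered := genuine
	tampered.Payload = []byte("trojaned binary served from a hijacked mirror")
	tamperedRejected = verifyPackage(vendorPub, tampered) != nil

	rogue := signPackage(roguePriv, "kb-example", []byte("trojaned binary"))
	rogueRejected = verifyPackage(vendorPub, rogue) != nil
	return
}

func main() {
	g, t, r := Scenario()
	fmt.Printf("genuine accepted: %v\ntampered rejected: %v\nrogue-signed rejected: %v\n", g, t, r)
}
```

The spoofed-dialog attack in the post is the one thing this does not stop: if the user is tricked into running an installer that never goes through the verifying client, no signature is checked. Signing closes the network-path hole (DNS, mirrors, proxies); it does nothing about a user clicking "ok" on a lookalike.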
-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

