RE: [fw-wiz] Ok, so now we have a firewall, we're safe, right?

From: Ben Nagy (
Date: 05/30/05

    To: "'Paul D. Robertson'" <>, <>
    Date: Mon, 30 May 2005 22:20:14 +0200

    > -----Original Message-----
    > From:
    > [] On Behalf
    > Of Paul D. Robertson
    > Sent: Monday, May 30, 2005 6:18 PM
    > To:
    > Subject: [fw-wiz] Ok, so now we have a firewall, we're safe, right?
    > AV isn't going to be effective against most custom Trojan
    > Horses. We're going to see more of this in the future.

    I wrote the below in an awful hurry, but it amplifies Paul's point. The
    threats we're looking at today aren't really anything like they were when we
    all got into this business. Sure, the _vectors_ are the same, and the
    patented MJR/Fred/Paul methodology will still help you out against the huge
    bulk of them. The point is that there is less and less margin for error.

    Anyway, small, self-indulgent rant follows.

    I didn't focus on defense techniques at all. Feel free to draw your own
    conclusions about your own favourite protection strategies; Marcus, feel
    free to plug your wirecutter posters. (hey can I get one of those shipped to
    Switzerland, btw? ;)

    Threats Facing Organisations Right Now
    A Short Essay by ben

    As more and more crime gets into hacking, we're seeing a whole lot of
    activity which was extremely rare 5-10 years ago. Most of the significant
    attacks these days are a result of organised crime; it's much less about
    pranksters, "true" hackers and those on a quest for knowledge.

    Identity Theft

    The biggest targets are consumer databases. High profile cases include
    ChoicePoint, Bank of America. Here's a para from a Fortune article:,15114,1056163,00.html

    "In February data aggregator ChoicePoint acknowledged that identity thieves
    had stolen vital information on 145,000 people. Less than two weeks later
    Bank of America admitted it had lost backup tapes that held the account
    information of 1.2 million credit card holders. In March shoe retailer DSW
    said its stores' credit card data had been breached; the U.S. Secret Service
    estimated that at least 100,000 valuable numbers had been accessed. More
    than a month later DSW released the real number: 1.4 million. Reed
    Elsevier's LexisNexis, a ChoicePoint rival, followed suit, revealing first
    that unauthorized users had compromised 32,000 identities, then upping the
    number to 310,000."

    These attacks are targeted - it's like traditional hacking, except for lots
    of cash instead of for fun. The guys running them are criminal gangs -
    they're not a bunch of mischievous green-haired pranksters. Here's quite a
    good article about Shadowcrew, which was a recent high profile takedown.
    We're talking seasoned hackers in their early twenties with guns, wads of
    cash and a profoundly criminal bent. Unfortunately it's just one such gang
    out of dozens.

    Phishing is a low grade form of identity theft, but the people I spoke to in
    banking and from the UK NHTCU (hi-tech crime unit) still agree that the only
    reason gangs are not making more money out of it is because they don't have
    enough people to make the manual account transfers. It's a HUGE money
    spinner. Phishing basically relies on stupid users giving away their logins
    to sites like electronic banking, but also things like ebay, paypal and
    other sites that let you shove cash around.

    Identity theft is very high profile, and the media has a field day with it.

    A common tactic out of Russia and Eastern Europe is to "own" thousands of
    computers - this is called a botnet - with the ideal number being 5000 to
    10000 according to Kaspersky. With this few, you have a good chance of never
    getting your malware reported to an AV company, so you're "under the radar"
    and no AV will pick you up. Then, you run an old-fashioned extortion racket.
    By threatening users with a DDoS (Distributed Denial of Service) you can
    effectively shut down the website of pretty much any mid to large sized
    organisation, for days if you want to, costing them a lot of money. Most

    Long but cool article on this:

    And, while your botnet is idle, you can rent it or sell it to spammers.
    Saves you from having that investment sitting idle. Probably the bulk of
    spam is sent this way now, because it's virtually impossible to trace it
    back to the original sender.

    There are so many ways for a black hat hacker to make money out of spam it
    would take another twenty pages - it goes beyond just sending it. There is
    also money to be made from advertisers, using pay-for-click techniques.
    Great writeup here:

    Hacking for Hire

    There is much less written about this, but genuine, targeted attacks still
    happen. A good example is the theft and advance release of the Half-Life 2
    source code from Valve.
    Another great one is the Cisco source code theft.

    The damage to reputation and future income from these attacks is
    significant, but probably not crippling. The attackers in these cases were
    amateurs, and probably didn't make any money out of it - but it's a fairly
    common rumour that there are professionals doing the same thing who _do_
    make money. The reason we don't read about it in the press is either because
    the theft is never detected, or, if it is, the company won't admit to it.
    [this was written before the Israeli targeted trojan article referenced, but
    that's another great example]

    We haven't seen a major worm for a long time, so maybe they're not
    front-of-mind anymore. However, as soon as MS announce a suitable
    vulnerability (a stack based buffer overflow in a core networking service)
    there is a good chance we'll see another one.

    Worms actually annoy real hackers. They make a lot of noise, and they get
    companies to patch perfectly viable remote vulnerabilities much more quickly
    than they otherwise would. Most worms to date have been released by amateurs
    (you can tell when you reverse engineer them). However, one worm stands out,
    which was called Witty. Great writeup here.

    What Witty demonstrates is that malicious hackers are writing worms which
    include a whole lot of techniques that are at the forefront of academic
    research. Many of the techniques in Witty had been first suggested in a
    research paper published only a year or two earlier. It was slick, well
    written - basically it was coded by a security expert. The theoretical
    damage from a _really_ nasty worm is difficult to calculate, but I was
    reading today about a completely feasible idea, where the worm could 'lock'
    any ATA hard-drive using firmware commands - not even a reformat would get
    it working again. Slammer hit half a million hosts inside 10 minutes. The
    trouble is that everyone will leave their head planted firmly in the sand
    until it happens.

    But, fundamentally, worms are only really interesting to vandals. They are
    too noisy to remain undetected, so people clean up after them. This is not
    what you want. So, I think the biggest threats right now are probably those
    coming from skilled criminals, and not from worms anymore. This is a
    reversal from how things were in 2001-2003 (worms were very rare before
    That said, a destructive worm really, honestly does have the potential to
    put you out of business - _permanently_ if your disaster recovery plans are
    not top-notch.

    Anyway, nothing above is really original. To me it all seems obvious, but
    whenever I talk about this stuff to the 'general public' they are all
    shocked, so maybe some subscribers will find it interesting.
    firewall-wizards mailing list
