Re: [fw-wiz] Ok, so now we have a firewall, we're safe, right?
From: Fritz Ames (fritzames_at_earthlink.net)
To: Ben Nagy <firstname.lastname@example.org>
Date: Tue, 31 May 2005 08:23:27 -0400
Along with the part that stays the same is the part about getting a
business to change its approach to security, or, "How does the security
zealot at the company sell their position?" Sure it sells faster
(somewhat, and for a little while) when there is a traumatic event, but
then the large-scale traumatic events, as you pointed out, have been
mere nuisances to-date. How does our hero pitch the solution to
preventing annihilation by the
It's the same old problem. "Here's your new fire extinguisher
budget..." I get the sense that *really* going after the education of
the users is the opportunity to make the biggest difference. (The
biggest difference? Really?) Savvy users will be less likely to click
on that link to Hades. Savvy users who run companies will have better
ideas of how to evaluate their risks and their mitigations--and spend
their dollars more carefully. Savvy users who run companies and who
read "MJR/Fred/Paul" will buy less marketing hype, less BS process and
documentation masquerading as security, and more secure systems. Savvy
network admins will... Savvy DB folks will... Savvy Web site folks
will... Savvy developers will... All those folks out there who are
busy doing their jobs, getting things done, building real stuff, and who
haven't had time or inclination to really get security will catch on and...
OK, so this has been tried before. ...or has it? "Personal Firewall
Day" is a great idea for *providing* information, but you can't simply
suck people in--without hacking the DNS so that every site resolves to
http://www.personalfirewallday.org/, or hacking Google so that the
personalfirewallday site appears at the top of every search result--and
the results display *looks* like one of your hits. What happened to
http://www.humanfirewall.org/, by the way? (I guess they never hacked
their way into our minds.) There's got to be some kind of candy to lure
people in to like learning it.
So increasing security awareness isn't directly relevant to firewall
technology ...in the hardware sense. But if not us, who? If not now,
when? Ah! To heck with it. I can't make it work if better minds than
mine haven't succeeded in this area. Please pass the fire extinguisher...
P.S. I'll use the same caveat that Ben used, about "awful hurry."
Ben Nagy wrote:
>>[mailto:email@example.com] On Behalf
>>Of Paul D. Robertson
>>Sent: Monday, May 30, 2005 6:18 PM
>>Subject: [fw-wiz] Ok, so now we have a firewall, we're safe, right?
>>AV isn't going to be effective against most custom Trojan
>>Horses. We're going to see more of this in the future.
> I wrote the below in an awful hurry, but it amplifies Paul's point. The
> threats we're looking at today aren't really anything like they were when we
> all got into this business. Sure, the _vectors_ are the same, and the
> patented MJR/Fred/Paul methodology will still help you out against the huge
> bulk of them. The point is that there is less and less margin for error.
> Anyway, small, self-indulgent rant follows.
> I didn't focus on defense techniques at all. Feel free to draw your own
> conclusions about your own favourite protection strategies; Marcus, feel
> free to plug your wirecutter posters. (hey can I get one of those shipped to
> Switzerland, btw? ;)
> Threats Facing Organisations Right Now
> A Short Essay by ben
> As more and more crime gets into hacking, we're seeing a whole lot of
> activity which was extremely rare 5-10 years ago. Most of the significant
> attacks these days are a result of organised crime; it's much less about
> pranksters, "true" hackers and those on a quest for knowledge.
> Identity Theft
> The biggest targets are consumer databases. High profile cases include
> ChoicePoint, Bank of America. Here's a para from a Fortune article:
> "In February data aggregator ChoicePoint acknowledged that identity thieves
> had stolen vital information on 145,000 people. Less than two weeks later
> Bank of America admitted it had lost backup tapes that held the account
> information of 1.2 million credit card holders. In March shoe retailer DSW
> said its stores' credit card data had been breached; the U.S. Secret Service
> estimated that at least 100,000 valuable numbers had been accessed. More
> than a month later DSW released the real number: 1.4 million. Reed
> Elsevier's LexisNexis, a ChoicePoint rival, followed suit, revealing first
> that unauthorized users had compromised 32,000 identities, then upping the
> number to 310,000."
> These attacks are targeted - it's like traditional hacking, except for lots
> of cash instead of for fun. The guys running them are criminal gangs -
> they're not a bunch of mischievous green haired pranksters. Here's quite a
> good article about Shadowcrew, which was a recent high profile takedown.
> We're talking seasoned hackers in their early twenties with guns, wads of
> cash and a profoundly criminal bent. Unfortunately it's just one such gang
> out of dozens.
> Phishing is a low grade form of identity theft, but the people I spoke to in
> banking and from the UK NHTCU (hi-tech crime unit) still agree that the only
> reason gangs are not making more money out of it is because they don't have
> enough people to make the manual account transfers. It's a HUGE money
> spinner. Phishing basically relies on stupid users giving away their logins
> to sites like electronic banking, but also things like ebay, paypal and
> other sites that let you shove cash around.
> Identity theft is very high profile, and the media has a field day with it.
> A common tactic out of Russia and Eastern Europe is to "own" thousands of
> computers - this is called a botnet - with the ideal number being 5000 to
> 10000 according to Kaspersky. With this few, you have a good chance of never
> getting your malware reported to an AV company so you're "under the radar"
> and no AV will pick you up. Then, you run an old-fashioned extortion racket.
> By threatening users with a DDoS (Distributed Denial of Service) you can
> effectively shut down the website of pretty much any mid to large sized
> organisation, for days if you want to, costing them a lot of money. Most
> Long but cool article on this:
> And, while your botnet is idle, you can rent it or sell it to spammers.
> Saves you from having that investment sitting idle. Probably the bulk of
> spam is sent this way now, because it's virtually impossible to trace it
> back to the original sender.
> There are so many ways for a black hat hacker to make money out of spam it
> would take another twenty pages - it goes beyond just sending it. There is
> also money to be made from advertisers, using pay-for-click techniques.
> Great writeup here:
> Hacking for Hire
> There is much less written about this, but genuine, targeted attacks still
> happen. A good example is the theft and advance release of the Halflife 2
> source code from Valve.
> Another great one is the Cisco source code theft.
> The damage to reputation and future income from these attacks is
> significant, but probably not crippling. The attackers in these cases were
> amateurs, and probably didn't make any money out of it - but it's a fairly
> common rumour that there are professionals doing the same thing who _do_
> make money. The reason we don't read about it in the press is either because
> the theft is never detected, or if it is the company won't admit to it.
> [this was written before the Israeli targeted trojan article referenced, but
> that's another great example]
> We haven't seen a major worm for a long time, so maybe they're not
> front-of-mind anymore. However, as soon as MS announce a suitable
> vulnerability (a stack based buffer overflow in a core networking service)
> there is a good chance we'll see another one.
> Worms actually annoy real hackers. They make a lot of noise, and they get
> companies to patch perfectly viable remote vulnerabilities much more quickly
> than they otherwise would. Most worms to date have been released by amateurs
> (you can tell when you reverse engineer them). However, one worm stands out,
> which was called Witty. Great writeup here.
> What Witty demonstrates is that malicious hackers are writing worms which
> include a whole lot of techniques that are at the forefront of academic
> research. Many of the techniques in Witty had been first suggested in a
> research paper published only a year or two earlier. It was slick, well
> written - basically it was coded by a security expert. The theoretical
> damage from a _really_ nasty worm is difficult to calculate, but I was
> reading today about a completely feasible idea, where the worm could 'lock'
> any ATA hard-drive using firmware commands - not even a reformat would get
> it working again. Slammer hit half a million hosts inside 10 minutes. The
> trouble is that everyone will leave their head planted firmly in the sand
> until it happens.
> But, fundamentally, worms are only really interesting to vandals. They are
> too noisy to remain undetected, so people clean up after them. This is not
> what you want. So, I think the biggest threats right now are probably those
> coming from skilled criminals, and not from worms anymore. This is a
> reversal from how things were in 2001-2003 (worms were very rare before
> That said, a destructive worm really, honestly does have the potential to
> put you out of business - _permanently_ if your disaster recovery plans are
> not top-notch.
> Anyway, nothing above is really original. To me it all seems obvious, but
> whenever I talk about this stuff to the 'general public' they are all
> shocked, so maybe some subscribers will find it interesting.
firewall-wizards mailing list