Re: Terrifying results from online test
From: winged (winged_at_nofollow.com)
Date: 12/10/04
- Next message: winged: "Re: Question about proxies"
- Previous message: winged: "Re: question"
- In reply to: spamme2_at_mailinator.com: "Terrifying results from online test"
- Next in thread: Michael J. Pelletier: "Re: Terrifying results from online test"
- Reply: Michael J. Pelletier: "Re: Terrifying results from online test"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 09 Dec 2004 22:51:36 EST
spamme2@mailinator.com wrote:
> I did this test, which simulates an unknown Trojan attack on a windoze
> computer. The program successfully bypasses my beloved (and well
> configured) Kerio firewall. It also evades my university's hardware
> firewall, which is configured very well (the admins are the "block all
> apart from port 80" type :-( )
> Check out PCAudit from http://www.pcinternetpatrol.com/page/view/49
> The program works by causing applications that have the privileges to
> connect to the internet to upload data to their server.
> I thought I would be safe because I configure kerio so it only permits
> outbound connections to IP addresses of the resources that I connect
> to, for example smtpserver:25, nntpserver:119, pop3server:110 and
> proxy:8080
> PCAudit appears to scan its way out. Even when I click "deny" it gets
> through!
> The company behind PCAudit have publicised a vulnerability that affects
> almost all firewalls. Their PCAudit program could easily be reverse
> engineered by crackers, and then a real and more malicious Trojan could
> be produced that bypasses almost all firewalls.
>
> What do you guys think of this? Did you pass the test (without
> unplugging your internet wire/blocking all traffic Lol)?
>
Yes, I passed the test(s) (my computer would not (it refused to) allow the
software to run :-P). I have actually met Mr. Gibson at GRC ;-) No, I did
not have to disconnect. Any inappropriate software allowed to run
inside "can" compromise security, often invisibly to the user. One can
"hide" processes and files on a computer in ways that are not easy to discern.
One can attach files to other legitimate processes or programs using
alternate data streams, which can really make life an adventure. The key
is keeping crap out. If one runs inside a VM, it is an easy matter to
identify what, where, who, and how, and to throttle/kill the offending
processes.
The code you allow to run inside is only as trustworthy as the
individual who wrote the code, and the security of the code.
If you are using IE as your default browser, you have many more issues to
worry about. My current count is 5 known unpatched vulnerabilities in IE
where the system can run code of the attacker's choice at varying
permission levels. One should constrain where IE is allowed to talk
(Microsoft was right: you break things when you remove it) as well as how
it can communicate.
The default browser should not be "allowed" to run with system-level
permissions. The browser should not be run as an administrator of the
system, nor even with the permissions of a standard user, but only with the
restricted permissions required to meet the user's requirement securely.
Winged
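The "what, where, who, and how" check described above, as an added example that is not part of the original post or of PCAudit/Kerio: it maps every established outbound TCP connection on a Windows host to the owning process, its binary path and its parent, then flags anything outside a process/port allowlist modelled on the original poster's rules (smtp:25, nntp:119, pop3:110, proxy:8080). Assumptions: Windows 8 / Server 2012 or later for Get-NetTCPConnection, PowerShell 3 or newer, and the process names (thunderbird, firefox) in the allowlist, which are illustrative and not from the page.

```powershell
# Added example, not code from the original post. Assumes Get-NetTCPConnection
# (Windows 8+/Server 2012+) and PowerShell 3+. Allowlist entries are illustrative.
$Allowed = @(
    @{ Process = 'thunderbird'; RemotePort = 25   }   # smtpserver:25
    @{ Process = 'thunderbird'; RemotePort = 119  }   # nntpserver:119
    @{ Process = 'thunderbird'; RemotePort = 110  }   # pop3server:110
    @{ Process = 'firefox';     RemotePort = 8080 }   # proxy:8080
)

function Get-OutboundConnection {
    # Every established TCP connection to a non-loopback peer, joined to its process.
    Get-NetTCPConnection -State Established |
      Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$)' } |
      ForEach-Object {
        $conn = $_
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        $wmi  = Get-CimInstance Win32_Process -Filter "ProcessId = $($conn.OwningProcess)" `
                  -ErrorAction SilentlyContinue
        $parent = $null
        if ($wmi) {
            $parent = (Get-Process -Id $wmi.ParentProcessId -ErrorAction SilentlyContinue).ProcessName
        }
        [pscustomobject]@{
            Process       = if ($proc) { $proc.ProcessName } else { "pid:$($conn.OwningProcess)" }
            Pid           = $conn.OwningProcess
            Path          = if ($proc) { $proc.Path } else { $null }   # where the binary lives
            Parent        = $parent                                     # who started it
            RemoteAddress = $conn.RemoteAddress
            RemotePort    = $conn.RemotePort
        }
      }
}

function Test-Allowed($conn) {
    # A connection passes only if both the process name and the remote port match a rule.
    foreach ($rule in $Allowed) {
        if ($conn.Process -ieq $rule.Process -and $conn.RemotePort -eq $rule.RemotePort) {
            return $true
        }
    }
    return $false
}

$unexpected = Get-OutboundConnection | Where-Object { -not (Test-Allowed $_) }
if ($unexpected) {
    Write-Host "Outbound connections outside the allowlist:"
    $unexpected | Format-Table Process, Pid, Path, Parent, RemoteAddress, RemotePort -AutoSize
} else {
    Write-Host "All established outbound connections match the allowlist."
}
```

Run it from an elevated prompt so that Path and Parent are populated for every process. The point of the Path and Parent columns is the class of bypass the thread is about: a host:port rule, and even a process-name rule, is satisfied by a payload running inside the permitted browser or mail client, so the columns that distinguish the genuine client from a lookalike are the binary's location and what launched it, and a permitted process whose parent is something you did not start is the thing to kill.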
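The alternate-data-stream hiding mentioned above, as an added example that is not code from the original post: it attaches a second stream to an ordinary text file, shows that a normal directory listing reveals neither the stream nor any size change, then enumerates and removes the hidden stream. Assumptions: an NTFS volume under $env:TEMP, PowerShell 3 or newer (the -Stream parameter), and the file and stream names, which are invented for the demonstration.

```powershell
# Added example, not code from the original post. Requires NTFS and PowerShell 3+.
$Dir  = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $Dir -Force | Out-Null
$File = Join-Path $Dir 'readme.txt'

Set-Content -Path $File -Value 'Nothing to see here.'
# Attach a hidden payload as a named stream; the primary (unnamed) stream is untouched.
Set-Content -Path $File -Stream 'payload' -Value 'pretend executable bytes'

# A plain listing reports only the primary stream: same name, same Length as before.
Get-ChildItem $Dir | Select-Object Name, Length

function Get-HiddenStream([string]$Path) {
    # Enumerate every stream on the file except the unnamed primary stream ':$DATA'.
    Get-Item -Path $Path -Stream * |
      Where-Object { $_.Stream -ne ':$DATA' } |
      Select-Object FileName, Stream, Length
}

# Shows readme.txt with stream 'payload' and its real size.
Get-HiddenStream $File
# Read the hidden content back.
Get-Content -Path $File -Stream 'payload'

# Clean up: drop the stream, keep the file.
Remove-Item -Path $File -Stream 'payload'
Get-HiddenStream $File   # nothing left
```

The same enumeration is available without PowerShell as `dir /r` in cmd.exe on Vista and later; on older systems third-party stream-listing tools are needed. Note that Get-ChildItem's Length never includes named streams, so a sweep for files whose on-disk footprint does not match their listed size will not find them; enumerating streams explicitly, as above, is the check.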