Re: Terrifying results from online test
From: Michael J. Pelletier (mjpelletier_at_mjpelletier.com)
Date: 12/10/04
- Next message: Jason Bosaw: "Re: Evidence Eliminator v Encase"
- Previous message: Michael J. Pelletier: "Re: Terrifying results from online test"
- In reply to: winged: "Re: Terrifying results from online test"
- Next in thread: Stuart M: "Re: Terrifying results from online test"
- Reply: Stuart M: "Re: Terrifying results from online test"
Date: Thu, 09 Dec 2004 21:13:18 -0800
winged wrote:
> spamme2@mailinator.com wrote:
>> I did this test, which simulates an unknown Trojan attack on a windoze
>> computer. The program successfully bypasses my beloved (and well
>> configured) Kerio firewall. It also evades my university's hardware
>> firewall, which is configured very well (the admins are the "block all
>> apart from port 80" type :-( )
>> Check out PCAudit from http://www.pcinternetpatrol.com/page/view/49
>> The program works by causing applications that have the privileges to
>> connect to the internet to upload data to their server.
>> I thought I would be safe because I configure kerio so it only permits
>> outbound connections to IP addresses of the resources that I connect
>> to, for example smtpserver:25, nntpserver:119, pop3server:110 and
>> proxy:8080
>> PCAudit appears to scan its way out. Even when I click deny it gets
>> through!
>> The company behind PCAudit have publicised a vulnerability that affects
>> almost all firewalls. Their PCAudit program could easily be reverse
>> engineered by crackers, and then a real and more malicious Trojan could
>> be produced that bypasses almost all firewalls.
>>
>> What do you guys think of this? Did you pass the test (without
>> unplugging your internet wire/blocking all traffic Lol)?
>>
>
> Yes I passed the test(s) (my computer would not (it refused) allow the
> software to run :-P). I have actually met Mr. Gibson at GRC ;-) No I did
> not have to disconnect. Any inappropriate software allowed to run
> inside "can" compromise security often invisible to the user. One can
> "hide" processes and files on a computer that are not easy to discern.
>
> One can attach files to other legitimate processes or programs using
> alternate data streams that can really make life an adventure. The key
> is keeping crap out. If one runs inside a VM it is an easy matter to
> identify what, where, who, and how and throttle/kill the offending
> processes.
>
> The code you allow to run inside is only as trustworthy as the
> individual who wrote the code, and the security of the code.
>
> If you are using IE as your default browser you have many more issues to
> worry about. My current count is 5 known unpatched vulnerabilities in IE
> where the system can run code of the attacker's choice at varying
> permission levels. One should constrain where IE is allowed to talk
> (Microsoft was right, you break things when you remove it) as well as how
> it can communicate.
>
> The default browser should not be "allowed" to run with system level
> permissions. The browser should not be run as an administrator of a
> system, nor even permissions of a standard user but only with restricted
> permissions required to meet the user requirement securely.
>
> Winged
If there are people reading this who are new to security, re-read the last
paragraph. Then re-read it again.....
As a general rule, su to root when needed then exit (translated for Windoze
users, you should not login as administrator unless you are installing
something, etc).