|Copyright © 2001,2002 eyeonsecurity
Inc., All Rights Reserved. No portions of eyeonsecurity
may be used without express, written permission
- What they forget to secure
- Obscure^ firstname.lastname@example.org
You set up firewalls, e-mail filtering, Intrusion
Detection Systems (IDS), personal firewalls, Censor
Software (both on network and personal level)
and they still get in. What I'm referring to is
those pesky VBS, similar worms inhibiting the
Windows platform right now and maybe a few real
life crackers here and there. For the network
administrator, this can be a real problem. Even
when he has secured his network with the latest
tools and patches, there is still a big chance
of his kingdom getting infected, especially if
it's made up of MS Windows machines, and its trusting
The main problem lies in the user's activities.
Normally, the administrator is expected to shut
off inbound connections so that malicious users
cannot connect to the internal network. However,
we are increasingly seeing that this is only one
side of the coin. Most users will be accessing
hostile networks, like IRC, even if they have
no business to do so.
In this article I will be outlining some of the
protocols that most Security related tools do
not cover or even think of protecting users from.
The HTTP protocol provides a backdoor for hackers
and malicious crackers to get into your network;
much the same goes for e-mail. While this is getting
a lot of press right now, there's a lot more to
network security than just HTTP and e-mail.
Newsgroups basically have the same problems as
e-mail. The difference is that instead of infecting
just the target user, a malicious newsgroup post
targets more than just one. So if you're using
Outlook Express to read Newsgroups, and have your
mind at rest 'cause you're filtering your e-mails
from known exploits and attachments, you could
be in trouble.
Newsgroups although similar to e-mail, cannot
be filtered in the exactly same way. A solution
to this would be to deploy a newsgroup relay,
that copies and filters all newsgroup posts to
an internal host from a public newsgroup. Of course
this can produce a number of problems, like slow
updating times, clogged servers, and large hard
disk space. Of course you could always perform
a secure installation of the newsgroups clients
on each and every machine in your network, but
this is certainly not the most practical way to
improve security, especially in a large network.
Then there are the so called instant
messenger and similar networks like IRC, ICQ,
AOL-CHAT and other similar networks. With difference
to Newsgroups and e-mail, these offer almost instant
message reply. Obviously, these networks allow
support for sending and receiving files, and many
users are very, maybe overly willing to receive
any file as longs it's named myself_nude.jpg.exe
or anything similar.
This also means that users are more easily fooled
into giving out personal information, some of
which can give attackers some real advantage when
trying to get into your network. Apart from this,
accessing IRC and similar networks, exposes your
firewall's IP address, or the user's NAT.
It is very common for users on IRC to get scanned
for vulnerabilities. So if any user is accessing
IRC, and has for example, PCAnywhere, telnetd
or whatever running on the IP address shown on
IRC, you'll be sure to get some bruteforcing one
day or another.
ICQ is also known to be a very unsecured "protocol".
In fact, ICQ makes no claim on the security of
their product. Much the same goes to most other
chatting networks, since they are generally not
designed with security in mind, but rather overall
"efficiency" and multitude of features
to satisfy a big number of users. Of course, giving
access to these services to users on a supposedly
secure network, will create a backdoor in the
network, and easily compromise the overall security.
The relatively new file sharing applications,
which allow users to download MP3s, videos, multimedia
and apps. Napster is the most notorious of all
current file sharing applications. No public exploits
exist for the protocol in Napster, and it has
not produced any significant security problems
until now. This might be due to the fact that
it only allows audio files (mp3s) to be shared,
rather than any files.
Another similar application, which has produced
a lot less legal controversy is IMesh. This allows
executables to pass, thus allowing viruses, Trojans
and worms to flow through the network. Of course
the user has to be fooled into running the file,
similar to the IRC and ICQ file sharing problems.
We should also keep in mind that this is quite
unexplored territory as far as security goes,
so ... any evil thoughts ?
Similar to this, we have Gnutella which boasts
of decentralization. While testing this Network,
I have found it quite unreliable. However I think
that this will improve in terms of reliability.
The idea of Gnutella gives me evil loads of ideas.
For example worms could communicate through the
Gnutella protocol, making them virtually impossible
to shut off and difficult to detect. Maybe a virus
writer could implement a system so that commands
and files are tunneled through the protocol so
that the worms can communicate between each other.
All is perfect: the source code is available and
the protocol is public. Of course I'll leave the
details for your private research.
These kindof problems exist in any network that
trusts it's own users. It's quite necessary to
only allow users to only access trusted or filtered
protocols and maybe sites where security is critical
and data simply cannot be shared unless legal
access is given. This applies to most Corporate
networks, where compromising just one machine
means a compromise on the whole network. The solution
would be to add the required rules to the firewall
and restrict access. Besides that it's very reasonable
to educate the users and set up security policies.
The traditional virus scanner always helps as