Forwarded from: matthew patton <pattonme@private>

--- InfoSec News <isn@private> wrote:

> http://www.informationweek.com/story/showArticle.jhtml?articleID=18400171
>
> By Gregg Keizer
> TechWeb News
> March 15, 2004

It's fun to read comments from a classmate of mine...

> Zero-day threats are those that target vulnerabilities before
> they're announced and patches posted. Needless to say, they're the
> most dangerous, and difficult to contain.
>
> "So far, every exploit we've seen has been against known
> vulnerabilities, for which patches are available," Dunphy said,

Er, wasn't the Linux Kernel memory problem a zero-day that got found because it was successfully used on a fairly high-visibility machine? Or did the Linux Kernel mailing list 'find' the problem first and somebody was quick on the draw with a 'sploit?

> More malicious code is also packed with its own mail server, a
> tactic that hackers have used to bypass gateway defenses companies
> have established for outgoing messages.

Which basically means said companies (and perhaps their paid security experts) haven't locked outbound network traffic down like they should have long ago. Allowing any old outbound connection to leave the network is a classic failure to do a firewall correctly. If the ONLY way to send SMTP out is from a known set of mail servers, which in turn have rules on forwarding and such, then the compromised machine can attempt SMTP connections all it wants and accomplish nothing except trip all kinds of policy violation alarms.

> Although Dunphy drew a dark picture of the state of security, there
> are some hints that the future will be a bit brighter. One area:
> automated updating on the part of operating systems to patch
> vulnerabilities.
>
> "The trend is to automate [patches] and do this in the background,"
> said Dunphy, pointing to announced plans such as Microsoft's to
> integrate automatic vulnerability patching in Windows XP Service
> Pack 2 this summer. "Operating system vendors are moving in the
> right direction to make patching easier."

Easier, perhaps. But secure? Redhat's RHN at least signs the packages with a signature. Does MS? Nope. How hard would it be really to subvert the DNS records to put up one's own SUS server for some segment of the world to grab trojaned packages from? Not hard at all, I submit. Even if we suppose that corporate IT can somehow differentiate between trojans and not (I'm not optimistic at all), what possible reason should I have to be confident that joe home user won't just randomly click on the "ok" box to install the patches when prompted? Heck, if I were writing the next great worm I'd pop up a dialog box the spitting image of the SUS dialog box and then have it go fetch my trojan wares directly from a server I control. It doesn't have to *be* SUS, just fool the user into thinking they're dealing with SUS. How hard is that?

> "If you have a half-million home users infected or controlled by
> hackers, these machines can be used to target companies," he said. "We
> need to harden up the home user computers, since they also feed back
> into the corporate network" via at-home workers connecting back to
> the enterprise.

Which is why I submit that 'home' machines, be they the user's own or a desktop given to them from corporate, need to be treated as untrustworthy and otherwise hacked machines. They should not be allowed access to any corporate assets directly (e.g. through a VPN) but rather be dumped onto a DMZ where they can work by proxy, if that.

> "It's all one big public road that we're on," he said. "We're all in
> the same boat."

When will M$ (and frankly most big software outfits, to include purveyors of "security" products) figure out they owe the community some real security in their applications? What's the tool to force them to wake up and take notice?

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo@private with 'unsubscribe isn'
in the BODY of the mail.
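An added illustration of the egress policy the message argues for (this is example code, not part of the original post or the article): only designated internal relays may open outbound TCP/25, and every other host that tries is a policy violation to alert on. The relay addresses, the internal network and the netfilter-style log lines are all constructed for the example.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

# Assumed policy: only these internal mail relays may speak SMTP to the outside.
ALLOWED_SMTP_RELAYS = {ipaddress.ip_address("10.0.0.25"), ipaddress.ip_address("10.0.0.26")}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # constructed internal range


class Attempt(NamedTuple):
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


# Netfilter LOG style fields: "SRC=a DST=b ... PROTO=TCP SPT=n DPT=m ..."
LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) .*?PROTO=TCP .*?DPT=(\d+)")


def parse_attempt(line: str) -> Optional[Attempt]:
    """Extract a TCP connection attempt from one log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return Attempt(ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2)), int(m.group(3)))


def egress_verdict(a: Attempt) -> str:
    """Return 'allow' or 'deny' for an outbound attempt under the SMTP-relay-only policy."""
    if a.dst in INTERNAL_NET:
        return "allow"  # host-to-host traffic inside the network is not egress
    if a.dport == 25:
        return "allow" if a.src in ALLOWED_SMTP_RELAYS else "deny"
    return "allow"  # other egress ports are governed by rules outside this example


def find_smtp_violators(lines) -> dict:
    """Map each internal host that tried direct outbound SMTP to its attempt count."""
    violators: dict = {}
    for line in lines:
        a = parse_attempt(line)
        if a and egress_verdict(a) == "deny":
            violators[str(a.src)] = violators.get(str(a.src), 0) + 1
    return violators


# Constructed sample log: the relay is fine, workstation 10.0.5.23 is not.
SAMPLE_LOG = [
    "kernel: EGRESS IN= OUT=eth0 SRC=10.0.0.25 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=43110 DPT=25",
    "kernel: EGRESS IN= OUT=eth0 SRC=10.0.5.23 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=41231 DPT=25",
    "kernel: EGRESS IN= OUT=eth1 SRC=10.0.5.23 DST=10.0.0.25 LEN=60 PROTO=TCP SPT=41232 DPT=25",
    "kernel: EGRESS IN= OUT=eth0 SRC=10.0.5.40 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=50201 DPT=443",
    "kernel: EGRESS IN= OUT=eth0 SRC=10.0.5.23 DST=198.51.100.20 LEN=60 PROTO=TCP SPT=41240 DPT=25",
    "kernel: eth0: link is up",
]
```

Running `find_smtp_violators(SAMPLE_LOG)` flags only the workstation that bypassed the relays; its submission to the internal relay on the third line is not counted.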
This archive was generated by hypermail 2b30 : Wed Mar 17 2004 - 02:15:37 PST