http://www.securitypipeline.com/trends/60404004

By David Strom
Tom's Networking
www.tomsnetworking.com
February 28, 2005

It is getting harder to tell the good guys from the bad these days. Life up to about last year used to be so simple. There were white hat networkers and black hat networkers. The white hats are the ones who try to gain entry into your network with your permission, to stress test your security and pinpoint vulnerabilities. The black hats are mostly the bad guys. But now we have grey hat networks, the ones that aren't so easy to characterize as evildoers. I guess this mirrors life, where nothing is black and white anymore (at least outside the perspective of our own president, but don't get me started on that).

These grey networks are becoming more common as corporate IT staffs do their best to stem the tide of peer-to-peer, instant messaging, and other incidental applications that have become mission critical to some of their users. The reason they are called grey is because while they are still far from the accepted corporate standard portfolio of "approved" applications, they are useful and in common use across the corporate network.

Actually, the problem is not new. When I worked in IT departments during the 1980s, we had our standard apps and platforms and plenty of renegade users who promptly and in some cases pointedly ignored us and took their computing needs into their own hands. It was a constant battle, but back then the only real networks we had were the 3270 kind of IBM mainframes, and well, everything was pretty black and white for the mainframe guys.

Of course the shoe was on the other foot when I became a user. I must confess that even as recently as last year I was a bit of a renegade user myself, wanting to run apps that weren't part of the corporate portfolio. Ask my IT people and they will tell you tales of woe.

I thought about this recently when I was attending the RSA conference and was listening to one of the talks on how to stem the tide of unmonitored IM usage. Jonathan Christensen, the CTO of FaceTime was the one who coined the grey hat moniker. He even said IM is the "next generation of security threat" - well, he would, given as his company can sell you products to try to protect you against this threat.

Does this mean that I am still part of the problem? Can I ever shake those renegade days completely, or am I always going to be a thorn in the side of IT? I have become a grey hat networker, I must confess.

What brought me into the grey world was Skype. Since joining Tom's, I have been using Skype as the main means of communicating with my staff across Europe and the US. (Well, it IS our corporate standard.) It is a wonderful application when it works, and perplexing and annoying when it doesn't.

For those of you that haven't had the opportunity to use it yet, it is an IM client and a voice communications system rolled into one. Like any good IM client, you have presence detection (you can see when someone is online and ready to talk or text chat with you). Unlike the commercial services from AOL, Microsoft, and Yahoo, the list of your "buddies" isn't maintained by the network but kept on your individual PC. This means that if you use more than one machine to communicate, you will have to Skype yourself and send your buddies list to the other PCs. But this is a minor annoyance.

The voice quality is superb. For talking to people halfway across the world, they sound like they are in the next room. And it works with relative ease with my little laptop, and even on my home Mac. It doesn't interoperate with other IM networks (that is the bad news), but it does a great job of penetrating corporate firewalls and routing around network problems (good for me, bad for most network administrators who are trying to deal with it). This is why it is a grey app.

Skype is the fastest growing Internet-based communications application in history. They have reached more than 70 million users in a year, when other IM products took five or more years to get to this population. "Skype me" has become a verb, I am sorry to admit.

So what's the problem? Well, there are two things at work here. First, because Skype is so facile at getting through network blockades, it has become a disease vector for virus writers to use to infect corporate networks. Over the past couple of weeks, several IM-based attacks (not just using Skype, but all kinds of IM products) have wreaked havoc on various commercial networks. Second, because the user population is growing so quickly, it is becoming more useful as more people join up, making it more of an opportunity for the bad guys to exploit. What this means is that corporate IT admins are having fits trying to contain it.

The problem with these attacks is that you are more likely to click on a URL coming from one of your buddies via IM than from email, because you have already authenticated their identity and established some level of trust. Yet trusting an IM screen name is somewhat misplaced. I can remember plenty of times that I started conversations with my buddies, only to find out that someone else was using their screen name. There really isn't a lot of security behind the system: all it takes is to know someone's password.

So what to do? Banishment of all IM and Skype doesn't work. Blocking the app doesn't work. Setting up a Skype proxy server isn't yet technically available - there are such things for AOL and MSN. You just have to deal with it, I guess. At the RSA show, the panel offered several lukewarm suggestions (such as using their own security software that they just happen to have handy in a nearby booth), but nothing to really stem the tide.

In the meantime, I do the best I can: keep my firewall and anti-virus software up to date, and hope that my grey network doesn't go completely black on me one day.

This article appears courtesy of Tom's Networking.