[ISN] Confessions Of A Gray-Hat Networker

From: InfoSec News (isn@private)
Date: Tue Mar 01 2005 - 01:48:05 PST


http://www.securitypipeline.com/trends/60404004

By David Strom
Tom's Networking 
www.tomsnetworking.com
February 28, 2005 

It is getting harder to tell the good guys from the bad these days.  
Life up to about last year used to be so simple. There were white hat
networkers and black hat networkers. The white hats are the ones who
try to gain entry into your network with your permission, to stress
test your security and pinpoint vulnerabilities. The black hats are
mostly the bad guys. But now we have grey hat networks, the ones that
aren't so easy to characterize as evildoers.

I guess this mirrors life, where nothing is black and white anymore
(at least outside the perspective of our own president, but don't get
me started on that). These grey networks are becoming more common as
corporate IT staffs do their best to stem the tide of peer-to-peer,
instant messaging, and other incidental applications that have become
mission critical to some of their users. The reason they are called
grey is because while they are still far from the accepted corporate
standard portfolio of "approved" applications, they are useful and in
common use across the corporate network.

Actually, the problem is not new. When I worked in IT departments
during the 1980s, we had our standard apps and platforms and plenty of
renegade users who promptly and in some cases pointedly ignored us and
took their computing needs into their own hands. It was a constant
battle, but back then the only real networks we had were the 3270 kind
of IBM mainframes, and well, everything was pretty black and white for
the mainframe guys. Of course the shoe was on the other foot when I
became a user. I must confess that even as recently as last year I was
a bit of a renegade user myself, wanting to run apps that weren't part
of the corporate portfolio. Ask my IT people and they will tell you
tales of woe.

I thought about this recently when I was attending the RSA conference
and was listening to one of the talks on how to stem the tide of
unmonitored IM usage. Jonathan Christensen, the CTO of FaceTime, was
the one who coined the grey hat moniker. He even said IM is the "next
generation of security threat" - well, he would, given that his company
can sell you products to try to protect you against this threat.

Does this mean that I am still part of the problem? Can I ever shake
those renegade days completely, or am I always going to be a thorn in
the side of IT?

I have become a grey hat networker, I must confess.

What brought me into the grey world was Skype. Since joining Tom's, I
have been using Skype as the main means of communicating with my staff
across Europe and the US. (Well, it IS our corporate standard.) It is
a wonderful application when it works, and perplexing and annoying
when it doesn't. For those of you that haven't had the opportunity to
use it yet, it is an IM client and a voice communications system
rolled into one. Like any good IM client, you have presence detection
(you can see when someone is online and ready to talk or text chat
with you). Unlike the commercial services from AOL, Microsoft, and
Yahoo, the list of your "buddies" isn't maintained by the network but
kept on your individual PC. This means that if you use more than one
machine to communicate, you will have to Skype yourself and send your
buddies list to the other PCs. But this is a minor annoyance.

The voice quality is superb. For talking to people halfway across the
world, they sound like they are in the next room. And it works with
relative ease with my little laptop, and even on my home Mac. It
doesn't interoperate with other IM networks (that is the bad news),
but it does a great job of penetrating corporate firewalls and routing
around network problems (good for me, bad for most network
administrators who are trying to deal with it). This is why it is a
grey app.

Skype is the fastest growing Internet-based communications application
in history. They have reached more than 70 million users in a year,
when other IM products took five or more years to get to this
population. "Skype me" has become a verb, I am sorry to admit.

So what's the problem? Well, there are two things at work here. First,
because Skype is so facile at getting through network blockades, it
has become a disease vector for virus writers to use to infect
corporate networks. Over the past couple of weeks, several IM-based
attacks (not just using Skype, but all kinds of IM products) have
wreaked havoc on various commercial networks. Second, because the user
population is growing so quickly, it is becoming more useful as more
people join up, making it more of an opportunity for the bad guys to
exploit. What this means is that corporate IT admins are having fits
trying to contain it. The problem with these attacks is that you are
more likely to click on a URL coming from one of your buddies via IM
than from email, because you have already authenticated their identity
and established some level of trust.

Yet trusting an IM screen name is somewhat misplaced. I can remember
plenty of times that I started conversations with my buddies, only to
find out that someone else was using their screen name. There really
isn't a lot of security behind the system: all it takes is to know
someone's password.

So what to do? Banishment of all IM and Skype doesn't work. Blocking
the app doesn't work. Setting up a Skype proxy server isn't yet
technically available - there are such things for AOL and MSN. You
just have to deal with it, I guess. At the RSA show, the panel offered
several lukewarm suggestions (such as using their own security
software that they just happen to have handy in a nearby booth), but
nothing to really stem the tide. In the meantime, I do the best I can:  
keep my firewall and anti-virus software up to date, and hope that my
grey network doesn't go completely black on me one day.

This article appears courtesy of Tom's Networking.


