Re: CRIME AOL Backdoor?

From: Crispin Cowan (crispin@private)
Date: Mon Jun 24 2002 - 18:47:22 PDT


    Jeffrey_Korte/Security/FCNB/Spgla@private wrote:
    
    >Information Classification: Public.
    >
    "Public" is the /de facto/ status of anything posted to CRIME. Be aware.
    
    >Due  to  security/virus  concerns,  several  months  ago I killed access to
    >Internet  based E-mail services at our Bank. (Yahoo, MSN, AOL, etc.)  After
    >monitoring several Internet usage reports, I found traffic in the thousands
    >to:  http://ar.atwola.com.   Once  you visit the site it immediately takes
    >you  to  the  "AOL  Anywhere"  portal.   I have also found numerous hits to
    >http://toolbar.aol.com.
    >
    >Can  anyone  in the group confirm for me whether or not a backdoor into AOL
    >exists  allowing  a  user  to  by-pass  Firewall  restrictions  in order to
    >retrieve their E-mails?
    >
    There certainly are a vast number of back doors that will bypass your 
    firewall restrictions, whether or not the above web portals are 
    effective bypasses. For instance, this script will throw an SSH 
    encrypted tunnel from my Linux laptop to the OGI web site:
    
    #!/bin/sh
    # Compress (-C) and forward local port 10347 to www.cse.ogi.edu:80 through the
    # SSH server; the trailing sleep just keeps the session (and tunnel) open.
    ssh -C -L 10347:www.cse.ogi.edu:80 ccowan@private sleep 30000
    
    With that running, I can browse "http://localhost:10347" and get OGI. A 
    similar crypto tunnel will deliver you to some arbitrary off-site 
    server, which in turn can connect to an arbitrary webmail site. You will 
    never see any of the traffic, other than seeing that it is encrypted.
    
    Object lesson: Firewalls are *useless* at preventing the exporting of 
    content from your site. If someone inside is determined to get some kind 
    of protocol to talk to something outside, and you allow *any* kind of 
    connection out, then they can obscure or encrypt the traffic so that you 
    won't see it.
    
    Proof: Marcus Ranum (one of the fathers of the firewall) allegedly once 
    implemented Telnet to run over top of DNS requests and responses. You 
    can, in principle, tunnel TCP/IP over top of DNS. To understand how this 
    works, evilinside dude requests a DNS lookup on 
    outboundpacket.evildomain.com, and evildomain.com sends back a reply 
    packet encoded as the 32-bit IP address of that domain name. Carry on as 
    long as need be. Good luck blocking outbound DNS, and no, a DNS proxy 
    will not stop this attack.
    
    Corollary: your security policy had best *not* be based on the delusion 
    that you can prevent people from exporting whatever they want with 
    firewall rules. Confidential data can only be kept confidential by not 
    showing it to bad people. Similarly, the firewall cannot prevent people 
    from downloading whatever they want, if they are sufficiently determined.
    
    Crispin
    
    -- 
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX Communications, Inc. http://wirex.com/~crispin/
    Security Hardened Linux Distribution:       http://immunix.org
    Available for purchase: http://wirex.com/Products/Immunix/purchase.html
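
The post's point is that outbound DNS cannot be blocked, so the defender's remaining option is to notice the channel. The following is an added example, not part of Crispin's message or any tool he mentions: a small Python detector run over a constructed DNS query log. It scores each registered domain on the traits a DNS-encoded channel of the kind described above tends to have (many lookups, nearly every subdomain unique, high per-character entropy in the encoded labels). The log format, the domain evildomain.com, the hex-looking labels and the thresholds are all assumptions made for the example.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log: "client qname qtype" per line.
# The evildomain.com lookups are a hypothetical illustration of the channel
# described in the post (data in the subdomain label, 32-bit answer back);
# they are not real traffic.
SAMPLE_LOG = """\
10.0.0.5 www.cse.ogi.edu A
10.0.0.5 toolbar.aol.com A
10.0.0.7 mail.example.org MX
10.0.0.9 7a3f9c01e4b2.evildomain.com A
10.0.0.9 0d5e8b7a2c19.evildomain.com A
10.0.0.9 f41c0a9e3b76.evildomain.com A
10.0.0.9 b8e2d4f06a35.evildomain.com A
10.0.0.9 2c7f1e9d4a80.evildomain.com A
10.0.0.9 9e0a6b3c5d71.evildomain.com A
10.0.0.9 4d1b8f2e7c03.evildomain.com A
10.0.0.9 e6c3a0f9b254.evildomain.com A
10.0.0.5 www.cse.ogi.edu A
10.0.0.7 immunix.org A
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Last two labels; a real deployment would consult the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def subdomain_part(qname: str) -> str:
    """Everything left of the registered domain ('' for a bare domain)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2])


def parse_log(text):
    """Yield (client, qname, qtype) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        yield parts[0], parts[1], parts[2]


def score_domains(text, min_queries=5, min_unique_ratio=0.8, min_entropy=3.0):
    """Return {domain: stats} for domains whose lookups resemble a covert channel.

    Heuristics (assumed thresholds for this example): enough queries to matter,
    almost every subdomain unique (ordinary sites repeat hostnames; an encoder
    never does), and high mean entropy across the subdomain labels.
    """
    per_domain = defaultdict(
        lambda: {"queries": 0, "subdomains": set(), "entropy_sum": 0.0}
    )
    for _client, qname, _qtype in parse_log(text):
        dom = registered_domain(qname)
        sub = subdomain_part(qname)
        st = per_domain[dom]
        st["queries"] += 1
        st["subdomains"].add(sub)
        st["entropy_sum"] += shannon_entropy(sub)

    flagged = {}
    for dom, st in per_domain.items():
        if st["queries"] < min_queries:
            continue
        unique_ratio = len(st["subdomains"]) / st["queries"]
        mean_entropy = st["entropy_sum"] / st["queries"]
        if unique_ratio >= min_unique_ratio and mean_entropy >= min_entropy:
            flagged[dom] = {
                "queries": st["queries"],
                "unique_ratio": unique_ratio,
                "mean_entropy": mean_entropy,
            }
    return flagged


if __name__ == "__main__":
    for dom, st in score_domains(SAMPLE_LOG).items():
        print(f"{dom}: {st['queries']} queries, "
              f"{st['unique_ratio']:.2f} unique, "
              f"{st['mean_entropy']:.2f} bits/char")
```

The volume threshold is what keeps a low-traffic legitimate domain such as ogi.edu out of the result; tuning the three thresholds against a baseline of your own resolver logs matters more than the exact numbers used here, and a CDN or DNSBL that legitimately uses many hashed subdomains will need an allowlist.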
    



    This archive was generated by hypermail 2b30 : Mon Jun 24 2002 - 19:14:14 PDT