Jeffrey_Korte/Security/FCNB/Spgla@private wrote:

>Information Classification: Public.
>

"Public" is the /de facto/ status of anything posted to CRIME. Be aware.

>Due to security/virus concerns, several months ago I killed access to
>Internet based E-mail services at our Bank. (Yahoo, MSN, AOL, etc.) After
>monitoring several Internet usage reports, I found traffic in the thousands
>to: http://ar.atwola.com. Once you visit the site it immediately takes
>you to the "AOL Anywhere" portal. I have also found numerous hits to
>http://toolbar.aol.com.
>
>Can anyone in the group confirm for me whether or not a backdoor into AOL
>exists allowing a user to by-pass Firewall restrictions in order to
>retrieve their E-mails?
>

There certainly are a vast number of back doors that will bypass your
firewall restrictions, whether or not the above web portals are effective
bypasses. For instance, this script will throw an SSH encrypted tunnel from
my Linux laptop to the OGI web site:

    #!/bin/sh
    # -C compresses the session; -L forwards local port 10347 to www.cse.ogi.edu:80 through the SSH host
    ssh -C -L 10347:www.cse.ogi.edu:80 ccowan@private
    sleep 30000

With that running, I can browse "http://localhost:10347" and get OGI. A
similar crypto tunnel will deliver you to some arbitrary off-site server,
which in turn can connect to an arbitrary webmail site. You will never see
any of the traffic, other than see that it is encrypted.

Object lesson: Firewalls are *useless* at preventing the exporting of
content from your site. If someone inside is determined to get some kind of
protocol to talk to something outside, and you allow *any* kind of
connection out, then they can obscure or encrypt the traffic so that you
won't see it.

Proof: Marcus Ranum (one of the fathers of the firewall) allegedly once
implemented Telnet to run over top of DNS requests and responses. You can,
in principle, tunnel TCP/IP over top of DNS.
To understand how this works, evilinside dude requests a DNS lookup on
outboundpacket.evildomain.com, and evildomain.com sends back a reply packet
encoded as the 32-bit IP address of that domain name. Carry on as long as
needs be. Good luck blocking outbound DNS, and no, a DNS proxy will not stop
this attack.

Corollary: your security policy had best *not* be based on the delusion
that you can prevent people from exporting whatever they want with firewall
rules. Confidential data can only be kept confidential by not showing it to
bad people. Similarly, the firewall cannot prevent people from downloading
whatever they want, if they are sufficiently determined.

Crispin
--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com/~crispin/
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
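One defender-side check for the DNS channel Crispin describes, added here as an example and not part of the original post: a small Python script that scores DNS query logs per (client, registered domain) and flags sustained runs of long, high-entropy, never-repeated leftmost labels, which is what packet data encoded into query names looks like. The log line format, the thresholds, and the sample lines are constructed assumptions for this example.

```python
import math
from collections import defaultdict

# Constructed sample log, one query per line: "<epoch> <client_ip> <qname> <qtype>".
# The hex labels under evildomain.example stand in for encoded outbound data.
SAMPLE_LOG = """\
1024963200 10.1.1.5 www.cse.ogi.edu A
1024963201 10.1.1.5 mail.example.net MX
1024963202 10.1.1.9 6a8f3c1e9b2d4f70.evildomain.example A
1024963203 10.1.1.9 0b7e5d2a4c9f1e83.evildomain.example A
1024963204 10.1.1.9 f4c2a9e17b3d6e05.evildomain.example A
1024963205 10.1.1.9 9d1b7f3e5a2c8d46.evildomain.example A
1024963206 10.1.1.5 www.cse.ogi.edu A
"""

def shannon_entropy(s):
    """Bits of entropy per character; encoded data scores high, ordinary host names low."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname):
    # Assumption: the last two labels are the registered domain (no public-suffix list here).
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])

def score_dns_log(log_text, min_queries=4, max_avg_label=12, min_entropy=3.0):
    """Return {(client, domain): stats} for pairs whose leftmost labels look like a covert channel."""
    agg = defaultdict(lambda: {"n": 0, "names": set(), "length": 0, "entropy": 0.0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _, client, qname, _ = parts
        leftmost = qname.split(".")[0]
        s = agg[(client, registered_domain(qname))]
        s["n"] += 1
        s["names"].add(qname)
        s["length"] += len(leftmost)
        s["entropy"] += shannon_entropy(leftmost)
    flagged = {}
    for key, s in agg.items():
        avg_len, avg_ent = s["length"] / s["n"], s["entropy"] / s["n"]
        unique_ratio = len(s["names"]) / s["n"]  # tunnels rarely repeat a name (they would be cached)
        if s["n"] >= min_queries and avg_len > max_avg_label and avg_ent > min_entropy and unique_ratio > 0.9:
            flagged[key] = {"queries": s["n"], "avg_label_len": avg_len, "avg_entropy": round(avg_ent, 2)}
    return flagged
```

Tune the thresholds against a baseline of your own resolver logs first; CDN and anti-spam lookups also produce long labels, so treat a hit as a lead for investigation rather than proof.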
This archive was generated by hypermail 2b30 : Mon Jun 24 2002 - 19:14:14 PDT