Thanks for the feedback.
I agree that technological gaps exist in Firewalls - I couldn't find it WRT
this issue.
Yes, policy is our recourse tool and security awareness another valuable
part of the equation.
Regards,
Jeffrey B. Korte,
Corporate Security Manager
First Consumers National Bank
Voice: 503.520.8398
The information contained in this E-mail message and its attachments, if
any, may be privileged, confidential and protected from disclosure. This
information is the property of First Consumers National Bank. If you are
not the intended recipient, any disclosure, copying, distribution, reading,
or the taking of any action in reliance on or in response to this
information (except as specifically permitted in this notice) is strictly
prohibited. If you have received this transmission and you are not a named
recipient or a person authorized to receive email and email attachments on
behalf of a named recipient, or if you think you have received this E-mail
message in error, please E-mail the sender at jeffrey_korte@private
Crispin Cowan
<crispin@wire To: Jeffrey_Korte/Security/FCNB/Spgla@private
x.com> cc: crime@private
Subject: Re: CRIME AOL Backdoor?
06/24/02
06:47 PM
Jeffrey_Korte/Security/FCNB/Spgla@private wrote:
>Information Classification: Public.
>
"Public" is the /de facto/ status of anything posted to CRIME. Be aware.
>Due to security/virus concerns, several months ago I killed access
to
>Internet based E-mail services at our Bank. (Yahoo, MSN, AOL, etc.)
After
>monitoring several Internet usage reports, I found traffic in the
thousands
>to: http://ar.atwola.com. Once you visit the sight it immediately
takes
>you to the "AOL Anywhere" portal. I have also found numerous hits
to
>http://toolbar.aol.com.
>
>Can anyone in the group confirm for me whether or not a backdoor into
AOL
>exists allowing a user to by-pass Firewall restrictions in order
to
>retrieve their E-mails?
>
There certainly are a vast number of back doors that will bypass your
firewall restrictions, whether or not the above web portals are
effective bypasses. For instance, this script will throw an SSH
encrypted tunnel from my Linux laptop to the OGI web site:
#!/bin/sh
ssh -C -L 10347:www.cse.ogi.edu:80 ccowan@private sleep 30000
With that running, I can browse "http://localhost:10347" and get OGI. A
similar crypto tunnel will deliver you to some arbitrary off-site
server, which in turn can connect to an arbitrary webmail site. You will
never see any of the traffic, other than see that it is encrypted.
Object lesson: Firewalls are *useless* at preventing the exporting of
content from your site. If someone inside is determined to get some kind
of protocol to talk to something outside, and you allow *any* kind of
connection out, then they can obscure or encrypt the traffic so that you
won't see it.
Proof: Marcus Ranum (one of the father's of the firewall) allegedly once
implemented Telnet to run over top of DNS requests and responses. You
can, in principle, tunnel TCP/IP overtop of DNS. To understand how this
works, evilinside dude requests a DNS lookup on
outboundpacket.evildomain.com, and evildomain.com sends back a reply
packet encoded as the 32-bit IP address of that domain name. Carry on as
long as needs be. Good luck blocking outbound DNS, and no, a DNS proxy
will not stop this attack.
Corollary: your security policy had best *not* be based on the delusion
that you can prevent people from exporting whatever they want with
firewall rules. Confidential data can only be kept confidential by not
showing it to bad people. Similarly, the firewall cannot prevent people
from downloading whatever they want, if they are sufficiently determined.
Crispin
--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com/~crispin/
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
This archive was generated by hypermail 2b30 : Tue Jun 25 2002 - 10:33:14 PDT