Re: CRIME AOL Backdoor?

From: Jeffrey_Korte/Security/FCNB/Spgla@private
Date: Tue Jun 25 2002 - 09:06:03 PDT


    Thanks for the feedback.
    
    I agree that technological gaps exist in Firewalls - I couldn't find it WRT
    this issue.
    
    Yes, policy is our recourse tool and security awareness another valuable
    part of the equation.
    
    Regards,
    
    Jeffrey B. Korte,
    Corporate Security Manager
    First Consumers National Bank
    Voice: 503.520.8398
    
    The information contained in this E-mail message and its attachments, if
    any, may be privileged, confidential and protected from disclosure. This
    information is the property of First Consumers National Bank. If you are
    not the intended recipient, any disclosure, copying, distribution, reading,
    or the taking of any action in reliance on or in response to this
    information (except as specifically permitted in this notice) is strictly
    prohibited. If you have received this transmission and you are not a named
    recipient or a person authorized to receive email and email attachments on
    behalf of a named recipient, or if you think you have received this E-mail
    message in error, please E-mail the sender at jeffrey_korte@private
    
    
    From:    Crispin Cowan <crispin@wirex.com>
    To:      Jeffrey_Korte/Security/FCNB/Spgla@private
    cc:      crime@private
    Subject: Re: CRIME AOL Backdoor?
    Date:    06/24/02 06:47 PM
    
    Jeffrey_Korte/Security/FCNB/Spgla@private wrote:
    
    >Information Classification: Public.
    >
    "Public" is the /de facto/ status of anything posted to CRIME. Be aware.
    
    >Due to security/virus concerns, several months ago I killed access to
    >Internet based E-mail services at our Bank. (Yahoo, MSN, AOL, etc.)
    >After monitoring several Internet usage reports, I found traffic in the
    >thousands to: http://ar.atwola.com. Once you visit the site it
    >immediately takes you to the "AOL Anywhere" portal. I have also found
    >numerous hits to http://toolbar.aol.com.
    >
    >Can anyone in the group confirm for me whether or not a backdoor into
    >AOL exists allowing a user to bypass Firewall restrictions in order to
    >retrieve their E-mails?
    >
    There certainly are a vast number of back doors that will bypass your
    firewall restrictions, whether or not the above web portals are
    effective bypasses. For instance, this script will throw an SSH
    encrypted tunnel from my Linux laptop to the OGI web site:
    
    #!/bin/sh
    # -C compresses; -L forwards local port 10347 through the SSH session to
    # www.cse.ogi.edu:80; the remote "sleep 30000" just keeps the session open.
    ssh -C -L 10347:www.cse.ogi.edu:80 ccowan@private sleep 30000
    
    With that running, I can browse "http://localhost:10347" and get OGI. A
    similar crypto tunnel will deliver you to some arbitrary off-site
    server, which in turn can connect to an arbitrary webmail site. You will
    never see any of the traffic, other than see that it is encrypted.
    
    Object lesson: Firewalls are *useless* at preventing the exporting of
    content from your site. If someone inside is determined to get some kind
    of protocol to talk to something outside, and you allow *any* kind of
    connection out, then they can obscure or encrypt the traffic so that you
    won't see it.
    
    Proof: Marcus Ranum (one of the fathers of the firewall) allegedly once
    implemented Telnet to run over top of DNS requests and responses. You
    can, in principle, tunnel TCP/IP over top of DNS. To understand how this
    works, evilinside dude requests a DNS lookup on
    outboundpacket.evildomain.com, and evildomain.com sends back a reply
    packet encoded as the 32-bit IP address of that domain name. Carry on as
    long as needs be. Good luck blocking outbound DNS, and no, a DNS proxy
    will not stop this attack.
    
    Corollary: your security policy had best *not* be based on the delusion
    that you can prevent people from exporting whatever they want with
    firewall rules. Confidential data can only be kept confidential by not
    showing it to bad people. Similarly, the firewall cannot prevent people
    from downloading whatever they want, if they are sufficiently determined.
    
    Crispin
    
    --
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX Communications, Inc. http://wirex.com/~crispin/
    Security Hardened Linux Distribution:       http://immunix.org
    Available for purchase: http://wirex.com/Products/Immunix/purchase.html
    
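Crispin's DNS-tunnel argument is the part of this thread a defender can act on: you cannot block outbound DNS, but a tunnel of the kind he describes leaves a signature in resolver logs (one client issuing many never-repeated, high-entropy, long leftmost labels under a single domain). The script below is an added example written for this archive page, not code from either poster; it runs a simple per-client, per-domain heuristic over a constructed resolver log excerpt. The log format, the client addresses, the `example-tunnel.test` domain and the thresholds are all assumptions, and the "registered domain" is approximated as the last two labels rather than looked up in the Public Suffix List.

```python
"""Heuristic detector for DNS-tunnelling patterns in resolver query logs.

Added example for this mailing-list page; not code from the original thread.
"""
from __future__ import annotations

import math
from collections import defaultdict

# Constructed resolver log excerpt (sample data, not a real capture).
# One query per line: "<timestamp> <client-ip> <query-name> <qtype>".
# Host 10.1.1.5 browses normally; host 10.1.1.9 issues lookups whose
# leftmost labels look like encoded payload, as in Crispin's description.
SAMPLE_LOG = """\
2002-06-24T18:47:01 10.1.1.5 www.cse.ogi.edu A
2002-06-24T18:47:02 10.1.1.5 toolbar.aol.com A
2002-06-24T18:47:03 10.1.1.5 ar.atwola.com A
2002-06-24T18:47:04 10.1.1.9 3a7f9c2e1b6d4081.example-tunnel.test A
2002-06-24T18:47:04 10.1.1.9 5e2d9a1c7b3f0486.example-tunnel.test A
2002-06-24T18:47:05 10.1.1.9 b8c1d3e5f7a9204b.example-tunnel.test A
2002-06-24T18:47:05 10.1.1.9 0f1e2d3c4b5a6978.example-tunnel.test A
2002-06-24T18:47:06 10.1.1.9 9a8b7c6d5e4f3210.example-tunnel.test A
2002-06-24T18:47:06 10.1.1.9 c4d5e6f7a8b90123.example-tunnel.test A
2002-06-24T18:47:07 10.1.1.5 www.cse.ogi.edu A
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or one-symbol strings)."""
    if not s:
        return 0.0
    counts: dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str) -> tuple[str, str]:
    """Return (leftmost label, registered domain).

    The registered domain is approximated as the last two labels (assumption;
    a production tool would consult the Public Suffix List). Names with two or
    fewer labels carry no data label, so the leftmost label is returned empty.
    """
    labels = qname.rstrip(".").lower().split(".")
    domain = ".".join(labels[-2:])
    if len(labels) <= 2:
        return "", domain
    return labels[0], domain


def analyze(log_text: str, min_unique_labels: int = 5,
            min_mean_entropy: float = 3.0, min_mean_length: int = 12) -> dict:
    """Group queries by (client, domain) and flag groups whose leftmost labels
    are numerous, long and high-entropy. Thresholds are assumptions chosen for
    the sample; tune them against your own baseline."""
    stats: dict[tuple[str, str], dict] = defaultdict(
        lambda: {"labels": set(), "queries": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines rather than crash
        _, client, qname, _qtype = parts
        label, domain = split_name(qname)
        if not label:
            continue  # apex lookups cannot carry an encoded label
        rec = stats[(client, domain)]
        rec["queries"] += 1
        rec["labels"].add(label)

    findings = {}
    for key, rec in stats.items():
        labels = rec["labels"]
        mean_entropy = sum(shannon_entropy(x) for x in labels) / len(labels)
        mean_length = sum(len(x) for x in labels) / len(labels)
        if (len(labels) >= min_unique_labels
                and mean_entropy >= min_mean_entropy
                and mean_length >= min_mean_length):
            findings[key] = {
                "queries": rec["queries"],
                "unique_labels": len(labels),
                "mean_entropy": round(mean_entropy, 2),
                "mean_length": round(mean_length, 1),
            }
    return findings


if __name__ == "__main__":
    for (client, domain), info in analyze(SAMPLE_LOG).items():
        print(f"suspect tunnel: {client} -> {domain}: {info}")
```

Run over a real resolver log the same heuristic will also light up CDNs and anti-spam services that legitimately encode data in labels, so treat a hit as a lead to baseline per domain, not as proof; the point, as Crispin says, is that DNS egress is best monitored rather than assumed blocked.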



    This archive was generated by hypermail 2b30 : Tue Jun 25 2002 - 10:33:14 PDT