Thanks for the feedback. I agree that technological gaps exist in Firewalls - I couldn't find it WRT this issue. Yes, policy is our recourse tool and security awareness another valuable part of the equation.

Regards,
Jeffrey B. Korte, Corporate Security Manager
First Consumers National Bank
Voice: 503.520.8398

The information contained in this E-mail message and its attachments, if any, may be privileged, confidential and protected from disclosure. This information is the property of First Consumers National Bank. If you are not the intended recipient, any disclosure, copying, distribution, reading, or the taking of any action in reliance on or in response to this information (except as specifically permitted in this notice) is strictly prohibited. If you have received this transmission and you are not a named recipient or a person authorized to receive email and email attachments on behalf of a named recipient, or if you think you have received this E-mail message in error, please E-mail the sender at jeffrey_korte@private

Crispin Cowan <crispin@wirex.com>
06/24/02 06:47 PM

To: Jeffrey_Korte/Security/FCNB/Spgla@private
cc: crime@private
Subject: Re: CRIME AOL Backdoor?

Jeffrey_Korte/Security/FCNB/Spgla@private wrote:
>Information Classification: Public.
>
"Public" is the /de facto/ status of anything posted to CRIME. Be aware.

>Due to security/virus concerns, several months ago I killed access to
>Internet based E-mail services at our Bank. (Yahoo, MSN, AOL, etc.) After
>monitoring several Internet usage reports, I found traffic in the thousands
>to: http://ar.atwola.com. Once you visit the site it immediately takes
>you to the "AOL Anywhere" portal. I have also found numerous hits to
>http://toolbar.aol.com.
>
>Can anyone in the group confirm for me whether or not a backdoor into AOL
>exists allowing a user to by-pass Firewall restrictions in order to
>retrieve their E-mails?
>
There certainly are a vast number of back doors that will bypass your firewall restrictions, whether or not the above web portals are effective bypasses. For instance, this script will throw an SSH encrypted tunnel from my Linux laptop to the OGI web site:

    #!/bin/sh
    ssh -C -L 10347:www.cse.ogi.edu:80 ccowan@private sleep 30000

With that running, I can browse "http://localhost:10347" and get OGI. A similar crypto tunnel will deliver you to some arbitrary off-site server, which in turn can connect to an arbitrary webmail site. You will never see any of the traffic, other than see that it is encrypted.

Object lesson: Firewalls are *useless* at preventing the exporting of content from your site. If someone inside is determined to get some kind of protocol to talk to something outside, and you allow *any* kind of connection out, then they can obscure or encrypt the traffic so that you won't see it.

Proof: Marcus Ranum (one of the fathers of the firewall) allegedly once implemented Telnet to run over top of DNS requests and responses. You can, in principle, tunnel TCP/IP over top of DNS. To understand how this works, evil inside dude requests a DNS lookup on outboundpacket.evildomain.com, and evildomain.com sends back a reply packet encoded as the 32-bit IP address of that domain name. Carry on as long as needs be. Good luck blocking outbound DNS, and no, a DNS proxy will not stop this attack.

Corollary: your security policy had best *not* be based on the delusion that you can prevent people from exporting whatever they want with firewall rules. Confidential data can only be kept confidential by not showing it to bad people. Similarly, the firewall cannot prevent people from downloading whatever they want, if they are sufficiently determined.

Crispin
--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com/~crispin/
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
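Crispin's point is that a DNS proxy cannot stop the channel he sketches, because every query is a well-formed lookup. What a defender can do is notice its shape in resolver logs: one domain receiving a stream of lookups for distinct, long, high-entropy subdomains that no browser would ever generate. The following is an added example, not code from this thread or from any of its participants; the log line format (`<time> <client> <qname>`), the sample entries, the "last two labels" notion of a registered domain, and the thresholds are all assumptions chosen for illustration.

```python
"""Heuristic detector for DNS-tunnel-style query patterns (added example).

Scans a resolver query log for the pattern described in the thread: many
distinct, data-bearing subdomains under a single domain. Log format,
thresholds and the registered-domain split are assumptions.
"""
import math
from collections import defaultdict

# Constructed sample log, "<time> <client> <qname>" per line. The queries
# under evildomain.com imitate an outbound channel (each leftmost label is
# an opaque chunk); the other lines are ordinary browsing, including the
# two AOL hosts the original poster saw in his usage reports.
SAMPLE_LOG = """\
10:00:01 10.1.2.3 www.cse.ogi.edu
10:00:02 10.1.2.3 toolbar.aol.com
10:00:03 10.1.2.4 ar.atwola.com
10:00:03 10.1.2.4 www.aol.com
10:00:04 10.1.2.9 3fa91c0e7b42d5a8.evildomain.com
10:00:04 10.1.2.9 9d0c47e1ab6f3e52.evildomain.com
10:00:05 10.1.2.9 e27b5c90a1f4d836.evildomain.com
10:00:05 10.1.2.9 5b8e13f7c2a9d064.evildomain.com
10:00:06 10.1.2.9 c04a7e2d9f18b3e5.evildomain.com
10:00:06 10.1.2.9 71d3f8a5e06c2b94.evildomain.com
10:00:07 10.1.2.9 a8e5290c7d3b1f46.evildomain.com
10:00:07 10.1.2.9 1f6b4d8a3e90c27e.evildomain.com
10:00:08 10.1.2.9 d93c1a7f58e2b406.evildomain.com
10:00:08 10.1.2.9 4e7a0b3d6c91f825.evildomain.com
10:00:09 10.1.2.5 www.cse.ogi.edu
10:00:10 10.1.2.6 mail.yahoo.com
"""


def parse_line(line):
    """Return (client, qname) from one log line, or None if malformed."""
    parts = line.split()
    if len(parts) != 3:
        return None
    return parts[1], parts[2].rstrip(".").lower()


def registered_domain(qname):
    """Naive registrable domain: the last two labels. Assumption for the
    example; a real deployment would consult the public suffix list."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def label_entropy(label):
    """Shannon entropy, in bits per character, of one DNS label."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def profile_domains(log_text):
    """Per registered domain: number of distinct names queried, and the
    mean length and mean entropy of the leftmost label."""
    names_by_domain = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _client, qname = parsed
        names_by_domain[registered_domain(qname)].add(qname)
    profile = {}
    for dom, names in names_by_domain.items():
        first = [n.split(".")[0] for n in names]
        profile[dom] = {
            "unique_subdomains": len(names),
            "mean_label_len": sum(map(len, first)) / len(first),
            "mean_entropy": sum(map(label_entropy, first)) / len(first),
        }
    return profile


def tunnel_candidates(log_text, min_unique=8, min_len=12.0, min_entropy=3.0):
    """Domains whose query pattern looks like a data channel rather than
    name resolution. Thresholds are assumptions to tune per network."""
    flagged = []
    for dom, m in profile_domains(log_text).items():
        if m["unique_subdomains"] >= min_unique and (
            m["mean_label_len"] >= min_len or m["mean_entropy"] >= min_entropy
        ):
            flagged.append(dom)
    return sorted(flagged)


if __name__ == "__main__":
    for dom, m in sorted(profile_domains(SAMPLE_LOG).items()):
        print(f"{dom:18} unique={m['unique_subdomains']:3} "
              f"len={m['mean_label_len']:5.1f} H={m['mean_entropy']:4.2f}")
    print("candidates:", tunnel_candidates(SAMPLE_LOG))
```

This is detection, not prevention, which is the only posture Crispin's argument leaves open for DNS: the thresholds need tuning against a site's baseline (CDNs and some anti-spam services legitimately produce many unique, hash-like subdomains), and the SSH case in the same message is invisible to it, since there the only observable is a long-lived encrypted session to one outside host.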
This archive was generated by hypermail 2b30 : Tue Jun 25 2002 - 10:33:14 PDT