Slashdot Mirror


User: twistah

twistah's activity in the archive.

Stories: 0
Comments: 108

Comments · 108

  1. Re:Free Speech vs Right to Life on YouTube Refuses To Remove Terrorist Videos · · Score: 1

    "In a time of war, when we're asking young men and women to risk their right to life, is it too much to ask that we take away the free speech of people who are encouraging the killing of not only those men and women, but of ourselves and our friends?"

    I thought we were fighting for freedom?

  2. Loose definition on Purdue Plans a 1-Day Supercomputer "Barnraising" · · Score: 1

    When did we start calling clusters "supercomputers"?

  3. Wii? on Adobe Opens the FLV and SWF Formats · · Score: 1

    Does this mean that Opera can finally implement something above Flash 7 on embedded devices like the Nintendo Wii?

  4. Re:Modernization? on Unexpected Slashdot Downtime · · Score: 1

    While there's nothing wrong with offering IPv6, or a special hidden Tor site, or a dial-up BBS, or access over DECNet for those with PDP-11s, it sometimes comes down to only being able to offer what 99.9% of the world uses and cares about.

  5. They can argue all they want on Pidgin Controversy Triggers Fork · · Score: 1

    They can argue and fork all they want, but while that's happening, the world is quickly switching to Digsby or numerous other multi-protocol clients.

  6. SQL injection is not platform dependent on 500 Thousand MS Web Servers Hacked · · Score: 2, Informative

    OK, so SQL Server prior to 2005 wasn't secured well by default, and xp_cmdshell() is like inviting a system-level compromise. But, as others have pointed out, ASP.NET/IIS isn't the only platform affected. In fact, this platform makes it easy to secure your scripts against most attacks, and SQL Server 2k5 and IIS 6 and ASP.NET have added protections as well. On top of that, this platform has never been vulnerable to attacks due to superglobals, or file open functions which allow you to import remote files, even if disabled in the config (thanks PHP!) or a host of other things. And if you look at milw0rm.com and other such sites, you will see a majority of SQL injection vulnerabilities come out for open source products with a MySQL back-end these days. So somehow pointing out that this is an IIS problem, and that Firefox will protect you from evil IIS sites, just shows ignorance and bias. I love UNIX, I prefer it over Windows, but I am also grounded in reality. Yes, you will have a lot of compromised IIS servers, because you have a lot of clueless admins who write ASP scripts on their Windows boxes without paying any attention to security. But in those hands, LAMP is just as dangerous, if not even more so.

  7. Not that uncommon on Nuclear Scanning Catches a Radioactive Cat On I-5 · · Score: 1

    I have not heard of border agents doing this before, and it's interesting how sensitive this tech is, but this isn't as uncommon as you'd think. I know of a small village that is getting federal funding to install such sensors along a main road, which eventually leads to an airport.

  8. Re:Different Kind of WiiWare on WiiWare Week Round Up · · Score: 1

    I am not sure that you need a USB Gecko -- I thought an SD Gecko was all that was needed?

  9. Re:FTP is BAD! About DAMN time THAT makes press on FTP Hacking on the Rise · · Score: 1

    For environments that can't switch to SFTP/SCP, a decent alternative is to use FTP with SSL/TLS. Many FTP clients already support this, so it's often a simple checkbox for users.

  10. Block port 21/tcp outbound on FTP Hacking on the Rise · · Score: 1

    It's easier to protect your network, especially a corporate network, from malware that uses FTP than HTTP. Just block 21/TCP outbound -- we recommend this to most of our clients. Granted, the bad guys can change the port, and then you don't have much recourse without deep packet inspection. But most compromised servers (which have the malware) will be on a standard port and dropping outbound FTP will be effective. Of course, there are legitimate uses for FTP (some AV companies use it to update their products, for example), but you can often get away with a whitelist.

  11. Alternative web servers? on Apache Cookbook 2nd Edition · · Score: 1

    I know this is a bit off-subject, but every time I hear people talk about Apache, I wonder if it's not starting to lose ground. Look at a lot of the new "Web 2.0" sites -- they often run less monolithic servers, which often support FCGI and other features natively. I am talking about nginx, lighttpd and the like. Will these stay a niche market or is Apache going to feel the competition?

  12. Re:Physical access on Aging Security Vulnerability Still Allows PC Takeover · · Score: 1

    As far as I can tell (maybe I'm wrong), this attack doesn't require a reboot. This makes it at least somewhat significant, because every other method I know for obtaining access over a computer does. Sure, you can reboot a Windows box, mount the NTFS partition and overwrite the SAM. But then you have a box that's been rebooted and the password has been changed -- obvious signs the machine has been tampered with. If you can, say, quickly unlock the machine, trojan it and lock it again, no one would be the wiser.

  13. Re:Real life banks are not secure. on Crime Wave Thwarted in Second Life · · Score: 3, Interesting

    Well, that's true, but there are a lot of regulations in the U.S. dealing with bank security. The Sarbanes-Oxley Act (SOX), the Gramm-Leach-Bliley Act (GLBA), which deals with customer information, and several others must be complied with. Other countries have them too; for example, J-SOX is Japan's SOX equivalent. This means that the bank gets audited, often by two sets of outside auditors, which helps security at least somewhat. Most banks and credit unions also often go through penetration tests and vulnerability assessments, if only to keep their examiners happy (as in, the NCUA, OTS, or whoever they happen to be chartered with.)

    It's interesting to consider how these things may apply to Second Life and Linden Labs. At some point, some regulation must come into play. For example, if credit cards are processed, they must comply with the credit card industry's PCI standards. I am not saying compliance with these various regs is an answer to their problems, I just think it's interesting to consider how these apply to something non-traditional like SL.

  14. Greg Graffin on Geek Stars From Atkinson to Zappa · · Score: 1

    How did they forget Greg Graffin of Bad Religion fame? Two bachelor's degrees, a master's degree in geology, a Ph.D. in zoology, professor at UCLA, etc.

  15. Re:Lesson in MS Counting on First Details of Windows 7 Emerge · · Score: 2, Informative

    Don't forget NT 5.2, which encompassed the ever-popular Windows 2003 Server, as well as several 64-bit releases of XP. NT 6.0 also encompasses Windows Server 2008.

  16. Real purpose? on Give iPod Thieves an Unchargeable Brick · · Score: 1

    Can the real purpose be to stop piracy, i.e. copying files off computers that are not yours, or can you authorize it before plugging it in?

  17. Cisco NAC? on New Zealand Banks Demand a Peek at User PCs · · Score: 1

    Cisco has a product called NAC, formerly Clean Access, which might be of use in a case like this -- or at least the idea of how it works may be of use. Of course, AFAIK, NAC only works if ActiveX works, by making sure things like AV are up to date (but I bet this can be done with FF plugins and whatever Safari/Opera use, or stand-alone programs). It's not foolproof, and it's been easily bypassed, but a similar approach might work if the bank wishes to make sure the client PCs are secure while being minimally invasive.

  18. Almost safe on Lip-Reading Surveillance Cameras · · Score: 1

    Now if they could just come up with cameras that read your thoughts and react before you even finished the thought, the war on terror could finally be won!

  19. Re:We need a comparison of pro-active security on Top 12 Operating Systems Vulnerability Survey · · Score: 1

    Get a job.

    (Seriously, if you know something about security or computers in general, can it be that hard?)

  20. We need a comparison of pro-active security on Top 12 Operating Systems Vulnerability Survey · · Score: 2, Interesting

    I would like to see something different: a breakdown of proactive security measures taken by OS (or available in the OS) as a way of mitigating security issues. Security problems will pop up no matter what (whether in the OS or third-party software), and I'd like to see what each OS does to prevent or reduce the impact of exploitation.

    For example, WinXP SP2 introduced stack randomization and various other enhancements. Solaris has an option to mark parts of the stack non-executable. Third-party extensions like grsec and Bastille allow Linux to be hardened in a way which prevents race conditions, buffer overflows and more. This is a very much simplified list -- but that's exactly why I'd like to see a better breakdown.

  21. Meager adoption on (Almost) All You Need To Know About IPv6 · · Score: 1

    ...the article doesn't try to explain the reasons behind IPv6's meager adoption since its introduction 12 years ago.

    That's pretty easy to answer, in my opinion, at least. For the most part, the answer is: NAT.

  22. Re:Wireshark? on A Network Sniffer On Steroids · · Score: 2, Interesting

    By your logic, Wireshark is no different than tcpdump. But obviously, they are different. Wireshark is great at dissecting packets, not just dumping them in hex format. Ferret is good for sniffing broadcast information, such as NetBIOS traffic and iTunes DAAP, which can assist you in getting a picture of the current network. That's all it does. Yes, they are all pcap based, but they serve different purposes.

    Just like you could use Wireshark to sniff for passwords (or, hell, even tcpdump + ngrep), but it's a lot easier to use dsniff or Cain. I think Ferret is interesting stuff, as long as they develop it beyond a proof-of-concept. (Note that I only spent a few minutes reading about the tool, sorry for any misinformation.)

  23. See! on Sun May Be Warming Both Earth and Mars · · Score: 1

    And everyone said Microsoft was evil.

  24. Even if you can't become both the entry/exit... on Tor Open To Attack · · Score: 4, Interesting

    Even if you aren't able to become both the entry and exit node, using the technique of faking your bandwidth/uptime can lead to more traffic for your exit node, which means more passwords to sniff. Not everyone seems to realize that just because the Tor protocol is encrypted doesn't mean the exit node can't sniff unencrypted traffic. Granted, the exit node has no idea where the traffic came from, but often information such as login information for a personal account can give that away. That's even better than having just an IP. All it takes is to set yourself up as a Tor node (the uptime/bandwidth faking helps) and run a tool like Cain or dsniff.

  25. A proposal on Scientology Critic Arrested After 6 Years · · Score: 1

    This man is married to Carolyn Meinel. I propose we let him go based on time served (i.e. married to her) and arrest her instead.