Slashdot Mirror


User: Shoten

Shoten's activity in the archive.

Stories: 0
Comments: 1,461

Comments · 1,461

  1. One slight problem on Internet Draft on Vulnerability Disclosures · · Score: 2

    The nature of security problems has been changing with some regularity. If this only deals with disclosures regarding a certain vendor, ok...this plan will cover things nicely. But what about questions of disclosure with respect to protocols that aren't bound to (or invented by) any one entity? What about, for example, problems in new wireless technologies? IPv6? And so on? The IETF does not move as quickly as things in the security space do...not that they should, but still, I wonder if this will only go partway, and leave the rest of the problem harder to address.

  2. Until the time when... on What if Harry Potter 5 Was an E-Book? · · Score: 3, Insightful

    Battery power is no longer an issue, flat screens are cheap, displays come even close to the contrast and resolution of ink on paper, and content producers get comfortable with the truth that they can never prevent all copying. When that all happens, this may be possible...

  3. And of course... on Surveillance in Washington DC And At Bookstores · · Score: 2

    This will be so useful, since all terrorists here with false ID have credit cards in their real names, right? Or credit cards at all? Or perhaps magic cash that can be traced back to the original owner AND the books that were bought? :)

  4. Jeeeeez on Security Hole In SNMP · · Score: 2

    So what? SNMP is so ludicrously insecure as a protocol in the first place, this bit of news is like saying "new security vulnerability in the doors of cars that don't have locks in the first place." Between the fact that there's no granular access control, no widely accepted authentication that isn't plaintext, and simply no reason for the outside world to be able to communicate with anyone's network via SNMP in the first place, if anyone has SNMP accessible by others they were screwed long before this discovery. I doubt this changes much one way or the other.
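
Shoten's point that SNMP's only widely deployed "authentication" is a plaintext community string can be seen by decoding a packet by hand. The script below is an added example, not code from the post or the thread: it walks the BER structure of an SNMPv1 message and pulls out the version, the community string, the PDU type and the requested OIDs, which is exactly what a passive sniffer on the same segment sees. The packet bytes are constructed for the demo (a GetRequest for sysName.0 with community "public"); the list of "default" community strings is an assumption for the check, not anything the post specifies.

```python
"""Decode the header of an SNMPv1/v2c message to expose the plaintext community.

Added example, not from the Slashdot thread. The packet bytes below are
constructed by hand so the script runs offline; on a real network the same
bytes are read straight off UDP/161 by anyone who can sniff the segment.
"""

PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest",
             0xA2: "GetResponse", 0xA3: "SetRequest"}
VERSIONS = {0: "v1", 1: "v2c"}
# Assumed list of "default" communities worth flagging (not from the post).
DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed SNMPv1 GetRequest: version 0, community "public",
# request-id 1, one varbind asking for 1.3.6.1.2.1.1.5.0 (sysName.0).
SAMPLE_GET_REQUEST = bytes.fromhex(
    "30 26"                   # SEQUENCE, 38 bytes: the whole message
    "02 01 00"                # INTEGER version = 0 (SNMPv1)
    "04 06 7075626c6963"      # OCTET STRING community = "public" (plaintext)
    "a0 19"                   # GetRequest-PDU, 25 bytes
    "02 01 01"                # request-id = 1
    "02 01 00"                # error-status = 0
    "02 01 00"                # error-index = 0
    "30 0e 30 0c"             # VarBindList containing one VarBind
    "06 08 2b06010201010500"  # OID 1.3.6.1.2.1.1.5.0
    "05 00"                   # NULL: no value in a request
)


def read_tlv(buf, pos):
    """Read one BER TLV at buf[pos]; return (tag, value_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode BER object-identifier bytes into dotted form."""
    first = raw[0]
    arcs = [first // 40, first % 40]          # first byte packs two arcs
    value = 0
    for b in raw[1:]:                         # base-128, high bit = continue
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_snmp(packet):
    """Return the fields an eavesdropper learns from one SNMPv1/v2c datagram."""
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    _, ver, pos = read_tlv(body, 0)           # version INTEGER
    _, community, pos = read_tlv(body, pos)   # community OCTET STRING
    pdu_tag, pdu, _ = read_tlv(body, pos)     # context-specific PDU tag
    # PDU body: request-id, error-status, error-index, VarBindList
    _, reqid, pos = read_tlv(pdu, 0)
    _, _, pos = read_tlv(pdu, pos)
    _, _, pos = read_tlv(pdu, pos)
    _, varbinds, _ = read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbinds):
        _, vb, pos = read_tlv(varbinds, pos)  # each VarBind is SEQUENCE{OID, value}
        _, oid_raw, _ = read_tlv(vb, 0)
        oids.append(decode_oid(oid_raw))
    community_str = community.decode("ascii", "replace")
    return {
        "version": VERSIONS.get(int.from_bytes(ver, "big"), "unknown"),
        "community": community_str,
        "uses_default_community": community_str in DEFAULT_COMMUNITIES,
        "pdu": PDU_TYPES.get(pdu_tag, hex(pdu_tag)),
        "request_id": int.from_bytes(reqid, "big"),
        "oids": oids,
    }


if __name__ == "__main__":
    for key, val in parse_snmp(SAMPLE_GET_REQUEST).items():
        print(f"{key:>22}: {val}")
```

Nothing here is cryptographic: the community string is an OCTET STRING sitting in the clear right after the version byte, and the same decoder works on a SetRequest, so whoever captures a write community can change configuration, not just read it. The practical mitigations follow from that: filter UDP/161 at the border and on hosts, never use the default communities, and prefer SNMPv3 with authentication and privacy where the equipment supports it.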

  5. Time to fight back! on BT Pushing Hyperlink Patent · · Score: 2

    Let's all come up with all sorts of interesting information to submit to Slashdot about their websites...the resulting DoS of all those sites getting slashdotted will bring them to their knees!

  6. Hold on there... on ISP Forced Out of Business by DoS · · Score: 3, Insightful

    Now, I don't doubt that Cloud 9 was/is a great ISP, but I have to take their statements with just a wee grain of salt. I don't see anything there that indicates that they came under any worse of a DoS attack than scores of ISPs before them...why is it, then, that this particular ISP decided to just pack up and die over it? Something smells a little funny here, and I can't just take their attribution of the business failure to hackers as gospel.

  7. Re:A side effect... on Bandwidth Demand at American Universities · · Score: 2

    Because, simply put, in the past the record companies have filed suit. They filed suit against several universities, forcing them to block Napster access. They'll sue again if it suits them, and they'll win as well. Whether we like the law or not, it is what it is at this moment in time, and trying to ignore it is like ignoring a speeding car as you cross the street when you have a "don't walk" sign.

  8. A side effect... on Bandwidth Demand at American Universities · · Score: 5, Interesting

    I did a security assessment at a large university late last year, and found something astonishing. The number one expenditure of time for the computer security staff was dealing with cases of "copyright infringement" from the representatives of record companies. And I mean, it was something like 80% of the manpower. What was also infuriating was that a lot of these cases involved MP3s that had been posted by the band to their own website (that week that I was onsite, most of the warnings given to the university had to do with a song by Incubus, if I remember correctly, that had been downloaded from the official Incubus website.)

  9. It's about time... on Satellite Command Security? · · Score: 5, Informative

    This is a problem that has already come to cause others harm. Almost three years ago, hackers seized control of a British military satellite and demanded ransom for it. All that is needed to communicate with these satellites is an antenna, and proper knowledge of the protocols involved. While these things are out of reach to script kiddie types, it's not that much of a stretch for the kind of people you really have to worry about (foreign governments and large/resourceful criminal organizations). So, you should think of these systems as being addressable by anyone. Consequently, I would take any and all lessons you can from the ways that people securely authenticate users on publicly-addressable computer systems.

  10. Hmm...barrier to entry? on Cybercrime and Patents in Europe · · Score: 2

    What effect might this have down the road on the few countries like Bulgaria where neither the culture nor the law recognizes things like copyright protection? If one of these countries wishes to join, what laws will be imposed upon them?

  11. Oh, that's a short story... on How Did You Become a UNIX Administrator? · · Score: 4, Funny

    Simple...I was told to "upgrade the NT servers," so I installed FreeBSD :)

  12. Whoa, slow down... on Security Auditing for Linux · · Score: 2

    I think it's fantastic that Linux is getting better and better features, options, software, and support for security-critical large environments. However, isn't it a bit premature, the instant that ONE application comes out that provides auditing, to say, "Ok, cool! Linux is now on par with all those other OSes that have had stuff like this developed for them for years...let's all adopt Linux now!" I wouldn't bet that there will be major changes just yet...security people who are on the cutting edge are not usually first adopters unless necessary, and it's not necessary to choose first-generation auditing in Linux over more proven equivalents for Solaris, for example. It's good to see Linux getting there, though :)

  13. I'm curious about one thing on ATI Drivers Geared For Quake 3? · · Score: 2

    What exactly had them poking around in the first place, looking for evidence of this? Not that I think they're being disingenuous or have anything to hide, but it's not like we all just get the idea into our heads to run strings on drivers and come up with ways to "quackify" binaries :)

  14. Re:You probably don't... on Unreasonable Searches When Going to Work? · · Score: 2

    Um, a few things...

    One, they don't keep dangerous pathogens at NIH in Bethesda. NIH is across the street from where the President gets his checkup, and is only a few miles from the DC border. If they're worried about him carrying out a smallpox/ebola/lassa fever/whatever culture, they have the rent-a-cops in front of the wrong building.

    Two, he probably did sign something, but there's also a difference between what he consented to then as opposed to what they are doing now. The contract may be vague, but that vagueness is often interpreted in context of what was to be expected at the time. And again, NIH is not a high-security super-secret facility.

    Three, the fact that we're facing a biowar attack is irrelevant...what, he's more likely to steal something because another entity has mailed anthrax to various public figures? See under "non sequitur."

  15. (Just kidding) on Opposing Open Source? · · Score: 2, Offtopic

    In the DC area, at least, a common tactic is to contact companies or other entities in the guise of a "student" looking for information for a thesis, paper, project, or whatever. The advantage of this was that the person doing the research could gather information on behalf of their company/employer without letting on to anyone that the company they work for didn't know much about the subject.

    You don't happen to work for Microsoft, do you?

  16. Re:Home management / automation on Shuttle's Tiny PC Reviewed · · Score: 2

    OK, this device isn't really all about these developments, but simple, I/O enabled boxes, which are ready to go through a web interface, can SNMP on to your domestic home appliances, and are secure enough would represent a good market.

    SNMP to appliances? You're kidding, right? While I have to agree that the notion of centralizing management of home-based gadgets with computers is appealing, I think it's important to realize that this box means very little towards reaching that goal. Its only benefit is being small. It doesn't give you the ability to talk to your toaster, and no computer, no matter HOW radically cool, can. The problem is that the home isn't ready to talk to the computer yet. And in all truth, the thought of an SNMP-enabled home truly scares the hell out of me...do you know how unsafe SNMP really is from a security standpoint? :)

    All other things aside, I'd use one of these as others have said...an MP3 server by the stereo, a simple centralized file server of some sort, or an email terminal in the kitchen. But it's just a small computer, really...nothing more special than that.

  17. Re:Securing an open system would be hard on Secure IRC? · · Score: 2

    Hey pal? READ THE ARTICLE. READ ABOUT SILC.

    From the FAQ on the SILC website...

    Under "What is SILC?":
    Biggest similarity between SILC and IRC is that they both provide conferencing services and that SILC has almost same commands as IRC. Other than that they are nothing alike.

    Under "How much SILC Protocol is based on IRC?":
    SILC is not based on IRC. The client superficially resembles IRC client but everything that happens under the hood is nothing alike IRC. SILC could *never* support IRC because the entire network topology is different (hopefully more scalable and powerful). So no, SILC protocol (client or server) is not based on IRC. Instead, we've taken good things from IRC and left all the bad things behind and not even tried to burden the SILC with the IRC's problems that will burden IRC and future IRC projects till the end. SILC client resembles IRC client because it is easier for new users to start using SILC when they already know all the commands.

  18. Re:Its entirely possible on Fight Virus With Virus? · · Score: 3, Interesting

    A case cannot be made for self-defense, and here is why.

    If you are in a dark alley somewhere, and there is one other person, and he draws a gun on you, indicates an intent to harm you, you have the right to use your weapon ONLY IF that is your last resort. And I won't even go into the notion of the "danger to life and limb" that is present in that scenario, but suffice it to say that generally speaking, you can do things you can't otherwise get away with if it's for the purpose of saving a life.

    When it comes to your web server, nobody's going to die if you get defaced, rooted, bent over, etc. It costs some money to fix, ok, but that does not give you carte blanche to break the law at a similar level. Keep in mind that nearly every law that outlaws hacking is based on "unauthorized access." It doesn't matter WHY you're doing it, just that you know you're not supposed to be there. And if you're basing your code upon a notorious worm...well...good luck trying to say "I didn't know!" :)

    Final point, you have other options. Keep up with your patches. Install IDS and watch the logs. Yes, this takes work, but so does writing a counter-worm every time a new worm comes out, and at least this way you can be protected BEFORE it hits, not after. And if all those Code Red-nailed boxen are knocking any of your systems offline, I gotta tell ya, you need to do something about your network, because as severe as the scanning is, I haven't heard from a single client who has actually had downtime from it.

  19. Jeeeeez on Code Redux · · Score: 2

    Mediaone has closed off port 80 inbound? WHY? The new version of the worm (the person responsible took the shellcode from the first two variants...yes, that's right, "CodeRed II" is really the third iteration) first checks to see if the machine is running a Chinese or Taiwanese version of Win2K. Ah, yes....it only works against Win2K, since that's the only offset it carries. I don't think that people need to take more action towards securing things a good bit better, but this is a reaction that does not consider the nature of the threat.

  20. Re:Two things... on Security Hole Lets Lycos Run Arbitrary JavaScript · · Score: 2

    Pop quiz:

    What handles HTML in the web browser? What handles HTML in email? And finally, what are default permissions in Internet Explorer with respect to ActiveX controls? There are numerous viruses out there, (I mentioned KAK before, so I'll stick with it) that are able to do various things from either a web page or from an email. It just happens that web pages are not a good way to spread a virus, so HTML email is the method of choice. But underlying both HTML mail and web browsing is the same code, the same processing. And yes, KAK relies upon an ActiveX control. But so what? It didn't matter...KAK spread like wildfire, and did an enormous amount of damage. In penetration testing, I make use of this functionality to test clients...I send an email with HTML scripting that fires back an email to me, with a copy of a particular file off of their computer attached. (Does that behavior sound familiar??)

    You, sir, are clearly not a professional security engineer, admin, consultant, or whatever. If you were, you would stand alone in a crowd that regularly and passionately avoids HTML that comes from untrusted sources. It is for this reason that BUGTRAQ, every mailing list at SecurityFocus, NTBUGTRAQ, and numerous other mailing lists do not want their subscribers sending HTML mail of any form to the list; they have gone so far as to automatically strip off the HTML and leave the messages as plain text. Why do you think there are only a very few HTML tags permitted in Slashdot posts? I don't see the SCRIPT tag in there...do you?

    As for your earlier statements concerning "trashing" something, I have no idea what you think I was trashing. Lycos has a vulnerability...so what? Welcome to the planet, guys...everyone's had a problem sooner or later. Just fix it, and we'll move on. And I certainly wasn't trashing scripting...complaining that someone putting HTML on your site without your control is bad is like saying that someone installing software on your computer without your control is bad. Actually, if it involves scripting, the two are the same.
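
Shoten mentions that the security mailing lists of the time refused HTML mail outright and stripped it down to plain text before delivery. The script below is an added example of that policy, not the post's code and not any list's actual software: using only Python's standard library it keeps the text/plain alternative when a message carries one, and otherwise reduces the text/html part to its visible text with script and style contents dropped, then re-emits a plain-text message. The two messages inside are constructed for the demo; the header set copied through is an assumption.

```python
"""Reduce an RFC 822 message to text/plain, the way HTML-hostile lists did.

Added example, not code from the Slashdot thread or from any mailing-list
software. Sample messages are constructed inline so the script runs offline.
"""
from email import policy
from email.message import EmailMessage
from email.parser import Parser
from html.parser import HTMLParser

# Headers to carry over to the rewritten message (an assumption for the demo).
KEEP_HEADERS = ("From", "To", "Subject", "Date", "Message-ID")

# Constructed: multipart/alternative with a plain part and an HTML part
# that carries a script block. Boundary and addresses are made up.
RAW_MULTIPART = """\
From: list-member@example.org
To: bugtraq@example.org
Subject: multipart test
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="us-ascii"

Plain text body.
--XYZ
Content-Type: text/html; charset="us-ascii"

<html><body><p>Plain text body.</p><script>alert(1)</script></body></html>
--XYZ--
"""

# Constructed: HTML-only message with no plain alternative at all.
RAW_HTML_ONLY = """\
From: list-member@example.org
To: bugtraq@example.org
Subject: html only
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><p>Hello <b>there</b>.</p><script>document.write('x')</script></body></html>
"""


class _TextExtractor(HTMLParser):
    """Collect text nodes, skipping anything inside <script> or <style>."""

    def __init__(self):
        super().__init__()
        self.parts = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def html_to_text(html):
    """Visible text of an HTML fragment, whitespace collapsed; markup is discarded."""
    extractor = _TextExtractor()
    extractor.feed(html)
    extractor.close()
    return " ".join("".join(extractor.parts).split())


def to_plain_text(raw):
    """Parse a raw message and return a new text/plain-only EmailMessage."""
    msg = Parser(policy=policy.default).parsestr(raw)
    plain = msg.get_body(preferencelist=("plain",))
    if plain is not None:
        text = plain.get_content()            # sender already supplied text
    else:
        html_part = msg.get_body(preferencelist=("html",))
        if html_part is None:
            raise ValueError("message has no text or HTML body")
        text = html_to_text(html_part.get_content())
    out = EmailMessage()
    for name in KEEP_HEADERS:
        if name in msg:
            out[name] = str(msg[name])
    out.set_content(text)                     # single-part text/plain
    return out


if __name__ == "__main__":
    for raw in (RAW_MULTIPART, RAW_HTML_ONLY):
        cleaned = to_plain_text(raw)
        print(cleaned["Subject"], "->", cleaned.get_content_type())
        print(cleaned.get_content())
```

This is deliberately not an HTML sanitizer: it never tries to decide which tags are safe, it simply refuses to deliver markup at all, which is what makes the list's choice robust against the scripting vectors the post is arguing about. If a message has to keep its HTML, a real allow-list sanitizer is a different and much harder job.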

  21. Re:Two things... on Security Hole Lets Lycos Run Arbitrary JavaScript · · Score: 2

    But the point here is not permissions. The permissions will be sufficient to cause whatever damage the user can cause, PROVIDED there are hooks into the proper system calls or objects. JavaScript is abstracted such that it cannot do many things that VBScript can do.

    Are you actually attempting to state that nobody can do harm if they can get a user to run arbitrary VBS on their machine? Where have you been for the past few years, man? VBS has been the language of choice for some of the most notorious worms and viruses in the past couple of years, and not all of them merely spread from user to user.

  22. Two things... on Security Hole Lets Lycos Run Arbitrary JavaScript · · Score: 2

    First off, I wouldn't necessarily say that these guys are "jerks," especially not on the sliding scale of the security industry. If someone who would warn Lycos has enough time and talent to find this, so does someone who would exploit it. And I know first hand how quickly vendors move when they don't have the motivation that results from public disclosure.

    Second, for everyone who's saying how harmless JavaScript is, you're somewhat right, but it doesn't matter. Why? Because the person releasing the vulnerability was just using JavaScript as an example. It could also be VBScript, just as easily...and THAT is NOT harmless by any stretch of the imagination. Imagine doing a search on Lycos, and getting smacked with a new variant of KAK.

  23. A new generation of superheroes? on Kick Your Input Device · · Score: 4

    Combine this with the impact of playing games in general and it makes you wonder just how badass we might all become! Just imagine...brains of a geek, moves of a streetfighter, reflexes of a rabbit. But, like all superheroes, we would be powerless without something, and in our case...caffeine!

  24. Re:Yes. on Tracking A Thief Via The Sircam Virus? · · Score: 2

    120 years, yes, idealism, duty, etc...whatever. I'm speaking from experience, and it doesn't always work out that way. When it comes to computers and things technical, the flow chart goes like this:

    Do I understand this well? If so...proceed.
    If not...

    Is this big enough that we need to ram it over to the couple of computer guys we have? (child porn, theft, hacking...ohh, if it's hacking, we'd better set up a big stake and some firewood too) If so, send it over...
    If not...

    If not, then it gets stale. I know that the cops are SUPPOSED to represent the public, but let's be realistic. I've seen cops unwilling to even make a report of a crime, a multi-thousand dollar property crime, even just for the sake of a number that was needed by the victim to file an insurance claim. And it's clear common knowledge that even the FBI doesn't want to hear about hacking cases unless the damage caused exceeds a rather large sum, typically about $10K now.

    The bottom line is, this is the real world, and most cops are intimidated by technology. They are also not willing to admit to that in front of civilians. And I'm willing to bet that the sort of person who would think to trace a thief by taking advantage of a SirCam infection is also quite computer literate. I bet dollars to doughnuts (no pun intended) that he can get this accomplished in far less time than it would take a police officer. If I were him, I'd do it out of civic duty, just to make it easier on the already-overloaded police force where I live (in Washington, DC).

  25. Re:Yes. on Tracking A Thief Via The Sircam Virus? · · Score: 2

    Ah, no...it won't work out that way. I've actually seen something somewhat similar to this. The police probably have no experience with this, and will be lost ("what's a header?") unless you do enough of the leg work for them that it's plain and simple in a realm that is more familiar to them. In other words, instead of time GMT and an IP address, a physical address and user's real name.