Security Basics mailing list archives
RE: Windows Remote Desktop
From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Fri, 13 Feb 2004 09:47:47 -0800
Prasad S. Athawale [mailto:athawale () cse Buffalo EDU]:

> ...Although step 4 is not technically part of the SSL protocol, it provides the only protection against a form of security attack known as a Man-in-the-Middle Attack. Clients must perform this step and must refuse to authenticate the server or establish a connection if the domain names don't match. If the server's actual domain name matches the domain name in the server certificate, the client goes on to Step 5."

There are ways around that, as with anything. Using our current situation, with MyDoom A's open port and file-transfer acceptance, we can upload a hosts file to a target's system, thus bypassing this client-side check.

Let's play out a situation: We have our mark, who frequents E-Trade and is a multimillion-dollar day trader. We have already determined that Mr. Smith always connects directly to the E-Trade member site and not through the www main page link. A quick nmap scan of his system reveals that port 1327 is open (MyDoom A), and we craft the correct packet using Scrappy (or whatever) and transfer an exe package for the virus to run, which modifies his hosts file to point E-Trade to our hax0r server, which is just a proxy and captures all transmitted traffic from E-Trade and from Mr. Smith. Now, because we are l33t hax0rs, we already got access to the E-Trade server's SSL cert; don't ask me how, I have no clue, social engineering?

Another way: most SOHOs use Linksys/Netgear, etc. NAT routers which use DHCP. You could set the router to point to your hax0r DNS server and it would push that to the clients; then you would have control of their forward and reverse DNS lookups. Seeing as the protocol implementation is most likely an rDNS against the IP to confirm the server's common name (www.watever.com).

I'm not saying ANY of this is easy; what I'm saying is that SSL is TRANSPORT security with M-T-M protection as kind of an afterthought. The original argument was that SSL prevented M-T-M attacks, but it doesn't; it only mitigates the risk down to an acceptable level. None of us should EVER think that we are completely devoid of risk, because we're not; there is always a way to defeat a system and no system is completely secure.
Any additions, anyone?
Save me, anyone? The users are at the door, it won't hold much longer!

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338 (800) 325-1199 x338
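A defender's complement to the hosts-file scenario in the message above: an added example (not from this thread or any poster), a small Python checker that parses a hosts file and flags any hostname statically pinned to a non-loopback address, which is exactly the kind of entry a dropper would add so that the browser's "does the name match" check still passes while the connection goes to the wrong box. The sample hosts content, the allowlist and the address 203.0.113.7 are constructed.

```python
import ipaddress
from typing import FrozenSet, List, Tuple

# Constructed sample of a Windows hosts file after a dropper has appended a
# line pinning a trading site's hostnames to an attacker-controlled proxy.
# 203.0.113.7 is a documentation-range address standing in for that proxy.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.7     www.etrade.com etrade.com   # appended by dropper
10.0.0.5        intranet.example.internal
"""

# Names the administrator deliberately pins in the hosts file (hypothetical).
ALLOWLIST: FrozenSet[str] = frozenset({"intranet.example.internal"})


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs from hosts-file text.

    Comments (anything after '#'), blank lines and lines whose first field is
    not a valid IP address are skipped; one line may map several names.
    """
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        pairs.extend((str(addr), name.lower()) for name in fields[1:])
    return pairs


def suspicious_entries(text: str, allowlist: FrozenSet[str] = ALLOWLIST) -> List[Tuple[str, str]]:
    """Flag hostnames pinned to a non-loopback address that are not allowlisted.

    Such an entry short-circuits DNS: the client connects to whatever address
    is in the file while still believing it reached the name that was typed.
    """
    return [
        (name, addr)
        for addr, name in parse_hosts(text)
        if not ipaddress.ip_address(addr).is_loopback and name not in allowlist
    ]


if __name__ == "__main__":
    for name, addr in suspicious_entries(SAMPLE_HOSTS):
        print(f"hosts file pins {name} -> {addr}")
```

On a live system, feed it the contents of `%SystemRoot%\System32\drivers\etc\hosts` (or `/etc/hosts`) and keep the allowlist to the names you pinned yourself.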