Firewall Wizards mailing list archives

RE: Worms, Air Gaps and Responsibility


From: Dana Nowell <DanaNowell () cornerstonesoftware com>
Date: Mon, 17 May 2004 14:02:29 -0400

At 11:58 AM 5/17/2004 -0400, Paul D. Robertson wrote:
That's why I used Poisonbox as an example, it wormed Solaris and targeted
IIS.  Partially, I want people to start thinking now "What would I do
if..." because by preparing for the worst, we can hopefully be prepared
if/when the time comes.  When we start to worry about bad guys/gals and
reputations, I start to worry about infrastructure.

Yeah, we need the discussion.  It's just that I feel most people can't see
the forest, they're too busy counting trees.


As to the issue of the internal router interface being less than tight,
well that kind of implies either you think the worm was released internally
OR that some other vector was initially successful and THEN the Cisco was
attacked.  One COULD argue that if you hadn't been compromised via the
Windows/Linux/Solaris/Acme box FIRST the router was not too viable a
target.  (No I'm not really arguing that defense in depth is unnecessary,
so save the blow torch :-).

That's why automated multi-platform attacks worry me.  It's about that
time again.

Multiplatform attacks are due but I personally doubt the router is the
secondary target of choice, unfortunately my money's on PDAs and cell
phones via sync software and wireless.

[snip]

Which hasn't stopped all the exploits in services the router must expose
when certain configuration options are on.

Isn't that a DOH, more 'services' implies more surface? Now marry that to
less frequently used functions get less real world testing and less real
world testing frequently implies more 'breakability' and I think we agree.

Sure, my point (because I don't think you were clear - touché) was that
things like SNMP and the "We must MANAGE the router!" brigade increase
exploitability, but that hasn't yet seen widespread attacks, even though
I'd hazard to guess that most folks don't patch their routers.


SNMP, out of the box, typically has only a read-only public community[1].
You have to turn on write and you OUGHT to be bright enough to secure it
(and turn off public).  The default SNMP that Joe Sixpack or Mr Small
Business gets is 'info leaky' but reasonably harmless (barring buffer
overflows).

So while I agree that there are a lot of Cisco boxes on the net, I think the
exposed code base is small, special, and reasonably free of UI/entry things
like buffer overflows and such due to function.  It is also unlikely that

They come with HTTP servers now...

Internally only, unless the admin is a moron ;-).

Seen it.

Sigh, as soon as you think something is idiot proof, nature creates a
better idiot.

[snip]


You don't put all your general officers in fox holes ;)  If we don't worry
about it, there's nobody else who's going to come to the rescue, that
darned Bat Signal isn't working again!


My point is that for the majority of the net, small business and Joe
SixPack, the general LIVES in the foxhole, assuming someone is actually
appointed general.  My background is start-ups and companies with < 100
staff; if you can find a lt. colonel you're doing damn good, mostly you see a
corporal or private.  In my opinion, THAT'S one of the major security
issues that people sidestep, because it has no good answer.  In the old
days, the bear joke applied[2].   Now with millions of small companies
doing business with everyone and VPNs becoming the order of the day, I've
forgotten to laugh and started to dig a deeper hole.


So I agree that long term thought is better, I agree that this list is a
good place for it, I agree that the 'professionals' are the ones to do it.
But any long term thought that does not account for short term needs has an
obvious uselessness.  Which leads to: any examples that even tangentially

You need to do both.  Most places don't have room for both strategic and
tactical security, so we've all got to timeslice it...

Unfortunately, I think you are wrong.  What I was referring to with:

 "I agree that the 'professionals' are the ones to do it. But any long term
thought that does not account for short term needs has an obvious
uselessness."

is really that mindset.

Lots of places don't have time/knowledge for even tactical security.  They
live in the short term, it ain't broke world.  The 'admin' is the last guy
to install software anywhere.  I'm afraid that small business/Joe Sixpack
tactical security needs to be the defaults in the OS/DSL router/cable
modem/wireless device.  Strategic security needs to be defined by those
with a clue in settings with a clue (corporate or clued individuals) and
the average guy gets the vendor defaults (because he's too scared/clueless
to mess with them).  And some poor group of lucky individuals gets to
decide the 'best practice' the vendors should use in that market and cram
it down their throats.  Until that occurs or VPNs get less ubiquitous we
will all have issues. Depressing really, but I'm all for this list lending
a hand.  Meanwhile, pardon me while I continue digging.



imply that external router interfaces are in the same class as windows
boxes better be REALLY clear as to WHY or WHY NOT because the average guys
ducking the bullets aren't going to take time to figure it out and change
will not occur.

By the same token, those folks have to know where their infrastructure
lies, and when it might need attention.  Before the attack, if possible.


Unfortunately, I'm not sure everyone is competent enough to know they have
an issue (see above comment).  But yes, those with a clue should use it.

[snip]


[1] True unless I'm dating myself, I haven't looked recently. I'm more
router/network policy wonk now, less hands on routers more hands on
individual boxes as I fill in where needed and our net and services are
pretty static.  The REAL admin gets to play with all the toys :-).

[2] Two hunters come across an angry bear in the woods. They discuss what
they should do and one says, "let's run".  The other says, "run, are you
crazy, you can't outrun a bear".  The first says, "I don't have to outrun
a bear, I only have to outrun you".  In the 'old days' the little guy
didn't really have to be secure, just more secure than most others and the
attackers would pick an easier victim in the target rich environment.
Unfortunately there is a reason they are called 'the old days' and not
'current times'.



-- 
Dana Nowell     Cornerstone Software Inc.
Voice: 603-595-7480 Fax: 603-882-7313
email: DanaNowell_at_CornerstoneSoftware.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
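The post above argues that the out-of-the-box SNMP exposure (read-only public community, no write access, no HTTP server) is 'info leaky' but survivable, and that trouble starts when an admin turns on write access, keeps the default community, or exposes the HTTP server. The following is an added example, not code from the thread or from Cisco: a small audit that reads an IOS-style configuration and reports exactly those weak settings. The config text and the `audit_ios_config` function are constructed here for illustration; the parser assumes the plain `snmp-server community <string> [RO|RW] [acl]` form and does not handle `view` clauses.

```python
import re

# Constructed sample IOS-style config for illustration; not from any real device.
WEAK_CONFIG = """\
hostname edge-rtr
ip http server
snmp-server community public RO
snmp-server community private RW
snmp-server community s3cr3t RO 10
access-list 10 permit 192.0.2.10
"""

# The same device with the thread's advice applied: no HTTP server, no default
# community strings, no write access, and the remaining community bound to an ACL.
HARDENED_CONFIG = """\
hostname edge-rtr
no ip http server
snmp-server community s3cr3t RO 10
access-list 10 permit 192.0.2.10
"""

# Matches: snmp-server community <string> [RO|RW] [acl]  (assumed syntax, no 'view')
SNMP_RE = re.compile(r"^snmp-server community (\S+)(?:\s+(RO|RW))?(?:\s+(\S+))?$", re.I)
ACL_RE = re.compile(r"^access-list (\S+) ")


def audit_ios_config(config: str) -> list[str]:
    """Return a list of human-readable findings for SNMP/HTTP exposure."""
    lines = [ln.strip() for ln in config.splitlines()]
    # First pass: collect ACL numbers/names so a dangling reference can be flagged.
    acls = {m.group(1) for ln in lines if (m := ACL_RE.match(ln))}
    findings = []
    for line in lines:
        if line == "ip http server":
            findings.append("HTTP server enabled")
        m = SNMP_RE.match(line)
        if not m:
            continue
        community, mode, acl = m.group(1), (m.group(2) or "RO").upper(), m.group(3)
        if community.lower() in ("public", "private"):
            findings.append(f"default community string '{community}'")
        if mode == "RW":  # write access: the case the post says you OUGHT to secure
            findings.append(f"write access enabled for community '{community}'")
        if acl is None:
            findings.append(f"community '{community}' has no access list")
        elif acl not in acls:
            findings.append(f"community '{community}' references undefined ACL {acl}")
    return findings
```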