Penetration Testing mailing list archives
Re: Botnets
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Tue, 14 Apr 2009 13:43:25 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sun, 12 Apr 2009, Aarón Mizrachi wrote:

[SNIP] <also noting here that the original direction of the discussion has moved far from the original>
> Handling your point of view... about how to avoid being infected, it's a big deal... Like you, I also remember a week ago how Conficker was spreading on banks and sites that we supposed were secured and armored... It's not something new, and it's a shame that a worm using old "already-used" techniques compromised a big amount of "secured" computers...
>
> - Weak password detection (already used in the past)
> - Exploits that weren't zero days... (already used in the past)
> - Shared folders (already used in the past)
> - Pendrives (already used in the past)

Interesting thing to note was that the folks both homeside and workwide that avoided that "intrusion" did not allow those ports into or out of their networks. They may well, like me, have allowed internal machines to use those ports though.

> Like you mentioned, people's tendency on security is to trace a border and build a wall (firewall)... inside the wall, we don't care about security issues... (the "let me work" phrase); outside the wall, we are concerned about how this wall doesn't have any open port. But security is the compendium of many visions... There is not a unique solution... Ex.
>
> - How many times have we talked about blocking autorun.inf? (A simple registry key)
> - How many times have we talked about studying the business process and adapting the network infrastructure and user policy to it? (creating network segments according to the business, blocking traffic between VLANs or segments, etc...)
> - How many times have we talked about software patch management? (from AV updates to Windows Updates...)
> - How many times have we talked about the importance of antivirus...
> - How many times have we talked about the importance of not running non-essential services...
> - How many times have we talked about the importance of a security plan...
> - And... it's FUD or whatever you need to name it: How many times have we talked about how we need to be aware of the risks...
> - etc.
>
> And do you know why, if we as security consultants said all these statements, disasters like Conficker are happening? It's a simple answer...: Cost.
>
> - Adapting your network and user policies to your business has a big cost... poor scaling without costly maintenance of this plan...
> - Patch management also has a cost... that starts on license management and updates, and something very nasty: product lifetime and legacy systems.
> - Antivirus has an implicit cost...
> - Running non-essential services also has an implicit usability cost (you prefer to right click and share a folder when you want, without calling for support...)
> - Security plan? Do you have one? Complies with ISO 27001 or something? And is it well implemented?
>
> Hehe, that is when the equation has to be completed with a firewall or AV vendor saying that his product will solve 99.999999999999% of your security problems; from this statement, the sysadmin loses the fear of having weak passwords and keeping C$ || ADMIN$ && IPC$ shared...
>
> Well, finally it's not about fear, it's about understanding EVERY risk, to make the best strategy and decisions. There are a lot of things to do and to develop... to protect ourselves, we will need strategy and new developments... But we also have to be aware that we should NEVER think that we have seen everything... if you study malware, Conficker was using a tiny spectrum of harmful techniques to propagate itself...
You make some good points here, and fully go into how the same things are constantly being driven home again and again by those in the various areas of systems/network security. And still the same problems persist and the same old holes are found and used again and again to wreak havoc on the net <smile>. They happen to home based PCs as well as to large corporate networks. Over and over. And I'm willing to bet some companies that do mostly only pen testing find, when they review the same company yearly, many of the same holes open each time around.

Thing is; few are truly interested in a solution as pertains to network/systems security. You close a hole just after the findings of a pentest, only to have an upper mgt person need it reopened to twitter their kids and friends, etc... or they really really do need to mount company Windows shares on their infected home PCs that the kids use to wander the web and play games with. Costs get to be too much to maintain, especially in a bad economy, or the local security gurus move on and security takes a back channel in the course of running the company. And how many companies send their employees to the same security classes year after year to learn the same security safety tips over and over, to no avail?
Look at what we are left with after 9/11, airports and ports and borders as insecure as they were before making it a pain in the butt to travel.
Security is not a major priority; we have hot flashes now and then about it after BIG incidents, but they are fast forgotten, kinda like the memory of the vast voting public. But this is prolly a good thing <TM> for those in the industry, it pays their/our bills...
Thanks,

Ron DuFresne
- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

These things happened. They were glorious and they changed the world...,
and then we fucked up the endgame. --Charlie Wilson
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFJ5MtAst+vzJSwZikRAqtxAJ0TvfKp/jfPZsLH96Qq/9PghzKetACfQ663
4EsHkw8JzqLbxkGk3NaDnOs=
=Ey/Y
-----END PGP SIGNATURE-----
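The thread keeps coming back to a handful of host-level controls that were already well known when Conficker hit: the "simple registry key" that disables autorun.inf, the C$ / ADMIN$ / IPC$ shares left exposed behind weak passwords, and the SMB ports that the people who stayed clean simply did not allow across their network border. The following read-only audit script is an added example written for this archive page; it is not code from either poster. It assumes a Windows 8 / Server 2012 or later host (for Get-SmbShare, Get-NetTCPConnection and the NetSecurity cmdlets), an elevated PowerShell session, and that "those ports" in the message means TCP 445 and 139, the SMB and NetBIOS session ports Conficker's share-based spread rode on.

```powershell
# Added example, not part of the original thread. Audits the three controls the
# message lists (autorun, default admin shares, SMB exposure) without changing anything.
# Assumes Windows 8 / Server 2012+ and an elevated session.

function Test-AutorunDisabled {
    # NoDriveTypeAutoRun = 0xFF turns off AutoRun for every drive type; this is the
    # "simple registry key" that neutralises autorun.inf on pendrives.
    $path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $value = (Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    return ($null -ne $value) -and (($value -band 0xFF) -eq 0xFF)
}

function Test-AdminSharesDisabled {
    # AutoShareWks (workstation SKUs) / AutoShareServer (server SKUs) = 0 stops the
    # Server service from recreating C$ and ADMIN$ at startup. IPC$ is not governed by
    # these values and exists whenever the Server service runs.
    $path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $props    = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    $isServer = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1   # 1 = workstation
    if ($isServer) { return ($props.AutoShareServer -eq 0) }
    return ($props.AutoShareWks -eq 0)
}

function Get-AdminShares {
    # The administrative shares actually exposed right now, regardless of registry intent.
    Get-SmbShare | Where-Object { $_.Name -match '^(C\$|ADMIN\$|IPC\$)$' } |
        Select-Object Name, Path
}

function Get-SmbListeners {
    # Sockets listening on TCP 445 (SMB) and 139 (NetBIOS session). Assumption: these are
    # the ports the message means; a host listening here and reachable from outside its
    # segment is the "open port" the firewall was supposed to close.
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 445, 139 } |
        Select-Object LocalAddress, LocalPort
}

function Get-SmbInboundAllowRules {
    # Enabled inbound allow rules whose port filter is exactly 445 or 139. Rules written as
    # ranges (e.g. 135-139) or 'Any' are not expanded here and need a manual look.
    Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and ($_.LocalPort -in '445', '139') } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' } |
        Select-Object DisplayName, Profile
}

function Get-WormSurfaceReport {
    # One object per host; anything false or non-zero is a finding to explain or fix.
    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        AutorunDisabled      = Test-AutorunDisabled
        AdminSharesDisabled  = Test-AdminSharesDisabled
        AdminSharesPresent   = @(Get-AdminShares).Count
        SmbListeners         = @(Get-SmbListeners).Count
        SmbInboundAllowRules = @(Get-SmbInboundAllowRules).Count
    }
}

Get-WormSurfaceReport | Format-List
```

The report is deliberately read-only: the point of the message is that every one of these controls has an operational cost (someone wants that share, someone wants that port), so the output is meant to feed a conversation about which exposures are accepted, not to flip them silently. Run it on a sample of workstations before and after a patch or policy push and the "same holes open each time around" that Ron describes become a number you can track.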