Open Source and information security mailing list archives
From: hellnbak at nmrc.org (hellNbak)
Subject: http://security.tombom.co.uk/moreshatter.html

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I guess I will add my $.02 to this discussion. A note: I am neither attacking nor defending ANYONE in this post, just offering my twisted view of things.

Quoting from http://security.tombom.co.uk/response.txt:

"Also, if I understand things correctly, the attack you describe either requires the user to run an attacker's program on their system or the attacker needs to have access to the user's system. In either case, the attacker has been allowed to cross a security boundary. In our essay, the "Ten Immutable Laws of Security", these are Law #1 -- "If a bad guy can persuade you to run his program on your computer, it's not your computer anymore," and Law #3 -- "If a bad guy has unrestricted physical access to your computer, it's not your computer anymore." (see http://www.microsoft.com/technet/columns/security/essays/10imlaws.asp for the full essay)."

In general this is correct: allow unknown malicious code and you will get owned. But physical access isn't always required. It is not uncommon for an attacker to first gain a shell via this week's latest IIS exploit (or even Apache win32 for that matter), then upload tools to a poorly secured directory, then run bad code. This is so common that many pen-testers have scripted the entire process, as it is usually the easiest form of attack. As much as I hate to use the latest and greatest buzzwords, this would be one of those nifty "blended attacks" that we are hearing all the security vendors start to talk about. This is nothing new.

Now quoting from http://security.tombom.co.uk/shatter.html:

"Basically, there is no simple solution, which is why Microsoft have been keeping this under their hat. Problem is, if I can find this, I can guarantee that other people have as well. They might not tell anyone about it, and the next time they get into your system as a low-priv user, you wouldn't have a clue how they got LocalSystem out of it. After all, you're all up to date on patches, aren't you?"

You are absolutely right -- I think this is the entire problem. These flaws are at such a low level that they cannot be fixed without some major rewrites. I think we all know that a major rewrite of the Win32 API is very unlikely, so how do we at least remediate some of the risk?

1.) Physically secure your critical systems. If a system contains critical data, don't put it online and lock it up. This is plain common sense. Oh, and your website probably isn't critical data, or at least it shouldn't be.

2.) If the system needs to be online, not only should you physically secure it but also logically. In this day and age, just patching a system is the bare minimum. If the system is a web server, turn off all other services, lock down file system privileges, harden harden harden. If you don't know how, hire me to do it for you. :-) Other services like SQL, Exchange, etc. should not be directly exposed to the net.

3.) Configure your firewall to DENY ALL both directions. Only allow exactly what you need for the box to function. Note the BOTH DIRECTIONS comment. So many times while doing a pen-test I see firewalls only allowing 80, 443 inbound but allowing anything outbound, making launching a reverse shell easy. Most of all, DO NOT allow any type of TFTP, and have alarms go off in the event of someone trying to upload (via any method) files to the box.

4.) Application level firewalls anyone?

5.) Did I mention that you should harden and lock down all boxes that are online?

Before everyone on the list breaks out their flame thrower: yes, I understand that this isn't foolproof or as easy as it sounds. You can only protect against what you know about. Regardless of what O/S you run, all it takes is someone with the latest and greatest zero-day and all your bases belong to them. If my time in the security game has taught me anything, it's that all operating systems have risks associated with them and they all require hardening and reconfiguration before plugging in the network cable. Some of us would rather complain to the vendors in the hope of changing things while others do their best to lock things down. It's never a bad idea for an organization to come up with standard hardening procedures for various operating systems. I am not saying that this is right; I too hope for the days of a truly secure O/S, but I'm not holding my breath.

On Tue, 17 Sep 2002, Georgi Guninski wrote:

> Date: Tue, 17 Sep 2002 18:35:05 +0300
> From: Georgi Guninski <guninski@...inski.com>
> To: "Schmehl, Paul L" <pauls@...allas.edu>
> Cc: full-disclosure@...ts.netsys.com, secure@...rosoft.com
> Subject: Re: [Full-Disclosure] http://security.tombom.co.uk/moreshatter.html
>
> CC'ing secure@...rosoft.com to throw some light on this.
> secure@...rosoft.com:
> Are you taking this seriously? Really really seriously?
> Or are some application writers irresponsibly writing insecure code which opens
> windows on windows - like in "net send 127.0.0.1 lol" ?
>
> Georgi Guninski
> http://www.guninski.com
>
>
> Schmehl, Paul L wrote:
> > Interesting. I had a lengthy email argument with a MS rep about
> > shatter. He swore up and down that it wasn't a MS problem, but a bad
> > applications programmer problem. He finally grudgingly admitted that MS
> > probably shouldn't make it so easy to be a bad applications programmer
> > and said he would forward my concerns to MS Security. Maybe now they'll
> > actually take the issue seriously (yeah, right!)
> >
> > Paul Schmehl (pauls@...allas.edu)
> > Department Coordinator
> > The University of Texas at Dallas
> > AVIEN Founding Member
> > http://www.utdallas.edu/~pauls/
> >
> >>-----Original Message-----
> >>From: Georgi Guninski [mailto:guninski@...inski.com]
> >>Sent: Tuesday, September 17, 2002 4:56 AM
> >>To: full-disclosure@...ts.netsys.com
> >>Subject: [Full-Disclosure] http://security.tombom.co.uk/moreshatter.html
> >>
> >>http://security.tombom.co.uk/moreshatter.html
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

- -- 
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
"I don't intend to offend, I offend with my intent"
hellNbak@...c.org
http://www.nmrc.org/~hellnbak
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9h1U3ueD73xSa+/ARAsL4AJ9EwR72MdJdG1iGZ4IWLXx5WU68YQCfYj+X
464oHikMZHYsznTifkmgcgQ=
=NZQJ
-----END PGP SIGNATURE-----
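The following is an added example, not part of hellNbak's post or of any tool the thread mentions, illustrating points 3 and 5 of the message: a web server whose policy is "deny all, both directions", so that a connection observed in either direction is an alarm unless it is on the allow-list, TFTP is never allowed, and any request method that could write a file to the box is flagged. The addresses (203.0.113.x, 198.51.100.7, the resolver 10.0.0.2), the two log line formats and the list of permitted POST targets are constructed assumptions for the example.

```python
"""Default-deny policy audit for a hardened web server (added example).
Inbound only 80/443, outbound only what the box needs, TFTP never, and an
alarm on any attempt to upload files. All addresses, log formats and
allow-lists here are constructed assumptions, not from a real deployment."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Conn:
    direction: str  # "in" = connection toward the server, "out" = initiated by it
    proto: str      # "tcp" or "udp"
    peer: str       # remote address
    port: int       # server port for "in", remote port for "out"


# Assumed allow-list: HTTP/HTTPS inbound; outbound only DNS to the site's
# own resolver at 10.0.0.2. Anything not listed is denied, both directions.
ALLOW_IN = {("tcp", 80), ("tcp", 443)}
ALLOW_OUT = {("udp", 53): {"10.0.0.2"}}   # (proto, port) -> permitted peers
TFTP_PORT = 69


def parse_conn(line: str) -> Conn:
    """Parse the constructed line format '<dir> <proto> <peer>:<port>'."""
    direction, proto, peer_port = line.split()
    peer, port = peer_port.rsplit(":", 1)
    return Conn(direction, proto, peer, int(port))


def check_conn(c: Conn) -> Optional[str]:
    """Return an alarm message if the connection violates policy, else None."""
    if c.proto == "udp" and c.port == TFTP_PORT:
        return f"tftp ({c.direction}) with {c.peer}: never allowed"
    if c.direction == "in":
        if (c.proto, c.port) in ALLOW_IN:
            return None
        return f"inbound {c.proto}/{c.port} from {c.peer}: denied"
    # Outbound: the port alone is not enough, the peer must be on the list too.
    if c.peer in ALLOW_OUT.get((c.proto, c.port), set()):
        return None
    return f"egress {c.proto}/{c.port} to {c.peer}: denied (possible reverse shell)"


def audit_connections(lines: List[str]) -> List[str]:
    return [a for a in (check_conn(parse_conn(l)) for l in lines) if a]


# Upload detection on W3C-style web server log lines (constructed format):
# "<date> <time> <client-ip> <method> <uri-stem> <status> <bytes-received>"
WRITE_METHODS = {"PUT", "MOVE", "COPY", "MKCOL", "DELETE"}
ALLOWED_POST_PATHS = {"/feedback.asp"}   # assumed: the only form the site accepts


def check_http(line: str) -> Optional[str]:
    """Alarm on any request that could write a file to the box."""
    _date, _time, client, method, uri, _status, nbytes = line.split()
    if method in WRITE_METHODS:
        return f"{method} {uri} from {client}: write method"
    if method == "POST" and uri not in ALLOWED_POST_PATHS:
        return f"POST {uri} from {client} ({nbytes} bytes): unexpected upload target"
    return None


def audit_http(lines: List[str]) -> List[str]:
    return [a for a in (check_http(l) for l in lines) if a]


# Constructed sample traffic: a legitimate visitor, the resolver, then an
# attacker (198.51.100.7) pulling tools by TFTP and calling back on 4444,
# plus SQL Server left reachable from the Internet.
CONN_LOG = [
    "in tcp 203.0.113.5:80",
    "in tcp 203.0.113.5:443",
    "out udp 10.0.0.2:53",
    "out tcp 198.51.100.7:4444",
    "out udp 198.51.100.7:69",
    "in tcp 203.0.113.9:1433",
]
HTTP_LOG = [
    "2002-09-17 18:35:05 203.0.113.5 GET /index.html 200 0",
    "2002-09-17 18:36:10 198.51.100.7 PUT /scripts/nc.exe 201 59392",
    "2002-09-17 18:36:30 198.51.100.7 POST /scripts/upload.asp 200 12000",
    "2002-09-17 18:37:00 203.0.113.5 POST /feedback.asp 200 300",
]

if __name__ == "__main__":
    for alarm in audit_connections(CONN_LOG) + audit_http(HTTP_LOG):
        print("ALARM:", alarm)
```

The outbound check is keyed on peer as well as port: permitting "udp/53 to anywhere" would still leave an attacker a DNS-shaped channel out, so the resolver address is part of the rule. The HTTP side treats any WebDAV write method as an alarm regardless of status code, since a rejected PUT is still someone trying to put a file on the box, which is exactly the event the post says should page someone.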