[thelist] Network Security (WAS: Re: [OT - For USA] Got any special plans for November 2nd?)
Allen Schaaf
techwriter at sound-by-design.com
Wed Oct 20 23:49:57 CDT 2004
At 12:35 AM 10/20/04 - Ken Schaefer wrote:
>----- Original Message -----
>From: "Allen Schaaf" <techwriter at sound-by-design.com>
>Subject: Re: [thelist] [OT - For USA] Got any special plans for November
>2nd?
>
>
> > /TIP ----->
> > Be very careful about posting any exe files that might
> > have been created by Windows NT, 2000, XP, or any
> > executable file like screen savers, GIF animations, etc.,
> > to your web site.
> >
> > The reason is ADS - no, not advertising, but rather
> > Alternate Data Streams. They work sort of like pre-OSX
> > Mac files in that they have two forks. There is the visible
> > one which is the cute greeting card or whatever and the
> > other is quietly installing a back door or Trojan on the
> > computer of the person who downloaded it.
> >
> > At the very least run all files through software
> > like <adscheck.exe>.
>
>a) I don't see the concern with placing .exe files onto your /own/ website.
>Presumably, if you have the files you know they are safe.
But is your source a trusted source? Do you know for sure that it was not
compromised? Did you run an MD5 or SHA-2 hash before and after to check that
it had not been meddled with?
>The question is whether it's safe for you to download files from someone
>else's website.
The question also is, do you want to protect the integrity of your site?
The other question is, do you want it to become so common a problem that
people are leery of visiting your site out of fear?
>b) The article linked is incorrect in stating that most security software
>is incapable of scanning ADS (whilst that may have been true when the
>words are written, I've been assured by people in the AV industry that
>this is no longer the case). Every major AV program is now capable of
>scanning ADS in files as you access them. Keep your AV up-to-date.
But, if it is not a virus, only an executable, will it be detected?
According to my sources it is somewhat hit and miss. I've tested three AV
products, and not one got the Word macro, and only one got one of the ADS
executables.
Granted this is not exhaustive, but I think it has the potential to be a
bigger problem than we realize.
Look at the potential for problems with Javascript - see
www.computerbytesman.com - and yet most use it because they trust that most
sites do not put malicious code on their pages. But if people lose that
trust, all the effort you have put into those pretty pages with nice
whiz-bangs will be useless, as the default browser setting for scripting
languages that execute on the client will become "off", as it is now on
mine. There are many sites I no longer even bother visiting because they
depend on too much code that I do not have time to study.
Do you think I'm being foolish? Perhaps, but then you have not seen an
entire group of 15 people behind a good firewall suddenly start getting
pop-up ads all day long. Every single machine had to be rebuilt from
scratch as they could not find the cause. Almost a week's lost productivity.
I'll give you another scenario that has happened at a large financial
institution. A laptop was lost with a lot of financial records on it. It
was recovered from the lost and found at the airport after a few
hours. Big sighs of relief, until... well, someone very clever had copied all
the files to a new drive and added a trojan that was masked from the
anti-virus scanner. The next time the laptop was connected to the corporate
network, guess what? Well, they were lucky. An alert sys admin noticed
something funny in the IDS logs and traced it back before all the private
data was uploaded to somewhere on the net.
Don't think it can be done? Then take the Certified Ethical Hacker class to
get the certificate and get your pants scared right off you in no time
flat. The two exploits I mentioned were only the very tiniest tip of the
iceberg.
Best to you and yours,
Allen Schaaf
Documentation Developer and Senior Technical Writer
Certified Network Security Analyst and
Intrusion Forensics Investigator - CEH, CHFI
Papageno: "What should we say now?"
Pamina: "The truth, the truth, ...even if it is a crime."
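As an added example (not code from the original post or from Allen Schaaf), here is what the ADS check and the "hash before and after" idea from this thread look like in PowerShell on an NTFS volume. The sample file, its contents and the stream name 'payload' are invented for the demonstration, and it assumes Windows PowerShell 5.1 or PowerShell 7. The check a practitioner wants to see is the one Get-FileHash does not give you: a hash of the file as a whole covers only the primary ($DATA) stream, so an added ADS leaves that hash unchanged, and the streams have to be enumerated and hashed individually.

```powershell
# Added example, not code from the original post or its author. Assumes
# Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume; the sample
# file, its contents and the stream name 'payload' are invented here.

function Get-StreamHashes {
    # Hash every stream of a file separately. ':$DATA' is the primary
    # (visible) stream; any other stream name is an alternate data stream.
    param([Parameter(Mandatory)][string]$Path)

    Get-Item -LiteralPath $Path -Stream * | ForEach-Object {
        $name  = $_.Stream
        $isADS = ($name -ne ':$DATA')

        # Read the raw bytes. The provider reaches an ADS through -Stream;
        # the byte-reading switch was renamed between PowerShell versions.
        $readParams = @{ LiteralPath = $Path; Raw = $true }
        if ($isADS) { $readParams.Stream = $name }
        if ($PSVersionTable.PSVersion.Major -ge 6) { $readParams.AsByteStream = $true }
        else                                        { $readParams.Encoding     = 'Byte' }
        $bytes = Get-Content @readParams
        if ($null -eq $bytes) { $bytes = [byte[]]::new(0) }   # empty stream

        $sha = [System.Security.Cryptography.SHA256]::Create()
        try     { $hex = [System.BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-', '' }
        finally { $sha.Dispose() }

        [pscustomobject]@{ Stream = $name; IsADS = $isADS; Length = $_.Length; SHA256 = $hex }
    }
}

function Find-FilesWithADS {
    # Walk a directory tree (e.g. a web root before publishing) and report
    # every stream that is not the primary one. 'Zone.Identifier' is the
    # usual benign ADS that Windows attaches to downloaded files; anything
    # else deserves a look.
    param([Parameter(Mandatory)][string]$Root)

    Get-ChildItem -LiteralPath $Root -Recurse -File | ForEach-Object {
        Get-Item -LiteralPath $_.FullName -Stream * |
            Where-Object { $_.Stream -ne ':$DATA' } |
            Select-Object FileName, Stream, Length
    }
}

# --- Demonstration on a constructed sample file ---------------------------
$file = Join-Path $env:TEMP 'sample.txt'                       # hypothetical file
Set-Content -LiteralPath $file -Value 'visible greeting-card content' -NoNewline

# The ordinary whole-file hash, taken before any ADS exists.
$before = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash

# Attach an ADS. Explorer, a plain 'dir' and Get-FileHash all see only
# the primary stream; the file size they report does not change either.
Set-Content -LiteralPath $file -Stream 'payload' -Value 'hidden content' -NoNewline

$after = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
"Whole-file hash unchanged after adding an ADS: $($before -eq $after)"   # True

# Per-stream view: the ADS now appears with its own length and hash, so a
# before/after comparison of this table does catch an added stream.
Get-StreamHashes -Path $file | Format-Table -AutoSize

# Scan the directory the sample lives in for any file carrying an ADS.
Find-FilesWithADS -Root (Split-Path -Parent $file) | Format-Table -AutoSize

# Remove the hidden stream; the primary content is untouched.
Remove-Item -LiteralPath $file -Stream 'payload'
(Get-Item -LiteralPath $file -Stream *).Stream                  # only ':$DATA' remains
```

Two things worth knowing when using this: ADS are an NTFS feature, so copying a file to a FAT or exFAT volume silently drops the streams (which is one way to strip them, and also why a clean-looking copy proves nothing about the original), and the same enumeration is available without PowerShell as `dir /R` in cmd or with the Sysinternals Streams tool.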