[thelist] Network Security (WAS: Re: [OT - For USA] Got any special plans for November 2nd?)

Allen Schaaf techwriter at sound-by-design.com
Wed Oct 20 23:49:57 CDT 2004


At 12:35 AM 10/20/04 - Ken Schaefer wrote:
>----- Original Message -----
>From: "Allen Schaaf" <techwriter at sound-by-design.com>
>Subject: Re: [thelist] [OT - For USA] Got any special plans for November
>2nd?
>
>
> > /TIP ----->
> > Be very careful about posting any exe files that might
> > have been created by Windows NT, 2000, XP, or any
> > executable file like screen savers, GIF animations, etc.,
> > to your web site.
> >
> > The reason is ADS - no, not advertising, but rather
> > Alternate Data Streams. They work sort of like pre-OSX
> > Mac file in that they have two forks. There is the visible
> > one which is the cute greeting card or whatever and the
> > other is quietly installing a back door or Trojan on the
> > computer of the person who downloaded it.
> >
> > At the very least run all files through software
> > like <adscheck.exe>.
>
>a) I don't see the concern with placing .exe files onto your /own/ website.
>Presumably, if you have the files you know they are safe.

But is your source a trusted source? Do you know for sure that it was not 
compromised? Did you run an MD5 or SHA2 hash before and after to check that 
it had not been meddled with?

>The question is whether it's safe for you to download files from someone 
>else's website.

The question also is, do you want to protect the integrity of your site? 
The other question is, do you want it so common a problem that people are 
leery of visiting your site out of fear?

>b) The article linked is incorrect in stating that most security software 
>is incapable of scanning ADS (whilst that may have been true when the 
>words are written, I've been assured by people in the AV industry that 
>this is no longer the case). Every major AV program is now capable of 
>scanning ADS in files as you access them. Keep your AV up-to-date.

But, if it is not a virus, only an executable, will it be detected? 
According to my sources it is somewhat hit and miss. I've tested three AV 
products and not one got the Word macro and only one got one of the ADS 
executables.

Granted this is not exhaustive, but I think it has the potential to be a 
bigger problem than we realize.

Look at the potential for problems with Javascript - see 
www.computerbytesman.com - and yet most use it because they trust that most 
sites do not put malicious code on their sites. But if people lose that 
trust, all the effort you have put into those pretty pages with nice whiz 
bangs will be useless, as the default browser setting for scripting languages 
that execute on the client will become "off", as it is now on mine. There 
are many sites I no longer even bother visiting because they depend on too 
much code that I do not have time to study.

Do you think I'm being foolish? Perhaps, but then you have not seen an 
entire group of 15 people behind a good firewall suddenly start getting 
pop-up ads all day long. Every single machine had to be rebuilt from 
scratch as they could not find the cause. Almost a week's lost productivity.

I'll give you another scenario that has happened at a large financial 
institution. A laptop was lost with a lot of financial records on it. It 
was recovered from the lost and found at the airport after a few 
hours.  Big sighs of relief, until..., well someone very clever copied all 
the files to a new drive and added a trojan that was masked from the 
anti-virus scanner. The next time the laptop was connected to the corporate 
network, guess what? Well, they were lucky. An alert sys admin noticed 
something funny in the IDS logs and traced it back before all the private 
data was uploaded to somewhere on the net.

Don't think it can be done? Then take the Certified Ethical Hacker class to 
get the certificate and get your pants scared right off you in no time 
flat. The two exploits I mentioned were only the very tiniest tip of the 
iceberg.


Best to you and yours,


Allen Schaaf
Documentation Developer and Senior Technical Writer
Certified Network Security Analyst and
Intrusion Forensics Investigator - CEH, CHFI

Papageno: "What should we say now?"
Pamina: "The truth, the truth, ...even if it is a crime." 
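An added example, not code from the thread or from any tool mentioned in it, of the "hash before and after" check Allen describes: build a digest manifest of the files you intend to publish, keep it somewhere other than the web server, and re-check the published tree against it later. The directory layout, file names and contents in `demo()` are constructed for the illustration.

```python
"""Integrity manifest for published files: hash before upload, re-hash
afterwards, and report anything that changed.  Added example, not code
from the original thread; paths and sample content are constructed."""
import hashlib
import json
import os
import tempfile

CHUNK = 1 << 16  # read files in 64 KiB pieces


def hash_file(path, algorithm="sha256"):
    """Return the hex digest of one file, read in chunks so large binaries
    (installers, screen savers) need not fit in memory.  On NTFS a normal
    open() reads only the default data stream, so a named alternate stream
    attached to the file would not change this digest."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root, algorithm="sha256"):
    """Walk `root` and map each relative path (with '/' separators) to its digest."""
    manifest = {"algorithm": algorithm, "files": {}}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest["files"][rel] = hash_file(full, algorithm)
    return manifest


def verify_manifest(root, manifest):
    """Compare the tree under `root` with a manifest made earlier.
    Returns sorted lists of 'modified', 'missing' and 'added' relative paths."""
    current = build_manifest(root, manifest["algorithm"])["files"]
    expected = manifest["files"]
    return {
        "modified": sorted(p for p in expected
                           if p in current and current[p] != expected[p]),
        "missing": sorted(p for p in expected if p not in current),
        "added": sorted(p for p in current if p not in expected),
    }


def demo():
    """Constructed scenario: two files are published, then one is altered and
    an unexpected third file appears.  Returns the verification report."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "cards"))
        with open(os.path.join(root, "cards", "greeting.exe"), "wb") as f:
            f.write(b"MZ original greeting card bytes")
        with open(os.path.join(root, "index.html"), "wb") as f:
            f.write(b"<html>hello</html>")

        before = build_manifest(root)
        saved = json.dumps(before)  # what you would keep off the web server

        # Simulate tampering after upload: card replaced, extra file dropped in.
        with open(os.path.join(root, "cards", "greeting.exe"), "wb") as f:
            f.write(b"MZ original greeting card bytes plus something else")
        with open(os.path.join(root, "cards", "extra.exe"), "wb") as f:
            f.write(b"MZ unexpected")

        return verify_manifest(root, json.loads(saved))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest must be stored and compared from a machine the web server cannot write to, or an attacker who can replace a file can replace its recorded digest too. The digest also covers only the file's main content: on NTFS, a named alternate data stream is a separate object and needs a stream-aware check of its own.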
