[thelist] Network Security (WAS: Re: [OT - For USA] Got any special plans for November 2nd?)

[Ken Schaefer]

On Wed, 20 Oct 2004 21:49:57 -0700, Allen Schaaf
<techwriter at sound-by-design.com> wrote:

> > > Be very careful about posting any exe files that might
> > > have been created by Windows NT, 2000, XP, or any
> > > executable file like screen savers, GIF animations, etc.,
> > > to your web site.
> > >
> > > The reason is ADS - no, not advertising, but rather
> > > Alternate Data Streams. 
> >
> >a) I don't see the concern with placing .exe files onto your /own/ website.
> >Presumably, if you have the files you know they are safe.
> 
> But is your source a trusted source? Do you know for sure that it was not
> compromised? Did you run a MD5 or SHA2 hash before and after to check that
> it had not been meddled with?

Before and after what? Before and after you placed them onto your
website? If someone's tampering with files you've placed onto your own
website I think you have bigger issues.

If you're redistributing .exe files, then presumably you have some
licence to do so, and you'd have some kind of trust relationship with
the original vendor.

If you're a software developer yourself and distributing your own .exe
files, then presumably you take steps to ensure that your development
environment isn't trojaned.

On the other hand, if you found dodgy.exe on some
www.freemp3warezp0rn.com site and stick it up on your own, then I
think you have bigger issues than ADS :-)

> >The question is whether it's safe for you to download files from someone
> >else's website.
> 
> The question also is, do you want to protect the integrity of your site?
> The other question is, do you want it so common a problem that people are
> leery of visiting your site out of fear?


Hmmm...I've never seen anything in the security community about
widespread problems with people redistributing .exe files that have
somehow been trojaned with malicious code embedded in ADS.

Please note that the issue here is your highlighting of ADS, as
distinct from malicious executables themselves.
 
> >b) The article linked is incorrect in stating that most security software
> >is incapable of scanning ADS (whilst that may have been true when the
> >words are written, I've been assured by people in the AV industry that
> >this is no longer the case). Every major AV program is now capable of
> >scanning ADS in files as you access them. Keep your AV up-to-date.
> 
> But, if it is not a virus, only an executable, will it be detected?
> According to my sources it is somewhat hit and miss. I've tested three AV
> softwares and not one got the Word macro and only one got one of the ADS
> executables.

But what does the executable do? As mentioned, most (if not all) AV
products will detect and scan ADS. If there is executable code in the
ADS, and it appears to be a virus or trojan, or exhibits "virus like
activity", then the AV scanner will catch it. If it's just executable
code in general, then I don't think your AV will try to stop it
running, in the same way that it doesn't stop you running word.exe or
calc.exe or notepad.exe

Personally, I'm not so sure about embedding a Word macro virus into
ADS - how exactly will that be executed by Word?

 
> Granted this is not exhaustive, but I think it has the potential to be a
> bigger problem than we realize.

I think I'm reasonably cognizant of security threats, risks,
countermeasures, technologies, tools etc on the Windows platform. As I
mentioned, I don't think ADS is some "smoking gun" or "elephant in the
room" that the community is ignoring.


> Look at the potential for problems with Javascript - see
> www.computerbytesman.com - and yet most use it because the trust that most
> sites do not put malicious code on their sites but if people lose their
> trust all the effort you have put into those pretty pages with nice whiz
> bangs will be useless as default browser setting for scripting languages
> that execute on the client will become "off" as it is now on mine. There
> are many site I no longer even bother visiting because they depend on too
> much code that I do not have time to study.

People are already leery of downloading straight executables. What's
so special about ADS? Nothing as far as I can tell.


> Do you think I'm being foolish? Perhaps, but then you have not seen an
> entire group of 15 people behind a good firewall suddenly start getting
> pop-up ads all day long. Every single machine had to be rebuilt from
> scratch as they could not find the cause. Almost a week's lost productivity.


You don't know what I have, and haven't seen. :-)
Unless this firewall is some kind of Application layer firewall (like
ISA Server), then it's pretty much useless for stopping people
downloading malicious code and running it. You might as well have said
that they had a good surge protector.

Detecting malware that causes "popups" certainly can be done. If it
can't in a particular case, then either the administrator doesn't have
the requisite knowlegde or (if they do have the knowledge) doesn't
have the requisite resources (time, money).


> I'll give you another scenario that has happened at a large financial
> institution. A laptop was lost with a lot of financial records on it. It
> was recovered from the lost and found at the airport after a few
> hours.  Big sighs of relief, until..., well someone very clever copied all
> the files to a new drive and added a trojan that was masked from the
> anti-virus scanner. The next time the laptop was connected to the corporate
> network, guess what? Well, they were lucky. An alert sys admin noticed
> something funny in the IDS logs and traced it back before all the private
> data was uploaded to somewhere on the net.

I think we all realise this is an issue. Certainly any financial
institution that has a laptop in the hands of unknown, and then wants
to return it to a sensitive network would reimage the machine to a
known good state before doing so.

The company I work for is doing a lot of work on Microsoft's VPN
quarantine technology, which is designed to allow the quarantine of
machines from a sensitive network until they have been certified as
"clean". If anyone's interested, we can be hired at exhorbi....sorry
"good value" rates. :-)


> Don't think it can be done? Then take the Certified Ethical Hacker class to
> get the certificate and get your pants scared right off you in no time
> flat. 

I don't mean to demean the certification you mention, but I doubt that
I'd learn anything by preparing for such an exam. :-)

I was hoping that previous posts on security related topics on this
list might have conveyed what I thought was my understanding of
security issues, but perhaps I have an inflated sense of what I
actually know :-)

Cheers
Ken