Hack the Gibson #88


Read the reason for these posts. Read Steve Gibson’s response.

A question which popped up twice in this episode was the problem with broadband users, and the answer provided was very good: even if 50% of the people who have broadband were to turn off their connection when they are not using it, the other half would still pose a very big (and ever growing, as we get more and more bandwidth worldwide) risk. There are some things ISPs can do, but ultimately it comes down to user education. I’m in favor of a required computer driving license (because computers are clearly much more complex than cars and you can inflict big – although mostly material, not physical – damage if you don’t know what you’re doing; you can even imagine extreme cases where your computer becomes part of a botnet attacking a hospital which loses patients because its network becomes unusable) or of managed security, but these are not things I would consider becoming real very soon, given how the marketing departments of IT companies want to convince everyone that computers are simple and everybody can use them.

To the listener who discovered XSS flaws in his bank’s websites: I would recommend first of all to report his findings anonymously, and second of all, to watch two great videos from Shmoocon 2007 (better yet, watch all of them, since they all are great, but these two are pertinent to the matter at hand):

  • Assess the security of your online bank without going to jail – Chuck Willis
  • Vulnerability Disclosure Panel Palaver (or 0-day OK, No Way, or For Pay) – Katie Moussouris

Regarding the Vista / UAC problem: I don’t use Vista, so maybe I misunderstand the problem, but there are ways of elevating a program explicitly (most probably they are still present in Vista) without logging out and logging back in as a privileged user. On earlier versions of Windows, running unprivileged and privileged programs on the same desktop was not 100% safe, because of the possibility of the privileged program being vulnerable to the shatter attack; however, that is more of a theoretical vulnerability which wasn’t used at all in real malware as far as I know, and the message system in Vista was redesigned to remove the possibility of this happening.

To the fellow wondering if malware can re-enable features he disabled: it can, and many times it does. This is why running as a limited user is such an important thing. Programs running under limited accounts can not do these things. However, programs running with high privileges can do anything you can (including stopping your AV product or firewall). This is a point that companies and security professionals tend to forget to mention (the reasons of companies are clear; however, I don’t know why there is so little discussion in the security professional circle about this topic). The claim that most programs won’t run in low rights mode is entirely false: I’ve been running with low rights on Windows XP and 2003 for the past year or so and had very few problems. And products which are rumored to have the most problems (like developer tools – MS Visual Studio, including 6.0) worked flawlessly.

And here is a little plug (because Steve also plugged his password generator): when you use mine, you don’t have to trust anyone. In Steve’s case you have to trust him that he’s not keeping a log of every IP and the passwords which got generated for it. Now, I’m not implying that he is, I’m just saying that he could be. If you choose my solution, you can inspect the source code to make sure that nothing funky is going on.

About malware detection and cleaning: Windows offers a very limited set of tools to properly diagnose the health of the system. The best thing you can do is to watch this presentation by Mark Russinovich (co-author of Windows Internals!) about the topic.

Regarding question nine: while it is technically correct that you can’t prevent tunneling through SSH while still allowing SSH, there is something you can do: allow outgoing connections only to a limited set of addresses (which are probably work related), and make sure that those SSH servers are configured not to do forwarding (and also make sure that the user accounts given to your employees don’t have enough rights to change the configuration).
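A check for the server-side half of that advice, as an added example that is not from the original post: it reads an sshd_config file and reports whether every directive that enables tunneling is explicitly set to no. The two sample configs are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): audit the forwarding-related
# directives of an sshd_config file. Returns 0 when all of them are "no",
# 1 otherwise, printing each directive that still allows tunneling.
check_sshd_forwarding() {
    cfg="$1"
    rc=0
    for d in AllowTcpForwarding AllowAgentForwarding PermitTunnel GatewayPorts X11Forwarding; do
        # sshd keywords are case-insensitive and the FIRST uncommented occurrence
        # wins; directives inside a Match block are conditional, so stop there.
        # (The "keyword=value" spelling sshd also accepts is not handled here.)
        val=$(awk -v key="$d" '
            tolower($1) == "match" { exit }
            tolower($1) == tolower(key) { print tolower($2); exit }' "$cfg")
        if [ "$val" != "no" ]; then
            echo "$d: ${val:-unset} (want: no)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample 1: looks hardened at a glance, but the key line is commented out
# and AllowAgentForwarding is left at its default.
LOOSE_CFG=$(mktemp)
cat >"$LOOSE_CFG" <<'EOF'
Port 22
#AllowTcpForwarding no
PermitTunnel no
GatewayPorts no
X11Forwarding no
EOF

# Constructed sample 2: every forwarding directive explicitly disabled.
TIGHT_CFG=$(mktemp)
cat >"$TIGHT_CFG" <<'EOF'
Port 22
AllowTcpForwarding no
AllowAgentForwarding no
PermitTunnel no
GatewayPorts no
X11Forwarding no
EOF
trap 'rm -f "$LOOSE_CFG" "$TIGHT_CFG"' EXIT

for f in "$LOOSE_CFG" "$TIGHT_CFG"; do
    if check_sshd_forwarding "$f"; then echo "$f: forwarding disabled"; else echo "$f: tunneling still possible"; fi
done
```

Run it against /etc/ssh/sshd_config on the servers your employees are allowed to reach; a non-zero exit means at least one forwarding path is still open.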

To the admin who got caught by the Webmin vulnerability: configure your firewall to be as restrictive as possible with both inbound and outbound connections. Limit the access to important files through other means too (like .htaccess files in Apache).

Regarding the question of the student with IP/ShieldsUp: Leo kept mixing up public and static IP addresses (btw, the student seemed also confused about it). You can have one or the other. They have no relation to one another (in fact you can have public/private and static/dynamic IP addresses in any combination). Also, buying a router doesn’t help much if it doesn’t get properly configured (because otherwise you have a public-facing administration interface with default passwords on many routers). And if you are knowledgeable enough to configure the router, you are probably knowledgeable enough to secure your computer without it.

