Comments on: San Fransisco Officials Locked Out of Their Own Network

By: Morgan Storey

Morgan Storey — Wed, 06 Aug 2008 11:12:11 +0000

@Navin: I read an article about a guy who using the playstation3’s FPU managed to on the fly, inject data in to bittorrent chunk, using the PS3 to manipulate the packet so that its MD5 would match and therefore the reciever and their software would be none the wiser. This is another similar vector for attack. Imagine downloading the latest copy of some linux distro, power it up and it installs some unknown binary that phones home and pops open a port.
There is no single solution, security is a process not a product (to quote Schnier).

By: Navin

Navin — Mon, 04 Aug 2008 14:09:24 +0000

@ morgan hehehehehe (tht’s for the last comment)

For the one before tht, yeah, it’d be comparably easy to even pair up rootkits with Windows updates and get thousands/millions of users affected. That was was many had expected had happened when one of the MS sites was hacked a few yrs ago (MS-Europe if I remember right)…but of course tht was a hoax.

By: Morgan Storey

Morgan Storey — Mon, 04 Aug 2008 05:44:23 +0000

@Darknet: see some spammers get through. Suprisingly few though. COUGH Nagios….
Ahhh irony, the WP spam blocker blocked this message several times.

By: Morgan Storey

Morgan Storey — Mon, 04 Aug 2008 01:36:10 +0000

@Navin: I can’t believe there hasn’t been a MITM attack yet with windows update. How hard would it be, as there is no ssl. Simply just redirect the domain, and mirrors, and publish a few security updates malformed via a wsus server or own custom build.

By: Navin

Navin — Sun, 03 Aug 2008 13:25:40 +0000

Ya, there was this article I’d read a long time back about how malware was recognised as legitimate Windows updates and got installed on PC’s of guys who’d stumbled onto malware infected sites and had automatic windows updates turned on!! Since tht day, my Windows Update (automatic) has been turned off

By: Morgan Storey

Morgan Storey — Sun, 03 Aug 2008 01:12:54 +0000

@Zukakomputer and Navin: I was doing the work on a Friday before a long weekend, that was the point, we could have hopped a plane Saturday and no one would have known until Tuesday. Fortunately though we don’t have FBI here, only Federal Police. I reacon I could have got away with it, but I couldn’t do that, I think how many people may have lost their job if I had, or the damage done to the consulting firm I was working with at the time.
It was funny to joke about though.
Maybe internal attack vectors will be more subtle in the future, it isn’t that hard to write/buy some custom piece of malware, roll it into an update or into the soe and push it out to the company. Years later it is still sending data your way, and you can use it for what you will. I am sure this is being done, and it is rather hard to defend against.

By: Navin

Navin — Sat, 02 Aug 2008 10:55:37 +0000

Oh yeah….. morgan’d prolly be surrounded by a battalion of the FBI before he could even collect his passport….but perhaps if he did this from lets say Yugoslavia and got the cash tranferred to some bank account in China using proxies in Nigeria, India, Iran, Turkey, Vietnam, Canada and Venezuela, maybe it’d be some time before the FBI tracked him down…..hmmmm….I got a great idea….honey, pack up your bags!!

By: gmckee

gmckee — Fri, 01 Aug 2008 19:41:54 +0000

‘me a cowboy’ I did get it. Perhaps it was my Scottish half speaking to me down the ages. Of course the Irish side was slowing things down a bit…

By: zupakomputer

zupakomputer — Fri, 01 Aug 2008 14:02:57 +0000

But realistically though if you’d transfered that money to yourself they’d have known it was you, and you’d have been easily caught anyway (unless - you happen to be a master of disguise and hold an array of fake passports?! private planes, etc; in which case you wouldn’t have been working a job!).

By: Morgan Storey

Morgan Storey — Fri, 01 Aug 2008 10:03:26 +0000

@zukakomputer: very true, a chain is only as strong as it’s weakest link. I guess it would limit damage, but is also limits knowledge, and limits the work that one of these people has to do, which would also limit experience. There is no answer I can think of, short of very granular control and an IT literate upper manager. This is where CIO/CSO’s who are IT literate enough to control the admin passwords would be useful; they could simply be very granular in the control they give to one person, and have backup accounts.
It still doesn’t stop my attack vector, the only thing that could do that is the same upper manager monitoring key systems, and they don’t really have time for that.
I don’t know. Maybe having a code of ethics, and or Psych-reviews like the armed services. I myself believe I have a high level of ethics, I have had access to a corporate bank account user/pass that had access to a few million dollars (unlimited transfer too), I did nothing but my job and used these details to setup, test and deploy the system. I then encouraged the user to change their password, and went on about my day. That didn’t stop the jokes from colleagues; “cmon just hit transfer and next week we can both be on a beach in spain drinking margaritas”.

@navin & Darknet: I spoke too soon, I tried to post the above and got the WP error again.