
Re: [Full-disclosure] Remote Desktop Command Fixation Attacks



CQ,

maybe I am making a huge mistake for responding to your message, but
let's see. This is what I think about security in depth in a bit more
detail.

let's say that we have a wireless network which is guarded by "security
in depth" network administrators. The first thing they will do is to
secure the actual network by some massive segmentation exercises...
then the connection with enhanced privacy/encryption schemes (WPA2).
They will put more layers on top of that. For example, the users
need to authenticate with client-side certificates. Now that the network
and the connection are secure (sort of), they enforce group policy for
all laptops so that these laptops cannot connect to any other network
(sending probe requests, rogue access points). Right! But now they
also kill the ethernet, since a laptop cannot be connected to both the
wireless and the wired network, as it is also a risk (stepping stone
attacks). Each client has a firewall on top of that. The firewall
blocks everything that comes in and lets only the browser go out
through a proxy which requires authentication (NTLM, Basic Auth, etc.).
The user of the laptop runs with the least possible privileges and
they cannot install software. They cannot use the CD (Sony rootkits),
they cannot use the USB (endpoint security). The laptop has a boot
password as well so in case it is stolen the attackers cannot crack
open the disk.

My question is the following: does this sound sane to you? Do you
really believe that someone will let you do all that, without causing
chaos? Laptops are good because they are mobile. You are allowed to
take them out and work from home. At home you have your own network
which you would like to connect to. Even if you use a different
account on that same laptop to connect to that network, the risk is
still there. A system is as secure as the weakest link.

Companies don't like to hear how you are going to solve all problems
once and for all with some killer security in depth solution because
it is not possible. In order to make things work you have to leave
various doors open. At GNUCITIZEN we have one maxim: "Be
legitimate!" If the attacker tries to be a legitimate user as much as
possible they will stay unnoticed and they will get in.

Now how do we handle security in the 21st century the way I see it (btw, I
am not interested in selling any services, in fact, GNUCITIZEN is not
that type of organization)? First of all, careful planning - the
system has to be as secure as it is flexible and usable, even if this means
that you need to have a shared key for all of your wireless networks.
Second, you need a crisis management plan. Natwest got hacked by an MP3
player.. how many of you have heard of it, and for how long was this story
on the news? Third, you need to calculate the risk. Example?
Credit card fraud! We know that cards are getting stolen but the
calculated risk is 2% out of the whole, which can be easily
compensated. Etc, etc, etc!

As you can see it is not just technical when it comes to the real
world. In the real world the management gives you instructions and you
have to implement them in the best possible way. Projects stack up.
People leave, new people join in and work on the networks that they have
been given. Chaos is the norm! How many of you have seen a network
that is done right? Yeah, there are a few of you, but you are probably
talking about your home network which does not exceed more than 20
machines. How come I have never seen security in depth in practice?
You guys are more experienced than me, that's for sure... but I've
done quite a few tests in the past 4 years and I know what I've seen.
It is bad, but it is OK, because then we can sit together and walk
through the entire process.

I expect more flames, to which I am not planning to respond. If you
think that security in depth works for you... do it! Personally, I
will offer something additional to my clients: something that gives
them that extra safety net, which has nothing to do with security in
depth.

cheers,
pdp

On 10/14/07, C Q <kyle.c.quest@xxxxxxxxx> wrote:
> I guess there's some logic in spreading FUD about security in depth
> not working. It might be a nice way to scare potential customers
> who don't know much about security into whatever services
> Gnucitizen team sells. However, these kinds of tricks
> simply won't work with any seasoned security professional.
> It'll actually backfire if you are not careful... because you
> won't be taken seriously in the industry. I'm pretty sure
> Pdp's rating in the books of many security professionals
> went down quite a few notches :-) It's a small world...
> and most likely it'll affect your and your company's
> future... because you'll need to do business with
> people like Thor (who gave a great and very logical
> description with proper supporting examples of what
> security in depth is and what it's meant to do).
> The chances are that they'll simply choose to work
> with someone else... who better understands the big
> picture in security :-)
>
> CQ
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
> http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>


-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org