In a world where even the dimmest network manager understands the need to deploy stripped-down, hardened servers behind bulletproof firewalls, Core Security’s product manager, Max Caceres, told attendees to Black Hat Federal 2006 that attackers should take the easy route: Users.
Users offer a sloppy, target-rich environment with nearly unlimited access to trouble. They form a poorly guarded bridge between the internal network and the Internet.
Admins who allow email clients to receive unadulterated HTML documents are opening a hole in network security that can be very difficult to defend… especially once an attacker is inside the network perimeter.
HTML makes it easy to duplicate the appearance of groups from whom the end user regularly receives HTML messages, like banks, credit card companies and online auction houses. And hiding links to phishing or malware sites beneath apparently legitimate URLs is elementary.
When you add the potential havoc caused by attachments, ActiveX, Java, VBScript, and JavaScript… well, you get the picture. You open the door to all manner of rootkit, backdoor, keylogger, etc.
Caceres says that your best tools to avoid network penetration include spam and web content filters augmented by anti-virus, anti-malware and anti-phishing tools.
If you don’t funnel email through a defanger at the network perimeter, you’ll live to regret your leniency. According to Caceres, once an exploit has penetrated your perimeter, you must depend on HTTP proxies, personal firewalls and Host Intrusion Prevention Systems (HIPS) to limit damage.
As you know, that can be problematic. Rootkit creators often scoff at personal firewalls. The creator of the infamous rootkit, Hacker Defender, told Email Battles that no personal firewall on the market can protect against his full product line. Similarly, Joanna Rutkowska of Invisible Things demonstrated how easily her product, DeepDoor, bypassed both Norton Personal Firewall 2006 and ZoneAlarm Security Suite.
While locked-down personal computers are a critical element of network security, keeping track of users can be like herding cats. It’s nearly impossible to keep them all in line all of the time.
As far as email goes, it’s much easier to defang and control incoming HTML messages at the perimeter, and then do your best to keep users’ machines locked down.
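To make "defang at the perimeter" concrete, here is an added example (not code from the article or from Core Security) of the two checks such a filter would apply to each HTML mail body: it strips the active content the talk warns about (script, ActiveX/object, Java applets, embedded frames, event-handler attributes, javascript: URLs) and it flags links whose visible text names a host other than the real target, the "legitimate-looking URL over a phishing link" trick described above. It uses only the Python standard library; the sample message, the host names in it and the finding strings are all constructed for the demo.

```python
"""Perimeter HTML e-mail defanger (added example, not the article's own code).

Drops active content and flags display-text/target host mismatches in links.
Standard library only; SAMPLE below is a constructed message, not a real one.
"""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements removed together with their contents: active content, plus tags
# that can fetch remote resources or redirect (meta refresh, link, style).
ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe", "frame",
               "form", "meta", "link", "style"}
# Something that looks like a host or URL in link text, e.g. "www.bank.example".
HOSTISH = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.I)
BAD_SCHEMES = ("javascript:", "vbscript:", "data:")


def _bare_host(host):
    """Normalise a hostname for comparison: lower-case, no leading 'www.'."""
    return re.sub(r"^www\.", "", host.lower())


class Defanger(HTMLParser):
    def __init__(self):
        super().__init__()          # convert_charrefs=True: text arrives unescaped
        self.out = []               # sanitised HTML fragments
        self.findings = []          # human-readable record of what was changed
        self._skip = 0              # nesting depth inside a dropped element
        self._href = None           # href of the anchor currently open
        self._anchor_text = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"removed <{tag}>")
            self._skip += 1
            return
        if self._skip:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.lower().startswith("on"):            # onclick, onload, ...
                self.findings.append(f"dropped {name} on <{tag}>")
                continue
            if name.lower() in ("href", "src") and \
                    value.strip().lower().startswith(BAD_SCHEMES):
                self.findings.append(f"dropped {name}={value!r} on <{tag}>")
                continue
            kept.append((name, value))
        if tag == "a":
            self._href = dict(kept).get("href", "")
            self._anchor_text = []
        attr_text = "".join(f' {n}="{html.escape(v, quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)       # <br/> and friends: emit once
        if tag in ACTIVE_TAGS:
            self._skip -= 1

    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS:
            self._skip = max(0, self._skip - 1)
            return
        if self._skip:
            return
        if tag == "a" and self._href is not None:
            self._check_anchor()
            self._href = None
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._skip:
            return
        if self._href is not None:
            self._anchor_text.append(data)
        self.out.append(html.escape(data, quote=False))

    def _check_anchor(self):
        """Flag link text naming one host while the href points at another."""
        shown = HOSTISH.search("".join(self._anchor_text))
        actual = urlparse(self._href).hostname or ""
        if shown and actual and _bare_host(shown.group(1)) != _bare_host(actual):
            self.findings.append(f"link text {shown.group(1)!r} points to {actual!r}")


def defang(message_html):
    """Return (sanitised HTML, findings) for one HTML mail body."""
    parser = Defanger()
    parser.feed(message_html)
    parser.close()
    return "".join(parser.out), parser.findings


# Constructed phishing-style message for the demo; hosts are placeholders.
SAMPLE = (
    '<html><body><p>Dear customer, please visit '
    '<a href="http://login.attacker.example/x" onclick="track()">'
    'https://www.bank.example/secure</a> to confirm.</p>'
    '<script>document.cookie</script>'
    '<object classid="clsid:0000">activex</object>'
    '<a href="javascript:alert(1)">Help</a>'
    '<a href="https://www.bank.example/help">www.bank.example</a>'
    '<img src="http://tracker.example/p.gif" onload="x()">'
    '</body></html>'
)

if __name__ == "__main__":
    cleaned, notes = defang(SAMPLE)
    print(cleaned)
    for note in notes:
        print("-", note)
```

Run on the constructed message, the filter removes the script and object elements, drops the onclick and onload handlers and the javascript: link, and reports that the link shown as bank.example actually points at login.attacker.example, while the genuine bank.example link passes untouched. A real deployment would sit in the mail gateway and either rewrite the message or quarantine it when findings are non-empty.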
And how long have we been telling you this?
4 comments
February 7th, 2006 at 4:36 am
Tony Swash
It may be worth pointing out that as a Macintosh user none of the dangers so vividly described in your article apply. I have used many different Macs on the net without any virus protection installed for 15 years and my last virus infection was under the old Mac OS 9 around 1995. What you describe is a Windows problem and could be solved by simply switching to a Mac.
February 7th, 2006 at 10:07 am
KB
blah blah… Macs are invincible.. yeah.
February 7th, 2006 at 1:34 pm
Joshua Paine
Macs aren’t immune, but they really aren’t targeted, which is a heck of a lot better than nothing. Then again, I’ve been using Windows XP for some time without anti-virus or anti-spyware and with nothing better than the built-in personal firewall (currently disabled because I was running an FTP server for my own use and it was too much bother) and I have not had a virus or spyware problem in almost 10 years. (I know XP came out in 2001–I used Windows 2000, 98, and 95 much the same way before that.)
It helps that I’m suspicious of flashy free downloads, use(d) Netscape then Mozilla then Firefox/Thunderbird for my ‘Net activities, and don’t try to “borrow” copyrighted works from strangers over P2P.
February 16th, 2006 at 12:24 pm
mick4394
In the coming months and years Mac users may be eating their words. The use of Intel architecture will make a lot of things a lot easier than they were before, like cross-platform hacking/viruses.
I relish the thought that someday smarmy Mac users will have to crawl off their tiny clouds.