Re: GCI filtering port 139?

From: Beau V.C. Bellamy <beau@borealisbroadband.net>
Date: Wed Dec 29 2004 - 17:35:00 AKST

On Wednesday 29 December 2004 07:57, Christopher Erickson wrote:
> It should NOT be assumed to be fine.
>
> An excellent book that every potential security expert should
> read is called "The Codebreakers". It is out of print now but
> can be found on eBay and periodically on Amazon used books.

Hmm, can't say I've read that one. Is it any good? Though, while not as
potentially thrilling and exciting as "The Codebreakers", I suggest "Maximum
Security" (Full Text: http://docs.rinet.ru/LomamVse ) and "Security Alert"
by Becky Worley as primers in computer security. I hear "Tao of Network
Security Monitoring" by Richard Bejtlich is pretty good and I've been meaning to
pick up a copy myself. All in all, books are good, but reading one doesn't
necessarily make you an expert.

> Some exploits exist that can compromise a system vulnerability
> even before the source IP is extracted and the IP packet
> evaluated and potentially approved for forwarding. I am not
> sure about Linux but there are certainly ones that exist in XP.
> And if they are confirmed to exist in XP then at least the
> potential exists in Linux.

> If a worm writer were to discover such a vulnerability in Linux
> and were to naturally incorporate a pseudo-random destination IP
> probe then the machine in question would be completely vulnerable
> without the worm author ever having any specific knowledge about
> that machine.

Whoa. Whoa. Any decent firewall/IP filter will apply filtering before the
packet hits the core of the TCP/IP stack when the firewall is on the very same
machine as the service you are trying to provide. (Cue Zone Alarm and
netfilter.) If you are too worried about this, an external solution should
more than calm your fears.

Furthermore, this is an issue that has far more implications than just
exploiting a simple IP filter for port 139. If you are not using any sort of
filtering/firewall at all, you should have no external access to that machine
whatsoever. No single port filter is ever gonna solve the problem with
exploitable holes in your OS's TCP/IP stack.

> And lastly, the COM21 cable modem network is a layer-2 network.
Ick! I suspected that, but wasn't 100% sure. That sucks. Not being able
to trust the security of the local loop to your ISP is a big factor and
changes things a bit. Nothing but a little bit of skill and knowledge is
stopping someone from compromising the filters at the demarcation point and
snooping everyone's traffic on that segment. That's really scary. Especially
since a lot of important traffic on the internet is not encrypted by design.
This includes your email and passwords (via SMTP) BTW.

> That means network-wide broadcast traffic and quite likely the
> box in question is advertising its shares for the rest of the
> unfiltered modems to see.
An egression filter fixes this. Easy.

> And since it is a layer-2 network,
> bidirectional IP spoofing works just fine. Also note that all
> Windows networking traffic is completely unencrypted.
>
> Hopefully 'nuff said.
Not even close. :P

- Beau
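A check in the spirit of the point above that a single port-139 filter is not enough: the following is an added example, not code from this thread, that audits an iptables-save dump for Windows networking ports in both directions (inbound exposure and the outbound "egression" direction). The dump is a constructed sample; the SMB port 445 and the first-match-wins evaluation are my additions, not something the thread discusses.

```python
import re
# Windows networking: NetBIOS name/datagram (udp 137/138), session (tcp 139), SMB (tcp 445).
NETBIOS_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}
# Constructed sample dump (assumption, not a real host): inbound 139 and outbound
# name/datagram broadcasts are dropped, everything else falls through to the ACCEPT policy.
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 139 -j DROP
-A OUTPUT -p udp -m multiport --dports 137,138 -j DROP
COMMIT
"""

def _ports(rule):
    """Expand --dport N, --dport A:B and --dports a,b,c into a set of ints."""
    out = set()
    for m in re.finditer(r"--dports?\s+(\S+)", rule):
        for part in m.group(1).split(","):
            lo, _, hi = part.partition(":")
            out.update(range(int(lo), int(hi or lo) + 1))
    return out

def _matches(rule, proto, port):
    """Would this rule decide the fate of a NEW packet of proto/port? (first match wins)"""
    target = re.search(r"-j\s+(\w+)", rule)
    if not target or target.group(1) == "LOG":      # counter-only and LOG rules do not decide
        return False
    state = re.search(r"--(?:ct)?state\s+(\S+)", rule)
    if state and "NEW" not in state.group(1):       # ESTABLISHED,RELATED: not a new flow
        return False
    p = re.search(r"-p\s+(\w+)", rule)
    ports = _ports(rule)
    return (p is None or p.group(1) == proto) and (not ports or port in ports)

def verdicts(dump):
    """Map (chain, proto, port) -> ACCEPT/DROP/REJECT for every NetBIOS port.
    Interface and address matches are ignored; only INPUT and OUTPUT are inspected."""
    policy, rules = {"INPUT": "ACCEPT", "OUTPUT": "ACCEPT"}, {"INPUT": [], "OUTPUT": []}
    for line in dump.splitlines():
        words = line.split()
        if line.startswith(":") and words[0][1:] in policy:   # ":INPUT DROP [0:0]" = chain policy
            policy[words[0][1:]] = words[1]
        elif line.startswith("-A ") and words[1] in rules:
            rules[words[1]].append(line)
    result = {}
    for chain, chain_rules in rules.items():
        for proto, port in NETBIOS_PORTS:
            hit = next((r for r in chain_rules if _matches(r, proto, port)), None)
            result[(chain, proto, port)] = re.search(r"-j\s+(\w+)", hit).group(1) if hit else policy[chain]
    return result

def exposed(dump):
    """NetBIOS (chain, proto, port) triples that still reach or leave the stack."""
    return sorted(k for k, v in verdicts(dump).items() if v == "ACCEPT")
```

Running `exposed(SAMPLE_DUMP)` shows that dropping inbound 139 alone still leaves the name/datagram and SMB ports open inbound and session/SMB open outbound; a default-deny INPUT policy plus an outbound tcp 139/445 drop empties the list.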
Received on Thu Dec 30 02:38:22 2004
