Wednesday, November 14, 2007

gov't snakeoil/fud... sigh...

ok, so unfortunately this article was dugg up...

it says:

two members of the U.K. government intelligence group Serious Organized Crime Agency connected a machine running Windows XP with Service Pack 1 to an unsecured wireless network. The machine was running no antivirus, firewall, or anti-spyware software

ok, what a great start... now, this demo these brit feds did was for small business owners, who in my experience seem to have the infosec bar set pretty low... but, using an os release which was, what, 3 years ago??? (xp sp1 dates from 2002, and sp2, the release that turned the windows firewall on by default, superseded it in august 2004) and, should i assume that this means that no security patches released after 2004 were applied to this target machine?

and for my next trick, i shall pwn a fbsd 4 server running ssh, sendmail, and an ssl webserver! phear my fed leeetness... sigh...

Mick used a common, open-source exploit-finding tool he had downloaded from the Internet. SOCA asked ZDNet UK not to divulge the name of the tool.

erm, metasploit?

Mick found the IP address of his own computer by using the XP Wireless Network Connection Status dialog box

...

Using a different attack tool, he produced a security report detailing the vulnerabilities found on the system

nessus? back to metasploit for this next one:

Using the attack tool, Mick built a piece of malware in MS-DOS, giving it a payload that would exploit the flaw within a couple of minutes

do you mean a cmd window? cause i kinda doubt even a 1337 govt h4x0r still boots into straight DOS...

well turns out the feds are trying to make a point...

purely to point out that, if a system hasn't had patches, it's a relatively simple matter to hack into it

ahh, brit tax dollars at work... soooo, using this information as a stepping stone, is it fair for me to deduce that said system probably won't boot up without the power cable plugged into an active electrical outlet?...

seriously though, is this the level that we believe infosec has w/ the populace? do we think that we haven't given most people the message that there are real threats out there, many of which are generally solved via windows update? or should i believe that since XP SP2 includes a "firewall" (a burning wall of bricks... quite impressive really... the burning security in the blinky thing scares off most of the germs in the tubes) it is difficult to integrate it into the business environment?
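since the whole demo boils down to "is this box patched and does it have a firewall", here is the check i would actually hand a small business owner. this is an added example, not anything from the ZDNet article or the SOCA demo: it parses the text that `systeminfo` prints on XP / Server 2003 and flags a host that is below SP2 or has no hotfixes applied. the two captures in it are constructed for illustration, and the KB numbers are placeholders rather than real update identifiers.

```python
# Added example (not from the post or the article): a quick "is this the box
# from the demo?" audit over `systeminfo` output from Windows XP / Server 2003.
# Usage on a real machine:
#   systeminfo > sysinfo.txt        (on the XP box)
#   python audit.py sysinfo.txt
# The two samples below are constructed; the KB numbers are placeholders.
import re
import sys

# SP2 is the release that shipped the windows firewall enabled by default.
MIN_SERVICE_PACK = 2

SAMPLE_UNPATCHED = """\
Host Name:                 SHOPFLOOR-PC
OS Name:                   Microsoft Windows XP Professional
OS Version:                5.1.2600 Service Pack 1 Build 2600
System Manufacturer:       (constructed sample)
Hotfix(s):                 N/A
"""

SAMPLE_PATCHED = """\
Host Name:                 BACKOFFICE-PC
OS Name:                   Microsoft Windows XP Professional
OS Version:                5.1.2600 Service Pack 2 Build 2600
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB100001
                           [02]: KB100002
                           [03]: KB100003
"""

# "OS Version:   5.1.2600 Service Pack 2 Build 2600"; the SP part is optional
# because a gold (SP0) install prints no "Service Pack n" at all.
OS_VERSION_RE = re.compile(
    r"^OS Version:\s+(?P<build>\d+\.\d+\.\d+)(?:\s+Service Pack (?P<sp>\d+))?",
    re.M)
# Hotfix entries are indented "[nn]: KB123456" (older ones use a Q prefix).
HOTFIX_RE = re.compile(r"^\s+\[\d+\]:\s*(?P<id>(?:KB|Q)\d+)", re.M)


def parse_systeminfo(text):
    """Pull the OS build, service pack level and hotfix list out of
    `systeminfo` output. service_pack is None when the OS Version line is
    missing, so callers can tell 'SP0' apart from 'could not parse'."""
    info = {"version": None, "service_pack": None, "hotfixes": []}
    m = OS_VERSION_RE.search(text)
    if m:
        info["version"] = m.group("build")
        info["service_pack"] = int(m.group("sp")) if m.group("sp") else 0
    info["hotfixes"] = HOTFIX_RE.findall(text)
    return info


def audit(text, min_sp=MIN_SERVICE_PACK):
    """Return a list of findings; an empty list means the host passes."""
    info = parse_systeminfo(text)
    findings = []
    if info["service_pack"] is None:
        findings.append("could not find an 'OS Version:' line; "
                        "is this really systeminfo output?")
    elif info["service_pack"] < min_sp:
        findings.append(
            f"service pack {info['service_pack']} is below SP{min_sp}: "
            "no built-in firewall and years of missing security fixes")
    if not info["hotfixes"]:
        findings.append("no hotfixes installed: windows update has never run here")
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_UNPATCHED
    problems = audit(text)
    for p in problems:
        print("FAIL:", p)
    if not problems:
        print("ok: on a supported service pack with hotfixes applied")
    sys.exit(1 if problems else 0)
```

the point of returning findings instead of just printing is that the same function can be dropped into whatever inventory script the shop already runs; a non-empty list is the host the feds would have pwned.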

well, it does get worse...

Nick McGrath, head of platform strategy for Microsoft U.K., was surprised by the incident.

"In the demonstration we saw, it was both enlightening and frightening to witness the seeming ease of the attack on the (Windows) computer," said McGrath. "But the computer was new, not updated, and not patched."

ok, well the ms exec knows enough to know that an unpatched windows machine is vulnerable... i guess i can count this as a positive and raise the bar a tad off of the ground... but seriously, if there is _any_ ms exec who doesn't understand that unpatched security vulns can be exploited quickly and easily, then i'll go on the record as saying that whoever is responsible for internal evangelism at MS is utterly failing...

here's a genius idea... do a 10 min web-quiz for the people who run the #(@%&*@% company that makes the OS which runs most desktops on this planet...

oh, and i'd be remiss not to mention cnet and the author of this stellar article (which, btw, is what the nameless masses [who don't yet understand that patching is important] will read to find stuff out about infosec)... i can't believe that the technical prowess demonstrated in the article is what ZD considers appropriate for their infosec presence on the web... this "expert" writes pointless articles about unrealistic security ideas... they should just pick a schneier crypto-gram blurb to publish once a month... cheaper and more effective...

i am now officially in a foul mood... sigh...

3 comments:

Jens "jdm" Meyer said...

I liked this post, but you didn't really take the flip side into account -- the dramatization of new threats by the security community. I'm not saying this is necessarily a bad thing (you gotta get the word out somehow), but how about all the FUD w/ the Mac-targeted Trojan? It's not a threat, but for the first couple days the sky was falling.

I do have a little bit of beef with things like this getting published (as do you). Sometimes it's good to rehash the same point. But sometimes it's not, especially for the sake of publishing. This expert is the whitehat equivalent of a defacer. l4m3r.

Jens "jdm" Meyer said...

** I should say, the Mac trojan isn't *really* a serious threat, not a non-threat.

rwnin said...

yea man, i completely feel you on sky is falling stuff. i think my next post might be kinda along those lines unfortunately tho... :-\

read up and tell me what you think... i mean, there is snakeoil and fud (like the article i ref'd here and the mac trojan fear mongering), but then there are also issues that aren't being legitimately addressed today...

i personally believe (and could very well be wrong) that a lot of layer 7 attacks don't have reasonable defenses today... if i point out that a large number of users are potentially at risk just by surfing the net like they do every day, am i fear mongering? am i a digital pearl harbor guy, or am i making a legit point that defense sec isn't keeping up w/ offense???