defeating firewalls made easy

the criminals once again demonstrate the historic illusion of computer security . . .

Reply to
itoii 3uvu

good points . . . but i doubt that all these different corporations arranged for physical (versus remote) delivery of the firewall piercing software . . .

more facts will undoubtedly emerge, but the article appears to imply trespass via remote access of the target computers, and notwithstanding firewall protection enjoyed by the targets.

Reply to
itoii 3uvu

all good points . .but the big question this article raises:

can a criminal trespass electronically onto or in a remote computer protected by a firewall; and without any assistance from a direct or indirect physical trespass of the target computer? this article seems to imply an affirmative answer to that question.

Reply to
itoii 3uvu

thanks for the informative comments.

dishonest employees however, don't threaten the viability of the internet as a whole. criminal employees only threaten their employer's single business.

however, the apparent and inherent inability of firewalls to protect a target computer against purely remote and electronic trespass, does call into question the viability of the internet as a whole.

For example, if the extraordinary cost of securing a computer from electronic trespassers, (that is otherwise intended to be accessed by customers or the public), exceeds or approaches the value of the income produced by that computer, then the internet as an instrument of commerce becomes questionable. But it sounds like from your comments that even extraordinary measures taken to secure a public computer (aka a computer available to customers) does not ensure invulnerability to remote and electronic trespass.

But you are quite correct . . the proof is in the puddin . . . .if the insurance industry either stops insuring or raises liability and loss insurance premiums to a prohibitive level for business internet risks, then the internet as a means of commerce will go bye bye.

Reply to
itoii 3uvu

In article , itoii 3uvu wrote: :

;the criminals once again demonstrate the historic illusion of computer
;security . . .

Not quite. The article deals with some security breaches made possible by use of PROMIS software. But,

"The one essential weakness of Promis is that it must be physically installed on a targeted computer for it to be effective."

PROMIS is pretty powerful software, but before we could make any conclusions about "illusion" of computer security, we would have to know more about matters such as whether it can disable firewalls or firewall logging, or whether it communicates via other mechanisms such as would be used by "bugging".

Everyone who does non-trivial computer security work knows that computer security is not an absolute but rather a matter of how determined (and well-funded) your adversary is.

For example, how do you -know- that your reputable premises security company doesn't have a mole who plants silent override mechanisms to allow your physical security to be breached? How do you -know- that the company wasn't shown the outside of a sealed classified court order that required them to give an intelligence agent unfettered access and threatened with trumped-up theft/ fraud/ pedophilia / terrorism charges if they dared even hint of the visit to anyone?

Reply to
Walter Roberson

"itoii 3uvu" wrote in news:lhkme.2756$rb6.757@lakeread07:

There are many ways to get corporate data. The number one way is still through dishonest employees, and I don't think that this will ever lose its Number 1 position. A DVD or CD filled with data fits nicely in a coat pocket or purse.

The number 2 way seems to be cracking the system. Corporate security looks important at board meetings and analysts conferences, but most firms (and governments) spend too little money and time protecting their systems from intrusion. This is evidenced by the large number of "surprising breakins" which happen daily. These aren't firewall problems. They are problems with bad code, such as most of the PHP web site code running around.

Lower down on the list is purchased software with "back doors". Look at what your company bought recently. A big portion of the software sold today has "service ports" which the vendor uses for contract maintenance and emergency repair. Do you know exactly how those ports are used when vendor assistance is required? Do you know for sure that one of the vendor's programmers didn't stick a trojan in the software? Even worse, is the $25 per hour technician fixing the problem helping him/herself to some data as well? If no one expects vendor related data theft, no one looks very hard for it.

I'm sure that other people can cite instances where back doors were installed in corporate servers by contractors/vendors. I can only recall one case with an accounting program "addon", and it was only caught because the admin decided to run a network analyzer on systems housing accounting, development and payroll data. She found where the purloined data was going. The would-be thief got a whole three years probation and was admonished to "stay away from computers" during the period.

Reply to
Juan Valdez
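The post above describes an admin who ran a network analyzer on the systems holding accounting, development and payroll data and found where the data was going. The following is an added example, not part of the original post, of that kind of check run over flow records: it totals outbound bytes from sensitive hosts to destinations outside an allowlist. The subnets, the vendor address, the byte threshold and the flow record layout are all assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not from the thread):
# source IP, destination IP, destination port, bytes sent by source
FLOWS = """\
10.0.5.10 10.0.1.20 445 120000
10.0.5.10 10.0.1.53 53 900
10.0.5.10 203.0.113.77 8443 48000000
10.0.5.10 203.0.113.77 8443 51000000
10.0.5.11 10.0.1.20 445 300000
10.0.5.11 198.51.100.9 443 4200
10.0.9.40 203.0.113.77 8443 70000000
"""

# Assumption: hosts holding accounting/payroll data live in this subnet.
SENSITIVE = ipaddress.ip_network("10.0.5.0/24")
# Assumption: the only places those hosts are expected to send data.
ALLOWED = [
    ipaddress.ip_network("10.0.0.0/16"),      # internal network
    ipaddress.ip_network("198.51.100.9/32"),  # hypothetical vendor update host
]

def parse_flows(text):
    """Yield (src, dst, port, bytes) tuples; reject malformed records."""
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}")
        src, dst, port, nbytes = parts
        yield (ipaddress.ip_address(src), ipaddress.ip_address(dst),
               int(port), int(nbytes))

def unexpected_egress(text, min_bytes=1_000_000):
    """Total bytes per (src, dst, port) leaving sensitive hosts for
    destinations that are not on the allowlist, largest first."""
    totals = defaultdict(int)
    for src, dst, port, nbytes in parse_flows(text):
        if src not in SENSITIVE:
            continue  # only the data-bearing hosts are in scope
        if any(dst in net for net in ALLOWED):
            continue  # expected destination
        totals[(str(src), str(dst), port)] += nbytes
    hits = [(key, total) for key, total in totals.items() if total >= min_bytes]
    return sorted(hits, key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    for (src, dst, port), total in unexpected_egress(FLOWS):
        print(f"{src} -> {dst}:{port} sent {total} bytes to a non-allowlisted host")
```

Summing per destination matters because a slow transfer split over many small flows stays under any per-flow threshold.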

update:

it appears mhicaoidh correctly assessed the situation.

apparently a "computer user" defect rather than a "firewall" defect accounted for the problem

the moral of the story:

a. never install or run on one's computer solicitations arriving by cd-rom; and

b. never open e-mail from unknown sender.

mhicaoidh . . goes to the head of the class . .gold star . . :)

Reply to
itoii 3uvu

"itoii 3uvu" wrote in news:6lnme.2763$rb6.470@lakeread07:

Actually, that always has been true. A really good firewall blocks access to prohibited internal ports, a wide range of protocol attacks and some unsolicited outbound packets. The stuff no one should access from the outside anyway.

But a firewall doesn't protect against badly written php code (phpnuke, phpbb, etc) for which constant exploits are being discovered. It doesn't protect against simple, easily cracked ssh passwords or failure to update dns or ftp server software allowing unauthorized access. The only time it can offer complete protection is if the system is running no services at all. And it sure doesn't protect against dishonest employees.

The insurance guys offer us a clue as to which is the most costly problem. Liability - yeah, it isn't cheap but it's worth a bunch of your net income. But when we tried to tack on some "inexpensive" employee theft insurance we discovered that it would increase our bill by 30%. The insurers aren't easily convinced that your employees are as honest as you think they are. This makes sense when you realize that Bank of America employees recently made off with several hundred thousand records containing juicy, exploitable private information. And since the insurers base their rates on actual experience......

Reply to
Mungo

apparently not . . . lol

sounds like all employers need to adopt some sort of "zero tolerance" policy.

just as transportation companies have "zero tolerance" policies with respect to intoxicated employee drivers or vehicle operators,

so perhaps all employers may need to adopt a "zero tolerance" policy with respect to employees opening e-mail from unknown senders or inserting any kind of cd-rom into an office computer that has arrived from outside the office.

John :)

Reply to
itoii 3uvu

well, business as usual may continue for a while, notwithstanding this latest episode, . .

but at some point, business is gonna go outta b'dness . . either from a lack of customers or a lack of insurance . . .

maybe it's time to invest in companies manufacturing pencils and paper . . . lol

John :)

Reply to
itoii 3uvu

Taking a moment's reflection, itoii 3uvu mused:
|
| all good points . .but the big question this article raises:
|
| can a criminal trespass electronically onto or in a remote computer
| protected by a firewall; and without any assistance from a direct or
| indirect physical trespass of the target computer? this article seems
| to imply an affirmative answer to that question.

Not really. There is no indication in the article that access to the networks in question was gained via direct exploitation of said firewalls. As the article states, the data was obtained by "illegally planting spy software in the targeted computers and downloading their classified data." It refers to the software as "the illegal raider software called Trojan Horse."

This would seem to negate your assertion of it being without "any assistance from a direct or indirect physical trespass." This suggests a breakdown in security procedures and mandates ... not a breakdown in firewall security. The spyware was probably delivered via email, or physical trespass. Due to the gag order, however, specifics probably won't be known for some time.

Reply to
mhicaoidh

Reply to
Duane ;-)

It's been preached 2.5 million times. Do you think anyone is listening?

Duane :)

Reply to
Duane ;-)

"itoii 3uvu" wrote in news:U0tme.2779$rb6.776@lakeread07:

If they don't have a computer, it will become a "zero tolerance" policy.

In the meantime, it's business as usual. :)

Duane :)

Reply to
Duane Arnold

"itoii 3uvu" wrote in news:Qlume.2809$rb6.2740@lakeread07:

As long as there is a fallible/dubious Human Being in the equation, there is no *Hope* as the world turns and things go on using a computer or paper and pencils. ;-)

Later!

Duane :)

Reply to
Duane Arnold

"itoii 3uvu" wrote in news:U0tme.2779$rb6.776@lakeread07:

There is no danger from opening email from unknown senders unless you are using Outhouse Express... which I notice everybody posting in this thread is. So much for this forum being a home for security savvy people.

Reply to
elaich

Taking a moment's reflection, Duane ;-) mused:
|
| It's been preached 2.5 million times. Do you think anyone is
| listening?

Obviously not as it's still a popular, if not the most popular, means of circumventing security ... as long as it's got cute bunnies on it ... someone will click it. ;-)

Reply to
mhicaoidh

Taking a moment's reflection, Duane Arnold mused:
|
| As long as there is a fallible/dubious Human Being in the equation,
| there is no *Hope* as the world turns and things go on using a
| computer or paper and pencils. ;-)

Yeah, because (like everything else) there's still room to say "well, that only happens to other people ... not me." Ugh! If I have a quid for every time ...

Reply to
mhicaoidh

Taking a moment's reflection, elaich mused:
|
| There is no danger from opening email from unknown senders unless you
| are using Outhouse Express... which I notice everybody posting in
| this thread is. So much for this forum being a home for security
| savvy people.

HAHAHA Only use it for newsgroups, and set for plain text. So, I am not real worried about it. Thunderbird gets the nod for email ...

Reply to
mhicaoidh

elaich wrote in news: snipped-for-privacy@individual.net:

Well, you're wrong about that as I use Xnews and OE at times. You can go change your security Pamper. ;-)

Duane :)

Reply to
Duane Arnold
