On Fri, Jul 06, 2001 at 04:35:05PM -0400, Rich C wrote:
> Yes, but that is not practical in a trojan setup, since modifying windows
> system files can be undone with the system file checker, version conflict
> manager or other such verification tool.
...assuming you're aware of such tools AND care to dedicate the time
to installing them. The vast majority of Home users are neither.
Your checker might foil the script kiddies, but they'll still succeed
more often than they won't.
> Also, changing files like this usually requires a reboot before
> anything else happens, since the DLLs can get out of sync and can
> cause a system crash.
Which is par for the course on a windows machine. And many, if not
most home users boot their machine each time they want to use it. In
all likelihood, your script kiddie will need to wait at most a day
before they reap the fruits of someone else's labor... All in all,
this really isn't a big problem for your attacker. Maybe YOU have a
machine well enough protected to foil their automated attacks, but for
every one of you there are a hundred home users that don't.
Moral? Be the one, not the hundred. Remember, most of the exploits
that are in use today work against vulnerabilities that have been
reported quite some time ago -- often two years ago or more! The
reason they're successful is not because there is no cure for them,
but because people don't make use of said cure...
>> Actually with all of the Windows trojans floating around I'm
>> surprised that someone hasn't written a kit that alters the system
>> to allow spoofing, since it is so advantageous in ddos attacks...
>
> And I am also surprised that the Linux "root kits" that are around don't
> also include tools to spoof source IPs. Or maybe they do and the kiddies
> don't know how to use them? Otherwise, how would the ISPs find the offending
> machines and shut them off? (I must be missing something here.)
IP spoofing is HARD. At least, it is if you want to get something
BACK. It works great for DoS attacks, because usually the source
machine doesn't care about return traffic (or more accurately,
specifically doesn't want it). It's not quite so easy to pull off a
spoofing attack from multiple hops away if you need the return
traffic... it simply won't get to you. It used to be a lot easier
before people started configuring routers and firewalls to drop source
routed packets, and it's still not impossible, but it's pretty tough.
Probably requires subversion of (at least) one upstream router, to
help control where the packets go or to do NAT (or maybe both). And
you have to worry about asymmetric routing... But in any case, it's a
much more complicated hack.
One of the more interesting questions, I think, is this: What happens
when the hundred catch on to what the one is doing, and all start
following suit? Or, said another way, what happens if the average home
user starts practicing the same methodologies for protecting systems that
the security-conscious users practice?
If that ever happens, then suddenly all the machines on the 'net
require the same investment in knowledge and time to break into
(barring a further increase in diligence on the part of the
previously security conscious user -- there's only so much time in a
day, and no one wants to spend the whole of it watching system
security). Let's assume that the old network security tenet is true:
No system is unbreakable. It's only a question of time and skill
required to break a given system.
So, if all the systems are equally hard, but hard nonetheless, to
break into, will the attacks stop at that point? History suggests
that they won't. More likely, the attackers will raise the level of
their attacks, to account for the security measures that are in common
use. Now, suddenly, you've got to be even MORE diligent to keep your
system from being broken into. The attackers work in concert, in a
way, and they're persistent, so ultimately they WILL win... They'll
find a way to get into a bunch of systems.
In reality though, I think the security conscious user is safe, because
the average user probably will never take the time to worry about the
threats that they face in connecting to the Internet. It just isn't
meaningful to most people... And maybe, if my conclusions above are
correct, maybe that's best for those of us who really do want to
protect our data.
--
---------------------------------------------------
Derek Martin | Unix/Linux geek
[EMAIL PROTECTED] | GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu