{"id":1223,"date":"1999-08-16T00:00:00","date_gmt":"1999-08-16T00:00:00","guid":{"rendered":"https:\/\/seegras.discordia.ch\/Blog\/?p=1223"},"modified":"2019-01-17T23:50:56","modified_gmt":"2019-01-17T22:50:56","slug":"network-security-by-half-wittedness","status":"publish","type":"post","link":"https:\/\/seegras.discordia.ch\/Blog\/network-security-by-half-wittedness\/","title":{"rendered":"Network Security by Half-Wittedness"},"content":{"rendered":"<div id=\"fortune\"><i><br \/>\nHow to base your network security on misinformation, overreaction, nervousness and lawyers<\/i><\/div>\n<div id=\"container\">\n<p>Security cautiousness is a good thing, in the vast and wild cyberspace. A lot of networks don&#8217;t even have somebody who cares. But there are some sites which are security cautious, and there are different kinds of these: Those who care, and those who fear.<\/p>\n<h3>Fear and Loathing in Cyberspace<\/h3>\n<p>There are a lot of companies out there who fear they could be attacked by some misfit and in turn create policies, buy firewalls and try to detect any behaviour which could be interpreted as an attack. Particularly<br \/>\na lot of those companies are in the consulting or even network security<br \/>\nbusiness. And some of them are quite internationally renowned. As soon as some<br \/>\npossible sign of an attack is detected, hell breaks loose: sysadmins of<br \/>\nthe originating site of the possible attack are emailed, upstream<br \/>\nproviders informed, the CERT gets an email, even the police might be<br \/>\ncalled or a lawyer to write threatening letters. In the end it probably<br \/>\nturns out to be some user who tried to test its newest movie-streaming<br \/>\nsoftware. Or the sysadmin of the ISP did a portscan &#8220;to see what that<br \/>\nmachine does&#8221;. Maybe it was even intended maliciously, but it came<br \/>\nfrom somewhere in China. 
What had happened was in any case something<br \/>\nwith no importance and no actual impact which is now turned into a<br \/>\ngreat spectacle.<\/p>\n<p>A very nice case is the one of the Israeli &#8220;security&#8221;<br \/>\ncompany <a href=\"https:\/\/web.archive.org\/web\/20041212104312\/http:\/\/www.leb.net:80\/hzo\/ioscount\/minor_problem.html\">COMSEC<br \/>\nversus IOS++<\/a>, the Internet Operating Systems Counter. With great<br \/>\nincompetence COMSEC interpreted some weird packets which reached their<br \/>\nwebservers as an attack, didn&#8217;t even bother to contact IOS++ but informed<br \/>\nthe press instead, which promptly took up a story about widespread attacks<br \/>\nagainst the Israeli part of the internet.<\/p>\n<p>Another typical case is people who want their DNS zone transfers<br \/>\nblocked. Why would one want that when you can just do a zone transfer<br \/>\nof in-addr.arpa and get the whole thing anyway? This is typical of<br \/>\nmisunderstood network security. It&#8217;s called security by obscurity:<br \/>\none tries to hide something, and it never works. There are certainly<br \/>\nthings outsiders ought not know, but certainly not which hosts you&#8217;ve<br \/>\ngot on your external network. If you&#8217;ve got no internal (private) and<br \/>\nexternal (for the public) network, you&#8217;ll probably be in trouble<br \/>\nanyway&#8230;<\/p>\n<p>Of course, this is not the only case; I had at least three cases of<br \/>\noverreaction last year (one involving a user trying to stream some<br \/>\nmovies and two portscans), and one demand to restrict<br \/>\nzone transfers from a big international consulting company which<br \/>\nreally should know better.<\/p>\n<p>What we have here is security cautiousness backed by a half-witted<br \/>\nknowledge about network security. 
People who know nothing about<br \/>\nnetwork security don&#8217;t fear a security breach, neither do people<br \/>\nwho really know what network security is all about. It&#8217;s those who<br \/>\nknow a bit, but not enough, who fear and cry.<\/p>\n<p>Why should a sysadmin start crying about some possible attack which<br \/>\nfailed anyway, because the sysadmin keeps his systems updated and<br \/>\nknows that some 13-year-old script-kiddie will fail against his<br \/>\nwalls anyway?<\/p>\n<h3>How-NotTo<\/h3>\n<p>Essentially, there are two forms of misbehavior when it comes to<br \/>\nsecurity (not counting the case of being NOT security cautious):<\/p>\n<ul>\n<li>Security By Obscurity<\/li>\n<li>Overreaction<\/li>\n<\/ul>\n<p>In the first case, we&#8217;ve got the idea of being secure just because<br \/>\nthe enemy does not know you are not. Or where you are located. The<br \/>\neffect is badly designed programs which appear secure just because<br \/>\nnobody should be able to prove they&#8217;re not; IP addresses which do<br \/>\nnot resolve but which can be found by broadband-scanning anyway;<br \/>\ncrypto-software which can be cracked in seconds, and so on. A strong<br \/>\nlock is one where you can see how it works but are still unable to break<br \/>\nit. The international crypto-community has condemned obscurity long<br \/>\nago; see the <a href=\"http:\/\/www.interhack.net\/people\/cmcurtin\/snake-oil-faq.html\"><br \/>\nSnake Oil FAQ<\/a> for details.<\/p>\n<p>The second case is a bit more difficult to grasp. Is a portscan, or some weird<br \/>\npackets, an attack or not? You can simply ignore it if you&#8217;re confident<br \/>\nenough of your security, or you can investigate, meaning taking a look<br \/>\nat the originating host, portscanning it yourself, querying whois databases and<br \/>\nfinally sending the sysadmin of the originating host a note. There are<br \/>\na lot of sysadmins out there who portscan without any intention of<br \/>\nattacking you. 
And the sysadmin of a system which has been broken into<br \/>\nwill be very glad if you tell him some portscan originated at his site.<br \/>\nThe wrong answer is of course to panic and make a big fuss about it. If<br \/>\nyou detect a portscan, chances are low the portscanning person will ever<br \/>\nbreak in, because you already updated your system &#8212; otherwise you&#8217;d be<br \/>\na complete moron. On the other hand, if you&#8217;ve already been broken into,<br \/>\nyou can investigate and collect evidence that there actually was a break-in<br \/>\n&#8212; then it&#8217;s time to make a fuss. So it either means nothing, or<br \/>\nit&#8217;s a failed attempt, in which case you&#8217;d better update your system, or<br \/>\nthe break-in already occurred.<\/p>\n<p>There are also several projects like the<br \/>\n<a href=\"https:\/\/web.archive.org\/web\/20010401065659\/https:\/\/www.securityfocus.com\/templates\/forum_message.html?forum=2&amp;head=32&amp;id=32\"><br \/>\nInternet Security Auditing Project<\/a>, or the above mentioned<br \/>\n<a href=\"https:\/\/web.archive.org\/web\/20041212104312\/https:\/\/leb.net\/hzo\/ioscount\/minor_problem.html\">IOS++<\/a>, which<br \/>\nmight appear as &#8220;attackers&#8221;, but surely don&#8217;t have the intention to<br \/>\nbreak into your systems. So you&#8217;d better get informed before you<br \/>\nstart crying out loud.<\/p>\n<p>So if you detect something which could be a failed attack, what you<br \/>\nshould do is to simply inform the sysadmin of the originating host<br \/>\n(the sysadmin of the provider, if it originated from a dialup machine,<br \/>\nor the sysadmin of the company. You should be smart enough to know<br \/>\nwho you should contact, otherwise you&#8217;d better stay away from network<br \/>\nsecurity altogether). In the case of an actual break-in, the most<br \/>\nstupid thing you can do is, again, to panic. 
If you don&#8217;t feel experienced<br \/>\nenough to handle the incident, you can probably get help at your internet<br \/>\nprovider or from a specialized company. Otherwise, you&#8217;ll have<br \/>\nto investigate what the attacker did, and most importantly, where it<br \/>\ncame from. Then you mail the sysadmins of the originating hosts &#8212;<br \/>\nchances are it was a dialup machine (so mail or call up the ISP) or<br \/>\nanother compromised system, so be polite and don&#8217;t threaten them with<br \/>\nlegal action or somesuch. Normally they&#8217;ll be very glad to hear one<br \/>\nof their machines was compromised (actually they&#8217;re not glad to hear<br \/>\nthat, but glad that you tell them ;))<\/p>\n<h3>Prevention<\/h3>\n<p>So what do security cautious people do who actually know what<br \/>\nthey&#8217;re doing? Simple. Updating. First, all security-relevant<br \/>\nmailing lists need to be read, and as soon as some vulnerability<br \/>\nis found, the systems need to be fixed. Either there is already<br \/>\na fix, in which case it needs to be applied, or the services need to<br \/>\nbe replaced or turned off until a fix comes. Sometimes even the<br \/>\nwhole system needs to be either shut down or replaced, unless you want<br \/>\nto risk it; this is particularly the case with Windows NT, since Microsoft<br \/>\nnormally needs weeks to fix something. Another possibility is of<br \/>\ncourse to firewall such systems\/services off.<\/p>\n<p>And if someone seems to portscan or probe the network for<br \/>\nvulnerabilities or somesuch? Don&#8217;t panic. The Walls are strong<br \/>\nenough to withstand a script-kiddie attack. Maybe send an<br \/>\nemail to the attacker or their sysadmin. It will either be harmless or a real attacker who will go away and seek something easier to penetrate; probably after he gets a new ISP. 
;)<\/p>\n<p>Peter Keel,<\/p>\n<div id=\"date\">1999-08-16<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>How to base your network security on misinformation, overreaction, nervousness and lawyers Security cautiousness is a good thing, in the vast and wild cyberspace. A lot of networks don&#8217;t even have somebody who cares. But there are some sites which are security cautious, and there are different kinds of these: Those who care, and those [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,67],"tags":[],"class_list":["post-1223","post","type-post","status-publish","format-standard","hentry","category-computers","category-security"],"_links":{"self":[{"href":"https:\/\/seegras.discordia.ch\/Blog\/wp-json\/wp\/v2\/posts\/1223","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/seegras.discordia.ch\/Blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/seegras.discordia.ch\/Blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/seegras.discordia.ch\/Blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/seegras.discordia.ch\/Blog\/wp-json\/wp\/v2\/comments?post=1223"}],"version-history":[{"count":1,"href":"https:\/\/seegras.discordia.ch\/Blog\/wp-json\/wp\/v2\/posts\/1223\/revisions"}],"predecessor-version":[{"id":1272,"href":"https:\/\/seegras.discordia.ch\/Blog\/wp-json\/wp\/v2\/posts\/1223\/revisions\/1272"}],"wp:attachment":[{"href":"https:\/\/seegras.discordia.ch\/Blog\/wp-json\/wp\/v2\/media?parent=1223"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/seegras.discordia.ch\/Blog\/wp-json\/wp\/v2\/categories?post=1223"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/seegras.discordia.ch\/Blog\/wp-json\/wp\/v2\/tags?post=1223"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\
/{rel}","templated":true}]}}