Tuesday, December 23, 2008

Work fun and Trusted SSL, aka Quis custodiet ipsos custodes...

Some very 'fun' stuff going on these days. So at my current gig they had previously banned all external email access and instant messenger clients. No big deal for me because I can IM/E-Mail on my phone. The Websense proxy also blocks suspicious and 'against policy' websites. It's a security policy thing more than an HR thing. The client, when I was an employee, had a rash of virus outbreaks. And the 'core server network' was unprotected from the general population and the remote sites were unprotected from each other. It's pretty common, in my experience, for companies to work this way.



A week or so ago, they opened Websense up to specific external email sites. The rationale was sound: Hotmail, Yahoo and GMail all have built-in AV tech now, so it's relatively safe. Anything that gets by them is going to get by our Ironport mail gateways (Ironport rocks, by the way... if you want an email filtering solution, I'd recommend them). Well, this week they've had another virus outbreak inside the perimeter. So they loosen the reins and get burned.... It's been a debacle tracking it down. Not sure if it's a virus/worm/trojan; I'm on the outside, and the SRT tech-bridge is still ongoing. All of this while people are already on vacation and staffing levels are low to begin with.



Anyway, on to the other topic. Here's an interesting observation by one of the guys at Startcom Linux. The Mozilla folks had a bug submitted because Mozilla was complaining that all the sites had bad SSL certs. The helpful folks at Bugzilla dug a bit and found out the bug reporter was getting man-in-the-middle attacked... over SSL... So it really wasn't a bug; Mozilla/Firefox was correctly saying things were fishy. Well, the blogger from Startcom Linux (can't figure out what his/her name is) found out that some of the 'trusted SSL providers' are not to be trusted. One of Comodo's resellers issued him a mozilla.com certificate without asking any questions about whether he was legit or not (he's not). So now he could set up a MitM attack and not set off the SSL cert error alarm. Now the SSL cert wouldn't be the official one, but the connection would still be encrypted. So it would look secure, but it would be 'locked' with a different lock, a lock that your browser trusts. Because browsers ship with a basic list of trusted providers, any cert issued by one of those providers is assumed to be legit. The browsers (and by proxy, Mozilla, Microsoft and Apple) assume that the cert providers on their 'approved list' are verifying, in some fashion, the people they hand out certificates to. Who watches the watchmen? With this breach in the web of trust, all trust becomes suspect. How do you really know without verifying the trust on the other end of the SSL connection yourself? How on earth would you ask someone at Bank Of America if this SSL certificate was the real certificate? And the web of trust was supposed to protect me from this.
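One way to do that verification yourself, as an added example that is not from the original post: pin the issuer you have personally observed on the genuine site and check every connection's certificate against it, on top of the browser-style chain validation. The host and CA names below are made-up placeholders; the check works on the dict shape Python's `ssl.SSLSocket.getpeercert()` returns, with a constructed sample so it runs offline.

```python
import ssl
import socket
import time

# Issuer organisation you personally observed on the genuine site, keyed by hostname.
# Constructed for this example: the names are assumptions, not a real CA or site.
PINNED_ISSUERS = {"www.example.com": {"Example Trusted CA"}}

def _rdn_to_dict(rdns):
    """Flatten the nested tuple form getpeercert() uses for 'subject' and 'issuer'."""
    return {key: value for rdn in rdns for key, value in rdn}

def _host_matches(hostname, cert):
    """True if hostname is an exact DNS entry in the cert's subjectAltName."""
    hostname = hostname.lower()
    return any(kind == "DNS" and value.lower() == hostname
               for kind, value in cert.get("subjectAltName", ()))

def audit_peer_cert(cert, hostname, now=None):
    """Return findings for a cert dict in getpeercert() shape; [] means it passed."""
    findings = []
    now = time.time() if now is None else now
    if not _host_matches(hostname, cert):
        findings.append("hostname not in subjectAltName")
    issuer_org = _rdn_to_dict(cert.get("issuer", ())).get("organizationName")
    if issuer_org not in PINNED_ISSUERS.get(hostname, set()):
        findings.append(f"unexpected issuer: {issuer_org!r}")
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        findings.append("certificate expired")
    return findings

def fetch_and_audit(hostname, port=443):
    """Connect with the normal chain validation, then apply the pin check on top."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return audit_peer_cert(tls.getpeercert(), hostname)

# Constructed sample in getpeercert() form: a cert that would chain-validate fine,
# but comes from a CA the real site never used (the reseller scenario above).
SAMPLE_MISISSUED = {
    "issuer": ((("organizationName", "Some Reseller CA"),),
               (("commonName", "Some Reseller Root"),)),
    "notAfter": "Dec  1 00:00:00 2009 GMT",
    "subjectAltName": (("DNS", "www.example.com"),),
}
```

The browser's root store would accept the sample without complaint; the pin is what turns "trusted by somebody on the approved list" into "trusted by the CA I actually expect for this site".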



Anyway, it brings to mind the cyber-crime of the century. In the summer you start infecting machines and inserting your proxy for amazon.com into machines and then cleaning up the traces of the infection. So you clean your tracks and the person is none the wiser. You just sit and wait. Wait until the busy holiday shopping season. Then you quietly intercept the credit card numbers, dates and SVNs. And still you wait. Then slowly, you clone that information onto new cards. And then you go on shopping spree after shopping spree. You also take out your list of enemies and send them a plasma TV or two, to their real address with their real name. You do it slowly and cautiously so they never put it together that all the cards in common came from Amazon between the summer and xmas. Or perhaps instead of Amazon, you take advantage of the heavily consolidated American banking industry and siphon the money right out of their accounts. All of the pieces are there. Laundering the money would probably be your toughest hurdle, and even that's not too hard. Scary stuff.
