h a l f b a k e r yWe got your practicality ... right here.
add, search, annotate, link, view, overview, recent, by name, random
news, help, about, links, report a problem
browse anonymously,
or get an account
and write.
register,
|
|
|
An automated scanning tool should be developed that
detects machines connected to the network that are either running
obsolete or unpatched network software with known vulnerabilities, or
are actually infected with a known virus. Tools for doing the former
are already in wide use by malicious hackers,
but the latter is
considerably less useful to them.
This system could be shared with large organizations and ISPs, who
would then be encouraged to use it to scan their internal networks. Users of vulnerable machines could be warned, infected machines might be disconnected, and so on.
The system might also be used by third parties to assess network-wide vulnerabilities, and to identify the most worrisome unsecured networks.
Any
organization that leaves machines vulnerable, gets compromised, and
then is used to inflict economic damage on a third party, could be
considered negligent, giving large, responsible organizations an incentive to secure their networks.
MIT Information Systems has done this kind of scanning in the past,
for major vulnerabilities being actively exploited elsewhere on the
Internet. If this kind of scan-and-repair operation were widely
adopted, it could significantly reduce the opportunity for hackers to
hijack innocent third-party machines for DOS attacks, in addition to
directly protecting participating parties against intrusion.
MIT I/S announcement about campus scan
http://diswww.mit.e...laus/security-fyi/7 Scans at MIT are announced to interested parties by a mailing list. This is an example of an early announcement for a pop2 vulnerability. [beland, Oct 04 2004]
Self-scan
http://web.mit.edu/...ty/www/webscan.html Cool! MIT I/S now has a page where you can request a rather detailed scan of your own machine. [beland, Oct 04 2004]
HFNetChk
http://www.microsof.../tools/hfnetchk.asp "It's critical to know which patches have been applied to your system and, more importantly, which haven't. Microsoft has released a tool called HFNetChk that will significantly aid system administrators in this task." [phoenix, Oct 04 2004]
Security Administrator Tool for Analyzing Networks (SATAN)
http://www.fish.com/satan/ "SATAN is a tool to help systems administrators. It recognizes several common networking-related security problems, and reports the problems without actually exploiting them." [phoenix, Oct 04 2004]
Please log in.
If you're not logged in,
you can see what this page
looks like, but you will
not be able to add anything.
Annotation:
|
|
This is so wrong for so many reasons. |
|
|
No one has yet given any concrete reasons why they dislike the idea. Please explain your disapproval so that I may be enlightened and have better ideas in the future. |
|
|
[significantly re-worded in more neutral language to encourage better comments; comments responding to politically irrelevent aspects removed] |
|
|
1. Yes, I did give concrete reasons. 2. It's still incredibly intrusive. 3. Please consider the network traffic involved for your ISP to download and scan all the files from all the computers hooked up to it. They aren't on all the time; they'll need to be scanned when they log into the system. How long would it take you to upload the entire contents of your hard drive to your ISP over your connection? Would you be willing to wait that long to get an Internet connection? How often would you be willing to do it? |
|
|
Now those are some interesting observations. (Sorry, I was in the middle of re-booting this idea when your comment came in.) |
|
|
Allow me to clarify somewhat: I did not really envision ISP actually scanning the contents of everyone's hard drives. I was thinking of the kind of testing that malicious hackers are already doing - connecting to a port on the target, sending a small amount of data, and examining the reply for clues about system vulnerabilities. For example, many programs send version information back to anyone who asks for it. It is relatively easy for a potential intruder to scan a large number of addresses looking for a version of Sendmail or Apache or Exchange or even an operating system, that has a known security hole, and then exploit that hole to gain acccess. |
|
|
I suppose this method doesn't catch vulnerabilities in software that require user intervention to trigger; for example, in MS Outlook. |
|
|
As I see it, this technique is no more intrusive and requires (for the end-user) no more bandwidth than being connected to the (unfiltered) Internet normally does. (Since malicious hackers routinely make scans of this kind through random tracts of IP space.) |
|
|
By way of example, it's not an idea. It's advocating MIT's solution to the problem. |
|
|
1) Who pays for this?
2) "Any organization that leaves machines vulnerable, gets compromised, and then is used to inflict economic damage on a third party, could be considered negligent, giving large, responsible organizations an incentive to secure their networks."
How is this different than what happens now?
3) "...might also be used by third parties to assess network-wide vulnerabilities, and to identify the most worrisome unsecured networks."
There are already tools to do this. |
|
|
> How is this different than what happens now? < |
|
|
If active scanning and repair were standard practice, or if an organization were actually warned about vulnerabilities, then the stanarded "knew or should have known" is much easier to meet. This is not the case today. |
|
|
> There are already tools to do this. < |
|
|
Pointers would be enlightening. I'm not familiar with any that identify machines that have already been compromised (and which I've never heard of MIT using). |
|
|
Incindentally, I am wondering if any are open source, and at what point, if any, making these tools public does more harm than good. (Perhaps only for vulnerabilities for which no good fixes are available?) |
|
|
"Pointers would be enlightening. I'm not familiar with any that identify machines that have already been compromised (and which I've never heard of MIT using)."
I've posted links to two, but I'm not doing anymore research for you. Nothing personal. Yes there are similar open source tools. |
|
|
As far as I can tell from the sites linked, neither SATAN nor HfNetChk identify which machines have actually been broken into, only those that are vulnerable to break-in. |
|
|
Isn't that what your idea is? |
|
|
This is sold as a commercial service already: |
|
|
www.qualys.com
www.foundstone.com |
|
|
Scanning techniques do NOT examine hard drives and passive scans do not intrude at all: they use variations in banners, responses, IP header flags and the like to identify O/S and patch levels. As MS is now deliberately "marking the cards" (i.e., formatting different banner responses for different patch levels) , this has become very accurate (circa 90%). |
|
|
Its not intrusive using these techniques, as this is simply querying IP ports you have already deliberately activated or, by act of omission, failed to deactivate; you are therefore inviting connection. If you find this intrusive, close your unwanted IP ports (which, in turn, makes you less vulnerable to these attacks). |
|
|
Other techniques actually directly query the Windows registry to ascertain patch levels: as anadministrative logon is required, the only way to achieve this is by (a) hacking the box and getting those credentials and (b) getting consent. Some security purists might argue that by leaving your admin account open to being hacked (e.g., bruteforced) means you were never serious about protecting your privacy. |
|
|
And finally, before anyone Sm*** A** responds by saying that "Nessus doesn't work that way, it actually tests the vulnerabilities", I've excluded that as a valid approach as using such tests can be dangerous. On an individual machine, fine, but across millions, now that would be dodgy. Also, it would really screw everyone's NIDS, so that's a no-no straightaway. |
|
|
So do I think its a good idea? Nope. Whatever happened to people getting that elusive material called "clue"? If you're connecting, its your responsibility and in your interests to protect yourself. And as for those people who don't bother? They'll find themselves increasingly cut-off by ISPs and networks looking to reduce their liability for botnet attacks. |
|
| |