.

What is the worst vulnerability out there?

<<

Kev

Post Sun Jul 30, 2006 11:31 pm

What is the worst vulnerability out there?

    One could say with some justification that it’s vulnerable systems that have not been updated.  Yes that’s very true but that would imply that if every box out there happened to be up to date, running anti-virus and a good firewall, there would be no more hacking. We know that’s not true.  Fortunately or unfortunately, depending on what side you are on, and just like there is more than one way to skin a cat, there are a number of ways to slip in.

    To me, one of the most dangerous things that has developed is all the unsecured wireless access points out there.  Just take an hour and drive around any neighborhood in a reasonably populated city and you will see default installs everywhere! I mentioned this to a security pro once and he responded with “Yeah isn’t that great? Any time I want to pull off the road and check my email I can!”  I responded with “You know that’s considered theft of bandwidth?” He just leered at me.

    It would be so easy to launch any attack I wanted and  it would be completely untraceable! I mean as far as I am concerned.  Just find a place to park that’s not too conspicuous and change my mac address just to be safe. Then hack away to my hearts content. Hmm, maybe send a nasty or threatening email to my local government official? Wow, I don’t even have to worry about spoofing my IP or being all that stealth.  The FBI is going to be showing up at this poor fool’s house not mine!

    There was a very interesting case in Washington DC where a person attempted to blackmail a company by sending emails from several unsecured residential homes. His mistake was that he used the same three places over and over again when he accessed the net to do his blackmail.  The FBI checked out all three homes and realized that the people in those homes couldn’t be connected, so they set up surveillance.  Shortly after that they caught the guy sitting outside of one the three houses in his car with his laptop. I feel sorry for the innocent people that came under the scrutiny of the FBI.

  There is no reason why manufactures of wireless routers can’t warn consumers in a more substantial way.  Package in the box some kind of very obvious warning and tutorial about security.  We as security professionals should do what we can to promote that I think.  Ok, I am done and now will get off my soap box !
Last edited by Kev on Sun Jul 30, 2006 11:35 pm, edited 1 time in total.
<<

LSOChris

Post Mon Jul 31, 2006 8:42 am

Re: What is the worst vulnerability out there?

a more dangerous situation is that being on the unsecured wireless AP gives you "trusted" status on the network, now you can do things as a anothe user on the network instead of a non-trusted outsider.

do i think that chris running an unsecured wireless access point in his home is as big a problem as say, allowing NetBIOS thru the firewall, no i dont. 

i can go to any internet cafe, airport, mall and do the same things you mentioned and that was by design, not because someone failed to set up their home route correctly.  if you want to send a mean email to someone anonymously, you can do it, that functionality was around long before open WAPs.

on another note, i think the WAP makers are coming around.  i just got a Dlink WAP and it had the steps to enable WEP and create a key and all that in the little quick start guide.

of course there is always the WEP is crackable argument which you can usually follow up with "can YOU (person making this argument) crack the WEP encryption on this wireless access point" which usually gets the message across.  i wouldnt call it difficult with all the tools out there but its not a double click get your WEP key thing either...

just my thoughts on it.
<<

don

User avatar

Administrator
Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Mon Jul 31, 2006 9:17 am

Re: What is the worst vulnerability out there?

Not only entries in the quick start guides of wireless routers, but also a more general awareness is taking place. When you drive around, sure you can find APs with no security, but I'm sure you're finding less and less. Also, as part of the setup, some ISPs that offer wireless routers are putting in security. Even printer vendors are starting to add securing to their internal NICs.

Is the problem solved... No! But I agree that with more awareness comes more compliance. As always, it all comes down to the human factor.

Don
CISSP, MCSE, CSTA, Security+ SME
<<

Kev

Post Mon Jul 31, 2006 10:21 am

Re: What is the worst vulnerability out there?

  I am sure each part of the country is experiencing something a little different. In my area we are experiencing a dramatic increase in unsecured AP points for whatever reason. The one thing that stands out about unsecured access points is that it requires no skill whatsoever to gain access.

    While it’s true there have been certain areas that have offered free internet access, these are a small number in my area as opposed to what I can count within one mile of my home!  Just from my living room I can pick up 5 wireless networks with no encryption. In my opinion, hacking from an airport or coffee shop would be the last place I would do that.  Sure you could,  but would you?  I would choose a place not under so many watchful eyes or police or even surveillance cameras.  I remember reading in a network security book that sometimes network admin don’t always  make the best security testers. His reason was to be really effective you have to think like a criminal. Most admin are very ethical people and spend their time trying to make an organized structure, not break it apart. I am not saying I believe that nor would I feel comfortable with an admin that could think like a criminal , but an interesting thought.


  I am hearing more and more stories from locals that maintain networks for the larger school systems in my area that they are becoming the brunt of mischievous activity. No doubt from teenagers with too much time on their hands. So far it’s been more of an annoyance than any thing too serious. 

  We all heard about how some people were war driving through neighborhoods and if they found an unsecured wireless network, they would go up to front door of the house and for a fee of $75 they would offer to make it more secure. I used to think that was a bit pushy but now I am starting to think that’s not such a bad idea.
Last edited by Kev on Mon Jul 31, 2006 1:51 pm, edited 1 time in total.
<<

oleDB

User avatar

Recruiters
Recruiters

Posts: 236

Joined: Thu Jul 20, 2006 8:58 am

Location: HOA

Post Mon Jul 31, 2006 3:08 pm

Re: What is the worst vulnerability out there?

While wireless security is certainly lacking, I think Internet Explorer is the more important vulnerability. There still finding huge exploits in 6.0, wait till 7.0 goes mainstream it will be even worse. IE is the most ubiquitous portal that essentially serves as the gateway to spyware/adware/malware etc. I think that once companies start running a WPA2 wlan with AES encryption and a Radius server, hacking that network becomes extremely difficult and will rely more on trickery then an actual technical flaw.
<<

Kev

Post Mon Jul 31, 2006 3:23 pm

Re: What is the worst vulnerability out there?

Thats certainly a very valid point. I.E is still the most used around the world and can create a way into our system. 
<<

Hug_It

Newbie
Newbie

Posts: 28

Joined: Thu Feb 23, 2006 4:21 pm

Post Mon Jul 31, 2006 3:43 pm

Re: What is the worst vulnerability out there?

As illustrated by H.D. Moore's month of browser bugs. H.D. Moore of Metasploit fame, put out a new browser vulnerability every day for the month of July. Suposedly to spite Microsoft and how they handled previously discovered vulnerabilities.

http://browserfun.blogspot.com/2006_07_ ... chive.html
CISSP
<<

don

User avatar

Administrator
Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Mon Jul 31, 2006 4:12 pm

Re: What is the worst vulnerability out there?

Keep in mind that it was a Browser Bug a Day for a Month, not an IE Bug a Day. Not to defend IE... I agree with the points in this post, but IE is not alone.

Don
CISSP, MCSE, CSTA, Security+ SME
<<

pcsneaker

Jr. Member
Jr. Member

Posts: 73

Joined: Mon Nov 07, 2005 12:23 pm

Post Mon Jul 31, 2006 6:26 pm

Re: What is the worst vulnerability out there?

Everything that has been said in this thread is right - but I think the worse vulnerability is simply the user. If the users would know what they are doing even an unpatched XP with IE running over a wireless network would not be that easy to hack.
MCSA:Security (W2k, W2k3)
MCSE:Security (W2k, W2k3)
CPTS, Network+
<<

Kev

Post Mon Jul 31, 2006 6:54 pm

Re: What is the worst vulnerability out there?

  Most certainly and that is the ultimate vulnerabilty. The people that operate the computers. The problem is people are so darn hard to educate on a mass level it seems, so we look for other ways of dealing with those issues. Like make a patch that downloads automatically, etc...
 
  A very good point that pcsneaker made and I guess we computer people should try not to forget about the human side of things even though we get so involved with technology and our boxes. People can be the weakest link and the social engineers ( fancy term for con artist )  have proven that! 
<<

tmartin

Recruiters
Recruiters

Posts: 46

Joined: Tue Sep 20, 2005 9:36 pm

Post Mon Jul 31, 2006 7:04 pm

Re: What is the worst vulnerability out there?

I agree, it's people. They're the only ones who can plug the holes and practice safe computing. Sure you can mandate and push updates and quarantine people off the network if they're not up-to-date, etc., but in the end, it's the uninformed/naive user that's the biggest threat, along with the trusted but untrustworthy insider.

IE is bad, too, along with other browsers, but again, users point and click the mouse...

KEV,
Thanks for spacing out your posts. Appreciated.:)
<<

Hug_It

Newbie
Newbie

Posts: 28

Joined: Thu Feb 23, 2006 4:21 pm

Post Tue Aug 01, 2006 9:35 am

Re: What is the worst vulnerability out there?

Point well taken Don. You are 100 percent correct. Sometimes being to brief sensationalizes your point. ; )
CISSP

Return to Opinions

Who is online

Users browsing this forum: No registered users and 0 guests

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software