Home > Blogs > 2011 04 23 The Weak InSecurity

2011 04 23 The Weak InSecurity

Huh?  What a week!


A few articles now disclose that RSA's hack was created by what, a Flash file embedded into an Excel spreadsheet???  Howz that work?  Howz that fair?

But if it's fairness you're looking for, forget it.  Fairness went out with parachute pants.  Expect the least path of security resistance to be the one targeted by the Dark Force.  I'm sorry; I've been watching the hilarious copy of Fanboys, purchased for me by my daughter.  And that means I can't help but giggle at Flash being a target for attack--Again!--and now, Flash's payload is conveniently 'hidden' in a ponderous Excel spreadsheet. 

(Meanwhile, if you took in this week's M86 Webinar on worker productivity and Security, you learned anti-virus seems to be detecting threats with a lofty 40% detection rate?  Huh?  Where's this site's Seth Fogie when he's needed, to see his writings proved correct???  How much more can we be expected to spend to get p0wned so well, so easily?)

Wow--I'm dizzy with confusion where all this is going.  Great proliferation of anti-virus, many versions with 'advanced heuristics [can I get that in my toothpaste?]'; Zeus goes stomping through the Internet.  What can stop this?

I will hang cloves of garlic on my laptop and hope for the best.  One last topic and then I must retreat into the growing evening...

I apologize to my loyal readers (the many ten of readers out there) for not making a big issue of--wait for it--one of the biggest and most important birthdays out there.  Important world leader?  No.  Enlightened shaman from the worlds of Religion or Philosophy, sending to us personal joy?  No, there's little that is joyful in this.  What could it be???

The Fortieth Birthday of File Transfer P0wning, er, Protocol is upon us.  FTP smiles at us with the wicked grin usually reserved for that skinny dude holding a scythe.  Now, now, I know many people still like FTP and those nice GUI's that seep passwords as surely as an old paper cup deposits your Coke throughout your car's fake wood console.  But really, The 70's called; and it wants its plaintext security model back.

Oh my, and if that were the ONLY issue with FTP!  There are novel bits in FTP, sliding window being a great instrument of traffic shaping.  But!  What about FTP bounce???  Read about it and the PORT command.  Yes, to support one FTP server depositing a file to another server, no less than hobbit himself determined the same command can make a TCP connection (on any port) to any system the FTP server can contact.  How's that for security?  Wow!  Just how did someone plant all that email spam onto your mail relay server, despite your firewall?  HELO?  Are you there???  [Awkward silence ensues.  Just who insisted on keeping that FTP server?  Queue sound of crickets...  Now you know that it didn't take a Wiz to do it...]

Additionally, session hijacking is pretty easy when session management is pretty much nonexistent in this service.

No, holding onto FTP makes decreasing sense, especially for anything truly CONFIDENTIAL.  Yes, it was a wonderful service when created and has been as wildly successful as Winter stomach flu, establishing itself despite so many working to stop its spread.

Overall, celebrating this birthday makes as much sense as playing an old Archies album.  Its time, too, has passed.  If you must celebrate the 70's, celebrate the philosophy.  If you love something, set it free. 

And that's all I have to write about this week.  No more forcing me to refer to old music.  Thanks, now you know what song is rattling around in my head:  "Sugar, ahhhhh, Honey, Honey".  Why not just be rid of it by applying a substitute, you ask?  To same to you and your legacy FTP server that refuses to go...

jt

Comments

comments powered by Disqus