Securing Gateways

Presentation Transcript

Slide 1: Securing Gateways: Identifying/Defending E-Mail Attacks
  A. Padgett Peterson, P.E., CISSP
  Corporate Information Protection, Lockheed Martin Corporation, Orlando, Florida
  Las Vegas, 26 July 2000

Slide 2: The Problem (footer on each slide: 26 July 2000 appbh00)
  • In recent months the most serious problems have been from the "Mass Mailer" viruses
  • May take many forms:
      Word documents: Melissa
      Excel spreadsheets: Papa
      VBS files: Loveletter
      Script files: KAK
  • All have common roots
  • There are other vectors, but less common

Slide 3: What makes Mass Mailers easy (title only)

Slide 4: Mass Mailers
  • From a corporate/agency standpoint, the really disruptive mechanisms are those which broadcast using global address lists (GAL)
  • Potential for thousands of messages: 50,000 seen for Melissa, 200,000 for LoveLetter

Slide 5: Mass Mailers
  • Thus far .EXE files are constrained to local access, e.g. PrettyPark uses the .WAB (Windows Address Book) and has no access to the GAL
  • All attacks using the GAL are VB based (VBA/VBS/ActiveX)

Slide 6: Mass Mailing
  • MSDN, MAPI: Enabling Your Program for Mail (Overview):
    http://msdn.microsoft.com/library/devprods/vs6/vc++/vccore/_core_mapi.2c_.enabling_your_program_for_mail.3a_.overview.htm

Slide 7: Looking Sdrawkcab
  • Early 1998: vendor told that inclusion of CreateObject in VBS was not a good idea. Ignored, as usual.
  • Russian New Year attack demonstrated the capability of embedded scripting
  • Patch issued for RNY for WORD/EXCEL; required a 32 Mb download. Ignored PowerPoint.

Slide 8: Looking Sdrawkcab - Dec 1997
  • Outlook added HTML capability
  • Discovering exactly which HTML was like pulling teeth

Slide 9: Whazzat ?
  • Image is on remote site
  (Test message shown on the slide:)

  Experiment #17, HTML generation test
  This is a test of HTML response capability
    • If you see more than this message
    • text please let me know

  Padgett

Slide 10: July 00 - Surprise
  • MS00-049 FAQ: http://www.microsoft.com/technet/security/bulletin/fq00-049.asp
  • The Office HTML Script vulnerability allows malicious script code on a web page to reference an Excel 2000 or PowerPoint file in such a way as to cause a remotely hosted file to be saved to a visiting user's hard drive.

Slide 11: Since Then
  • W97M/Alina.A@MM
  • W97M/Antisocial.E@MM
  • W97M/Bench.E@mm
  • W97M/Buffer.A@MM
  • W97M/MadCow@MM
  • WM97/Melissa-D@MM (over 50 Melissas now)
  • W97M/Cobra.F@MM
  • W97M/Evolution.E@MM
  • W97M/Jany.B@MM
  • W97M/Lucia.A@MM
  • W97M/Nail.B@MM
  • W97M/Ping.B@MM
  • W97M/Prilissa.A@MM
  • etc, etc, etc

Slide 12: What is the common factor ?
  • ALL use CreateObject
  • There are other possible constructs:
      GetObject (must preexist)
      CreateTextObject (using executable ASCII)
      GetTextObject
      and one more we'll mention later
  • but not many

Slide 13: Gateway Factor
  • "Block all Scripting": something about a baby and a bath ?
  • "Block all executables": care to be a bit more specific ?
      ??_ AD? ASP BAS BAT BIN CDR CHM CMD COM CPL CRT CSC DEV DL? DO? EXE GMS GZ? HLP HT? IM? INI INS ISP JS? MD? MPP MPT MS? OBD OBT OCX OLE OV? PCD POT PP? RTF SCR SCT SHS SMM SYS VB? VS? VXD WBK WPD WS? XL? XML XTP

Slide 14: More Appropriate
  • Allow only permitted extensions
  • Block anything containing the "fab four" (the four constructs listed on slide 12)
  • This re-establishes the sandbox but allows "safe" scripting & VBS

Slide 15: At Desktop
  • Vendor has an 8 Mb patch (2 Mb for the 2000 version); affects many elements
    http://support.microsoft.com/support/kb/articles/Q262/6/18.asp
  • Does seem to work well with today's problems, but what about tomorrow ?
  • Executable written to TEMP directory prior to screen popup: exploit already being discussed

Slide 16: At Desktop
  • Best answer probably Integrity Manager/Behavior blocker
      no updates required unless a new mechanism is discovered, which doesn't happen very often
  • If a network application (mail, browser, FTP, ...) tries to write to disk or execute a local file, ask first.

Slide 17: That other construct
  • CLSID: essentially a call to an internal element, generally one marked "safe for scripting" (and which shouldn't be)
  • May allow creation/writes without the "CreateObject" method
  • Used by BubbleBoy/KAK
  • Shouldn't be in a script anyway
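The gateway policy of slides 12, 13 and 14 (allow only permitted extensions, then block anything carrying one of the four object-creation constructs) together with slide 17's CLSID case, as a worked example. This is an added illustration, not code from the talk or from Lockheed Martin. The permitted-extension set is an assumed site policy, and the sample messages, addresses, filenames and the Scriptlet.TypeLib CLSID in the HTML sample are constructed test input, not captured mail.

```python
"""Allow-list attachment gateway for the policy on slides 12, 13, 14 and 17.
Added example; not code from the talk. The permitted-extension set, the
sample messages and the addresses in them are constructed for illustration."""
import email
import re
from email import policy
from email.message import EmailMessage
from typing import Optional

# Site policy (assumption): extensions the gateway passes. doc/xls/vbs are
# deliberately on the list: slide 14 lets "safe" documents and scripts
# through and relies on the content scan below to catch the constructs.
PERMITTED_EXTENSIONS = {"txt", "pdf", "gif", "jpg", "zip", "doc", "xls", "vbs"}

# Slide 12: the four constructs. VBA/VBS are case-insensitive, so match that way.
CONSTRUCTS = re.compile(
    r"\b(?:CreateObject|GetObject|CreateTextObject|GetTextObject)\b",
    re.IGNORECASE)
# Slide 17: a CLSID reference (e.g. <object classid="clsid:...">) instantiates
# a registered component with no CreateObject call at all.
CLSID_REF = re.compile(
    r"clsid:\{?[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?", re.IGNORECASE)


def final_extension(filename: str) -> str:
    """The extension Windows acts on: the last one, after trailing dots and
    spaces are stripped. 'LOVE-LETTER-FOR-YOU.TXT.vbs' -> 'vbs'."""
    name = filename.strip().rstrip(". ").lower()
    return name.rsplit(".", 1)[1] if "." in name else ""


def find_constructs(text: str) -> list[str]:
    """Blocked constructs present in text, in order of appearance."""
    hits = [m.group(0) for m in CONSTRUCTS.finditer(text)]
    if CLSID_REF.search(text):
        hits.append("clsid reference")
    return hits


def filter_message(raw: bytes) -> tuple[bool, list[str]]:
    """Return (accepted, reasons). Every attachment and every text/html body
    part is scanned; text/plain bodies are left alone so that mail *about*
    these constructs still gets through. Caveat: VBA inside a binary Office
    file is stored compressed, so a real gateway must extract the macro
    source before applying the pattern; this example scans the raw bytes,
    which is enough for script files and HTML."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        is_html = part.get_content_type() == "text/html"
        if filename:
            ext = final_extension(filename)
            if ext not in PERMITTED_EXTENSIONS:
                reasons.append(f"{filename}: extension '{ext or '(none)'}' not on the permitted list")
                continue
        elif not is_html:
            continue
        text = (part.get_payload(decode=True) or b"").decode("latin-1")
        for hit in find_constructs(text):
            reasons.append(f"{filename or 'html body'}: contains {hit}")
    return (not reasons, reasons)


def _sample(attach_name: Optional[str], attach_body: str, html: Optional[str] = None) -> bytes:
    """Constructed test message (not real captured mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "test"
    msg.set_content("Plain body; mentioning CreateObject here is not a hit.")
    if html is not None:
        msg.add_alternative(html, subtype="html")
    if attach_name is not None:
        msg.add_attachment(attach_body.encode(), maintype="application",
                           subtype="octet-stream", filename=attach_name)
    return msg.as_bytes()


SAMPLE_CLEAN = _sample("notes.txt", "just some notes")
SAMPLE_EXE = _sample("report.exe", "MZ...")
SAMPLE_VBS = _sample("LOVE-LETTER-FOR-YOU.TXT.vbs",
                     'Set fso = CreateObject("Scripting.FileSystemObject")')
SAMPLE_CLSID = _sample(None, "", html=(
    '<html><body>\n'
    '<object classid="clsid:06290BD5-48AA-11D2-8432-006008C3FBFC">\n'
    '</object></body></html>\n'))

if __name__ == "__main__":
    for name, raw in [("clean", SAMPLE_CLEAN), ("exe", SAMPLE_EXE),
                      ("vbs", SAMPLE_VBS), ("clsid", SAMPLE_CLSID)]:
        print(name, filter_message(raw))
```

The extension check looks only at the final extension, which is what the desktop acts on, so the double-extension trick of LoveLetter (.TXT.vbs) is caught by content, not by name; the .vbs is permitted by policy and rejected only because it contains CreateObject. The plain-text body is deliberately not scanned, which is the trade-off a gateway makes so that advisories mentioning these constructs are not bounced.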

Slide 18: Conclusions
  • Gateway filters need to be developed that are both specific and granular
  • Need to be able to apply/reconfigure immediately (vendors often lag by several hours)
  • A library of special filters needs to be developed
  • Commitment from the gateway for immediate action; specific line of authority to direct filters
  • Consider "approved" attachments rather than bad ones

Slide 19: Conclusions II
  • Gateways can use multiple products; is a good idea re: scanners
  • Choose defensible points, and ones that can be reconfigured quickly
  • Desktop Integrity Management/Behavior Blockers may be more appropriate: slow updates, very large numbers

Slide 20: Thank you
  Questions ?
  A. Padgett Peterson, P.E., CISSP
  padgett.peterson@lmco.com
