[143708] in North American Network Operators' Group


Infection vectors

daemon@ATHENA.MIT.EDU (Charles N Wyble)
Mon Aug 15 11:55:54 2011

Date: Mon, 15 Aug 2011 10:55:17 -0500
From: Charles N Wyble <charles@knownelement.com>
To: Steven Bellovin <smb@cs.columbia.edu>
In-Reply-To: <AF4EC99B-E8EA-44B9-B21E-C60EF2CCC2ED@cs.columbia.edu>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On 08/15/2011 10:31 AM, Steven Bellovin wrote:
> On Aug 15, 2011, at 10:12 21AM, Randy Bush wrote:
>
>>> I've always wondered if the next cisco/juniper 0 day will be delivered
>>> via a set of exploits delivered via a link posted to NANOG. :) Maybe
>>> I'll do a talk at DEFCON next year about that.
>> more likely a 'shortened' url.  how anyone can click those is beyond me.
>>
> I'm curious what your objection is.
>
> Mine is privacy -- the owner of the shortening site gets to see every place
> you visit using one of those.

That's why I have my own URL shortening service using YOURLS
(http://yourls.org/).

>    I don't think there's a significant incremental
> security risk, because the URL you click on doesn't tell you what you'll
> receive in any event.
Exactly.

>    Case in point: https://www.cs.columbia.edu/~smb/SMBlog-in-PDF.pdf
> does *not* yield a PDF.  (As far as I know, it's a completely safe URL to
> click on, but I can't guarantee that someone else didn't hack my site.  I, at
> least, haven't put any nasties there.)

Or so you claim! :) And a PDF file is a particularly potent infection
vector. It would be interesting to put up a PDF (say OSPFvsISIS.pdf or
WhyAnyoneWhoIsn'tNamedOwenHasRottenv6Ideas.pdf) with an exploit. This
exploit could be a toehold, which grabs other malware, opens a reverse
remote shell, etc. If one is targeting very long term exploitation at
mass scale, sitting in the network control plane for a long period of
time is a large factor. And if one entices operators to download malware,
the first step of most attacks (elevating privileges) is often much
easier (certainly faster, as operators doing something privileged is a
regular occurrence).



> Given the rate of hacking -- is anyone really safe from a
> determined amateur attack,
Maybe.

>   let alone state-sponsored nastiness? -- and
> given the amount of third-party content served up by virtually all ad-containing
> site, you really have no idea what you're going to receive when you click
> on any link.

Yep. I see hacked ad content every single day.
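The point made above, that neither a shortened URL nor a plain one tells you what you will actually receive, can be turned into a defensive check. The following is an added example, not code from the thread or from YOURLS: it expands a shortener hop chain from a constructed, in-memory redirect table (a real check would issue HEAD requests without following redirects and read each Location header), then compares what the final URL's extension promises with what the response body's leading bytes actually are. The redirect table, the hostname short.example and the HTML body are all constructed for the example; the columbia.edu URL is the one quoted in the thread, and its response body is constructed to match the claim that it does not yield a PDF.

```python
"""Added example (not from the NANOG thread): decide what a link returns by
inspecting the response, not the URL.  Everything here is in-memory and
constructed, so it runs offline and makes no network requests."""
from urllib.parse import urlparse
import posixpath

# Leading bytes ("magic numbers") of a few common file types, checked in order.
MAGIC = [
    ("pdf", b"%PDF-"),
    ("html", b"<!doctype html"),
    ("html", b"<html"),
    ("zip", b"PK\x03\x04"),
    ("exe", b"MZ"),
]

# Constructed stand-in for a shortener's redirect table (assumption: in a
# live check each entry would come from the Location header of a HEAD
# request issued without auto-following redirects).
REDIRECTS = {
    "http://short.example/abc": "https://www.cs.columbia.edu/~smb/SMBlog-in-PDF.pdf",
    "http://short.example/loop1": "http://short.example/loop2",
    "http://short.example/loop2": "http://short.example/loop1",
}

# Constructed response for the final URL: the thread states this URL does
# not yield a PDF, so the body here is an HTML page, not a PDF.
CONSTRUCTED_BODY = b"<!DOCTYPE html>\n<html><head><title>SMBlog</title></head></html>\n"
CONSTRUCTED_CONTENT_TYPE = "text/html"


def expand_url(url, redirects=REDIRECTS, max_hops=10):
    """Follow redirect hops until a URL that does not redirect is reached.
    Returns (final_url, hop_count); raises ValueError on a loop or too
    many hops, so a malicious chain cannot keep the checker spinning."""
    seen = []
    while url in redirects:
        if url in seen or len(seen) >= max_hops:
            raise ValueError("redirect loop or too many hops via %r" % seen)
        seen.append(url)
        url = redirects[url]
    return url, len(seen)


def promised_type(url):
    """The file type the URL's path extension suggests ('' if none)."""
    path = urlparse(url).path
    return posixpath.splitext(path)[1].lstrip(".").lower()


def actual_type(body):
    """Classify a response body by its leading bytes, ignoring the
    Content-Type header, which is just as attacker-controlled as the URL."""
    head = body.lstrip()[:16]
    for name, magic in MAGIC:
        if head.lower().startswith(magic.lower()):
            return name
    return "unknown"


def check_link(url, body, content_type):
    """Compare what the URL promises with what was actually received.
    'mismatch' is True when the extension claims one type and the bytes
    show another; 'header_mismatch' flags a Content-Type that disagrees
    with the bytes (a PDF extension served as text/html, for instance)."""
    promised = promised_type(url)
    actual = actual_type(body)
    header_says_pdf = content_type.lower().startswith("application/pdf")
    return {
        "url": url,
        "promised": promised,
        "actual": actual,
        "content_type": content_type,
        "mismatch": promised != "" and promised != actual,
        "header_mismatch": header_says_pdf != (actual == "pdf"),
    }


if __name__ == "__main__":
    final, hops = expand_url("http://short.example/abc")
    print("expanded in %d hop(s) to %s" % (hops, final))
    print(check_link(final, CONSTRUCTED_BODY, CONSTRUCTED_CONTENT_TYPE))
```

The design choice worth noting is that the classification trusts only the bytes: the extension in the URL and the Content-Type header are both set by whoever controls the server, so the checker reports them but decides on the magic number. Capping redirect hops and detecting loops keeps the expansion step from being abused as a way to tie up the checker.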



