Half a croissant, on a plate, with a sign in front of it saying '50c'
h a l f b a k e r y
OK, we're here. Now what?

idea: add, search, annotate, link, view, overview, recent, by name, random

meta: news, help, about, links, report a problem

account: browse anonymously, or get an account and write.

user:
pass:
register,


                                   

Active vulnerability notification

Pro-actively notify owners of vulnerable and infected systems
 
(0)
  [vote for,
against]

An automated scanning tool should be developed that detects machines connected to the network that are either running obsolete or unpatched network software with known vulnerabilities, or are actually infected with a known virus. Tools for doing the former are already in wide use by malicious hackers, but the latter is considerably less useful to them.

This system could be shared with large organizations and ISPs, who would then be encouraged to use it to scan their internal networks. Users of vulnerable machines could be warned, infected machines might be disconnected, and so on.

The system might also be used by third parties to assess network-wide vulnerabilities, and to identify the most worrisome unsecured networks.

Any organization that leaves machines vulnerable, gets compromised, and then is used to inflict economic damage on a third party, could be considered negligent, giving large, responsible organizations an incentive to secure their networks.

MIT Information Systems has done this kind of scanning in the past, for major vulnerabilities being actively exploited elsewhere on the Internet. If this kind of scan-and-repair operation were widely adopted, it could significantly reduce the opportunity for hackers to hijack innocent third-party machines for DOS attacks, in addition to directly protecting participating parties against intrusion.

beland, Jul 13 2003

MIT I/S announcement about campus scan http://diswww.mit.e...laus/security-fyi/7
Scans at MIT are announced to interested parties by a mailing list. This is an example of an early announcement for a pop2 vulnerability. [beland, Oct 04 2004]

Self-scan http://web.mit.edu/...ty/www/webscan.html
Cool! MIT I/S now has a page where you can request a rather detailed scan of your own machine. [beland, Oct 04 2004]

HFNetChk http://www.microsof.../tools/hfnetchk.asp
"It's critical to know which patches have been applied to your system and, more importantly, which haven't. Microsoft has released a tool called HFNetChk that will significantly aid system administrators in this task." [phoenix, Oct 04 2004]

Security Administrator Tool for Analyzing Networks (SATAN) http://www.fish.com/satan/
"SATAN is a tool to help systems administrators. It recognizes several common networking-related security problems, and reports the problems without actually exploiting them." [phoenix, Oct 04 2004]

[link]






       This is so wrong for so many reasons.
phoenix, Jul 13 2003
  

       No one has yet given any concrete reasons why they dislike the idea. Please explain your disapproval so that I may be enlightened and have better ideas in the future.
beland, Jul 14 2003
  

       [significantly re-worded in more neutral language to encourage better comments; comments responding to politically irrelevent aspects removed]
beland, Jul 14 2003
  

       1. Yes, I did give concrete reasons.
2. It's still incredibly intrusive.
3. Please consider the network traffic involved for your ISP to download and scan all the files from all the computers hooked up to it. They aren't on all the time; they'll need to be scanned when they log into the system. How long would it take you to upload the entire contents of your hard drive to your ISP over your connection? Would you be willing to wait that long to get an Internet connection? How often would you be willing to do it?
lurch, Jul 14 2003
  

       Now those are some interesting observations. (Sorry, I was in the middle of re-booting this idea when your comment came in.)   

       Allow me to clarify somewhat: I did not really envision ISP actually scanning the contents of everyone's hard drives. I was thinking of the kind of testing that malicious hackers are already doing - connecting to a port on the target, sending a small amount of data, and examining the reply for clues about system vulnerabilities. For example, many programs send version information back to anyone who asks for it. It is relatively easy for a potential intruder to scan a large number of addresses looking for a version of Sendmail or Apache or Exchange or even an operating system, that has a known security hole, and then exploit that hole to gain acccess.   

       I suppose this method doesn't catch vulnerabilities in software that require user intervention to trigger; for example, in MS Outlook.   

       As I see it, this technique is no more intrusive and requires (for the end-user) no more bandwidth than being connected to the (unfiltered) Internet normally does. (Since malicious hackers routinely make scans of this kind through random tracts of IP space.)
beland, Jul 15 2003
  

       By way of example, it's not an idea. It's advocating MIT's solution to the problem.
thumbwax, Jul 15 2003
  

       1) Who pays for this?
2) "Any organization that leaves machines vulnerable, gets compromised, and then is used to inflict economic damage on a third party, could be considered negligent, giving large, responsible organizations an incentive to secure their networks."
How is this different than what happens now?
3) "...might also be used by third parties to assess network-wide vulnerabilities, and to identify the most worrisome unsecured networks."
There are already tools to do this.
phoenix, Jul 15 2003
  

       > How is this different than what happens now? <   

       If active scanning and repair were standard practice, or if an organization were actually warned about vulnerabilities, then the stanarded "knew or should have known" is much easier to meet. This is not the case today.   

       > There are already tools to do this. <   

       Pointers would be enlightening. I'm not familiar with any that identify machines that have already been compromised (and which I've never heard of MIT using).   

       Incindentally, I am wondering if any are open source, and at what point, if any, making these tools public does more harm than good. (Perhaps only for vulnerabilities for which no good fixes are available?)
beland, Jul 16 2003
  

       "Pointers would be enlightening. I'm not familiar with any that identify machines that have already been compromised (and which I've never heard of MIT using)."
I've posted links to two, but I'm not doing anymore research for you. Nothing personal. Yes there are similar open source tools.
phoenix, Jul 17 2003
  

       As far as I can tell from the sites linked, neither SATAN nor HfNetChk identify which machines have actually been broken into, only those that are vulnerable to break-in.
beland, Aug 05 2003
  

       Isn't that what your idea is?
snarfyguy, Aug 05 2003
  

       Exactly.
beland, Aug 06 2003
  

       This is sold as a commercial service already:   

       www.qualys.com www.foundstone.com   

       Scanning techniques do NOT examine hard drives and passive scans do not intrude at all: they use variations in banners, responses, IP header flags and the like to identify O/S and patch levels. As MS is now deliberately "marking the cards" (i.e., formatting different banner responses for different patch levels) , this has become very accurate (circa 90%).   

       Its not intrusive using these techniques, as this is simply querying IP ports you have already deliberately activated or, by act of omission, failed to deactivate; you are therefore inviting connection. If you find this intrusive, close your unwanted IP ports (which, in turn, makes you less vulnerable to these attacks).   

       Other techniques actually directly query the Windows registry to ascertain patch levels: as anadministrative logon is required, the only way to achieve this is by (a) hacking the box and getting those credentials and (b) getting consent. Some security purists might argue that by leaving your admin account open to being hacked (e.g., bruteforced) means you were never serious about protecting your privacy.   

       And finally, before anyone Sm*** A** responds by saying that "Nessus doesn't work that way, it actually tests the vulnerabilities", I've excluded that as a valid approach as using such tests can be dangerous. On an individual machine, fine, but across millions, now that would be dodgy. Also, it would really screw everyone's NIDS, so that's a no-no straightaway.   

       So do I think its a good idea? Nope. Whatever happened to people getting that elusive material called "clue"? If you're connecting, its your responsibility and in your interests to protect yourself. And as for those people who don't bother? They'll find themselves increasingly cut-off by ISPs and networks looking to reduce their liability for botnet attacks.
dale223, Aug 22 2004
  
      
[annotate]
  


 

back: main index

business  computer  culture  fashion  food  halfbakery  home  other  product  public  science  sport  vehicle