Security Watch

Check Point Vulnerability Expanded

More products are added to Check Point's SecurePlatform Firewall vulnerability warning.

Hacking/Denial of Service
Check Point SecurePlatform NGX Firewall Rules Bypass Vulnerability (Intellishield ID: 9706): This warning has been reissued to add additional impacted products. Initially reported was Check Point SecurePlatform NGX R60 Build 244 and prior. Now added to that list: VPN-1/FireWall-1 versions NG AI, 4.1 and NG; VPN-1 VSX version NG AI; and Provider-1 versions NG AI and NG.

The rule supplied with the Firewall product to handle "CIFS" traffic is equivalent to "ANY," in that it actually allows any traffic to/from the source/destination addresses added to the rule. CIFS is the file-sharing protocol used by Windows systems; it carries SMB over TCP. The rule permits CIFS as well as some legacy NetBIOS traffic. A proper CIFS rule should limit traffic to port 445.

While no patch has yet been provided by Check Point, anyone needing this rule group can create a custom group of their own that limits which traffic is allowed.
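As an added illustration (not Check Point's code and not the vendor's configuration format), the script below flattens service groups the way the column describes and flags any accept rule whose service column is really ANY, with a hardened custom CIFS group limited to TCP/445 beside the flawed vendor group. The service catalogue, rule structure and names are constructed assumptions.

```python
# Added audit example (constructed; not Check Point's configuration format):
# resolve service groups to concrete ports and flag rules that are really ANY.
from typing import Dict, List, Set, Tuple, Union

Service = Union[Tuple[str, int], str]  # ("tcp", 445) or the wildcard "any"
ANY = "any"

# Constructed catalogue. "CIFS" models the flawed vendor group that resolves
# to the wildcard; "CIFS-custom" is the replacement limited to TCP/445.
SERVICES: Dict[str, List[Service]] = {
    "microsoft-ds": [("tcp", 445)],
    "CIFS": [ANY],                    # flawed: equivalent to ANY
    "CIFS-custom": ["microsoft-ds"],  # hardened: TCP/445 only
}

def resolve(name: str, catalogue=SERVICES, seen=None) -> Set[Service]:
    """Flatten a service or group name into concrete (proto, port) tuples;
    nested group references are followed and the wildcard propagates up."""
    seen = set() if seen is None else seen
    if name in seen:  # guard against cyclic group definitions
        return set()
    seen.add(name)
    out: Set[Service] = set()
    for member in catalogue.get(name, []):
        if member == ANY:
            out.add(ANY)
        elif isinstance(member, tuple):
            out.add(member)
        else:  # reference to another service or group
            out |= resolve(member, catalogue, seen)
    return out

def is_effectively_any(name: str, catalogue=SERVICES) -> bool:
    """True when the service column would pass all traffic between the
    rule's endpoints, which is the defect the warning describes."""
    return ANY in resolve(name, catalogue)

def audit(rules: List[dict], catalogue=SERVICES) -> List[str]:
    """Names of accept rules whose service really means ANY."""
    return [r["name"] for r in rules
            if r["action"] == "accept" and is_effectively_any(r["service"], catalogue)]

# Constructed rule base: same endpoints, vendor group versus custom group.
RULES = [
    {"name": "cifs-vendor", "src": "10.0.0.0/24", "dst": "fileserver",
     "service": "CIFS", "action": "accept"},
    {"name": "cifs-custom", "src": "10.0.0.0/24", "dst": "fileserver",
     "service": "CIFS-custom", "action": "accept"},
]
```

Running `audit(RULES)` returns only the vendor rule, which is the one that would pass all traffic between its endpoints.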

Denial of Service
Snort TCP SACK Option Error Handling Denial of Service Issue (Intellishield ID: 9711): Snort version 2.4.0 and earlier contain an issue that could allow a remote attacker to create a denial-of-service (DoS) condition. The issue only affects systems running Snort in verbose mode. Exploit code is available.

It’s worth reminding everyone that any service, including security monitoring tools like Snort, can contain vulnerabilities which put systems at risk. While this issue isn’t likely to be widely attacked, if you use Snort to audit your networks, an attacker may be able to avoid being logged. Snort version 2.4.1 was released to correct the vulnerability.

Human Factors
Gartner has published a study regarding the Indian call center industry where they claim India will suffer a shortfall of 250,000 qualified call center workers by 2009. Gartner claims this will result in an increased risk of fraud and identity theft within the industry, largely due to less due diligence during the hiring process.

What country hasn’t faced a shortfall of qualified workers for a given industry at some point in their history? Typically, when that happens, immigration efforts are stepped up to attract the qualified from countries where a surplus exists. There’s certainly no reason to believe that India would be unable to do this.

The real question is whether or not due diligence in background checks on any employee is going to be lessened under the weight of fewer available candidates. This must surely exist already, given that most "qualified" call center employees must undergo education in precisely how to perform their jobs. India sees call center business as a huge potential to raise the quality of life in their country, so it’s highly unlikely that they’ll permit the industry to become overrun with fraudsters and insider criminals given the harm it could cause to their overall economy. Probably the greatest risk is in the rapid growth of the industry while the government and private industry groups come to terms over how to regulate and supervise this resource.

A survey conducted by Trend Micro reports that users are more likely to take risks while surfing the Internet when they’re at work because, they believe, their IT departments are protecting them.

So users at corporate desktops are as ill-informed as those at home computers ... wow, that’s a headline! Why would anyone think that corporate users would be any more security-savvy than they are when they’re at home? Certainly user security education occurs more often at work, but that doesn’t mean that those users who have been taught are any more likely to apply what they’ve learned than those who have never been taught. History shows us that if a virus-laden attachment gets past the corporate anti-virus gateway, users within that organization are as likely to open it as anyone else. That’s why Cybertrust has long recommended default deny for attachments.

Anyway, for all you IT folks out there creating complacency with your users, convincing them they are completely secure within your perimeter ... maybe you should run through your offices with your hair afire a few more times a week than you do now, just to convince your users that bad things can, and do, happen in your workplace.

Physical Security
A few weeks back, Los Angeles found the equivalent of the "Big Red Switch" when, as a result of a mistake made while connecting a power line, a cascade failure resulted in the blackout of 750,000 homes and businesses.

Ever hear the story of the "Big Red Switch"? That’s the switch in the computer room that has a sign on it that says "Only press in the event of an emergency!" and turns everything off at one time. Redundant systems are, all too often, plagued with such elements.

It’s also worth mentioning the costs of such events. Power officials said that they had restored 90 percent of blacked-out premises within 90 minutes, but because the event occurred at lunch time, many people had simply decided to take the rest of the day off. Therefore, the actual cost isn’t simply 90 minutes of downtime, but an entire afternoon.

This column was originally published in our weekly Security Watch newsletter.

Privacy
Researchers at the University of California, Berkeley, have found a way to turn the clicks and clacks of typing on a computer keyboard into a startlingly accurate transcript of what exactly is being typed. The techniques described in this paper are relatively easy; the team used open-source spell-checkers and a $10 PC microphone, for example. And for that reason, the Berkeley team has decided not to release the source code used in the study.

First, for this to be effective, the eavesdropper is going to have to profile the system being listened to. Different keyboards give off different sounds. Anyone who has tried to train their voice-aware cell phone to "dial" is aware of how tricky it can be to get reliable recognition consistently. One also has to believe that people who type with two fingers sound different than those who type with all fingers. In any event, it’s worth noting that they did mention that defeating this technique, and other TEMPEST eavesdropping techniques, may be as simple as turning on an AM/FM radio.

Governance
The U.S. Federal Communications Commission (FCC) gave the toll-free number 1-800-RED-CROSS to the American Red Cross, taking it from an entity that had acquired the number hoping to receive a major payday for it.

Why should squatting be allowed at all, be it telephone or domain names?

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
