Security Watch

Getting Back with MySpace

Plus: Web 2.0 leaks; Cisco's NAC problems are not a problem (we think).

• By Russ Cooper
• 05/14/2007

It started with Mike Davidson, author of McCain's MySpace template, getting miffed that McCain hadn’t credited him for creating the template. Then, to top it off, images on the McCain page were actually referencing images stored on Davidson’s server. As a result, every time McCain’s page was loaded, Davidson’s bandwidth was chewed up in the process.

So Davidson changed some images on his own computer, which in turn were pulled up by McCain’s template and displayed on McCain’s page.

It's a perfect example of how a little lack of knowledge can cost a lot more than you can expect. McCain’s people should have ensured they knew where every single link was pointing, and that they controlled, or had a contractual agreement about, each one. How would they have known, for example, that one of the foreign links weren’t pointing to malware or a phishing scam? Clearly, they never checked.

Web 2.0 Sites Could Encourage Data Leaks
Here's an article packed full of advertisements from various vendors, each warning that the biggest Web 2.0 risk is what their product handles. Clearswift, a content security company, says its survey, which shows that 39 percent of employees access Web 2.0 sites while at work, means companies are going to have brand damage big time.

Perhaps more interesting than anything else in the story is the fact that Wikileaks.org will be starting up shortly. Wikileaks is intended to provide people with a way to leak corporate information and documents anonymously. While there’s always a need for people to be able to disclose information for the public good, it's nearly impossible to ensure that’s all that will be disclosed. It will also fuel the never-satisfied Internet rumor mill by allowing anyone to post anything they can contrive, and claim it’s legitimate. It’s bad enough that many reports use information on personal sites, often mis-interpretations of previous quotes, as fact; now, we’ll have stuff allegedly on corporate letterhead.

We have continually pointed out the perils of Web 2.0, primarily from the perspective that its content is often not well-supervised -- meaning you could be hosting an exploit if you allow anything to be uploaded, and your employees could be infected if they visit. For now, that’s enough to be concerned about.

Cisco's NAC Proves Software Is Software, Is Software
ERNW GmbH demonstrated two vulnerabilities in Cisco Network Access Control (NAC) products. The first was the fact that the client is unauthenticated to the server, thereby allowing software to spoof the Cisco Trust Agent (CTA), the software which will ultimately report the security posture of the client to the NAC environment. As such, malware could pose as the CTA. The second was the ability to spoof legitimate responses via the CTA, thereby allowing a client which was not compliant with NAC rules, to state it is, and be accepted as such. Combined, it means a client could be completely 0wned yet get NAC authorization and access. (More info here and here.)

This is the problem with any such tool that relies upon the client maintaining a code base to employ during the communication with the access server. Microsoft’s NAP will likely have similar flaws. Of course, one could argue that if the machine is already compromised, all bets are off. This is true to the extent that a compromised system could be made to do anything the criminal controller desires; however, it's possible to design an access control infrastructure that demands at-the-moment notification based on dynamically generated code and/or key exchanges that cannot be predicted in advance. Regardless, if the only way to determine the system’s status is to query the presence of files or registry keys, such things can be spoofed and cannot guarantee the status is legitimate.

Cisco’s response was rather weak. The company chose to point out something that didn’t appear to be a point of the presentation at all -- namely that although the CTA can be bypassed/trojaned, this fact does not compromise authentication if additional authentication is used. Well, who said it would? If you require someone to log in to get network access, or a valid machine account to assign an address, these features (not of NAC) will not be usurped. Um, thanks, Cisco -- we weren’t worried about that.