[Dshield] He thinks he is bulletproof, is he?

Carboni, Chris ccarboni at azerty.com
Fri Dec 5 14:07:46 GMT 2003


I keep remembering a line I heard somewhere.

I don't remember the exact source (and possibly not the exact wording) but
-may- be attributed to Steven Northcutt.  If not, credit given here to the
originator, and apologies if I've butchered it.

From a security standpoint ... "the only safe computer is one that is turned
off, physically disconnected from all external sources, encased in cement,
buried six feet underground and guarded 24x7 by an armed guard, and I'm not
even so sure about that."

It's all about risk vs. impact.  While the user has done some things to
mitigate many of the risks involved, the fact that the system is being used
for proprietary information (high impact if lost/stolen/diverted) alone
should dictate that it be secured more appropriately than it is.

As for what he's susceptible to ...

Any exploit that targets an unpatched vulnerability on his system, like the
RPC vulnerability.
A targeted attempt at his specific configuration which is admittedly a low
probability in any scenario but industrial espionage.
Older DOS virii which were not as (for lack of a better word) elegant as
today's bugs are and would just delete things, format drive, corrupt BIOS.

And as for his rare use of Windows, it matters not a bit how rare he uses
it, the (sad) fact is that as long as he -does- use it, he's at risk.  The
risk is -lower- with less use, but is still present.

One line in his e-mail bothers me quite a bit.

"I have the understanding that as long as I am using a DOS-only machine
there is no way a hacker could invade my machine while I am online
without my noticing that something very bizarre and fishy is happening
inside my system."

Well, even if that's true, and I don't necessarily believe it is, so what?

Once they're in it's too late.


Christopher Carboni GCWN, MCSE Win2k
System Engineer
Azerty, A Division of United Stationers
(800) 888-8080 x 2227
www.azerty.com
www.unitedstationers.com


-----Original Message-----
From: Kenneth Coney [mailto:superc at visuallink.com]
Sent: Wednesday, December 03, 2003 10:02 PM
To: list at dshield.org
Subject: [Dshield] He thinks he is bulletproof, is he?


I belong to a group that occasionally sends emails containing proprietary
commercial information from person to person for comment.  Recently while
seeking evaluations of a database program I learned we have a person in
the group who uses a machine with only 16 megs of RAM and who removed (more
or less completely) Internet Explorer from his Windows 95 machine seven or
eight years ago and he has no AV and no firewall.  Since MS alerted us to
the RPC vulnerability
(http://www.microsoft.com/technet/security/bulletin/MS03-026.asp) I have
been trying to get him to upgrade his machine, obtain anti-virus software
and firewalls, or at least get any required patches.  This is his latest
reply.

"I rarely do Windows.  I do them at times when I need to view
an MS-Word document with all its pretty fonts and formatting
and/or lines and boxes and images.  If I just need to know
only what the document says I use a program named Antiword to take
a look at it.  Antiword does a great job of converting MS-Word to
plain text.  Antiword is free and you can download versions of it
for almost all operating systems including even DOS.

Other times when I do Windows are those times when it is really
important for me to take a look at web pages infested with lots
of JavaScript and requiring a browser capable of handling it in
order to get any information from them.  None of my DOS-based browsers
can deal with JavaScript.  They just ignore it.  A DOS ported version
of the Unix text browser known as "Lynx" does a great job of getting
into https SSL web pages.  I have it installed on my machine.  For
doing web-browsing to display inline graphics I use a DOS browser known
as Arachne.  It displays web pages just as well as MSIE and NetScape
as long as the web pages don't make use of JavaScript and/or
browser-specific proprietary HTML tags.  Also Arachne doesn't do SSL.
Lynx does SSL but it doesn't handle JavaScript.  I have successfully
used the Lynx browser on several occasions for doing online shopping
and ordering merchandise by using a secure web page.

I have the understanding that as long as I am using a DOS-only machine
there is no way a hacker could invade my machine while I am online
without my noticing that something very bizarre and fishy is happening
inside my system.

For going to web pages with my Windows 95 machine I use the Opera
browser.  It isn't as bloated as the current versions of MSIE and
NetScape and it runs fine on systems having only 16MB of memory.

I never use a Windows machine for doing email.  When I am at a public
terminal running a Windows machine I do my email by running Pine on
my Unixish shell account.  I can get into my shell account on the remote
computer by running a Java Applet that does SSH which I can access from
a web browser.  When I finish my session the Java Applet self-destructs,
supposedly.

BTW, I have never received from anyplace on the internet a virus or
a worm capable of infecting a DOS system.  I have received thousands of
viruses and worms that are capable of infecting Windows 32 bit systems
only.  That is why I don't do my email with a Windows system."

I suspect he is very vulnerable to something, but lack enough root
knowledge of TCP/IP and DOS to speak with certainty.  I agree he is safer
than many, even safer than some with firewalls and AV software in that most
virus writers these days don't seem to be expecting a DOS based machine,
but I suspect he isn't as malware proof as he thinks.  He on the other hand
believes he is completely bullet proof to all forms of malware and
probe/infection attempts.  I'd like a second opinion.



_______________________________________________
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
