Web Based Audits - are they safe?
"We're moving towards Web-based software, software that runs in the browser, and that's a really insecure device," says Grossman. What Web application providers want to do "can't be done securely in the browser right now." Web 2.0 applications are "the new place for malware," he says, "and as it gets larger the problems are only going to get worse."
http://www.pcworld.com/businesscenter/article/149532/article.html?tk=nl_spxnws
Black Hat Security Conference Las Vegas 2008
Well, what more can we say about conducting software audits of your PC using Web based applications?
UPDATED 17th April 2007
How would you like your network drive names listed on the WWW as a location along with IP addresses, user names and software license keys?
We posted this web page as an advisory about web based audit issues in January 2003, but we didn't envisage anyone would actually start posting their own license numbers on the web. The end users are in violation of their EULAs, as is the vendor, which is unfortunate as they are highly respected in this field. I am sure the vendor will act to rectify this, BUT given the porosity of the web it is now posted out there for all to see for some time to come. The reports also include license keys for other software installed when you examine each report, plus other details of both a commercial and private nature that are now being aired. See also http://www.google.com/search?q=%22Windows+XP+Professional%22+%22Belarc+Advisor+Current+Profile%22+key%3A Your organization needs to be made aware of this as a risk for them if their data is listed using this method of auditing. It's the end users who are at fault, by the way!
Quite simply, we believe that the RISKS to YOUR SYSTEMS are FAR TOO GREAT but you need to read the following to make up your own minds.
Many are being tempted by the attraction of doing an inventory of their PC hardware and software by using Internet/Web based subscription services where the customer can dial-in and do the software and hardware audit using web based, site and email hosting services.
NOTE: We wrote this article back in 2003 so some of the web links listed below may be dead or removed.
The practice is growing and this raises some so-far unresolved issues that you as the end-user customer need to address.
The benefits offered by web based auditing seem to be;
………… and so-on
Extract from a sample log file whilst connected to the Internet;
The above "commands" have been viewed as scripted attempts to break-in to a PC based system using a series of open ports, by unknown attackers. Some of the capabilities offered by the above attempts are potentially destructive.
WHY YOU SHOULD BE WARY OF WEB BASED AUDITS
1. INSTANT MESSAGING SERVICES POSE A WEB AUDIT RISK
Instant messaging (IM) is gaining in popularity as it lets people interact instantly and provides immediate contact, as opposed to the delays that can occur when using other forms of communication, e.g. voice-mail/e-mail. This means users are connected (and can be identified via port scanners), hence the risk increases whilst the ports are open.
This raises potentially serious security issues posed by IM usage especially where the systems have been implemented using an ad hoc approach, and may open up a company to many potential security and legal problems.
2. WEB SERVICES, INTERNET COLLABORATION POSE BIG SECURITY CHALLENGES
Read what the Industry Pundits are saying about Security over the Web at http://www.securityfocus.com/bid/3767
Increased use of videoconferencing and Internet-collaboration technologies, the rush to Web services and a new class of malicious code that blends virus and wormlike capabilities are some of the biggest security challenges for 2002, analysts said.
3. INTERNET EXPLORER HAS SERIOUS VULNERABILITIES (if not fixed)
MS security patch opens new hole http://www.zdnet.com/zdnn/stories/news/0,4586,2836273,00.html
Microsoft urges Passport users to install IE patch
Microsoft Corp. is urging almost 200 million Passport users to install a patch released nearly two months ago to fix a problem with its Internet Explorer browser.
A flaw exists in Microsoft Internet Explorer that may allow a remote attacker to view known files on a target system when a user views web content containing a specially crafted script. This vulnerability could be used by a malicious web site administrator to view any known file on a target system. It may also lead to the execution of arbitrary code. Microsoft Internet Explorer is prone to a vulnerability which may disclose sensitive information to a malicious webmaster. Details sourced from http://www.securityfocus.com/bid/3779
The above vulnerabilities exist for Microsoft Internet Explorer 5 on the following systems:
Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows 2000
Microsoft Windows 2000 SP1
Microsoft Windows 2000 SP2
Microsoft Windows NT 4.0SP3
Microsoft Windows NT 4.0SP4
Microsoft Windows NT 4.0SP5
Microsoft Windows NT 4.0SP6
Microsoft Windows NT 4.0SP6a
The above vulnerabilities exist for Microsoft Internet Explorer 5.01 on the following systems:
Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows ME
Microsoft Windows 2000
Microsoft Windows 2000 SP1
Microsoft Windows 2000 SP2
Microsoft Windows 2000 Terminal Services
Microsoft Windows NT 4.0SP3
Microsoft Windows NT 4.0SP4
Microsoft Windows NT 4.0SP5
Microsoft Windows NT 4.0SP6
Microsoft Windows NT 4.0SP6a
The above vulnerabilities exist for Microsoft Internet Explorer 5.01SP1 on the following systems:
Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows 2000
Microsoft Windows 2000 SP1
Microsoft Windows 2000 SP2
Microsoft Windows NT 4.0SP3
Microsoft Windows NT 4.0SP4
Microsoft Windows NT 4.0SP5
Microsoft Windows NT 4.0SP6
Microsoft Windows NT 4.0SP6a
The above vulnerabilities exist for Microsoft Internet Explorer 5.01SP2 on the following systems:
Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows 2000
Microsoft Windows 2000 SP1
Microsoft Windows 2000 SP2
Microsoft Windows NT 4.0SP3
Microsoft Windows NT 4.0SP4
Microsoft Windows NT 4.0SP5
Microsoft Windows NT 4.0SP6
Microsoft Windows NT 4.0SP6a
The above vulnerabilities exist for Microsoft Internet Explorer 5.5 on the following systems:
Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows 2000
Microsoft Windows 2000 SP1
Microsoft Windows 2000 SP2
Microsoft Windows NT 4.0SP3
Microsoft Windows NT 4.0SP4
Microsoft Windows NT 4.0SP5
Microsoft Windows NT 4.0SP6
Microsoft Windows NT 4.0SP6a
The above vulnerabilities exist for Microsoft Internet Explorer 5.5SP1 on the following systems:
Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows 2000
Microsoft Windows 2000 SP1
Microsoft Windows 2000 SP2
Microsoft Windows NT 4.0SP3
Microsoft Windows NT 4.0SP4
Microsoft Windows NT 4.0SP5
Microsoft Windows NT 4.0SP6
Microsoft Windows NT 4.0SP6a
The above vulnerabilities exist for Microsoft Internet Explorer 5.5SP2 on the following systems:
Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows 98se
Microsoft Windows ME
Microsoft Windows 2000
Microsoft Windows 2000 SP1
Microsoft Windows 2000 SP2
Microsoft Windows 2000 Terminal Services
Microsoft Windows NT 4.0SP3
Microsoft Windows NT 4.0SP4
Microsoft Windows NT 4.0SP5
Microsoft Windows NT 4.0SP6
Microsoft Windows NT 4.0SP6a
Microsoft Windows NT Enterprise Server 4.0
Microsoft Windows NT Terminal Server 4.0
Please note some of the external web links are several years old and may not work as this article was first published in 2003
4. Suggested fix for AIM hole has back door and spyware
The fix recommended by security group w00w00 Security Development to plug a hole in America Online Inc.'s Instant Messenger (AIM) opens a user's system to hacker attacks and can direct the user's Web browser to pornographic Web sites.
Most commercial IM services use port 80, the port that carries most HTTP traffic. But, because port 80 is used for HTTP traffic, there is no easy way to keep an eye on IM traffic alone. IM traffic can open up port 80 many times a day, which can significantly increase a company's exposure to security breaches. Messages exchanged have not, up until now, usually been scanned for viruses or malicious programs. This means hackers with knowledge of this vulnerability can exploit this openness by sending attachments containing viruses, worms, and other malicious software, and may also gain access to files stored on local drives or peer to peer connections. When these enter a corporate network undetected then you are at risk!
5. What about Web based Audits using TCP/IP?
TCP/IP (Transmission Control Protocol / Internet Protocol) is the most commonly used port-based protocol on the Internet, but it does not provide a great deal of security. Security is provided by making sure incoming packets match within a range of expected sequence numbers, and the sequence numbers are randomised when the connection is set up. It is possible to intercept an existing TCP/IP connection if the sequence is known. On some TCP/IP stacks, the state of the initial sequence number for new and old connections can be derived if the attacker can witness a few new connections being set up, as in the case of a web based audit. See http://www.cert.org/advisories/CA-2001-09.html for further details.
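Whether a stack you operate has this weakness can be judged from a handful of its initial sequence numbers (ISNs). The following is an added example, not part of the original article: it contrasts a constructed fixed-step generator with an RFC 6528 style generator, and the step size, addresses, secret, SHA-256 as the hash and the 65535 window are all assumptions made for illustration.

```python
import hashlib
import statistics

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def fixed_step_isns(count, start=1_000_000, step=64_000):
    """Weak generator (constructed): a global counter bumped per connection."""
    return [(start + i * step) % MOD for i in range(count)]


def rfc6528_isn(secret, src, sport, dst, dport, ticks):
    """RFC 6528 style: ISN = M + F(connection 4-tuple, secret key)."""
    material = f"{src}:{sport}>{dst}:{dport}".encode() + secret
    offset = int.from_bytes(hashlib.sha256(material).digest()[:4], "big")
    return (ticks + offset) % MOD


def hashed_isns(count, secret=b"constructed-demo-secret"):
    """ISNs seen across `count` connections opened 10 ms apart from new source ports."""
    return [rfc6528_isn(secret, "192.0.2.10", 40000 + i, "198.51.100.5", 80,
                        ticks=i * 2500)  # the timer M ticks every 4 microseconds
            for i in range(count)]


def guess_error(observed):
    """Predict the last ISN from the earlier ones; return the circular miss distance."""
    history, actual = observed[:-1], observed[-1]
    deltas = [(b - a) % MOD for a, b in zip(history, history[1:])]
    guess = (history[-1] + int(statistics.median(deltas))) % MOD
    miss = (actual - guess) % MOD
    return min(miss, MOD - miss)


def is_predictable(observed, window=65535):
    """Guessable if the prediction lands within one receive window of the truth."""
    return guess_error(observed) <= window


if __name__ == "__main__":
    for name, sample in (("fixed step", fixed_step_isns(6)),
                         ("RFC 6528 style", hashed_isns(6))):
        print(f"{name}: miss={guess_error(sample)} predictable={is_predictable(sample)}")
```

A real stack draws the secret at random at boot; it is fixed here only so the run is repeatable.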
6. THERE ARE LARGE NUMBERS OF PORTS AVAILABLE AND IN USE
If your network administrator has not secured the port vulnerabilities that are currently known then there are added risks when using web based audit techniques over the Internet.
The PORTS Number Registry illustrates the LARGE number of ports (many of which are used for scanning / sniffer / snort devices): http://www.iana.org/assignments/port-numbers
The port numbers are divided into three ranges: the Well Known Ports, the Registered Ports, and the Dynamic and/or Private Ports. The Well Known Ports are those from 0 through 1023. The Registered Ports are those from 1024 through 49151. The Dynamic and/or Private Ports are those from 49152 through 65535.
http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;q150543
The above article discusses the known TCP/IP ports (TCP and/or UDP) that are used by services within Microsoft Windows NT version 4.0 and Microsoft Exchange Server version 5.0. This is not a complete list of TCP/IP port assignments.
For additional TCP/IP port assignment information, see the following articles in the Microsoft Knowledge Base:
http://support.microsoft.com/directory/article.asp?ID=kb;en-us;Q174904
February 2001 http://www.infosecuritymag.com/articles/february01/cover.shtml
P2P, OR NOT P2P? Napster, Gnutella, IM and other peer-to-peer applications are still the "flavour of the week." But if you're not careful, these programs could have already been used to undermine your network security. A peer-to-peer (P2P) network is one where each workstation has both server and client capabilities and users can initiate communication between any two (or more) computers. P2P is an alternative to the traditional client-server model of networking, and is especially handy for trading files across the Internet. With the advent of file-exchange programs like Napster, peer-to-peer has also come to describe the exchange of files through a mediating server. If you are running a peer-to-peer network and are not aware of the risks, and you conduct web based audits, then you are at bigger risk than you think!
WHY YOU SHOULD BE WARY OF WEB BASED AUDITS
How do the above details affect Web AUDITS? Unless the web based auditing service uses a dedicated specific port as allocated and authorised by ......org for its service, and not port 80 or some other common open port, then you have NO WAY of tracking what occurs during the course of a web based audit.
The web based audit service may use or offer encrypted communications between the corporate site and the audit site, however whilst the port is open, and there are gaps in send and receive status times then other users may attach themselves to the port whilst open and use the port to gather data and information direct from your site.
Think it can’t happen? Have you checked? When did you last check? Do you know what to look for? How secure are your systems when you use a web based auditing service? Can you afford to take the risk?
There are now web based audit tools on the market that enable you to conduct an audit whilst you are logged on to the Internet, BUT you need to be very careful as some of these require you to lower your level of security to enable the web audit to function. This is NOT a smart way to conduct an audit! Some of these audit tools are available when you log on to a https site (a secure server), but have you thought about this? The secure server ONLY protects their side of the connection NOT YOUR SIDE!
To conduct an audit on your PC you need to have some OPEN PORTS available.
SO AGAIN, WHAT IS THE RISK DURING WEB BASED AUDIT?
During the time of an audit via the web it is quite possible for a port scanner device to attack your PC and download other files in between the transmission polling times that are used in transmission. If you think this is a risk then you would be well advised NOT to consider web audits of your PC based systems. The web is NOT a secure place for conducting audits.
If you think that you are SECURE whilst the web based audit is under way you need to make sure. The way to do this is to establish a separate connection device to listen to the PC traffic and monitor every event both inbound and outbound and analyse the results to establish how safe the traffic activity has been during the course of the audit. In many instances you just won't be able to tell. If you think it's worth the risk then be prepared for the possibility of corruption of PC data, theft of PC information, installation of trojans on your system and so on.
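The analysis step described above can be done over the connection log kept by the separate monitoring device. This is an added example, not part of the original article: the log format, the addresses, the audit window and the function names are all assumptions, and the sample lines are constructed.

```python
from collections import namedtuple
from datetime import datetime

Event = namedtuple("Event", "time direction remote_ip remote_port local_port action")

# Constructed sample data. The line format is hypothetical:
# time direction proto remote_ip remote_port local_port action
SAMPLE_LOG = """\
2003-01-14T09:58:40 IN  TCP 203.0.113.77  4100 21   DENY
2003-01-14T10:00:05 OUT TCP 198.51.100.20 443  1045 ALLOW
2003-01-14T10:00:09 IN  TCP 203.0.113.77  4312 139  DENY
2003-01-14T10:00:11 IN  TCP 203.0.113.77  4313 445  DENY
2003-01-14T10:02:30 IN  TCP 192.0.2.45    2201 80   ALLOW
2003-01-14T10:03:02 OUT TCP 198.51.100.20 443  1046 ALLOW
2003-01-14T10:04:10 OUT TCP 192.0.2.45    8080 1050 ALLOW
2003-01-14T10:06:00 IN  TCP 203.0.113.77  4400 21   DENY
"""

AUDIT_HOST = "198.51.100.20"                    # assumed audit service address
AUDIT_START = datetime(2003, 1, 14, 10, 0, 0)   # assumed start of the audit
AUDIT_END = datetime(2003, 1, 14, 10, 5, 0)     # assumed end of the audit


def parse_log(text):
    """Turn each non-empty line into an Event; a malformed line raises ValueError."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, direction, _proto, rip, rport, lport, action = line.split()
        events.append(Event(datetime.fromisoformat(when), direction, rip,
                            int(rport), int(lport), action))
    return events


def unexpected_during_audit(events, audit_host, start, end):
    """Events inside the audit window whose remote end is not the audit service."""
    return [e for e in events
            if start <= e.time <= end and e.remote_ip != audit_host]


def review(text=SAMPLE_LOG):
    """Split the unexpected traffic into what got through and what was blocked."""
    odd = unexpected_during_audit(parse_log(text), AUDIT_HOST, AUDIT_START, AUDIT_END)
    result = {"passed": [], "blocked": []}
    for e in odd:
        key = "passed" if e.action == "ALLOW" else "blocked"
        result[key].append((e.direction, e.remote_ip, e.local_port))
    return result


if __name__ == "__main__":
    for verdict, rows in review().items():
        for row in rows:
            print(verdict, *row)
```

Entries under "passed" are the ones to investigate first: traffic that was allowed during the audit but did not involve the audit service.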
Think it doesn't happen? Then read the following details;
CERT said it received more than 52,000 reports of security incidents during 2001, compared with more than 21,000 in 2000. A CERT analyst explained the sharp rise as a result of heightened awareness by users.
Other areas of risk with Web Based audits (which can only be conducted if they have access to your open ports on your PC) can be identified when you read the following details regarding Port TCP/21 (ftp), TCP/80 (http), and TCP/443 (https). http://www.cert.org/tech_tips/win_intruder_detection_checklist.html
Have you examined the processes used in conducting a web based audit yet?
What would you think if you saw the log files for a PC system that had been busy auditing and saw the attempts "behind the scenes", NOT from the audit house/hosting service but from other "attackers" trying to break in whilst the ports were opened during an audit cycle?
Extract from a sample log file whilst connected to the Internet;
The above "commands" are scripted attempts to break-in to a PC based system using a series of open ports, by unknown attackers. Some of the capabilities offered by the above attempts are potentially destructive.
UPDATE 17th April 2007: and from another popular PC Audit program that has users posting their "own" profiles on the web the following key details are being exposed! This places your organization at severe risk if the data is not properly firewalled and secured!
All of the aspects listed above are the key reasons why we WILL NOT conduct WEB BASED Auditing! We firmly believe the RISKS are FAR TOO GREAT!
THERE IS ONLY ONE SAFE WAY TO CONDUCT A SOFTWARE COMPLIANCE AUDIT!
The safest method to conduct an audit is;
and not at risk when port scanners, sniffers and other attack tools are being used to break into your systems.
"The primary purpose in conducting a software compliance audit is to REDUCE YOUR RISK, so why INCREASE it using web based audits?"
CAN'T AFFORD AUDIT SOFTWARE?
If you've been fighting a losing battle about having a budget for audit software tools and need to convince management, accountants and directors, then you need to read this article and make a comparison between what "could have been avoided" vs what needed to be budgeted. It might just tip the scales in your favour as you strive to achieve software compliance using software audit tools.
No Budget For Audit Software and It's a Risky Business if you think you are 80% Compliant!
Performing a software inventory involves analysing the software products installed on your computers and comparing this against licenses owned. Depending on the size of your organisation, and the condition of your records, this may be quite simple, or it can take a bit of effort.
Remember, there is no excuse for using illegal software and the financial and legal costs can be very high.
WHERE DO YOU START on an AUDIT?
Our Message System http://www.pcprofile.com/swmessage.htm is a great place to start off with Software Compliance. A US version is available spelt "authorized". Without this message "from the management" you are wasting your time! Followed very closely by;
Take a Snapshot using AUDIT Baseline, which will give you a broad look at the extent of the non-standard and non-authorised software loaded on your PCs - the results will astound you!
Use the Software Licence Cost Model to assess what the risk and damage might be if you get caught
AUDIT BaselineV4 FAST server based auditing - NOW there is NO EXCUSE for not auditing your PCs