Copyright © 2001,2002 eyeonsecurity Inc., All Rights Reserved. No portions of eyeonsecurity may be used without express, written permission
 
Security Trends.
- What they forget to secure
- Obscure^ obscure@eyeonsecurity.org


-Intro


You set up firewalls, e-mail filtering, Intrusion Detection Systems (IDS), personal firewalls, censoring software (at both the network and the personal level) and they still get in. What I'm referring to is those pesky VBS and similar worms inhabiting the Windows platform right now, and maybe a few real-life crackers here and there. For the network administrator, this can be a real problem. Even when he has secured his network with the latest tools and patches, there is still a big chance of his kingdom getting infected, especially if it's made up of MS Windows machines and their trusting users.


The main problem lies in the users' activities. Normally, the administrator is expected to shut off inbound connections so that malicious users cannot connect to the internal network. However, we are increasingly seeing that this is only one side of the coin. Most users will be accessing hostile networks, like IRC, even if they have no business doing so.


In this article I will be outlining some of the protocols that most security-related tools do not cover, or even think of protecting users from. The HTTP protocol provides a backdoor for hackers and malicious crackers to get into your network; much the same goes for e-mail. While this is getting a lot of press right now, there's a lot more to network security than just HTTP and e-mail.


-Newsgroups


Newsgroups basically have the same problems as e-mail. The difference is that instead of infecting just one target user, a malicious newsgroup post targets many. So if you're using Outlook Express to read newsgroups, and have your mind at rest because you filter your e-mail for known exploits and attachments, you could be in trouble.


Newsgroups, although similar to e-mail, cannot be filtered in exactly the same way. A solution to this would be to deploy a newsgroup relay that copies and filters all posts from a public newsgroup server to an internal host. Of course this can produce a number of problems, like slow update times, clogged servers and large disk space requirements. You could always perform a secure installation of the newsgroup client on each and every machine in your network, but this is certainly not the most practical way to improve security, especially in a large network.
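As an added example (not code from the original article), a minimal filter that such a relay could apply to each post before copying it to the internal news server: it drops posts carrying executable attachments, including the double-extension trick, or active content in an HTML body. The blocked-extension list and the sample post are assumptions constructed for this illustration.

```python
import email
import re
from email import policy

# Extensions the relay refuses to forward (assumed list, not from the article).
BLOCKED_EXTENSIONS = {"exe", "vbs", "scr", "pif", "bat", "com", "js", "shs"}
# Active content in an HTML body that a newsreader such as Outlook Express renders.
ACTIVE_HTML = re.compile(r"<\s*(script|object|iframe)\b", re.I)

def blocked_reason(filename):
    """Return why a filename is blocked, or None if it may pass. Every dotted
    suffix is checked, so myself_nude.jpg.exe is caught like a plain .exe."""
    for ext in filename.lower().split(".")[1:]:
        if ext in BLOCKED_EXTENSIONS:
            return f"blocked extension .{ext} in {filename}"
    return None

def check_article(raw):
    """Parse a raw MIME news article and return the reasons to drop it
    (an empty list means the post may be copied to the internal server)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.walk():
        name = part.get_filename()
        reason = blocked_reason(name) if name else None
        if reason:
            reasons.append(reason)
        if part.get_content_type() == "text/html" and ACTIVE_HTML.search(part.get_content()):
            reasons.append("active content in HTML body")
    return reasons

# Constructed sample post for this demonstration, not a real newsgroup article.
SAMPLE_POST = b"""\
From: someone@example.invalid
Newsgroups: comp.test
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

check out the picture
--XYZ
Content-Type: application/octet-stream; name="myself_nude.jpg.exe"
Content-Disposition: attachment; filename="myself_nude.jpg.exe"
Content-Transfer-Encoding: base64

QUJDREVG
--XYZ--
"""
```

A real relay would also want to log what it dropped and why, so that users asking "where did my post go" can be answered.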


-Instant Messenger

Then there are the so-called instant messenger networks and similar ones such as IRC, ICQ and AOL chat. Unlike newsgroups and e-mail, these offer almost instant message replies. Obviously, these networks support sending and receiving files, and many users are very, perhaps overly, willing to receive any file as long as it's named myself_nude.jpg.exe or something similar.


This also means that users are more easily fooled into giving out personal information, some of which can give attackers a real advantage when trying to get into your network. Apart from this, accessing IRC and similar networks exposes your firewall's IP address, or the user's NAT address.


It is very common for users on IRC to get scanned for vulnerabilities. So if any user is accessing IRC and has, for example, PCAnywhere, telnetd or whatever running on the IP address shown on IRC, you can be sure to get some brute forcing one day or another.


ICQ is also known to be a very insecure "protocol". In fact, ICQ makes no claim about the security of their product. Much the same goes for most other chat networks, since they are generally not designed with security in mind, but rather for overall "efficiency" and a multitude of features to satisfy a large number of users. Of course, giving users on a supposedly secure network access to these services will create a backdoor in the network and easily compromise its overall security.

-File Sharing


Then there are the relatively new file sharing applications, which allow users to download MP3s, videos, other multimedia and applications. Napster is the most notorious of all current file sharing applications. No public exploits exist for the Napster protocol, and it has not produced any significant security problems so far. This might be because it only allows audio files (MP3s) to be shared, rather than arbitrary files.


Another similar application, which has produced a lot less legal controversy, is iMesh. This allows executables to pass, thus allowing viruses, Trojans and worms to flow through the network. Of course the user has to be fooled into running the file, as with the IRC and ICQ file sharing problems. We should also keep in mind that this is quite unexplored territory as far as security goes, so ... any evil thoughts?


Similar to this, we have Gnutella, which boasts of decentralization. While testing this network, I have found it quite unreliable. However, I think that this will improve in terms of reliability. The idea of Gnutella gives me loads of evil ideas. For example, worms could communicate through the Gnutella protocol, making them virtually impossible to shut off and difficult to detect. Maybe a virus writer could implement a system so that commands and files are tunneled through the protocol so that the worms can communicate with each other. All is perfect: the source code is available and the protocol is public. Of course I'll leave the details for your private research.


-Solutions


These kinds of problems exist in any network that trusts its own users. Where security is critical and data simply cannot be shared unless legal access is given, it's quite necessary to allow users access only to trusted or filtered protocols, and perhaps only to selected sites. This applies to most corporate networks, where compromising just one machine means compromising the whole network. The solution would be to add the required rules to the firewall and restrict access. Besides that, it's very reasonable to educate the users and set up security policies. The traditional virus scanner always helps as well.
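As an added illustration, not from the article, of what such firewall rules amount to: an audit over a permissive firewall's accept log against an assumed egress policy in which workstations reach the outside only through the HTTP proxy and the mail and news relays, so that direct IRC, ICQ, Napster and Gnutella connections show up as the rules still missing. The hosts, port map and log lines are constructed for this example.

```python
import re
from collections import Counter

# Example egress policy (assumed here, not from the article): workstations may
# only reach the internal proxy and relays, which alone may talk to the outside.
PROXY = ("10.0.0.2", 3128)        # HTTP proxy, filters web content
MAIL_RELAY = ("10.0.0.3", 25)     # SMTP relay, filters attachments
NEWS_RELAY = ("10.0.0.4", 119)    # NNTP relay, filters newsgroup posts
RELAY_HOSTS = {PROXY[0], MAIL_RELAY[0], NEWS_RELAY[0]}
ALLOWED_INTERNAL = {PROXY, MAIL_RELAY, NEWS_RELAY}

# Well-known destination ports of the services the article singles out.
RISKY_PORTS = {6667: "IRC", 5190: "ICQ/AIM", 8888: "Napster", 6346: "Gnutella",
               119: "direct NNTP", 80: "direct HTTP", 25: "direct SMTP"}

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

def classify(line):
    """Return (src, dst, dport, verdict) for one log line, or None if unparsable."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst, dport = m.group(1), m.group(2), int(m.group(3))
    if src in RELAY_HOSTS:                 # the relays are allowed out
        return (src, dst, dport, "ALLOW relay egress")
    if (dst, dport) in ALLOWED_INTERNAL:   # workstation -> proxy/relay
        return (src, dst, dport, "ALLOW via relay")
    if dst.startswith("10."):              # other internal traffic
        return (src, dst, dport, "ALLOW internal")
    service = RISKY_PORTS.get(dport, f"tcp/{dport}")
    return (src, dst, dport, f"DENY {service}")

def audit(lines):
    """Classify every line; return (results, per-source denial counts)."""
    results = [r for r in (classify(l) for l in lines) if r]
    denials = Counter(r[0] for r in results if r[3].startswith("DENY"))
    return results, denials

# Constructed sample lines from a permissive firewall's accept log.
SAMPLE_LOG = """\
2002-03-01 09:00:01 src=10.0.0.12 dst=10.0.0.2 dport=3128
2002-03-01 09:00:05 src=10.0.0.2 dst=203.0.113.10 dport=80
2002-03-01 09:01:12 src=10.0.0.12 dst=198.51.100.5 dport=6667
2002-03-01 09:02:40 src=10.0.0.15 dst=198.51.100.9 dport=5190
2002-03-01 09:03:02 src=10.0.0.12 dst=198.51.100.7 dport=6346
2002-03-01 09:03:30 src=10.0.0.15 dst=10.0.0.4 dport=119
""".splitlines()
```

Each DENY verdict corresponds to a rule the firewall should carry, and the per-source counts point at the users the policy and education effort should start with.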