Re: Attackers Exploit Animated Cursor Flaw

["Robert Green" <ROBERT_GREEN1963@xxxxxxxxx>]

"Neil Cherry" <njc@xxxxxxxxxxx> wrote in message
news:slrnf1pomp.h2q.njc@xxxxxxxxxxxxxx
> In comp.home.automation, you wrote:
> > "Marc_F_Hult" <MFHult@xxxxxxxxxxxxxxxxxxxxx> wrote in message
> >
> >> On Fri, 30 Mar 2007 19:21:39 -0400, "Robert Green"
> >>
> >> >Attackers Exploit Unpatched Explorer Flaw
> >
> ><stuff snipped>
> >
> >> IMO, HA and a smart home ought to be helpful in smart risk assessment
and
> >> effective risk reduction, and real-time loss mitigation (think
sprinklers
> >> and their cyber equivalents) -- not feeding paranoia.
>
> > With more and more emphasis on HA, alarm and even HT systems being
"internet
> > enabled" security issues are going to require careful consideration.  It
> > appears that the cursor exploit is being considered as rather serious
among
> > security experts.  It's unfortunate that not one poster here has
indicated
> > an interest (or perhaps a willingness) to engage in discussions about
how to
> > secure the HA to internet interface as best as possible.  Perhaps we
need to
> > sort that sociological issue out before any technological or educational
> > interaction can proceed.
>
> I don't know if I can add anything useful to the conversation but I
> have a few points that may be of interest. I know a number of
> engineers who refuse to secure their home systems. One recent revealed
> that his home PC was so full of spyware that it failed to boot. He
> went to a local electronics retailer for advice on how to fix the
> problem (cha-ching, sale made). Another has a wireless system where he
> only uses WEP because it's 'good enough' (WEP can be cracked in about
> a minute). In the lab, at work, a vendor failed to inform us that
> their tool actually ran Embedded Windows and we had a nice case of
> spyware that kept re-infecting the lab servers. What a nightmare to
> find that one, and to get fixed! Modern printers (as well as other
> Internet ready appliances) are now running embedded Windows, how do
> you go about finding out and getting that fixed. Two years ago it was
> demonstrated that a Cisco router could be infected, used to run remote
> code and turned into a zombie machine. I'm also pretty sure there are
> various Linux embedded devices that have their fair share of problems.
> These complexities are enough to drive the engineering staff to drink.
> The average user can't even begin to comprehend what this all means or
> how to properly deal with it. Remember they pretty much want
> plug-n-play.

I think that's why so many new PCs are sold.  I know of several cases where
machines were so infested with spyware and such that they ran at 1/10 normal
speed when they ran at all.  Their owners just went out and bought new
machines, hoping that newer was somehow safer, but it really never was.
Lots of people balk at the attention to detail securing a PC requires and
conceptually, I suppose you never really can secure a machine that has to
talk to the outside world.  That's why I found the animated cursor exploit
so troubling.  Who would have thunk it?

> If you're concerned with securing the access to the HA env. from
> outside the home this isn't too difficult. You've got VPN or ssh
> tunnels that can easily solve those kinds of problems. With the
> appropriate home route/firewall that can easily be established.

Half of the readers here have likely just lost you!  (-: Virtual Private
Networks and ssh are not the stuff that Suzie Q. Homeowner, trying to
monitor her babysitter via a cellphone hookup. is going to master.  There's
a good writeup here:

http://en.wikipedia.org/wiki/VPN

<<Secure VPNs use cryptographic tunneling protocols to provide the intended
confidentiality (blocking snooping and thus Packet sniffing), sender
authentication (blocking identity spoofing), and message integrity (blocking
message alteration) to achieve privacy. >>

> The main problem with security is that it generally an after thought.
> Users only care about it when it interferes with the usage of the
> system (either by making it difficult to use or by fixing it after the
> fact). Vendors are more concerned with getting the system usable so
> they can get it out the door (they can always fix it later).

Agree, and that "rush to ship" often spells trouble for the end user.
Vendors are notorious for having stuff default to the least secure mode.
Also, security is a pain.  At one place I worked at, we had to reset at
least a motherboard a month when the user forgot the BIOS password.
Security adds a lot of overhead.

> Right now I'm can only take comfort in know that my system is more
> secure than that of my neighbors' systems. It's like when riding a
> bicycle by a loose dog. You don't have to be the fastest rider just
> don't be the slowest rider.

Or the one that smells like bacon. (-:  If you're the standing up nail, like
Steve Gibson was, www.grc.com/dos/grcdos.htm all the security in the world
couldn't prevent him from being victimized by a massive DOS attack.  That's
what botnets excel at.   Not being able to reach your own PC's is not as bad
as someone hacking in, but it's no picnic, either.

But back to the main question.  Even with VPN and firewalls, something like
the cursor exploit seems to me like getting carjacked.  If you open up all
the secure connections and then click on a site that uses the exploit,
you'll have turned control over to the bad guys.  They don't need to break
in, they just need to trick you into letting them in.

--
Bobby G.