Marcus Ranum on 6 Dumbest ideas in Computer Security

Posted by ayoi | work and IT | Thursday 17 January 2008 6:50 pm

OK, I know it’s an old article, originally written for certifiedsecuritypro.com, but the content of that article is still relevant. To be honest I had a good laugh while reading the article tho. How true it is.

First of all, yeah, the idea of “Default Permit” is really dumb. My favourite situation is when deciding firewall policy or rules: I always get asked the question “For firewall rules or policy, should we allow first and then deny, or the other way around?”

I think MJR’s (Marcus J. Ranum) explanation should answer this question (and I intend to use it in my training class soon). His explanation on this issue:

Back in the very early days of computer security, network managers would set up an internet connection and decide to secure it by turning off incoming telnet, incoming rlogin, and incoming FTP. Everything else was allowed through, hence the name “Default Permit.” This put the security practitioner in an endless arms-race with the hackers. Suppose a new vulnerability is found in a service that is not blocked – now the administrators need to decide whether to deny it or not, hopefully, before they got hacked.

It’s just like a building with 65535 doors: how do you secure it? By telling visitors that they can use any door except a few, or by telling them that they can NOT enter the building unless they use a few designated doors?

Secondly, about Enumerating Badness. It is about the time wasted identifying and listing attack patterns, attack traffic or attack vectors, instead of identifying and tracking the applications, normal traffic and patterns running in the network, or keeping track of what should be running on our systems. In other words, just allow the good traffic or applications and deny the unwanted or bad applications or traffic. “Default Deny” should be implemented instead of “Default Permit”.

To quote MJR again;

Why is “Enumerating Badness” a dumb idea? It’s a dumb idea because sometime around 1992 the amount of Badness in the Internet began to vastly outweigh the amount of Goodness. For every harmless, legitimate, application, there are dozens or hundreds of pieces of malware, worm tests, exploits, or viral code. Examine a typical antivirus package and you’ll see it knows about 75,000+ viruses that might infect your machine. Compare that to the legitimate 30 or so apps that I’ve installed on my machine, and you can see it’s rather dumb to try to track 75,000 pieces of Badness when even a simpleton could track 30 pieces of Goodness.
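To make the “allow first or deny first” question and the Enumerating Badness point concrete, here is an added example of mine (not code from Ranum’s article or from this post). It writes the two firewall stances as tiny policy functions, runs them over constructed sample traffic that includes a service nobody reviewed, and renders each stance as the nftables input chain it maps to. The port sets, the 8080 service and the sample flows are assumptions; the ruleset is generated as text only and nothing here applies it.

```python
# Added example: "Default Permit" vs "Default Deny" as executable policy.
# Not from Ranum's article or the post; ports and sample flows are constructed.
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Flow:
    dst_port: int
    service: str  # human-readable label only


# "Enumerating Badness": the three services the early admin in the quote thought of.
BLOCKED_PORTS = {21, 23, 513}      # ftp, telnet, rlogin

# "Enumerating Goodness": the few services this site actually needs to expose (assumed).
ALLOWED_PORTS = {25, 80, 443}      # smtp, http, https

Policy = Callable[[Flow], bool]


def default_permit(flow: Flow) -> bool:
    """Everything is allowed unless it appears on the blocklist."""
    return flow.dst_port not in BLOCKED_PORTS


def default_deny(flow: Flow) -> bool:
    """Nothing is allowed unless it appears on the allowlist."""
    return flow.dst_port in ALLOWED_PORTS


# Constructed sample traffic: the three "known bad" services, the three
# legitimate ones, and an app somebody stood up on 8080 that no one reviewed.
SAMPLE_FLOWS = [
    Flow(23, "telnet"), Flow(21, "ftp"), Flow(513, "rlogin"),
    Flow(80, "http"), Flow(443, "https"), Flow(25, "smtp"),
    Flow(8080, "unreviewed-app"),
]


def exposed_services(policy: Policy, flows: Iterable[Flow] = SAMPLE_FLOWS) -> set[str]:
    """Services reachable from outside under the given policy."""
    return {f.service for f in flows if policy(f)}


def needs_emergency_rule(policy: Policy, port: int) -> bool:
    """Ranum's arms race: a new vulnerability is published for `port`. Does the
    admin have to rush out a new rule, or was the port never reachable anyway?"""
    return policy(Flow(port, "newly-vulnerable"))


def nft_ruleset(policy: Policy) -> str:
    """Render the stance as an nftables input chain. The chain's base 'policy'
    keyword is exactly where Default Permit vs Default Deny lives: 'policy accept'
    plus a few drop rules, or 'policy drop' plus a few accept rules.
    Text only; this function does not apply anything."""
    if policy is default_deny:
        base, verb, ports = "drop", "accept", sorted(ALLOWED_PORTS)
    else:
        base, verb, ports = "accept", "drop", sorted(BLOCKED_PORTS)
    port_list = ", ".join(str(p) for p in ports)
    return (
        "table inet filter {\n"
        "  chain input {\n"
        f"    type filter hook input priority 0; policy {base};\n"
        "    ct state established,related accept\n"
        "    iif lo accept\n"
        f"    tcp dport {{ {port_list} }} {verb}\n"
        "  }\n"
        "}\n"
    )


if __name__ == "__main__":
    for name, policy in (("Default Permit", default_permit), ("Default Deny", default_deny)):
        rules = BLOCKED_PORTS if policy is default_permit else ALLOWED_PORTS
        print(f"{name}: exposed = {sorted(exposed_services(policy))}, rules to maintain = {len(rules)}")
        print(f"  new vuln on 8080 needs an emergency rule: {needs_emergency_rule(policy, 8080)}")
        print(nft_ruleset(policy))
```

Under Default Permit the unreviewed 8080 app is reachable on day one and every newly published vulnerability in an unblocked service forces a reactive rule; under Default Deny it was never reachable, and the list to maintain is the short list of what the business actually needs rather than an ever-growing list of Badness.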

And the 3rd one is about the need for secure application design or frameworks, instead of implementing first and managing the bugs/flaws later :D

Well I think you should read it yourself. ;)

Defacement on .gov.my sites. Should we be concerned?

Posted by ayoi | work and IT | Monday 31 December 2007 10:11 am

One of my favourite sites nowadays is http://security.org.my, which recently published a series of defacements on .gov-related sites, reported by users. Surprisingly, there are a few websites that have been re-defaced from time to time, and sadly the response from the affected parties is either minimal or non-existent.

One commenter on the defacement posting said that

“I think the country still can survive even if Majlis Daerah Kinta Barat or Majlis Perbandaran Manjung got defaced”

I do agree with the statement. Yes, the country will survive this kind of attack on our government-related sites, but let me point out a few things tho.

For me, defacement is an attack that leaves a trace like a blinking neon light in the middle of the desert at night, because we can determine the attacker’s final intention in executing his attack. It is easier to trace, as most of these attacks target web application flaws and vulnerabilities, which most of the time will be logged either in the web logs or by the IDS. And of course, you will obviously know that the defaced web site has been compromised. Ahh, and most of the time the attackers are either script kiddies who stumbled upon a few scripts or beginners at web attacks. It’s just like when you use nikto/nessus to launch a web vulnerability scan: it DOES produce a huge number of alerts, at least for snort.

But again, I do wonder why the response is either too slow or non-existent at all, and in the case of re-defacement, has the administrator taken any necessary action to prevent such an incident? Most of the time the action will be the restoration of the web page(s). But do they identify why the defacement occurred on their sites? Did they perform their own assessment of their assets, applications and platform? Did they perform their patch management accordingly? I guess there are many questions that need to be answered by them.
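The two things an administrator actually has in hand after a defacement are the served pages and the web logs, so here is an added example of mine (not code from the post or from security.org.my) of two checks built on exactly those: a content baseline that reports which pages changed, appeared or vanished (so “restore the page” becomes “find out what else was touched”), and a pass over Apache combined-format access log lines that surfaces the noisy scanner activity the post says usually precedes these attacks. The site contents, log lines, IP addresses and the scanner User-Agent strings are constructed; the 404 threshold is an assumption.

```python
# Added example: page-integrity baseline plus access-log triage for a defaced site.
# Not the post's code; all site content, log lines and addresses are constructed.
import hashlib
import re
from collections import defaultdict


# --- (1) page integrity: which pages changed? -------------------------------
def content_hash(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()


ORIGINAL_SITE = {  # constructed known-good copy of the site
    "/index.html": b"<html><body><h1>Welcome to the council site</h1></body></html>",
    "/about.html": b"<html><body><p>About us</p></body></html>",
}
# Baseline is recorded once from the known-good copy (ideally kept off the web host).
BASELINE = {path: content_hash(body) for path, body in ORIGINAL_SITE.items()}


def changed_pages(served: dict[str, bytes], baseline: dict[str, str]) -> list[str]:
    """Paths whose served content no longer matches the baseline, plus paths that
    appeared (dropped files) or disappeared (deleted pages)."""
    changed = [p for p, body in served.items()
               if p not in baseline or content_hash(body) != baseline[p]]
    missing = [p for p in baseline if p not in served]
    return sorted(changed + missing)


DEFACED_SITE = dict(ORIGINAL_SITE)  # constructed defacement: index replaced, a file dropped
DEFACED_SITE["/index.html"] = b"<html><body><h1>defaced (constructed)</h1></body></html>"
DEFACED_SITE["/x.txt"] = b"dropped file"


# --- (2) spotting the scanner in the web log --------------------------------
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
SCANNER_UA = re.compile(r"nikto|nessus", re.I)  # scanner names mentioned in the post

SAMPLE_LOG = """\
198.51.100.7 - - [31/Dec/2007:09:55:10 +0800] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [31/Dec/2007:09:58:01 +0800] "GET /admin/ HTTP/1.1" 404 512 "-" "Mozilla/5.00 (Nikto/2.1.6)"
203.0.113.5 - - [31/Dec/2007:09:58:02 +0800] "GET /phpmyadmin/ HTTP/1.1" 404 512 "-" "Mozilla/5.00 (Nikto/2.1.6)"
203.0.113.5 - - [31/Dec/2007:09:58:02 +0800] "GET /cgi-bin/test.cgi HTTP/1.1" 404 512 "-" "Mozilla/5.00 (Nikto/2.1.6)"
203.0.113.5 - - [31/Dec/2007:09:58:03 +0800] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.00 (Nikto/2.1.6)"
198.51.100.7 - - [31/Dec/2007:10:01:44 +0800] "GET /about.html HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""


def parse_log(text: str) -> list[dict]:
    """Parse combined-format lines; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = COMBINED_LOG.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def suspicious_sources(entries: list[dict], not_found_threshold: int = 3) -> dict[str, dict]:
    """Per client IP: count of 404s, distinct paths probed, and whether a scanner
    identified itself in the User-Agent. An IP is reported when either signal fires,
    so a scanner with a spoofed User-Agent still shows up through its 404 burst."""
    stats = defaultdict(lambda: {"not_found": 0, "paths": set(), "scanner_ua": False})
    for e in entries:
        s = stats[e["ip"]]
        s["paths"].add(e["path"])
        if e["status"] == "404":
            s["not_found"] += 1
        if SCANNER_UA.search(e["ua"]):
            s["scanner_ua"] = True
    return {ip: {**s, "paths": sorted(s["paths"])} for ip, s in stats.items()
            if s["scanner_ua"] or s["not_found"] >= not_found_threshold}


if __name__ == "__main__":
    print("changed pages:", changed_pages(DEFACED_SITE, BASELINE))
    for ip, s in suspicious_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, s)
```

The integrity check answers “what was touched?” rather than just “is the front page ugly?”, and the log pass gives the administrator a timestamp and a source to start the root-cause work from, which is the part the post says keeps getting skipped.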

My concern is not the defacement issue but more the response. If they fail to react or respond accordingly to these annoying (my view) attacks, then let me give one scenario that should put enuff ph34r in those administrators’ hearts.

Imagine there’s one attacker who has the knowledge, the skills, the tools and the motivation to launch his attack, and who adheres to the maxim of intrusion “minimize signal, maximize access and maximize damage”. His exploits are custom-made tools, built for unpublished vulnerabilities he has identified in the victim’s web application (0-dayz). His attack traffic is well crafted to appear as normal traffic in the network, and of course, being 0-dayz attacks, they will bypass the firewalls and IPS and even avoid triggering IDS alerts. Or worse, he will create an encrypted channel to communicate with the compromised machine over ports that appear normal. His final intention? To steal data.

IF our .gov-related administrators fail to respond appropriately to web defacement attacks, just imagine what kind of response they will give to the attack I’ve mentioned above. I can bet the response is none ;)

Am I concerned? No, I am not concerned.. I am freaking worried.