On Jan 14, 2011, at 6:24 AM, William Herrin wrote: > On Thu, Jan 13, 2011 at 11:50 PM, Douglas Otis <do...@mail-abuse.org> wrote: >> Unfortunately, a large number of web sites have been compromised, where an >> unseen iFrame might be included in what is normally safe content. A device >> accessing the Internet through a NATs often creates opportunities for >> unknown sources to reach the device as well. Once an attacker invokes a >> response, exposures persist, where more can be discovered. There are also >> exposures related to malicious scripts enabled by a general desire to show >> users dancing fruit. Microsoft now offers a toolkit that allows users a >> means to 'decide' what should be allowed to see fruit dance. Users that >> assume local networks are safe are often disappointed when someone on their >> network wants an application do something that proves unsafe. Methods to >> penetrate firewalls are often designed into 'fun' applications or poorly >> considered OS features. > > Doug, > > Passive attacks. Very effective. Breeze past the firewall like it > wasn't there. Hard to target though; work best when you're fishing for > whatever you can get instead of trying to crack a particular system. > Some success combining them with social engineering. > Grabbing whatever you can get near the thing you're trying to crack is often a good first step. Afterall, once you pwn a system inside the firewall in the same security zone as your target, it becomes a lot easier to attack your target.
> Not terribly relevant to the discussion in this thread. Firewalls > mostly block active attacks where a hacker is pushing unsolicited data > at a host instead of waiting for the host to request data. Whether or > not NAT is involved doesn't really change that larger picture of the > general class of attacks firewalls obstruct. > Ah, but, the point here is that NAT actually serves as an enabling technology for part of the attack he is describing. Another example where NAT can and is a security negative. The fact that you refuse to acknowledge these is exactly what you were accusing me of doing in my previous emails. Owen
