I am planning to be very quick and brief with this post and to try to clarify some misconception regarding some of our latest posts and projects on GNUCITIZEN.
The first general misconception is regarding the CITRIX posts. Let's start with "CITRIX: Owning the Legitimate Backdoor", shall we? A lot of GNUCITIZEN's readers thought that I am showing new attack techniques. No, they are not new! In fact, I have provided you with a script and a link to a paper that was published back in 2002. However, my intention was not to familiarize you with the techniques but to draw your attention to the ridiculous number of wide open CITIRIX service located on government and military facilities. I don't know about you but to me this is concerning. It has become even more concerning when I accidentally stumbled accross some nuclear power I don't know what, a global logistics system and US Federal funding portal. Since, I don't have the time and the facilities to contact each of the affected organization individually I decided to go public and let the people know about the problem, hoping that someone will bother. Fortunately for all of us, the operation was successful!
Then me and Adrian published a post ("BT Home Flub: Pwnin the BT Home Hub") on the vulnerabilities we found in BT Home Hub/Thomson/Alcatel Speedtouch 7G router, currently affecting more then 2 000 000+ (two millions plus) users. We don't even know the exact number. We believe that it is has to be at least 4 or 5 millions (GLOBALLY!) mainly because of similar issues found on the Speedtouch routers shipped by other ISPs.
I would like to draw your attention to some of the details published regarding this vulnerability. First of all it is remote. Second of all, attackers can completely hijack the victim, including but not only, their INTERNET TRAFFIC, their VOIP calls, their BANK ACCOUNTS, their SOCIAL PROFILES, and of course, they can purchase goods on the behalf of the victim, perform IDENTITY THEFT stunts, etc, etc, etc. The attack is a combination of a Cross-site scripting, Cross-site request forgery and Authentication Bypass vulnerabilities. This means that no matter how strong your password is, you are still vulnerable. Period!
Next, two follow up posts were published on some rather concerning CITRIX and Microsoft Terminal Services issues. The first one, titled "Remote Desktop Command Fixation Attacks", is about how easy it is to trick someone to authenticate a RDP or ICA session and as such let the bad guys in. People from FD and BUGTRAQ have responded with some very interesting but quite groundless claims. stating that this is not an issues and that if you can make the user click on a RDP or ICA file then you can make them click on anything (i.e. .exe and .bat files). Bollocks! Let me tell you something! Executables and shell scripts are blocked by default by most open source and commercial grade filters and mail gateways - RDP and ICA are not. People use remote desktop facilities all the time. We've been testing some of the world top financial organizations and all of them use RDP or ICA. And the victim doesn't have to do anything but to log in.
The second post "0day: Hacking secured CITRIX from outside" expands on the previous one and provides some details on how easy it is to penetrate CITRIX by simply tricking unaware user to visit a malicious website. In this case, the victim does not have to authenticate or perform any interaction. The attack is automatic, transparent and quite dangerous.
Last but not least, I would like to bring some light on what I meant when I said that "Security in depth does not exist". IT security is not only about keeping the perimeter safe. There is a lot more then that. Sometimes, it is so hard to get the security right that attacks are just inevitable. Sometimes systems are set in such an impossible way that it is extremely hard and very expensive to set them the right way. This is all the time. Security in depth is hard to implement. You may think that you implement it the right away but as they say: "a system is as secure as the weakest link". Luckily we have a Black PR/Crisis PR consultant on board, here at GNUCITIZEN, to explain to us how to handle the security problem the right way.