Firewall rules: not as secure as you think

This post introduces some tricks for jailbreaking hosts behind “s...

@nixCraft I’ve been using SSH -R to help administer computers remotely for years. Just today I had a family friend tell me their wireless mouse stopped working… I connected through the SSH tunnel, ran VNC, opened an app that uses the camera, and had them show me the mouse. The mouse was charged, it just needed to be turned off and back on again.

One day I’ll put everyone on a VPN, but this works great right now.

@nixCraft Firewalls are mostly useless to stop data exfiltration without an IPS/IDS; a rule like (src_ip, src_port, dst_ip, dst_port) is too coarse-grained and allows arbitrary payloads. But IPS/IDS is also useless for encrypted connections, unless you MITM all connections in order to inspect suspicious protocol-level activities, which is error-prone and is indistinguishable from an attacker. Any sufficiently advanced Intrusion Detection System is indistinguishable from an attacker. Then the only alternative is side-channel analysis on packet sizes or traffic patterns, which is not invasive but imprecise. Conclusion: Firewalling a general-purpose public server stopped being practical many years ago...
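An added example, not part of the original post: the reply's two claims run over constructed flow records. Every sample flow passes a 4-tuple egress rule, and a metadata-only check (byte ratio and duration) flags the suspicious ones but also a legitimate backup. The rule, thresholds, flow names and addresses are assumptions made up for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    bytes_out: int    # client -> server
    bytes_in: int     # server -> client
    duration_s: int

# Hypothetical egress rule in the 4-tuple form the post describes; None = any.
ALLOW = [("10.0.0.0/24", None, "0.0.0.0/0", 443)]

def rule_allows(flow, rules=ALLOW):
    """True if any (src_net, src_port, dst_net, dst_port) rule matches the flow."""
    src = ipaddress.ip_address(flow.src_ip)
    dst = ipaddress.ip_address(flow.dst_ip)
    for src_net, sport, dst_net, dport in rules:
        if (src in ipaddress.ip_network(src_net)
                and dst in ipaddress.ip_network(dst_net)
                and sport in (None, flow.src_port)
                and dport in (None, flow.dst_port)):
            return True
    return False

def looks_anomalous(flow, max_ratio=5.0, max_duration_s=3600):
    """Metadata-only heuristic (assumed thresholds): upload-heavy or long-lived."""
    ratio = flow.bytes_out / max(flow.bytes_in, 1)
    return ratio > max_ratio or flow.duration_s > max_duration_s

# Constructed sample flows using documentation address ranges, not real traffic.
FLOWS = {
    "web browsing": Flow("10.0.0.5", 51000, "203.0.113.10", 443, 40_000, 2_500_000, 45),
    "bulk upload, unknown host": Flow("10.0.0.7", 51001, "198.51.100.20", 443, 900_000_000, 1_200_000, 600),
    "legitimate offsite backup": Flow("10.0.0.9", 51002, "203.0.113.50", 443, 4_000_000_000, 3_000_000, 1800),
    "long-lived tunnel": Flow("10.0.0.11", 51003, "198.51.100.77", 443, 6_000_000, 5_500_000, 28_800),
}

def triage(flows=FLOWS):
    """Map each flow name to (allowed by firewall rule, flagged by heuristic)."""
    return {name: (rule_allows(f), looks_anomalous(f)) for name, f in flows.items()}

if __name__ == "__main__":
    for name, (allowed, flagged) in triage().items():
        print(f"{name:28s} allowed={allowed} flagged={flagged}")
```

The backup flow is flagged exactly like the unknown bulk upload, which is the imprecision the reply refers to: separating them needs context the flow metadata does not carry, such as an inventory of approved destinations.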

@nixCraft

If you can transmit packets, you can do magic.

@nixCraft
Although these tools have a valid place, I would never use them on customer networks without their EXPLICIT CONSENT.

The customer expects you to act ethically and abide by their rules. Anything less erodes their trust and opens the path to serious breach of contract and litigation.

If the customer does not provide their own methods of remote access, even though that is their contractual obligation, the fault is theirs.

#security #networks #ethics #RemoteAccess