I got lots of responses on 'Boomerang', which is basically thoughts of
trojans establishing covert channels outbound through a firewall.
Here are some of my responses to those messages:
- Yes, this is similar to the '88 worm, but only because the worm used
covert channels to report on its progress. It usually crashed.
- Yup, users can bring in trojan software via sneakernet like
they did before the internet was big time. The difference
is that those binaries generally are viruses, rather than
interactive comm links to a site outside.
- As for should've already planned or protected against (what
I call) 'Boomerang', conventional security and user education
may not be sufficient when cookies, client-side scripts/applets,
etc. are the norm on the net. The most you can do is stop applet/
script access at the firewall, and warn against binaries from non-
authenticated sites. Ever try to stop all cookies in your browser?
Drives you nuts canceling all those warning messages.
- A trojan such as various shareware screen savers with NT's
rollback.exe bundled in and a delayed execution would be like
lobbing a grenade into a company via keyboard. Most companies
only backup their servers with a policy that users keep data files
on the servers, which of course the executive and technical staff
- Yes, I've seen the password sniffing dll for NT/W95 networks,
and this can be trojaned. But it has to be installed with admin
- Yes, good HTTP and other proxies do control what commands can
be sent (which is why application proxies are way better than
packet filters). There are other standard proxies that don't
limit outbound commands such as telnet, cookie data and e-mail.
It's too restrictive to interactively authenticate all outbound
links to the net. And automatically authenticating machines won't
do the trick if a program from that machine wants a link out.
Hmm. Only use strong proxies. No transparent proxies allowed.
Browsers that can't save to disk. Good starting places.
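To illustrate the point above about application proxies versus packet filters, here is a small added example (not code from the original post or any product it mentions): a port-only packet-filter decision beside an application-proxy decision that inspects the outbound HTTP request line itself. Host names and the sample request lines are constructed for the demonstration.

```python
import re

# Policy for the egress path (hypothetical values chosen for this example).
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_PORTS = {80, 8080}
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")
HTTP_URL = re.compile(r"^http://([A-Za-z0-9.-]+)(?::(\d+))?(/.*)?$")
IP_LITERAL = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def packet_filter_allows(dst_port: int) -> bool:
    """A packet filter sees only addresses and ports: anything to an
    allowed port passes, whatever protocol actually rides on it."""
    return dst_port in ALLOWED_PORTS


def app_proxy_allows(request_line: str, dst_port: int) -> tuple[bool, str]:
    """An application proxy parses the request and applies the policy to
    the command itself. Returns (decision, reason)."""
    if not packet_filter_allows(dst_port):
        return False, "port not allowed"
    m = REQUEST_LINE.match(request_line)
    if not m:
        return False, "not an HTTP request line"      # some other protocol on port 80
    method, target = m.group(1), m.group(2)
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not allowed"   # e.g. CONNECT tunnelling
    u = HTTP_URL.match(target)
    if not u:
        return False, "request target is not a plain http:// URL"
    host, url_port = u.group(1), u.group(2)
    if IP_LITERAL.fullmatch(host):
        return False, "IP-literal host not allowed"    # policy is written for names
    if url_port and int(url_port) not in ALLOWED_PORTS:
        return False, "URL port not allowed"
    return True, "ok"


# Constructed outbound traffic as the proxy would see it (request line, port).
SAMPLES = [
    ("GET http://www.example.com/index.html HTTP/1.0", 80),   # ordinary browsing
    ("CONNECT www.example.com:443 HTTP/1.0", 80),              # tunnel request
    ("PING 1234", 80),                                         # non-HTTP on port 80
    ("GET http://192.0.2.10/ HTTP/1.1", 80),                   # bare IP destination
    ("GET http://www.example.com/ HTTP/1.0", 6667),            # non-web port
]


def evaluate(samples):
    """Return (packet_filter_decision, app_proxy_decision) per sample."""
    return [(packet_filter_allows(p), app_proxy_allows(line, p)[0]) for line, p in samples]
```

Running evaluate(SAMPLES) shows the packet filter passing four of the five samples on port alone, while the proxy accepts only the ordinary GET.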