Good luck teaching common sense.
--- Kinnell <kinnell.t_at_gmail.com> wrote:
> Very true. However we are not looking to ban people from using e-mail
> as a tool to pass important files; we are looking to keep Tim, the new
> intern from a near college, from opening a stupid e-mail with a "your
> wife knows you watch porn" subject and running a file in there that is
> said to keep your wife from finding out.
>
> The problem is between the keyboard and the seat, not so much on the
> servers, but if we can't teach the users common sense then we need to
> ban all files. Same goes for so many hot topic items
>
>
> -Kinnell
>
> On Mon, 14 Mar 2005 22:41:44 -0800 (PST), Jonathan Loh <kj6loh_at_yahoo.com>
> wrote:
> > Ok let's have a reality check.
> > Blocking archive files is easy by just writing a simple filter looking for
> > various extensions. Pruning executable files means you will have to use that
> > same filter, open the archive, either extract the whole thing, delete the
> > executables, and repackage the whole thing, or delete the executables in place.
> >
> > Everyone can split large application files, or can be taught how, and send them
> > to be repackaged. Ever wonder how TCP and UDP work?
> >
> > --- David J ONEILL <David.J.Oneill_at_state.or.us> wrote:
> > > Gee, why not just block ALL email communication. That would save you
> > > some work too.
> > >
> > > Archive files are a necessary part of communication and very beneficial
> > > in saving bandwidth.
> > >
> > > Let's have a reality check ....
> > >
> > > David J O'Neill
> > > Senior Systems Analyst
> > > State of Oregon
> > > Department of Human Services
> > > Office of Information Services
> > > PH# 503.378.2101 ext. 280
> > > email david.j.oneill_at_state.or.us
> > >
> > > >>> Jonathan Loh <kj6loh_at_yahoo.com> 03/14/05 02:21PM >>>
> > > Ok that's a solution. But what I want to ask you is this. How much overhead
> > > does it take to do this? Blocking archive files would be an easier method with
> > > little overhead. Possibly with a reply to sender that your site does not
> > > accept archive files.
> > > --- Kinnell <kinnell.t_at_gmail.com> wrote:
> > > > On the network I'm a member of we block all exe files sent inside the
> > > > rar or zip, so even if it is sent the file will be 0byted. Wouldn't
> > > > that be a better method? Otherwise if you block all bz2, zip, rar,
> > > > etc... then you will block a lot of useful communication
> > > >
> > > > -Kinnell
> > > >
> > > > On Fri, 11 Mar 2005 16:49:16 -0500, adisegna_at_siscocorp.com
> > > > <adisegna_at_siscocorp.com> wrote:
> > > > > Sean, I have to disagree with you. Any file that can encapsulate an
> > > > > executable file should be blocked (IMO). ZIP files are one of the
> > > > > biggest carriers of malicious content these days. I don't make it a
> > > > > habit of trusting my users no matter how many times they get trained.
> > > > > RAR extraction tools are not part of the software image policy on my
> > > > > network so users are oblivious to the file blocking. What is your
> > > > > solution?
> > > > >
> > > > > Thanks
> > > > >
> > > > > AD
> > > > > Information Technology Group
> > > > > Security Identification Systems Corporation
> > > > >
> > > > > -----Original Message-----
> > > > > From: Sean Crawford [mailto:sean01_at_accnet.com.au]
> > > > > Sent: Tuesday, March 08, 2005 9:39 PM
> > > > > To: security-basics_at_securityfocus.com
> > > > > Subject: RE: 543.rar attachment
> > > > >
> > > > > ---> -----Original Message-----
> > > > > ---> From: adisegna_at_siscocorp.com [mailto:adisegna_at_siscocorp.com]
> > > > >
> > > > > ---> Subject: RE: 543.rar attachment
> > > > >
> > > > > ---> I just recently got the same executable inside .rar. I extracted the
> > > > > ---> dddd.exe and ran a scan on it. Norton Corporate 9.01 didn't find
> > > > > ---> anything (as of 4 days ago). I wasn't about to double click this exe on
> > > > > ---> my corporate network. Block the rar extension on your mail server.
> > > > > --->
> > > > >
> > > > > rar is a valid compression format...blocking it isn't a very good
> > > > > solution.
> > > > >
> > > > > 2 cents.
> > > > >
> > > > > Sean
> > > > >
> > > > >
> > > >
> > >
> > >
> > >
> > >
> >
> >
>
Received on Mar 15 2005
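
The approach discussed in the thread (open the archive, zero out executable members, repackage) as an added example that is not code from any poster. It covers ZIP only, one level deep; the extension list, the size limit and all function names are assumptions chosen for illustration.

```python
import io
import zipfile

EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}  # assumed policy list
MAX_MEMBER = 50 * 1024 * 1024  # assumed per-member size limit (zip-bomb guard)

def is_executable(info, head):
    """Flag by extension or by magic bytes (PE 'MZ', ELF), so a renamed .exe is caught."""
    name = info.filename.lower()
    by_ext = any(name.endswith(e) for e in EXEC_EXTS)
    return by_ext or head[:2] == b"MZ" or head[:4] == b"\x7fELF"

def neutralize_zip(data):
    """Return (new_zip_bytes, flagged_names); flagged members are rewritten as 0 bytes."""
    flagged = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            encrypted = bool(info.flag_bits & 0x1)
            too_big = info.file_size > MAX_MEMBER
            if encrypted or too_big:
                # Content cannot be inspected safely: treat the member as blocked.
                flagged.append(info.filename)
                dst.writestr(info.filename, b"")
                continue
            body = src.read(info)
            if is_executable(info, body):
                flagged.append(info.filename)
                body = b""
            dst.writestr(info.filename, body)
    return out.getvalue(), flagged

def build_sample():
    """Constructed sample attachment: a text file, an .exe, and a renamed PE header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("readme.txt", b"quarterly numbers attached")
        z.writestr("dddd.exe", b"MZ\x90\x00 constructed stub")
        z.writestr("invoice.pdf", b"MZ\x90\x00 constructed stub, wrong extension")
    return buf.getvalue()

if __name__ == "__main__":
    cleaned, flagged = neutralize_zip(build_sample())
    print("zero-byted:", flagged)
```

Password-protected members are flagged rather than passed through, since the filter cannot read them; nested archives would need the same function applied recursively.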