Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos

Security Basics: Re: 543.rar attachment

Re: 543.rar attachment

From: Micro Kluge <microkluge_at_hotmail.com>
Date: Wed, 16 Mar 2005 13:33:49 +0000

Security and Functionality are always the knife edge we walk. Too much of
one and we get not enough of the other. Each of our various entities has
certain needs and we each have to prune our desires and policies to fit
these realities. I am priviledged to have the ability to filter just about
any type of file extensions that I wish to. This includes stripping .rar,
.zip and .exe's, along with many others, at the gateway.
I realize this will not work for everyone, but this strategy is just a part
of my defense-in-depth, and has worked quite well thus far.

Cheers,
Erik

>From: "David J ONEILL" <David.J.Oneill_at_state.or.us>
>To: <kinnell.t_at_gmail.com>,
><security-basics_at_securityfocus.com>,<kj6loh_at_yahoo.com>
>Subject: Re: 543.rar attachment
>Date: Tue, 15 Mar 2005 10:50:24 -0800
>
>I hope you were being rhetorical in your questions. If not, you clearly
>do not have enough experience to be discussing what should and should
>not be allowed via email.
>
>As a state agency, we work with many other organizations (large and
>small), some only have regular email access to work with.
>
>David J O'Neill
>Senior Systems Analyst
>State of Oregon
>Department of Human Services
>Office of Information Services
>PH# 503.378.2101 ext. 280
>email david.j.oneill_at_state.or.us
>
> >>> Jonathan Loh <kj6loh_at_yahoo.com> 03/15/05 10:44AM >>>
>Ok let's take it from that standpoint then. All executables are not
>evil.
>
>All computer users are not evil. Does this mean we will shut down our
>firewalls and let everybody access our internal networks?
>
>I'm not saying stop all email traffic, far from it, just all archives.
>There
>are many ways of getting archives in. But oh well to each his own.
>Have you
>heard of ssh/scp/sftp for deployment of programs? Along with perhaps
>an email
>stating where to get your program and how to install it?
>--- David J ONEILL <David.J.Oneill_at_state.or.us> wrote:
>
> > And your point is ....
> >
> > Not all executable files are evil, the source of the file must be
> > considered. Sometimes, such as client server applications,
>executable
> > files must be deployed with the associated resource files. And with
>the
> > limitations on attachment sizes placed on commercial email systems,
>one
> > needs all the compression one can get.
> >
> > David J O'Neill
> > Senior Systems Analyst
> > State of Oregon
> > Department of Human Services
> > Office of Information Services
> > PH# 503.378.2101 ext. 280
> > email david.j.oneill_at_state.or.us
> >
> > >>> Jonathan Loh <kj6loh_at_yahoo.com> 03/14/05 10:41PM >>>
> > Ok let's have a reality check.
> > Blocking archive files is easy by just writing a simple filter
>looking
> > for
> > various extensions. Pruning executable files means you will have to
> > use that
> > same filter, open the archive, either extract the whole thing,
>delete
> > the
> > executables, and repackage the whole thing, or delete the
>executables
> > in place.
> >
> > Everyone can split large application files, or can be taught how,
>and
> > send them
> > to be repackaged. Ever wonder how TCP and UDP work?
> >
> > --- David J ONEILL <David.J.Oneill_at_state.or.us> wrote:
> > > Gee, why not just block ALL email communication. That would save
> > you
> > > some work too.
> > >
> > > Archive files are a necessary part of communication and very
> > beneficial
> > > in saving bandwidth.
> > >
> > > Let's have a reality check ....
> > >
> > > David J O'Neill
> > > Senior Systems Analyst
> > > State of Oregon
> > > Department of Human Services
> > > Office of Information Services
> > > PH# 503.378.2101 ext. 280
> > > email david.j.oneill_at_state.or.us
> > >
> > > >>> Jonathan Loh <kj6loh_at_yahoo.com> 03/14/05 02:21PM >>>
> > > Ok that's a solution. But what I want to ask you is this. How
>much
> > > overhead
> > > does it take to do this? Blocking archive files would be an
>easier
> > > method with
> > > little overhead. Possibly with a reply to sender that your site
> > does
> > > not
> > > accept archive files.
> > > --- Kinnell <kinnell.t_at_gmail.com> wrote:
> > > > On the network I'm a member of we block all exe files sent
>inside
> > > the
> > > > rar or zip, so even if it is sent the file will be 0byted.
> > Wouldn't
> > > > that be a better method? otherwise if you block all bz2, zip,
> > rar,
> > > > etc... then you will block a lot of useful communication
> > > >
> > > > -Kinnell
> > > >
> > > > On Fri, 11 Mar 2005 16:49:16 -0500, adisegna_at_siscocorp.com
> > > > <adisegna_at_siscocorp.com> wrote:
> > > > > Sean, I have to disagree with you. Any file that that can
> > > encapsulate an
> > > > > executable file should be blocked (IMO). ZIP files are one of
> > the
> > > > > biggest carriers of malicious content these days. I don't make
> > it
> > > a
> > > > > habbit of trusting my users no matter how many times they get
> > > trained.
> > > > > RAR extraction tools are not part of the software image policy
> > on
> > > my
> > > > > network so users are oblivious to the file blocking. What is
> > your
> > > > > solution?
> > > > >
> > > > > Thanks
> > > > >
> > > > > AD
> > > > > Information Technology Group
> > > > > Security Identification Systems Corporation
> > > > >
> > > > > -----Original Message-----
> > > > > From: Sean Crawford [mailto:sean01_at_accnet.com.au]
> > > > > Sent: Tuesday, March 08, 2005 9:39 PM
> > > > > To: security-basics_at_securityfocus.com
> > > > > Subject: RE: 543.rar attachment
> > > > >
> > > > > ---> -----Original Message-----
> > > > > ---> From: adisegna_at_siscocorp.com
>[mailto:adisegna_at_siscocorp.com]
> >
> > > > >
> > > > > ---> Subject: RE: 543.rar attachment
> > > > >
> > > > > ---> I just recently got the same executable inside .rar. I
> > > extracted
> > > > > the
> > > > > ---> dddd.exe and ran a scan on it. Norton Corporate 9.01
>didn't
> > > find
> > > > > ---> anything (as of 4 days ago). I wasn't about to double
>click
> > > this
> > > > > exe on
> > > > > ---> my corporate network. Block the rar extension on your
>mail
> > > server.
> > > > > --->
> > > > >
> > > > > rar is a valid compression format...blocking it isn't a very
> > good
> > > > > solution.
> > > > >
> > > > > 2 cents.
> > > > >
> > > > > Sean
> > > > >
> > > > >
> > > >
> > >
> > >
> > >
> > > __________________________________
> > > Do you Yahoo!?
> > > Yahoo! Small Business - Try our new resources site!
> > > http://smallbusiness.yahoo.com/resources/
> > >
> >
> > __________________________________________________
> > Do You Yahoo!?
> > Tired of spam? Yahoo! Mail has the best spam protection around
> > http://mail.yahoo.com
> >
>
>
>
>
>__________________________________
>Do you Yahoo!?
>Yahoo! Small Business - Try our new resources site!
>http://smallbusiness.yahoo.com/resources/

_________________________________________________________________
Don’t just search. Find. Check out the new MSN Search!
http://search.msn.click-url.com/go/onm00200636ave/direct/01/
Received on Mar 17 2005

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]