Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Re: E-Mail viruses
From: Ron DuFresne <dufresne () winternet com>
Date: Fri, 5 Mar 2004 11:39:18 -0600 (CST)

On Thu, 4 Mar 2004, Earl Keyser wrote:

As one method of dealing with these -

1. We use the Draconian technique of stripping all .exe .zip. ,gif .jpg
.scr .bat .pif files.
Inconvenient for some, life saver for others.  For files that MUST be
sent, we use an alternate route - not network e-mail

Very draconian in todays world, and not productive by the way some folks
do the work they have to do with limited capabilities these days.  It
seems that we might was well revert back to only allowing e-mail in plain
text, and I'm certainly not totally adverse to this myself, but, I'm
willing to bet that the fallout of pushing this to the masses at large.

Can I in some of the networks I manage get away with forcng text only
e-mails and blocking all zip files at the perimiter, sure, and I could
quell the complaints pretty quickly, in some of the other larger enbvs I
manges, I'd have to resort to the painful application of advanced larting
to quell the outcry at the serverroom drawbridge.  And still I'd afect the
ability of many to to their assigned tasks...Far better if I can just
block out sights from sending through my mail servers those prone to spm
and those outright infected with one or more trojans and viruses.  I can
do this more 3effectivly if I have a system that can authentcate at some
level the senders address and the sending mail relay.  If I have to
blindly accpet easily verified spoofed addresses, then my taks are far
tougher and rely upon more draconian measures that are sooner or later
going to ruffle a manager at a high enough level that I'll end up having
to just let it all pass and sort the mess at the desktops...

Of course I could just toss my hands in the air and complain cause nothing
proposed is perfect, and deal with the status quo, without offering
something else to the mixed crowd for review <right Nick?>...

So, is it two steps backwards and move from there or just stand here and
take it and proceed as we are now?  Or do we look at possible ways to
sidestep enough to reduce the onslaught to a tide one might reasonably
manage?


2. We use McAfee EPO to push out updated dats daily.


Keeping anti--virus products up to date is like playing the patch-up game,
it;s overly reactive and allows too large a window of compromise.
Additionally it's resource intensive and only fattens the pocket books of
the vendors in this space.

Remember it took 4 patches to fix the issues that slammer sploited, and
the last and final patch in that muster fluck was only really released
approximately about 30 days prior to sploit, and many that were patched
and protected got that undone at or shortly after ploit release and never
knew due to dll levels released in various addon apps to their systems
<this remains a major headache to this day, and not just in the windos
arena>...


3. We forbid all users from bringing in foreign machines and  plugging
them in, since internal security is not as good as external security.


But, there are ways in still that are hard to monitor, even with a .edu
that might well scan all students for potential firearms and weapons;
floppies, cdroms, USB keydrives...

4. We send out reminders fairly often about safe usage.


Users in the future are either going to be more technically savvy and
aware, <to help gaurd their own systems and privacy and to plain get work
done> or have applications and OS' so user friendly that errors are not
easy to impliment due to enhancments in the tools used <far  less likely
as this technology is still so new and we all want to retain capabilities
we probably really don;t need, but, are not willing to give up, kinda like
the revert to text e-mails statements above>.  But teaching old dogs is
never as effectives as bringing up the new dogs with the traits from
ground up.

4. We have a PIX, an IDS and me to monitor things.


And enforce egress as well ingress filtering, correct?  Many of todays
issues are not as easily cought looking from the erpimiter out, one has to
see what flows from inside out as well to catch things.


Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault