RE: [ISN] MS Outlook booted off campus

From: InfoSec News (isnat_private)
Date: Tue May 28 2002 - 01:33:07 PDT


    Forwarded from: Wall David  Civ AETC/DOXD <David.Wallat_private>
    OK, Guess I wasn't clear.
    We run Norton, and get automatic updates every 24 hours, occasionally
    changing to every 12 hours.  Everything is automatic on our network
    (UNIX servers and NT workstations).  No user can open any file, e-mail
    or attachment unless the antivirus checks it first.  This isn't on the
    firewall, it's on the network.
    I know it's impossible to catch every virus if it is radically new,
    but we very, VERY seldom get a successful penetration.  For example,
    we took over 600,000 hits with I love you, and none got through.  
    Lesser, obviously, numbers with code red, Klez, and others.  Again,
    none got through. The virus was deleted and the e-mail then had an
    attachment that wasn't there.
    I'm no great fan of Outlook, but I don't see that it deserved the
    comments by that university.  For those who disagree, that's fine.
    Now, if you'll pardon my absence - i.e., no more responses for a
    couple weeks - I'm off to get married.  I don't expect to even hear
    the words virus, Norton, Outlook, infosecNews, etc., for a while.
    Happy computing
    Dave Wall
    -----Original Message-----
    From: Stanislav N. Vardomskiy [mailto:stanyat_private]
    Sent: Friday, May 24, 2002 10:52 AM
    To: InfoSec News
    Cc: isnat_private; David.Wallat_private
    Subject: RE: [ISN] MS Outlook booted off campus
    On Fri, 24 May 2002, InfoSec News wrote:
    > Forwarded from: Wall David Civ AETC/DOXD <David.Wallat_private>
    > Is it just me, or is somebody burying their heads in the sand?
    > Whatever happened to maintaining the latest antiviral signature files
    > so you don't get hit in the first place?
    > Am I missing something here?????
    You are missing the human factor.
    There are really two ways of dealing with desktop users: First one is
    a Nortel approach, where no one outside the helpdesk had
    root/administrator access, and in order to get done something as
    trivial as time synchronised between the license server and the
    workstation (so that FlexLM would actually check out the license), one
    had to call helpdesk.
    This approach works really well if you have huge budget for IT and
    infinitely patient users - IT/helpdesk has to be up to speed and be
    able to resolve problems FAST, and users get really really upset after
    having to call the "helldesk" for the third time with the same problem
    (And of course every problem is mission critical, be it e-mail outage
    or shortage of Modelsim licenses).
    At the moment I am babysitting about 20 users in a remote office.  My
    policies are fairly lax - all I care about is engineering being
    productive, so as long as they can read their e-mail, access their
    fileservers, and run their Verilog, I do not strictly enforce how they
    use their systems, with a belief that users themselves know best what
    it is that they want and how they want their systems configured in
    order to be most productive (The fact that most of my Windows users
    still use Windows 98 with no concept of local security makes it a
    folly to even try to prevent them from changing background pictures,
    mouse pointers, etc). Users are all informed that if I cannot solve
    their problem, I will re-image their system to a sane configuration.
    This approach, while definitely easier on users, does not permit
    totalitarian control over what gets executed on the desktop, and
    allows users to toggle settings of their anti-viral software.
    I have to point out that my approach so far worked out, and not only
    are users productive, but there is no fear and loathing of IT
    department at my site, and users do bring potential problems to my
    attention.  At my site engineers are the ones that bring in revenue,
    and I get paid out of the money they generate.  In my mind it's a
    direct relationship - if they are not productive, then I do not get
    paid :-)  Playing a Computer Cop would get me nothing besides pink
    Lastly, the default settings with Symantec Norton Anti-Virus corporate
    edition that the head office here maintains calls for downloading the
    latest signature file once a week.  Unfortunately, with the latest
    batch of virii, that spread like wildfire, a week is nowhere near fast
    enough, and, truth to be told, even fetching an updated signature once
    a day can be not fast enough (figure in a delay in vendor releasing a
    signature, pushing it out to the corporate signature server, and
    client fetching it from the corporate server).
    So to address your initial question:
    I can totally relate to the problems of Cambridge college's systems
    administrators.  If it's anywhere like the academentia I know and
    love, they are probably underpaid and understaffed and have no
    manpower to upkeep desktops of 700 users, and most likely have no
    political power in the college either.  As a result, while most
    likely they do maintain an anti-virus server/software, they have no
    way of making sure that every user is up to date and uses it.
    In a situation like this not using Windows, or at least not using
    components of Windows that were designed [1] to spread virii is a
    major workload reduction.
    > Dave Wall
    Will the virus impact my Macintosh if I am using a non-Microsoft e-mail
    program, such as Eudora?
    If you are using a Macintosh e-mail program that is not from
    Microsoft, we recommend checking with that particular company.  But most
    likely other e-mail programs like Eudora are not designed to enable virus
                                                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    replication.
    +-------+ Stanislav N Vardomskiy - Procurator Odiosus Ex Infernis[TM]
    | "Backups we have; it's restores that we find tricky." Richard Letts at ASR
    | This message is powered by JOLT!  For all the sugar and twice the caffeine. |
    +-+ 10570 + My words are my own.  LARTs are provided free of charge + 10533

    This archive was generated by hypermail 2b30 : Tue May 28 2002 - 05:13:34 PDT