[Due to some technical problems beyond our control, the editiing of these messages might be a little munged, along with the PGP signature on the last reply. - WK] Forwarded from: Michael J. Reeves <michaeljreevesat_private> This brings up an interesting point regarding add-on software. HOW much attention is paid to the alerts and logs??? The other day, I d/l'd a file and saved it. My Firewall and Anti-Virus did NOT detect any problem with the file. I opened it expecting one thing, and nothing appeared to happen. Closer examination revealed that it was a *.SCR file. Missed that!!! My firewall notified me that a NEW program was trying to access the internet, and asked should I "BLOCK" access. This sent up a "RED-FLAG" for me!!! I instructed it to establish the BLOCK-RULE, and proceeded to investigate. Turned out is was a new variation of an old trojan, BACKDOOR.LITMUS.203. Having some experience with this stuff, I rebooted the system from a boot disk, moved the suspected files (now 2) into a safe subdirectory, and rebooted the system. I, then, searched the REGISTRY and *.INI files for entries referring to these files and deleted them. I submitted the files to my Anti-Virus publisher for analysis with the results noted previously as to the trojan. They are now updating their definitions files. The one thing that my Anti-Virus program did NOT do was to CHECK the REGISTRY for entries indicative of KNOWN virus and/or trojans. Perhaps this should be suggested??? IMHO.... MJR InfoSec News wrote: > http://www.nwfusion.com/news/2003/0526isspatch.html > > By Ellen Messmer > Network World Fusion > 05/26/03 > > Internet Security Systems is readying technology it says could > benefit companies fed up with current patch management techniques. > > More precisely, ISS will enable its vulnerability-assessment scanner > to gang up with its network- and host-based intrusion-detection > systems (IDS) to stop newly discovered attacks or worms that could > damage unprotected servers or desktops on enterprise networks. Michael J. Reeves, AA, ASc MJR Consulting Services Sacramento, California 95842 E-Mail: michaeljreevesat_private -=- Forwarded from: Steve Manzuik <steveat_private> http://www.nwfusion.com/news/2003/0526isspatch.html If anyone needs to be concerned with patching its ISS but I don't think that their new buzzword will get the job done. > More precisely, ISS will enable its vulnerability-assessment scanner > to gang up with its network- and host-based intrusion-detection > systems (IDS) to stop newly discovered attacks or worms that could > damage unprotected servers or desktops on enterprise networks. The last time I tested ISS' host based "product" it did not work on HP-UX, caused issues on Solaris installs, and blue screened 3 out of 5 Windows 2000 boxes. Don't get me started on the unreliability of their network based product either. Too bad my client wasn't as amused with the failures as I was considering they shelled out close to 100K for the ISS solution. Their scanner product is pretty good though, with all the keygens and cracks floating around for it script kiddies seem to love it and with all the false positives it generates the kiddies won't get anywhere. With the high overhead created by using ISS products it almost makes me wonder if patch management isn't cheaper. > ISS CTO Chris Klaus calls the idea "virtual patching" because it > could eliminate the need to immediately apply server or desktop > software patches, which are often required to combat new attacks > that exploit software holes. Instead of having to rush to patch the > application or operating system software to stop a fast-moving worm > from taking over vulnerable systems, ISS would be able to have its > IDS ready to take certain steps to stop specific attacks aimed at > the target machine. A proper security framework already eliminates the need to rush out and patch non-critical boxes. Even with this "revolutionary" product it makes sense for IT departments to patch critical systems. > "Patching is unattainable. There's no Fortune 1000 company doing it > across all its systems," contends Klaus, who points out that > sometimes vendors stop supplying patches for their legacy products. > "For instance, Microsoft is no longer supporting patching for > Windows NT." Does ISS Server Sensor even support and work on Windows NT? Does anyone have any success stories with this product on NT? Patching is not unattainable if the proper framework is put in place in the first place. Proper processes can solve a lot of the patching issues. > Next month ISS will add the virtual patching capability to its > vulnerability-assessment tool, Internet Scanner 7.0, which runs on > Windows 2000. But Klaus mentioned NT above.... > Continuously updated with new attack information as it becomes > known, Internet Scanner will examine Web servers, firewalls, > operating systems, routers, switches, mails servers and other > applications to determine where a variety of weaknesses reside. The > product also will perform network discovery to locate network > resources. This is a neat idea but you will end up spending a ton of money protecting not so critical boxes. Its back to the old saying; "You don't spend 1,000,000.00 to protect 1,000. > Internet Scanner will no longer simply be a stand-alone tool, but > will be able to take commands from the ISS management console, > SiteProtector. Companies could then perform a scan when a new > vulnerability or threat was identified, to see which machines could > be hit. Then, based on the network manager's decision, SiteProtector > would be able to instruct the ISS network-based sensor, RealSecure > Network 7.0, or the host-based IDS, RealSecure Server 7.0 and > RealSecure Desktop 7.0, to take certain steps. The host-based IDS > could block access, based on a specific check or signature. Yay! Now your false positive prone ISS Scanner will not only confuse your IT staff but begin blocking potentially legitimate traffic. I can see the increase in productivity already. > Since traditional "passive" IDS products aren't in-line devices that > can block large traffic streams, RealSecure Network 7.0 would be > limited to instructing the firewall to block the attack through a > process called shunning, or alternatively, terminating a session > with TCP re-sets. So this is different from the OPSEC features in RealSecure how? How is this going to protect internal desktops and servers from an internal attack? Oh, it won't? So lets just call our desktops and back end devices "honeypots" and everything will be fine. > The virtual patching capability is coordinated with the debut next > month of what ISS has dubbed The X-Force Catastrophic Risk Index > that the company will issue periodically as a guide to the worst > security threats and risks. Wow, CATASTROPHIC RISK INDEX, this should send a chill up IT Security Manager's spines everywhere. Proper risk management employs more than half broken technology. Sorry to sound like a Final 4 firm but risk management is a combination of people, process, and technology. Security is built in layers and reliance should not be placed on one single device or technology. All ISS is doing here is setting their customers up to become victims -- or was that honeypot researchers? > While the virtual patching capability is still in testing mode, and > it's not clear how well the idea will work in practice, there's > little doubt that network managers are fed up with patching. Their entire product line is still in testing mode. ISS needs to fix the multiple issues in their basic products before they try and sell the world on their virtual patching service. Granted my organization is small, but I have about a dozen clients who were sold on ISS products -- all but two have given up trying to make them work properly. What does that tell you? Regards; Steve Manzuik Chief Technical Officer Entrench Technologies Inc. (403)663-1337 - office (403)589-4430 - cellular steveat_private -=- Forwarded from: White Vampire <whitevampireat_private> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tue, May 27, 2003 at 02:03:48AM -0500, InfoSec News(isnat_private) wrote: This is PR disguised as news. <snip> > "Patching is unattainable. There's no Fortune 1000 company doing it > across all its systems," contends Klaus, who points out that > sometimes vendors stop supplying patches for their legacy products. > "For instance, Microsoft is no longer supporting patching for > Windows NT." <snip> Prove it. Patching is unattainable, eh? Windows workstations can be set to reference a directory on a primary server within the NOC and automatically install updates in the directory. That is just one way to do it. If said "patching" is not taking place, perhaps there are some people out there who should start doing their jobs properly. Regards, - -- \ | \ / White Vampire\Rem | http://gammaforce.org/ \|\| \/ whitevampireat_private | http://gammagear.com/ "Silly hacker, root is for administrators." | http://webfringe.com/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.5 (GNU/Linux) iD8DBQE+05ba3+rxmnEDyl8RAtqLAKD0vSsHCZlriYO7CwFnn3gDp1N/dACfXIvN U9z5ICL3U/mCPQnQTDQaOtI= =hAXD -----END PGP SIGNATURE----- - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Wed May 28 2003 - 02:45:41 PDT