* L. Christopher Paul (lcpat_private) [010806 02:21]:
> One question ... Mighten this lead to a false sense of security?
>
> With the CRv1 or CRv2 I can see this as being appropriate, but with CRII
> creating backdoors and then broadcasting the vulnerability, the incidence
> of compromises beyond the initial worm infestation is incredibly high.
>
> By automating a 'fix', and not rebuilding the box, there is no guarantee
> that the box is safe to be re-connected to the network; only that the worm
> is gone and that it can't be re-infected.
>
> If such a tool is built (which isn't all bad), it needs to be shipped with
> a big 'ole warning to that effect.

Agreed. If anyone developed such a tool and if we decided to point people
to it from our warning message to administrators of possible infected
machines we would add such a warning.

But realistically speaking we are talking about the same folks who have
failed to patch their systems after two highly publicized worms. The
chances of them going through the trouble of reinstalling the whole system
are not very good. It's good to give them an easy option that at the very
least closes the hole and hope that the machine had not yet been found
by an attacker and modified further.

> --lcp

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sun Aug 05 2001 - 19:39:30 PDT