RE: A question for the list...

From: Benjamin Tomhave (falconat_private)
Date: Tue May 20 2003 - 18:46:47 PDT

Next message: Kevin Reardon: "Re: A question for the list..."

Previous message: Luc Pardon: "RE: A question for the list..."
In reply to: Ray Stirbei: "Re: A question for the list..."
Next in thread: Kevin Reardon: "Re: A question for the list..."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi all,

This is indeed a fascinating thread.  What I wonder about is the precedent
set by the US Gov't this year in establishing a policy of pre-emptive
strikes as a measure of national defense.  Extending this concept to the
current thread, what's to say one shouldn't release a worm the second a
vulnerability is identified that infects a system, patches it, reboots it,
and moves on?  I mean, why stop at hacking-back against infected machines?
I would view this as a step beyond a hack-back type approach.  It also is
ludicrous, much like...well, nevermind... ;)

Another point that I feel should be underscored is this: It's often not
those companies with adequate infosec resources who are problematic when it
comes to worms, etc.  Instead, the problem often lies within less-protected
networks, often owned by organizations or individuals lacking in resources
and/or technical experience and competency.  While ignorance is no defense,
there's something to be said for those organizations that simply can't
afford adequate protection.

Personally, given the current "wild west" landscape of the Internet, these
vigilante/marshall approaches sound appealing, but what we're really talking
about is the need to revamp the very nature of the Internet.  Almost to the
extent of dividing the Internet into two segments: those certified as
secure, and those not.  Anyway...

For what it's worth...

-ben

> -----Original Message-----
> From: Ray Stirbei [mailto:meat_private]
> Sent: Sunday, May 18, 2003 12:28 PM
> To: Ed Shirey
> Cc: incidentsat_private
> Subject: Re: A question for the list...
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Ed,
>
> I agree there is much value in having this sort of automated
> response to patch
> all our systems. This idea is at least 20 years old and this
> point was behind
> Morris' intention with the first Internet worm.  As you said,
> liability and
> ethics among other things are the reasons we don't use this today.
>
> However, I argue such extreme measures are uneccesary	: automated patch
> management is already available. Measures like firewalls,
> proxies, IDS/IPS
> can already redirect known attacks and scans to /dev/null. Deceptive
> applications even go further to redirect the attacker to a
> honeypot. Its only
> a matter of time until most security vendors will implement this feature.
> This summer, a colleague is presenting a paper and a proof of
> concept on an
> system that automatically creates and patches systems based on attack
> heuristics. This would solve the problem of waiting for a vendor
> as well as
> distribution.
>
> I suspect the biggest threat vector (in the corporate world) is
> not unpatched
> servers. You mentioned protecting bandwidth. Its DoS attacks from an
> availability perspective. The most damaging successful attacks
> come from an
> organization's own people. They don't need to run 0day exploits.
>
> So I agree with you there's much potential for benevolent worms,
> but I argue
> we don't need these drastic measures to secure systems.
>
> ray
>
>
> On Saturday 17 May 2003 07:30 pm, Ed Shirey wrote:
> > Dan Hanson wrote:
> > >As part of incident handling and response, most of us have had
> to respond
> > >to virus infections that have affected networks and hosts. Reports are
> > >circulating that members of the IRC operator community have distributed
> > >code through the update mechanism of the Fizzer virus. The
> code reportedly
> > >attempts to remove the virus from the host. The latest
> information seems
> > >to indicate that the "update" code was removed until further
> testing can
> > >be done and more discussion regarding the legalities of this are had.
> >
> > I think that this approach to dealing with worms is an inevitable
> > evolution of the network
> > "organism".  It obviously carries many risks, but it can also
> > potentially provide tremendous
> > benefit to the health of the overall system.
> >
> > It's certainly not always the case, but often an infected system has
> > readily exploitable
> > holes that an active "vaccine" could utilize to remove the malware.
> > This approach has
> > a host of ethical and technical issues, but assuming an altruistic and
> > benevolent (and
> > technically competent) source, this vaccine has a net benefit (sorry
> > about all the puns).
> >
> > I suggest that many of the issues are similar to those associated with
> > "Good Samaritans".
> > Our overly litigous society has many would-be samaritans afraid to offer
> > a helping hand
> > because of concern for liability.  Is this right? This isn't a
> > rhetorical question -- there are
> > certainly examples of well meaning, but inept assistance causing more
> > harm than good.
> >
> > However, as more and more malware "organisms" begin to inhabit our
> > network like
> > virtual E. Coli. in the Internet gut,  active measures may be required,
> > if for no other
> > reason than to protect bandwidth.  Perhaps DSL providers should consider
> > making
> > permission to release active countermeasures part of the terms of use.
> >
> > This is going to be a fun thread...
> >
> > Ed
> >
> >
> >
> >
> >
> >
> ------------------------------------------------------------------
> ---------
> >- *** Wireless LAN Policies for Security & Management - NEW
> White Paper ***
> > Just like wired networks, wireless LANs require network
> security policies
> > that are enforced to protect WLANs from known vulnerabilities
> and threats.
> > Learn to design, implement and enforce WLAN security policies
> to lockdown
> > enterprise WLANs.
> >
> > To get your FREE white paper visit us at:
> > http://www.securityfocus.com/AirDefense-incidents
> >
> ------------------------------------------------------------------
> ---------
> >-
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (GNU/Linux)
>
> iD8DBQE+x9DDzejBliQ3SdsRAmLEAJ9YpuJisnkYp8drOJ5u7ziJHmqWUgCg1otz
> x3RMDzeIfLA8sl3MCAt4viU=
> =gErl
> -----END PGP SIGNATURE-----
>
>
> ------------------------------------------------------------------
> ----------
> *** Wireless LAN Policies for Security & Management - NEW White Paper ***
> Just like wired networks, wireless LANs require network security policies
> that are enforced to protect WLANs from known vulnerabilities and
> threats.
> Learn to design, implement and enforce WLAN security policies to
> lockdown enterprise WLANs.
>
> To get your FREE white paper visit us at:
> http://www.securityfocus.com/AirDefense-incidents
> ------------------------------------------------------------------
> ----------
>
>


----------------------------------------------------------------------------
*** Wireless LAN Policies for Security & Management - NEW White Paper ***
Just like wired networks, wireless LANs require network security policies 
that are enforced to protect WLANs from known vulnerabilities and threats. 
Learn to design, implement and enforce WLAN security policies to lockdown enterprise WLANs.

To get your FREE white paper visit us at:    
http://www.securityfocus.com/AirDefense-incidents
----------------------------------------------------------------------------

Next message: Kevin Reardon: "Re: A question for the list..."
Previous message: Luc Pardon: "RE: A question for the list..."
In reply to: Ray Stirbei: "Re: A question for the list..."
Next in thread: Kevin Reardon: "Re: A question for the list..."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed May 21 2003 - 09:39:00 PDT