BugTraq
> The AV industry is built on reaction rather than prevention. Adding
> new signatures is still the #1 tool in the fight against malware.

That's why AV must never be used as the first/only line of defence
against malware. The couple of hour window between outbreak and
updated signatures could be enough to do significant damage; think of
Blaster written by a skilled and malicious individual. As you say, AV
falls into the 'detection/response' categories instead of
'prevention'.
> If backbones filtered the top-10 current outbreaks, with non-intrusive
> means such as for example running MD5 checksum checks against
> attachments, or whatever other way - wouldn't it be better? True, it
> may cause a cry of "the government spies on us", but with the current
> economic troubles outbreaks cause, can we really use that excuse
> anymore? Doesn't the police regulate speeding?

Not my area, but I believe most backbone networks are designed to get
packets from A to B as fast as possible. Egress filtering at ISPs
for both spoofed addresses and email-borne viruses would be a start
though.
> Although completely not practical, a way to contact users (or ISPs,
> isn't that how it works?) by IP address would help a lot. But that
> would be circumventing the real problem which is ISPs not doing much
> about ABUSE REPORTS or USER SECURITY.

It would also be good to have ISPs accountable for abuse that
originates in their networks. But does any government department have
the resources to do this, even if appropriate laws are in place?
Several sites providing DNSBLs, and/or providing statistics of proxy
abusers have been taken off the 'net by massive DDoS attacks. The FBI
clearly has authority under the law to go after this kind of thing,
but has done absolutely nothing about it as far as I've heard.
cheers,
Jamie
(and, yes, everyone should turn off the !@#$ virus notifications already :)
--
James Riden / j.riden (at) massey.ac (dot) nz [email concealed] / Systems Security Engineer
GPG public key available at: http://www.massey.ac.nz/~jriden/
This post does not necessarily represent the views of my employer.