Security Basics mailing list archives

RE: Spyware

From: "Jeff Gercken" <JeffG () kizan com>
Date: Wed, 15 Dec 2004 15:03:19 -0500

Perhaps you should petition IANA to allocate a TCP port for spyware :)
http://www.iana.org/cgi-bin/sys-port-number.pl

Egress filtering is a really good idea.  If more organizations did this
we would have much fewer problems to deal with.  The problem is, without
upper layer protocol detection (application proxies, NBAR, et al), a
TCP/UDP port is just an arbitrary number.  There is nothing stopping you
from running ssh on port 80 or chargen on port 22.  Filtering may stop
some of the dumber spyware, but it shouldn't be considered as a
solution.

-Jeff

-----Original Message-----
From: Matt Stern [mailto:sternm () comprehensive com] 
Sent: Tuesday, December 14, 2004 5:38 PM
To: security-basics () lists securityfocus com
Subject: Spyware

Hello all:

I was just wondering if spyware sends its answers "back home" on any 
particular TCP or UDP port.  If so, then couldn't I doubly safeguard the

LAN (after trying to keep all the spyware off the workstations) by 
disallowing outbound communications via the firewall, for those ports? 
 Or conversely, instead of allowing all outbound traffic, only allow the

usual ports, such as 80, 443, 23, etc?

Thanks.

-- 
Matthew H. Stern, CCP/CDP, sternm () comprehensive com
Serving the IT industry since 1976
Comprehensive Computer Services Inc.
www.comprehensive.com
Phone: 631 755-2250, Fax 755-2254
560 Broad Hollow Road, Melville NY 11747

Current thread:

Spyware Matt Stern (Dec 15)
- Re: Spyware dallas jordan (Dec 16)
- Re: Spyware Liran Cohen (Dec 16)
- Re: Spyware Jon Lawhead (Dec 16)
- <Possible follow-ups>
- RE: Spyware Gross Barry D. (Dec 16)
- RE: Spyware Jeff Gercken (Dec 16)
- RE: Spyware Griffin, Van (Dec 16)
- RE: Spyware Friend, Jason A Contractor/CoTs (Dec 16)
- RE: Spyware geraldf (Dec 16)
- RE: Spyware Paris E. Stone (Dec 17)