RE: Instant Messaging hash values

["David Gillett" <gillettdavid () fhda edu>]

  I've just stumbled over a bunch of AIM clients talking to port
20 ("ftp-data").  Most of our users are allowed to IM, but 
pretending to be other kinds of traffic isn't kosher.

David Gillett


> -----Original Message-----
> From: Robinson, Sonja [mailto:SRobinson () HIPUSA com]
> Sent: Monday, August 08, 2005 8:52 AM
> To: Netops; Nick Duda
> Cc: security-basics () securityfocus com
> Subject: RE: Instant Messaging hash values
>
>
> Hard to block at the firewall, they've adapted to random ports, so if
> you block 5190 it just moves.  Even worse, many chat web 
> sites are going
> right over port 80.  
>
> I'd be interested in the solution myself.  Written warnings and
> penalties don't mean anything to anyone.  We've got to block it.  I've
> got PHI and financial info to worry about and one disclosure can be
> disaster. 
>
>
> Sonja L. Robinson, CISSP, CIFI, CISA, CISM
> Forensic Specialist, Digital Investigations
> HIP Information Security Group
> Tel: 212-806-4125
> srobinson () hipusa com
>  
>
> -----Original Message-----
> From: Netops [mailto:michael () bluesuperman com] 
> Sent: Saturday, August 06, 2005 4:31 PM
> To: Nick Duda
> Cc: security-basics () securityfocus com
> Subject: Re: Instant Messaging hash values
>
> Hello,
>
>       I think that this would be to hard to maintain, why not simple
> block the type of traffic on the firewall or proxy server.
>
> Michael
>
>
> Nick Duda wrote:
> > I'm looking to create a software restriction policy via GPO 
> to prevent
>
> > different instant messenger services (AIM, MSN, Yahoo, 
> Trillian..etc) 
> > from running based on the hash value. Short of gathering all know 
> > binaries for each client is there any way to obtain hash codes from 
> > past versions anywhere....perhaps a website with a 
> repository of hash 
> > values for binaries?
> >
> > Thanks in advance,
> >
> > Nick Duda - Systems Administrator