Educause Security Discussion mailing list archives

Re: Bagle.j out


From: Joe St Sauver <JOE () OREGON UOREGON EDU>
Date: Wed, 3 Mar 2004 08:37:52 -0800

Hi Jack,

#What I will probably look at following the suggestion in the
#Educause/Internet2 Effective Security Practices Guide
#
#http://www.educause.edu/security/guide/VirusandIntrusionDetection.asp
#
#and require my mail administrators to rename .exe and .zip attachments to
#something that can't be auto-opened.

I believe the days of transporting other-than-plain text via email may be
close to over, if they aren't already gone.

We used to hew to the "defang by renaming" approach, but we've reconsidered
the viability of that approach due to the sheer volume of viruses and worms
in circulation (together with the fact that it doesn't prevent the determined
from de-defanging and hurting themselves, while it is still sufficiently
difficult that it keeps the novice from working with real/desired content)
-- it manages to be simultaneously both too hard and too easy, if you see
what I mean. Strip pifs/scrs/exes and move on.

The real question right now, I think, is whether or not .zip's can be saved,
or if they too will be lost. (rhetorical question, I believe I already know
the answer).

#This allows people to still transport
#these but they have to go through an extra step of saving these as a
#different name and opening the application to read these. Usually those
#steps provide the "thinking pause" necessary to realize what is legit or
#not.

Unfortunately, defanging but not stripping is not always sufficient. As
mentioned, with determination, users can still manage to "stick their
fingers in the blades" of dangerous attachments, while many novice users
may still find even trivial defanging of "real"/"wanted" attachments beyond
their ability to reverse (and you're still left with billowing drifts of
virus-laden attachments clogging your mail spool and your users mailboxes).

Assume viruses/worms reach spam-like levels of distribution. Can you/will
you deliver 100 (or 1000) 35K viruses/user/day? Does it make *sense* to
do so?

#I feel taking draconian steps, crippling
#the MUA, banning binary/encrypted files, or blocking attachments
#essentially mean we've given up and allowed the virus writers to win.

Unfortunately, the social engineering is *really* improving, and virus
writers are paying attention to what folks are doing for technical
countermeasures....

-- "send .pif's/.scr's, they're obscure and no one knows what they are..."
   we respond by stripping (or defanging) .pif's/.scr's, but allowing
   legitimate extensions like .exe's to pass. The virus writers notice,
   and evolve...

-- "send .exe's instead, they'll be too important to block..."
   we respond by stripping .exe's. The virus writers notice, and evolve....

-- "send .zip's instead, they'll auto-unpack and because they're not
   executable (hahah) and so pervasive, people will be reluctant to strip
   them"
   many sites respond by unzipping .zip's and scanning the contents...
   The virus writers notice, and evolve...

-- "send password .zip's with the password embedded in the text, users
   will be happy to help us by using the password we provide..."
   we respond by... stripping zips? tokenizing the entire message body
   and then looking for passwords to auto-decrypt messages for scanning?
   ("They're finding our plain text passwords. Begin spelling the passwords
   by saying, "Your password is three two five nine three three...")

I truly believe zips are just about history as mail message attachments.
Yes, it is sad and ugly that it has come to that. Yes, it is unfortunate.
Yes, it is probably necessary.

I'll also say that I've seen the future, and when we do strip all non-text
content from mail, the threat vector will then shift to come-and-get models
involving web pages, or P2P dissemination, or instant messaging... Oh wait.
That day's already here. (but we still need to deal with the email security
related issues)

#going to end on a positive note:

You're more of an optimist than I am, Jack. :-)

#* I've seen a huge jump in user awareness. Most people were very
#suspicious and didn't trust this message. That is a positive sign

We were saved by poor grammar on the part of the virus writer. Once
the virus writers add some native English speakers to their crews to
proofread their spiels, you'll see standard written business English
with American idioms.

I also predict that a typical site still has HUNDREDS if not THOUSANDS
of unpatched systems, 90% of users have NO CLUE what spyware is nor
have they downloaded and installed something like Spybot S&D, users
still haven't deployed software or personal hardware firewalls, etc.,
etc., etc. http://www.securityfocus.com/columnists/193 ("Joe Average
User Is In Trouble") is right on the money.

#* Our security team got word out quickly to the campus -- response and
#handling on our campus has gotten a lot better and I sense the same for
#many other schools as well.

There are limits to the number of successive waves of storms that people
can cope with w/o a break or systemic failure. A couple of tornados a
year can be an exciting diversion from the mundane, provided you don't
personally get hit. Multiple tornados a day, day in and day out, make
you think about serious permanent lifestyle changes.

And the recent waves of virus variants portend the future, folks. If you're
not planning on how you're going to handle dozens of serious new viruses
and worms a day (or more), you're missing the point.

This scale-up is an inevitable and unavoidable phenomenon, I think, much
as spam distribution ramped up (we're now routinely seeing 250,000+
unique spam vectors (unique dotted quads)/week at some small to medium
sized regional ISPs I visit with).

What we do know is that:

-- virtually all of the viruses/worms target PCs running Windows, so there
   is substantial value to using a non-Windows platform (such as a Mac
   or a Linux box or Solaris or OpenVMS or whatever turns your crank)

-- it is possible to be virtually entirely immune to these attacks, IF
   you're willing to change what you do (Frank da Cruz did an excellent
   job of laying out what's required; see
   http://www.columbia.edu/kermit/safe.html )

But people still aren't willing to make those strategic changes, unfortunately.

Regards,

Joe

----
Joe St Sauver, Ph.D. (joe () oregon uoregon edu)
University of Oregon Computing Center
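An added example, not part of Joe's message or of anything he describes deploying: a small Python filter implementing the two responses the post walks through (strip .pif/.scr/.exe attachments outright, and unzip .zip attachments to inspect their contents), treating an encrypted zip member as unscannable. The message it parses is constructed inline, and the blocked-extension list is an assumed policy.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions the post says to strip outright (constructed policy for this example).
BLOCKED_EXTS = {".pif", ".scr", ".exe"}

def _ext(name):
    name = (name or "").lower()
    return name[name.rfind("."):] if "." in name else ""

def classify_attachment(filename, payload):
    """Return (verdict, reason) for one attachment, verdict being 'strip' or 'allow'."""
    ext = _ext(filename)
    if ext in BLOCKED_EXTS:
        return ("strip", "blocked extension " + ext)
    if ext == ".zip":
        # Open the archive in memory and look at member names, as the
        # "unzip and scan the contents" response in the post does.
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    if info.flag_bits & 0x1:  # bit 0 set = encrypted member, unscannable
                        return ("strip", "encrypted zip cannot be scanned")
                    if _ext(info.filename) in BLOCKED_EXTS:
                        return ("strip", "zip contains " + info.filename)
        except zipfile.BadZipFile:
            return ("strip", "malformed zip")
        return ("allow", "zip inspected, no executables")
    return ("allow", "")

def filter_message(raw):
    """Parse a raw RFC 822 message; return [(filename, verdict, reason), ...]."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [(p.get_filename(), *classify_attachment(p.get_filename(), p.get_payload(decode=True)))
            for p in msg.iter_attachments()]

def build_sample():
    """Constructed test message: a .zip wrapping an .exe plus a harmless .pdf."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photos.exe", b"MZ fake executable body")
    msg = EmailMessage()
    msg.set_content("Please see attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="photos.zip")
    msg.add_attachment(b"%PDF-1.4 fake", maintype="application", subtype="pdf", filename="report.pdf")
    return msg.as_bytes()
```

Running filter_message(build_sample()) strips the zip because of the .exe inside it and allows the .pdf; a password-protected zip would be stripped as unscannable, which is exactly the gap the post says attackers moved into.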
