Educause Security Discussion mailing list archives
Re: Bagle.j out
From: Joe St Sauver <JOE () OREGON UOREGON EDU>
Date: Wed, 3 Mar 2004 08:37:52 -0800
Hi Jack,

#What I will probably look at following the suggestion in the
#Educause/Internet2 Effective Security Practices Guide
#
#http://www.educause.edu/security/guide/VirusandIntrusionDetection.asp
#
#and require my mail administrators to rename .exe and .zip attachments to
#something that can't be auto-opened.

I believe the days of transporting other-than-plain text via email may be close to over, if they aren't already gone.

We used to hew to the "defang by renaming" approach, but we've reconsidered the viability of that approach due to the sheer volume of viruses and worms in circulation (together with the fact that it doesn't prevent the determined from de-defanging and hurting themselves, while it is still sufficiently difficult that it keeps the novice from working with real/desired content) -- it manages to be simultaneously both too hard and too easy, if you see what I mean.

Strip pifs/scrs/exes and move on. The real question right now, I think, is whether or not .zip's can be saved, or if they too will be lost. (rhetorical question, I believe I already know the answer)

#This allows people to still transport
#these but they have to go through an extra step of saving these as a
#different name and opening the application to read these. Usually those
#steps provide the "thinking pause" necessary to realize what is legit or
#not.

Unfortunately, defanging but not stripping is not always sufficient. As mentioned, with determination, users can still manage to "stick their fingers in the blades" of dangerous attachments, while many novice users may still find even trivial defanging of "real"/"wanted" attachments beyond their ability to reverse (and you're still left with billowing drifts of virus-laden attachments clogging your mail spool and your users' mailboxes).

Assume viruses/worms reach spam-like levels of distribution. Can you/will you deliver 100 (or 1000) 35K viruses/user/day? Does it make *sense* to do so?

#I feel taking draconian steps, crippling
#the MUA, banning binary/encrypted files, or blocking attachments
#essentially mean we've given up and allowed the virus writers to win.

Unfortunately, the social engineering is *really* improving, and virus writers are paying attention to what folks are doing for technical countermeasures....

-- "send .pif's/.scr's, they're obscure and no one knows what they are..."

we respond by stripping (or defanging) .pif's/.scr's, but allowing legitimate extensions like .exe's to pass. The virus writers notice, and evolve...

-- "send .exe's instead, they'll be too important to block..."

we respond by stripping .exe's. The virus writers notice, and evolve....

-- "send .zip's instead, they'll auto-unpack and because they're not executable (hahah) and so pervasive, people will be reluctant to strip them"

many sites respond by unzipping .zip's and scanning the contents... The virus writers notice, and evolve...

-- "send password .zip's with the password embedded in the text, users will be happy to help us by using the password we provide..."

we respond by... stripping zips? tokenizing the entire message body and then looking for passwords to auto-decrypt messages for scanning? ("They're finding our plain text passwords. Begin spelling the passwords by saying, "Your password is three two five nine three three...")

I truly believe zips are just about history as mail message attachments. Yes, it is sad and ugly that it has come to that. Yes, it is unfortunate. Yes, it is probably necessary.

I'll also say that I've seen the future, and when we do strip all non-text content from mail, the threat vector will then shift to come-and-get models involving web pages, or P2P dissemination, or instant messaging... Oh wait. That day's already here. (but we still need to deal with the email security related issues)

#going to end on a positive note:

You're more of an optimist than I am, Jack. :-)

#* I've seen a huge jump in user awareness. Most people were very
#suspicious and didn't trust this message. That is a positive sign

We were saved by poor grammar on the part of the grammar writer. Once the virus writers add some native English speakers to their crews to proofread their spiels, you'll see standard written business English with American idioms.

I also predict that a typical site still has HUNDREDS if not THOUSANDS of unpatched systems, 90% of users have NO CLUE what spyware is nor have they downloaded and installed something like Spybot S&D, users still haven't deployed software or personal hardware firewalls, etc., etc., etc. http://www.securityfocus.com/columnists/193 ("Joe Average User Is In Trouble") is right on the money.

#* Our security team got word out quickly to the campus -- response and
#handling on our campus has gotten a lot better and I sense the same for
#many other schools as well.

There are limits to the number of successive waves of storms that people can cope with w/o a break or systemic failure. A couple of tornados a year can be an exciting diversion from the mundane, provided you don't personally get hit. Multiple tornados a day, day in and day out, make you think about serious permanent lifestyle changes.

And the recent waves of virus variants portend the future, folks. If you're not planning on how you're going to handle dozens of serious new viruses and worms a day (or more), you're missing the point. This scale-up is an inevitable and unavoidable phenomenon, I think, much as spam distribution ramped up (we're now routinely seeing 250,000+ unique spam vectors (unique dotted quads)/week at some small to medium sized regional ISPs I visit with).

What we do know is that:

-- virtually all of the viruses/worms target PCs running Windows, so there is substantial value to using a non-Windows platform (such as a Mac or a Linux box or Solaris or OpenVMS or whatever turns your crank)

-- it is possible to be virtually entirely immune to these attacks, IF you're willing to change what you do (Frank daCruz did an excellent job of laying out what's required (see http://www.columbia.edu/kermit/safe.html )

But people still aren't willing to make those strategic changes, unfortunately.

Regards,

Joe

----
Joe St Sauver, Ph.D. (joe () oregon uoregon edu)
University of Oregon Computing Center

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
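The strip-versus-defang policy debated above, as an added example that is not part of the original message or of any EDUCAUSE or University of Oregon tool: a standard-library Python filter that strips .pif/.scr/.exe attachments and any .zip whose listing shows an executable or an encrypted entry (which cannot be scanned), renames the remaining .zip's to .zip.txt so they cannot be auto-opened, and records what it did. The message and zip contents are constructed sample data; the policy choices (which extensions to strip, the .txt rename) are the ones the thread discusses.

```python
import email, io, os, zipfile
from email import policy
from email.message import EmailMessage
STRIP_EXTS = (".pif", ".scr", ".exe")  # strip these outright, as the post suggests

def zip_contains_executable(data: bytes) -> bool:
    # Inspect the zip in memory; encrypted entries (flag bit 0) and malformed
    # archives cannot be scanned, so they count as carrying an executable.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(i.flag_bits & 1 or i.filename.lower().endswith(STRIP_EXTS)
                       for i in zf.infolist())
    except zipfile.BadZipFile:
        return True

def apply_policy(raw: bytes):
    # Returns (rewritten message, list of (action, filename) pairs)
    msg = email.message_from_bytes(raw, policy=policy.default)
    actions = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        ext = os.path.splitext(name.lower())[1]
        data = part.get_payload(decode=True) or b""
        if ext in STRIP_EXTS or (ext == ".zip" and zip_contains_executable(data)):
            # strip: set_content drops the payload and every Content-* header
            part.set_content(f"Attachment {name} was removed by policy.")
            part["Content-Disposition"] = f'attachment; filename="{name}.removed.txt"'
            actions.append(("stripped", name))
        elif ext == ".zip":
            new_name = name + ".txt"  # defang: the user must rename it before it opens
            del part["Content-Disposition"]
            part["Content-Disposition"] = f'attachment; filename="{new_name}"'
            part.set_param("name", new_name)  # keep the Content-Type name= in step
            actions.append(("defanged", new_name))
        else:
            actions.append(("passed", name))
    return msg, actions

def make_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, d in entries.items():
            zf.writestr(n, d)
    return buf.getvalue()

def build_sample() -> bytes:  # constructed sample message, not real mail
    msg = EmailMessage()
    msg.set_content("Body text.")
    for data, sub, fn in [(b"MZ", "octet-stream", "photo.exe"),
                          (make_zip({"setup.exe": b"MZ"}), "zip", "docs.zip"),
                          (make_zip({"notes.txt": b"hi"}), "zip", "report.zip"),
                          (b"%PDF-1.4", "pdf", "paper.pdf")]:
        msg.add_attachment(data, maintype="application", subtype=sub, filename=fn)
    return msg.as_bytes()
```

A password-protected zip trips the encrypted-entry check and is stripped rather than passed, which is the case the thread says content scanning cannot handle.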