Dailydave mailing list archives

Re: Self updating worms?


From: robert () dyadsecurity com
Date: Fri, 10 Sep 2004 14:24:39 -0700

Jonathan Wilkins(jwilkins () microsoft com)@Fri, Sep 10, 2004 at 01:57:44PM -0700:
> 1. someone goes "oh shit, my firewall's getting hammered, what's going
> on?"
> 2. someone gets a copy and the reverse engineering starts
> 3. someone figures out what hole is being exploited
> 4. everyone reprioritizes that patch and starts installing it
>
> What happens when the total traffic is too small to notice and days
> or weeks go by between probes?
> What happens when the exploit being used is different across instances?
>
> I'm working on a few ideas, but I don't have anything that I haven't
> been able to beat yet.

If you really want to stop automated attacks, instead of putting up
IDS/IPS/Firewalls/Antivirus/HIDS/Anti-spyware/etc., you should instead
focus on having a sane hardware base, and a Mandatory Access Control
policy enforced by the OS.  If you build on a foundation of
Discretionary Access Controls, you will always be one application bug
away from compromise.  At least with Mandatory Role-Based Access
Control, your OS can enforce the extent of the damage.

For an idea of what I'm talking about read:
http://www.radium.ncsc.mil/tpep/library/rainbow/5200.28-STD.pdf
http://hissa.ncsl.nist.gov/rbac/paper/rbac1.html
http://www.nsa.gov/selinux/

This isn't a new concept.  It just has been ignored for far too long.

Robert

---
Robert E. Lee
CTO, Dyad Security, Inc.
W - http://www.dyadsecurity.com
E - robert () dyadsecurity com
M - (949) 394-2033
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
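The DAC-versus-MAC point in the message above, worked through as a toy reference monitor. This is example code added to this archive page, not code from the original post, from the Dyad Security author, or from SELinux. It models the ordering SELinux uses (discretionary owner/mode check first, then a mandatory type-enforcement rule, and both must permit), layered under a small role-to-domain table in the spirit of the RBAC paper linked above. The labels (`httpd_t`, `shadow_t`, `system_r`, ...), the policy table and the sample files are constructed for the example and are not any distribution's real policy.

```python
"""Toy reference monitor: DAC (owner/mode bits) then MAC (type enforcement).

Constructed example.  Domains, types, roles and the allow table below are
hypothetical and exist only to show why a mandatory layer bounds the damage
of an application bug even after the discretionary layer has been bypassed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class File:
    path: str
    owner: str     # DAC owner
    mode: int      # DAC permission bits, e.g. 0o644
    label: str     # MAC type, e.g. "shadow_t"


@dataclass(frozen=True)
class Process:
    uid: str       # DAC identity; "root" bypasses DAC like uid 0 does
    role: str      # MAC role, e.g. "system_r"
    domain: str    # MAC domain the code is running in, e.g. "httpd_t"


# Mandatory policy (constructed).  Any (domain, type) pair not listed is denied.
TE_ALLOW = {
    ("httpd_t", "httpd_content_t"): {"read"},
    ("httpd_t", "httpd_log_t"): {"append"},
    ("sshd_t", "shadow_t"): {"read"},
    ("sysadm_t", "shadow_t"): {"read", "write"},
}

# Which domains each role may run code in (the RBAC layer on top of TE).
ROLE_DOMAINS = {
    "system_r": {"httpd_t", "sshd_t"},
    "sysadm_r": {"sysadm_t"},
}

NEED_BITS = {"read": 4, "write": 2, "append": 2}


def dac_allows(proc: Process, f: File, op: str) -> bool:
    """Classic owner/other mode-bit check (group class omitted for brevity)."""
    if proc.uid == "root":
        return True
    bits = (f.mode >> 6) & 7 if proc.uid == f.owner else f.mode & 7
    return bool(bits & NEED_BITS[op])


def mac_allows(proc: Process, f: File, op: str) -> bool:
    """Type enforcement: only an explicit allow for (domain, type) passes,
    and only if the process's role is permitted to be in that domain."""
    if proc.domain not in ROLE_DOMAINS.get(proc.role, set()):
        return False
    return op in TE_ALLOW.get((proc.domain, f.label), set())


def check(proc: Process, f: File, op: str) -> bool:
    """Final decision: DAC and MAC must both permit the operation."""
    return dac_allows(proc, f, op) and mac_allows(proc, f, op)


def can_transition(proc: Process, new_domain: str) -> bool:
    """A process may only move into domains its role authorises, so an
    exploited httpd_t process cannot simply 'become' the admin domain."""
    return new_domain in ROLE_DOMAINS.get(proc.role, set())


# Constructed sample objects.
SHADOW = File("/etc/shadow", "root", 0o600, "shadow_t")
INDEX = File("/var/www/index.html", "root", 0o644, "httpd_content_t")
ACCESS_LOG = File("/var/log/httpd/access_log", "apache", 0o640, "httpd_log_t")


def exploited_httpd_can_read_shadow(dac_only: bool) -> bool:
    """The worm case: httpd has been exploited and the attacker now runs as
    root inside the httpd_t domain.  With DAC alone the read succeeds; with
    the mandatory layer it is still denied, because no rule grants
    httpd_t access to shadow_t."""
    pwned = Process("root", "system_r", "httpd_t")
    if dac_only:
        return dac_allows(pwned, SHADOW, "read")
    return check(pwned, SHADOW, "read")


if __name__ == "__main__":
    web = Process("apache", "system_r", "httpd_t")
    pwned = Process("root", "system_r", "httpd_t")
    admin = Process("root", "sysadm_r", "sysadm_t")
    print("httpd reads its own content:   ", check(web, INDEX, "read"))
    print("httpd appends to its log:      ", check(web, ACCESS_LOG, "append"))
    print("httpd writes its content:      ", check(web, INDEX, "write"))
    print("pwned httpd, DAC only, shadow: ", exploited_httpd_can_read_shadow(True))
    print("pwned httpd, DAC+MAC, shadow:  ", exploited_httpd_can_read_shadow(False))
    print("pwned httpd enters sysadm_t:   ", can_transition(pwned, "sysadm_t"))
    print("admin writes shadow:           ", check(admin, SHADOW, "write"))
```

The point of the model is the second-to-last line of the demo: once the application bug hands the attacker root, DAC has nothing left to say, and only the mandatory policy (which the compromised process cannot edit or escape via a domain transition) still bounds what that process can touch.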

