Dailydave mailing list archives
RE: Self updating worms?
From: "Jonathan Wilkins" <jwilkins () microsoft com>
Date: Mon, 13 Sep 2004 08:10:42 -0700
It's an ancient concept, but one that's proven extremely difficult to implement for mass consumption. You're not going to see my mother running some version of WinXP with MAC anytime soon.

-----Original Message-----
From: robert () dyadsecurity com [mailto:robert () dyadsecurity com]
Sent: Friday, September 10, 2004 2:25 PM
To: Jonathan Wilkins
Cc: dailydave () lists immunitysec com; ge () linuxbox org; th-research () linuxbox org; Blue Boar; Oded H
Subject: Re: [Dailydave] Self updating worms?

Jonathan Wilkins(jwilkins () microsoft com)@Fri, Sep 10, 2004 at 01:57:44PM -0700:
> 1. someone goes "oh shit, my firewall's getting hammered, what's going on?"
> 2. someone gets a copy and the reverse engineering starts
> 3. someone figures out what hole is being exploited
> 4. everyone reprioritizes that patch and starts installing it

What happens when the total traffic is too small to notice and days or weeks go by between probes? What happens when the exploit being used is different across instances?

I'm working on a few ideas, but I don't have anything that I haven't been able to beat yet.

If you really want to stop automated attacks, instead of putting up IDS/IPS/Firewalls/Antivirus/Hids/Anti-spyware/etc, you should instead focus on having a sane hardware base, and a Mandatory Access Control policy enforced by the OS. If you build on a foundation of Discretionary Access Controls, you will always be one application bug away from compromise. At least with Mandatory Role Based Access Control, your OS can enforce the extent of the damage.

For an idea of what I'm talking about read:
http://www.radium.ncsc.mil/tpep/library/rainbow/5200.28-STD.pdf
http://hissa.ncsl.nist.gov/rbac/paper/rbac1.html
http://www.nsa.gov/selinux/

This isn't a new concept. It just has been ignored for far too long.

Robert

---
Robert E. Lee
CTO, Dyad Security, Inc.
W - http://www.dyadsecurity.com
E - robert () dyadsecurity com
M - (949) 394-2033

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
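The DAC-versus-MAC point Robert makes above ("one application bug away from compromise" versus "the OS can enforce the extent of the damage") can be made concrete with a small reference-monitor simulation. The following is an added example, not code from the thread or from SELinux: it models a compromised web-server process and computes which sample files it can reach under plain owner/other permission bits alone, and then with a type-enforcement style policy layered on top, as SELinux does. The domains, type labels, policy rules and file list are constructed for illustration only.

```python
"""Toy reference monitor: DAC alone versus DAC plus a mandatory policy.

Added illustration (not from the Dailydave thread or any real system).
The labels below look like SELinux type names but the policy is made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FileObj:
    path: str
    owner: str
    mode: int    # UNIX permission bits, e.g. 0o644
    label: str   # mandatory type label assigned by the administrator


@dataclass(frozen=True)
class Process:
    uid: str     # the account the process runs as (DAC identity)
    domain: str  # the domain the process was confined to at exec (MAC identity)


OP_BITS = {"read": 4, "write": 2, "exec": 1}


def dac_allows(proc: Process, f: FileObj, op: str) -> bool:
    """Classic discretionary check: owner bits if the uid owns the file,
    'other' bits otherwise. Group bits are omitted to keep the model small.
    Whatever the owning account may do, a buggy process running as that
    account may do too."""
    if proc.uid == "root":
        return True
    perm = (f.mode >> 6) & 7 if proc.uid == f.owner else f.mode & 7
    return perm & OP_BITS[op] == OP_BITS[op]


# Constructed type-enforcement rules: (domain, type) -> operations allowed.
# Anything not listed is denied, regardless of who owns the file.
MAC_POLICY = {
    ("httpd_t", "httpd_content_t"): {"read"},
    ("httpd_t", "httpd_log_t"): {"write"},
    ("user_t", "user_home_t"): {"read", "write"},
    ("user_t", "httpd_content_t"): {"read"},
}


def mac_allows(proc: Process, f: FileObj, op: str) -> bool:
    return op in MAC_POLICY.get((proc.domain, f.label), set())


def check(proc: Process, f: FileObj, op: str, mac_enabled: bool) -> bool:
    """Both layers must agree; DAC is consulted first, then the mandatory
    policy if it is switched on."""
    if not dac_allows(proc, f, op):
        return False
    if mac_enabled and not mac_allows(proc, f, op):
        return False
    return True


def reachable(proc: Process, files, mac_enabled: bool) -> dict:
    """Map each file the process can touch to the operations permitted on it.
    This is the blast radius an attacker inherits by compromising `proc`."""
    out = {}
    for f in files:
        ops = {op for op in OP_BITS if check(proc, f, op, mac_enabled)}
        if ops:
            out[f.path] = ops
    return out


# Constructed sample filesystem.
SAMPLE_FILES = [
    FileObj("/var/www/index.html", "www", 0o644, "httpd_content_t"),
    FileObj("/var/log/httpd/access.log", "www", 0o640, "httpd_log_t"),
    FileObj("/etc/passwd", "root", 0o644, "passwd_file_t"),
    FileObj("/home/alice/notes.txt", "alice", 0o600, "user_home_t"),
]

# A web server that has just been taken over by an input-handling bug.
COMPROMISED_HTTPD = Process(uid="www", domain="httpd_t")


if __name__ == "__main__":
    for label, mac in (("DAC only", False), ("DAC + MAC", True)):
        print(f"{label}:")
        for path, ops in reachable(COMPROMISED_HTTPD, SAMPLE_FILES, mac).items():
            print(f"  {path}: {sorted(ops)}")
```

Under DAC alone the hijacked server can rewrite its own content (it owns the files), and read anything world-readable; with the mandatory policy in force the same process is held to read-only on content and append-only on logs, and loses access to everything else even though the permission bits have not changed. That is the "extent of the damage" the OS enforces on the attacker's behalf, without any knowledge of the particular bug.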