Full Disclosure mailing list archives

Re: what can be done with botnet C&C's? (fwd)


From: Peter Besenbruch <prb () lava net>
Date: Mon, 14 Aug 2006 08:27:32 -1000

I keep hitting reply, and not posting to the list.


-------- Original Message --------

Valdis.Kletnieks () vt edu wrote:
> On Sun, 13 Aug 2006 08:32:16 EDT, Dude VanWinkle said:
>> When I worked at a university, the students were always getting
>> compromised till we implemented sandboxing. People DHCP'ing into the
>> network were placed in a subnet by themselves till a scan revealed
>> that they had:
>> 1: up to date AV
>> 2: up to date patches
>> 3: a functioning firewall

> OK, I'll bite - if you detect a functioning firewall, how do you scan for
> up to date patches and A/V?  Seems like you'd have to have at least a stub
> client on the machine to answer the "What patchlevel you at?" query.

I would also like to know how Mac and Linux machines were differentiated
from the Windows machines. It can't just be on the basis of user agent
strings. Would it be Javascript trickery on logging on to the network?
Flash objects, Java, ActiveX? Was it a simple ban on everyone, unless
they ran a secured Windows system, and everyone else be damned (as
insecure)? Do you just give the users of alternate OSes a fixed IP?

> (And this is the sort of thing that is easy to force install in a corporate
> environment where you own the machine.  It's also easy to do if you're a
> regular ISP, and you can get away with saying "If you don't like it, go to
> another ISP".  It's a can of worms when you don't own the machine, and you're
> a de facto monopoly because the student lives in the dorms - a Hobson's
> choice "install this or don't get net access" doesn't make you many friends...)

Sandboxing suspicious activity might work better. If a student got
nailed a few times, the hassle of getting reconnected might force
changes in on-line behavior.

--
Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky


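Peter's question (how do you tell Mac and Linux hosts from Windows ones when they DHCP into the quarantine subnet) and Valdis's point (a host firewall blocks the active scan, so patch level needs a stub client) can both be approached from the one packet a host firewall cannot suppress: the DHCP DISCOVER itself carries OS-specific options. The script below is an added example written for this archive page; it is not code from the thread or from any poster. It parses the DHCP option area (RFC 2132 TLV encoding), classifies the client from option 60 (vendor class identifier) and option 55 (parameter request list), and maps the result to the posture checks the quarantine subnet would demand. The option-55 prefixes, the Linux vendor-class strings and the check lists are illustrative assumptions; the sample DISCOVERs are constructed, not captured traffic.

```python
"""Passive OS classification from DHCP options.

Added example, not code from this thread or from any poster. It parses
the TLV option area of a DHCP message (RFC 2132) and classifies the
client by option 60 (vendor class identifier) and option 55 (parameter
request list). The option-55 prefixes, the Linux vendor-class strings
and the posture-check lists are illustrative assumptions.
"""

OPT_PAD = 0
OPT_END = 255
OPT_MSG_TYPE = 53
OPT_PARAM_REQUEST = 55
OPT_VENDOR_CLASS = 60

# Illustrative option-55 prefixes (assumption, see module docstring).
PRL_SIGNATURES = {
    (1, 121, 3, 6, 15, 119, 252): "macos",
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47): "windows",
}


def parse_dhcp_options(options: bytes) -> dict:
    """Return {code: value} for a DHCP option area.

    Handles the single-byte pad (0) and end (255) codes, concatenates
    repeated options (RFC 3396), and raises on a truncated option
    instead of reading past the buffer.
    """
    out = {}
    i, n = 0, len(options)
    while i < n:
        code = options[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= n:
            raise ValueError("truncated option header at offset %d" % i)
        length = options[i + 1]
        start, end = i + 2, i + 2 + length
        if end > n:
            raise ValueError("option %d length %d overruns buffer" % (code, length))
        out[code] = out.get(code, b"") + options[start:end]
        i = end
    return out


def classify_os(opts: dict) -> str:
    """Guess the OS family from parsed options; 'unknown' if nothing matches."""
    vendor = opts.get(OPT_VENDOR_CLASS, b"")
    if vendor.startswith(b"MSFT"):
        # Windows DHCP clients identify themselves as "MSFT 5.0".
        return "windows"
    if vendor.startswith((b"dhcpcd", b"udhcp")):
        # Assumption: typical vendor-class prefixes of common Linux clients.
        return "linux"
    prl = tuple(opts.get(OPT_PARAM_REQUEST, b""))
    for prefix, family in PRL_SIGNATURES.items():
        if prl[: len(prefix)] == prefix:
            return family
    return "unknown"


def posture_checks_for(family: str) -> list:
    """Checks the quarantine subnet demands before release (assumed policy).

    Windows gets the three checks from the thread, reported by a stub
    client; other known families skip the AV item; anything unknown is
    held for manual review rather than scanned blindly.
    """
    if family == "windows":
        return ["av_current", "patches_current", "firewall_on"]
    if family in ("macos", "linux"):
        return ["patches_current", "firewall_on"]
    return ["manual_review"]


def build_options(items) -> bytes:
    """Encode [(code, value_bytes), ...] as an option area ending in 255."""
    buf = bytearray()
    for code, value in items:
        buf += bytes([code, len(value)]) + value
    buf.append(OPT_END)
    return bytes(buf)


# Constructed sample DISCOVERs, not captured traffic.
WINDOWS_DISCOVER = build_options([
    (OPT_MSG_TYPE, b"\x01"),
    (OPT_VENDOR_CLASS, b"MSFT 5.0"),
    (OPT_PARAM_REQUEST, bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252])),
])
MAC_DISCOVER = build_options([
    (OPT_MSG_TYPE, b"\x01"),
    (OPT_PARAM_REQUEST, bytes([1, 121, 3, 6, 15, 119, 252, 95, 44, 46])),
])
LINUX_DISCOVER = build_options([
    (OPT_MSG_TYPE, b"\x01"),
    (OPT_VENDOR_CLASS, b"dhcpcd-9.4.1:Linux-5.15.0:x86_64:GenuineIntel"),
    (OPT_PARAM_REQUEST, bytes([1, 3, 6, 12, 15, 26, 28, 42, 51, 53, 54, 119, 121])),
])


def triage(packet_options: bytes) -> tuple:
    """Return (os_family, checks) for one DHCP message's option bytes."""
    family = classify_os(parse_dhcp_options(packet_options))
    return family, posture_checks_for(family)


if __name__ == "__main__":
    for name, pkt in [("windows", WINDOWS_DISCOVER), ("mac", MAC_DISCOVER), ("linux", LINUX_DISCOVER)]:
        print(name, triage(pkt))
```

The fingerprint is passive, so it works even when the host firewall drops every probe the quarantine scanner sends. It is also trivially forged: any client can put "MSFT 5.0" in option 60 or copy another OS's parameter request list. It should therefore only decide which posture check to demand, never count as a passed check; the stub client Valdis describes is still what answers the patch-level question.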

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

