Re: [inbox] Re: Fwd: Comment on: USB devices spreading viruses

["James Matthews" <nytrokiss () gmail com>]

What i was referring to was having only programs on a corporate white list
run. White listing services are provided by http://www.bit9.com/ and they
have now partnered with Kaspersky to be able ID most programs and anything
else run it in a sandbox.

However your approach to blocking USB devices is better. But this is an
overall approach.

James

On Mon, Nov 24, 2008 at 7:17 AM, Bipin Gautam <bipin.gautam () gmail com>wrote:

> On 11/24/08, James Matthews <nytrokiss () gmail com> wrote:
> > bit9 and kaspersky offer this new service. Companies should make use of
> it.
> >
>
> what service, James!
>
> Could you please explain more...
>
> I find it ridicules to know that this problem has been there since the
> earliest version of windows but still without a generic solution! Is
> this unwillingness for the approach to a proper solution is what has
> fueled the "antivirus business" for so long?
>
> If you look in the *nix side you will see this technique is
> tested/proven. Signature based or behavior based approach detection
> will continue to fail.
>
> To address this never-ending problem of virus infection from removable
> media, i have implemented no-execution-from-removable to dorzons of
> computers in the past years, even the dumbest of users understand what
> is being done and feel safe about they wont likely have virus
> infection from the removable media ever, even if the media has a
> virus. They know workaround on how to temporarily disable the
> restriction if they are willing to run something trustworthy as i have
> made the users clear there is no solution to the problem of virus
> infection from removable media and and you have to learn these few
> things ...like you have learned to use antivirus software to stay
> safe. Users get it, really!
>
> Antivirus companies should take similar approach (as described
> previously) to address it but adding USABILITY.
>
> This problem is there to stay for years to come. What better could be
> the proper solution to this problem?
>
> thanks,
> -bipin
>
>
>
> > On Sun, Nov 23, 2008 at 10:05 PM, Bipin Gautam
> > <bipin.gautam () gmail com>wrote:
> >
> > > On 11/23/08, Mike C <mike.cartall () gmail com> wrote:
> > >
> > > > > Of course, blindly thwacking people / dragging them to HR by the hair
> > > > > when they're really just trying to do their jobs is
> > > > > counter-productive. The calls also show us where we, security, are
> > > > > falling down. Perhaps it's poor awareness training (if the user
> didn't
> > > > > know that they shouldn't run unapproved software, or why we have that
> > > > > rule, or how to get a new app approved); or could be that the
> official
> > > > > route is being seen as too slow or bureaucratic, in which case it
> > > > > needs fixing. And so on.
> > > >
> > > > All I hope is we can fix the issue. Hopefully in the near future.
> > >
> > >
> > > Yeah!
> > > Here is my prospective to a possible solution that wouldn't compromise
> > > usability.
> > >
> > > But, first lets all agree on "banning execution of any binary from
> > > removable media" is the only straightforward solution this decades old
> > > problem of virus infection/propagation from removable media.
> > >
> > > See, if a web-page tries to install an activeX / browser plugin, your
> > > browser (non intrusively) waits for user interaction with a security
> > > warning message on "if you really intend to install the plugin (Which
> > > may be harmful!)" or .......may choose to ignore the dialog and
> > > continue browsing.
> > >
> > > Here, it is assumed "user understands" the security impact of
> > > executing untrusted programs from internet and let the execution
> > > decision left to the end user with manual interaction. If the plugin
> > > installation behavior is not intended user can simply ignore the
> > > manual interaction request for execution and instead continue.
> > >
> > > In similar way, anti virus company or Microsoft should create similar
> > > for "My Computer Zone" where the first execution of a binary "from
> > > removable media" is denied by default and prompt for user interaction
> > > to execute, white list&execute or terminate/ban the request for
> > > execution from removable media like the way internet explorer (non
> > > intrusively) handles installation of activeX like in IE. Binary
> > > execution from removable media should be treated that way ( untrusted
> > > ! )
> > >
> > > Pen drive / SD have unique serial numbers which can be used to
> > > identify and permanently whitelist or blacklist the media from
> > > execution.
> > >
> > > Windows already has a feature for prompting if user tries to execute
> > > binary from intranet/shared folder or execution of binary marked as
> > > downloaded from "Internet Zone"
> > >
> > > Why not have similar for binary execution from removable media as well!?
> > >
> > > What better could be the solution to stopping virus to propagate from
> > > removable medias with (default) FAT file system. (lacking ACL's)
> > >
> > > For corporate environment let there be feature to sync these white
> > > listed/blacklisted hashes of executable or removable media UID from
> > > anti virus server/domain controller to anti virus clients/related
> > > service running in user end.
> > >
> > > Will this work :)?
> > >
> > > -thanks,
> > > bipin
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
> >
> >
> >
> > --
> > http://www.goldwatches.com/
> >
> > http://www.jewelerslounge.com/luxury-insurance
>
>
> --
> x-no-archive: yes



-- 
http://www.goldwatches.com/

http://www.jewelerslounge.com/luxury-insurance

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/