Re: A question for the list...

[De Velopment <devel () www2 kparker org>]

On Fri, 16 May 2003, Dan Hanson wrote (in part):

> At last year's Blackhat conference in Las Vegas, Tim Mullen presented what
> turned out to be a very controversial proposal. Briefly, he questioned why
> it would be inappropriate to strike back and disable (if not remove) a
> worm from hosts that are clearly not being adequately managed.

It is interesting that this sounds similar to me to proposals by the
RIAA to allow them to legally "strike out", hack into the networks
of companies, and remove allegedly copyrighted files from machines
who may have advertised them on Peer-to-peer networks.

And I'll BET you that we'll have inquiries in the Incidents list
if the computers owned by the RIAA try such a thing.

But to get more directly to the inquiry at hand, I've wondered
if it could be considered "self defense" if, say, a web server
who just received the Nimda packet for, say, "cmd.exe" sent an
immediate signal right back, telling the offending machine
to shut itself down?  And this being considered different from
someone going through his/her logs after the fact and sending
a counter-attack at that point?  (One problem with the latter
approach is some of the IP addresses may have been reassigned).

Good luck on your inquiry and best regards,

Ken Parker


----------------------------------------------------------------------------
*** Wireless LAN Policies for Security & Management - NEW White Paper ***
Just like wired networks, wireless LANs require network security policies 
that are enforced to protect WLANs from known vulnerabilities and threats. 
Learn to design, implement and enforce WLAN security policies to lockdown enterprise WLANs.

To get your FREE white paper visit us at:    
http://www.securityfocus.com/AirDefense-incidents
----------------------------------------------------------------------------