Security Incidents mailing list archives

Re: A question for the list...

From: Ray Stirbei <me () highentropy org>
Date: Sun, 18 May 2003 14:28:19 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ed,

I agree there is much value in having this sort of automated response to patch
all our systems. This idea is at least 20 years old and this point was behind
Morris' intention with the first Internet worm.  As you said, liability and
ethics among other things are the reasons we don't use this today.

However, I argue such extreme measures are uneccesary   : automated patch 
management is already available. Measures like firewalls, proxies, IDS/IPS 
can already redirect known attacks and scans to /dev/null. Deceptive 
applications even go further to redirect the attacker to a honeypot. Its only 
a matter of time until most security vendors will implement this feature. 
This summer, a colleague is presenting a paper and a proof of concept on an 
system that automatically creates and patches systems based on attack 
heuristics. This would solve the problem of waiting for a vendor as well as 
distribution.

I suspect the biggest threat vector (in the corporate world) is not unpatched 
servers. You mentioned protecting bandwidth. Its DoS attacks from an 
availability perspective. The most damaging successful attacks come from an 
organization's own people. They don't need to run 0day exploits.  

So I agree with you there's much potential for benevolent worms, but I argue
we don't need these drastic measures to secure systems.

ray


On Saturday 17 May 2003 07:30 pm, Ed Shirey wrote:

Dan Hanson wrote:

As part of incident handling and response, most of us have had to respond
to virus infections that have affected networks and hosts. Reports are
circulating that members of the IRC operator community have distributed
code through the update mechanism of the Fizzer virus. The code reportedly
attempts to remove the virus from the host. The latest information seems
to indicate that the "update" code was removed until further testing can
be done and more discussion regarding the legalities of this are had.


I think that this approach to dealing with worms is an inevitable
evolution of the network
"organism".  It obviously carries many risks, but it can also
potentially provide tremendous
benefit to the health of the overall system.

It's certainly not always the case, but often an infected system has
readily exploitable
holes that an active "vaccine" could utilize to remove the malware.
This approach has
a host of ethical and technical issues, but assuming an altruistic and
benevolent (and
technically competent) source, this vaccine has a net benefit (sorry
about all the puns).

I suggest that many of the issues are similar to those associated with
"Good Samaritans".
Our overly litigous society has many would-be samaritans afraid to offer
a helping hand
because of concern for liability.  Is this right? This isn't a
rhetorical question -- there are
certainly examples of well meaning, but inept assistance causing more
harm than good.

However, as more and more malware "organisms" begin to inhabit our
network like
virtual E. Coli. in the Internet gut,  active measures may be required,
if for no other
reason than to protect bandwidth.  Perhaps DSL providers should consider
making
permission to release active countermeasures part of the terms of use.

This is going to be a fun thread...

Ed





---------------------------------------------------------------------------
- *** Wireless LAN Policies for Security & Management - NEW White Paper ***
Just like wired networks, wireless LANs require network security policies
that are enforced to protect WLANs from known vulnerabilities and threats.
Learn to design, implement and enforce WLAN security policies to lockdown
enterprise WLANs.

To get your FREE white paper visit us at:
http://www.securityfocus.com/AirDefense-incidents
---------------------------------------------------------------------------
-

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+x9DDzejBliQ3SdsRAmLEAJ9YpuJisnkYp8drOJ5u7ziJHmqWUgCg1otz
x3RMDzeIfLA8sl3MCAt4viU=
=gErl
-----END PGP SIGNATURE-----


----------------------------------------------------------------------------
*** Wireless LAN Policies for Security & Management - NEW White Paper ***
Just like wired networks, wireless LANs require network security policies
that are enforced to protect WLANs from known vulnerabilities and threats.
Learn to design, implement and enforce WLAN security policies to lockdown enterprise WLANs.

To get your FREE white paper visit us at:
http://www.securityfocus.com/AirDefense-incidents
----------------------------------------------------------------------------

Current thread:

A question for the list... Dan Hanson (May 16)
- Re: A question for the list... Ray Stirbei (May 17)
  - RE: A question for the list... John McCracken (May 17)
- Re: A question for the list... Ed Shirey (May 17)
  - RE: A question for the list... Dan Perez (May 19)
  - Re: A question for the list... Ray Stirbei (May 19)
    - RE: A question for the list... Benjamin Tomhave (May 21)
  - Re: A question for the list... Kevin Reardon (May 20)
    - RE: A question for the list... Mark Ng (May 21)
    - Re: A question for the list... Kevin Reardon (May 21)
    - RE: A question for the list... Rob Shein (May 22)
    - Re: A question for the list... Gary Flynn (May 21)
    - Re: A question for the list... Jimi Thompson (May 23)
    - Re: A question for the list... Jay D. Dyson (May 25)
- Re: A question for the list... De Velopment (May 19)
- RE: A question for the list... Rob Shein (May 19)

(Thread continues...)