Security Incidents mailing list archives
Re: A question for the list...
From: Andy Shelley <andy () cbeyond net>
Date: Mon, 19 May 2003 15:12:51 -0400
From the responses received so far, it seems like most are focusing on the endpoints. There was a paper from just over a year ago that is tangentially related.
http://web.proetus.com/reference/bns.html

Interesting concept that could come into play at just this sort of situation, except direct action to the host isn't taken but alerts are automatically passed to the upstream provider, who can then filter.
It's all conceptual, though.

On Sunday, May 18, 2003, at 07:33 PM, Rob Shein wrote:
What is being done with respect to Fizzer is rather different from "engaging the attacker" or even scanning large sections of the internet to find compromised hosts in pursuit of fixing them. The method being used is neither active nor aggressive, and here is the key difference. I think the likelihood of harming others is far less in this scenario, and I doubt that there is even a potential legal issue either, for that matter. As the virus reaches out for an update from a known location, here there was the opportunity to cause the virus to elegantly commit suicide; there is no way that the code would accidentally be run on an uninfected machine except with the direct participation of that machine's owner.

-----Original Message-----
From: Dan Hanson [mailto:dhanson () securityfocus com]
Sent: Saturday, May 17, 2003 12:28 AM
To: incidents () securityfocus com
Subject: A question for the list...

As part of incident handling and response, most of us have had to respond to virus infections that have affected networks and hosts. Reports are circulating that members of the IRC operator community have distributed code through the update mechanism of the Fizzer virus. The code reportedly attempts to remove the virus from the host. The latest information seems to indicate that the "update" code was removed until further testing can be done and more discussion regarding the legalities of this are had.

At last year's Blackhat conference in Las Vegas, Tim Mullen presented what turned out to be a very controversial proposal. Briefly, he questioned why it would be inappropriate to strike back and disable (if not remove) a worm from hosts that are clearly not being adequately managed. The discussion, both in the session, and after, included those who felt that this was simply vigilantism that has no place in the current world, and those who feel that there is a responsibility for someone to do something to try to maintain, if not improve, the security situation for those connected to the Internet.

http://online.securityfocus.com/columnists/98
http://www.blackhat.com/html/bh-usa-02/bh-usa-02-speakers.html#Timothy%20Mullen
http://www.securityfocus.com/columnists/134

It seems to me that a group finally took it upon themselves to do exactly what Tim was suggesting the community consider. But it appears that they have done it without any consultation of the community in general, and if I have read the reports correctly, with no authorization.

Here is a link for a report on News.com and it contains some opinions by legal folk.
http://news.com.com/2100-1002_3-1003894.html?tag=lh

A bunch of ideas for discussion pop up to me... some of these may not be totally on-topic for this forum; if you can tie something back into incident response, I'll likely allow it through.

-What are the implications down the road?
-Are there concerns that organizations have with this trend? Legal? Procedure?
-Is this any different than a similar activity that installs malicious code on the target host?
-The approach that Tim advocated was significantly less intrusive than the approach taken with the Fizzer virus. Tim's approach made no significant changes on the targeted host, simply blocked the ability of Nimda to replicate (if I remember correctly), and notified the owner that they have been compromised and where to go to find help in removing the infection. The approach taken to actually modify the system to remove Fizzer seems to go significantly past that. Why was the reaction to Tim's advocacy of discussion so hostile, when to date I have seen no negative criticism of the Fizzer removal?
-Is this a catalyst for a group (IETF?) of some kind to debate these issues to find a resolution? I think that most people would agree that the increasing risk that these distributed networks pose to every Internet-connected host is grave, and a better method is required to deal with them. Are there other ideas that don't get us into "arms races" with malcode writers?
-If this becomes standard practice, will this force the communication and update channels underground/encrypted (the "arms race" that I mentioned)?
-What are some of the strategies that organizations are implementing to control their exposure to these communication channels?
-If a command can be given in a channel to "shut down" the network of hosts, what is the view on the legality of doing this? If you had a host on your network that was suddenly shut down by a well meaning (or not so well meaning) third party, what would your response be?

I am not advocating the validity of one side over another, I just find it curious how similar the idea of Tim's, and the actual attempt to remove the virus, are.

As an aside, I would like to keep the discussion on this civil. If posts become too flamey to one side or the other (I think both sides have valid ends) they will likely be rejected.

D

----------------------------------------------------------------------------
*** Wireless LAN Policies for Security & Management - NEW White Paper ***
Just like wired networks, wireless LANs require network security policies that are enforced to protect WLANs from known vulnerabilities and threats. Learn to design, implement and enforce WLAN security policies to lockdown enterprise WLANs.
To get your FREE white paper visit us at: http://www.securityfocus.com/AirDefense-incidents
----------------------------------------------------------------------------
--
Andy Shelley
Cbeyond Communications
andy () cbeyond net