nanog mailing list archives
Fingerprints (was Re: Lazy network operators - NOT)
From: Sean Donelan <sean () donelan com>
Date: Mon, 19 Apr 2004 03:29:50 -0400 (EDT)
On Sun, 18 Apr 2004, Matt Hess wrote:
<late-night-humor>
# Do not allow Windows 9x SMTP connections since they are typically
# a viral worm. Alternately we could limit these OSes to 1 connection each.
block in on $ext_if proto tcp from any os {"Windows 95", "Windows 98"} \
      to any port smtp

The OS fingerprint list they have is rather extensive..
</late-night-humor>
This has been suggested before. Remember Windows 9x is essentially a single-user operating system. Once a machine has been compromised, lots of things can be altered by the intruder. Some of the modifications are trivial, such as registry entries. Other changes can get more interesting. Fingerprints work best if the adversary isn't actively trying to munge them. It doesn't always look like another operating system, but it ceases to look like a Windows 9x box.

The arms race continues. Figuring out what the intruder changed, and cleaning it up, continues to get more complicated. Last year running a major anti-virus program was usually enough. Now it can take hours, and sometimes it's faster to re-install the operating system, assuming the user still has their original CDs and various Microsoft anti-piracy keys, and then downloads all the patches they were missing.

http://www.washingtonpost.com/wp-dyn/articles/A22514-2004Apr18.html

  The Federal Trade Commission today is hosting a daylong workshop in
  Washington to discuss the effects of hidden software that may be used
  to control or spy on a computer without its user's knowledge.

  So far most "spyware" and "adware" programs, often placed on Windows PCs
  by such downloaded programs as file-sharing programs, appear to have been
  used for the relatively benign purpose of tracking consumer preferences,
  said Howard Beales, director of the FTC's consumer protection division.
  The FTC is watching to see if criminals start making widespread use of
  this technology to steal credit-card and Social Security numbers of
  unwitting computer users, he said.
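To make the point about munged fingerprints concrete, here is a toy passive SYN fingerprinter, added as an example alongside this thread; it is not pf's or p0f's code and not anything either poster wrote. It builds a raw IPv4/TCP SYN from constructed field values, extracts the fields a pf.os-style matcher keys on (initial TTL class, window size, DF bit, option order), and looks them up in a small signature table. The table entries are illustrative stand-ins in pf.os style, not copied from pf.os, and the "registry tweak" scenario simply assumes an intruder raised the default TTL and receive window on a compromised Win9x box. The packets are constructed here, not captured.

```python
"""Toy passive TCP SYN OS fingerprinter (added example, not pf or p0f code)."""
import struct

# TCP option kind numbers from the IANA TCP option registry
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE, OPT_SACKOK, OPT_TS = 0, 1, 2, 3, 4, 8
OPT_NAMES = {OPT_NOP: "nop", OPT_MSS: "mss", OPT_WSCALE: "wscale",
             OPT_SACKOK: "sackOK", OPT_TS: "timestamp"}

# Illustrative signatures (window, initial TTL, DF, option order) -> label.
# Modelled loosely on pf.os fields; values are constructed, not copied from pf.os.
SIGNATURES = {
    (8192, 32, True, ("mss",)): "Windows 95",
    (8192, 128, True, ("mss",)): "Windows 98",
    (16384, 64, True, ("mss", "nop", "nop", "sackOK")): "OpenBSD 3.x",
    (5840, 64, True, ("mss", "sackOK", "timestamp", "nop", "wscale")): "Linux 2.4",
}


def build_syn(ttl, window, df, options):
    """Build a minimal IPv4+TCP SYN. Checksums are left zero; this is test
    input for the parser, not a packet meant to be sent."""
    opt = b""
    for kind, value in options:
        if kind == OPT_NOP:
            opt += bytes([OPT_NOP])
        elif kind == OPT_MSS:
            opt += struct.pack("!BBH", OPT_MSS, 4, value)
        elif kind == OPT_WSCALE:
            opt += struct.pack("!BBB", OPT_WSCALE, 3, value)
        elif kind == OPT_SACKOK:
            opt += struct.pack("!BB", OPT_SACKOK, 2)
        elif kind == OPT_TS:
            opt += struct.pack("!BBII", OPT_TS, 10, value, 0)
        else:
            raise ValueError(f"unsupported option kind {kind}")
    opt += b"\x00" * (-len(opt) % 4)          # pad to 32-bit boundary with EOL
    data_off = 5 + len(opt) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 25, 1, 0, data_off << 4,
                      0x02, window, 0, 0) + opt   # flags=SYN, dst port 25
    flags_frag = 0x4000 if df else 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                     flags_frag, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([192, 0, 2, 25]))
    return ip + tcp


def parse_syn(pkt):
    """Extract the fields a passive fingerprinter keys on from a raw IPv4/TCP SYN."""
    ihl = (pkt[0] & 0x0F) * 4
    flags_frag, ttl, proto = struct.unpack("!HBB", pkt[6:10])
    if proto != 6:
        raise ValueError("not TCP")
    tcp = pkt[ihl:]
    data_off = (tcp[12] >> 4) * 4
    if tcp[13] & 0x12 != 0x02:                  # SYN set, ACK clear
        raise ValueError("not a bare SYN")
    window = struct.unpack("!H", tcp[14:16])[0]
    kinds, opts, i = [], tcp[20:data_off], 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            kinds.append("nop")
            i += 1
            continue
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):   # guard against hostile option lengths
            raise ValueError("malformed TCP option")
        kinds.append(OPT_NAMES.get(kind, f"opt{kind}"))
        i += length
    return {"ttl": ttl, "window": window,
            "df": bool(flags_frag & 0x4000), "options": tuple(kinds)}


def initial_ttl(observed):
    """Round an observed TTL up to the nearest common initial value."""
    for start in (32, 64, 128, 255):
        if observed <= start:
            return start
    return 255


def fingerprint(pkt):
    f = parse_syn(pkt)
    key = (f["window"], initial_ttl(f["ttl"]), f["df"], f["options"])
    return SIGNATURES.get(key, "unknown")


def smtp_rule_blocks(pkt):
    """Mirror of the quoted pf rule: drop SMTP SYNs that fingerprint as Windows 9x."""
    return fingerprint(pkt) in ("Windows 95", "Windows 98")


# Constructed SYNs: a stock Win95-style stack three hops away (TTL 32 -> 29),
# the same box after only the default TTL was raised to 128 (assumed tweak),
# and after both TTL and receive window were changed (assumed tweak).
STOCK = build_syn(ttl=29, window=8192, df=True, options=[(OPT_MSS, 1460)])
TTL_ONLY = build_syn(ttl=125, window=8192, df=True, options=[(OPT_MSS, 1460)])
MUNGED = build_syn(ttl=125, window=64240, df=True, options=[(OPT_MSS, 1460)])

if __name__ == "__main__":
    for name, pkt in (("stock", STOCK), ("ttl-only", TTL_ONLY), ("munged", MUNGED)):
        print(f"{name:9s} -> {fingerprint(pkt):12s} blocked={smtp_rule_blocks(pkt)}")
```

Run stand-alone, the stock SYN matches "Windows 95" and the rule would block it; changing only the TTL makes it match the "Windows 98" entry (still blocked, but now misattributed), and changing TTL plus window leaves it "unknown", so the os-based block rule silently stops applying to the very box it was meant to catch.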
Current thread:
- Re: Lazy network operators - NOT, (continued)
- Re: Lazy network operators - NOT Iljitsch van Beijnum (Apr 18)
- Re: Lazy network operators - NOT Paul Vixie (Apr 18)
- Re: Lazy network operators - NOT Steven Champeon (Apr 20)
- Re: Lazy network operators - NOT Rik van Riel (Apr 28)
- Re: Lazy network operators - NOT Paul Jakma (Apr 18)
- Re: Lazy network operators - NOT Mike Jezierski - BOFH (Apr 18)
- Re: Lazy network operators - NOT Matt Hess (Apr 18)
- Re: Lazy network operators - NOT Mike Jezierski - BOFH (Apr 18)
- Blocking Win95 hosts [WAS: Lazy network operators - NOT] Patrick W . Gilmore (Apr 18)
- Re: Blocking Win95 hosts [WAS: Lazy network operators - NOT] Matt Hess (Apr 18)
- Fingerprints (was Re: Lazy network operators - NOT) Sean Donelan (Apr 19)
- Re: Lazy network operators - NOT Petri Helenius (Apr 18)
- Re: Lazy network operators - NOT Paul Vixie (Apr 18)
- Re: Lazy network operators - NOT Jerry Eyers (Apr 18)
- Re: Lazy network operators - NOT Lou Katz (Apr 18)
- Re: Lazy network operators - NOT Rodney Joffe (Apr 18)
- Re: Lazy network operators - NOT Doug White (Apr 18)
- Re: Lazy network operators - NOT Sean Donelan (Apr 18)
- Re: Lazy network operators - NOT Doug White (Apr 18)
- Microsoft XP SP2 (was Re: Lazy network operators - NOT) Sean Donelan (Apr 18)
- Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT) Brandon Shiers (Apr 18)