From: treidy at gmail.com (Thomas Reidy)
Subject: Getting the lead out of broken virus / worm email meta-reporting

A good thought, but will probably be tough to convince a Sophos, etc
to go along w/ this w/o a very strong customer demand...  profits are
still king...

Tough to implement, but a good idea...

-- Tom

On Tue, 3 Aug 2004 11:40:19 -0400, Clairmont, Jan M
<jan.m.clairmont@...igroup.com> wrote:
> How fast is fast? The time it takes an av, spyware or firewall
> company to react to a real-time threat.   I think there is going
> to have to be a pooling of anti-virus, mail sweeping and firewall
> protection knowledge.   There should be a central policy that
> can be reported and distributed to the various vendors and
> clients that autoupdates the protecting software.  Simply a
> crisis-mail-alert with appropriate information for translation into a protecting shield that updates all av, mail and firewall
> utilities.
> 
> Has anyone written or read a spec. on standardizing worm, virus
> or other alerts with not just there's a 'sploit, but a method of
> reporting the 'sploit or adware, malware in a way that the
> vendors and clients could instantly counter with a new filter or
> fix?
> 
> Information such as.
> Such as the Virus, Malware, Spam type.
> Then filtering fingerprint,
> Associated dll update, or where to get it from approved vendor lists.
> etc.
> etc. Time of discovery, Place,
> Description of malicious effect etc.
> 
> Does anyone have any ideas on this?  Is there an RFP on this
> particular subject of universal alerts with fix etc. etc?
> 
> Because the time consuming list watching is just not standardized.
> What vendor and when it comes time to update is a matter of
> when they get around to it.  By that time the cows are out of the
> barn and we are like the volunteer fire department, foundation
> savers.  By the time everyone gets out of bed, rushes to the firehouse and gets to the scene there is nothing left but a foundation to save.
> 
> A Universal Internet Security Alert system with fix, signature etc. should be implemented, when one finds the fix they would be obligated to put the fix into an alert database that all vendors could use.  It would be non-vendor specific and universal to all updates.
> 
> Any other thoughts would be welcome.
> Part of the problem I see would be how to secure the reporting itself.  It would have to be through a specific Agency,
> with signature and encryption that is fairly fool proof and secure.
> A centralized database that can then be created and then an
> alert issued where everyone can go and get the fix, signature or
> whatever and automated. Right now every vendor has its own.
> 
> Thoughts,
> Jan Clairmont
> Firewall Administrator/Consultant
> 
> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of Todd Towles
> Sent: Tuesday, August 03, 2004 9:53 AM
> To: 'Denis McMahon'; 'fd'
> Subject: RE: [Full-Disclosure] broken virus / worm email has attachment
> not found by grisoft proxy scanner
> 
> I have seen this type of e-mail on my yahoo account at home. I just guessed
> it was a corrupt e-mail put out by some e-mail virus circling the internet.
> It wouldn't be the first time or the last.
> 
> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Denis McMahon
> Sent: Tuesday, August 03, 2004 6:39 AM
> To: fd
> Subject: [Full-Disclosure] broken virus / worm email has attachment not
> found by grisoft proxy scanner
> 
> Hmm
> 
> I've had a couple of suspicious emails this week with headers, blank
> line, a line of text, mime headers.
> 
> Thunderbird doesn't see the mime attachment due to the broken headers,
> which is good, but nor does the grisoft email proxy scanner, which is
> bad, especially as I guess that certain broken applications (no I don't
> have outlook [express] on my system) might try and be smart and find the
> attachment.
> 
> This might be broken malware sending unusable stuff out, but my worry is
> that someone may have found a technique that will sneak an attachment
> past some a-v scanners in a "broken" format that certain popular email
> apps will try and fix, possibly putting active malware on the hard disk.
> 
> I tried to talk to grisoft about this, but all I get back is "you have
> to pay to talk to us cheapskate" ... whilst I can agree that they might
> not want to provide tech support to users of their free scanner, does
> anyone have an email address at grisoft for submitting suspicious items
> that have got past their proxy scanner?
> 
> Denis
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 


-- 
Thomas Reidy
treidy@...il.com
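
A defender-side check for the message shape Denis describes in the quoted post (headers, blank line, a line of text, then MIME headers), added here as an example and not part of the original thread. The function names, the sample messages and the choice of what to flag are assumptions made for illustration, not the logic of Grisoft's or any other scanner.

```python
import re
from email import message_from_string

# Entity headers that belong in a header block, never in body text.
MIME_HDR = re.compile(
    r"^(content-type|content-transfer-encoding|content-disposition)\s*:", re.I)

def stray_mime_headers(raw):
    """Return MIME header lines that sit in the body of a message the
    parser did not split into parts (so a scanner sees no attachment)."""
    msg = message_from_string(raw)
    if msg.is_multipart():
        return []          # parts were parsed; normal scanning covers them
    body = msg.get_payload()
    return [ln.strip() for ln in body.splitlines() if MIME_HDR.match(ln)]

def looks_like_hidden_attachment(raw):
    """Heuristic: stray headers that also name a file or an encoding."""
    stray = " ".join(stray_mime_headers(raw)).lower()
    return bool(stray) and ("base64" in stray or "name=" in stray)

# Constructed sample: headers, blank line, one line of text, MIME headers.
BROKEN = (
    "From: a@example.test\nTo: b@example.test\nSubject: hello\n\n"
    "see attached\n"
    'Content-Type: application/octet-stream; name="example.bin"\n'
    "Content-Transfer-Encoding: base64\n"
    'Content-Disposition: attachment; filename="example.bin"\n\n'
    "QUJDREVGR0g=\n")

# Constructed sample: the same attachment in a well-formed multipart message.
CLEAN = (
    "From: a@example.test\nSubject: ok\nMIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nhello\n"
    '--b1\nContent-Type: application/octet-stream; name="example.bin"\n'
    "Content-Transfer-Encoding: base64\n\nQUJDREVGR0g=\n--b1--\n")

# Constructed sample: plain text that merely mentions a header name.
QUOTED = "From: a@example.test\nSubject: q\n\nContent-Type: text/html is common\n"

if __name__ == "__main__":
    for name, raw in (("BROKEN", BROKEN), ("CLEAN", CLEAN), ("QUOTED", QUOTED)):
        print(name, looks_like_hidden_attachment(raw), stray_mime_headers(raw))
```

A gateway could quarantine or strip messages for which the check returns true, since a lenient mail client may still reconstruct the attachment that a strict parser never saw.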

