Date: Mon, 14 Aug 2006 14:41:55 -0400
From: "Dude VanWinkle" <dudevanwinkle@...il.com>
To: "Peter Besenbruch" <prb@...a.net>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: what can be done with botnet C&C's? (fwd)

On 8/14/06, Peter Besenbruch <prb@...a.net> wrote:
> I keep hitting reply, and not posting to the list.
>
>
> -------- Original Message --------
>
> Valdis.Kletnieks@...edu wrote:
> > On Sun, 13 Aug 2006 08:32:16 EDT, Dude VanWinkle said:
> >> When I worked at a university, the students were always getting
> >> compromised till we implemented sandboxing. People DHCP'ing into the
> >> network were placed in a subnet by themselves till a scan revealed
> >> that they had:
> >> 1: up to date AV
> >> 2: up to date patches
> >> 3: a Functioning firewall
> >
> > OK, I'll bite - if you detect a functioning firewall, how do you scan for
> > up to date patches and A/V?  Seems like you'd have to have at least a stub
> > client on the machine to answer the "What patchlevel you at?" query.
>
> I would also like to know how Mac and Linux machines were differentiated
> from the Windows machines. It can't just be on the basis of user agent
> strings. Would it be Javascript trickery on logging on to the network?
> Flash objects, Java, ActiveX? Was it a simple ban on everyone, unless
> they ran a secured Windows system, and everyone else be damned (as
> insecure)? Do you just give the users of alternate OSes a fixed IP?

Crap, I just remembered about the actual setup (sorry, I am a little
under the weather today *sneeze*). It wasn't as complex as you would
think. If we couldn't scan a machine that just DHCP'ed, then it was
assumed that you were protected and released to the "live" subnet. If
we could detect flaws on the system (no patches, out of date AV, etc.)
then we would send 'em to the private subnet with the restricted
access. Only Windows boxen with ISS FW would let the Nessus through.

> > (And this is the sort of thing that is easy to force install in a corporate
> > environment where you own the machine.  It's also easy to do if you're a
> > regular ISP, and you can get away with saying "If you don't like it, go to
> > another ISP".  It's a can of worms when you don't own the machine, and you're
> > a de facto monopoly because the student lives in the dorms - a Hobson's
> > choice "install this or don't get net access" doesn't make you many friends...)
>
> Sandboxing suspicious activity might work better. If a student got
> nailed a few times, the hassle of getting reconnected might force
> changes in on-line behavior.


It's hard to determine "suspicious activity" on a network with research
going on. If we detected an infection, then the port in question was
pulled till someone cleaned the machine. A scan was then performed to
verify the integrity of the new machine (e.g. if the Blaster worm was
detected, we would scan for the vulnerability and not let them on till
they came up "clean").

Again, this would not work for big ISPs, and it's a little off topic,
but I thought I would answer the questions.


-JP

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
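The quarantine policy described in the reply above (new DHCP client lands in a restricted subnet, a scan decides whether it moves to the live subnet, an unscannable host is treated as firewalled and released, and an infected host's port stays pulled until a rescan no longer shows the vulnerability) is small enough to write down as a state machine. The code below is an added illustration, not anything from the thread or from the university's setup; the `Host`, `ScanResult` and vulnerability identifiers are constructed for the example, and the scan results are hand-built rather than produced by Nessus.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class State(Enum):
    QUARANTINE = "quarantine"   # restricted subnet, limited access
    LIVE = "live"               # normal campus network
    PULLED = "pulled"           # switch port disabled after an infection


@dataclass
class ScanResult:
    """Constructed stand-in for what a network scanner reports back."""
    reachable: bool                 # False means the host firewall blocked the scanner
    av_current: bool = True
    patches_current: bool = True
    findings: Tuple[str, ...] = ()  # vulnerability ids, constructed labels for this example


@dataclass
class Host:
    mac: str
    state: State = State.QUARANTINE
    pending_vuln: Optional[str] = None  # must be gone before the port is re-enabled


def admit(host: Host, result: ScanResult) -> State:
    """Placement decision after the DHCP-time scan.

    Mirrors the rule in the thread: a host the scanner cannot reach is
    assumed to be protected by its own firewall and is released; a host
    with missing patches, stale AV or other findings stays quarantined.
    """
    if not result.reachable:
        host.state = State.LIVE
        return host.state
    healthy = result.av_current and result.patches_current and not result.findings
    host.state = State.LIVE if healthy else State.QUARANTINE
    return host.state


def on_infection(host: Host, vuln_id: str) -> State:
    """An infection was detected: pull the port and remember what to verify."""
    host.state = State.PULLED
    host.pending_vuln = vuln_id
    return host.state


def readmit(host: Host, result: ScanResult) -> State:
    """Rescan after cleanup; the port stays pulled while the flaw is still present.

    Once the specific vulnerability is no longer found, the normal
    admission rule applies again.
    """
    if host.state != State.PULLED:
        return host.state
    if result.reachable and host.pending_vuln in result.findings:
        return host.state
    host.pending_vuln = None
    return admit(host, result)


if __name__ == "__main__":
    # Constructed walk-through: one firewalled host, one stale host,
    # one host that gets infected, cleaned, and rescanned.
    firewalled = Host("00:11:22:33:44:55")
    print(firewalled.mac, admit(firewalled, ScanResult(reachable=False)))
    stale = Host("00:11:22:33:44:66")
    print(stale.mac, admit(stale, ScanResult(reachable=True, av_current=False)))
    infected = Host("00:11:22:33:44:77")
    admit(infected, ScanResult(reachable=True))
    on_infection(infected, "example-worm-vuln")  # constructed vulnerability id
    print(infected.mac, readmit(infected, ScanResult(reachable=True, findings=("example-worm-vuln",))))
    print(infected.mac, readmit(infected, ScanResult(reachable=True)))
```

Note the trade-off the original post admits: because an unreachable host is released, the check only ever constrains machines that let the scanner in, which is why the poster observed it working mainly on Windows hosts with a permissive firewall.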
