lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 24 Nov 2008 02:08:02 -0500
From: "Elazar Broad" <elazar@...hmail.com>
To: nytrokiss@...il.com, bipin.gautam@...il.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [inbox] Re: Fwd: Comment on: USB devices
	spreading viruses

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Symantec's Endpoint Protection has a device control feature which
basically functions as you have stated. I haven't really played
around with it much, however, it can block devices based on device
id...

elazar

On Mon, 24 Nov 2008 00:17:34 -0500 Bipin Gautam
<bipin.gautam@...il.com> wrote:
>On 11/24/08, James Matthews <nytrokiss@...il.com> wrote:
>> bit9 and kaspersky offer this new service. Companies should make
>use of it.
>>
>
>what service, James!
>
>Could you please explain more...
>
>I find it ridicules to know that this problem has been there since
>the
>earliest version of windows but still without a generic solution!
>Is
>this unwillingness for the approach to a proper solution is what
>has
>fueled the "antivirus business" for so long?
>
>If you look in the *nix side you will see this technique is
>tested/proven. Signature based or behavior based approach
>detection
>will continue to fail.
>
>To address this never-ending problem of virus infection from
>removable
>media, i have implemented no-execution-from-removable to dorzons
>of
>computers in the past years, even the dumbest of users understand
>what
>is being done and feel safe about they wont likely have virus
>infection from the removable media ever, even if the media has a
>virus. They know workaround on how to temporarily disable the
>restriction if they are willing to run something trustworthy as i
>have
>made the users clear there is no solution to the problem of virus
>infection from removable media and and you have to learn these few
>things ...like you have learned to use antivirus software to stay
>safe. Users get it, really!
>
>Antivirus companies should take similar approach (as described
>previously) to address it but adding USABILITY.
>
>This problem is there to stay for years to come. What better could
>be
>the proper solution to this problem?
>
>thanks,
>-bipin
>
>
>
>> On Sun, Nov 23, 2008 at 10:05 PM, Bipin Gautam
>> <bipin.gautam@...il.com>wrote:
>>
>>> On 11/23/08, Mike C <mike.cartall@...il.com> wrote:
>>>
>>> >> Of course, blindly thwacking people / dragging them to HR by
>the hair
>>> >> when they're really just trying to do their jobs is
>>> >> counter-productive. The calls also show us where we,
>security, are
>>> >> falling down. Perhaps it's poor awareness training (if the
>user didn't
>>> >> know that they shouldn't run unapproved software, or why we
>have that
>>> >> rule, or how to get a new app approved); or could be that
>the official
>>> >> route is being seen as too slow or bureaucratic, in which
>case it
>>> >> needs fixing. And so on.
>>> >>
>>> >
>>> > All I hope is we can fix the issue. Hopefully in the near
>future.
>>> >
>>>
>>>
>>> Yeah!
>>> Here is my prospective to a possible solution that wouldn't
>compromise
>>> usability.
>>>
>>> But, first lets all agree on "banning execution of any binary
>from
>>> removable media" is the only straightforward solution this
>decades old
>>> problem of virus infection/propagation from removable media.
>>>
>>> See, if a web-page tries to install an activeX / browser
>plugin, your
>>> browser (non intrusively) waits for user interaction with a
>security
>>> warning message on "if you really intend to install the plugin
>(Which
>>> may be harmful!)" or .......may choose to ignore the dialog and
>>> continue browsing.
>>>
>>> Here, it is assumed "user understands" the security impact of
>>> executing untrusted programs from internet and let the
>execution
>>> decision left to the end user with manual interaction. If the
>plugin
>>> installation behavior is not intended user can simply ignore
>the
>>> manual interaction request for execution and instead continue.
>>>
>>> In similar way, anti virus company or Microsoft should create
>similar
>>> for "My Computer Zone" where the first execution of a binary
>"from
>>> removable media" is denied by default and prompt for user
>interaction
>>> to execute, white list&execute or terminate/ban the request for
>>> execution from removable media like the way internet explorer
>(non
>>> intrusively) handles installation of activeX like in IE. Binary
>>> execution from removable media should be treated that way (
>untrusted
>>> ! )
>>>
>>> Pen drive / SD have unique serial numbers which can be used to
>>> identify and permanently whitelist or blacklist the media from
>>> execution.
>>>
>>> Windows already has a feature for prompting if user tries to
>execute
>>> binary from intranet/shared folder or execution of binary
>marked as
>>> downloaded from "Internet Zone"
>>>
>>> Why not have similar for binary execution from removable media
>as well!?
>>>
>>> What better could be the solution to stopping virus to
>propagate from
>>> removable medias with (default) FAT file system. (lacking
>ACL's)
>>>
>>> For corporate environment let there be feature to sync these
>white
>>> listed/blacklisted hashes of executable or removable media UID
>from
>>> anti virus server/domain controller to anti virus
>clients/related
>>> service running in user end.
>>>
>>> Will this work :)?
>>>
>>> -thanks,
>>> bipin
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>
>>
>>
>> --
>> http://www.goldwatches.com/
>>
>> http://www.jewelerslounge.com/luxury-insurance
>>
>
>
>--
>x-no-archive: yes
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify

wpwEAQECAAYFAkkqUtIACgkQi04xwClgpZitOQP8D1lV4X3nBEKbynQ0RUX5RMO3U/5Z
cpJAalM0CPllm0sbTkAMeuogsyB4vhZ9J4UdXcRzyVOZPLs1nMOvQHttNTTXAKQDXsiv
6aexWRZvg4UeE5YSbgs7bU8PjWsNAW3kPL9d2/fkuLisCA2leOMMjPUdxZQu8vRg5oIC
IQQl5TM=
=/TSf
-----END PGP SIGNATURE-----

--
Click for huge discounts on pet food and supplies - up to 70% off
http://tagline.hushmail.com/fc/PnY6qxt2l8TNc9jVLBmA5nygUPHxBXPtdRHOAicTVOCmlIMT7aiDW/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ