lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <44853596.1064662822@[192.168.2.119]>
From: pauls at utdallas.edu (Paul Schmehl)
Subject: RE: Probable new MS DCOM RPC worm for Windows

--On Saturday, September 27, 2003 7:30 AM -0400 Karl DeBisschop 
<kdebisschop@...rt.infoplease.com> wrote:
>
> I imagine mail out of that subnet passes through a proxy server with
> spam and virus detection.
>
Yes.  And they will get an entirely different DNS server (through DHCP) 
that will only resolve the hosts that we want them to resolve.  :-)

> This is a cute concept Paul. You've got a pretty challenging environment
> there, and this looks like a creative and functional help for you. It
> will be interesting to hear how well this ends up working for you and
> what evolution it goes through. For instance, if your security policy
> includes supporting diversification, you could add connections to
> mirrored Linux and/or (Net|Free|Open)BSD distros (which would be easy
> enough to mirror locally).
>
That's the plan, although the focus right now is completely on the 
Microsoft clients.  I recently suggested that we should switch all MS 
clients to Mac OS X.  :-)  They actually didn't laugh this time.

We already are pretty diversified.  Our "backoffice" stuff is primarily 
Solaris, but we've got plenty of Linux flavors, HP-UX, SGI, FreeBSD, 
OpenBSD, etc.

> Maybe this concept is already widely in use at academia. If it is not,
> it may soon be.
>
The ideas along this line have been floating around for some time and 
variations of it have been implemented during the Blaster mess, but I 
haven't seen this *exact* idea espoused.  Don't misunderstand.  It's not 
really my idea.  It's more a result of ongoing discussions amongst a group 
of us, with me and others throwing out various thoughts and input from a 
number of mailing lists that we read, all thrown together into a stewpot 
and stirred vigorously.  :-)

The implementation will require the skills of other people.  I'm not a DNS 
expert nor a switching/routing expert, but we have guys that are, and 
they're figuring out the implementation now.

Essentially what would happen is a person's MAC address would end up in the 
"evil" file and their connection would be killed.  Then DHCP would see 
their next REQUEST and ACK an address in the "evil vlan" (10.x.x.x so they 
can't serve anything or get off campus without translation) with a special 
DNS server that resolves the vendor's patch site, our gateway mail server 
and a web page that warns them of the problem.  Eventually mirroring could 
enter into the equation as well.  We already mirror all MS patches and AV 
stuff locally anyway.

As much as possible we're trying to eliminate work for us and put the onus 
on the user to fix their problem, with help from IT if they need it.

Eventually I can see us putting hosts in there that have been hacked, 
tagged, infected, whatever.  Personally I'd like to put them in there if 
they're simply vulnerable, not hacked, but I haven't yet persuaded the 
powers that be that we should be that "draconian".  (I prefer to see it as 
proactive.)

Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
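The quarantine flow described in the message above (a MAC address lands in the "evil" file, DHCP ACKs the host's next REQUEST with a 10.x.x.x lease and a special DNS server, and that DNS server resolves only the vendor patch site, the campus mail gateway and a warning page) as an added Python example. It is not part of the original post and not the university's implementation; the hostnames, addresses, MACs, pool ranges and the one-MAC-per-line evil-file format are constructed placeholders.

```python
"""Quarantine ("evil VLAN") policy pieces: a MAC-based DHCP lease decision
and an allowlist-only DNS responder.  Constructed example; every name,
address and MAC here is a placeholder, not a real campus value."""
import ipaddress
import socket
import struct

# Constructed allowlist: the only names the quarantine DNS will answer
# (vendor patch site, outbound mail gateway, "you are infected" page).
QUARANTINE_ZONE = {
    "windowsupdate.example": "192.0.2.10",   # vendor patch site (placeholder)
    "mailgw.campus.example": "192.0.2.20",   # campus mail gateway (placeholder)
    "fixme.campus.example":  "192.0.2.30",   # warning page (placeholder)
}
QUARANTINE_DNS = "10.66.0.2"                                # restricted resolver
QUARANTINE_POOL = ipaddress.ip_network("10.66.0.0/24")      # RFC 1918, no NAT out
NORMAL_POOL = ipaddress.ip_network("203.0.113.0/24")        # placeholder campus range
NORMAL_DNS = "203.0.113.2"


def load_evil_file(text: str) -> set:
    """Parse the 'evil' file: one MAC per line, '#' comments, case-insensitive."""
    macs = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            macs.add(line)
    return macs


def assign_lease(mac: str, evil: set, host_index: int) -> dict:
    """Decide which pool and which DNS server a DHCP REQUEST is ACKed with.
    host_index is the offset within the pool (first usable host is .10)."""
    if mac.lower() in evil:
        pool, dns = QUARANTINE_POOL, QUARANTINE_DNS
    else:
        pool, dns = NORMAL_POOL, NORMAL_DNS
    addr = pool.network_address + 10 + host_index
    if addr not in pool:
        raise ValueError("pool exhausted")
    return {"ip": str(addr), "dns": dns, "quarantined": pool is QUARANTINE_POOL}


def _parse_qname(msg: bytes, off: int):
    """Read an uncompressed QNAME starting at off; return (name, next offset)."""
    labels = []
    while True:
        ln = msg[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer not allowed in a question")
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels).lower(), off


def quarantine_dns_response(query: bytes) -> bytes:
    """Answer a DNS/UDP query from QUARANTINE_ZONE only; anything else is NXDOMAIN."""
    qid, flags, qd, _an, _ns, _ar = struct.unpack("!6H", query[:12])
    if qd != 1:
        raise ValueError("exactly one question expected")
    name, off = _parse_qname(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    question = query[12:off + 4]
    rd = flags & 0x0100                     # echo the client's RD bit
    base = 0x8400 | rd                      # QR=1, AA=1 (we are the authority here)
    ip = QUARANTINE_ZONE.get(name)
    if ip is None:                          # not on the allowlist: RCODE 3, no answers
        return struct.pack("!6H", qid, base | 3, 1, 0, 0, 0) + question
    if qtype != 1 or qclass != 1:           # only A/IN is served: NOERROR, empty answer
        return struct.pack("!6H", qid, base, 1, 0, 0, 0) + question
    header = struct.pack("!6H", qid, base, 1, 1, 0, 0)
    # Answer: pointer to the question name (offset 12), type A, class IN, TTL, RDLENGTH, IPv4
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + question + answer


def build_query(name: str, qid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a plain A/IN query so the responder can be exercised offline."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def rcode_and_answer(resp: bytes):
    """Return (RCODE, answered IPv4 or None) from a response built above."""
    _qid, flags, _qd, an, _ns, _ar = struct.unpack("!6H", resp[:12])
    return flags & 0xF, (socket.inet_ntoa(resp[-4:]) if an else None)


def serve(bind: str = "0.0.0.0", port: int = 53):
    """Minimal UDP loop for the quarantine VLAN; malformed packets are dropped."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(quarantine_dns_response(data), peer)
        except (ValueError, IndexError, struct.error):
            pass


if __name__ == "__main__":
    serve()
```

The resolver is deliberately authoritative and closed: a quarantined host gets NXDOMAIN for everything except the three allowlisted names, so a worm's own lookups fail while the patch site, mail gateway and warning page still work. In practice the DHCP side would also shorten the lease time so that removal from the evil file takes effect quickly.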


