Message-ID: <1075310949.3765.35.camel@tantor.nuclearelephant.com>
From: jonathan at nuclearelephant.com (Jonathan A. Zdziarski)
Subject: Proposal: how to notify owners of compromised PC's

You can track widespread virii breakout without running manual
blacklists.  We're working on a streamlined (machine automated)
blackhole list server at http://www.nuclearelephant.com/projects/sbl/. 
It is originally designed to identify spammer IPs within minutes of a
new distribution based on how wide-spread the reports are across
networks (rather than the total number of reports) and works rather well
in preliminary testing.  A tool like this could easily be adapted to
track, in real-time, which hosts were infected based on the same spread
principle.  By using machine-automation combined with a realtime,
short-term blackhole server such as the SBL project, you can zero in
with accuracy the individuals infected without worrying about
blackholing entire dialup lists, etc.

For tracking dynamic accounts for virii, you may consider tweaking the
blacklist life from 24 hours to maybe 2-3 hours - that should be all you
need to notify the host anyway.  DSL lines don't change but every couple
of days, and dialup users are usually on for a couple hours unless
they're traveling.

What I think would be a better idea though as far as notifying the
end-users would be to code a little tray applet that would tell the user
whenever there were several port 25 connections to different hosts. 
Include with a standard "You're running windows so you're going to get
0wned" suite of tools. 

> >If major sites like Google, MSN etc. would query rapid DSL and dialup
> >blacklists, they could visually inform the visitor that their PC is
> >listed (+ inform them what to do, direct them to online AV etc).
> 
> Bad idea! Think about all those hosts listed in a RBL and the users can't
> do anything about it? Especially dialup/dsl users with dynamic IP's.
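As an added illustration (not code from the original post or the SBL project), the two ideas above expressed as detection logic: the spread principle, which lists an IP by how many distinct reporter networks complain rather than by the raw report count and lets entries expire after a short window, and the tray-applet check that flags a PC opening port 25 connections to many different hosts. The sample reports and connections are constructed, and the /16 "network" granularity, thresholds and windows are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_network

class SpreadTracker:
    """Per subject, count how many distinct origins were seen in a sliding
    window. Old events expire, like a short-lived blackhole list entry."""
    def __init__(self, window, threshold):
        self.window, self.threshold = window, threshold
        self._events = defaultdict(deque)   # subject -> deque of (ts, origin)

    def observe(self, subject, origin, ts):
        """Record an event; return True if the subject now crosses threshold."""
        q = self._events[subject]
        q.append((ts, origin))
        while q and ts - q[0][0] > self.window:   # expire events older than window
            q.popleft()
        return len({o for _, o in q}) >= self.threshold

def reporter_network(ip, prefix=16):
    """Collapse a reporter IP to its /16 (assumed granularity) so a flood of
    reports from one network counts as a single origin."""
    return str(ip_network(f"{ip}/{prefix}", strict=False))

def listed_spammers(reports, window=timedelta(hours=2), min_networks=3):
    """Blackhole-list an IP once reports span >= min_networks distinct reporter
    networks inside the window. reports: (ts, reported_ip, reporter_ip)."""
    tracker = SpreadTracker(window, min_networks)
    listed = set()
    for ts, reported, reporter in sorted(reports):
        if tracker.observe(reported, reporter_network(reporter), ts):
            listed.add(reported)
    return listed

def smtp_fanout_alerts(conns, window=timedelta(minutes=10), min_hosts=5):
    """Tray-applet style check: alert on a PC that opens port 25 connections to
    >= min_hosts distinct hosts within the window. conns: (ts, src, dst, dport)."""
    tracker = SpreadTracker(window, min_hosts)
    return sorted({src for ts, src, dst, port in sorted(conns)
                   if port == 25 and tracker.observe(src, dst, ts)})

# Constructed sample data (not from the original post).
T0 = datetime(2004, 1, 28, 12, 0)
REPORTS = (
    [(T0 + timedelta(minutes=i), "203.0.113.7", f"198.51.100.{i}") for i in range(10)]  # 10 reports, one /16
    + [(T0 + timedelta(minutes=i), "203.0.113.9", ip) for i, ip in enumerate(["198.51.100.5", "192.0.2.8", "172.16.5.5"])]
)
CONNS = [(T0 + timedelta(seconds=10 * i), "10.0.0.5", f"mx{i}.example.net", 25) for i in range(6)] \
      + [(T0, "10.0.0.6", "smtp.isp.example", 25)] * 20   # many connections, but one host
```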
