lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <B99D046F7F16A34EA7926E14DD82F5A114CCDD@exchny28.ny.ssmb.com>
From: jan.m.clairmont at citigroup.com (Clairmont, Jan M)
Subject: Getting the lead out of  broken virus / worm email meta-reporting

How fast is fast? The time it takes an av, spyware or firewall
company to react to a real-time threat.   I think there is going
to have to be a pooling of anti-virus, mail sweeping and firewall 
protection knowledge.   There should be a central policy that 
can be reported and distributed to the various vendors and 
clients that autoupdates the protecting software.  Simply a 
crisis-mail-alert with appropriate information for translation into a protecting shield that updates all av, mail and firewall
utilities.

Has anyone written or read a spec. on standardizing worm, virus
or other alerts with not just there's a'sploit, but a method of
reporting the 'sploit or adware, malware in a way that the 
vendors and clients could instantly counter with a new filter or
fix?


Information such as.
Such as the Virus, Malware, Spam type.
Then filtering fingerprint,
Associated dll update, or where to get it from approved vendor lists.
etc.
etc. Time of discovery, Place, 
Description of malicious effect etc.

Does anyone have any ideas on this?  Is there an RFP on this 
particular subject of universal alerts with fix etc. etc?

Because the time consuming list watching is just not standardized.
What vendor and when it comes time to update is a matter of
when they get around to it.  By that time the cows are out of the
barn and we are like the volunteer fire department, foundation
savers.  By the time everyone gets out of bed, rushes to the firehouse and gets to the scene there is nothing left but a foundation to save.

A Universal Internet Security Alert system with fix, signature etc. should be implemented, when one finds the fix they would be obligated to put the fix into an alert database that all vendors could use.  It would be non-vendor specific and universal to all updates.

Any other thoughts would be welcome.
Part of the problem I see would be how to secure the reporting itself.  It would have to be through a specific Agency,
with signature and encryption that is fairly fool proof and secure.
A centralized database that can then be created and then an
alert issued where everyone can go and get the fix, signature or
whatever and automated. Right now every vendor has its own.

Thoughts,
Jan Clairmont
Firewall Administrator/Consultant


-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of Todd Towles
Sent: Tuesday, August 03, 2004 9:53 AM
To: 'Denis McMahon'; 'fd'
Subject: RE: [Full-Disclosure] broken virus / worm email has attachment
not found by grisoft proxy scanner


I have seen this type of e-mail on my yahoo account at home. I just guessed
it was a corrupt e-mail put out by some e-mail virus circling the internet.
It wouldn't by the first time or the last.


-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Denis McMahon
Sent: Tuesday, August 03, 2004 6:39 AM
To: fd
Subject: [Full-Disclosure] broken virus / worm email has attachment not
found by grisoft proxy scanner

Hmm

I've had a couple of suspicious emails this week with headers, blank 
line, a line of text, mime headers.

Thunderbird doesn't see the mime attachment due to the broken headers, 
which is good, but nor does the grisoft email proxy scanner, which is 
bad, especially as I guess that certain broken applications (no I don't 
have outlook [express] on my system) might try and be snart and find the 
attachment.

This might be broken malware sending unusable stuff out, but my worry is 
that somene may have found a technique that will sneak an attachment 
past some a-v scanners in a "broken" format that certain popular email 
apps will try and fix, possibly putting active malware on the hard disk.

I tried to talk to grisoft about this, but all I get back is "you have 
to pay to talk to us cheapskate" ... whilst I can agree that they might 
not want to provide tech support to users of their free scanner, does 
anyone have an email address at grisoft for submitting suspicious items 
that have got past their proxy scanner?

Denis

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ