Date: Sat May 14 18:50:29 2005
From: eric at arcticbears.com (Eric Paynter)
Subject: Benign Worms

On Sat, May 14, 2005 9:30 am, Valdis.Kletnieks@...edu said:
> Even if you *do* manage to code the worm correctly, all it takes is for
> *one* person visiting your site to have plugged their laptop into the net,
> and you're at least potentially screwed.

Hopefully as a minimum, one would code it to be limited to certain
subnets. That way, even if it does get the laptop, when the laptop goes
onto the Internet, it will not scan from the NIC with a public IP. It will
just go dormant.


> And I posit that if your network is either small enough or run *that*
> fascistly that you are ready to swear on a Bible in court,
> under penalty of perjury, that you *know* everything that's connected to
> it, then you don't need a worm to fix it.

Fascistly? Well, maybe from a university point of view, where the networks
tend to be more open. But for some corporate networks, the corporation
owns all equipment on the network and has a legal responsibility to ensure
the safety of the data on the network. That means forcing patches to all
machines.

With all the exploits over the years that allow users to escalate privs,
it's not too uncommon in medium and large corporations (several thousand
or more desktops) that some users have taken over their desktops and
removed the sysadmin's privs. If the corporation has a geographically
distributed wide area network, it may be cost-prohibitive to send people
to every site where one of these "rogue PCs" is detected, not to mention
that some can be very difficult to detect. Non-technical enforcement
(determining the user and escalating to HR) can also be difficult,
especially when inter-divisional politics get in the way (surprise: most
large corporations have very dysfunctional relationships
inter-departmentally and especially inter-divisionally).

What's the easiest and fastest way to periodically sweep the network clean
of these PCs, to meet the mandate of ISD to have everything patched, to
avoid the politics of disciplining user X for breaking the rules, to just
make it happen without all the argument? This is the line of reasoning
that leads young support jockeys to consider benign worm development...

Although I would still suggest that a worm is not the way to go. Put the
"hack and patch" functionality on a server and point the server at each
subnet you want to target. Much safer. Much easier to control.

-Eric

--
arctic bears - email and dns services
http://www.arcticbears.com
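The scoping rule Eric describes (scan only from interfaces that sit inside designated corporate subnets, go dormant otherwise, and never target anything outside those subnets) is easy to express as a small allowlist check. The block below is an added illustration written for this archive page; it is not Eric's code or anything posted to the thread, and the subnet ranges, interface addresses and candidate targets in it are constructed for the example. It covers both the agent case (decide whether a given host may scan at all) and the central-server alternative from the last paragraph (expand a subnet into targets only if an operator has explicitly put that subnet in scope).

```python
import ipaddress

# Constructed allowlist of corporate ranges for this example. In practice this
# would be operator-controlled configuration, not something a roaming agent
# can widen on its own.
ALLOWED_SUBNETS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.168.100.0/24"),
]


def _in_allowed(ip, allowed):
    """True if the address lies inside any allowed subnet."""
    return any(ip in net for net in allowed)


def interfaces_in_scope(local_addrs, allowed=ALLOWED_SUBNETS):
    """Return the local interface addresses from which scanning is permitted.

    A public address (the laptop later plugged into the Internet) is never in
    the allowlist, so it is silently ignored; RFC 1918 space that the
    corporation does not own is ignored too. Only addresses inside an
    explicitly allowed subnet count.
    """
    return [ip for ip in map(ipaddress.ip_address, local_addrs)
            if _in_allowed(ip, allowed)]


def filter_targets(candidates, allowed=ALLOWED_SUBNETS):
    """Drop every candidate target that is not inside an allowed subnet."""
    return [ip for ip in map(ipaddress.ip_address, candidates)
            if _in_allowed(ip, allowed)]


def decide(local_addrs, candidates, allowed=ALLOWED_SUBNETS):
    """Agent-side decision: ('dormant', []) when no local interface is in an
    allowed subnet, otherwise ('scan', in-scope targets)."""
    if not interfaces_in_scope(local_addrs, allowed):
        return "dormant", []
    return "scan", filter_targets(candidates, allowed)


def expand_subnet(subnet, allowed=ALLOWED_SUBNETS):
    """Server-side variant: enumerate host addresses for a subnet an operator
    pointed the server at, but only if that subnet is wholly contained in the
    allowlist. Anything else yields no targets at all."""
    net = ipaddress.ip_network(subnet)
    if not any(net.subnet_of(a) for a in allowed if net.version == a.version):
        return []
    return list(net.hosts())


if __name__ == "__main__":
    # Desktop on the corporate LAN: scans, but only the in-scope candidates.
    print(decide(["192.168.100.7"], ["192.168.100.9", "8.8.8.8", "10.20.1.1"]))
    # Same code on a laptop with a public address: dormant.
    print(decide(["8.8.8.8"], ["192.168.100.9"]))
    # Central server asked to sweep one /30 inside the allowed /16.
    print(expand_subnet("10.20.5.0/30"))
```

The check is deliberately an allowlist rather than an "is this a private address" test: a sibling company's 172.16.0.0/12 behind a partner VPN is just as out of bounds as the public Internet, and the allowlist rejects both. The server-side `expand_subnet` is the safer design Eric ends on, because the scope lives on one machine an operator controls instead of on every host the code has reached.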
