[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <44E0C2D7.7050102@gmail.com>
Date: Mon, 14 Aug 2006 14:37:11 -0400
From: "Jonathan Glass (gm)" <jonathan.glass@...il.com>
To: Peter Besenbruch <prb@...a.net>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: what can be done with botnet C&C's? (fwd)
Peter Besenbruch wrote:
> I keep hitting reply, and not posting to the list.
>
>
> -------- Original Message --------
>
> Valdis.Kletnieks@...edu wrote:
>> On Sun, 13 Aug 2006 08:32:16 EDT, Dude VanWinkle said:
>>> When I worked at a university, the students were always getting
>>> compromised till we implemented sandboxing. People DHCP'ing into the
>>> network were placed in a subnet by themselves till a scan revealed
>>> that they had:
>>> 1: up to date AV
>>> 2: up to date patches
>>> 3: a Functioning firewall
>>
>> OK, I'll bite - if you detect a functioning firewall, how do you scan for
>> up to date patches and A/V? Seems like you'd have to have at least a
>> stub
>> client on the machine to answer the "What patchlevel you at?" query.
>
> I would also like to know how Mac and Linux machines were differentiated
> from the Windows machines. It can't just be on the basis of user agent
> strings. Would it be Javascript trickery on logging on to the network?
> Flash objects, Java, ActiveX? Was it a simple ban on everyone, unless
> they ran a secured Windows system, and everyone else be damned (as
> insecure)? Do you just give the users of alternate OSes a fixed IP?
>
>> (And this is the sort of thing that is easy to force install in a
>> corporate
>> environment where you own the machine. It's also easy to do if you're a
>> regular ISP, and you can get away with saying "If you don't like it,
>> go to
>> another ISP". It's a can of worms when you don't own the machine, and
>> you're
>> a de facto monopoly because the student lives in the dorms - a Hobson's
>> choice "install this or don't get net access" doesn't make you many
>> friends...)
>
> Sandboxing suspicious activity might work better. If a student got
> nailed a few times, the hassle of getting reconnected might force
> changes in on-line behavior.
>
As I understand it, the system Mr. VanWinkle mentioned is primarily
aimed at finding the low-hanging fruit of unpatched/backdoor'd systems
before letting them on the public (Residential) network. There is no
good way of remotely testing for patches if the student has followed the
recommended best practices and enabled their windows firewall with no
exceptions allowed.
A component of this system is the concept of a sandbox where a host is
totally isolated from the rest of campus, and the other hosts in the
sandbox. If the system has multiple issues, they get disabled and a
school employee must visit them and verify the system is clean before
they can be re-enabled.
This fall, the students will be presented with the option of installing
a host-based intrusion prevention and managed AV package to complement
this scanning system.
Other OSs get flagged as such (as well as Nessus + NMAP can determine)
and the student moves on. The whole scanning/registering system takes <
5 minutes from start to finish (I don't know how long exactly...depends
on how fast the student can click I guess).
Thanks
Jonathan
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists