[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <8a6b8e350811232231v594a2155t3a1ffe40cd6c4c2@mail.gmail.com>
Date: Mon, 24 Nov 2008 08:31:32 +0200
From: "James Matthews" <nytrokiss@...il.com>
To: "Bipin Gautam" <bipin.gautam@...il.com>
Cc: Full Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: [inbox] Re: Fwd: Comment on: USB devices
spreading viruses
What i was referring to was having only programs on a corporate white list
run. White listing services are provided by http://www.bit9.com/ and they
have now partnered with Kaspersky to be able ID most programs and anything
else run it in a sandbox.
However your approach to blocking USB devices is better. But this is an
overall approach.
James
On Mon, Nov 24, 2008 at 7:17 AM, Bipin Gautam <bipin.gautam@...il.com>wrote:
> On 11/24/08, James Matthews <nytrokiss@...il.com> wrote:
> > bit9 and kaspersky offer this new service. Companies should make use of
> it.
> >
>
> what service, James!
>
> Could you please explain more...
>
> I find it ridicules to know that this problem has been there since the
> earliest version of windows but still without a generic solution! Is
> this unwillingness for the approach to a proper solution is what has
> fueled the "antivirus business" for so long?
>
> If you look in the *nix side you will see this technique is
> tested/proven. Signature based or behavior based approach detection
> will continue to fail.
>
> To address this never-ending problem of virus infection from removable
> media, i have implemented no-execution-from-removable to dorzons of
> computers in the past years, even the dumbest of users understand what
> is being done and feel safe about they wont likely have virus
> infection from the removable media ever, even if the media has a
> virus. They know workaround on how to temporarily disable the
> restriction if they are willing to run something trustworthy as i have
> made the users clear there is no solution to the problem of virus
> infection from removable media and and you have to learn these few
> things ...like you have learned to use antivirus software to stay
> safe. Users get it, really!
>
> Antivirus companies should take similar approach (as described
> previously) to address it but adding USABILITY.
>
> This problem is there to stay for years to come. What better could be
> the proper solution to this problem?
>
> thanks,
> -bipin
>
>
>
> > On Sun, Nov 23, 2008 at 10:05 PM, Bipin Gautam
> > <bipin.gautam@...il.com>wrote:
> >
> >> On 11/23/08, Mike C <mike.cartall@...il.com> wrote:
> >>
> >> >> Of course, blindly thwacking people / dragging them to HR by the hair
> >> >> when they're really just trying to do their jobs is
> >> >> counter-productive. The calls also show us where we, security, are
> >> >> falling down. Perhaps it's poor awareness training (if the user
> didn't
> >> >> know that they shouldn't run unapproved software, or why we have that
> >> >> rule, or how to get a new app approved); or could be that the
> official
> >> >> route is being seen as too slow or bureaucratic, in which case it
> >> >> needs fixing. And so on.
> >> >>
> >> >
> >> > All I hope is we can fix the issue. Hopefully in the near future.
> >> >
> >>
> >>
> >> Yeah!
> >> Here is my prospective to a possible solution that wouldn't compromise
> >> usability.
> >>
> >> But, first lets all agree on "banning execution of any binary from
> >> removable media" is the only straightforward solution this decades old
> >> problem of virus infection/propagation from removable media.
> >>
> >> See, if a web-page tries to install an activeX / browser plugin, your
> >> browser (non intrusively) waits for user interaction with a security
> >> warning message on "if you really intend to install the plugin (Which
> >> may be harmful!)" or .......may choose to ignore the dialog and
> >> continue browsing.
> >>
> >> Here, it is assumed "user understands" the security impact of
> >> executing untrusted programs from internet and let the execution
> >> decision left to the end user with manual interaction. If the plugin
> >> installation behavior is not intended user can simply ignore the
> >> manual interaction request for execution and instead continue.
> >>
> >> In similar way, anti virus company or Microsoft should create similar
> >> for "My Computer Zone" where the first execution of a binary "from
> >> removable media" is denied by default and prompt for user interaction
> >> to execute, white list&execute or terminate/ban the request for
> >> execution from removable media like the way internet explorer (non
> >> intrusively) handles installation of activeX like in IE. Binary
> >> execution from removable media should be treated that way ( untrusted
> >> ! )
> >>
> >> Pen drive / SD have unique serial numbers which can be used to
> >> identify and permanently whitelist or blacklist the media from
> >> execution.
> >>
> >> Windows already has a feature for prompting if user tries to execute
> >> binary from intranet/shared folder or execution of binary marked as
> >> downloaded from "Internet Zone"
> >>
> >> Why not have similar for binary execution from removable media as well!?
> >>
> >> What better could be the solution to stopping virus to propagate from
> >> removable medias with (default) FAT file system. (lacking ACL's)
> >>
> >> For corporate environment let there be feature to sync these white
> >> listed/blacklisted hashes of executable or removable media UID from
> >> anti virus server/domain controller to anti virus clients/related
> >> service running in user end.
> >>
> >> Will this work :)?
> >>
> >> -thanks,
> >> bipin
> >>
> >> _______________________________________________
> >> Full-Disclosure - We believe in it.
> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >> Hosted and sponsored by Secunia - http://secunia.com/
> >>
> >
> >
> >
> > --
> > http://www.goldwatches.com/
> >
> > http://www.jewelerslounge.com/luxury-insurance
> >
>
>
> --
> x-no-archive: yes
>
--
http://www.goldwatches.com/
http://www.jewelerslounge.com/luxury-insurance
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists