North American Network Operators Group


Re: Every incident is an opportunity (was Re: Hackers hit key Internet traffic computers)

  • From: Rich Kulawiec
  • Date: Mon Feb 12 08:59:11 2007

My two (and a half) cents.

1. Systems that need a firewall, antivirus and antispyware software added
on to survive for more than a few minutes SHOULD NOT BE CONNECTED TO THE
INTERNET IN THE FIRST PLACE.

They're simply not good enough.

It's like bringing a knife to a gunfight.  (nod to Mr. Connery)

2. The idea that you can run a program on a known-compromised OS and count
on that program to detect and/or remove the problem is fundamentally
flawed.  The only way to have much confidence in the former is to boot
from a known-UNcompromised OS and run it from there; the only way to
have some confidence in the latter is to wipe the drives and start over.
And there are still ways that both of these can fail (e.g., sufficiently
clever malware which hides from the first and manages to survive the
second by concealing itself in restored data).

Hitting the "scan and disinfect" button or whatever they call it this week
is well on its way to becoming a NOOP.

3. Banks, credit card companies, and numerous online merchants have
trained their users to be excellent phish victims by training them
to read their mail with a web browser.  Anyone who is serious about
stopping phishing will stop sending mail marked up with HTML.

4. Network operators need to be far more proactive about keeping Bad Stuff
from *leaving* their networks.  (After all, if it can be detected inbound
to X's network, then in most cases it can be detected outbound from Y's --
the exceptions being things like slow, highly distributed attacks which
originate nowhere and everywhere.)

5. I have no sympathy for anyone who still uses the IE and/or Outlook
malware-and-exploit-propagation-engines-disguised-as-applications.
Not that the alternatives are panaceas -- of course they're not -- but at
least they're a big step away from two of the primary compromise vectors.


I figure little, if anything, substantive will be done about 1-4, but
I have some hope that 5 is simple enough that sufficient repetition will
eventually have some effect.

---Rsk
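Point 3 of the post above is about HTML mail letting the visible text of a link say one thing while the href says another. The following is an added example, not code from Rich Kulawiec's post or from any product it mentions; the HTML mail body is constructed for the demonstration, and the hostnames in it are made-up documentation names. It pulls every anchor out of the message, flags anchors whose displayed text is a URL or hostname that does not match the real target, and renders the body the way a plain-text reader would, with the actual target printed beside each link.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample phishing mail body (not from the original post).
SAMPLE_HTML = """<html><body>
<p>Dear customer, please <a href="http://203.0.113.7/login">verify your account</a>.</p>
<p>Or visit <a href="http://bank.example.com.evil.invalid/">https://www.bank.example.com/</a></p>
<p>Help: <a href="https://www.bank.example.com/help">https://www.bank.example.com/help</a></p>
</body></html>"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


class PlainTextRenderer(HTMLParser):
    """Render the body as a plain-text client shows it: link target beside its text."""

    def __init__(self):
        super().__init__()
        self.out = []
        self._href = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
        elif tag in ("p", "br", "div"):
            self.out.append("\n")

    def handle_data(self, data):
        self.out.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.out.append(f" <{self._href}>")
            self._href = None


def extract_links(html):
    p = LinkCollector()
    p.feed(html)
    return p.links


def host_of(s):
    """Hostname of a URL; bare hostnames are accepted too."""
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def looks_like_url(text):
    # Heuristic: the displayed text is itself a URL or a dotted hostname.
    return "://" in text or ("." in text and " " not in text)


def suspicious_links(html):
    """Links whose visible text claims one host while the href goes elsewhere."""
    out = []
    for href, text in extract_links(html):
        if looks_like_url(text) and host_of(text) != host_of(href):
            out.append((text, href))
    return out


def to_plain_text(html):
    r = PlainTextRenderer()
    r.feed(html)
    return "".join(r.out).strip()


if __name__ == "__main__":
    for text, href in suspicious_links(SAMPLE_HTML):
        print(f"displayed {text!r} but points at {href!r}")
    print(to_plain_text(SAMPLE_HTML))
```

The mismatch check only catches the case the post describes, a displayed URL that disagrees with its target; the first link in the sample ("verify your account" pointing at a bare IP address) passes it, which is why the plain-text rendering is the more honest view: there the reader sees every real target regardless of what the anchor text says.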
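Point 4 argues that whatever an operator can detect inbound it can, in most cases, detect outbound as well. The following is an added example, not code from the post or from any NANOG participant; the operator's prefixes, the blocklist and the flow records are all constructed, and `check_flow`/`filter_flows` are names chosen here. It applies the same two rules at both edges: source-address validation (an outbound packet must carry one of our addresses, an inbound packet must not) and a single blocklist consulted for inbound sources and outbound destinations alike.

```python
import ipaddress
from collections import namedtuple

# Constructed: prefixes this operator announces. Nothing with another source should leave.
OUR_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]
# Constructed: a host learned from an inbound incident, e.g. a bot controller.
BLOCKLIST = {ipaddress.ip_address("203.0.113.66")}

# direction is "in" (entering our network) or "out" (leaving it).
Flow = namedtuple("Flow", "direction src dst dport")


def is_ours(addr):
    return any(addr in net for net in OUR_PREFIXES)


def check_flow(flow):
    """Return the reasons a flow should be dropped; each rule is applied in both directions."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    reasons = []
    # Source-address validation at both edges.
    if flow.direction == "out" and not is_ours(src):
        reasons.append("spoofed source leaving our network")
    if flow.direction == "in" and is_ours(src):
        reasons.append("external packet claims our source address")
    # The blocklist used to drop inbound traffic also stops hosts we own from reaching it.
    if flow.direction == "in" and src in BLOCKLIST:
        reasons.append("inbound from blocklisted host")
    if flow.direction == "out" and dst in BLOCKLIST:
        reasons.append("outbound to blocklisted host")
    return reasons


def filter_flows(flows):
    """Split flows into (passed, dropped); dropped entries carry their reasons."""
    passed, dropped = [], []
    for flow in flows:
        reasons = check_flow(flow)
        if reasons:
            dropped.append((flow, reasons))
        else:
            passed.append(flow)
    return passed, dropped


# Constructed flow records for the demonstration.
SAMPLE_FLOWS = [
    Flow("out", "192.0.2.10", "93.184.216.34", 443),    # ordinary web traffic
    Flow("out", "10.9.8.7", "93.184.216.34", 80),       # spoofed (private) source leaving
    Flow("out", "198.51.100.5", "203.0.113.66", 6667),  # infected host calling home
    Flow("in", "192.0.2.77", "192.0.2.10", 53),         # outsider spoofing our address space
    Flow("in", "203.0.113.66", "192.0.2.10", 22),       # blocklisted host coming in
]


if __name__ == "__main__":
    passed, dropped = filter_flows(SAMPLE_FLOWS)
    for flow, reasons in dropped:
        print(f"DROP {flow.direction:3} {flow.src} -> {flow.dst}: {'; '.join(reasons)}")
    print(f"{len(passed)} passed, {len(dropped)} dropped")
```

The symmetry is the point: the outbound rules are the inbound rules with the roles of source and destination swapped, so an operator that already filters inbound has everything needed to filter outbound. As the post notes, this does nothing for slow, highly distributed attacks, where no single flow looks wrong.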