Re: [Full-disclosure] what can be done with botnet C&C's? (fwd)
From: Dude VanWinkle (dudevanwinklegmail.com)
Date: Mon Aug 14 2006 - 14:55:02 CDT
On 8/14/06, Jonathan Glass (gm) <jonathan.glassgmail.com> wrote:
> Peter Besenbruch wrote:
> > I keep hitting reply, and not posting to the list.
> > -------- Original Message --------
> > Valdis.Kletnieksvt.edu wrote:
> >> On Sun, 13 Aug 2006 08:32:16 EDT, Dude VanWinkle said:
> >>> When I worked at a university, the students were always getting
> >>> compromised till we implemented sandboxing. People DHCP'ing into the
> >>> network were placed in a subnet by themselves till a scan revealed
> >>> that they had:
> >>> 1: up to date AV
> >>> 2: up to date patches
> >>> 3: a Functioning firewall
> >> OK, I'll bite - if you detect a functioning firewall, how do you scan for
> >> up to date patches and A/V? Seems like you'd have to have at least a stub
> >> client on the machine to answer the "What patchlevel you at?" query.
> > I would also like to know how Mac and Linux machines were differentiated
> > from the Windows machines. It can't just be on the basis of user agent,
> > Flash objects, Java, ActiveX? Was it a simple ban on everyone, unless
> > they ran a secured Windows system, and everyone else be damned (as
> > insecure)? Do you just give the users of alternate OSes a fixed IP?
> >> (And this is the sort of thing that is easy to force install in a corporate
> >> environment where you own the machine. It's also easy to do if you're a
> >> regular ISP, and you can get away with saying "If you don't like it, go to
> >> another ISP". It's a can of worms when you don't own the machine, and you're
> >> a de facto monopoly because the student lives in the dorms - a Hobson's
> >> choice "install this or don't get net access" doesn't make you many
> >> friends...)
> > Sandboxing suspicious activity might work better. If a student got
> > nailed a few times, the hassle of getting reconnected might force
> > changes in on-line behavior.
> As I understand it, the system Mr. VanWinkle mentioned is primarily
> aimed at finding the low-hanging fruit of unpatched/backdoor'd systems
> before letting them on the public (Residential) network. There is no
> good way of remotely testing for patches if the student has followed the
> recommended best practices and enabled their windows firewall with no
> exceptions allowed.
> A component of this system is the concept of a sandbox where a host is
> totally isolated from the rest of campus, and the other hosts in the
> sandbox. If the system has multiple issues, they get disabled and a
> school employee must visit them and verify the system is clean before
> they can be re-enabled.
> This fall, the students will be presented with the option of installing
> a host-based intrusion prevention and managed AV package to complement
> this scanning system.
> Other OSs get flagged as such (as well as Nessus + NMAP can determine)
> and the student moves on. The whole scanning/registering system takes <
> 5 minutes from start to finish (I don't know how long exactly...depends
> on how fast the student can click I guess).
Was anything ever done with passive vulnerability flagging? I seem to
remember that someone was looking into checking to see if the network
traffic generated by a service would be indicative of its patch level,
but I never heard anything after I left :-(
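The passive flagging asked about above (and the earlier objection that a host
with a working firewall cannot be actively scanned for patch level) is usually
done by reading the version strings that services announce on the wire. Below
is an added example of that approach; it is not code from the original thread,
nor from Nessus or nmap. The host addresses, the banner lines and the
"minimum acceptable version" table are all constructed for illustration, and
the table is a hypothetical site policy, not a vulnerability database. The
example also carries the caveat a practitioner needs: distribution builds
backport fixes without bumping the upstream version number, so an old-looking
banner from a vendor build is queued as "unverified" rather than quarantined.

```python
"""Passive patch-level flagging from observed service banners.

Added example, not code from the original thread. Hosts, banners and the
MIN_VERSIONS table below are constructed; MIN_VERSIONS is a hypothetical
site policy, not a vulnerability database.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed observations: (host IP, banner text seen on the wire).
SAMPLE_BANNERS: List[Tuple[str, str]] = [
    ("10.0.5.21", "SSH-2.0-OpenSSH_3.9p1"),
    ("10.0.5.22", "SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3"),
    ("10.0.5.23", "Server: Apache/2.0.55 (Win32)"),
    ("10.0.5.24", "Server: Apache/2.2.3"),
    ("10.0.5.25", "Server: Microsoft-IIS/6.0"),
    ("10.0.5.26", "220 mail.example.edu ESMTP Sendmail 8.13.8; Mon, 14 Aug 2006"),
]

# Hypothetical policy: lowest upstream version the site accepts per product.
MIN_VERSIONS: Dict[str, str] = {
    "OpenSSH": "4.3",
    "Apache": "2.2.0",
    "Sendmail": "8.13.8",
}

# Banner shapes this example knows how to read; anything else is "unknown".
BANNER_PATTERNS = [
    re.compile(r"^SSH-\d\.\d+-(?P<product>OpenSSH)_(?P<version>[0-9][\w.]*)"),
    re.compile(r"^Server:\s*(?P<product>Apache)/(?P<version>[0-9][\d.]*)"),
    re.compile(r"\bESMTP (?P<product>Sendmail) (?P<version>[0-9][\d.]*)"),
]

# Distribution tags that mark vendor-backported builds: the version string
# alone no longer tells you whether a given fix is present.
BACKPORT_TAGS = re.compile(r"\b(Debian|Ubuntu|FreeBSD|el\d|RedHat)\b", re.I)


def version_key(version: str) -> Tuple[int, ...]:
    """'4.3p2' -> (4, 3, 2); '2.0.55' -> (2, 0, 55). Compared tuple-wise."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def parse_banner(banner: str) -> Optional[Tuple[str, str]]:
    """Return (product, version) or None when no known pattern matches."""
    for pattern in BANNER_PATTERNS:
        m = pattern.search(banner)
        if m:
            return m.group("product"), m.group("version")
    return None


def classify(banner: str) -> Tuple[str, str]:
    """Classify one banner as ok / flag / unverified / unknown, with a reason."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "unknown", "no parser for this banner"
    product, version = parsed
    minimum = MIN_VERSIONS.get(product)
    if minimum is None:
        return "unknown", f"{product} not in policy"
    if version_key(version) >= version_key(minimum):
        return "ok", f"{product} {version} >= {minimum}"
    if BACKPORT_TAGS.search(banner):
        # Old upstream number but a distro build: the fix may be backported,
        # so do not quarantine on the banner alone; queue an active check.
        return "unverified", f"{product} {version} < {minimum}, vendor build"
    return "flag", f"{product} {version} < {minimum}"


def passive_scan(observations: List[Tuple[str, str]]) -> Dict[str, Tuple[str, str]]:
    """Map each observed host to its (status, reason)."""
    return {host: classify(banner) for host, banner in observations}


if __name__ == "__main__":
    for host, (status, why) in passive_scan(SAMPLE_BANNERS).items():
        print(f"{host:12} {status:10} {why}")
```

In the quarantine scheme described in the thread, only the "flag" results
would justify leaving a host in the sandbox; "unverified" and "unknown" hosts
still need the active Nessus/nmap pass or a client-side check, and a host
whose firewall drops everything inbound produces no banners at all, which is
exactly the gap the earlier reply pointed out.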
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/