Win2k Security Advice Archives: Re: Happy New Year / a little n

Re: Happy New Year / a little new yeasr rant - AntiVirus


Subject: Re: Happy New Year / a little new yeasr rant - AntiVirus
From: Poomba1 (poomba1POOMBA1.V-WAVE.COM)
Date: Sun Jan 02 2000 - 13:54:32 CST


 Since the beginning of this argument, the point that a lot of us have
been trying to make seems to get little respect.
 First, with the type of people in this list, whatever an AV product
includes in its list is a moot point for most of us, as we can easily get
around that issue. All of us have test boxes and do appreciate these tools
and use them in the proper environment.
 The previous post comparing the tools to a locksmith's tools is very
valid.
The internet has changed and this mentality that if it is on the NET it
must be available to anyone must change. Imagine a Locksmith not only
supplying the "master keys" to anyone but also taking the time to write out
specific detailed instructions on how to use them so even a 10 year old
could use them. The internet has changed; we must change as well. I can
speak for myself in addressing the issue that we have to protect in the
lowest common denominator and that means trying to lock down the best we
can. NAV properly configured in the Corporate environment is a great 1st
notice of attack, as it may not protect against a buffer overrun exploit but
it can stop some of the code after it as well as alert the sys admin staff
of the infraction, be it from floppy, Web or email.
Everything is a bonus and the argument that all these "tools" be left
untouched is unrealistic.
 The irony in these tools is how "easily" they can be launched unseen and
unknown to the end user, surprisingly suspicious if you ask me. As well,
products like pcAnywhere don't list all the exploits and ASM code, sometimes
even compiled with detailed instructions on how to use their product to gain
unauthorized access to a foreign machine.
 I haven't witnessed or heard of someone trying to launch an install of
pcAnywhere via an exploit. Nor do my port sensors see too many people trying
to attempt that type of connection. I do see a lot of Netbus or BO2K scans
though.
 I am really disappointed to see in the group the usual "the internet is
not part of society" rant and therefore feel that we need not apply any of
society's basic rules of conduct. The internet has changed from 10 years
ago; I think some of the people in this group should grow up and realize
this.

->-----Original Message-----
->From: Weld Pond [mailto:weldL0PHT.COM]
->Sent: Sunday, January 02, 2000 09:03
->To: win2ksecadviceLISTSERV.NTSECURITY.NET
->Subject: Re: Happy New Year / a little new yeasr rant - AntiVirus
->
->
->L0phtCrack was considered a virus only briefly (a few weeks) by Trend
->Micro, McAfee and Norton Antivirus. We have since contacted the companies
->and gotten them to correct this error.
->
->Trying to secure networks by keeping tools that can be harmful in the
->wrong hands away is a losing proposition. You need to secure your networks
->knowing that an attacker probably does have state of the art tools and
->full control of a client machine. Anything else is just wishing the
->problem away. There will always be a new "remote admin" tool that you
->won't detect or a new cracker that you won't detect. You need to patch
->known holes.
->
->Weak NT passwords are a known attack vector. Industry best practice is
->to enforce strong passwords and audit your passwords so you know they are
->uncrackable. This is solving the problem. Hoping to keep attack clients
->off your network is not really a good security approach.
->
->
->-weld
->
->
->On Sun, 2 Jan 2000, Daniel Docekal wrote:
->
->> Dear Steve,
->>
->> Antivirus companies are RIGHT when they assume that BO, BO2K, L0phtcrack
->> and many other "false tools" are considered as viruses. And I am VERY
->> happy they DO SO. Otherwise all of our networks will be subject of
->> permanent danger, security problems and open to anybody brainless and
->> wishing to make harm.
->>
->> Daniel
->>
->> > -----Original Message-----
->> > From: Steve [mailto:steveWIN2KSECADVICE.NET]
->> > Sent: Saturday, January 01, 2000 10:45 PM
->> > To: win2ksecadviceLISTSERV.NTSECURITY.NET
->> > Subject: Happy New Year / a little new yeasr rant - AntiVirus
->> >
->> >
->> > Why have the decision makers at Symantec added RFPPOISON.EXE to their
->> > virus signatures? According to Symantec, it is a Trojan. Why do the
->> > Anti-Virus vendors continually try to undermine and attack the work
->> > done by people such as R.F.P. or even L0pht for that matter (NAV also
->> > detects L0phtcrack)? What kind of message is the Anti-Virus community
->> > sending to the Security community when they list useful tools as
->> > Trojans? Does anyone else see anything wrong with this?
->> >
->> > Anyways, just something that I happened to notice last night as my NAV
->> > went crazy finding copies of BO, L0phtcrack, and RFPPOISON on my laptop
->> > I use for security testing.
->> >
->> > I hope you all have a great and prosperous year.
->> >
->> >
->> > Regards;
->> >
->> >
->> > Steve Manzuik
->> > Moderator
->> > Win2K Security Advice
->> > stevewin2ksecadvice.net
->> >
->> >
->> > _____________________________________________________________________
->> > ** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
->> > ** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
->> > SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net
->> >



This archive was generated by hypermail 2b27 : Sun Jan 02 2000 - 15:00:26 CST