[Dshield] Microsoft Security Update CD

Kenneth Coney superc at visuallink.com
Sat Mar 27 18:20:24 GMT 2004


No, I didn't get either, but I have to say the idea of MS distributing an 
AV software is funny.  I think based on their past performance I would be 
really reluctant to trust an MS product as a front line of defense.  I mean 
besides zillions of vulnerabilities and bugs in their released (before 
their time) products to date (with only half them patched), there is also 
the issue of their past performance as regards to spyware (i.e., Alexia, 
etc.), and their historically poor attitude towards security.  Hang on to 
that free CD.  If in a year or so's time they do release an upgrade patch 
it will probably require you to insert the genuine original CD in the drive 
before the update can occur.  Of course the update will also require 
Internet Explorer too.  And of course there will be vulnerability issues 
and bugs in that update which will require patches over and above the 
newest anti virus patches (which will probably take a back seat).


list-request at dshield.org wrote:

> Send list mailing list submissions to
> 	list at dshield.org
> 
> To subscribe or unsubscribe via the World Wide Web, visit
> 	http://www.dshield.org/mailman/listinfo/list
> or, via email, send a message with subject or body 'help' to
> 	list-request at dshield.org
> 
> You can reach the person managing the list at
> 	list-owner at dshield.org
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of list digest..."
> 
> 
> ------------------------------------------------------------------------
> 
> Today's Topics:
> 
>    1. whois packets (j.travis)
>    2. Re: Security in Layers (Doug White)
>    3. RE: Sudden Massive increase in DPT=137 (Lauro, John)
>    4. Re: Security in Layers (John Holmblad)
>    5. Standard Reporting (Pete Cap)
>    6. FYI: Port Reporter Tool (R Shady)
>    7. Double Edged Sword ? (Chuck Lewis)
>    8. Analysis of Witty Worm (Bjorn Stromberg)
>    9. Key Logger (Paul Marsh)
>   10. Re: Security in Layers (Chris Brenton)
>   11. Re: Security in Layers (John Hardin)
>   12. Re: whois packets (John Sage)
>   13. new 'infocon' logo (Johannes B. Ullrich)
>   14. Re: Security in Layers (John Holmblad)
>   15. Re: whois packets (Keith Bergen)
>   16. Re: Security in Layers (Tony Earnshaw)
>   17. Re: Standard Reporting (Tony Earnshaw)
>   18. Re: Analysis of Witty Worm (Mrcorp)
>   19. Re: Security in Layers (Tony Earnshaw)
>   20. Re: Security in Layers (John Holmblad)
>   21. Followup Re CIS Scoring Tool (John Holmblad)
>   22. Re: Security in Layers (John Holmblad)
>   23. Microsoft Security Update CD (John Holmblad)
>   24. Re: Security in Layers (Johannes B. Ullrich)
> 
> 
> ------------------------------------------------------------------------
> 
> Subject:
> [Dshield] whois packets
> From:
> "j.travis" <skynet at psinode.com>
> Date:
> Thu, 25 Mar 2004 14:00:13 -0800
> To:
> <list at dshield.org>
> 
> 
> I need to be able to run a 'whois' script from the command line and also
> from a web form.  So I am planning to specify 3 or 4 of the main whois
> servers to use and only allow tcp port 43 connections to those servers.
> Just wondering if anyone has any tips along these lines for running
> whois scripts?
> 
> I have also seen people trying to enter automated, malicious stuff into
> the whois web-form but that is kind of a separate issue...
> 
> 
> 
> 
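A worked example for the whois wrapper described above. This is added here and is not code from the poster or from any project on the page: it assumes a small allowlist of whois servers (the names below are illustrative; substitute the 3 or 4 you actually permit at the firewall), validates the query before any socket is opened so the web form cannot inject a second query or shell metacharacters, talks RFC 3912 whois over tcp/43 only, and caps the reply size and connection time.

```python
import re
import socket

# Allowlist of whois servers the wrapper may contact (assumed set for this
# example; the firewall rule permitting tcp/43 should list the same hosts).
WHOIS_SERVERS = frozenset({
    "whois.arin.net",
    "whois.ripe.net",
    "whois.internic.net",
})
WHOIS_PORT = 43

# A query is either a hostname or a dotted IPv4 address. Everything else from
# the web form (shell metacharacters, CR/LF, spaces, overlong strings) is
# rejected before any socket is opened, so the form cannot be used to append
# a second query or to drive a shell if the script is ever wrapped in one.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)
_IPV4_RE = re.compile(
    r"^(?:(?:25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])\.){3}"
    r"(?:25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])$"
)


def validate_query(raw: str) -> str:
    """Return the normalised query or raise ValueError if it is not safe."""
    query = raw.strip().lower()
    if _HOSTNAME_RE.match(query) or _IPV4_RE.match(query):
        return query
    raise ValueError("refusing query: not a hostname or IPv4 address")


def is_valid_query(raw: str) -> bool:
    try:
        validate_query(raw)
        return True
    except ValueError:
        return False


def is_allowed_server(server: str) -> bool:
    """Only servers on the allowlist may be contacted, whatever the form says."""
    return server in WHOIS_SERVERS


def whois_lookup(raw_query: str, server: str, timeout: float = 10.0,
                 max_bytes: int = 64 * 1024) -> str:
    """Send one whois query (RFC 3912: query text + CRLF over TCP/43) and
    return the reply, capped at max_bytes so a hostile or broken server
    cannot make the web form hang or exhaust memory."""
    query = validate_query(raw_query)
    if not is_allowed_server(server):
        raise ValueError("refusing server: not on the allowlist")
    chunks, received = [], 0
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        while received < max_bytes:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
            received += len(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


if __name__ == "__main__":
    import sys
    # Command-line use: whois_wrapper.py <query> [server]
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    host = sys.argv[2] if len(sys.argv) > 2 else "whois.internic.net"
    print(whois_lookup(target, host))
```

The same validate_query() and is_allowed_server() calls sit in front of the web form handler, so both entry points share one policy; the network call itself never sees an unvalidated string.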
> ------------------------------------------------------------------------
> 
> Subject:
> Re: [Dshield] Security in Layers
> From:
> "Doug White" <doug at clickdoug.com>
> Date:
> Thu, 25 Mar 2004 16:32:27 -0600
> To:
> "General DShield Discussion List" <list at dshield.org>
> 
> 
> :
> : Would be interesting to know what Microsoft people contribute actively
> : to SANS/GIAC. I'd guess at infinitely many (0/1). I suppose the reason
> : would be, that SANS/GIAC is there for the community. Which Microsoft is
> : not: Microsoft is there for Microsoft and to make money, whatever the
> : bloody community might profit from anything whatsoever. Nah, I'm not
> : /anti/-Microsoft as such, purely /for/ the community. Being both would
> : be an anachronism, an oxymoron and against my religious beliefs ("heaven
> : is a cat lying on your head, your head on the pillow, purring while
> : you're trying to get some sleep").
> :
> 
> 
> I watched a Microsoft Webinar on "Security" this morning, and aside from two
> speakers talking a mile a minute, and generally in conflict with each other, I
> got the impression that the good folks at MS have just learned how to pronounce
> "security" and are still learning how to spell it.   This seems to be a long way
> from actually doing anything about it.
> 
> 
> ======================================
> Stop spam on your domain, Anti-spam solutions
> http://www.clickdoug.com/mailfilter.cfm
> For hosting solutions http://www.clickdoug.com
> ======================================
> If you woke up breathing, congratulations! You have been given another chance!
> 
> 
> 
> 
> 
> ------------------------------------------------------------------------
> 
> Subject:
> RE: [Dshield] Sudden Massive increase in DPT=137
> From:
> "Lauro, John" <jlauro at umflint.edu>
> Date:
> Thu, 25 Mar 2004 17:34:54 -0500
> To:
> "General DShield Discussion List" <list at dshield.org>
> 
> 
> I am just running iptables on a 2.4.something kernel.  I have the logs
> going to /dev/shm so that I can keep up, and cron rotates it once a
> minute and keeps a count that is averaged every 5 minutes into mrtg,
> etc...  We have a class B (65K addresses) network.  I also run argus
> on the same box to keep a more long term log, but that doesn't
> generate near the load that the logs from iptables generate...  There
> is a very noticeable JUMP in dropped packets this morning, which caused
> me to investigate a little...
> 
> To generate the top ports, or how many sources, etc...  I just run
> against the last 1 minute file a few awk ... | sort | uniq | wc -l
> script, or an awk ... | sort | uniq -c | sort -n | tail to get the top
> talkers, etc...  Along with a fgrep DPT=137 or whatever else is
> needed.
> 
> The rate actually picked up to over 12M packets/hour of DPT=137 to us,
> but started declining (a little) an hour ago (at 4AM), and now is closer
> to 10M packets/hour.  Most of the sources are different than what I
> was seeing earlier in the day, but about 10% showed up in both 1
> minute samples.  The last time I saw this much bad traffic sustained
> for this long was from a new worm.  Of course with UDP, the source IPs
> could be easily spoofed, and maybe they are largely from the same /8,
> but LEN=58 on all the packets so that seems unlikely to be useful for
> spoofed packets.
> 
> 
> 
>>-----Original Message-----
>>From: list-bounces at dshield.org 
>>[mailto:list-bounces at dshield.org] On Behalf Of Tony Earnshaw
>>Sent: Thursday, March 25, 2004 2:21 PM
>>To: General DShield Discussion List
>>Subject: Re: [Dshield] Sudden Massive increase in DPT=137
>>
>>
>>tor, 25.03.2004 kl. 15.47 skrev Lauro, John:
>>
>>
>>>Is there a new virus/worm?
>>> 
>>>I've just seen a massive increase in traffic SPT=137, DPT=137, 
>>>prot=UDP starting around 8AM.
>>> 
>>>We are blocking an extra 8 million packets an hour right 
>>
>>now (varies, 
>>
>>>but probably about 5X normal), and it's been going on for 
>>
>>almost two 
>>
>>>hours now.
>>> 
>>>A fair amount of of sources.  About 500 in a 1 minute 
>>
>>sample, but also 
>>
>>>lots of packets from each source...  I'll hold onto a one minute 
>>>sample and compare later to see if it's the same or different 
>>>sources....
>>
>>It wouldn't ever hurt to learn what software/hardware 
>>"discovered" this. For my part I'm not experiencing this, but 
>>can't compare :( I'm running iptables on kernel 2.6.4 (Linux, 
>>of course) and am only connected sporadically to the Internet.
>>
>>--Tonni
>>
>>-- 
>>
>>mail: billy - at - billy.demon.nl
>>http://www.billy.demon.nl
>>
>>_______________________________________________
>>list mailing list
>>list at dshield.org
>>To change your subscription options (or unsubscribe), see: 
>>http://www.dshield.org/mailman/listinfo/list
>>
> 
> 
> 
> 
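A worked example of the one-minute log analysis John describes above (top ports, top talkers, overlap between two samples, packet-size and /8 distribution). It is added here and is not John's script: the awk | sort | uniq -c pipeline is replaced by a small Python parser, and the two one-minute windows below are constructed sample lines in iptables LOG format, not real traffic from his network.

```python
import re
from collections import Counter

# Constructed sample iptables LOG lines (not real traffic): two one-minute
# windows in the format a "-j LOG --log-prefix 'DROP '" rule writes to the
# kernel log. UDP/TCP lines carry LEN= twice (IP total length, then transport
# length); "LEN=58" in the thread is the first one.
MINUTE_1 = """\
Mar 25 08:00:01 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=58 TOS=0x00 PREC=0x00 TTL=115 ID=1 PROTO=UDP SPT=137 DPT=137 LEN=38
Mar 25 08:00:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.8 LEN=58 TOS=0x00 PREC=0x00 TTL=115 ID=2 PROTO=UDP SPT=137 DPT=137 LEN=38
Mar 25 08:00:03 fw kernel: DROP IN=eth0 OUT= SRC=198.18.0.9 DST=198.51.100.9 LEN=58 TOS=0x00 PREC=0x00 TTL=108 ID=3 PROTO=UDP SPT=137 DPT=137 LEN=38
Mar 25 08:00:05 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.10 LEN=58 TOS=0x00 PREC=0x00 TTL=120 ID=4 PROTO=UDP SPT=137 DPT=137 LEN=38
Mar 25 08:00:07 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.11 LEN=58 TOS=0x00 PREC=0x00 TTL=116 ID=5 PROTO=UDP SPT=137 DPT=137 LEN=38
Mar 25 08:00:09 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.12 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=6 DF PROTO=TCP SPT=3344 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
"""
MINUTE_2 = """\
Mar 25 08:01:00 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.13 LEN=58 TOS=0x00 PREC=0x00 TTL=115 ID=7 PROTO=UDP SPT=137 DPT=137 LEN=38
Mar 25 08:01:02 fw kernel: DROP IN=eth0 OUT= SRC=198.18.5.23 DST=198.51.100.14 LEN=58 TOS=0x00 PREC=0x00 TTL=110 ID=8 PROTO=UDP SPT=137 DPT=137 LEN=38
Mar 25 08:01:04 fw kernel: DROP IN=eth0 OUT= SRC=198.18.5.23 DST=198.51.100.15 LEN=58 TOS=0x00 PREC=0x00 TTL=110 ID=9 PROTO=UDP SPT=137 DPT=137 LEN=38
Mar 25 08:01:06 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.200 DST=198.51.100.16 LEN=58 TOS=0x00 PREC=0x00 TTL=117 ID=10 PROTO=UDP SPT=137 DPT=137 LEN=38
Mar 25 08:01:08 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.8 DST=198.51.100.17 LEN=58 TOS=0x00 PREC=0x00 TTL=121 ID=11 PROTO=UDP SPT=137 DPT=137 LEN=38
"""

_KV = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return the KEY=value fields of one LOG line, or None if it is not one."""
    fields = {}
    for key, value in _KV.findall(line):
        fields.setdefault(key, value)   # keep the first LEN=, the IP length
    if "SRC" not in fields or "DPT" not in fields:
        return None
    return fields


def records(text, dport=None):
    """Parsed lines, optionally filtered to one destination port (the fgrep DPT=137 step)."""
    out = []
    for line in text.splitlines():
        f = parse_line(line)
        if f and (dport is None or f["DPT"] == str(dport)):
            out.append(f)
    return out


def top_ports(text, n=5):
    """(PROTO, DPT) pairs by count: the sort | uniq -c | sort -n | tail step."""
    return Counter((f.get("PROTO"), f["DPT"]) for f in records(text)).most_common(n)


def top_talkers(text, dport, n=5):
    return Counter(f["SRC"] for f in records(text, dport)).most_common(n)


def sources_by_prefix(text, dport, octets=1):
    """Distinct sources grouped by leading octets (octets=1 is a /8), to see
    whether the flood is clustered in one block as the thread wonders."""
    sources = {f["SRC"] for f in records(text, dport)}
    return Counter(".".join(src.split(".")[:octets]) for src in sources)


def length_distribution(text, dport):
    """IP packet lengths seen for the port; a single constant value (LEN=58) is
    the kind of uniformity John points at when weighing the spoofing theory."""
    return Counter(f["LEN"] for f in records(text, dport))


def source_overlap(text_a, text_b, dport):
    """How many of window A's distinct sources reappear in window B, as a count
    and as a fraction of A; persistent sources argue against spoofed addresses."""
    a = {f["SRC"] for f in records(text_a, dport)}
    b = {f["SRC"] for f in records(text_b, dport)}
    common = a & b
    return len(common), (len(common) / len(a) if a else 0.0)


if __name__ == "__main__":
    print("top ports:", top_ports(MINUTE_1))
    print("top talkers to 137:", top_talkers(MINUTE_1, 137))
    print("sources per /8:", sources_by_prefix(MINUTE_1, 137))
    print("IP lengths:", length_distribution(MINUTE_1, 137))
    print("overlap minute1->minute2:", source_overlap(MINUTE_1, MINUTE_2, 137))
```

Run it against each rotated one-minute file instead of the embedded samples to reproduce the counts John quotes; the overlap fraction between two samples is the figure to watch over time, since a flood of spoofed UDP sources should show close to zero repeat sources.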
> ------------------------------------------------------------------------
> 
> Subject:
> Re: [Dshield] Security in Layers
> From:
> John Holmblad <jholmblad at aol.com>
> Date:
> Thu, 25 Mar 2004 18:21:46 -0500
> To:
> General DShield Discussion List <list at dshield.org>
> 
> 
> Tonni/John,
> 
> I suspect that you will find,  as I have among the infosec informed at 
> Microsoft, a wide range of opinions on INFOSEC best practices. Most of 
> these opinions, from what I can tell are in reasonably close alignment 
> with SANS thinking but there are others which vary from SANS views. I 
> know from a conversation that I had with Jesper Johanssen a few months 
> ago when I asked for his thoughts on the CIS scoring tool that he has 
> reservations about attempts to provide such quantitative scores. I 
> disagree with his opinion and having myself gone through the SANS W2K 
> training on that tool I am completely sold on the tool's value and 
> utility and I hope that the CIS gets additional financial resources to 
> continue its mission of developing quantitative measures and measurement 
> systems pertaining to the security of IT systems. From a speech several 
> months ago that Alan Paller, research director at SANS gave to a US 
> government audience I got the clear sense that he also believes it is 
> high time to develop more such quantitative and objective measures of 
> security  than those which are currently available. Whether this 
> translates into more funding for groups like the CIS I don't know but I 
> hope so because I think such orgs have an important role to play in the 
> INFOSEC community.
> 
> 
> I should add that other industry voices have expressed concern about the 
> complexity of managing an IDS environment so in that sense Jesper 
> Johanssen is not a lone voice although he may be in the minority.  
> Recall the following ruckus from last summer (now old news) after 
> Gartner's declaration of the death of IDS:
> 
>    
> http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci905961,00.html 
> 
> 
> In fact for small and medium enterprises, an outsourced monitoring 
> solution (e.g. Counterpane - www.counterpane.com) might be more cost 
> effective than having inhouse IDS/IPS expertise and systems.
> 
> 
> ------------------------------------------------------------------------
> 
> Subject:
> [Dshield] Standard Reporting
> From:
> Pete Cap <peteoutside at yahoo.com>
> Date:
> Thu, 25 Mar 2004 18:36:39 -0800 (PST)
> To:
> General DShield Discussion List <list at dshield.org>
> 
> 
> Greetings, List:
> 
> In the interests of brevity, and getting replies and
> analysis done a lot sooner, might it not be a good
> idea to standardize the way in which people alert the
> list to (possibly) malicious activity?
> 
> I just want to avoid, if possible, the following:
> 
> User1: I'm seeing weird traffic, anyone else getting
> this?
> User2: What port?
> User1: xxx.
> User2: Is that tcp? or UDP?
> User3: What IDS solution recorded the data?
> User2: And can we please see some records?
> User1: Here you go.
> User4: Ok, can we get packet captures now?
> 
> etc. ad nauseam.
> 
> I have a basic idea but I'm open to suggestions...
> 
> Regards,
> Pete
> 
> __________________________________
> Do you Yahoo!?
> Yahoo! Finance Tax Center - File online. File on time.
> http://taxes.yahoo.com/filing.html
> 
> 
> 
> 
> ------------------------------------------------------------------------
> 
> Subject:
> [Dshield] FYI: Port Reporter Tool
> From:
> R Shady <RShady at stny.rr.com>
> Date:
> Fri, 26 Mar 2004 06:00:27 -0500
> To:
> Dshield <List at dshield.org>
> 
> 
> Microsoft came out with a free Port Reporter Tool
> for Win2k, WinXP Pro, Win2003:
> KB Article 837243:
> 
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;837243#appliesto
> 
> 
> 
> ------------------------------------------------------------------------
> 
> Subject:
> [Dshield] Double Edged Sword ?
> From:
> "Chuck Lewis" <clewis at iquest.net>
> Date:
> Fri, 26 Mar 2004 07:52:51 -0500
> To:
> "General DShield Discussion List" <list at dshield.org>
> 
> 
> Good Morning Folks and Happy Friday ?
> 
> I had a thought this morning (that happens from time to time...). We have preached and preached for years for users to be wary of email with attachments from someone they didn't know, weren't expecting even if it is from someone they know, etc. But for the most part this was a pre-warning and most users never really saw/got these emails.
> 
> So with all of the Bagle, MyDoom, Netsky, etc. stuff that has been flying the last two weeks or so, I think that has done more to educate users than anything we have done to date.
> 
> We are a smaller company (around 250 folks) and the PC knowledge is all over the place with most folks in the "newbie" class, believe it or not. I sent out a general message warning everyone about these when they FIRST hit so folks would be aware at work AND at home (since not all of our users have PC's at work but do have one at home). We have had NO problem with these things.
> 
> Sometimes "seeing is believing" ?
> 
> JMHO,
> 
> Chuck
> 
> 
> 
> 
> ------------------------------------------------------------------------
> 
> Subject:
> [Dshield] Analysis of Witty Worm
> From:
> "Bjorn Stromberg" <bjorn at thechemistrylab.com>
> Date:
> Fri, 26 Mar 2004 09:34:18 -0700
> To:
> <list at dshield.org>
> 
> 
> An excellent dissection of the Witty Worm by CAIDA. Of special note is the
> realization that "The patch model for Internet security has failed
> spectacularly." Of course some have been saying this for years, but Witty
> makes the case exceptionally well.
> 
> http://www.caida.org/analysis/security/witty/
> 
> Bjorn Stromberg
> ::this is not a sig::
> 
> 
> 
> 
> ------------------------------------------------------------------------
> 
> Subject:
> [Dshield] Key Logger
> From:
> "Paul Marsh" <pmarsh at nmefdn.org>
> Date:
> Fri, 26 Mar 2004 11:49:28 -0500
> To:
> "General DShield Discussion List" <list at dshield.org>
> 
> 
> http://informationweek.securitypipeline.com/news/18401740
> 
> 
> 
> 
> ------------------------------------------------------------------------
> 
> Subject:
> Re: [Dshield] Security in Layers
> From:
> Chris Brenton <cbrenton at chrisbrenton.org>
> Date:
> Fri, 26 Mar 2004 14:47:23 -0500
> To:
> General DShield Discussion List <list at dshield.org>
> 
> 
> On Thu, 2004-03-25 at 18:21, John Holmblad wrote:
> 
>>Most of 
>>these opinions, from what I can tell are in reasonably close alignment 
>>with SANS thinking but there are others of which vary from SANS views.
> 
> 
> I think you need to look at these tools as "starting point" and not an
> absolute authority on black and white. If you don't even know where to
> begin, these tools help you get started in the right direction. Once you
> get your feet under you however, you should modify them as appropriate
> for your environment. 
> 
> 
>>I 
>>know from a conversation that I had with Jesper Johanssen a few months 
>>ago when I asked for his thoughts on the CIS scoring tool that he has 
>>reservations about attempts to provide such quantitative scores.
> 
> 
> I think Jesper's concern, and one shared by many in the field, is that
> the uninformed will look at the grading the same way many view a pretty
> GUI. The thought process is "let me just click my way through to a
> secure environment and I should not have to learn what's actually taking
> place under the hood". Obviously there are problems with this line of
> thinking when addressing the complexities of security. A pretty GUI can
> never replace a properly educated security analyst. 
> 
> Personally, I think they are a great starting point. I think the point
> system is somewhat arbitrary in that each item will actually have a
> different weight depending on the environment (however good luck
> building that variable into the system), but at least it shows the
> security person behind the console what they need to think about. Of
> course the key is to get them thinking, not necessarily reacting blindly
> to a pre-determined point system. 
> 
> We seem to keep hoping that we can make security as easy as driving a
> car. Sooner or later we'll learn that it's more like flying a plane; it
> is not going to happen without proper training.
> 
> 
>>From a speech several 
>>months ago that Alan Paller, research director at SANS gave to a US 
>>government audience I got the clear sense that he also believes it is 
>>high time to develop more such quantitative and objective measures of 
>>security  than those which are currently available.
> 
> 
> The problem is metrics. Let me give just one example:
> 
> The Router Auditing Tool (RAT) is probably one of the best CIS tools
> that have been created. It does an excellent job of flagging config
> problems with a Cisco router. One of the items it looks for is "no ip
> direct-broadcast", or disabling the mapping of layer 3 broadcasts to
> layer 2. The RFC's state that this should be disabled on any router
> interface facing a network with more than 2 IP addresses (in other
> words, any subnet mask besides a /30). This is to help prevent turning
> your network into a Smurf amplifier.
> 
> Now, if we are talking an exposed ISP backbone I totally concur. If we
> are talking a network that is sitting behind a proper perimeter that is
> using tools like the HP JetDirect software or SNMP monitoring tools.
> Well, disabling this option will break all of these tools. You've just
> killed your ability to monitor devices in the interest of security.
> 
> So direct-broadcast is obviously something you need to give some thought
> to if RAT flags it, but at the same time you don't want to just do it
> without understanding the impact it will have on your network.
> 
> Now, when it comes to trying to create an across the board scoring
> system, do you score negative points against this network for leaving
> direct-broadcast enabled? Do you force them to break their tools in an
> attempt to meet a general standard, even if they have mitigated the
> actual problem through other means (like blocking all broadcasts
> originating from the Internet at the firewall)? Do you give them an
> exemption, in which case you've now just created a loophole that someone
> else who does actually have a problem may be able to sneak through? 
> 
> I think you can see where I'm going with this. It's possible to create
> this kind of an argument for just about any security line item. This
> makes it pretty much impossible to develop a single canned tool that
> reports appropriately in every single environment. The key is educating
> the person behind the tool. 
> 
> 
>>I should add that other industry voices have expressed concern about the 
>>complexity of managing an IDS environment so in that sense Jesper 
>>Johanssen is not a lone voice although he may be in the minority. 
> 
> 
> This is another thing that I think these tools help to address, the "oh
> security is just too hard so I'll just do nothing" attitude.
> 
> 
>>Recall the following ruckus from last summer (now old news) after 
>>Gartner's declaration of the death of IDS:
> 
> 
> I think the problem is many people want a "cure all" that takes care of
> all security issues. When IDS did not fit the bill, people like Gartner
> jumped on the "IDS sucks" bandwagon. IDS is a tool, just like any other
> you would use to secure your perimeter. It has its strengths and
> weaknesses, just like everything else. The idea of defense in-depth is
> to leverage its strengths and augment its weaknesses with some other
> tool. That, or make an informed decision to accept the additional risk.
> 
> Great thread!
> Chris
> 
> 
> 
> 
> 
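A worked example of the directed-broadcast check Chris uses to make his point, added here as illustration; it is not the CIS RAT and not Chris's code. The IOS keyword is `ip directed-broadcast`; the sample configuration is constructed for the example and covers the cases he raises: a /30 uplink, an internal /24 that relies on directed broadcasts for printer/SNMP discovery, a VLAN with the feature disabled, and a /24 that says nothing (which on IOS 12.0 and later means disabled; the default_enabled flag is how the check records that assumption). The accepted_risk mapping is the example's way of recording the "mitigated by other means" exemption Chris describes, so it is written down rather than silently scored as a pass.

```python
import ipaddress

# Constructed sample IOS configuration (not from the thread or any real router).
SAMPLE_CONFIG = """\
!
interface FastEthernet0/0
 description Internet uplink
 ip address 198.51.100.2 255.255.255.252
!
interface FastEthernet0/1
 description Internal LAN, printer discovery needs directed broadcast
 ip address 10.1.0.1 255.255.255.0
 ip directed-broadcast
!
interface Vlan10
 ip address 10.2.0.1 255.255.255.0
 no ip directed-broadcast
!
interface GigabitEthernet0/2
 ip address 10.3.0.1 255.255.255.0
!
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 ip directed-broadcast
!
"""


def parse_interfaces(config_text):
    """Map interface name -> prefix length and directed-broadcast setting
    (True/False when stated explicitly, None when the config is silent)."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"prefixlen": None, "directed_broadcast": None}
            continue
        if current is None or not line.startswith(" "):
            current = None          # "!" or a global command ends the block
            continue
        cmd = line.strip()
        if cmd.startswith("ip address ") and len(cmd.split()) >= 4:
            _, _, addr, mask = cmd.split()[:4]
            net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
            interfaces[current]["prefixlen"] = net.prefixlen
        elif cmd == "no ip directed-broadcast":
            interfaces[current]["directed_broadcast"] = False
        elif cmd.startswith("ip directed-broadcast"):
            interfaces[current]["directed_broadcast"] = True
    return interfaces


def check_directed_broadcast(interfaces, default_enabled=False, accepted_risk=None):
    """RAT-style rule: directed broadcast must be off on any interface facing
    more than a point-to-point (/30 or longer) network. default_enabled says
    what a silent interface means: False assumes IOS 12.0+ (off by default),
    True models older IOS. accepted_risk maps interface name -> written
    justification for a compensating control (e.g. broadcasts from the
    Internet dropped at the firewall); such interfaces are reported as
    'accepted', not 'pass', so the exception stays visible in the output."""
    accepted_risk = accepted_risk or {}
    findings = []
    for name, info in interfaces.items():
        enabled = info["directed_broadcast"]
        if enabled is None:
            enabled = default_enabled
        plen = info["prefixlen"]
        if plen is None:
            status, reason = "n/a", "no IPv4 address configured"
        elif not enabled:
            status, reason = "pass", "directed broadcast disabled"
        elif plen >= 30:
            status, reason = "pass", f"/{plen} link carries at most two hosts"
        elif name in accepted_risk:
            status, reason = "accepted", accepted_risk[name]
        else:
            status, reason = "fail", f"enabled on a /{plen} segment (Smurf amplifier)"
        findings.append({"interface": name, "prefixlen": plen,
                         "status": status, "reason": reason})
    return findings


def score(findings):
    """Count of hard failures; accepted exceptions are listed, not scored."""
    return sum(1 for f in findings if f["status"] == "fail")


if __name__ == "__main__":
    for f in check_directed_broadcast(parse_interfaces(SAMPLE_CONFIG)):
        print(f"{f['interface']:<22} {f['status']:<9} {f['reason']}")
```

The point of the accepted_risk argument is exactly the dilemma Chris raises: the same /24 scores as a failure for an exposed network and as a documented exception for one whose firewall already drops Internet-sourced broadcasts, and the justification string is the audit trail that stops the exemption becoming a loophole.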
> ------------------------------------------------------------------------
> 
> Subject:
> Re: [Dshield] Security in Layers
> From:
> John Hardin <johnh at aproposretail.com>
> Date:
> Fri, 26 Mar 2004 09:50:52 -0800
> To:
> General DShield Discussion List <list at dshield.org>
> 
> 
> On Thu, 2004-03-25 at 15:21, John Holmblad wrote:
> 
>>I asked for his thoughts on the CIS scoring tool 
> 
> 
> Can you post a reference for this tool? Thanks.
> 
> --
> John Hardin  KA7OHZ                           
> Internal Systems Administrator/Guru               voice: (425) 672-1304
> Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
> -----------------------------------------------------------------------
>   Failure to plan ahead on someone else's part does not constitute an
>   emergency on my part.
>                                   - David W. Barts in a.s.r
> -----------------------------------------------------------------------
>  10 days until Daylight Savings Time begins - Spring Forward
> 
> 
> 
> 
> ------------------------------------------------------------------------
> 
> Subject:
> Re: [Dshield] whois packets
> From:
> John Sage <jsage at finchhaven.com>
> Date:
> Fri, 26 Mar 2004 09:36:43 -0800
> To:
> General DShield Discussion List <list at dshield.org>
> 
> 
> On Thu, Mar 25, 2004 at 02:00:13PM -0800, j.travis wrote:
> 
>>From: "j.travis" <skynet at psinode.com>
>>To: <list at dshield.org>
>>Date: Thu, 25 Mar 2004 14:00:13 -0800
>>Subject: [Dshield] whois packets
>>
>>I need to be able to run a 'whois' script from the command line and
>>also from a web form.  So I am planning to specify 3 or 4 of the
>>main whois servers to use and only allow tcp port 43 connections to
>>those servers.  Just wondering if anyone has any tips along these
>>lines for running whois scripts?
> 
> 
> You don't specify what OS platform your command line is running on.
> 
> You might check out:
> 
> http://whois.bw.org/
> 
> 
> "Self-detecting CGI support
> 
> Simple command-line use 
> 
> Prevents data harvesting with multiple security features for web use
> 
> Optional result caching with an SQL database 
> 
> Support for available/not available results 
> 
> Fully customizable HTML output 
> 
> Support for Apache-style SSI (server-side includes) 
> 
> External TLD table for support of ALL top-level domains 
> 
> Fully configurable disclaimer stripping 
> 
> Automatic support for netblocks 
> 
> Unpacks packed (single-integer) IP addresses"
> 
> 
> 
> - John
> 
> 
> ------------------------------------------------------------------------
> 
> Subject:
> [Dshield] new 'infocon' logo
> From:
> "Johannes B. Ullrich" <jullrich at sans.org>
> Date:
> Fri, 26 Mar 2004 14:57:12 -0500
> To:
> list at dshield.org
> 
> 
> The feedback for our new infocon logo wasn't all that great,
> so I set up a page with a couple alternatives, and am looking
> for feedback:
> 
> current new logo: http://isc.sans.org/infocon.html
> 
> alternatives: http://isc.sans.org/images/infocon_poll.gif
> 
> please send feedback off-list
> 
> (alternative designs are welcome as well. contact me for
> details regarding constraints)
> 
> 
> 
> ------------------------------------------------------------------------
> 
> Subject:
> Re: [Dshield] Security in Layers
> From:
> John Holmblad <jholmblad at aol.com>
> Date:
> Fri, 26 Mar 2004 15:26:12 -0500
> To:
> General DShield Discussion List <list at dshield.org>
> 
> 
> John,
> 
> here is the URL for the Center for Internet Security www site:
> 
>    http://www.cisecurity.org/
> 
> you will find the references there to the scoring tools.
> 
> ------------------------------------------------------------------------
> 
> Subject:
> Re: [Dshield] whois packets
> From:
> Keith Bergen <keith at keithbergen.com>
> Date:
> Fri, 26 Mar 2004 15:51:51 -0500
> To:
> General DShield Discussion List <list at dshield.org>
> 
> 
> You may want to look at http://whois.bw.org/ I think they 
> already do a lot of this (not sure about the command line).
> 
> ---- Original message ----
> 
>>Date: Thu, 25 Mar 2004 14:00:13 -0800
>>From: "j.travis" <skynet at psinode.com>  
>>Subject: [Dshield] whois packets  
>>To: <list at dshield.org>
>>
>>I need to be able to run a 'whois' script from the command line and also
>>from a web form.  So I am planning to specify 3 or 4 of the main whois
>>servers to use and only allow tcp port 43 connections to those servers.
>>Just wondering if anyone has any tips along these lines for running
>>whois scripts?
>>
>>I have also seen people trying to enter automated, malicious stuff into
>>the whois web-form but that is kind of a separate issue...
> 
> 
> 
> 
> ------------------------------------------------------------------------
> 
> Subject:
> Re: [Dshield] Security in Layers
> From:
> Tony Earnshaw <tonye at billy.demon.nl>
> Date:
> Fri, 26 Mar 2004 20:58:51 +0100
> To:
> General DShield Discussion List <list at dshield.org>
> 
> 
> tor, 25.03.2004 kl. 23.32 skrev Doug White:
> 
> 
>>I watched a Microsoft Webinar on "Security" this morning, and aside from two
>>speakers talking a mile a minute, and generally in conflict with each other, I
>>got the impression that the good folks at MS have just learned how to pronounce
>>"security" and are still learning how to spell it.   This seems to be a long way
>>from actually doing anything about it.
> 
> 
> Funnily enough, I'm now, at last, beginning to earn money on the above.
> It's taken a while, but it's now becoming apparent - hard cash.
> 
> This machine, a Compaq el Cheapo notebook (that I'm writing this with
> now) is dual-boot RedHat Enterprise Server 3 (RHEL3) and original XP
> Prof. I checked yesterday with CIS-Win.exe and I'd have to have
> something like 30 patches/SPs to make it safe. But, the first SP breaks
> the Compaq drivers and renders boot impossible. The RHEL3 bit is a
> simple upgrade from RedHat 7.2 and everything works, still.
> 
> Things have to be made easy for people. There are millions of cracked
> Windows machines out there, spewing poison. Guess what has my vote.
> 
> It'll take a long while yet before home users will opt for Linux (no,
> there's no real other choice - it's all to do with available software
> and critical mass, e.g. marketing). But bottom line: between March 2002
> and  March 2004, I'm beginning to make money, because the Windows market
> in Holland (e.g. .nl TLDs) is fed up with lies "we promise it will get
> better, if you'll only buy - errr sorry, lease, for ever and ever the
> next version".
> 
> I used to be a 100% Microsoft and Windows person.
> 
> --Tonni
> 
> 
> mail: billy - at - billy.demon.nl
> http://www.billy.demon.nl
> 
> 
> 
> 
> ------------------------------------------------------------------------
> 
> Subject:
> Re: [Dshield] Standard Reporting
> From:
> Tony Earnshaw <tonye at billy.demon.nl>
> Date:
> Fri, 26 Mar 2004 20:18:11 +0100
> To:
> General DShield Discussion List <list at dshield.org>
> 
> 
> fre, 26.03.2004 kl. 03.36 skrev Pete Cap:
> 
> 
>>In the interests of brevity, and getting replies and
>>analysis done a lot sooner, might it not be a good
>>idea to standardize the way in which people alert the
>>list to (possibly) malicious activity?
>>
>>I just want to avoid, if possible, the following:
>>
>>User1: I'm seeing weird traffic, anyone else getting
>>this?
>>User2: What port?
>>User1: xxx.
>>User2: Is that tcp? or UDP?
>>User3: What IDS solution recorded the data?
>>User2: And can we please see some records?
>>User1: Here you go.
>>User4: Ok, can we get packet captures now?
>>
>>etc. ad nauseum.
>>
>>I have a basic idea but I'm open to suggestions...
> 
> 
> MySQL used to have a mandatory report list for reporting this kind of
> thing. One had to fill out a multitude of details before it would be
> considered. Though since becoming an LDAP convert, I've little to do
> with MySQL.
> 
> Basically I agree entirely. On other lists I refuse to answer any
> questions without people having supplied at least:
> 
> OS, OS version, possibly Linux distro
> Utility, utility version
> configuration details
> log details
> 
> --Tonni
> 
> 
> 
> ------------------------------------------------------------------------
> 
> Subject:
> Re: [Dshield] Analysis of Witty Worm
> From:
> Mrcorp <mrcorp at yahoo.com>
> Date:
> Fri, 26 Mar 2004 12:59:50 -0800 (PST)
> To:
> General DShield Discussion List <list at dshield.org>
> 
> 
> On a similar note, Mike Lee and Brian Hitchen wrote an article on the future of viruses.  It
> provides a good insight into potential threats...
> 
> 
> http://www.infosecwriters.com/texts.php?op=display&id=155
> 
> 
> __________________________________
> Do you Yahoo!?
> Yahoo! Finance Tax Center - File online. File on time.
> http://taxes.yahoo.com/filing.html
> 
> 
> 
> 
> ------------------------------------------------------------------------
> 
> Subject:
> Re: [Dshield] Security in Layers
> From:
> Tony Earnshaw <tonye at billy.demon.nl>
> Date:
> Fri, 26 Mar 2004 22:19:34 +0100
> To:
> General DShield Discussion List <list at dshield.org>
> 
> 
> fre, 26.03.2004 kl. 00.21 skrev John Holmblad:
> [...]
> 
> John,
> 
> I really appreciated this answer and its content. You know, what I'd
> really like to see would be co-operation between Microsoft and "the rest
> of the world".
> 
> 
>>I should add that other industry voices have expressed concern about the 
>>complexity of managing an IDS environment so in that sense Jesper 
>>Johanssen is not a lone voice although he may be in the minority.  
>>Recall the following ruckus from last summer (now old news) after 
>>Gartner's declaration of the death of IDS:
>>
>>http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci905961,00.html
> 
> 
> This was a very interesting summary; I'm no Gartner, so my opinion is
> probably valueless - and obviously firewalls are the first line of
> defense from outside one's network. But intruders can come from within
> one's network as well, and there will always be a need to monitor
> traffic coming in both directions through a firewall, and on both sides
> of it. Moreover, IDS for a Unix person is far more than simply
> monitoring a network connection, being also effective accounting of
> assets.
> 
> 
>>In fact for small and medium enterprises, an outsourced monitoring 
>>solution (e.g. Counterpane - www.counterpane.com) might be more cost 
>>effective than having inhouse IDS/IPS expertise and systems.
> 
> 
> Agree utterly. However, that's no argument against IDS.
> 
> Best,
> 
> --Tonni
> 
> 
> 
> ------------------------------------------------------------------------
> 
> Subject:
> Re: [Dshield] Security in Layers
> From:
> John Holmblad <jholmblad at aol.com>
> Date:
> Fri, 26 Mar 2004 17:09:06 -0500
> To:
> General DShield Discussion List <list at dshield.org>
> 
> 
> Tonni,
> 
> I am interested to learn more about your transition to RHEL 3.0. I too 
> have a dual boot system with RH8.0 Pro  + W2K Adv Server on a laptop. In 
> my several conversations with Redhat tech support and also their sales 
> support  "transition" team  prior to Dec 31 when they ended support for 
> RH 8.0 I was informed that there was no upgrade path from 8.0 to EL 3.0. 
> In other words I would have to start with a clean install  of RH EL 3.0 
> and restore whatever files I had saved prior to the install. From what 
> you have stated they either came to their senses and have by now 
> provided their customer base with a straightforward migration path that 
> does NOT require a full reinstall, or you have figured out a way to do 
> this on your own. Any details you would be willing to share with me on 
> your "transition" experience would be much appreciated. I have so far 
> put off the upgrade to RHEL 3.0 out of fear that I would inadvertently 
> "hose" my system which has been carefully crafted over the last year. By 
> the way the boot loader I am using is GRUB.
> 
> 
> ------------------------------------------------------------------------
> 
> Subject:
> [Dshield] Followup Re CIS Scoring Tool
> From:
> John Holmblad <jholmblad at aol.com>
> Date:
> Fri, 26 Mar 2004 18:41:27 -0500
> To:
> General DShield Discussion List <list at dshield.org>
> 
> 
> All,
> 
> as a followup to my earlier post on the Center for Internet Security and 
> the CIS scoring tool, I took a few minutes to browse the www site which 
> I had not visited for several months and I learned that this week a new 
> version (V2.1.12) of the Windows scoring tool was released that now 
> includes support for Windows XP Pro. It includes several .inf templates  
> for WXP Pro including a US NSA endorsed template 
> (NSA_XP_Workstation.inf).  As a point of information, you need to be 
> logged on with administrator privileges to run the scoring check correctly.
> 
> Thanks to any on this list including SANS who were involved in the hard 
> work to get this out. Obviously it is an important step forward for this 
> compliance checking technology.
> 
> ------------------------------------------------------------------------
> 
> Subject:
> Re: [Dshield] Security in Layers
> From:
> John Holmblad <jholmblad at aol.com>
> Date:
> Fri, 26 Mar 2004 18:09:20 -0500
> To:
> General DShield Discussion List <list at dshield.org>
> 
> 
> Tonni,
> 
> I did not mean to convey by my remarks an anti-IDS bias. In addition to 
> using IDS to detect attacks from the "inside", I am a strong proponent 
> of using per desktop firewalls and strong enforcement of the principle 
> of least privilege on all enterprise systems (not just the servers) with 
> auditing of access to sensitive resources especially in the small & 
> medium enterprise market. In other words, create the mindset in the
> organization, enforced by policy, that the desktop/laptop computer is a BT
> (business tool) with business-specific purposes and not a PC with
> "freestyle" personalization capabilities.
> 
> Although I do not have personal experience with Cisco's Security Agent 
> (formerly called the Okena Stormwatch system) which  claims to not just 
> detect but also prevent intrusions, I believe that this kind of solution 
> could be a viable mitigant to the risk of insider attack whether from a 
> Trojan or disgruntled employee. I have checked the pricing on this 
> technology with Cisco and they offer a version of that product, let's
> call it the limited edition, whose pricing is tuned for medium sized
> enterprises. The price of that version starts at $8000 in the US for a 
> small number of desktops + additional cost for additional desktops. For 
> 125 desktops the total price works out to ~$129/desktop not including 
> the cost of the server hardware to run the management server software.
> 
> In the end each enterprise has to conduct its own analysis of the total 
> cost in its own economic situation of any potential solution which may 
> include capital and/or labor and/or service outsourcing costs. When it 
> comes to security solutions, obviously a security professional who is 
> involved in such analysis and decision making has to have a good 
> understanding for each potential solution of what the corresponding 
> component costs are. I think one reason why sysadmins are often so 
> overloaded in their jobs is that insufficient attention is paid to the 
> labor component of those costs. In simpler terms we all tend to 
> underestimate how much work it is for an individual or team to maintain 
> a given solution and in my experience this underestimation problem gets 
> worse the further up the management chain you go.
> 
> 
> ------------------------------------------------------------------------
> 
> Subject:
> [Dshield] Microsoft Security Update CD
> From:
> John Holmblad <jholmblad at aol.com>
> Date:
> Fri, 26 Mar 2004 20:31:57 -0500
> To:
> General DShield Discussion List <list at dshield.org>
> 
> 
> All,
> 
> pursuant to earlier discussions on this list with respect to Microsoft's
> offering of free security update CDs, I received a copy of 2 CDs
> which were handed out at a Microsoft Technet event this week. The first 
> CD contains security updates to Windows and the second CD contains a/v 
> software. I inquired with Microsoft reps about the expected frequency of 
> future updates  to the offering but none of the Microsoft contacts whom 
> I queried could provide a definitive answer. I suspect that the updates 
> will be available monthly or quarterly. The  CD containing the free a/v 
> software is based on the  Computer Associates  "Armor LE" anti-virus 
> software product  and it comes with  one year of free a/v signature 
> updates. I know little about this product and I seem to recall  that it 
> has not gotten "good press" which may explain why it is being handed out 
> at no charge. As most on this list are aware, Microsoft has acquired its 
> own a/v technology from a Romanian company  but I don't think it is the 
> same product as Microsoft has included in this package. I would be 
> interested to know if users on this list who have ordered and received 
> via mail the update CD also received the free copy of the a/v software.
> The label on the marketing package that I received states that the 
> distribution is for the USA and Canada only.
> 
> 
> ------------------------------------------------------------------------
> 
> Subject:
> Re: [Dshield] Security in Layers
> From:
> "Johannes B. Ullrich" <jullrich at sans.org>
> Date:
> Fri, 26 Mar 2004 23:59:33 -0500
> To:
> General DShield Discussion List <list at dshield.org>
> 
> 
>>I am interested to learn more about your transition to RHEL 3.0. 
> 
> 
> this is an interesting topic, but not for this list. Please
> respond off-list.
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> list mailing list
> list at dshield.org
> http://www.dshield.org/mailman/listinfo/list