[unisog] How often to pull anti virus updates from vendors

Peter Van Epp vanepp at sfu.ca
Fri Dec 7 18:29:18 GMT 2001


> 
> Sophos has an "alert" mailing list for this very purpose.  My plan is
> to have a message received from this list trigger a process to pick
> up the latest set of definitions -- while Sophos does send the new IDE
> with their message, I'd rather not go through the hassle of vetting the
> incoming message.  If all an incoming message does is trigger a process
> to go to a hardcoded known site for data, the worst a fake e-mail message
> can do is a kind of DOS by having my host repeatedly check for updates.
> 
> Anne.
> -- 
> Ms. Anne Bennett, Senior Analyst, IITS, Concordia University, Montreal H3G 1M8
> anne at alcor.concordia.ca                                        +1 514 848-7606
> 

	While it may be just me, I shuddered when one of our business units 
suggested using the automatic Internet update feature from NAI to update their
virus signatures. As a cracker the place I'm going to break in to is NAI's
distribution server and let it automatically distribute my virus for me. While
one would hope such a breakin would be hard, the return on investment is likely
to attract the best. Failing that my next attack would be the network routing 
to the "hardcoded" site to insert my host (and possibly via a man-in-the-middle
attack to defeat cryptography if it is in use on the link as well) and my virus
into your update stream. Digitally signed updates (assuming the attacker hasn't
managed to compromise the virus company's key) would be one way around most 
of this risk.
	So I think the worst that could happen is a fair bit more serious than 
a DOS attack (although unlikely enough that the risk may be acceptable to you
as long as you are aware it is there and have considered it ...)

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada



More information about the unisog mailing list