[unisog] antivirus that works despite ssl

Rohan Joseph rjoseph at nci.ca
Mon Jul 16 20:03:39 GMT 2007

The solution we have seen to be most effective for scenarios such as
yours is the Aladdin eSafe Web SSL.  As a consultant I recommend the
eSafe Web SSL; we have found the eSafe line of products the best at
securing web-based content.  Government and law enforcement swear by it
around these parts, and the educational references for web security are
extensive. As a security consulting organization we have had the chance
to test just about everything in our lab at the request of clients.


This is not paid advertising: their stuff just works, clients are
happy, and we don't get any screaming callbacks.


Rohan Joseph CISSP 
rjoseph at nci.ca





From: unisog-bounces at lists.dshield.org
[mailto:unisog-bounces at lists.dshield.org] On Behalf Of power less
Sent: Wednesday, July 11, 2007 10:37 AM
To: UNIversity Security Operations Group
Subject: Re: [unisog] antivirus that works despite ssl


OK, I think I'm starting to get the hint. This is apparently not the list
for this kind of discussion.
But I can't help but point out that the fact that the worm went from
using the flux thing to not using it would appear to imply that there
*was* a problem there for the fluxers. But we weren't in the loop to find
out what it was. And we don't like people to ask those questions. Like
we really didn't like someone asking why we make policies telling people
to use antivirus programs that we don't test and that don't work in real
usage scenarios?

On 7/10/07, Brian Eckman <eckman at umn.edu> wrote:

power less wrote:
> BTW in my exhausting coverage of the storm worm :-)  I should mention
> this article:
> http://www.securityfocus.com/news/11473
> This explains a few things, I guess. I'm not well-versed in DNS. I take
> it they are not talking about the URLs in the storm messages themselves?
> Because those are IP numbers, not domain names, in most of the ones I
> got.

Storm a/k/a Peacomm switched from using fast flux DNS to IP addresses a 
while back. That would explain the difference in what you read and what
you saw.

> Two I just got:
> Address:  24.93.201.2
> Name:     cpe-24-93-201-2.neo.res.rr.com
> Address:  65.190.29.151
> Name:     cpe-065-190-029-151.triad.res.rr.com
> I'd love to hear more about this DNS flux business. A comment to that
> article asked:
> "Why don't ISPs just block the inbound DNS traffic to home machines on
> dynamic addresses? Do that and the distributed DNS part evaporates."
> Is that true?

ISPs will probably tell you that this isn't their job. Regardless,
hardly anyone has the capability to determine what is a "home machine on
dynamic addresses" 95% of the time, let alone 100% of the time. Also, I 
bet you there are no less than 1,000 legitimate Internet domain names
(and likely lots more than that) that have their authoritative DNS
servers running on "home machines on dynamic addresses", or what would 
appear to most people to be "home machines on dynamic addresses".

ISPs don't like blocking legitimate traffic. It makes their customers,
help desk, and shareholders quite unhappy. The solution proposed above 
would certainly do this.

Put bluntly, there is no patch for stupidity nor ignorance. If you
approach the entire world's population, hand them a loaded gun, and tell
them you'll give them dinner if they point it at their head and pull the
trigger, I guarantee you'd find people that would do it. Not just the
suicidal folks, but there are surely millions of people in the world
that have no idea what a gun looks or acts like.

The same principle applies to computer users. Some percentage of them 
just have no clue that clicking the link in the email, then "clicking
here" to get their greeting card because the site is "testing new
functionality", then clicking "Open" or "Run" when prompted what to do 
with ecard.exe is risky behavior. They just want to see their stupid
greeting card.

Brian Eckman, Security Analyst
University of Minnesota
Office of Information Technology
Security & Assurance
unisog mailing list
unisog at lists.dshield.org 
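The two points Brian makes above, that fast-flux hosting shows up as a churn of short-TTL A records and that "home machines on dynamic addresses" cannot be told apart reliably from reverse DNS, can be made concrete with a small heuristic. The following is an added example written for this page, not code from the thread or from any product mentioned in it. The DNS observations, the zone-to-PTR mapping and the residential hostname patterns are all constructed for illustration; the only real-looking names are the two rr.com PTR records quoted in the thread.

```python
"""Fast-flux heuristic and residential-PTR guesser over constructed DNS data.

Added example for the unisog thread above, not from the original posts.
It shows (1) why a fast-flux domain looks different from a static one when
you resolve it repeatedly, and (2) why blocking inbound DNS to addresses
that merely *look* residential by reverse DNS would cut off legitimate
zones. All sample data and patterns below are assumptions.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Observation:
    """One resolver answer for a name: the A records returned and their TTL."""
    name: str
    ttl: int
    addresses: tuple


# Constructed: successive lookups of the same names over a short period.
SAMPLE_OBSERVATIONS = {
    "flux.example": [
        Observation("flux.example", 300, ("24.93.201.2", "65.190.29.151", "98.0.0.10")),
        Observation("flux.example", 300, ("71.10.2.3", "75.4.5.6", "24.93.201.2")),
        Observation("flux.example", 300, ("68.1.2.3", "24.0.0.9", "99.9.9.9")),
    ],
    "static.example": [
        Observation("static.example", 86400, ("192.0.2.10",)),
        Observation("static.example", 86400, ("192.0.2.10",)),
        Observation("static.example", 86400, ("192.0.2.10",)),
    ],
}


def flux_score(observations, ttl_threshold=600, min_unique=5):
    """Return (unique_ips, answers, max_ttl, is_fluxy) for repeated lookups.

    Heuristic: a name is treated as fast-flux when every answer carried a
    short TTL, many distinct IPs were seen, and most answers were fresh IPs
    rather than repeats. Thresholds are illustrative, not tuned.
    """
    unique = set()
    answers = 0
    max_ttl = 0
    for obs in observations:
        unique.update(obs.addresses)
        answers += len(obs.addresses)
        max_ttl = max(max_ttl, obs.ttl)
    distinct_ratio = len(unique) / answers if answers else 0.0
    is_fluxy = max_ttl <= ttl_threshold and len(unique) >= min_unique and distinct_ratio > 0.5
    return len(unique), answers, max_ttl, is_fluxy


# Assumed residential reverse-DNS patterns (illustrative, not authoritative).
RESIDENTIAL_PATTERNS = [
    re.compile(r"^cpe-"),
    re.compile(r"\.res\."),
    re.compile(r"(^|[.-])(dyn|dhcp|pool|dsl|cable)([.-]|$)"),
]


def looks_residential(ptr_name):
    """Guess whether a PTR name belongs to a residential dynamic address.

    Any pattern hit counts as residential; a miss proves nothing, which is
    exactly the weakness Brian describes.
    """
    return any(p.search(ptr_name) for p in RESIDENTIAL_PATTERNS)


# Constructed: small but legitimate zones and the PTR names of the hosts
# running their authoritative name servers.
LEGIT_ZONES = {
    "smallbiz.example": "cpe-198-51-100-7.res.isp.example",
    "hosted.example": "ns1.hosting-provider.example",
}


def zones_cut_off_by_block(zone_to_ptr):
    """Zones whose authoritative server would become unreachable if inbound
    DNS to residential-looking addresses were blocked at the ISP."""
    return sorted(z for z, ptr in zone_to_ptr.items() if looks_residential(ptr))


if __name__ == "__main__":
    for name, obs in SAMPLE_OBSERVATIONS.items():
        print(name, flux_score(obs))
    for ptr in ("cpe-24-93-201-2.neo.res.rr.com", "ns1.example.net"):
        print(ptr, looks_residential(ptr))
    print("legitimate zones lost to the proposed block:", zones_cut_off_by_block(LEGIT_ZONES))
```

Run against the constructed data, `flux.example` is flagged (eight distinct IPs in nine answers at a 300-second TTL) and `static.example` is not; the two rr.com PTR names from the thread match the residential patterns, and so does the name server of `smallbiz.example`, which is the false positive Brian is warning about.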
