Useless tidbit (MS AntiSpyware)
Nick FitzGerald
2005-05-10 23:16:43 UTC
Interesting. Has this always been that way? While it's not a huge gaping
hole, it's definitely concerning. At least to me.
Well, yes, of course it's concerning...

If you have some unknown/unwanted/etc program running on one of your
machines you darn well should be concerned, regardless of whether it's
called program.exe and located in the root directory of your Windows
install drive or not.

Of course, (assuming you are an IT admin) your boss should be even more
concerned in how in the heck you've allowed your IT system to be rolled
out such that arbitrary executables can actually get onto the machines
and be run so easily.

_THAT_ is a far larger problem you should have considered long before
you discovered that one (or more) of the many "band-aid" programs (like
MS AntiSpyware, most other anti-spywares, known virus scanning
"antivirus" programs, software firewalls, and so on) so commonly
advocated by lame (or hamstrung) system admins has this (and dozens of
other) trivial, stupid holes.


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
James Tucker
2005-05-11 01:58:14 UTC
May I ask what web browser you use, if any?
What about mail client?
Do you read rich text and html mails in code?
Do you never have to update your software?
Can you reliably justify rolling out new software versions to
massively time-dependent and business critical systems potentially
causing as much damage as an infection?

These are the issues from the other side.
Post by Nick FitzGerald
Interesting. Has this always been that way? While it's not a huge gaping
hole, it's definitely concerning. At least to me.
Well, yes, of course it's concerning...
If you have some unknown/unwanted/etc program running on one of your
machines you darn well should be concerned, regardless of whether it's
called program.exe and located in the root directory of your Windows
install drive or not.
Of course, (assuming you are an IT admin) your boss should be even more
concerned in how in the heck you've allowed your IT system to be rolled
out such that arbitrary executables can actually get onto the machines
and be run so easily.
_THAT_ is a far larger problem you should have considered long before
you discovered that one (or more) of the many "band-aid" programs (like
MS AntiSpyware, most other anti-spywares, known virus scanning
"antivirus" programs, software firewalls, and so on) so commonly
advocated by lame (or hamstrung) system admins has this (and dozens of
other) trivial, stupid holes.
Regards,
Nick FitzGerald
Randall M
2005-05-11 11:04:52 UTC
:-----Original Message-----
:From: full-disclosure-***@lists.grok.org.uk
:[mailto:full-disclosure-***@lists.grok.org.uk] On Behalf
:Of Nick FitzGerald
:Sent: Tuesday, May 10, 2005 6:17 PM
:To: full-***@lists.grok.org.uk
:Subject: RE: [Full-disclosure] Useless tidbit (MS AntiSpyware)
:
:
:_THAT_ is a far larger problem you should have considered long
:before you discovered that one (or more) of the many
:"band-aid" programs (like MS AntiSpyware, most other
:anti-spywares, known virus scanning "antivirus" programs,
:software firewalls, and so on) so commonly advocated by lame
:(or hamstrung) system admins has this (and dozens of
:other) trivial, stupid holes.
:
:
:Regards,
:
:Nick FitzGerald
:

Nick,
Would you please elaborate further on this? I read it to say we should have
cleaned out the machines first by hand and we are lame or hamstrung for
relying on anti-virus, anti-spyware programs to find them.

RandallM

byte busters
2005-05-11 18:22:50 UTC
Post by Randall M
:-----Original Message-----
:Of Nick FitzGerald
:Sent: Tuesday, May 10, 2005 6:17 PM
:Subject: RE: [Full-disclosure] Useless tidbit (MS AntiSpyware)
:_THAT_ is a far larger problem you should have considered long
:before you discovered that one (or more) of the many
:"band-aid" programs (like MS AntiSpyware, most other
:anti-spywares, known virus scanning "antivirus" programs,
:software firewalls, and so on) so commonly advocated by lame
:(or hamstrung) system admins has this (and dozens of
:other) trivial, stupid holes.
:Regards,
:Nick FitzGerald
Nick,
Would you please elaborate further on this? I read it to say we should have
cleaned out the machines first by hand and we are lame or hamstrung for
relying on anti-virus, anti-spyware programs to find them.
RandallM
If one [or more] of you on the list could be so kind to indicate a
[many] resource[s] that lame hamstrung admins would be wise to follow
as guidelines to secure Windows systems.. it would be so much more
productive, especially for those lazy a$$ admins who may overlook the
single [or multiple] missed step that lets them become owned, hacked,
infected, unpatched, bugged, spewing, spamming, bots, rooted .... [I
am sure to have skipped a few important ones] ;-P

steve
Kurt Buff
2005-05-11 18:30:46 UTC
Post by byte busters
If one [or more] of you on the list could be so kind to indicate a
[many] resource[s] that lame hamstrung admins would be wise to follow
as guidelines to secure Windows systems.. it would be so much more
productive, especially for those lazy a$$ admins who may overlook the
single [or multiple] missed step that lets them become owned, hacked,
infected, unpatched, bugged, spewing, spamming, bots, rooted .... [I
am sure to have skipped a few important ones] ;-P
steve
Google is your friend - start with 'NSA security guidelines windows'.
V***@vt.edu
2005-05-12 06:05:23 UTC
Post by Kurt Buff
Post by byte busters
If one [or more] of you on the list could be so kind to indicate a
[many] resource[s] that lame hamstrung admins would be wise to follow
as guidelines to secure Windows systems.. it would be so much more
productive, especially for those lazy a$$ admins who may overlook the
single [or multiple] missed step that lets them become owned, hacked,
infected, unpatched, bugged, spewing, spamming, bots, rooted .... [I
am sure to have skipped a few important ones] ;-P
steve
Google is your friend - start with 'NSA security guidelines windows'.
I'll add in the Center for Internet Security benchmarks:

http://www.cisecurity.org

It covers a lot of the same stuff as the NSA guidelines (which were used as
one of the inputs). Benefits: (1) I don't know if the NSA stuff has been updated
for XP, and (2) the CIS stuff includes a scoring tool which will let you know
which things you've not tightened down.

XP SP2, current patches, and either/both of the NSA/CIS kits - I will *not*
guarantee that it's bulletproof secure, but at least the box won't be sitting
there with a 'HAX0R ME N0W' sign on it.

(No, I didn't work on the CIS Windows stuff, but I'll take at least partial
blame for the Solaris/Linux/AIX ones)
Des Ward
2005-05-12 07:49:53 UTC
I'd also recommend learning to use RIS and SUS servers, GPOs and slipstreaming to keep patches up to date. True there are still unpatched vulnerabilities out there, but actually patching components such as MSIE is at least as important.

I disagree that malicious code spreads purely due to bad admins. Standard builds deployed by a combination of RIS and GPOs could allow greater control over the environment; the balance between usability and security is often a fine one.

Actually putting some thought into builds would be helpful, with basic builds having everything unused switched off. Choosing between similar applications based on their lack of insecure features would help too.

The main problem IMHO is that people don't know what's on their network. It's kinda hard then to apply any advice you get. There's no excuse for this if you have a 1918 network, as you can use the basic version of NeWT to scan your network for vulnerabilities and to find out what you actually have.

Technology isn't a panacea, but slating people for using AV/Spyware products shows a lack of understanding of business. Or maybe certain people feel you don't need either if you've configured your network properly? (Airgap instead of the 'net anyone?) Sure the technology isn't perfect, but if it helps prevent further botnet activities on those systems controlled by less experienced people I'm certainly not going to make them feel bad for it.
-----Original Message-----
From: ***@vt.edu
Date: Thu, 12 May 2005 02:05:23
To:***@gmail.com
Cc:***@bytebusters.com, Full Disclosure <full-***@lists.grok.org.uk>
Subject: Re: [Full-disclosure] Useless tidbit (MS AntiSpyware)
Post by Kurt Buff
Post by byte busters
If one [or more] of you on the list could be so kind to indicate a
[many] resource[s] that lame hamstrung admins would be wise to follow
as guidelines to secure Windows systems.. it would be so much more
productive, especially for those lazy a$$ admins who may overlook the
single [or multiple] missed step that lets them become owned, hacked,
infected, unpatched, bugged, spewing, spamming, bots, rooted .... [I
am sure to have skipped a few important ones] ;-P
steve
Google is your friend - start with 'NSA security guidelines windows'.
I'll add in the Center for Internet Security benchmarks:

http://www.cisecurity.org

It covers a lot of the same stuff as the NSA guidelines (which were used as
one of the inputs). Benefits: (1) I don't know if the NSA stuff has been updated
for XP, and (2) the CIS stuff includes a scoring tool which will let you know
which things you've not tightened down.

XP SP2, current patches, and either/both of the NSA/CIS kits - I will *not*
guarantee that it's bulletproof secure, but at least the box won't be sitting
there with a 'HAX0R ME N0W' sign on it.

(No, I didn't work on the CIS Windows stuff, but I'll take at least partial
blame for the Solaris/Linux/AIX ones)


Kind regards,

Des Ward