Re: A question for the list...

From: Kevin Reardon (Kevin.Reardon_at_oracle.com)
Date: 05/19/03

  • Next message: Matthew F. Caldwell: "RE: Scans from proxyprotector.com"
    Date: Mon, 19 May 2003 11:14:25 -0700
    To: incidents@securityfocus.com
    
    

    It is an interesting topic.

    Is this proposal a vaccine, or could it unleash such collateral damage
    as to make the Internet useless? Keep in mind that the "attackers" are
    more than likely compromised systems, and are thus "innocents." But is
    this proposal more like a Good Samaritan than an active retaliation?
    Can it be controlled outside a legal system? Let's face it, what is
    going to stop someone from unleashing a malevolent virus under the guise
    of benevolence? It is very possible to use the Good Samaritan laws ("I
    was only trying to help") and provide even more shelter for the
    malevolent.

    Are the attacks really a virus? We have used that word because
    mathematically it models the spread of the code. Organic mechanisms
    react to a viral infection in three ways: defeat it, fail, or adapt.
    Last time I checked, computers do not respond in the latter manner. How
    can they adapt?

    A vaccine worm is only a delivery mechanism. It only applies a "fix"
    that should have been caught prior to deployment. Typically attacks
    take the form of buffer overruns, or application designs to make things
    easy and friendly to use or program. Prior to deployment there has to
    be some form of compiler. I propose to make that compiler smarter and
    search for the sets of security holes that are common.
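    The buffer overrun the post names as the typical attack form is the kind of defect a compiler or a bounds check can catch before deployment. The following is an added illustration, not code from the original message or from anyone in this thread: an unbounded copy into a fixed-size buffer beside a bounded version that rejects oversized input instead of overrunning. The helper names (`copy_name_unchecked`, `copy_name_bounded`, `accepts_name`) and the 16-byte buffer size are assumptions chosen for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example: assumed buffer size for a name field. */
#define NAME_MAX 16

/* The pattern the post has in mind: the destination size is never
 * consulted, so any source longer than NAME_MAX - 1 bytes overruns dst.
 * Kept only for contrast; do not call it with untrusted input. */
static void copy_name_unchecked(char *dst, const char *src) {
    strcpy(dst, src);
}

/* Bounded version: the caller passes the real capacity of dst and the
 * copy is refused (returns -1) when src plus its terminator would not fit. */
static int copy_name_bounded(char *dst, size_t dst_size, const char *src) {
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size) {
        return -1; /* would overrun: reject instead of corrupting memory */
    }
    memcpy(dst, src, n + 1); /* n bytes plus the NUL terminator */
    return 0;
}

/* Returns 1 if src fits in a buffer of cap bytes (with terminator), else 0. */
int name_fits(const char *src, size_t cap) {
    return strlen(src) < cap;
}

/* Wrapper using the fixed NAME_MAX buffer: 0 on success, -1 if rejected.
 * Exists so the check can be exercised without exposing the buffer. */
int accepts_name(const char *src) {
    char buf[NAME_MAX];
    return copy_name_bounded(buf, sizeof buf, src);
}

int main(void) {
    char buf[NAME_MAX];
    /* Short input: both versions behave the same. */
    copy_name_unchecked(buf, "fizzer");
    printf("unchecked short copy: %s\n", buf);
    /* 16 characters need 17 bytes; the bounded copy refuses. */
    printf("bounded 16-char copy: %d\n", accepts_name("0123456789abcdef"));
    printf("bounded 15-char copy: %d\n", accepts_name("0123456789abcde"));
    return 0;
}
```

The bounded function is what a reviewer would want to see in place of the first one; the compiler-side part of the proposal already exists in mainstream toolchains, for instance GCC's `-fstack-protector` and glibc's `_FORTIFY_SOURCE`, which add run-time checks around exactly this class of copy.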

    Is it possible to stop this issue with the existing technology and not
    have to rely on a solution in Meat Space (the legal system)? I cannot
    see how. The technology is too trivial (it's binary after all) and was
    designed for a trusted environment. I would like to entertain the topic
    of how we drive a new technology that is secure. But then again, I
    don't know how realistic that topic can be.

    ---K

    Ed Shirey wrote:
    >
    > Dan Hanson wrote:
    >
    > >As part of incident handling and response, most of us have had to respond
    > >to virus infections that have affected networks and hosts. Reports are
    > >circulating that members of the IRC operator community have distributed
    > >code through the update mechanism of the Fizzer virus. The code reportedly
    > >attempts to remove the virus from the host. The latest information seems
    > >to indicate that the "update" code was removed until further testing can
    > >be done and more discussion regarding the legalities of this are had.
    > >
    > I think that this approach to dealing with worms is an inevitable
    > evolution of the network "organism". It obviously carries many risks,
    > but it can also potentially provide tremendous benefit to the health
    > of the overall system.
    >
    > It's certainly not always the case, but often an infected system has
    > readily exploitable holes that an active "vaccine" could utilize to
    > remove the malware. This approach has a host of ethical and technical
    > issues, but assuming an altruistic and benevolent (and technically
    > competent) source, this vaccine has a net benefit (sorry about all the
    > puns).
    >
    > I suggest that many of the issues are similar to those associated with
    > "Good Samaritans". Our overly litigious society has many would-be
    > samaritans afraid to offer a helping hand because of concern for
    > liability. Is this right? This isn't a rhetorical question -- there
    > are certainly examples of well meaning, but inept assistance causing
    > more harm than good.
    >
    > However, as more and more malware "organisms" begin to inhabit our
    > network like virtual E. coli in the Internet gut, active measures may
    > be required, if for no other reason than to protect bandwidth. Perhaps
    > DSL providers should consider making permission to release active
    > countermeasures part of the terms of use.
    >
    > This is going to be a fun thread...
    >
    > Ed
    >
    > ----------------------------------------------------------------------------
    > *** Wireless LAN Policies for Security & Management - NEW White Paper ***
    > Just like wired networks, wireless LANs require network security policies
    > that are enforced to protect WLANs from known vulnerabilities and threats.
    > Learn to design, implement and enforce WLAN security policies to lockdown enterprise WLANs.
    >
    > To get your FREE white paper visit us at:
    > http://www.securityfocus.com/AirDefense-incidents
    > ----------------------------------------------------------------------------

