RE: Novarg
From: sloppy seconds (beleguese_at_yahoo.com)
Date: 01/30/04
- Previous message: peter.huang_at_ossecurity.ca: "Yet another Visa scam scheme"
- In reply to: Duston Sickler: "RE: Novarg"
- Next in thread: Robert Morales: "RE: Novarg"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 29 Jan 2004 22:07:35 -0800 (PST) To: Duston Sickler <dustons@charter.net>, 'Jeremy Strachan' <Jeremy.Strachan@ClemengerCommunications.co.nz>
To All!
Thanks for your responses.
To touch on a few points and clear the air I present
the following...
From a policy perspective:
Our company needs zip files to do business... it is a
massive corporate culture issue.
I like the suggestions of using NAV to scan emails
for executables etc...I am rather surprised that we
are not blocking them... Is this a limitation of
Trend? (our email av solution)
I did like the suggestion to delay/hold attachments
for a cooling off period...
Some have suggested that we block all internet mail
(hotmail ...etc).
Due to various employee "friendliness" initiatives we
cannot permanently block these sites...we did
temporarily block them due to the 9/11 anniversary...
From the user education perspective...
It is a little hard to combat the social engineering
tactics of this particular virus...
EX: coworker gets a zip file from me (spoofed) with an
attachment.
Thankfully my peers are a bit too paranoid to just
open the attachment...
I think we need to work on the "all networks are
hostile" mentality to overcome this...
From the make it less intuitive perspective...
I too am fond of the security by obscurity layer of
defense....
Unfortunately we are pushed to make everything too
easy for the end user... "IT is a tool and it must be
easy to use"
Most users/management don't care how it works...it had
just better allow them to do their work...
You would not believe how many requests I have seen
for NetBIOS in the DMZ, or SMB access...!!!!!!!!!!!
Heaven forbid they use FQDN or SSH..etc that would
require thought... :/
I hear...security is too hard to understand and work
with... (mental response: Step away from the
computer!)
Typical PEBKAC (problem exists between keyboard and
chair) users...
I have 3 choices.
Laugh
Lobby for change
Leave
I think I will go with door number 2!
Thanks for all the feedback!
Back to the salt-mines and train-wrecks,
Beleguese
--- Duston Sickler <dustons@charter.net> wrote:
> We have our Symantec Gateway server configured to
> scan all incoming
> attachments. It automatically strips all
> executables and any "encrypted
> containers". (password protected zips) This and NAV
> Corp (managed) has kept
> our organization free from worms for three years
> running now.
>
> Duston Sickler
> CompTIA A+ Certified
> "Cedo Nilli"
>
> -----Original Message-----
> From: Jeremy Strachan [mailto:Jeremy.Strachan@ClemengerCommunications.co.nz]
>
> Sent: Wednesday, January 28, 2004 2:31 PM
> To: 'sloppy seconds'
> Cc: 'incidents@securityfocus.com'
> Subject: RE: Novarg
>
>
> For what it's worth - we use NAV for Exchange, and
> one of the options is to
> block certain attachment types, in this case we
> block .exe attachments.
>
> NAV looks inside .ZIP files, sees the .exe inside,
> and blocks (or deletes)
> the entire attachment.
>
> That means we aren't dependent on a virus signature
> being released to block
> this worm (or new variants).
>
>
> Jeremy
> National IT Manager
> Clemenger Communications Ltd
> Microsoft MCSE, Novell CNE, Compaq ASE
>
> -----Original Message-----
> From: sloppy seconds [mailto:beleguese@yahoo.com]
> Sent: Wednesday, 28 January 2004 5:32 p.m.
> To: incidents@securityfocus.com
> Subject: Novarg
>
>
> To all,
>
> Yes as many of you have noticed Novarg is spreading
> fast. I work for a large
> international corporation and we have seen extensive
> infiltration. However,
> this worm has not proved to be as "damaging" as some
> may claim. The scary
> part is that our investment in AV solutions (Trend,
> Symantec, et al...) has
> not protected us. We are now reconsidering our
> stance on allowing .ZIP files
> in Email.
>
> We engineered our own cleaning utility hours before
> our AV vendors even had
> signatures. Infecting lab clients and using diff
> tools...etc
>
> From a network perspective we are watching for the
> supposed DOS against SCO.
>
>
> We have had the outbreak under control just a few
> hours after its
> inception.
>
> Anyone care to contribute their experience?
>
> Thanks,
> Beleguese
>
>
> __________________________________
> Do you Yahoo!?
> Yahoo! SiteBuilder - Free web site building tool.
> Try it!
> http://webhosting.yahoo.com/ps/sb/
>
>
__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free web site building tool. Try it!
http://webhosting.yahoo.com/ps/sb/
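As an added example (not code from anyone in this thread), here is a Python sketch of the attachment check Duston and Jeremy describe: look inside each .ZIP, strip it if it carries an executable or an encrypted entry, and recurse into nested archives so a zip-in-a-zip does not slip past. The extension list, the nesting limit and the sample archives are my own assumptions and constructed test data.

```python
import io
import os
import re
import zipfile

# Policy modelled on the gateway rules described in the thread: strip a ZIP
# that carries an executable or is an "encrypted container". The extension
# list and the nesting limit are assumptions, not taken from the thread.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}
MAX_DEPTH = 2


def inspect_zip(data: bytes, depth: int = 0) -> list:
    """Return policy violations in a ZIP ([] = allowed); unreadable archives
    and over-deep nesting fail closed, since the filter cannot vouch for them."""
    if depth > MAX_DEPTH:
        return ["nesting deeper than %d levels" % MAX_DEPTH]
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a readable ZIP archive"]
    findings = []
    for info in archive.infolist():
        name = info.filename
        if info.flag_bits & 0x1:  # bit 0 of the general-purpose flags = encrypted
            findings.append("encrypted entry: %s" % name)
            continue
        ext = os.path.splitext(name.strip())[1].lower()
        if ext in EXEC_EXTENSIONS:
            findings.append("executable entry: %s" % name)
        elif ext == ".zip":  # recurse into nested archives as the gateway does
            for f in inspect_zip(archive.read(name), depth + 1):
                findings.append("%s -> %s" % (name, f))
    return findings


def build_zip(members: dict, mark_encrypted: bool = False) -> bytes:
    """Build a constructed sample ZIP in memory for exercising the policy."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    raw = bytearray(buf.getvalue())
    if mark_encrypted:
        # zipfile cannot write encrypted entries, so set the "encrypted" flag
        # by hand in each local header (offset 6) and central entry (offset 8).
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            for m in re.finditer(re.escape(sig), bytes(raw)):
                raw[m.start() + off:m.start() + off + 2] = b"\x01\x00"
    return bytes(raw)
```

Note that a gateway taking this approach still has to decide what to do with archives it cannot parse at all; failing closed, as above, is what keeps the policy from being bypassed by a deliberately malformed container.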