RE: Novarg

From: Smith, David (dsmith_at_teamumc.com)
Date: 01/30/04

Next message: Jamie Pratt: "Re: new IIS exploit?"

Previous message: mgotts_at_2roads.com: "Re: Novarg"
Maybe in reply to: Nick FitzGerald: "RE: Novarg"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: 'Jeremy Hyland' <hylandj@u.washington.edu>, 'Ivan Coric' <ivan.coric@workcoverqld.com.au>, jim@jimz.net, incidents@securityfocus.com
Date: Fri, 30 Jan 2004 11:05:28 -0600

We block *.zip, *.exe, etc. with little problem. If our user is getting
mail with a stripped attachment that they need, they will call our help
desk. It was easy to train our users to tell the sender to change the
extension on the file to *.txt and provide a note in the body as to what the
actual extension should be in the body of the letter. They can then save
the attachment, change the extension, and move forward. We have about 1200
PC's; it would be worse having to disinfect each one. Users do not bother
with any of the attachments unless they are really work related. It sure
cut down on the junk stored on our Exchange server, as well as not having a
single machine impacted by this latest episode.

David Smith
Technical Support Manager
University Medical Center
Lubbock, TX 79415
806-775-9080

-----Original Message-----
From: Jeremy Hyland [mailto:hylandj@u.washington.edu]
Sent: Thursday, January 29, 2004 8:58 PM
To: 'Ivan Coric'; jim@jimz.net; incidents@securityfocus.com
Subject: RE: Novarg

I also find limiting all inbound traffic significantly reduces the chances
of all manner of network security issues, but that doesn't make it a good
policy.

The issue here is the classic debate of usability vs. security. Well yeah
.zip files represent a risk, but they can also be a powerful tool for
getting work done.

I'm not about to start recommending .zip files be blocked on my network
because I know my users need the functionality provided by .zip files. Your
situation may be very different, and blocking .zip files might be the best
choice. Either way, I highly recommend that the needs of users be considered
before usability is curtailed.

-Jeremy

Jeremy J. Hyland

-----Original Message-----
From: Ivan Coric [mailto:ivan.coric@workcoverqld.com.au]
Sent: Wednesday, January 28, 2004 4:58 PM
To: jim@jimz.net; incidents@securityfocus.com
Subject: Re: Novarg

Hi Jim,
Maybe you could explain this statement a little better?

"after all, completely blocking zip files in attachments is a very, very
sharp double-edged knife."

We block all 'zip' attachments and have found it excellent way to prevent
new virus' from entering the network, prior to signatures files being
released. And that also goes for, .pif, .scr, .exe etc.

Kind Regards
Ivan

Ivan Coric, CISSP
IT Technical Security Officer
Information Technology
WorkCover Queensland
Ph: (07) 30066414 Fax: (07) 30066424
Email: ivan.coric@workcoverqld.com.au

>>> Jim Zajkowski <jim@jimz.net> 01/29/04 04:33am >>>
I'm waiting for the virus that automatically zips itself with a
different, random password and e-mails the victim with something like
"hey, check this out -- I encrypted it with password <foo>." It'll be
interesting to watch the policies fly -- after all, completely blocking
zip files in attachments is a very, very sharp double-edged knife.

--Jim

---------------------------------------------------------------------------
----------------------------------------------------------------------------

***************************************************************************
Messages included in this e-mail and any of its attachments are those
of the author unless specifically stated to represent WorkCover Queensland.
The contents of this message are to be used for the intended purpose only
and are to be kept confidential at all times.
This message may contain privileged information directed only to the
intended addressee/s. Accidental receipt of this information should be
deleted promptly and the sender notified.
This e-mail has been scanned by Sophos for known viruses.
However, no warranty nor liability is implied in this respect.
**********************************************************************

---------------------------------------------------------------------------
----------------------------------------------------------------------------

Next message: Jamie Pratt: "Re: new IIS exploit?"

Previous message: mgotts_at_2roads.com: "Re: Novarg"
Maybe in reply to: Nick FitzGerald: "RE: Novarg"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

RE: Novarg
... The issue here is the classic debate of usability vs. security. ... I'm not about to start recommending .zip files be blocked on my network ... and blocking .zip files might be the best ... We block all 'zip' attachments and have found it excellent way to prevent ...
(Incidents)
Re: Cant Open or Save Attachments - Another case
... To be able to open those type of files, you need to lower your security ... Open Internet Explorer, click Tools/Internet Options/Security tab ... >> There is no file association for .exe, ... > attachments save fine, and be "blocked" from running until I explicitly ...
(microsoft.public.windows.inetexplorer.ie6_outlookexpress)
Re: Cant Open or Save Attachments - Another case
... Both .exe and .url ... file types are considered high risk. ... attachments save fine, and be "blocked" from running until I explicitly ...
(microsoft.public.windows.inetexplorer.ie6_outlookexpress)
Re: SBS blocked attachments
... What happens if you change the extension on the .exe or .zip to something ... "Outlook blocked access to the following potentially unsafe attachments" ...
(microsoft.public.backoffice.smallbiz)
Re: Cant Open or Save Attachments - Another case
... Thanks, but still no joy. ... and still the .exe and ... To be able to open those type of files, you need to lower your security ... > attachments save fine, and be "blocked" from running until I explicitly ...
(microsoft.public.windows.inetexplorer.ie6_outlookexpress)