RE: Spyware
From: Paris E. Stone (pstone_at_alhurra.com)
Date: 12/17/04
- Previous message: Kirk Schafer: "Re: network worm"
- Maybe in reply to: Matt Stern: "Spyware"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 17 Dec 2004 08:15:47 -0500
To: "dallas jordan" <dallas.jordan@gmail.com>, "Matt Stern" <sternm@comprehensive.com>
That is correct, the best way too.
But, most spyware uses the outbound HTTP & HTTPS ports.
Why?
Because almost every firewall in the world allows that out.
Why?
Because those are the ports we browse the web on.
Spyware authors are pretty smart. I just found some spyware that set a
system restore point on an XP box, and whenever its files got removed,
and registry keys got deleted, it system restored itself right back!
~~~~~
Paris E. Stone, "Linux Zealot"
CISSP, CCNP, CNE, MCSE, CIW Master Administrator
~~~~~
"Not all who wander are lost."
J.R.R.T.
-----Original Message-----
From: dallas jordan [mailto:dallas.jordan@gmail.com]
Sent: Wednesday, December 15, 2004 2:09 PM
To: Matt Stern
Cc: security-basics@lists.securityfocus.com
Subject: Re: Spyware
I believe as a general rule, all traffic should be denied unless
explicitly permitted. This includes incoming as well as outgoing
traffic. You should start off with a "deny all" rule and then only
allow specific traffic through your firewall. This way, there is less
chance you may miss something. HTH.
On Tue, 14 Dec 2004 17:37:48 -0500, Matt Stern
<sternm@comprehensive.com> wrote:
> Hello all:
>
> I was just wondering if spyware sends its answers "back home" on any
> particular TCP or UDP port. If so, then couldn't I doubly safeguard the
> LAN (after trying to keep all the spyware off the workstations) by
> disallowing outbound communications via the firewall, for those ports?
> Or conversely, instead of allowing all outbound traffic, only allow the
> usual ports, such as 80, 443, 23, etc?
>
> Thanks.
>
> --
> Matthew H. Stern, CCP/CDP, sternm@comprehensive.com
> Serving the IT industry since 1976
> Comprehensive Computer Services Inc.
> www.comprehensive.com
> Phone: 631 755-2250, Fax 755-2254
> 560 Broad Hollow Road, Melville NY 11747
>
>
--
Dallas Jordan
CCNA, Security+
Ernst & Young LLP
Security & Technology Solutions (STS)
Office: 404-817-5940
Mobile: 843-991-0271
EY/Comm: 7455673
E-mail: Dallas.Jordan@ey.com
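The two replies above make a pair of points that are easiest to see side by side: Dallas's default-deny rule set, and Paris's observation that spyware beacons over the same outbound 80/443 that such a rule set still has to permit. The following is an added example, not code from the thread or from either poster. It is a toy first-match egress policy evaluator with an implicit default deny; the host names ("workstation-1", "proxy"), the rule sets, and the "web egress only from a proxy host" variant are constructed assumptions used to show why a port-only allow list does not stop a beacon on 443 while a source-restricted one does.

```python
"""Toy egress-policy evaluator illustrating the thread's default-deny argument.

Added example, not code from the original mailing-list thread. Host names,
rule sets and flows below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    src: str        # source host name (constructed, e.g. "workstation-1")
    proto: str      # "tcp" or "udp"
    dst_port: int   # destination port the host is trying to reach


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    proto: Optional[str] = None   # None matches any protocol
    dst_port: Optional[int] = None  # None matches any destination port
    src: Optional[str] = None     # None matches any source host

    def matches(self, flow: Flow) -> bool:
        return ((self.proto is None or self.proto == flow.proto)
                and (self.dst_port is None or self.dst_port == flow.dst_port)
                and (self.src is None or self.src == flow.src))


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First-match evaluation. Anything no rule matches falls through to
    deny, which is the "deny all, then allow specific traffic" ordering
    Dallas recommends."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return "deny"


# Policy A: the "usual ports" from Matt's question, permitted from any host.
PORT_ONLY_EGRESS = [
    Rule("allow", "tcp", 80),
    Rule("allow", "tcp", 443),
    Rule("allow", "tcp", 23),
]

# Policy B (assumed variant, not from the thread): web egress is permitted
# only from a hypothetical proxy host; workstations have no direct path out.
PROXY_ONLY_EGRESS = [
    Rule("allow", "tcp", 80, src="proxy"),
    Rule("allow", "tcp", 443, src="proxy"),
]


def spyware_beacon_gets_out(rules: List[Rule]) -> bool:
    """Would a workstation's direct outbound HTTPS connection, the port
    Paris says spyware favours precisely because it is open, be allowed?"""
    return evaluate(rules, Flow("workstation-1", "tcp", 443)) == "allow"


if __name__ == "__main__":
    # Constructed sample flows: a web beacon, a random high port, and the
    # proxy's own legitimate web traffic.
    samples = [
        Flow("workstation-1", "tcp", 443),
        Flow("workstation-1", "tcp", 31337),
        Flow("workstation-1", "udp", 53),
        Flow("proxy", "tcp", 443),
    ]
    for name, policy in (("port-only", PORT_ONLY_EGRESS),
                         ("proxy-only", PROXY_ONLY_EGRESS)):
        for flow in samples:
            print(f"{name:10s} {flow.src:14s} {flow.proto}/{flow.dst_port:<5d} "
                  f"-> {evaluate(policy, flow)}")
```

Under the port-only policy the random high port is denied (the value of default deny) but the 443 beacon is allowed, which is Paris's point; under the source-restricted variant the workstation's direct 443 attempt is denied while the proxy's own traffic still passes. Port filtering alone only narrows the channel; what reaches the web through it still has to be dealt with on the hosts or at the proxy.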