Re: Hackers plot to create massive botnet

From: Winged (Winged_at_nofollow.com)
Date: 06/09/05


Date: Wed, 08 Jun 2005 21:45:17 -0500

Jim Watt wrote:
> On 8 Jun 2005 20:09:12 GMT, Juergen Nieveler
> <juergen.nieveler.nospam@arcor.de> wrote:
>
>
>>Jim Watt <jimwatt@aol.no_way> wrote:
>>
>>
>>>>Seems it's finally time to say "no executable attachments whatsoever
>>>>will be accepted".
>>>
>>>I've been doing that for some time - why worry about updating
>>>virus scanners - nobody should be mailing me executables.
>>
>>Indeed, that's the policy at $Ork as well. The only virus infection we
>>had in the last 3 years was through a virus that spread through
>>Netbios-shares and got in via a share meant to exchange files with
>>other parts of the corporation. Apparently one of the others does not
>>have the same policy... and they're the same part that got infected
>>with a bunch of other viruses as well.
>>
>>If it was for me, I'd disconnect them from the WAN until they get their
>>*** together, but Management wouldn't let me...
>
>
> .zip files get the chop, and I now filter .gif's because I'm fed up
> with fancy email and the advertisements that come that way.
>
> --
> Jim Watt
> http://www.gibnet.com

It must be nice. We had to establish a local methodology to get known
good attachments into the system through the filters to do business yet
filter the unknown. It was a painful process to train our users to use
a band-aid methodology, but word has got out and it is working well for
us. It does require a naming convention to get past the filters, then
the user must define the appropriate extension in the mail body and why
our users should open the message. We have other methodologies we could
use such as various secure ftp methodologies however using these methods
is cumbersome in many cases. Our methodology works for us. I am
curious to hear what methods others are using.

For us, transmitting data in various file formats is part of our
worldwide business. We don't have the option to just say no to
attachments. Sometimes that balance beam of security versus usability
is a tough rope to walk, and business trumps security.

We do run AV and a number of other security products. Our networks have
had various clients get compromised by various methods occasionally but
we have not had a widespread outbreak going back to before Melissa (I
Love You virus). These clients are automatically disconnected if/when
abnormal behavior is seen on the network via automated tools. In the
last year we have had to rebuild about .5% of our clients due to
spyware or other exploits, though the number one exploit vector has
typically been web based. We have had a large number of attempts via
e-mail but few seem to get through or operate in our environment.

The concept of running with no centrally managed AV/firewall (that
really sends cold chills) or prohibiting e-mailing of all files is
totally alien to me. We couldn't do business effectively.

Winged
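The renamed-attachment convention Winged describes (a naming convention that gets the file past the extension filter, plus a declaration in the mail body of what the file really is) can be enforced at the gateway rather than left to the recipient. The following is an added example, not code from the thread or from any poster's site: a mail-gateway policy check that rejects blocked extensions outright, and accepts a renamed attachment only when the body declares its original type, that type is on the permitted list, and the file's leading bytes actually match it. The blocked/permitted lists, the `.txt` rename suffix, the `attachment-type:` declaration line and the magic-byte table are all assumptions made for the example.

```python
"""Attachment policy check for the renamed-attachment convention.

Added example; the naming convention (original name + ".txt"), the body
declaration line "attachment-type: <original name> <ext>", the extension
lists and the signature table are all hypothetical choices for this demo.
"""
import re
from dataclasses import dataclass

# Hypothetical policy: extensions that are never accepted, and original
# types a renamed attachment may declare.
BLOCKED_EXTENSIONS = {"exe", "scr", "pif", "bat", "cmd", "com", "vbs", "js", "zip"}
ALLOWED_WHEN_DECLARED = {"xls", "doc", "pdf", "csv"}

RENAME_SUFFIX = ".txt"          # "report.xls" is sent as "report.xls.txt"
DECLARATION_RE = re.compile(
    r"^attachment-type:\s*(\S+)\s+(\w+)\s*$", re.IGNORECASE | re.MULTILINE
)

# Constructed subset of file signatures used to confirm the declared type.
# An empty tuple means "plain text": verified as ASCII instead.
MAGIC = {
    "pdf": (b"%PDF-",),
    "xls": (b"\xd0\xcf\x11\xe0",),   # OLE2 compound document
    "doc": (b"\xd0\xcf\x11\xe0",),
    "csv": (),
}


@dataclass
class Attachment:
    filename: str
    content: bytes


def extension_of(name: str) -> str:
    """Lower-cased final extension, or '' if the name has none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def declared_types(body: str) -> dict:
    """Map each original filename declared in the body to its declared extension."""
    return {name.lower(): ext.lower() for name, ext in DECLARATION_RE.findall(body)}


def content_matches(ext: str, data: bytes) -> bool:
    """True if the leading bytes are consistent with the declared extension."""
    sigs = MAGIC.get(ext)
    if sigs is None:
        return False
    if not sigs:                      # text type: require plain ASCII
        try:
            data.decode("ascii")
            return True
        except UnicodeDecodeError:
            return False
    return any(data.startswith(s) for s in sigs)


def evaluate(att: Attachment, body: str) -> tuple:
    """Return (verdict, reason); verdict is 'accept', 'reject' or 'quarantine'."""
    ext = extension_of(att.filename)
    if ext in BLOCKED_EXTENSIONS:
        return ("reject", f"blocked extension .{ext}")
    if ext != RENAME_SUFFIX.lstrip("."):
        return ("accept", "not a renamed attachment; ordinary policy applies")

    # It ends in the rename suffix: is it a real text file or a renamed one?
    original = att.filename[: -len(RENAME_SUFFIX)]
    inner_ext = extension_of(original)
    if not inner_ext:
        return ("accept", "plain text attachment")

    declared = declared_types(body).get(original.lower())
    if declared is None:
        return ("quarantine", f"renamed attachment {att.filename} not declared in body")
    if declared in BLOCKED_EXTENSIONS or declared not in ALLOWED_WHEN_DECLARED:
        return ("reject", f"declared type .{declared} is not permitted")
    if declared != inner_ext:
        return ("quarantine", "declared type does not match the original filename")
    if not content_matches(declared, att.content):
        return ("quarantine", f"content does not look like a .{declared} file")
    return ("accept", f"renamed .{declared} attachment declared and verified")


if __name__ == "__main__":
    # Constructed sample message: body declaration plus an OLE2-looking payload.
    body = "Quarterly figures attached.\nattachment-type: report.xls xls\n"
    print(evaluate(Attachment("report.xls.txt", b"\xd0\xcf\x11\xe0\xa1\xb1"), body))
    print(evaluate(Attachment("invoice.exe", b"MZ\x90\x00"), body))
```

The three verdicts map onto what a gateway can do: `reject` for policy violations, `quarantine` for renamed files whose declaration or content does not line up (so a human can release legitimate ones), and `accept` for the rest. Matching the declared type against the file's leading bytes is what stops a simple rename from turning the convention into an executable bypass.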