Thought this is on topic for the group with all the new
virii and new problems out there.
Would anyone here consider sending this out to all customers?
Later,
Jim
Last week at the Comdex show in Las Vegas, Computer Associates
International, Inc. (known to the world as CA) teamed up with
Microsoft Corp to provide "qualified" Windows home computer
users with a no-charge, one-year subscription to CA's eTrust
EZ Armor antivirus and firewall desktop security suite.
The move is designed to encourage home users to increase
the protection of their Windows systems and CA has stated
that the company will aggressively promote the offer as
part of Microsoft's "Protect Your PC" campaign.
SNIP
The EZ Armor software carries a value of $49.95 and the
free subscription offer will be available for download
until June 30, 2004 and comes complete with one year of
personal firewall and antivirus protection including daily
virus signature updates.
http://www.it-analysis.com/article.php?articleid=11450
McBurnett, Jim writes on 11/24/2003 9:29 AM:
> Thought this is on topic for the group with all the new virii and new problems out there.
> Would anyone here consider sending this out to all customers?
Most if not all computers that are sold (branded ones at least) do come with an antivirus + "personal firewall" (aka snake oil firewall, as vernon schryver keeps saying on news.admin.net-abuse.email and elsewhere) package, with 6 months to a year of free updates.
What, if anything, is new about this?
srs
If most if not all computers that are sold include antivirus + personal
firewalls, who is selling all the computers being infected with worms,
virus, malware?
** Reply to message from Sean Donelan <sean@donelan.com> on Mon, 24 Nov
2003 13:29:57 -0500 (EST)
> Most if not all computers that are sold (branded ones at least) do come
> with an antivirus + "personal firewall" (aka snake oil firewall, as
> vernon schryver keeps saying on news.admin.net-abuse.email and
> elsewhere) package, with 6 months to a year of free updates.
> If most if not all computers that are sold include antivirus + personal
> firewalls, who is selling all the computers being infected with worms,
> virus, malware?
You know that the best AV program in the world isn't going to amount to
a hill of beans if the user doesn't 1. download updates, 2. run the
occasional scan [1], and 3. pay for more updates past the 1 year mark
(for those for which this is a requirement).
Firewalls at least tend to be a bit more hands off... and I'd like to
hear more about the "snake oil" parts. Doesn't the 1/2wall that XP
ships with default to "disabled?"
As for Malware... right now neither firewalls nor AV programs seem to
stop its installation. Personally I wish that there was something that
we could install on customer machines that would absolutely and totally
block the installation of net.net stuff, to the point of deleting any
installation files that have been downloaded.
[1] When cleaning a customer's Nachi infected machine, I discovered
that the installed copy of NAV was completely up to date - but a system
scan hadn't been run since July 2002.
Sean Donelan writes on 11/24/2003 1:29 PM:
> If most if not all computers that are sold include antivirus + personal
> firewalls, who is selling all the computers being infected with worms,
> virus, malware?
Er... two or three obvious reasons - there might be more.
# Users not updating their virus / firewall definitions, not paying for new definitions after their year of free definitions is done.
# Users leaving open windows shares, clicking on random windows attachments etc
# Viruses keeping one step ahead of antivirus vendors
I've been looking at some statistics on infected users. One of the more
interesting was "new" computer users are more likely to have infected
computers than "old" computer users. A computer bought in the last 30
days may be almost twice as likely to be infected than a computer more
than 1 year old.
Jeff Shultz writes on 11/24/2003 1:46 PM:
> Firewalls at least tend to be a bit more hands off... and I'd like to
> hear more about the "snake oil" parts. Doesn't the 1/2wall that XP
> ships with default to "disabled?"
Interesting reading here -
http://groups.google.com/groups?q=vernon+schryver+snake+oil+firewall
The latest version of Zone Alarm Pro does stop all applications from
accessing the net outbound unless specifically authorised, and it does
check the executable by checksum to make sure it hasn't been changed.
Of course, this doesn't cope with the clueless who are willing to click
on just about anything, particularly if it looks cute, but the one good
point about Zone Alarm Pro is that it requires a separate authorisation
before any executable is allowed to access an external site on Port 25.
I tend to encourage people to use PestPatrol for the malware on windoze boxes.
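The per-application egress control described in the message above, as an added example (not Zone Labs' code or design, and not posted by anyone in the thread): a grant is keyed on the program's path and a hash of its bytes, so a replaced or patched binary loses its permission, and 25/tcp needs its own grant, so a mass-mailer that gets to run under a trusted name is still stopped at the SMTP step. The paths and program images are constructed stand-ins for files on disk.

```python
"""Model of per-application egress control with hash-pinned grants and a
separate SMTP authorisation (added example; not any product's code).
Program images below are constructed byte strings, not real binaries.
"""
import hashlib


class EgressPolicy:
    def __init__(self):
        self.rules = {}  # path -> {"sha256": hexdigest, "net": bool, "smtp": bool}

    @staticmethod
    def fingerprint(image_bytes):
        return hashlib.sha256(image_bytes).hexdigest()

    def grant(self, path, image_bytes, net=True, smtp=False):
        """Record the user's answer to a prompt, pinned to the current binary."""
        self.rules[path] = {"sha256": self.fingerprint(image_bytes), "net": net, "smtp": smtp}

    def decide(self, path, image_bytes, dst_port):
        """'allow', 'deny', or 'ask' (unknown program, changed binary, first use of 25/tcp)."""
        rule = self.rules.get(path)
        if rule is None or rule["sha256"] != self.fingerprint(image_bytes):
            return "ask"  # never seen before, or the file changed since the grant
        if dst_port == 25:
            return "allow" if rule["smtp"] else "ask"  # SMTP needs its own authorisation
        return "allow" if rule["net"] else "deny"


def demo():
    """Constructed scenario: a browser and a mail client were granted once; a
    worm then overwrites the browser binary and another arrives as cute.exe."""
    browser_path = r"C:\Program Files\Browser\browser.exe"   # hypothetical paths
    mailer_path = r"C:\Program Files\Mail\mail.exe"
    browser, mailer = b"browser image (constructed)", b"mail client image (constructed)"
    policy = EgressPolicy()
    policy.grant(browser_path, browser, net=True)
    policy.grant(mailer_path, mailer, net=True, smtp=True)
    return {
        "browser_http": policy.decide(browser_path, browser, 80),
        "browser_smtp": policy.decide(browser_path, browser, 25),        # no SMTP grant yet
        "mailer_smtp": policy.decide(mailer_path, mailer, 25),
        "worm_as_browser": policy.decide(browser_path, browser + b"\x90worm", 80),  # hash changed
        "unknown_program": policy.decide(r"C:\WINDOWS\cute.exe", b"cute.exe image", 80),
    }
```

Every "ask" result is a prompt to the user, which is exactly where the weakness the message points out lives: the control is only as good as the answer the person at the keyboard gives it.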
Suresh Ramasubramanian wrote:
> Sean Donelan wrote:
> > If most if not all computers that are sold include antivirus + personal
> > firewalls, who is selling all the computers being infected with worms,
> > virus, malware?
Just got a new off the shelf PC, manufactured on 13th Nov 2003. Comes with
NAV2003 and virus definitions from late 2002 installed. This is on a model
that has been shipping for less than two months. It is probably not worth mentioning
that windowsupdate provided 10+ critical and 10+ other updates (the OS
had Service Pack 1 installed)
The box should have been labeled "don't connect this device to the public internet".
Pete
Question: What speed access is needed to guarantee "mean time to download
patches" is significantly less than "mean time to probed by packet-to-0wn"
(significantly == 20x lower still gives a 5% chance of getting 0wned while
patching)?
Since windows updates are downloaded only from one server at a time, none of those
servers are connected to the public Internet at high enough speed.
Pete
Valdis.Kletnieks@vt.edu writes on 11/24/2003 3:43 PM:
> Question: What speed access is needed to guarantee "mean time to download
> patches" is significantly less than "mean time to probed by packet-to-0wn"
> (significantly == 20x lower still gives a 5% chance of getting 0wned while
> patching)?
That'd have to be very fast indeed, given that only one windows update mirror is used at a time, and patches are downloaded and applied in sequence.
Two ways to get at least some safety -
# Machine behind NAT while it is being updated
# Patches preferably downloaded onto a CD and applied offline
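A worked form of Valdis's question, as an added example that is not part of any message in the thread. It assumes probes arrive as a Poisson process with mean interval M, so the chance of at least one probe during a window T is 1 - exp(-T/M) (which reproduces his "20x lower still gives 5%"), and it takes Pete's and Suresh's point that patches are fetched one after another from a single server, so the window is the sum of the transfers rather than their maximum. The patch sizes, link speeds and probe interval are constructed for illustration, not measured.

```python
"""Exposure window of a freshly connected box while it fetches patches,
and the chance of being probed inside it (added example, not from the
thread).  Assumptions: Poisson probe arrivals; sequential downloads.
Sizes, speeds and the probe interval below are constructed.
"""
import math


def patch_window_seconds(patch_sizes_bytes, link_bits_per_second, per_patch_overhead_s=0.0):
    """Sequential downloads: the window is the sum of every transfer plus any
    fixed per-patch cost (connect, install, reboot), not the slowest one."""
    return sum(8.0 * size / link_bits_per_second + per_patch_overhead_s
               for size in patch_sizes_bytes)


def p_probed_within(window_s, mean_probe_interval_s):
    """P(at least one probe during the window) under Poisson arrivals."""
    return 1.0 - math.exp(-window_s / mean_probe_interval_s)


def required_link_speed(patch_sizes_bytes, mean_probe_interval_s, max_p, per_patch_overhead_s=0.0):
    """Smallest link rate (bit/s) that keeps P(probed during window) <= max_p.
    Solve 1 - exp(-T/M) <= max_p for T, subtract the fixed costs, and fit the
    transfers into what is left.  math.inf means the fixed costs alone bust it."""
    max_window = -mean_probe_interval_s * math.log(1.0 - max_p)
    transfer_budget = max_window - per_patch_overhead_s * len(patch_sizes_bytes)
    if transfer_budget <= 0:
        return math.inf
    return 8.0 * sum(patch_sizes_bytes) / transfer_budget


def scenario():
    """Pete's new box: "10+ critical and 10+ other" updates, modelled as twenty
    2 MB patches, with an assumed probe every 10 minutes (both constructed)."""
    patches = [2_000_000] * 20
    mean_probe_s = 600.0
    links = {"56k modem": 56_000, "1.5M DSL": 1_500_000, "10M ethernet": 10_000_000}
    exposure = {name: p_probed_within(patch_window_seconds(patches, bps), mean_probe_s)
                for name, bps in links.items()}
    needed = required_link_speed(patches, mean_probe_s, 0.05)  # for Valdis's 5%
    return exposure, needed
```

With those constructed numbers the modem user is probed during the window with near certainty, the DSL user roughly three times in ten, and holding the risk to 5% needs on the order of 10 Mbit/s to a single update server, which is the arithmetic behind Pete's remark that no such server is connected fast enough. The two mitigations listed above attack T directly: behind PNAT an unsolicited probe never reaches the host, and a CD makes T zero.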
** Reply to message from Valdis.Kletnieks@vt.edu on Mon, 24 Nov 2003
15:43:34 -0500
Suresh Ramasubramanian wrote:
> Valdis.Kletnieks@vt.edu writes on 11/24/2003 3:43 PM:
> > Question: What speed access is needed to guarantee "mean time to download
> > patches" is significantly less than "mean time to probed by packet-to-0wn"
> > (significantly == 20x lower still gives a 5% chance of getting 0wned while
> > patching)?
> That'd have to be very fast indeed, given that only one windows update mirror is used at a time, and patches are downloaded and applied in sequence.
> Two ways to get at least some safety -
> # Machine behind NAT while it is being updated
NAT is not a security feature, neither does it provide any real security, just one to one translations. PAT falls into the same category. Just because your broadband router (ahem, switch) vendor states NAT (in reality PAT) as one of their security 'knobs' does not make it in any way a security feature when implemented. The only thing that might benefit is IPv4 address space.
Make a NAT translation to a workstation (nothing else) and see if you can still carry out some of the exploits making the rounds.
NAT and PAT do not prohibit any TCP/UDP connections to egress.
Most broadband providers still perform a NAT translation downstream, is it helping alleviate any of the attacks/compromises? NOT!!!!!
> # Patches preferably downloaded onto a CD and applied offline
I know Microsoft has a product that allows you to download patches to a centralized server (within your infrastructure) and lets you patch your internal systems from it. Heard our MS admins talking about it a while back....
Gerardo Gregory writes on 11/24/2003 4:20 PM:
> NAT is not a security feature, neither does it provide any real security, just one to one translations. PAT fall into the same
It is not a cure all and I never said it was one. It cuts the risk down a little, is all.
> Most broadband providers still perform a NAT translation downstream, is it helping alleviate any of the attacks/compromises? NOT!!!!!
A lot of it is because of infected hosts in a subnet searching around for open windows shares on IPs around it.
> I know Microsoft has a product that allows you to download patches to a centralized server (within your infrastructure) and lets you patch your internal systems from it. Heard our MS admins talking about it a while back....
Sounds like a good thing to have around.
Two words: Joe Sixpack.
Phrased differently - the sites that have enough clue and infrastructure to
deploy that product are not, in general, the sites that are getting whacked
the first time their single box connects to the net.....
Funny you mentioned ol' Joe...
An article in the paper today stated that only 33% of U.S. citizens are "Tech Savvy". Meaning a lot of Joes out there are clueless....
I bet ol' Joe's AV signatures were last updated in 98 or 99...

G.
Dan Senie called me on this one once, and he was right.
1-to-1 NAT is not much of a security feature.
Port NAT (PNAT) does, *as a side effect*, provide a measure of
meaningful security.
as Dan pointed out to me, the code required to implement PNAT is
nearly identical to the code required to provide a state keeping
firewall similar to what might be done with OpenBSD's PF or
Linux's IPTables packages. it doesn't provide the additional useful
features of such firewalls, but it does do the minimum.
now the consumer PNAT appliances have other issues, and of course
PNAT often breaks protocols that make end to end assumptions
(which is why i don't like it), but the "not a security feature" thing is
not really accurate. the security feature is a side effect, and wasn't
the original intent of PNAT, but that doesn't mean it's not there.
richard
> NAT is not a security feature, neither does it provide any real
> security, just one to one translations. PAT fall into the same
> category.
While it may not be a cure-all, a NAT solution offered by most entry-level
routers is an effective, if incomplete security tool.
While it does not prevent stupid user tricks (downloading malware,
misconfiguring NAT to allow incoming connections, etc) it does stop most
non-email worms in their tracks.
For example, from an nmap or other scan of the IP address of my home DSL
connection you would not see any interesting ports open, even if one or
more of the hosts behind the router were accessing content of some kind.
Worms that spread over open shares and insecure services (windows or
otherwise) do not ever hit any of the machines behind the NAT.
I, of course, run other security solutions (IDS detection/etc) to keep my
skills sharp, but I've been pleasantly surprised at the wherewithal of my
little Efficient router and its NAT implementation. It's never allowed
any unwanted traffic through from the outside (port 135 crud/etc).
I always tell people that a NAT like this (rather than a 1:1 NAT or a NAT
with PAT holes to allow access to servers) "keeps honest people honest".
Could somebody figure out a way (TCP intercept, etc) to get to a machine
behind the NAT? I suppose so, but like the blinking red light on the
dashboard of your car, it makes the lazy thief move on to the next car
that doesn't present the appearance of protection.
-Scott
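The NAT argument that runs through Gerardo's, Richard's and Scott's messages above, as an added example (not code from any poster, router or product): a 1:1 translation forwards whatever arrives for the public address, while a port-overloading NAT (PNAT/PAT) forwards an inbound packet only if its translation table already holds a matching outbound flow, which is the same per-flow state a stateful firewall keeps. The model also shows the two caveats raised: nothing outbound is ever refused, and a "PAT hole" forwarded to a server brings the exposure straight back. All addresses are constructed; the PNAT here is address/port-restricted by this example's choice, whereas a "full cone" consumer box would forward to a mapped port from any source.

```python
"""Toy model of the NAT flavours argued about above (added example, not
code from any poster, router or product).  Addresses are constructed.
  OneToOneNAT : static 1:1 mapping, no state; every packet for the public
                address is forwarded to the private host.
  PortNAT     : PNAT/PAT; an outbound flow creates a translation entry and
                an inbound packet is forwarded only if it matches one (or a
                static "PAT hole" opened for a server).
"""
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"   # the DSL side of the router (constructed)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class OneToOneNAT:
    """Static 1:1 NAT: rewrite the address and forward, in both directions."""
    def __init__(self, private_host):
        self.private_host = private_host

    def outbound(self, pkt):
        return Packet(PUBLIC_IP, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        if pkt.dst_ip != PUBLIC_IP:
            return None
        # No state is consulted: a probe to 135/tcp lands on the host as-is.
        return Packet(pkt.src_ip, pkt.src_port, self.private_host, pkt.dst_port, pkt.proto)


class PortNAT:
    """Port-overloading NAT, address/port-restricted: inbound is forwarded only
    from the peer the flow was opened to (this example's choice; a "full cone"
    box would forward to a mapped port from any source)."""
    def __init__(self, first_port=40000):
        self.first_port = first_port
        self.table = {}  # (public_port, proto) -> (priv_ip, priv_port, peer_ip, peer_port)
        self.holes = {}  # static forwards: (public_port, proto) -> (priv_ip, priv_port)

    def open_hole(self, public_port, priv_ip, priv_port, proto="tcp"):
        """A deliberate (or mistaken) port forward: this is how exposure returns."""
        self.holes[(public_port, proto)] = (priv_ip, priv_port)

    def outbound(self, pkt):
        """Never refused: reuse the entry for a known flow or allocate a port."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for (pub_port, proto), entry in self.table.items():
            if proto == pkt.proto and entry == flow:
                break
        else:
            pub_port = self.first_port + len(self.table)
            self.table[(pub_port, pkt.proto)] = flow
        return Packet(PUBLIC_IP, pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        if pkt.dst_ip != PUBLIC_IP:
            return None
        key = (pkt.dst_port, pkt.proto)
        if key in self.holes:
            priv_ip, priv_port = self.holes[key]
            return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port, pkt.proto)
        entry = self.table.get(key)
        if entry is not None and entry[2:] == (pkt.src_ip, pkt.src_port):
            return Packet(pkt.src_ip, pkt.src_port, entry[0], entry[1], pkt.proto)
        return None  # no matching state: dropped, a stateful firewall's default deny


def reachable_ports(nat, scanner_ip, ports, proto="tcp"):
    """Which of `ports` an nmap-style probe of the public address gets through to."""
    return [p for p in ports
            if nat.inbound(Packet(scanner_ip, 50000 + p, PUBLIC_IP, p, proto)) is not None]


def demo():
    """Scott's DSL scan, Richard's side-effect argument and a PAT hole in one run."""
    worm, host, share_ports = "198.51.100.7", "192.168.1.2", [135, 139, 445]
    one_to_one, pnat, holed = OneToOneNAT(host), PortNAT(), PortNAT()
    # The host behind PNAT fetches a web page; only that server's reply gets back in.
    pnat.outbound(Packet(host, 3025, "192.0.2.80", 80))
    reply = pnat.inbound(Packet("192.0.2.80", 80, PUBLIC_IP, 40000))
    stray = pnat.inbound(Packet(worm, 4444, PUBLIC_IP, 40000))  # wrong peer: dropped
    holed.open_hole(445, "192.168.1.3", 445)  # a forward to a file server reopens 445
    return {
        "one_to_one_reaches": reachable_ports(one_to_one, worm, share_ports),
        "pnat_reaches": reachable_ports(pnat, worm, share_ports),
        "reply_forwarded_to": (reply.dst_ip, reply.dst_port) if reply else None,
        "stray_forwarded": stray is not None,
        "pnat_with_hole_reaches": reachable_ports(holed, worm, share_ports),
    }
```

Run `demo()` and the share-crawling worm reaches 135, 139 and 445 behind the 1:1 translation, nothing behind the PNAT, and 445 again once a hole is forwarded; the reply to the host's own web request comes back to 192.168.1.2:3025 while a stray packet to the same public port from another source is dropped. Real boxes also expire table entries and differ in how strictly they match the peer, so the model is the minimum Richard describes, not a substitute for a firewall with explicit policy.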