Using Layered Defenses to Stop Internet Worms
An anonymous submitter writes "Following last week's release of security configuration guidance for Mac OS X, the National Security Agency has released a paper on Internet worms and how to stop new worms using layered defenses (pdf). A good read - your US tax dollars at work."
Using ggv... (Score:5, Funny)
Hrmmm...
Do I "notify the author" (malcodeteam@nsa.gov) or just assume that Echelon will do it for me when you read this?
So did you just out yourself? (Score:2, Funny)
Re:So did you just out yourself? (Score:2, Funny)
They could have just done a whois on my domain name
Hold on, I'm being paged down to the parking garage...
Re:Using ggv... (Score:2, Funny)
Re:Using ggv... (Score:3, Informative)
I mean, I know that the government is in bed with the corporations and all, but I think they have better ways to abuse their power than to waste time skimming the web for bug reports
Re:Using ggv... (Score:1)
Re:Using ggv...Digest Version (Score:1)
Can (should) Slashcode be changed to implement a preview instead of submission by hitting the enter key?
Re:Using ggv...Digest Version (Score:3, Funny)
Re:Using ggv...Digest Version (Score:2, Funny)
Tax dollars. (Score:5, Funny)
I'm rich.
Re:Tax dollars. (Score:2, Funny)
This report cost $2 billion US taxpayer dollars (Score:4, Funny)
-Patch your systems.
-Use a firewall.
-Stop running web servers and other stuff.
Thank You,
Uncle Sam
Re:This report cost $2 billion US taxpayer dollars (Score:3, Funny)
Don't use Windows.
Oh, I get it! Its.. (Score:2)
my guide to avoiding worms (Score:3, Insightful)
2) Automatically filter all emails with attachments into a separate folder
3) Only have one user/computer
4) Always virus scan software first
5) Always run a firewall
6) Always have twice as much bandwidth on the website as you need
7) Block virus/worm emails using filters
Re:my guide to avoiding worms (Score:3, Funny)
1) Use Linux
Re:my guide to avoiding worms (Score:2, Funny)
1) Use Linux
Ha ha!! LOL!! ROFLMAO!!!1!! R0FFl3z!! That is S0 hill-ayreeous! Use Lunix becaz Micr0$0ft iz teh SUXXH0RZ!!!1! Yuo mad teh j0k3 abuot Micr0$0ft s0 u'll g3T m0dd3d UP!!! Lun1X T0rV@ld1s si teh MADMAN!!!1!
Re:my guide to avoiding worms (Score:5, Insightful)
1) Use Linux
Well, the mods think it's funny, but I've been doing exactly that since 1997, and it's worked wonders for me. Linux was ready for my desktop back then, it was ready for the desktop of most clerical employees, and it's gotten nothing but better in the last seven years. For most folks, there's no reason not to use Linux except inertia.
Of course, if you don't mind buying Apple hardware, there's always OSX. If your organization has an exclusive contract with Dell, that's not an option, though.
Re:my guide to avoiding worms (Score:4, Interesting)
I switched her since I was tired of reinstalling her Windows system which she always found ways to break. So far, her Linux box works flawlessly.
*BSD (Score:2, Insightful)
Re:my guide to avoiding worms (Score:1, Insightful)
write me some real full blown solutions, that will install without a week or month of rewriting cfg files, recompiling, and it has to be compatible with the cabinet full of other software used...or go back to the corner and whine some more.
MS is not the single solution to any infrastructure, and neither is Linux, so get off the soapbox already! Use the best tool for the job, never put all your eggs in one basket.
Don't follow zealots, they a
Re:my guide to avoiding worms (Score:4, Interesting)
Security isn't about the OS, it's about awareness and prudence. I don't run software of unknown provenance or whose capabilities I don't fully understand. I keep Linux-based firewalls between the (mostly unpatched) Windows machines and the Internet. I don't use Internet Explorer or Outlook.
Re:my guide to avoiding worms (Score:1)
Re: (Score:1)
Re:my guide to avoiding worms (Score:5, Insightful)
Re:my guide to avoiding worms (Score:3, Insightful)
I know this was meant to be funny, but I think it is this type of thinking that could one day lead to other operating systems being exploited or filled with worms as much as Windows is now.
Get back to us when "one day" comes, then. Like the people who play the "Windows marketshare ensures it is the most exploited" game, your logic is flawed. Alternatives to Windows all start from a different base and evolve in a different manner, so you can't assume that what trouble 95% of users today will necessar
Re:my guide to avoiding worms (Score:3, Funny)
Re:my guide to avoiding worms (Score:2)
Which required the user to save the file, set the execute attributes, then explicitly run it.... Yeah, that was a really bad problem.... -rolls eyes-
Re:my guide to avoiding worms (Score:3, Informative)
ETAP/SIMILE [18] - Cross-platform worm that affects both Windows Portable Executable (PE) and Linux Executable and Linkable Format (ELF) executables. Uses an entry-point obscuring technique and sophisticated polymorphic file infector to avoid detection by anti-virus p
Re:my guide to avoiding worms (Score:1)
1) Don't use Windows NT
2) Don't feel compelled to write "WORMPAPER" guide
3) Don't publish broken Acrobat file
4) Prof....er...retain profits!
Re:my guide to avoiding worms (Score:3, Insightful)
Use OS X.
Run Software Update every once and a while.
Make sure the firewall stays on.
Back up.
Watch Slashdot for malware that isn't just FUD.
Re:my guide to avoiding worms (Score:4, Insightful)
A more useful list would be shorter yet:
1) Make sure all users are intelligent with regards to computers.
Re:my guide to avoiding worms (Score:2, Funny)
'root', naturally... just make sure everyone has the password written down in a memorable place.
Re:my guide to avoiding worms (Score:2)
Re:my guide to avoiding worms (Score:2, Funny)
This is actually the biggest virus I know of. It kills my work machine when I am trying to do anything useful, although I am fine reading
Re:my guide to avoiding worms (Score:5, Funny)
8) Don't dig into the ground ....
9) Step carefully after it rains
10) Stay away from bait shops
11)
12) Profit!
(Sorry, couldn't resist...)
Eric: Why the Vioxx recall reduced spam [ericgiguere.com] (humor)
Re:my guide to avoiding worms (Score:1)
Re:my guide to avoiding worms (Score:1)
Re:my guide to avoiding worms (Score:2)
Properly secured, most of the items on your checklist aren't necessary or can be given fewer system resources. Also, some of the items on your list implicitly trust the tool to do the job for you...though you should be awar
Re:my guide to avoiding worms (Score:1)
That's all well and good...but I'll bet you lunch that if mom & pop ask that question at Best Buy, some enterprising salesman is going to package a copy of Norton or somesuch and tell them they're covered. He might even sell the extended service contract.
what is this? (Score:5, Funny)
Re:what is this? (Score:1)
Re:what is this? (Score:1, Offtopic)
har har (Score:1, Funny)
Tech report (Score:5, Funny)
Re:Tech report (Score:2)
Re:Tech report (Score:1)
Huh? Presentations are never supposed to yield in-depth, relevant info. A presentation that does that is torture for the audience. It's just supposed to give an overview on the topic. If you want relevant, in-depth info, you're supposed to read the report, but as you say, a common ground would be nice.
The best way to achieve common ground is that when you give a presentation, you hand out a 1-6 page summary with plenty of f
Re:Tech report (Score:1)
Well, it could have an abstract and a few pretty pictures for us who'd just like to know what it's all about. If us natural science geeks can do it on a regular basis, what's holding you CS people back?
Just Makes Sense (Score:5, Insightful)
I don't agree with part of their analysis. (Score:2)
This is how a trojan infects someone. I don't think it should be in their list.
Re:Just Makes Sense (Score:2)
I think you're missing the point of what makes them script kiddies instead of crackers.
Actually the real url is (Score:2, Funny)
But it is good to see the government is adopting some standards that are actually useful. but who wants to guess how much this cost them and how much it should have really cost?
Good grief (Score:3, Insightful)
Re:Good grief (Score:5, Funny)
The average user? No.
The average manager needing justification before buying new security tools? Heck yeah! The clever ones will append the NSA document to their budget proposals.
Re:Good grief (Score:2, Insightful)
"It is unrealistic to assume that users will become cautious about running unknown files."
p. 6, last line of second paragraph
Even the NSA thinks ordinary people won't get smart about computer security.
Re:Good grief (Score:1)
p. 6, last line of second paragraph
Even the NSA thinks ordinary people won't get smart about computer security.
And why wouldn't they? Have you worked with these "ordinary people"?
I laugh every time the computer guys send an email out warning about not opening strange attachments, and then I stop. That's because I know A: somebody probably already did it (hence the warning) and B: The network is about to get slow.
Thanks! (Score:2)
It's cool that an agency with the world's best IT infrastructure has the gumption to spend its tax money and help bring the industry forward to solve practical problems.
Tragically none of the other government agencies will read your paper and the next worm will take down a half dozen of them...
Oh yeah, while we're at it, we'd like to apologize for Jake 2.0...
What happened to Darwinism? (Score:5, Insightful)
In my perfect world they would advocate open standards and address the flaws in the system not just individual "patients." As these plagues come and go, if we all have the same immune systems, our collective odds are not good.
I am glad they are putting good info out there. I guess I am hoping that in each case they identify the larger problem so we can all keep our eye on the ball.
Re:What happened to Darwinism? (Score:3, Interesting)
Following the diversity mantra would require me to install Windows on some servers and run IIS. I doubt that this increases security of my systems, especially because I don't know much about Windows server administration.
Re:What happened to Darwinism? (Score:1)
If you are not running Windows you are already following the diversity mantra
NSA vs. l33t h4x... (Score:5, Insightful)
Re:NSA vs. l33t h4x... (Score:2)
It's not a place where next generation tech-elites will submit their resume. Every techie I knew working for the NSA was better with politics than technology.
Re:NSA vs. l33t h4x... (Score:2)
Excellent! The machines are working properly! Muhahah! Muhahahahh! Muhahahahahahahah!
Re:NSA vs. l33t h4x... (Score:2)
Re:NSA vs. l33t h4x... (Score:2)
Not to discourage the little punks, but if they devote themselves to the art and stick with it, they could end up becoming major contributors to the discipline.
Somehow I get the feeling it is a fe
I Kind of Wish (Score:5, Funny)
Um...
Hmm... Nevermind.
Re:I Kind of Wish (Score:4, Funny)
Since you guys killed the server last time (Score:2, Informative)
Here's a mirror. Don't hammer too hard, k?
http://seraphim.ecsis.net/~gregday/WORMPAPER.pdf [ecsis.net]
/.ing the NSA!!?!?!! (Score:5, Funny)
we're all screwed now...
Summary of 54 pages (Score:1)
Information Assurance Directorate
Worm Information Center
life functions
attack attributes
worm technology
defense matrix
Applied Defensive Methodology
defense-in-depth strategy
layered defense solution
worm infection vectors
zero day tactics
blended threats
worm life cycle
infection life function
operator induced amnesia
tortoise mustard
knick knack paddy whack
worm analysis (tell me how being a worm makes you FEEL)
ad nauseam
Re:Summary of 54 pages (Score:2)
Difficult thing about worms... (Score:2, Interesting)
Re:Difficult thing about worms... (Score:3, Insightful)
From what I can tell, holes exploited by worms are often just common vulnerabilities. Buffer overflows, format strings, cross-site scripting vulnerabilities, are all old news.
If this story about worms ... (Score:1, Insightful)
Re:If this story about worms ... (Score:1)
Alive? (Score:1)
A little creepy.
Maybe they intend to... (Score:2)
Re:Alive? (Score:5, Insightful)
However, reading the article, the advance of programming technology is getting pretty sneaky. Self-decrypting program code (hmm.. similar to DNA, only the parts in use are exposed), Self-modifying code (probably close here, though with VB's capacity to recompile on any windows machine...), Command and Control, built in analytical heuristics (worms using scanners and 'decision making' on how to propagate), and even getting to the point where they start to operate at less than full throttle to avoid the common detection method, interference in the host's performance.
The similarity between computer worms and viruses and biological viruses is very close, just on different platforms. While these aren't 'alive' in the common sense, they sure have the capacity to act like it on occasion.
Wonder what's next. Worms that record where it sends itself to in order to form a distributed AI Network?
Re:Alive? (Score:2)
No, we (the worm researchers) are beyond that stage already (it makes countermeasures too easy). I expect the kids to catch up within the year.
There are lab setups with very intelligent and frightening worms. Distributed, anonymous zombie network creation with fail-safe, encrypted communication channels. Fancy stuff. I've not yet seen any of the papers published. Some of it isn't practical for the Int
Why I don't want a "secure" OS (Score:5, Insightful)
Telling less experienced users that a particular OS is "secure" leads them to think they don't need to be vigilant. Same thing with telling them a firewall will solve their worm problems, or that as long as they keep up with patches they're safe from attacks. All of these are important, but no single one of them is a panacea.
I didn't RTFPDF, but it's common wisdom that a multi-layered approach to security is best. No individual step fixes everything, nor usually even stops all of the attacks it's designed to stop. All we do is raise the bar, and hope attackers will go elsewhere.
So don't tell me that an OS is "secure". I know there isn't such a thing. Tell me what its soft spots are, so I can layer other defenses around them. Maybe the bad guys will pass me by for a while.
Re:Why I don't want a "secure" OS (Score:2)
Re:Why I don't want a "secure" OS (Score:4, Interesting)
Firewall box is running something like OpenBSD (or some other heavily-audited OS), with a pro-active NIDS that detects abnormal network behaviour and shuts down the offending connection.
User box is running some sort of B1-class "Trusted OS". (A1 would be nicer, but there aren't any commercial A1-certified OS'.) The OS has file-integrity checkers, such as Tripwire, to screen for infections. All externally-originating connections are host-authenticated. RSH and other "vulnerable" protocols are totally disabled. All passwords are validated as "strong" and kept in a secure file or database. Again, all software is heavily audited. Anything considered potentially "unsafe" is run with strict bounds-checking and in a highly controlled environment (eg: a chrooted "jail".)
In practice, I don't know of any user who actually has a setup of this kind, but let's suppose someone did. Would they still need to be vigilant? Is there anything that is likely to be able to bust through that kind of security? Even if a potential exploit existed somewhere along the chain, isn't the chain sufficiently extensive that nobody could ever make use of it?
And even if someone could bust through and seize control of such a machine, isn't the threshold so high that the only people able to do it would likely not be stopped by anything you as a user could possibly do? No matter how vigilant you were?
I believe that "secure" computers can exist, that there is nothing fundamentally impossible about having a setup that is, to any practical degree, uncrackable but still useful to users.
I don't believe any such systems exist for home users. (I don't consider a top-end SGI box, running the latest and greatest version of IRIX, to be a device you could really call a home computer.) However, equally, I don't believe there is any law of nature which prevents such systems existing for home users.
When (not if) such systems are developed for the home user, I think it would be very safe for such users to cut back on security patches and eternal vigilance. The combination of holes required to breach such a system would be unlikely to exist, so letting a few holes slide shouldn't be a problem.
And if someone was good enough to get through all those layers of automatic defence, they'd likely be good enough to get past any defence a mere individual could put up, no matter how vigilant they were.
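The file-integrity screening the post above describes (a Tripwire-style baseline of the user box) as an added example; this is not code from the thread or from Tripwire itself. It records SHA-256 digests for every regular file under a directory and later reports what was modified, added or removed relative to that baseline, which is the signal a file-infecting worm leaves behind. It assumes file paths contain no whitespace and that the baseline is stored somewhere the monitored host cannot silently rewrite.

```shell
#!/usr/bin/env bash
# Tripwire-style integrity check: baseline = "<sha256>  <relative path>" lines.
# Usage: make_baseline /usr/bin > baseline.txt
#        check_baseline /usr/bin baseline.txt   (exit 1 and a report if anything changed)
set -eu

# Emit one "<sha256>  ./path" line per regular file under $1, sorted by path.
# Paths are relative to $1 so the same baseline works wherever the tree is mounted.
make_baseline() {
    (cd "$1" && find . -type f -exec sha256sum {} + | sort -k2)
}

# Diff a stored baseline ($2) against the current state of the tree ($1).
# Prints "ADDED/MODIFIED/REMOVED <path>" lines; returns 0 only when nothing changed.
check_baseline() {
    root=$1
    baseline=$2
    current=$(mktemp)
    make_baseline "$root" > "$current"
    # First file (the baseline) fills base[]; the second fills cur[]; compare at END.
    # Keyed on FILENAME rather than NR==FNR so an empty baseline is handled correctly.
    report=$(awk 'FILENAME == ARGV[1] { base[$2] = $1; next }
                  { cur[$2] = $1 }
                  END {
                      for (p in base) if (!(p in cur)) print "REMOVED " p
                      for (p in cur)  if (!(p in base)) print "ADDED " p
                      for (p in cur)  if ((p in base) && cur[p] != base[p]) print "MODIFIED " p
                  }' "$baseline" "$current" | sort)
    rm -f "$current"
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}
```

Run make_baseline right after a clean install and again only after a trusted update; a check that fails between those points is the alert, not something to re-baseline over.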
Why I don't have to be vigilant (Score:3, Insightful)
My point is that you need to have that kind of situation, which is a multi-layered approach.
But to answer directly, yes, they still need to be vigilant. They're still being a client, unless the box i
Re:Why I don't have to be vigilant (Score:1)
http://stoplistening.com/ [stoplistening.com]
or
http://www.firewallleaktester.com/wwdc.htm [firewallleaktester.com]
These disable certain Windows protocols / services to ensure no worms can attack the system by exploiting known or unknown security holes in those components.
Re:Why I don't want a "secure" OS (Score:2)
Think about it. I send HappyFunScreenSaver.exe to someone. He runs it. The OS locks down and puts it in a chrooted jail, and HappyFunScreenSaver.exe prints "Oh No! It looks like I'm in jail! I can't run from inside jail. If you want to play the HappyFunScreenSaver game, just type in your password so I can get out of jail!"
Note that this "type in your password" option is going to have to exist somewhere in the OS. It's a user OS. The user's going to wa
A few papers to consider reading on the subject... (Score:1)
DAC is DAC is DAC.
http://www.dyadsecurity.com/papers/rbac.html
Re:Why I don't want a "secure" OS (Score:2)
Assuming you mean the system that's more securable, I agree.
Security is an emotion. You decide what level of risk is tolerable (makes you feel you're secure), and do what you need to do to get there.
For you, security is having a "secure system". I wish you the best.
Make MS security a point of nat'l security (Score:5, Insightful)
MS announced yesterday that they are seriously considering ending FREE security patches in order,
now listen real carefully -
NOT to provide better or worse security, but to wield an effective blunt object against counterfeiters.
Microsoft views YOUR security as nothing more than a convenient tool to blackmail the entire known world into paying for MS's product. It doesn't matter that you or I never actually stole any of their product - we WILL be threatened with cyber terrorism for the criminalities of other people until WE ALL cough up more money to pay.
And at the end of the day MS makes zero warranty that patches that cost real money will be any better than the FREE updates we already get.
Seriously, in other countries and in other industries this is why industries get nationalized by an irate, fed up, underserviced populace.
Re:Make MS security a point of nat'l security (Score:1)
Kazaa flooded by LATEST_SECERETI_PATCH.EXE with a description of "This is not a virus, honest!" and a teddy bear icon.
Re:Make MS security a point of nat'l security (Score:1)
Can anyone post a link to this announcement?
Re:Make MS security a point of nat'l security (Score:2)
Re:Make MS security a point of nat'l security (Score:2)
I really want to see a proper worm analysis (Score:3, Funny)
Do you feel like people are always looking down on you?
Do you feel segmented and isolated from society?
Do you worry about cholesterol given you have 8 hearts?
Are you always this slimy or are you just pleased to see me?
This is the sort of stuff we really need to know because to borrow the immortal words of that famous philosopher, John Rambo "To survive worm you must become worm".
thank you (Score:2, Interesting)
It's very nice to see that an organisation such as NSA makes this info Globally Accessible.
This is important, especially with your current president.
Of course, the US benefits from the fact that worms do not spread to the nation of freedom
So once again, thank you for knowing we exist!
PS Slashdot is America-centric !
Re:thank you (Score:1)
Re:thank you (Score:2)
the american-centric thing is an age-old rant. you know, the kind we imagine beowulf clusters of?
Just Wondering... (Score:4, Interesting)
Is it possible to use the Xen VM that was on Slashdot earlier today to run multiple OSes and use one OS on the machine as a firewall for the other?
Could you rig the setup of one so that it couldn't crash the hardware, it could at most make itself crash and reboot without the computer going with it?
Re:Just Wondering... (Score:5, Informative)
If you mean stacking VMs up to filter traffic...no...that won't work.
If you mean stacking VMs so that only specific VMs 'see' each other at the network level, yes. That works with VMs or connected systems with properly configured routers.
The reason? Firewalls are not designed to block the network. Firewalls are designed to allow access for specific ports in specific ways. If you chain systems together, and each hands off the allowed packets to the destination system, you've just punched a hole through the firewall to that final system.
By isolating systems so that only ones that are required to 'see' each other can 'see' each other, you've added a meaningful level of protection. This does not require a firewall. It requires router configuration even if the router is software running in another VM and routes for VMs on the same machine. It also requires that you design services and apps to work in this environment; separate the web server from the DB for example. If it is a web server, and you just remap the default web server port 80 to another port, you've done nothing; the data still passes both ways and the destination is still potentially exposed.
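The router-VM configuration the post above calls for, as an added example that is not from the thread or from Xen: a FORWARD-chain policy in which the web VM may open connections to the DB VM only on the database port and everything else between the segments is dropped and logged. The addresses and port are assumed placeholders. Because the default policy is DROP, moving a listener to a different port (the "remap port 80" case above) changes nothing unless a rule names that port.

```shell
#!/usr/bin/env bash
# Forwarding policy for a software router VM sitting between a web VM and a DB VM.
# Placeholder addresses and port; override via the environment for a real deployment.
WEB_VM=${WEB_VM:-10.0.1.10}    # web-server VM (assumed)
DB_VM=${DB_VM:-10.0.2.10}      # database VM (assumed)
DB_PORT=${DB_PORT:-5432}       # database listener (assumed)

# Print the iptables commands without applying them, so the policy can be
# reviewed or diffed before it touches the router.
forward_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s $WEB_VM -d $DB_VM -p tcp --dport $DB_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -j LOG --log-prefix "FWD-DROP: " --log-level 4
EOF
}

# Apply the policy; must run as root on the router VM.
apply_forward_rules() {
    forward_rules | sh -e
}

# Number of rules that admit NEW connections between the segments.
# The segmentation is only as tight as this number is small; here it is 1.
count_new_allow_rules() {
    forward_rules | grep -c -- '--ctstate NEW -j ACCEPT'
}
```

Note the ordering: the ESTABLISHED,RELATED rule lets DB replies flow back to the web VM without any rule permitting DB-initiated connections, so the DB VM cannot reach the web VM even if it is compromised.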
Defense Lawyers (Score:1)
Tax Joke? (Score:5, Insightful)
Then again, they should already know how to do this and learn for themselves, but a dollar saved is a dollar earned. Damn worms!