Tod Merley wrote:
I think you respond here to a comment that I meant to support
penetration testing. I regret that I was misunderstanding your last
post.
Your guidance concerning honey pots is welcome. What I am becoming
aware of is that indeed our networks are filled with them. Every
computer on your network contains "honey" someone wants to get to. I
suppose what I really want are better tools to prevent and detect and
respond to infection.
"honey pot" is a technical term, with a specific meaning.
I did come up with one possibly useful idea while thinking about this.
I think I would like to see our computers report suspicious activity
(attempts to access ports for services we do not use - port scans -
etc.) to a central clearing house. Perhaps each state could have a
site with a server farm dedicated to obtaining and processing data of
this nature which would then forward the processed results to a
national server. Perhaps the national server could coordinate a trace
process designed to find the actual source which coordinates the
suspicious activity. I would like to find "bot" controllers. Maybe
this could become part of how.
I suspect that there is already at least one network of security
consultants doing this. See what you can find with Google.
Some might be public and may welcome you as a participant, others
private. Suppose the CIA is running some honeypots. Would it be likely
to share information with North Korea or Iran?
I suppose the response of the enemy to this would be to DOS it with
false reports and other attacks. This could be mitigated and used to
enhance the process by spreading the server IPs across several ranges,
coordinating the times which messages are to be sent by specific
computers to those IPs and detecting the bots by either that they send
at a wrong time or do not use the secret protocol as they were
instructed by the server at a previous time.
I manage systems on different IAPs; I have noticed quite a difference in
the volume of traffic I drop/reject on the different networks.
and I note that RH doesn't highlight security at all, that's all I could
find in three clicks.
In fairness Windows gets hit most because it is most popular.
Similarly RH gets hit most because it is most popular. Same with
Ubuntu.
Windows might get hit most, but it gets penetrated most because it's so
weak. Remember Microsoft's key point, eXPerience.
box and us confused about all the attacks he sees.
I suppose what I would really like to see is an intelligent "action
watcher" which would notice malicious activity and start yelling
about it. I guess I should not call it a "honey pot" in the classic
Snort I think is what you want.
What I like about them is that they are convenient, especially for a
laptop. Since they are fairly cheap what I do is always have and use
more than two. Lose one, not happy with that but little loss.
bank account details? SS number for Americans. Information about you
that could lead to someone else knowing enough about you to present
himself as you?
I hate in a way to admit it, but I do not use online transactions. I
gladly receive your point if I ever do.
There are lots of places where one can purchase by credit card, and
ecommerce is so popular I can even transfer money from my account to
anyone else's (at least within Oz, I don't know about international
transfers).
Several in this thread have testimonies to what they were forced to do
when infected with no way to cure it. I believe we are often infected
with no way to even find it!!
I can't speak for you, but I tend to notice. Anything behind my firewall
tries to connect to odd ports, I notice. The Boss tried a little
torrent, I noticed:-)
Yes, we now have scanners that will detect some polymorphic viruses.
So what else will they come up with that we do not yet know about?
Certainly wipe and re-load is hard. However, I have noted myself that
you get much better at it with practice. Since you may have to do it
anyway, it would be good to be practiced! It is not just about
frustrating system infection it is also about what you will eventually
need to be ready to do.
If Wipe and Reload was good, Big Businesses would do it. They don't.
Perhaps we can agree that vendor fixes and other security upgrades
should be soon placed into a test environment and when found to be
good the configuration implemented on similar boxes in the system
quickly and in a way that can be easily and quickly replicated when
necessary. Also, that snapshots of the data areas be taken often.
I'm happy to let fixes wait a while. I figure if they're broken, someone
will notice. But I'm not protecting high-value sites. They do set up test
environments and hire hordes of folk to do their QA testing.
If a box is often exposed to an infectious environment, I believe it
should be re-loaded with such approved configurations often.
We, my wife and I, have been burgled once (in over 30 years). It
happened while I was at home.
More recently, we've had monitored security installed. Mrs S tends to be
a little paranoid, and I thought it might be worth the dollars for her
peace of mind.
In several years, we've had no intrusions, but quite a few false alarms.
The most recent two were in October while we were on holiday in
Melbourne (Australia). We live in the Perth area, dropping in to check
wasn't an easy option and I talked her out of it. More recently, it
happened again while we were on holiday, this time at Margaret River (I'm
sure Google can tell you about it, it's famous for fine wines and for
excellent surf). This time she insisted on coming home.
The security is not providing her peace of mind, in fact it's disturbing
her. And the cost has exceeded any likely expense should we be burgled -
we're also insured.
I'm beginning to think it's as sensible as reinstalling one's Linux
regularly - that is, not very.
--
Cheers
John
-- spambait
1aaaaaaa@xxxxxxxxxxxxxxxx Z1aaaaaaa@xxxxxxxxxxxxxxxx
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375
You cannot reply off-list:-)
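Added example, not part of the original thread: the "report attempts to access ports we do not use, and port scans, to a clearing house" idea and the "action watcher that notices odd ports and starts yelling" idea both reduce to the same small piece of code, a detector over the firewall's drop/accept log that summarises each source address and emits only the summary for forwarding. The iptables-style log lines, the served-port set (`SERVED_PORTS`), the scan threshold and the reporter name are all constructed for illustration and are not taken from the thread or from any real system.

```python
import json
import re
from collections import defaultdict

# Constructed iptables-style kernel log lines using RFC 5737 test addresses.
# Not real traffic; written for this example only.
SAMPLE_LOG = """\
Oct 12 03:14:01 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=44112 DPT=22
Oct 12 03:14:01 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=44113 DPT=23
Oct 12 03:14:02 gw kernel: ACCEPT IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=44114 DPT=80
Oct 12 03:14:02 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=44115 DPT=443
Oct 12 03:14:03 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=44116 DPT=3389
Oct 12 03:14:03 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=44117 DPT=5900
Oct 12 03:15:10 gw kernel: ACCEPT IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=80
Oct 12 03:15:11 gw kernel: ACCEPT IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.5 PROTO=TCP SPT=51001 DPT=80
Oct 12 03:16:00 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.5 PROTO=TCP SPT=60200 DPT=445
Oct 12 03:16:30 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.5 PROTO=ICMP TYPE=8
"""

# Ports this host actually serves (assumed for the example): a web server only.
SERVED_PORTS = {80}

# Every "KEY=value" token in an iptables LOG line; we use SRC, PROTO and DPT.
FIELD_RE = re.compile(r"\b(?P<key>[A-Z]+)=(?P<val>\S*)")


def parse_line(line):
    """Return {'src', 'proto', 'dpt'} for a firewall log line, or None if it is not one."""
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    dpt = fields.get("DPT")
    return {
        "src": fields["SRC"],
        "proto": fields["PROTO"],
        "dpt": int(dpt) if dpt else None,  # ICMP lines carry no DPT
    }


def analyse(log_text, served_ports, scan_threshold=5):
    """Summarise each source: distinct ports touched and which of them we do not serve.

    'port-scan'         : the source touched at least scan_threshold distinct ports.
    'unused-port-probe' : the source hit any port we do not serve; one hit is enough,
                          because nothing legitimate has a reason to go there.
    """
    per_src = defaultdict(lambda: {"ports": set(), "events": 0, "portless": 0})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        rec = per_src[ev["src"]]
        rec["events"] += 1
        if ev["dpt"] is None:
            rec["portless"] += 1  # e.g. ICMP echo: counted, but not a port probe
        else:
            rec["ports"].add(ev["dpt"])

    report = {}
    for src, rec in per_src.items():
        unused = sorted(p for p in rec["ports"] if p not in served_ports)
        reasons = []
        if len(rec["ports"]) >= scan_threshold:
            reasons.append("port-scan")
        if unused:
            reasons.append("unused-port-probe")
        report[src] = {
            "events": rec["events"],
            "distinct_ports": len(rec["ports"]),
            "unused_ports": unused,
            "reasons": reasons,
        }
    return report


def suspicious_sources(report):
    """Only the addresses that earned at least one reason."""
    return {src: r for src, r in report.items() if r["reasons"]}


def clearing_house_records(report, reporter_id):
    """One JSON line per suspicious source: what a host would forward upstream.

    Only the summary leaves the host, never the raw log, and the reporter is named
    so a collector can down-weight or drop a reporter that starts flooding it.
    """
    return [
        json.dumps({"reporter": reporter_id, "src": src, **r}, sort_keys=True)
        for src, r in sorted(suspicious_sources(report).items())
    ]


if __name__ == "__main__":
    rep = analyse(SAMPLE_LOG, SERVED_PORTS)
    for record in clearing_house_records(rep, "host-example-01"):  # reporter id is made up
        print(record)
```

On the sample, the first source touches six ports and is flagged as a scan, the second only ever reaches the served web port and is left alone, and the third is reported for a single probe of a port this host does not serve. The distinct-port count is the simplest scan heuristic and catches a quick sweep; a slow scan spread over hours needs the same count kept per time window, which this example deliberately does not do. Forwarding summaries rather than raw logs also limits what a flood of false reports can cost the collector, which is the attack the thread anticipates.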