Comments on: Harder, Better, Faster, Stronger – The Malware http://www.gnucitizen.org/blog/harder-better-faster-stronger-the-malware/ Information Security Think Tank Sat, 02 Feb 2013 17:50:40 +0000 hourly 1 http://wordpress.org/?v=3.4.1 By: nate http://www.gnucitizen.org/blog/harder-better-faster-stronger-the-malware/comment-page-1/#comment-124572 nate Fri, 05 Dec 2008 01:55:46 +0000 https://www.gnucitizen.org/?p=1861#comment-124572 Good point but I think this idea is a little premature. My experience has taught me that most bosses take their IT recommendations with a grain of salt. How many companies want to pay $4k on antivirus when they can bury their heads in the sand? Without a tangible effect, most attack vectors go unnoticed. I work in healthcare with the leading software apps and they give unadulterated ActiveX access despite any security software we could have bought. You want to tighten our auditing measures and make it difficult to do our job? You can't confirm that the weakened security is malware-related? Personally, I've learned that IT has a big mouth and management has closed ears. You're talking about a silent attack vector. My experience has taught me that without seeing the whites of their eyes, management tends to disregard hypotheticals. And I say hypothetical only because they won't invest in tracking down the cause of your proposed attack. This is why Windows networks are such easy targets. Why hack a *nix box when 90% of PCs are running a vulnerable Win install? Just my opinion. Good point but I think this idea is a little premature. My experience has taught me that most bosses take their IT recommendations with a grain of salt. How many companies want to pay $4k on antivirus when they can bury their heads in the sand? Without a tangible effect, most attack vectors go unnoticed.

I work in healthcare with the leading software apps and they give unadulterated ActiveX access despite any security software we could have bought. You want to tighten our auditing measures and make it difficult to do our job? You can’t confirm that the weakened security is malware-related?
Personally, I’ve learned that IT has a big mouth and management has closed ears. You’re talking about a silent attack vector. My experience has taught me that without seeing the whites of their eyes, management tends to disregard hypotheticals. And I say hypothetical only because they won’t invest in tracking down the cause of your proposed attack. This is why Windows networks are such easy targets. Why hack a *nix box when 90% of PCs are running a vulnerable Win install?

Just my opinion.

]]> By: pdp http://www.gnucitizen.org/blog/harder-better-faster-stronger-the-malware/comment-page-1/#comment-124438 pdp Sun, 23 Nov 2008 17:07:29 +0000 https://www.gnucitizen.org/?p=1861#comment-124438 nye, thanks for sharing. daemonmidi, yes, perhaps with the help of nessus and other auditing tools you can detect abnormalities and perhaps even insulate any problem. still, my point is that you might end up in the situation where you don't know whether the change was intentional or it is the result of a malware infection. The auditing tool may end up with too many false-positives, which is undesirable. nye, thanks for sharing. daemonmidi, yes, perhaps with the help of nessus and other auditing tools you can detect abnormalities and perhaps even insulate any problem. still, my point is that you might end up in the situation where you don’t know whether the change was intentional or it is the result of a malware infection. The auditing tool may end up with too many false-positives, which is undesirable.

]]> By: daemonmidi http://www.gnucitizen.org/blog/harder-better-faster-stronger-the-malware/comment-page-1/#comment-124437 daemonmidi Sun, 23 Nov 2008 16:10:31 +0000 https://www.gnucitizen.org/?p=1861#comment-124437 Nice concept - How do you get around periodically performed security audits? They would detect the infected hosts. Assuming you run these scans (using e.g. nessus) in very short intervals (every 8h ??) -- there's still some time to get data from the infected system - Ok, but chances are vanishing the shorter the scan interval gets... Nice concept – How do you get around periodically performed security audits? They would detect the infected hosts. Assuming you run these scans (using e.g. nessus) in very short intervals (every 8h ??) — there’s still some time to get data from the infected system – Ok, but chances are vanishing the shorter the scan interval gets…

]]> By: nye http://www.gnucitizen.org/blog/harder-better-faster-stronger-the-malware/comment-page-1/#comment-124435 nye Sun, 23 Nov 2008 11:45:14 +0000 https://www.gnucitizen.org/?p=1861#comment-124435 Hey PDP, I do malware research full-time for a large company, and malware reducing a machine's security posture is quite common. We've seen various ways of doing this...most often killing the running AV processes, modifying the firewall to be more permissive and modifying the web browser to allow automatic execution of code. In many cases, a first stage bit of malware does this, which allows a full compromise once the initial stage runs successfully. Scary stuff! Hey PDP,

I do malware research full-time for a large company, and malware reducing a machine’s security posture is quite common. We’ve seen various ways of doing this…most often killing the running AV processes, modifying the firewall to be more permissive and modifying the web browser to allow automatic execution of code. In many cases, a first stage bit of malware does this, which allows a full compromise once the initial stage runs successfully. Scary stuff!

]]>