Virus?

Page 2 of 3  


Not really - a perimeter firewall is great at stopping incoming attacks. AFAIK most if not all do nothing about outgoing traffic.
A software firewall on the PC should stop the majority of unauthorised outgoing traffic, but there are ways around it. firehole.exe is quite a simple program but works around the majority of firewalls by patching into a browser's access (this works with Opera as well as the patchwork quilt from hell known as IE).
In the end, user education is the only way to keep systems secure - I now use a router, I have ZoneAlarm on my system - as has every system I've built for the last few years - and I pre-install Spybot S&D and give the end-user a set of guidelines on how to update and scan their system regularly, including the virus checker.
--
Please add "[newsgroup]" in the subject of any personal replies via email
* old email address "btiruseless" abandoned due to worm-generated spam *

A thought that occurred to me about 2 seconds after I hit "send"... (thinks, there must be a law that states this always happens)
My primary concern is in stopping evil coming in. If I somehow install some spyware, then I can only blame myself. But my router will permit some control of which ports can be accessed (although if I pin them down there's still no absolute guarantee and this might break even passive ftp, not too sure there).
--
John

Solution:
http://www.geek.com/news/geeknews/2003Sep/bma20030908021650.htm
Available from:
http://www.apple.com
;-)
John Laird wrote:

Sadly the most common entry point for "evil" is not via a direct intrusion via a TCP/IP related vulnerability (the recent Blaster outbreak being an exception!) but via lookout express.
Once you have a compromised system (and remember that with outlook/express, simply selecting an email to enable you to delete it can be enough to get yourself infected if you have the preview pane enabled!), a firewall ought to be able to stop unauthorised outbound connections as well as inbound. Alas relying on NAT by itself will not help you here.
Software firewalls can work well at detecting unauthorised outgoing connections. However be aware that some malware will attempt to disable all of the common ones, or circumvent them by posing as an application that you have authorised for outbound access.
--
Cheers,

John.

On Wed, 08 Oct 2003 04:35:40 +0100, John Rumm

That's not been true for any version of OE for a large number of years, please don't spread misinformation, people may actually be scared now to view their mails rather than taking sensible precautions. Current OE versions won't even let you execute programs direct from OE.
Jim.
I have a nagging thought that somewhere or other I've seen a ready-mixed smooth finishing plaster (or equivalent) that can be applied by paintbrush or roller. Is there really such a product or am I dreaming?
Bert http://www.bertcoules.co.uk
Jim Ley wrote:

What you say regarding executables is true. However I was not talking about executables, but HTML related exploits. Since OE still insists on rendering HTML content in emails, and on using IE as a render engine(!) it will always be vulnerable to this type of attack. This is an architectural issue that will in all likelihood continue until MS address some of the fundamental mechanics of how it handles non-text emails.
I stand by my advice - If you want to be safe, and you insist on using Outlook or OE - turn off the preview pane. That way you can delete a message without giving it any chance to render.
To quote from MS03-014 (April this year):-
"However if the user was not using Outlook Express 6.0 or Outlook 2002 in their default configurations, or Outlook 98 or 2000 in conjunction with the Outlook Email Security Update, the attacker could cause an attack to trigger automatically without the user having to click on a URL contained in an e-mail."
While I am sure it does not apply as much to the usually pretty clued up members of this group, it is worrying the number (at least 50%) of customers' systems I see that are still running the original versions of OE/IE that were installed with the OS - no service packs, hot fixes, or any other patches, and Windows Update never having been run.
--
Cheers,

John.

On Wed, 08 Oct 2003 13:41:43 +0100, John Rumm

Except of course there aren't any of those about, and even if there were, it would make a lot more sense to advise the user to simply turn off HTML in emails, since there's no way a user can know 100% that the content of an email is not legitimate - if you're concerned about HTML exploits - turn off HTML, it's a simple setting.
Jim.
Jim Ley wrote:

Glad you are so confident ;-)

> exploits - turn off HTML, it's a simple setting.
You are right - that would be the ideal solution. Alas MS do not provide an easy option for doing it in most versions of OE.
You can disable *sending* email in HTML format simply enough - but that does not prevent OE from rendering received emails that contain HTML in the preview window. OE 6 has an extra option to view messages in plain text only (although even that still does some rendering); previous versions don't.
Even if you do manage to disable rendering of HTML, the major security risk is still the usual MS Achilles heel - that the _default_ action (and hence that used by 95% of the user base) is to render received emails that contain HTML.
Turning off preview will save any of these worries - 99% of spam you can normally identify and delete based on its "from" & "subject" fields. It's not exactly a hardship to then double click the first email you actually want to read is it?
--
Cheers,

John.

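The "plain text only" policy discussed in the two posts above, as an added example (this is not code from the thread or from any mail client). It parses a message with Python's standard email package and never hands the text/html part to a rendering engine: the text/plain alternative is shown when one exists, an HTML-only message is reduced to its visible text by a tag-stripping parser, and any active content the HTML carried (script, object, iframe, on* handlers, javascript: links) is reported so the reader can see what a preview pane would have executed. The two sample messages and the example.invalid addresses are constructed for the demonstration.

```python
"""Plain-text-only mail viewing: show text/plain, strip HTML, never render it."""
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Elements and attributes that make an HTML body "active" rather than formatted.
ACTIVE_TAGS = {"script", "object", "embed", "iframe", "applet", "form", "meta", "link"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:")


class TextExtractor(HTMLParser):
    """Collects visible text and notes active content. Renders nothing."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.chunks = []      # visible text fragments
        self.active = []      # findings such as "script", "body@onload"
        self._skip_depth = 0  # inside <script>/<style>: content is not text

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.active.append(tag)
        for name, value in attrs:
            if name.lower().startswith("on"):          # onload=, onmouseover=, ...
                self.active.append(f"{tag}@{name}")
            elif name.lower() in ("src", "href") and value \
                    and value.strip().lower().startswith(SCRIPT_SCHEMES):
                self.active.append(f"{tag}@{name}={value.split(':', 1)[0]}")
        if tag in ("script", "style"):
            self._skip_depth += 1
        elif tag in ("br", "p", "div", "tr", "li"):
            self.chunks.append("\n")

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1
        elif tag in ("p", "div", "tr", "li"):
            self.chunks.append("\n")

    def handle_data(self, data):
        if not self._skip_depth:
            self.chunks.append(data)

    def text(self) -> str:
        return " ".join("".join(self.chunks).split())


def view(raw: bytes) -> dict:
    """Return what a plain-text-only client would display, plus active-content findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    plain = msg.get_body(preferencelist=("plain",))
    html = msg.get_body(preferencelist=("html",))
    findings, extractor = [], None
    if html is not None:
        extractor = TextExtractor()
        extractor.feed(html.get_content())
        extractor.close()
        findings = extractor.active
    if plain is not None:
        body, source = plain.get_content().strip(), "text/plain"
    elif extractor is not None:
        body, source = extractor.text(), "text/html (stripped, not rendered)"
    else:
        body, source = "", "none"
    return {"from": str(msg["From"]), "subject": str(msg["Subject"]),
            "source": source, "body": body, "active_content": findings}


# Constructed sample 1: an HTML-only message carrying active content.
SAMPLE_HTML_ONLY = b"""From: "Accounts" <billing@example.invalid>
To: john@example.invalid
Subject: Your invoice
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body onload="doEvil()">
<p>Dear customer,</p>
<p>Your invoice is <a href="javascript:steal()">attached</a>.</p>
<script>document.write('never seen by a plain-text client')</script>
<iframe src="http://example.invalid/payload"></iframe>
</body></html>
"""


def build_alternative() -> bytes:
    """Constructed sample 2: multipart/alternative with a text/plain part to prefer."""
    m = EmailMessage()
    m["From"] = "Jim <jim@example.invalid>"
    m["To"] = "john@example.invalid"
    m["Subject"] = "Re: Virus?"
    m.set_content("Turn off HTML, it's a simple setting.")
    m.add_alternative("<html><body><p>Turn off HTML, it's a <b>simple</b> "
                      "setting.</p></body></html>", subtype="html")
    return m.as_bytes()


if __name__ == "__main__":
    for raw in (build_alternative(), SAMPLE_HTML_ONLY):
        r = view(raw)
        print(f"{r['subject']!r} shown from {r['source']}: {r['body']!r}")
        print("  active content:", r["active_content"] or "none")
```

The point of the check is the last column of output: the invoice message has four pieces of active content that a client rendering HTML would act on before the user clicks anything, which is exactly the "without the user having to click on a URL" case the bulletin quoted above describes. Showing the stripped text costs nothing in readability.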
Jim Ley wrote:

Must be pork in them there trees.... here comes another:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-042.asp
"To exploit this vulnerability, the attacker would have to create a specially formed HTML-based e-mail and send it to the user. Alternatively an attacker would have to host a malicious Web site that contained a Web page designed to exploit this vulnerability"
--
Cheers,

John.


Just to add to that, my virus checker also spots malicious web code and has flagged up quite a few exploits in the past.
--
Please add "[newsgroup]" in the subject of any personal replies via email
* old email address "btiruseless" abandoned due to worm-generated spam *

I've sorted out so many systems recently for people who didn't have any patches / updates / virus checkers / firewall etc that I'm inclined to disagree.
New users *should* be a little more informed about what can and will happen to their system if they do nothing.
Tanatos (Bugbear) was the latest virus to be found on a colleague's system, and that was just last night. He hasn't got a virus checker etc etc and has never applied any updates. The scary part is, his son is a *manager* of a computer shop.
--
Please add "[newsgroup]" in the subject of any personal replies via email
* old email address "btiruseless" abandoned due to worm-generated spam *
On Wed, 08 Oct 2003 04:35:40 +0100, John Rumm

An abomination I never use...
--
"No man's life, liberty, or property is safe while the legislature is in
session." (Judge Gideon J. Tucker, 1866.)
John Laird wrote:

NAT router will stop any connections being made to your PC. It doesn't stop existing ones being hijacked, but this is beyond most script kiddies.
Not sure about 'out of bounds' packets, but if these are outwardly directed to the router, then it is what has to deal with them, and will hopefully reject them.
NAT router basically stops all direct attacks. That leaves things you might catch via web browsing download or e-mail.
Run Norton.
I haven't got infected using this system. Norton has caught a few dozen e-mail viruses, and lord knows how many unknown attacks have arrived at the router and been discarded.
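What the NAT router in the post above does and does not do, as an added example that serves both this post and John Rumm's earlier point that relying on NAT by itself will not stop unauthorised outbound connections. This is illustrative code written for this page, not the firmware of any router. It models the connection-tracking rule a NAT device applies (unsolicited inbound SYNs dropped, replies to inside-initiated connections passed) and then runs the same engine with an egress policy, showing that the policy stops a compromised PC calling out on an arbitrary port but not one that poses as a browser on port 80. Addresses come from the documentation ranges and the allowed-port set is an assumption for a typical home desktop of the period.

```python
"""Stateful filtering (what a NAT router gives you) versus egress filtering (what it does not)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

INSIDE = "192.168.1."  # LAN prefix (assumed)
Flow = Tuple[str, int, str, int]  # (src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # connection-opening TCP SYN
    ack: bool = False


class StatefulFilter:
    """Minimal connection-tracking filter. egress_policy=None models a plain NAT router."""

    def __init__(self, egress_policy: Optional[Callable[[Packet], bool]] = None):
        self.table: Set[Flow] = set()   # flows the inside has opened
        self.egress_policy = egress_policy
        self.log: List[str] = []

    def _outbound(self, p: Packet) -> bool:
        return p.src.startswith(INSIDE) and not p.dst.startswith(INSIDE)

    def process(self, p: Packet) -> str:
        fwd: Flow = (p.src, p.sport, p.dst, p.dport)
        rev: Flow = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.table or rev in self.table:
            verdict = "PASS (established)"            # reply or continuation of a known flow
        elif self._outbound(p) and p.syn and not p.ack:
            if self.egress_policy is None or self.egress_policy(p):
                self.table.add(fwd)                    # NAT creates state for inside-initiated flows
                verdict = "PASS (new outbound)"
            else:
                verdict = "DROP (egress policy)"
        elif self._outbound(p):
            verdict = "DROP (no matching state)"
        else:
            verdict = "DROP (unsolicited inbound)"     # the "direct attack" case
        self.log.append(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} {verdict}")
        return verdict


def home_egress(p: Packet) -> bool:
    """Assumed allow-list: mail, DNS, web, POP3, news. Everything else outbound is refused."""
    return p.dport in {25, 53, 80, 110, 119, 443}


def scenario(egress: Optional[Callable[[Packet], bool]] = None) -> Dict[str, str]:
    """Run a constructed packet sequence and return the verdict for each step."""
    fw = StatefulFilter(egress)
    lan, web, attacker = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    return {
        # Blaster-style direct attack on RPC (TCP 135): an unsolicited inbound SYN.
        "blaster_in": fw.process(Packet(attacker, 4444, lan, 135, syn=True)),
        # Normal browsing: outbound SYN, then the server's SYN/ACK reply.
        "browse_out": fw.process(Packet(lan, 40000, web, 80, syn=True)),
        "browse_reply": fw.process(Packet(web, 80, lan, 40000, syn=True, ack=True)),
        # Malware on the PC phoning home on an arbitrary port.
        "phone_home": fw.process(Packet(lan, 40001, attacker, 6667, syn=True)),
        # Malware posing as a browser: same destination, but port 80.
        "phone_home_80": fw.process(Packet(lan, 40002, attacker, 80, syn=True)),
    }


if __name__ == "__main__":
    for label, pol in (("NAT only", None), ("NAT + egress policy", home_egress)):
        print(f"== {label}")
        for step, verdict in scenario(pol).items():
            print(f"  {step:14} {verdict}")
```

Both runs drop the inbound attack and pass the browsing session; only the second run refuses the phone-home on port 6667. The last line of each run is the caveat from the earlier post about malware "posing as an application that you have authorised": a port-based egress rule cannot tell a browser from a trojan using port 80, which is why the per-application control of a host firewall is worth having alongside the router, despite its weaknesses.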
wrote:

However, if the router can be compromised - and some of the cheap ones can by swamping with traffic - then various accesses can be gained.

As long as it remains working correctly in the event of being swamped.

.andy
To email, substitute .nospam with .gl

That's a feature (or not) of the firewall, and nothing to do with where it's installed.

Software firewall on a Windows PC is rather ineffective because it can be disabled, which is exactly what one (at least) of the recent rounds of viruses does. The firewall needs to be somewhere where it cannot be configured/disabled via the network (which on a Windows PC, also means by the user). There is nowhere in a Windows PC where that requirement is met. Ideally, it is a separate box with no configuration access via the network (other than for passing packets through). If you normally use Unix on a PC and you don't normally use root (certainly not for anything involving networking), then a firewall in the same box as your normal working box is going to be secure enough for most home users.
Personally, I use an old 486DX33 as a firewall, brought out of retirement running Unix. It is inaccessible via the network; it can only be accessed for configuration/admin purposes from its console. I did provide the means to remote power-cycle it (as it's not easy to physically access), but that proved unnecessary as it's never crashed/locked-up/rebooted in the two years it's been running. Running my DSL line flat out (512k business line) doesn't manage to get the 486 to even 10% CPU utilisation, so you could say it's rather badly over-powered for the task ;-)
--
Andrew Gabriel

On 8 Oct 2003 11:22:44 GMT, snipped-for-privacy@cucumber.demon.co.uk (Andrew Gabriel) wrote:

So a laptop p133 might also suffice?

To avoid moving parts I wondered about running above laptop with a smart card and ide converter instead of the hard drive, is this feasible?
In another group I was advised that the firewall computer should be dedicated to the task and not also motor a telephone line for faxes, is this reasonable?
AJH
In uk.d-i-y, Andrew wrote:

older one without an expansion dock. If your net interface is a serial modem, no problem - serial out to the modem, PCMCIA card or (rarely) built-in Ethernet for the domestic side. Older laptops won't have USB either, cutting out one of the other ways of getting a second Ethernet port. Laptops sometimes have less common hardware in them, making it a bit more of a pain to get OpenBSD or Linux-as-Smoothwall or similar to come up initially: drivers are usually available on the Net but need some searching out. But if you have an old laptop otherwise unused, it's a fine use for it.

is unlikely to cause much in the way of disk accesses.

as extras, the smaller the chance that there'll be exploitable vulnerabilities in it.
HTH - Stefek
On Tue, 07 Oct 2003 23:12:10 +0100, John Laird

Not really. Conventional security practice is to use a number of levels of security simply to make it harder for an attacker to penetrate to the internal machines.
A very typical solution for this involves using two routers and having a demilitarised zone (DMZ) between them. Filters are applied to each to allow the required traffic through and not otherwise. An intermediate firewall appliance may then be put into the DMZ as well and traffic passed through that. The logic is that having disparate solutions provides a greater level of protection.
This architecture also allows machines to which you do want to have public access to be placed outside the firewall. In some environments people even put machines known as honeypots in place. These are deliberately made to be relatively easy to attack and the idea is to distract the hacker from greater prizes. It also can provide a means to do forensic work on where the attack is coming from.
While running a firewall package on an application machine is better than having nothing at all, notwithstanding the poor security environment of Windows, it is all too easy for said firewall to be compromised as new software is added to the machine.
This is why it's much better to have a dedicated machine with a solid and conservative operating environment which is kept stable without the addition of applications.
.andy
To email, substitute .nospam with .gl