> -----Original Message-----
> From: Ray [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, February 14, 2001 02:01
> To: Noonan, Wesley
> Cc: [EMAIL PROTECTED]
> Subject: RE: FW: Anna Kournikova virus information - Please Read
>
>
> On Tue, 13 Feb 2001, Noonan, Wesley wrote:
>
> > Here is where I think it is overkill. Security isn't everything, and it sure
> > isn't the only thing. Someone once told me "security that hampers work is
> > not security". That is such a true statement. Security like that is just as
> > bad as the "malicious code" it serves to stop. They take different methods,
> > but the end result is the same - lost time and money.
>
> *All* security hampers work. The lock on my door hampers work since i
> have to waste 5 seconds opening it. Same as a car alarm. Do i lose more
> time/money by taking 5 seconds to unlock the car every day, or should i
> just leave it open all the time?? Users don't know (computer) security,
> but they definitely need it. It's up to us to figure out how much...

Correct. This is my point. You have to figure out how much security is
needed in any given case. Let's go with your door scenario. Is it better to
lock all the doors, or is it better to lock only the doors that need it? I
contend the latter.

> > Rather than blocking all .vbs extensions, one could block only those that
> > their DAT files recognize. That allows the .vbs extensions a company may
> > need to receive to work just fine. I'll give you an example. This very email
> > I am writing will be blocked by no less than 10 people on this list. Why?
> > Not because it contains a virus (it doesn't) but because it contains a key
> > word. And as a result, no less than 10 people will gain no worthwhile
> > information from our exchange (not that they would anyway, but you get my
> > point ;-)). This is little better than blocking "all .vbs files". It
> > prevents the exchange of information.
>
> I completely disagree that this is "better" than blocking all .vbs.

You completely missed the point. I am saying blocking only the .vbs files
that the DAT recognizes is better, in some cases.

> If you're blocking this key word, how do you get CERT advisories?? How do
> you get advisories from your vendor?? How do you get that message from
> your mom when she asks if you got hit with the new virus!

Again, you miss my point. This is what happens when you block ALL instead of
some. Like I said, look at how many emails bounced on this topic (it has
since stopped) when it originally hit. Why? Cause people started blocking
anything that had to do with the topic, irregardless of whether it was a
threat or an advisory. Making blanket statements of "stop all" means just
that, it stops all, regardless of whether what you were getting was useful.

> > Does the above protect against everything? No, you have the possibility that
> > a "new" virus slips in before your DAT's are updated, but one must ask
> > themselves "is the risk worth it, now that I have mitigated it in this
> > manner". The answer varies from case to case.
>
> 99% of the time the virus will hit before your DAT's are updated, unless
> you're updating every machine every 5 minutes. The virus isn't "new"
> until it hits, and a worm of this nature can spread throughout the world
> in a few short hours.

Like I said, this one was picked up by NAI without any upgrade needed.
Sounds to me like more strict security isn't what was needed. What was needed
was better implemented security.

> > Let me ask you this. Does anyone know of an email scanning product that
> > blocks "all .exe and .com extensions" by default and design? Of course not
> > (or at least I don't know of one - not by default at least), since people
> > need to be able to pass executables as part of their day to day business.
> > The same holds true for .vbs. The shops that have lots of W2K and are
> > managing the hell out of it are doing so with scripting.
>
> I'll say again that a .vbs attachment is completely useless. There's no
> valid reason for it. And if you're "managing the hell out of" your W2k
> shop by emailing vbs scripts to yourself then running them in outlook,
> then i'd say you have much bigger problems than this little virus thing.

You fail to be able to see outside of your focus. A .vbs attachment is NOT
"completely useless". That is an ignorant position to take. What if I need
to send you a script to help you do your job? You aren't going to email this
to all of your clients, but you might incorporate a subroutine into your
login script. Except if you block all .vbs files, you don't get the email.
Sure, there are alternatives (send the attachment as a .txt), but what I am
presenting is also an alternative.

> > An even better solution to the .vbs issue that I have seen is the newest
> > outlook patches which only allow you to save files with that extension (no
> > running of the code from the email client). Now that's a good balance of
> > protection and function IMHO. Another solution (though with secure email it
> > is tough, if not impossible, to do) is to change the extension to something
> > like .txt when it passes through the gateway. Yet another one is to change
> > the default execution method for .vbs to be "notepad.exe". Then one can
> > either use cscript to manually run any .vbs that they need to, or pick an
> > extension (i.e. .wes) and associate .wes with wscript. Now anything that
> > comes in as .vbs is harmless, and you can still push and run scripts
> > internally by using the .wes extension.
>
> Great... if only i could find that automagic update every machine on the
> network script.

Like I said to the other guy who walked into this, those "completely
useless" .vbs scripts can do this. Easily. Automatically. And it can log the
success and failure of the updates. Amazing just what a "completely useless"
thing can do, huh?

> > It's all about mitigating the risk while providing solutions that allow the
> > users to work. No one said that it would be easy :)
>
> Until then, i'll just block ALL vbs scripts, and js, vbe, pif, reg, scr,
> and anything else that looks dangerous, since those files are much much
> more risky than they are useful when sent as a mail attachment. I would
> hope a lot of people agree.

Again, I think that this is an uninformed alarmist stance. I would hope that
people who specialize in security would be more able to keep from focusing
on one thing to the detriment of their surroundings.

Again, I am not saying that blocking all vbs scripts is a bad thing. I am
saying that doing so "just because" is.

Wes Noonan, MCSE/MCT/CCNA/NNCSS
Senior QA Rep.
BMC Software, Inc.
(713) 918-2412
[EMAIL PROTECTED]
http://www.bmc.com
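
The two gateway policies argued over in this thread (remove every attachment with a risky extension, or rename it to .txt as it passes through the gateway), as an added Python example that is not part of either poster's message. The function names, the sample mail, its addresses and its attachment names are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions named in the thread as block candidates; site policy, not a standard.
RISKY = {".vbs", ".vbe", ".js", ".pif", ".reg", ".scr"}

def effective_ext(filename: str) -> str:
    """Extension Windows would act on: the last suffix, case-folded, after
    stripping the trailing dots and spaces that Windows ignores."""
    name = filename.rstrip(" .").lower()
    return "." + name.rsplit(".", 1)[1] if "." in name else ""

def filter_message(raw: bytes, mode: str):
    """mode="block" removes risky attachments; mode="rename" appends .txt.
    Returns (rewritten message bytes, [(original filename, action), ...])."""
    if mode not in ("block", "rename"):
        raise ValueError(mode)
    msg = message_from_bytes(raw, policy=policy.default)
    actions = []
    for part in list(msg.iter_attachments()):
        name = part.get_filename() or ""
        if effective_ext(name) not in RISKY:
            actions.append((name, "pass"))
        elif mode == "block":
            msg.get_payload().remove(part)  # drop this part only, body stays
            actions.append((name, "removed"))
        else:
            safe = name.rstrip(" .") + ".txt"
            part.set_param("filename", safe, header="Content-Disposition")
            actions.append((name, "renamed"))
    return msg.as_bytes(), actions

def attachment_names(raw: bytes):
    """Filenames of the attachments in a serialized message, in order."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.iter_attachments()]

def sample_message() -> bytes:
    """Constructed test mail: advisory text plus three attachments."""
    m = EmailMessage()
    m["From"], m["To"] = "admin@example.com", "user@example.com"
    m["Subject"] = "Virus advisory and the login script you asked for"
    m.set_content("Advisory text mentioning the worm by name is delivered untouched.")
    for fn in ("login-sub.vbs", "photo.jpg.VBS", "notes.txt"):
        m.add_attachment(b"' constructed placeholder content",
                         maintype="application", subtype="octet-stream", filename=fn)
    return m.as_bytes()
```

Both modes act on the attachment's extension rather than on keywords in the body, so the advisory text is delivered in either case; the rename mode also delivers the script, which no longer opens in the script host on a double-click.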
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]