RE: Interesting run-down on Stuxnet from F-Secure

2010-10-07 Thread John Hornbuckle
An interesting read.

Would running without elevated permissions eliminate the risk of infection? Or 
do the two zero-day exploits (privilege escalation via keyboard layout file and 
privilege escalation via Task Scheduler) allow infection even when running as a 
limited user?



John Hornbuckle
MIS Department
Taylor County School District
www.taylor.k12.fl.us




From: James Rankin [mailto:kz2...@googlemail.com]
Sent: Thursday, October 07, 2010 11:43 AM
To: NT System Admin Issues
Subject: Interesting run-down on Stuxnet from F-Secure

http://www.f-secure.com/weblog/archives/2040.html

They seem to draw a little bit of comparison between Stuxnet and Conficker, as 
well as some other mildly interesting bits

--
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the 
machine wrong figures, will the right answers come out?' I am not able rightly 
to apprehend the kind of confusion of ideas that could provoke such a question."

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin



NOTICE: Florida has a broad public records law. Most written communications to 
or from this entity are public records that will be disclosed to the public and 
the media upon request. E-mail communications may be subject to public 
disclosure.


RE: Interesting run-down on Stuxnet from F-Secure

2010-10-07 Thread Free, Bob
FWIW- If you are interested in Stuxnet, Symantec published a nearly 50-page
PDF titled W32.Stuxnet Dossier. Pretty comprehensive coverage.

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf


RE: Interesting run-down on Stuxnet from F-Secure

2010-10-07 Thread Carl Houseman
I'd say it's a good bet the privilege escalation bugs are used to get around
limited user limitations and install the rootkit.

Looking forward a few years, non-admin users' risk will steadily increase as
malware more often includes code to exploit priv escalation bugs.  There's
always a priv escalation bug hiding around the next corner, and malware will
use them to survive.

Carl


RE: Interesting run-down on Stuxnet from F-Secure

2010-10-07 Thread John Hornbuckle
Ah, this one confirms that it uses the two zero-day exploits to get around users 
running with limited permissions. And that it doesn't work on 64-bit OS flavors.



John Hornbuckle
MIS Department
Taylor County School District
www.taylor.k12.fl.us




Re: Interesting run-down on Stuxnet from F-Secure

2010-10-07 Thread Andrew S. Baker
>> Looking forward a few years, non-admin users' risk will steadily
>> increase as malware more often includes code to exploit priv escalation
>> bugs.

I agree that we will see a rise in non-admin malware, but it will be much
easier to go after the low hanging fruit of people with too much local
access, because lots more sophistication is needed to implement these
attacks.

When this avenue is largely closed, then the malware folks will have no
choice but to spend more of their time on those classes of attacks.


ASB (My XeeSM Profile) <http://XeeSM.com/AndrewBaker>
Exploiting Technology for Business Advantage...




RE: Interesting run-down on Stuxnet from F-Secure

2010-10-07 Thread Carl Houseman
The avenue closes as the percentage of XP machines ...  how long for that?
I'm guessing XP is less than 50% of Windows users before April 2014, and if
not by then, real soon afterwards.

Carl


Re: Interesting run-down on Stuxnet from F-Secure

2010-10-07 Thread Andrew S. Baker
There are still enough people running as admin on higher versions of Windows
AND some of those even disable UAC.

We will have enough stupidity for quite a while yet...

(Besides, 40-40% of all Windows users running XP will still be a pretty huge
number of juicy targets)


ASB (My XeeSM Profile) <http://XeeSM.com/AndrewBaker>
Exploiting Technology for Business Advantage...



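
As an added example (editor's code, not from the thread or from any vendor it
mentions), here is a PowerShell check for the posture Andrew describes above:
whether the interactive user is a member of local Administrators, whether UAC is
actually enabled, and whether the current session already holds an elevated
token. The registry path and value names are the standard Windows UAC policy
settings and S-1-5-32-544 is the well-known SID of the local Administrators
group; the function name and the wording of the findings are this example's own.
Nothing in it is Stuxnet-specific.

```powershell
# Added example, not code from the thread. Audits the local-privilege posture
# discussed above: is the user a local admin, is UAC on, is this token elevated.
# Registry path/value names are the standard Windows UAC policy settings.

function Get-PrivilegePosture {
    [CmdletBinding()]
    param()

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # Local Administrators has the well-known SID S-1-5-32-544. With UAC on, a
    # filtered (non-elevated) admin token still lists the group (deny-only), so
    # group membership and elevation have to be checked separately.
    $adminSid     = New-Object Security.Principal.SecurityIdentifier('S-1-5-32-544')
    $isLocalAdmin = [bool]($identity.Groups | Where-Object { $_ -eq $adminSid })

    # True only when the current token really is elevated (or UAC is off).
    $isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # UAC policy. EnableLUA does not exist on XP/2003, which have no UAC at all.
    $policyKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy       = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $uacSupported = ($null -ne $policy) -and ($null -ne $policy.PSObject.Properties['EnableLUA'])
    $uacEnabled   = $uacSupported -and ($policy.EnableLUA -eq 1)
    $consentAdmin = if ($uacSupported) { $policy.ConsentPromptBehaviorAdmin } else { $null }

    # OS bitness: PROCESSOR_ARCHITEW6432 is only set for a 32-bit process on a
    # 64-bit Windows, so this is right from either a 32- or 64-bit PowerShell.
    $osArch = if ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } else { $env:PROCESSOR_ARCHITECTURE }

    $findings = @()
    if ($isLocalAdmin) {
        $findings += 'interactive user is a member of local Administrators'
    }
    if ($isLocalAdmin -and -not $uacEnabled) {
        $findings += 'no UAC: the admin user runs fully elevated all the time'
    }
    if ($uacEnabled -and $consentAdmin -eq 0) {
        $findings += 'UAC elevates admins without prompting (ConsentPromptBehaviorAdmin=0)'
    }
    if ($isElevated) {
        $findings += 'this session already holds an elevated token'
    }

    New-Object PSObject -Property @{
        ComputerName       = $env:COMPUTERNAME
        User               = $identity.Name
        OSArchitecture     = $osArch
        IsLocalAdmin       = $isLocalAdmin
        IsElevatedNow      = $isElevated
        UACSupported       = $uacSupported
        UACEnabled         = $uacEnabled
        ConsentPromptAdmin = $consentAdmin
        Findings           = $findings
    } | Select-Object ComputerName, User, OSArchitecture, IsLocalAdmin, IsElevatedNow,
                      UACSupported, UACEnabled, ConsentPromptAdmin, Findings
}

# Run in the user's ordinary session (an elevated console makes IsElevatedNow
# trivially true). For a fleet, wrap the call in Invoke-Command per host.
Get-PrivilegePosture | Format-List
```

A host that reports IsLocalAdmin true with UACEnabled false (XP, or a later
Windows with UAC switched off) is the low-hanging fruit Carl and Andrew are
talking about: malware landing in that session needs no escalation bug at all.
A host with IsLocalAdmin false is the case where the Task Scheduler and keyboard
layout escalations in John's question would actually have to be exercised.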

RE: Interesting run-down on Stuxnet from F-Secure

2010-10-07 Thread Marc Maiffret
Privilege escalation bugs are pretty much here and now and being used more 
commonly in attacks as the sophistication level is not necessarily as high as 
one would think. This has always been an area of interest at eEye as we 
started discovering some of the first Windows priv. escalation vulns by the 
handful almost 5 years ago knowing this was the future and hoping people would 
pay attention (security industry, technology companies) and be ready for it. We 
obviously are not ready as we all know the technology OS makers like Microsoft 
only just in the last years finally even got around to least privilege user 
roles and just as they played catch up with that they will now again play catch 
up to privilege escalation vulnerabilities which completely make all of this 
"we run as non-admin" stuff totally an irrelevant point anymore. These things 
are a great example of always being one step behind the bad guys but NOT 
because we actually had to be ... only because technology companies allowed it 
to be.

P.S. My marketing department told me if I mentioned this new cheesily named 
thing I am doing they would buy me a beer, so consider this the mention:
http://www.eeye.com/Company/News-and-Events/Minute-With-Maiffret.aspx


Signed,
Marc Maiffret
Co-Founder/CTO
eEye Digital Security
Web: http://www.eeye.com
Blog: http://blog.eeye.com
Twitter: http://www.twitter.com/marcmaiffret




Re: Interesting run-down on Stuxnet from F-Secure

2010-10-07 Thread Andrew S. Baker
You sold out for a beer?  :)



>>These things are a great example of always being one step behind the bad
guys but NOT because we actually had to be … only because technology
companies allowed it to be.

And I would say that we are where we are because as consumers and corporate
customers, we don't push for things to be different. Not that technology
companies don't have their own responsibility to do the right thing, but
they'll always favor features over security if *we* favor features over
security.


ASB (My XeeSM Profile) <http://XeeSM.com/AndrewBaker>
Exploiting Technology for Business Advantage...




RE: Interesting run-down on Stuxnet from F-Secure

2010-10-07 Thread Marc Maiffret
Hmmm you know you are right about that, I should have held out for a 
grasshopper. Ohh movie trivia... :)

And to your second point I agree completely!

-Marc

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Thursday, October 07, 2010 5:08 PM
To: NT System Admin Issues
Subject: Re: Interesting run-down on Stuxnet from F-Secure



You sold out for a beer?  :)





>>These things are a great example of always being one step behind the bad guys 
>>but NOT because we actually had to be ... only because technology companies 
>>allowed it to be.

And I would say that we are were we are because as consumers and corporate 
customers, we don't push for things to be different.   Not that technology 
companies don't have their own responsibility to do the right thing, but 
they'll always favor features over security is *we* favor features over 
security.



ASB (My XeeSM Profile)<http://XeeSM.com/AndrewBaker>
Exploiting Technology for Business Advantage...



On Thu, Oct 7, 2010 at 7:33 PM, Marc Maiffret 
mailto:mmaiff...@eeye.com>> wrote:
Privilege escalation bugs are pretty much here and now and being used more 
commonly in attacks as the sophistication level is not necessarily as high as 
one would think. This has always been an area of interesting at eEye as we 
started discovering some of the first windows priv. escalation vulns by the 
handful almost 5 years ago knowing this was the future and hoping people would 
pay attention (security industry, technology companies) and be ready for it. We 
obviously are not ready as we all know the technology OS makers like Microsoft 
only just in the last years finally even got around to least privilege user 
roles and just as they played catch up with that they will now again play catch 
up to privilege escalation vulnerabilities which completely make all of this 
"we run as non-admin" stuff totally an irrelevant point anymore. These things 
are a great example of always being one step behind the bad guys but NOT 
because we actually had to be ... only because technology companies allowed it 
to be.

P.S. My marketing department told me if I mentioned this new cheesily named 
thing I am doing they would buy me a beer, so consider this the mention:
http://www.eeye.com/Company/News-and-Events/Minute-With-Maiffret.aspx


Signed,
Marc Maiffret
Co-Founder/CTO
eEye Digital Security
Web: http://www.eeye.com
Blog: http://blog.eeye.com
Twitter: http://www.twitter.com/marcmaiffret



From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Thursday, October 07, 2010 11:25 AM

To: NT System Admin Issues
Subject: Re: Interesting run-down on Stuxnet from F-Secure

>>Looking forward a few years, non-admin users' risk will steadily increase as 
>>malware more often includes code to exploit priv escalation bugs.

I agree that we will see a rise in non-admin malware, but it will be much 
easier to go after the low hanging fruit of people with too much local access, 
because lots more sophistication is needed to implement these attacks.

When this avenue is largely closed, then the malware folks will have no choice 
but to spend more of their time on those classes of attacks.



ASB (My XeeSM Profile)<http://XeeSM.com/AndrewBaker>
Exploiting Technology for Business Advantage...


On Thu, Oct 7, 2010 at 12:33 PM, Carl Houseman <c.house...@gmail.com> wrote:
I'd say it's a good bet the privilege escalation bugs are used to get around 
limited user limitations and install the rootkit.

Looking forward a few years, non-admin users' risk will steadily increase as 
malware more often includes code to exploit priv escalation bugs.  There's 
always a priv escalation bug hiding around the next corner, and malware will 
use them to survive.

Carl

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Thursday, October 07, 2010 12:04 PM

To: NT System Admin Issues
Subject: RE: Interesting run-down on Stuxnet from F-Secure

An interesting read.

Would running without elevated permissions eliminate the risk of infection? Or 
do the two zero-day exploits (privilege escalation via keyboard layout file and 
privilege escalation via Task Scheduler) allow infection even when running as a 
limited user?



John Hornbuckle
MIS Department
Taylor County School District
www.taylor.k12.fl.us




From: James Rankin [mailto:kz2...@googlemail.com]
Sent: Thursday, October 07, 2010 11:43 AM

To: NT System Admin Issues
Subject: Interesting run-down on Stuxnet from F-Secure

http://www.f-secure.com/weblog/archives/2040.html

They seem to draw a little bit of comparison between Stuxnet and Conficker, as 
well as some other mildly interesting bits

Re: Interesting run-down on Stuxnet from F-Secure

2010-10-07 Thread William J. Robbins
Who hasn't sold out for a beer?  :)
 
WJR
 - from my Crackberry.

"If you find yourself in a fair fight, your tactics suck."


RE: Interesting run-down on Stuxnet from F-Secure

2010-10-07 Thread greg.sweers
I'm a lot cheaper.  Just give me a cold coke..


Re: Interesting run-down on Stuxnet from F-Secure

2010-10-07 Thread Jon Harris
Marc, not that this is the correct thread to ask this but, doesn't eEye have
an AV product that concentrates more on the actions of a file and less on
the definitions?

Jon


Re: Interesting run-down on Stuxnet from F-Secure

2010-10-08 Thread Ben Scott
On Thu, Oct 7, 2010 at 2:41 PM, Carl Houseman  wrote:
> The avenue closes as the percentage of XP machines ...  how long for that?
> I'm guessing XP is less than 50% of Windows users before April 2014, and if
> not by then, real soon afterwards.

  "People running as admin when they shouldn't" doesn't go away with
UAC.  These users are already clicking "Yes" to download/install this
stuff.  They'll continue to click "Allow" under Vista/Win 7.  I've
seen it happen.  It's harder to do by accident, but no number of
dialog boxes will ever stop a click-happy user.  And many (if not
most) users are click-happy.

-- Ben




Re: Interesting run-down on Stuxnet from F-Secure

2010-10-08 Thread Ben Scott
On Thu, Oct 7, 2010 at 8:08 PM, Andrew S. Baker  wrote:
> And I would say that we are where we are because as consumers and corporate
> customers, we don't push for things to be different.   Not that technology
> companies don't have their own responsibility to do the right thing, but
> they'll always favor features over security if *we* favor features over
> security.

  What really sucks is that for those of us who actually care about
security, we're told that everything is fine, nothing is broken,
nobody else is worried about this, you want too much, ha ha cute little
user, etc., etc., etc.   >:-(

-- Ben




RE: Interesting run-down on Stuxnet from F-Secure

2010-10-08 Thread Ziots, Edward
Yep, it's definitely like that, until they get royally 0wned, then it's Chicken 
Little the Sky is falling, and by then it's too late: you are the next poster boy 
for newspapers, and the fallout. 

So really, who wants to be the next TJX/Hannaford Foods/etc etc? Sorry, I will 
pass. I don't care if I die trying :) 

Z

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email:ezi...@lifespan.org
Cell:401-639-3505





Re: Interesting run-down on Stuxnet from F-Secure

2010-10-08 Thread James Winzenz

+9000



RE: Interesting run-down on Stuxnet from F-Secure

2010-10-08 Thread Carl Houseman
UAC prompting isn't the major benefit of UAC.  The major benefit is that, for
admins, programs that aren't admin-by-nature run without admin rights.  If
the admin user runs a malware executable that tries to write something to a
protected file/registry area, it will fail (unless it also exploits a
privilege escalation bug).

Carl




Re: Interesting run-down on Stuxnet from F-Secure

2010-10-08 Thread Ben Scott
On Fri, Oct 8, 2010 at 4:51 PM, Carl Houseman  wrote:
> UAC prompting isn't the major benefit of UAC.  The major benefit is that, for
> admins, programs that aren't admin-by-nature run without admin rights.  If
> the admin user runs a malware executable that tries to write something to a
> protected file/registry area, it will fail (unless it also exploits a
> privilege escalation bug).

  The "privilege escalation bug" in this case would be the user
clicking "Allow", is my point.

-- Ben




RE: Interesting run-down on Stuxnet from F-Secure

2010-10-08 Thread Marc Maiffret
Indeed our Blink product goes way beyond traditional anti-virus by actually 
preventing the exploitation of vulnerabilities that lead then to attackers 
loading malware. Most all AV and related are simply looking for the malware 
that is deployed to a system after it has been exploited and in doing that you 
are in a constant arms race of signatures and staying ahead of the bad guys 
which is a failing endeavor. Blink on the other hand will for example 
generically prevent things like buffer overflow exploits against Adobe Reader, 
whether your system is patched or unpatched, zeroday or otherwise, does not 
matter. By preventing software vulnerabilities from being exploited in the 
first place you get out of the rat race of malware signatures. 

http://www.eeye.com/blink

We also have a version of Blink that is called Retina Protection Agent which 
comes included with our next generation vulnerability management platform 
Retina CS. Difference with RPA is that it can co-exist with your existing AV to 
fill in the gaps that traditional AV has.  

http://www.eeye.com/Products/Retina/CS.aspx

Happy Friday!

BTW, I am not sure if you folks saw, I think I forgot to mention it here, but 
we recently "re-launched" our Zero-Day Tracker website: http://www.eeye.com/zdt

-Marc


RE: Interesting run-down on Stuxnet from F-Secure

2010-10-08 Thread Carl Houseman
No, the UAC prompt may not happen.  UAC prompting only happens for specific
programs that are recognized as needing elevation.  It does NOT happen for
every API call that might fail if not elevated.

Yes, the malware writers could make their malware smart enough to cause the
UAC prompt and gain elevation, but that's not my point.  My point is that
plenty of malware that succeeds for admin users under XP will fail for admin
users under Vista/7 because UAC is enabled, and the user will not be prompted
to override that protection.

Carl


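Carl's two points above (an administrator's ordinary processes run on a filtered token, and the UAC consent prompt is decided per program, not per API call) can be checked directly. The script below is an added example, not something posted to the list or shipped by any vendor named in the thread. It assumes Windows Vista/7 or later with UAC on, PowerShell 2.0 or newer, and a user who is a member of Administrators; the registry key name `UacDemo-Hypothetical` is a made-up placeholder, and the UAC policy value names (`EnableLUA`, `ConsentPromptBehaviorAdmin`, `ConsentPromptBehaviorUser`) are the real ones under the `Policies\System` key.

```powershell
# Added example (not from the thread): observe the UAC split-token behaviour Carl
# describes. Run it twice as a member of Administrators: once in an ordinary
# PowerShell window, once in one started with "Run as administrator".

function Get-TokenElevationInfo {
    # A non-elevated admin's process carries a *filtered* token: the Administrators
    # SID is still present but marked "Group used for deny only" (see `whoami /groups`),
    # so IsInRole() reports False until the process is actually elevated.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator
    [pscustomobject]@{
        User       = $identity.Name
        IsElevated = $principal.IsInRole($adminRole)
    }
}

function Test-ProtectedWrite {
    # Try a write that needs admin rights. On the filtered token this simply fails;
    # no consent dialog appears, because prompting happens when a *program* starts
    # (its manifest requests requireAdministrator, or the user chose "Run as
    # administrator"), never in response to an individual API call being denied.
    param([string]$KeyPath = 'HKLM:\SOFTWARE\UacDemo-Hypothetical')  # hypothetical key name
    try {
        $null = New-Item -Path $KeyPath -Force -ErrorAction Stop
        Remove-Item -Path $KeyPath -Recurse -Force -ErrorAction Stop
        return 'write to HKLM succeeded (process is elevated)'
    } catch {
        return "write to HKLM denied, no prompt shown: $($_.Exception.GetType().Name)"
    }
}

function Get-UacPolicy {
    # Read the effective UAC policy so an admin can verify that the protection Carl
    # relies on is actually switched on. EnableLUA=0 disables UAC entirely;
    # ConsentPromptBehaviorAdmin=0 elevates admins silently, with no prompt at all,
    # which is exactly the "click Allow" gap Ben is worried about, minus the click.
    $policyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $values = Get-ItemProperty -Path $policyPath
    [pscustomobject]@{
        EnableLUA                  = $values.EnableLUA
        ConsentPromptBehaviorAdmin = $values.ConsentPromptBehaviorAdmin
        ConsentPromptBehaviorUser  = $values.ConsentPromptBehaviorUser
    }
}

$token = Get-TokenElevationInfo
Write-Host ("User: {0}  Elevated: {1}" -f $token.User, $token.IsElevated)
Write-Host (Test-ProtectedWrite)
Get-UacPolicy | Format-List
```

In the ordinary window the first line reports `Elevated: False` and the write is denied without any dialog; in the elevated window the same user succeeds. That difference is the whole of the benefit Carl describes, and `Get-UacPolicy` is the quick way to confirm on a fleet that UAC has not been quietly set to elevate without prompting.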


Re: Interesting run-down on Stuxnet from F-Secure

2010-10-09 Thread Ben Scott
On Fri, Oct 8, 2010 at 6:28 PM, Carl Houseman  wrote:
> My point is that
> plenty of malware that succeeds for admin users under XP will fail for admin
> users under Vista/7 because UAC is enabled, and the user will not be prompted
> to override that protection.

  Any defense which is neutralized by a trivial change in the malware
code is of little utility, and that's exactly what you describe.  I've
already seen reports of malware requesting elevation as part of its
penetration vector.

  This is the same argument many Linux and/or Mac fans use: Right now,
there is effectively no Linux malware, and almost no Mac malware.  So
switch to Linux/Mac and you'll be malware free!  Except that as soon
as malware targets the other platform, your protection disappears like
smoke in the wind.

-- Ben

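The exchange above turns on two configurable things: whether UAC hands an admin user a filtered token for ordinary programs (Carl's point), and what the user has to do when a program asks for elevation (Ben's "clicking Allow" point). The following PowerShell audit is an added example, not code from the thread or from any of the posters. It reads the documented UAC policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and reports whether the running process holds the full admin token; it assumes Vista/7 or later and PowerShell 3 or later, and the labelling of prompt modes as "one-click" is the example's own, not a Microsoft classification.

```powershell
# Added example (not from the thread): audit the UAC settings the discussion
# above depends on, and report whether this process is running elevated.
# Registry value names are the documented UAC policy values; the
# OneClickElevation verdict is this example's own assumption about risk.

function Get-UacPosture {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key

    # EnableLUA = 1 means UAC is on: members of Administrators get a filtered
    # (standard-user) token for ordinary programs, so a program that writes to
    # a protected file or registry location fails unless it is elevated.
    $uacEnabled = ($p.EnableLUA -eq 1)

    # ConsentPromptBehaviorAdmin decides what an admin sees when a program
    # requests elevation. Windows defaults to 5 when the value is absent.
    $promptMode = if ($null -eq $p.ConsentPromptBehaviorAdmin) { 5 } else { [int]$p.ConsentPromptBehaviorAdmin }
    $promptName = switch ($promptMode) {
        0 { 'Elevate without prompting' }
        1 { 'Prompt for credentials on the secure desktop' }
        2 { 'Prompt for consent on the secure desktop' }
        3 { 'Prompt for credentials' }
        4 { 'Prompt for consent' }
        5 { 'Prompt for consent for non-Windows binaries' }
        default { "Unknown ($promptMode)" }
    }

    # Does this PowerShell process hold the full admin token? On a filtered
    # token the Administrators group is deny-only, so IsInRole returns False.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $id
    $elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        UacEnabled             = $uacEnabled
        AdminPromptMode        = $promptName
        SecureDesktopPrompt    = ($p.PromptOnSecureDesktop -eq 1)
        CurrentProcessElevated = $elevated
        # Modes 0, 2, 4 and 5 put either nothing or a single "Allow" click
        # between the filtered token and the full admin token; modes 1 and 3
        # at least require a password to be typed.
        OneClickElevation      = $uacEnabled -and ($promptMode -in 0, 2, 4, 5)
    }
}

Get-UacPosture | Format-List
```

Run it from the account whose daily-use posture you want to check. UacEnabled = True with CurrentProcessElevated = False is the state Carl describes; OneClickElevation = True is the configuration Ben is worried about, where an elevation request from any program is answered by a click rather than a credential, and the usual remedies are a credential prompt for admins or, better, doing daily work as a standard user and elevating with a separate admin account.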


RE: Interesting run-down on Stuxnet from F-Secure

2010-10-10 Thread Ken Schaefer
Also look at the various HIPS products out there. Most can be a resource hog, 
but if you want that type of protection, then that's one thing to look for.

Cheers
Ken

From: Jon Harris [mailto:jk.har...@gmail.com]
Sent: Friday, 8 October 2010 9:42 AM
To: NT System Admin Issues
Subject: Re: Interesting run-down on Stuxnet from F-Secure

Marc, not that this is the correct thread to ask this but, doesn't eEye have an 
AV product that concentrates more on the actions of a file and less on the 
definitions?

Jon
On Thu, Oct 7, 2010 at 8:43 PM, <greg.swe...@actsconsulting.net> wrote:
I'm a lot cheaper.  Just give me a cold coke..

From: William J. Robbins [mailto:dangerw...@gmail.com]
Sent: Thursday, October 07, 2010 8:27 PM

To: NT System Admin Issues
Subject: Re: Interesting run-down on Stuxnet from F-Secure

Who hasn't sold out for a beer? :)

WJR
- from my Crackberry.

"If you find yourself in a fair fight, your tactics suck."


From: "Andrew S. Baker" <asbz...@gmail.com>
Date: Thu, 7 Oct 2010 20:08:04 -0400
To: "NT System Admin Issues" <ntsysadmin@lyris.sunbelt-software.com>
ReplyTo: "NT System Admin Issues" <ntsysadmin@lyris.sunbelt-software.com>
Subject: Re: Interesting run-down on Stuxnet from F-Secure



You sold out for a beer?  :)





>>These things are a great example of always being one step behind the bad guys 
>>but NOT because we actually had to be ... only because technology companies 
>>allowed it to be.

And I would say that we are where we are because as consumers and corporate 
customers, we don't push for things to be different.   Not that technology 
companies don't have their own responsibility to do the right thing, but 
they'll always favor features over security if *we* favor features over 
security.



ASB (My XeeSM Profile)<http://xeesm.com/AndrewBaker>
Exploiting Technology for Business Advantage...


On Thu, Oct 7, 2010 at 7:33 PM, Marc Maiffret <mmaiff...@eeye.com> wrote:
Privilege escalation bugs are pretty much here and now and being used more 
commonly in attacks as the sophistication level is not necessarily as high as 
one would think. This has always been an area of interest at eEye as we 
started discovering some of the first Windows priv. escalation vulns by the 
handful almost 5 years ago knowing this was the future and hoping people would 
pay attention (security industry, technology companies) and be ready for it. We 
obviously are not ready as we all know the technology OS makers like Microsoft 
only just in the last years finally even got around to least privilege user 
roles and just as they played catch up with that they will now again play catch 
up to privilege escalation vulnerabilities which completely make all of this 
"we run as non-admin" stuff totally an irrelevant point anymore. These things 
are a great example of always being one step behind the bad guys but NOT 
because we actually had to be ... only because technology companies allowed it 
to be.

P.S. My marketing department told me if I mentioned this new cheesily named 
thing I am doing they would buy me a beer, so consider this the mention:
http://www.eeye.com/Company/News-and-Events/Minute-With-Maiffret.aspx


Signed,
Marc Maiffret
Co-Founder/CTO
eEye Digital Security
Web: http://www.eeye.com
Blog: http://blog.eeye.com
Twitter: http://www.twitter.com/marcmaiffret



From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Thursday, October 07, 2010 11:25 AM

To: NT System Admin Issues
Subject: Re: Interesting run-down on Stuxnet from F-Secure

>>Looking forward a few years, non-admin users' risk will steadily increase as 
>>malware more often includes code to exploit priv escalation bugs.

I agree that we will see a rise in non-admin malware, but it will be much 
easier to go after the low hanging fruit of people with too much local access, 
because lots more sophistication is needed to implement these attacks.

When this avenue is largely closed, then the malware folks will have no choice 
but to spend more of their time on those classes of attacks.



ASB (My XeeSM Profile)<http://xeesm.com/AndrewBaker>
Exploiting Technology for Business Advantage...


On Thu, Oct 7, 2010 at 12:33 PM, Carl Houseman <c.house...@gmail.com> wrote:
I'd say it's a good bet the privilege escalation bugs are used to get around 
limited user limitations and install the rootkit.

Looking forward a few years, non-admin users' risk will steadily increase as 
malware more often includes code to exploit priv escalation bugs.  There's 
always a priv escalation bug hiding around the next corner, and malware will 
use them to survive.

Carl

From: John