SANS ISC: InfoSec Handlers Diary Blog

Cyber Security Awareness Tip #8: Anti-Virus, Anti-Spyware, and Other Protective Software

Published: 2007-10-08
Last Updated: 2007-10-08 23:03:25 UTC
by Tom Liston (Version: 1)

Perhaps the single most important line of defense available for your computer today is a good, up-to-date anti-virus program.  Anyone who uses a computer in this day and age without adequate anti-virus protection enabled is simply asking for disaster to strike.

Anti-spyware software works to do much the same stuff as anti-virus software, but it targets a different class of malicious code – malware with a business model.

Together, these programs fall into a class that, for the remainder of this diary entry, we’ll refer to as “anti-malware”.

While anti-malware vendors go to great lengths to try to differentiate their products, touting various tests that prove that their software is the best, when dealing with typical end-users, I tend toward a rather more pragmatic selection method:

Choose an anti-malware program that you’ll use.  Choose something that you understand and that you feel comfortable with.  Choose a program that you can figure out how to keep updated.  Don’t worry about anything else: just choose something you’ll use.

Because, you see, these anti-malware programs create a sort of software Maginot Line to keep the bad stuff off of your computer.  If you choose software that someone else thinks is best, and you can’t figure out how to use it, then best or not, it won’t do you any good.

All anti-malware tools suffer from neglect.  New malicious software is created every single day, and in order to be able to recognize these new programs, anti-malware software needs a constant supply of “signatures” – information that helps it recognize the bad stuff.

That’s why, more important than any or all of the features that anti-malware vendors want to sell, being able to actually use and update your anti-malware program is the most important feature of all.


TOTALLY OT! Happy Thanksgiving Canada!

Published: 2007-10-08
Last Updated: 2007-10-08 21:35:09 UTC
by Adrien de Beaupre (Version: 1)

Cheers from the great white north Canuckistan, on the
day of our Thanksgiving. Tryptophan? What's that?
Does it mix well with beer?


Dirty O.W.!

Published: 2007-10-08
Last Updated: 2007-10-08 20:36:58 UTC
by Tom Liston (Version: 1)

One of my all-time favorite movies is the 1965 classic, "A Thousand Clowns" starring Jason Robards as the unforgettable Murray Burns. Murray is a rather unconventional character, and the film's plot revolves around his struggles with a child welfare department threat to remove his twelve-year-old nephew Nick from his custody unless he "conforms" to what they consider to be an appropriate role model for the young man.  Nick is Murray's sister's child, born out of wedlock and thus referred to (by a social worker) as an "O.W." child.  One of the best lines in the movie is when Murray calls one of the child welfare workers "a dirty O.W.".

The point of all of this?  Well, I have a quick "quiz" for our loyal readership.  No prizes beyond a shot at ISC Handler's Diary glory: The first person who correctly answers will have their name or initials enshrined here and can thus use that ISC mention to claim all of the rights and honors they so richly deserve.  In perpetuity.

Here we go:

The other day, I was at a client site, setting up and locking down a Solaris 10 box.  In the process of doing that, I needed to move some scripts that I had written on my Linux laptop over to the Solaris machine.  When I popped my USB key into the Solaris box, it was auto-recognized and appeared on the desktop.  I immediately (and erroneously it turns out...) accused my friend, colleague, and fellow ISC Handler, Ed Skoudis of being "a dirty O.W."


UPDATE 1: Since the answers I've received so far have been somewhat disappointing (to say the least...) here's Hint #1: There is a very specific reason that I chose Ed Skoudis as the target of my accusation.  Normally, I blame the ISO Standard Scapegoat, Mike Poor, for pretty much anything that goes wrong/bad/viral with a computer.

UPDATE 2: Arrrgh!  You guys are really disappointing me.  Hint #2: Perhaps my accusation might have something to do with the default name assigned to the device...

UPDATE 3: We have a winner! Ok... so reader David Lesperon didn't get it EXACTLY right, but he was on the right track... Here's the skinny: I plugged my USB key into the machine and what name was assigned? /dsk/c0d0!  But the funky window manager attempted to remove what it assumed were "escaped" characters, and left it as: sk0d0! I immediately unplugged it from the Solaris machine and plugged it into my Linux laptop, mounted it, and saw that it was identified as the normal "tliston" name I've assigned to the drive.  Pulled it from the Linux box and reinserted it in the Solaris machine and "sk0d0" returned.  Strange... very strange...

And to those who felt compelled to write in with the "obvious" answer, Ed is a very nice man.  You should be ashamed of yourselves...
