What a cool way to subvert lots of machines at once! Hack the cloud, and insert your own hashes.
I like it...

Kurt

On Tue, Apr 17, 2012 at 08:41, Stu Sjouwerman <[email protected]> wrote:

> I wrote a white paper about whitelisting from the perspective of a system
> admin. If you are interested, here is a copy to the link of the PDF:
>
> https://s3.amazonaws.com/knowbe4.cdn/Whitelisting_WhitePaper.pdf
>
> Warm regards,
>
> Stu
>
> From: Andrew S. Baker [mailto:[email protected]]
> Sent: Tuesday, April 17, 2012 7:10 AM
> To: NT System Admin Issues
> Subject: Re: Whitelisting
>
> Yes, it can address that scenario.
>
> You can sign the scripts you want to run, and disallow unsigned scripts.
>
> Does whitelisting solve world hunger, cure cancer or find livable space on
> Mars? No. But it does address, more effectively, a huge range of threats
> that are inadequately addressed by the traditional blacklisting approach of
> current AV products. It's even used within Windows directly to make the OS
> more secure. As a result, I will continue to use and recommend it to reduce
> my threat landscape, leaving more time to intelligently address the threats
> that it does not handle well.
>
> ASB
>
> http://XeeMe.com/AndrewBaker
>
> Harnessing the Advantages of Technology for the SMB market…
>
> On Tue, Apr 17, 2012 at 12:46 AM, Ken Schaefer <[email protected]> wrote:
>
> Let’s try another one: I use an exploit (or even just VBA automation) in Word
> to password protect all your files. You need to pay me to get them back (or
> maybe I don’t care whether you get them back, I just like inflicting pain –
> aka like most mass market viruses)
>
> Does whitelisting address this scenario? No.
>
> Are exploits just going to move from the problem space solved by whitelisting
> and to a new area that is not addressed by this technology? Yes
>
> It’s just like spam (and every other area where we have a constantly
> escalated war of technology). Yet for some reason we don’t seem to be
> learning that lesson.
>
> Cheers
>
> Ken
>
> From: Andrew S. Baker [mailto:[email protected]]
> Sent: Tuesday, 17 April 2012 11:07 AM
> To: NT System Admin Issues
> Subject: Re: Whitelisting
>
> For any given environment, there will be less known good items that I want to
> run, than known bad ones that I don't, not to mention all the unknown bad
> ones that I don't know about yet.
>
> Managing the smaller list is *better*, not *perfect*.
>
> I haven't missed the point. A flawed example is just that -- flawed. But,
> going beyond that and focusing on the principle itself, the blacklist is ALSO
> vulnerable to the same issue.
>
> So, do you settle for us both sharing your example problem, plus you
> having a host of other ones that are greater than mine? Or do you
> acknowledge that the approach I favor creates a smaller attack surface area?
>
> ASB
>
> http://XeeMe.com/AndrewBaker
>
> Harnessing the Advantages of Technology for the SMB market…
>
> On Mon, Apr 16, 2012 at 3:33 PM, Ben Scott <[email protected]> wrote:
>
> On Mon, Apr 16, 2012 at 12:11 PM, Andrew S. Baker <[email protected]> wrote:
> >>> If it's an exploit, it's going to launch code. The code
> >>> won't run in a whitelisting environment unless it's approved by the admin.
> >>
> >> CMD /C DEL C:\*.* /S /Q /F /A
> >
> > A - Wouldn't work so nicely in 2008 and above, due to lack of elevated
> > rights
> >
> > B - Limited use infection (since it destroys itself)
>
> You're missing the point. You're arguing against the example,
> rather than the principle. Namely: It's possible to use a whitelisted
> application as an attack vector.[1]
>
> You're also making another mistake -- you're seeing protection of
> the system as an end, rather than a means. Nobody cares if the OS is
> intact if all the data is gone. We protect the OS because we use the
> OS to protect the assets, not just for the sake of having a protected
> OS.
>
> -- Ben
>
> [1] To the original question: This doesn't mean blacklisting, i.e.,
> trying to identify and exclude "known bad" software, is the better
> alternative.
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
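The "sign the scripts you want to run, and disallow unsigned scripts" approach that Andrew describes in the thread, written out as an added PowerShell example (this is not code from anyone in the thread or from any product mentioned there). It assumes an administrative session, a reviewed-scripts folder at the placeholder path C:\Scripts, a code-signing certificate already present in Cert:\CurrentUser\My, and a reachable timestamp server (the DigiCert URL is only one example); all of those are assumptions.

```powershell
# Added example (not from the thread): enforce "only signed scripts run" on a
# Windows host and audit a folder for scripts that would be refused under it.
# Assumptions: admin session; C:\Scripts is a placeholder path; a code-signing
# certificate exists in Cert:\CurrentUser\My; timestamp server URL is an example.

# 1. Refuse unsigned scripts. AllSigned requires every script, local or
#    downloaded, to carry a valid Authenticode signature from a trusted signer.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

# 2. Pick the signing certificate. In production this comes from the internal
#    CA; for a lab you can create one with:
#    New-SelfSignedCertificate -Type CodeSigningCert -Subject 'CN=Lab Script Signing' -CertStoreLocation Cert:\CurrentUser\My
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
if (-not $cert) { throw 'No code-signing certificate found in Cert:\CurrentUser\My' }

# 3. Sign the scripts that have been reviewed and are meant to be allowed.
#    A timestamp keeps the signature valid after the certificate itself expires.
Get-ChildItem -Path 'C:\Scripts' -Filter *.ps1 | ForEach-Object {
    Set-AuthenticodeSignature -FilePath $_.FullName -Certificate $cert `
        -TimestampServer 'http://timestamp.digicert.com' | Out-Null
}

# 4. Audit: report every script and its signature status. Anything other than
#    'Valid' (NotSigned; HashMismatch = edited after signing; UnknownError =
#    signer not trusted on this host) is refused under AllSigned.
function Get-ScriptSignatureReport {
    param([string]$Path = 'C:\Scripts')
    Get-ChildItem -Path $Path -Filter *.ps1 -Recurse | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Script  = $_.FullName
            Status  = $sig.Status
            Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Blocked = ($sig.Status -ne 'Valid')
        }
    }
}

Get-ScriptSignatureReport | Format-Table -AutoSize
```

Run the audit step again after any change to the folder: a script edited after signing shows HashMismatch rather than Valid, which is the property that makes this a whitelist of reviewed content rather than of file names. Note that the execution policy governs script files loaded by PowerShell, not the interpreter itself, so it complements rather than replaces application whitelisting of the kind discussed above; Ben's point that an allowed application can still be turned against the data it has access to applies just as much here.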
