Domain: symantec.com
Stories and comments across the archive that link to symantec.com.
Comments · 1,115
-
Re:No problem
The people that hacked Natanz would probably find it easier to get exclusive access to a zero day exploit on Windows 7 or 8 than XP.
When you're working for a government spy agency and have endless cash to pay off unprincipled 'security researchers' I think you can get into any OS whether old or new.
China can do the same thing. E.g.
http://en.wikipedia.org/wiki/O...
http://www.symantec.com/connec...
If you look at Stuxnet it seems like the initial infection was done by leaving USB sticks around
http://spectrum.ieee.org/podca...
Ralph Langner: Yeah, that's true. So the distribution we see with Stuxnet is mainly done via infected USB sticks. So, in technical terms, it would be not appropriate to call Stuxnet a worm because Stuxnet does not distribute by self-replication over the Internet, but this, it distributes mostly by infected USB sticks. This is the exact strategy that you would use when attacking an aero jet facility. So just like a nuclear power plant. In this case, it makes most sense to assume that the attack was carried out via the Russian integrator that built the plant. Because if you are familiar with the commissioning of such big plants, you know security in those situations is practically nonexistent, especially IT security. So engineers walk in and out with their notebooks, with their programming devices that they use for programming the PLCs. And those engineers that walk in and out, they can easily be lured into picking up infected USB sticks, so this makes very much sense to assume that the attack was performed via the integrator just by making sure that some of their engineers accept infected USB sticks, plug them in their notebooks, go home with their notebooks to their company headquarters, and at some point in time, go with their infected notebooks to the target site. By the way, this also explains all the infections that we see in India, Indonesia, and Pakistan. Because these are also regions where this particular integrator has business.
I've worked at companies where you were searched for removable storage going in. Hell, I've worked at places where the USB ports were filled up with epoxy or disabled by group policy.
If you look at Bradley Manning air gap security is vulnerable to a single rogue employee. Also you need management that will enforce the policies - in Manning's case they should have stopped him bringing in CDs.
-
Re:There's only one way to make biz with Sym "smoo
TrueCrypt is decent, but it can't hurt to have a utility that is updated and maintained with similar functionality. Truecrypt is going over two years without an update. It is a very good program, but PGP has a lot of functionality (public/private key exchange and upkeep, web of trust, etc.) that TC doesn't have.
Of course, one can use GNUpg and TrueCrypt. The command line works well, but GUI-wise, Symantec Encryption Desktop Professional (i.e. PGP Desktop) is just a lot easier to get around in.
One side note -- PGP Desktop isn't officially supported on Windows 8 and 8.1... but it does work.
Recent releases of PGP Desktop do support Windows 8/8.1: Symantec Encryption Desktop 10.3.2 compatibility with Microsoft Windows 8/8.1
-
Good article on tapes
-
Re:TFA doesn't tell much...
Taking parent's post for granted, MiniDuke appears to only target Windows:
http://www.symantec.com/securi...
-
Competition will Support XP
Other Anti-Virus vendors like Symantec, McAfee, and Kaspersky are going to continue to support XP past April, so why should Microsoft concede market share to these competitors?
Also, Microsoft is going to look pretty bad if a new virus makes a major impact, so having their security product database updates continue will mitigate that. Doing otherwise could easily be spun as irresponsible.
-
A long long time ago
A long long time ago, Symantec purchased Intel's AV business including what became their corporate product. The bloat increased over time, but was still a halfway decent product for a few Symantec versions. So maybe McAfee's remains will grow into something better.
What's going to happen to the Intel and Symantec Alliance?
-
Re:Update to the most current
XP certainly has no ASLR or sandboxing. Look it up?
While I never claimed XP had sandboxing, I was sort of mistaken about ASLR. Apparently MS never added ASLR to Windows XP, but Wehntrust implements it. Also, technically there's Sandboxie and other similar programs, but of course there's some question about just how good they are--not that MS's own sandboxing technology exactly has a stellar record.
DEP only a few services use it on XP and the browser is not one of them.
Um, by default yes. But you can enable DEP system wide (although IIRC there's a hardcoded exception for ATI/AMD drivers).
Even Firefox and Chrome are not sandboxed due to the lack of kernel support on that ancient OS.
*cough*Sandboxie*cough* Seriously, though, the sandbox is meant to be the last line of defense. And too often it's been shown to be no defense.
Dude arguing that XP is not broken is like arguing IE 6 is not broken because it runs your corporate websites fine.
No, IE 6 is broken. Period. This new XP Zero-Day shows XP is broken. Then again, IE11 on Windows 8.1 was very recently broken too.
It most certainly is and there are tons of hacks in that html code to make it even display right that the user does not see. XP has +800 workarounds for tens of thousands of virii each time code executes, which is why a 128 meg Pentium III that ran XP fast in 2001 can't run XP SP3 at all today. You do not see them but they are there and it is obvious in performance degradation.
Which aren't in Windows 8.x? Because last I checked, the whole problem with Windows Vista/7/8 incompatibilities with older Windows software (and presumably some virii) had to do with presumptions about Administrator/Power User Access, not the layers of workarounds which are still in Windows--ie, if you use Windows XP as a normal user, you're just as safe from a lot of attacks (and before you say it can't be done, it can be--it's just more annoying than Vista's UAC). But, yea, your argument is precisely why Windows 8.x is even slower because it has even more libraries and hence even more workarounds.
Windows Transfer wizard takes care of moving files over.
"Alas, the one thing that Windows Easy Transfer can't do is reinstall programs for you. Instead, it displays this complete list of every program that was installed on your old PC." -- Inside the Windows 7 Easy Transfer Utility. Still, I'd admit that it looks like it takes away some of the pain. But, then I think about reinstalling several games and..bleh. Could be worse, though.
If XP was fine then why have this article? That exploit doesn't hit Windows 7 and later now does it?
Nor users of the latest version of Adobe Reader, so there is that too. Further, it's not really stated why exactly the exploit works in Windows XP and not Windows 7/8, as APSB13-15 Security Bulletin seems to cover most versions of Adobe Reader and the NDProxy.sys bug would presumably be in/patched in all Windows versions? My only wild guess is that it relates to a similar Microsoft Windows Kernel NDProxy Local Privilege Escalation Vulnerability from a few years ago and that both may be prevented from being exploited by either further Windows kernel protection or a shatter attack protection.
So, you do have a point to the extent that some more of those software firewalls seem to be working. But, just being up to d
-
Symantec Workflow
Does exactly what you need and is designed explicitly for integration with third party tools. Spins up everything from disks to automating webforms and jobs and imports and exports of jobs. There really isn't anything else out there that comes close to what Workflow will do. Used to be called Altiris Workflow. Works with everything from CMDB, change management, service desk to multiple languages.
http://www.symantec.com/connect/articles/learn-about-symantec-workflow
-
Re:Advanced Persistent Threat (APT)
It is even more apt to follow links from TFA to get the real story.
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf
-
Re:Disappears on reboot...
It disappears BY DESIGN. The hackers want it to disappear.
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf
-
Re:Disappears on reboot is a limitation, not featu
This PDF is much more informative than the summary or TFA. I got interested, and followed links, stumbling over this along the way.
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf
-
Re:American priorities
Don't worry if your city wasn't included, I'm sure it's on this "Top 100" list:
http://www.symantec.com/about/news/release/article.jsp?prid=20120215_01
Heh, marketing.
-
Re:This is why encryption isn't popular
Back in the 1990s PGP's Windows GUI client could work with the clipboard
Still does.
http://www.symantec.com/business/support/index?page=content&id=HOWTO42131
And of course on Linux you can use xclip.
-
Re:Hasn't this ship sailed?
Swing and a miss...
If you click on a PDF in your browser and the result is a compromised system it is a browser vulnerability.
Similarly if you invoke a java applet; a security breach in Java is a browser vulnerability if java is enabled by default in the browser.
Neither of these common vectors involve javascript in any way. Block javascript and you might not be able to reach the part of the site that includes the exploit but making a % of the internet unreachable will obviously also "protect" you from a similar % of the exploits.
If you want to look at system wide vulnerabilities that is an entirely different question. Current data is a bit difficult to find but as of 2011 the big winner by a huge margin was MS RPC services.
No one anywhere appears to have anything published that supports a figure of 95% over the last decade.
-
Re:So who lied?
Android.Obad Manual removal
To remove this risk manually, please perform the following actions:
1. Open the Google Android Menu.
2. Go to the Settings icon and select Applications.
3. Next, select Manage.
4. Select the application and select Uninstall.
http://www.symantec.com/security_response/writeup.jsp?docid=2013-060411-4146-99&tabid=3
-
Re:Companies think they own my machine
What you're looking for is software virtualization/sandboxing. Install it using one of these, and when you need to use the app turn it "on", then off when done. Prevents cruft and all the other issues you're complaining about. Trust me, same issues here.
I just went looking, and there are several options these days - when Windows 7 came out, I lost the ability to use my favorite (Altiris). Fortunately, it appears to be fixed and working with 7.
http://www.symantec.com/workspace-virtualization (click Trialware then download - the "Symantec Workplace Virtualization" used to be Altiris. Home license is free)
http://www.cameyo.com/ (free)
http://www.sandboxie.com/ (cheap)
-
Re:Hold Microsoft Responsible
No. This was not gross negligence. This was not a bug that would affect anyone under conditions remotely close to normal. This is something that is being actively exploited by someone (the criminal in this case) in a way never intended by the programmers. It'd be like suing the people who made the bullets used in the Sandy Hook massacre. Not only that, they probably agreed when they installed the software not to hold the software company responsible for anything. The way the system works, if Microsoft does this enough and demonstrates that they cannot create secure products, the market (cue angel choir) will punish them.
Yeah, for no other browsers have vulnerabilities and exploits..
-
Re:I use it for linux distributions
Here's how Norton did it, back in the late 1990's: http://www.symantec.com/business/support/index?page=content&id=TECH106806
I recall using this in college, in 2003, to reimage our 'learning' workstations. (After we'd break them, like discovering that Windows 98 SE would let you format the OS volume, and not crash.)
-
The Scoop
Symantec has an analysis of the linux component. It relies on extracting a history of ssh connections from windows machines from an application called mRemote, an open source, multi-protocol remote connections manager.
-
Re:I Got It!
Lies. I used to do this too, when I was in primary and high school, on my Cyrix 200. It used to take me about a week to crack 95-98% of the passwords, you never got to 100% unless everyone there had really weak passwords. There were always _some_ passwords which I couldn't crack in a reasonable amount of time. They were often the passwords of my friends who were doing similar things.
Over the years I had figured out a lot of different ways to break into machines. But the best way I got the hashes was by bringing along a bootable linux diskette (or CD in the later years), booting in off of that (sometimes had to get around BIOS protections first), then we could grab the sam file (or the sam.bak file). I also found some code which we compiled to a DLL, which pretended to be a Novell logon manager, and would simply dump the login and password to a text file when someone logged in. They didn't realize for a long time, and it seems even Symantec didn't become aware of this till 2002. Which was many many many years later. This ensured that if we lost an admin password, we'd just have to wait for them to log back in, and we'd have it again.
Eventually I got wise and figured out how to terminal into the domain server with one of the admin passwords, at which point I created a very official sounding domain admin account, which had permissions for just about everything. At which point I'd then brag and show my friends that I could access network shares which were off limits and print to fancy colour printers reserved only for teachers... like a gangsta.
-
Re:Freedom
The problems that Windows has are a Windows problem. They aren't shared by anyone else. Even the problems that Android has are down to bad apps masquerading as good ones and aren't the self-replicating and browse-by infections that you can get with Windows.
Windows is the only cesspool. It's about Microsoft engineering, not popularity.
Wow, that's some serious blinders you've got on, you've obviously got a religious attachment to some Microsoft hate that makes you spew out rubbish like that. The sort of thing that keeps you ignorant of things like jailbreakme.com, linux rootkits, OSF.8759, Slapper, Scalper, Linux.Svat and L10n among many, many, many others. You're just a clear ignorant fanboy.
-
Payload was specific - Transport, not so much
The transport used was fairly generic in nature, but since the payload was aimed at a specific controller used on centrifuges it's not surprising that it had little effect elsewhere.
Even if that Siemens motor controller was common, its use case in Iran was rather specific, and chances are the payload was pretty specific to exact firmware levels. From Wiki:
While the worm is promiscuous, it makes itself inert if Siemens software is not found on infected computers, and contains safeguards to prevent each infected computer from spreading the worm to more than three others, and to erase itself on 24 June 2012.
Had it been given a shorter life span than two years, chances are it would never have been discovered.
The real risk here is that others have climbed on board this train and are using essentially the same engine for other purposes.
-
Re:get away car
You missed the entire part where for 10 years now the sequence numbers have been randomized and are no longer predictable. Mitnick's attack is simply not feasible, and has not been for 10+ years depending on the TCP stack.
Re read my post above:
....Which is a lot less feasible now that sequence numbers are pseudorandomly generated:
(from http://www.symantec.com/connect/articles/ip-spoofing-introduction [symantec.com])
Today, most OSs implement random sequence number generation, making it difficult to predict them accurately.
(and again, that quote is 10 years old)
Before attacking me for not understanding TCP, you might want to read the entirety of my post.
-
Re:get away car
That simply won't work. Telnet is TCP, which means a single packet won't work-- there will be acknowledgements sent back and forth with sequence numbers. You can't simply have your client shout at the server without ever receiving data back, because you will be unable to complete the 3 way handshake.
From wikipedia:
SYN: The active open is performed by the client sending a SYN to the server. The client sets the segment's sequence number to a random value A.
SYN-ACK: In response, the server replies with a SYN-ACK. The acknowledgment number is set to one more than the received sequence number (A + 1), and the sequence number that the server chooses for the packet is another random number, B.
ACK: Finally, the client sends an ACK back to the server. The sequence number is set to the received acknowledgement value i.e. A + 1, and the acknowledgement number is set to one more than the received sequence number i.e. B + 1.
That third part is where your plan fails: You will never get the SYN-ACK from the server, and will thus not know what sequence number the server chose, and will thus be unable to generate an ACK that would be acceptable to the server.
Generally the client isn't even going to send more than a few packets before stopping to wait for the server's ACKs, which will never arrive.
It's possible that at one point sequence numbers were easier to guess; if you have used nmap any time in the recent past you will notice that basically every target you scan lists "sequence number prediction" as "good luck". As I say, I'm no history guru, but it seems to me that at one point it may have been easier to predict, but that (obvious) hole that allowed IP spoofing of TCP connections has been closed.
That article you link corroborates what I'm saying:
Two different attack mechanisms were used. IP source address spoofing and TCP sequence number prediction were used....
Which is a lot less feasible now that sequence numbers are pseudorandomly generated:
(from http://www.symantec.com/connect/articles/ip-spoofing-introduction)
Today, most OSs implement random sequence number generation, making it difficult to predict them accurately.
Note that that article was written in 2003, a full 9 years ago (back before symantec became awful!)
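The handshake both replies above walk through, as an added example (this is not code from the linked Symantec article, from Wikipedia, or from either poster): a simulation of the server side of the three-way handshake against an attacker who never receives the SYN-ACK. It is run once with an incrementing ISN in the style of the old 4.2BSD generator and once with a per-connection unpredictable ISN, which is what current stacks do (RFC 6528 specifies a clock plus a keyed hash of the connection 4-tuple). The 64000 step, the eight-guess budget, the addresses and all function names are assumptions for illustration; the real Mitnick attack also had to SYN-flood the trusted host so it would not reset the unexpected SYN-ACK, which is left out here.

```python
"""Blind TCP handshake spoofing against predictable vs. random ISNs (simulation).

Added example, not from the linked article. Models only the server's SYN/ACK
handling and an attacker who never sees the SYN-ACK.
"""
import random

MOD = 2 ** 32


class TcpServer:
    """Minimal server-side handshake state, keyed by the peer's (ip, port)."""

    def __init__(self, isn_policy="random", rng=None):
        if isn_policy not in ("sequential", "random"):
            raise ValueError("isn_policy must be 'sequential' or 'random'")
        self.isn_policy = isn_policy
        self.rng = rng or random.SystemRandom()
        self._next_isn = 1000  # constructed starting value for the sequential policy
        self.half_open = {}    # peer -> (server ISN B, expected client seq A+1)
        self.established = set()

    def choose_isn(self):
        # 'sequential': simplified 4.2BSD-style counter, +64000 per connection (assumption).
        # 'random': stands in for RFC 6528-style per-connection unpredictability.
        if self.isn_policy == "sequential":
            isn = self._next_isn
            self._next_isn = (self._next_isn + 64000) % MOD
            return isn
        return self.rng.getrandbits(32)

    def on_syn(self, peer, client_seq):
        """Handle a SYN from `peer`; return the SYN-ACK fields sent back to `peer`."""
        b = self.choose_isn()
        self.half_open[peer] = (b, (client_seq + 1) % MOD)
        return {"seq": b, "ack": (client_seq + 1) % MOD}

    def on_ack(self, peer, seq, ack):
        """Handle the final ACK; succeed only if seq == A+1 and ack == B+1."""
        entry = self.half_open.get(peer)
        if entry is None:
            return False
        b, expected_seq = entry
        if seq != expected_seq or ack != (b + 1) % MOD:
            return False
        self.established.add(peer)
        del self.half_open[peer]
        return True


def legit_connect(server, peer):
    """Ordinary client: it receives the SYN-ACK, so it can always finish."""
    a = random.SystemRandom().getrandbits(32)
    synack = server.on_syn(peer, a)
    return server.on_ack(peer, seq=synack["ack"], ack=(synack["seq"] + 1) % MOD)


def blind_spoof(server, trusted_peer, guesses=8):
    """Attacker spoofing `trusted_peer` without ever seeing the SYN-ACK.

    1. Open a real connection from its own address to sample the server's ISN.
    2. Send a SYN carrying the trusted source address; the SYN-ACK goes to the
       trusted host, so the attacker only knows B if it can predict it.
    3. Send ACKs for a few predicted values of B. With a +64000 counter the next
       ISN is sampled_b + 64000; with random ISNs each guess has a 2**-32 chance.
    """
    attacker = ("attacker", 40000)        # constructed attacker endpoint
    probe = server.on_syn(attacker, client_seq=1)
    server.on_ack(attacker, seq=probe["ack"], ack=(probe["seq"] + 1) % MOD)
    sampled_b = probe["seq"]

    spoofed_a = 777                        # constructed client ISN for the spoofed SYN
    server.on_syn(trusted_peer, spoofed_a)  # the reply is lost to the attacker: not read

    for k in range(1, guesses + 1):
        guess_b = (sampled_b + 64000 * k) % MOD
        if server.on_ack(trusted_peer, seq=(spoofed_a + 1) % MOD, ack=(guess_b + 1) % MOD):
            return True
    return False


if __name__ == "__main__":
    for policy in ("sequential", "random"):
        print(policy, "blind spoof succeeded:", blind_spoof(TcpServer(policy), ("trusted", 5000)))
```

With the sequential policy the first guess lands, because sampling one ISN tells the attacker the next one; with the random policy the spoofed SYN leaves a half-open entry on the server that the attacker can never acknowledge, which is exactly why the third step of the handshake is where a blind spoof fails.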
-
Re:Question though:
I don't know what they are updating, but they certainly are not pushing signature updates 7-8 times a day. Not enough new threats come out every day to warrant that kind of update cycle.
FWIW, I don't even see an official product page for the "2013" version, which makes me think you might be running a trojan and the 2012 version only updates every few days, which is typical.
-
Re:Watering Hole Attack.
The bit.ly link goes to www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf
Or, you too can be a marketroid for the day: bit.ly/Q07MpB+
-
Microsoft Windows only ..
"The PDF file attached to the email exploits the Adobe Reader 'CoolType.dll' TTF Font Remote Code Execution Vulnerability (BID 43057). It uses a technique known as return-oriented programming (ROP) to bypass Data Execution Prevention (DEP), using code in the icucnv36.dll module."
-
Re:Helps when you have the OS companies helping
I definitely don't like anti-virus companies or products, but what about Symantec's research into Stuxnet? I think that was original research, and quite comprehensive.
-
Actual Symantec report: nothing like reporting
The Symantec report, the Internet Security Threat Report, 2011 Trends, did not say what the article in the OP claims.
The actual report is here: http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_2011_21239364.en-us.pdf . Page 33 of the report, the only discussion of religion, states
"religious and ideological sites were found to have triple the average number of threats per infected site than adult/pornographic sites."
Three points:
1. The report lumps religious and ideological sites together. Maybe the infected sites were ideological (non-religious) sites. You cannot conclude anything about religious sites at all from that statistic.
2. The report implies nothing about the safety of religious/ideological sites. It just says that if a religious/ideological site is infected, then it has more threats on average than an infected adult site. If the percentage of religious/ideological sites that are infected is lower than the percentage of adult sites that are infected, then religious/ideological sites could be much safer on average. Indeed, figure 16 on page 36 of the report doesn't list religious/ideological sites as dangerous. The point is that the safety of religious/ideological sites as a whole must account for uninfected sites. The "number of threats per infected site" is just about irrelevant.
3. If there is any limit to the gullibility or statistical illiteracy of internet users, I have yet to perceive it.
-
Original report
The original report is here. The relevant paragraph says:
It is interesting to note that Web sites hosting adult/pornographic content are not in the top five, but ranked tenth. The full list can be seen in figure 16. Moreover, religious and ideological sites were found to have triple the average number of threats per infected site than adult/pornographic sites. We hypothesize that this is because pornographic website owners already make money from the internet and, as a result, have a vested interest in keeping their sites malware-free – it’s not good for repeat business.
Figure 16, interestingly, does not show religious and ideological sites, I assume it is grouped with "Education/Reference". The full top 10 is
- Blogs/Web Communications
- Hosting/Personal hosted sites
- Business/ Economy
- Shopping
- Education/ Reference
- Technology Computer & Internet
- Entertainment & Music
- Automotive
- Health & Medicine
- Pornography
-
Re:A voting machine is better than paper
The link for "remarkably successful" should have been to Symantec's W32/Induc-A page which describes a virus which attacks Delphi programmers.
-
Re:ICANN is corrupt
If you don't want to follow the laws of the US, don't use .com, use the country that has the laws you agree with. Would you be screaming if MegaUpload was hosted in the US and the servers were confiscated? Why do you think it is any different for MegaUpload.com domain name than it would be for their physical servers? It is a fact that Verisign has offices in the US, therefore it has to do what US law says.
http://www.symantec.com/business/theme.jsp?themeid=contact-verisign
^ that link is from the main page of Verisign's web site as their contact Verisign link.
-
Norton tries to provide a working uninstaller
At least Norton tries to provide a working removal tool at no charge. The only problem I've found is that it's made deliberately inaccessible to blind users (with a CAPTCHA) so that malware doesn't automatically run it on every computer that it tries to infect.
-
Re:Am I Supposed to Care?
Verisign alone might not, but Symantec (which now owns the "trust" business of Verisign), has 41.72% of the market, according to Netcraft: http://www.symantec.com/about/news/release/article.jsp?prid=20110526_01
-
Re:5th Amendment
Yup, crack it.
Sorry but the whole premise of your statements is off. She is using Symantec PGP which is uncrackable. Everything else after that is irrelevant as the encryption is still there.
Photos? How does a photo of a hard drive prove that the data on the drive has not been manipulated?
You continue to miss the point. It is not about police in the field; it is about the drive once it is in the evidence locker and needs to be accessed to get data off of. That is where the tampering will take place if it does. An investigator signs the drive out, manipulates the data and signs the drive back in. The picture of the drive does not change.
The hurry is that there is no way to decrypt the drive without the password and someone who has stolen thousands if not millions of dollars from hard working people may get away with it just because she used PGP. The people who lost the money sure would not agree with it. There is also the issue with due process. One can not charge someone and wait a couple of years while an NSA computer cracks the encryption before going to trial. The case would be thrown out. There is also a statute of limitations to watch.
-
Re:Google Needs To Get Their Ass In Gear
No, it's flagging it as "Malware" because it wants to you do the following as their solution for removing the so-called "Malware". Note how they conveniently left the simplest instructions for uninstalling the application all the way at the bottom of the page (where almost no one will see it).
-
Re:Google Needs To Get Their Ass In Gear
Perhaps Symantec are flagging it as malware because it is using permissions that the app clearly does not need, and it is just some rookie developer that has permission code copied in from some other site?
You could try clicking the link in the article and see why. http://www.symantec.com/security_response/writeup.jsp?docid=2012-012709-4046-99&tabid=2
Or just be lazy like the rest of the slashdot herd.
-
Symantec white paper
Had to deal with this issue this morning
Extra information http://www.symantec.com/connect/sites/default/files/pcAnywhere%20Security%20Recommendations%20WP_01_23_Final.pdf
Presently, if you use pcAnywhere for WAN access, disable it now; if you use it in a closed network it should be ok, unless someone is already on the network, but if that is the case you already have a problem bigger than this.
I think Symantec handled this ok. When Anon stated they had the source code last week, Symantec issued a statement about what they had, mainly 2006 code. Anon yesterday declared they had a few zero days; Symantec issued a statement dealing with it last night.
-
Re:Consider them gone.
I never understood why people would upload a copy of a file to the Internet, manually/purposefully delete their only local copy, and proceed to complain that they no longer have a local copy.
Why on earth would you delete it from your computer?!?
There is NO excuse for this problem.
This is FAR from a new issue with "the cloud" either.
People used to do the exact same thing with web-hosting.
They would upload their website to a web server somewhere, delete their only copy, then when the hosting company went under, had the server crash, disk failure, whatever... the user would proceed to blame the ISP for the fact the user themselves deleted their only copy from their own computer. wtf?
The standard rule for backups is, if you can't bother to have two copies (One on your computer, one backed up on another device) then it clearly wasn't important enough to warrant bitching about when you lose it. That rule implied ONE copy was not enough... Why on earth would people think ZERO copies is any better?
Hard drives die. It's a fact of life. The "if" is always a yes, only the "when" is variable.
That fact alone is reason enough to already have more than one copy in your own home on your own equipment.
A provider disappearing like this should be nothing worse than a minor inconvenience in finding somewhere else to host it and upload another copy, then chase down URLs pointing there and update them. Sure, that can be a bit of work and is quite annoying, but it should be nothing on the scale of data loss.
Storage is cheap.
Encryption is easy (Thanks to the efforts of projects like PGP, GPG, and TrueCrypt)
BackupPC is free, runs on Linux which is free, and can be as simple as an old Pentium-2 desktop sitting unused in your basement that you toss a couple extra hard drives in.
You set it up once and it does everything for you! It daily grabs copies of other computers, all automated, all by itself. It can backup Linux, Windows, and even OSX via the network. You can feed it DHCP logs to watch for less frequently connected machines like laptops. It de-duplicates to save disk space, and can email you if and when a problem crops up. I only check mine twice or so a year just to make sure things are running (never had a problem yet) and as it deletes older backups only when needed to make room for new ones, with de-duplication I can go grab a file from any date between now and three years ago, at any stage of editing (Well, in 3 day increments for my servers.. but it's all configurable, and should be set based on the importance of the data!)
On ubuntu and debian based systems, it is a single apt-get install away. Likely just as easy on any other distro with package management.
Any true computer geek can slap together such a system with zero cost and spending less than an afternoon. Anyone else can do so for minimal cost and perhaps a day of work.
Apple has ridiculously easy backup software (Time Machine?), and Windows has the advantage of most of the software out there being written for it, so the odds that there are less than five different software packages to do this exact same thing is next to impossible.
Hell, even for non-geeks, most people have that one guy or gal in the family who supports everyones computers. Just ask them! They will likely be ecstatic to help, possibly will donate spare parts from their collection (Or find you the best prices on parts if not) - and be content in the fact they won't have to tell you things like "Sorry, your hard drive has the click-o-death, I can't recover anything from it." which no one likes to need to say.
This is worth repeating: There is NO excuse for this problem.
Personally, if it's important, I have a bare minimum of four copies.
One for actually using, on my system drive.
One that got a
-
Re:LOL spoofed IP
So I was correct. You are talking about tracker communication used to keep track of participating clients. "The dictionary exchange", L7. Therefore the client must explicitly state its (external, routable) IP address to be given out to external peers. I'm talking about the process involved in sharing the files, L3. P2P can be set up over TCP but traditionally it is pretty rare. Though I do have to say I'm seeing more and more of it over TCP port 80. Why not over port 443 I don't know but...
http://www.symantec.com/connect/articles/identifying-p2p-users-using-traffic-analysis
Today almost all P2P applications using a decentralized structure have a built-in module to fulfill their interaction work, because there are many control purpose packets needed to be sent out to many destinations. A great deal of the modern P2P networks and protocols select UDP as the carrying protocol.
Why do they select UDP? UDP is simple, effective and low-cost. It does not need to provide guarantee for packet delivery, establish connection, or maintain connection state. All these features make UDP fit for fast delivery of data to many destinations. These are just what P2P applications need. Inspecting different P2P applications carefully, you will find most of the modern decentralized P2P applications adopt a similar network behavior. When they start up, they create one or several UDP sockets to listen, and then communicate with abundant outside addresses during their life by using these UDP ports to assist their interaction in the P2P world.
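The behaviour the quoted article describes (one or a few UDP sockets, then control traffic with a large number of remote addresses through them) turned into a detection heuristic over flow records, as an added example; this is not the article's code nor the poster's. The flow records are constructed, and the record format, the 16-peer threshold and the 10.0.0.0/24 local prefix are assumptions. Note the caveat a practitioner would add: a recursive DNS resolver, an NTP server or a VoIP gateway shows the same peer dispersion on one UDP port, so in practice the output needs an allowlist of known services.

```python
"""Flag local UDP endpoints that exchange packets with many distinct remote hosts.

Added example, not code from the linked Symantec article. Implements the
peer-dispersion heuristic the article describes for decentralised P2P clients.
"""
from collections import defaultdict

# Constructed flow records: "<proto> <src_ip>:<src_port> <dst_ip>:<dst_port> <packets>"
SAMPLE_FLOWS = [
    # DNS stub resolver: fresh source port per query, a single remote address
    "udp 10.0.0.7:50331 192.0.2.53:53 1",
    "udp 10.0.0.7:50332 192.0.2.53:53 1",
    "udp 10.0.0.7:50333 192.0.2.53:53 1",
    # game client: one UDP port, a handful of servers (stays below the threshold)
    "udp 10.0.0.8:41000 198.51.100.200:27015 30",
    "udp 10.0.0.8:41000 198.51.100.201:27015 12",
    "udp 10.0.0.8:41000 198.51.100.202:27015 9",
    # TCP web traffic is outside this heuristic entirely
    "tcp 10.0.0.9:443 198.51.100.20:51000 40",
    "tcp 10.0.0.9:443 198.51.100.21:51001 35",
]
# P2P client on 10.0.0.5: one listening UDP port, many peers in both directions
SAMPLE_FLOWS += [f"udp 10.0.0.5:6881 198.51.100.{i}:6881 {2 + i}" for i in range(1, 21)]
SAMPLE_FLOWS += [f"udp 203.0.113.{i}:51413 10.0.0.5:6881 2" for i in range(1, 6)]


def parse_flow(line):
    """Split one record into (proto, src_ip, src_port, dst_ip, dst_port, packets)."""
    proto, src, dst, pkts = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return proto.lower(), sip, int(sport), dip, int(dport), int(pkts)


def udp_peer_dispersion(lines, local_prefix="10.0.0."):
    """Map each local UDP endpoint (ip, port) to the set of distinct remote IPs it
    talked to, counting both outbound and inbound flows so a listening socket that
    is contacted by peers is scored the same as one that contacts them."""
    peers = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        proto, sip, sport, dip, dport, _ = parse_flow(line)
        if proto != "udp":
            continue
        if sip.startswith(local_prefix):
            peers[(sip, sport)].add(dip)
        if dip.startswith(local_prefix):
            peers[(dip, dport)].add(sip)
    return peers


def flag_p2p_endpoints(lines, min_peers=16, local_prefix="10.0.0."):
    """Return [((ip, port), peer_count), ...] for UDP endpoints at or above the
    threshold, most dispersed first. `min_peers` is an assumed tuning value."""
    peers = udp_peer_dispersion(lines, local_prefix)
    flagged = [(ep, len(remotes)) for ep, remotes in peers.items() if len(remotes) >= min_peers]
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for (ip, port), n in flag_p2p_endpoints(SAMPLE_FLOWS):
        print(f"{ip}:{port}/udp spoke with {n} distinct remote hosts")
```

Run against real data, feed it NetFlow/IPFIX or conntrack exports converted to that one-line form, raise `min_peers` until the known resolvers and gateways drop out, and only then treat the remaining endpoints as P2P candidates.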
-
Re:Homebrew
You could use something like Altiris Deployment Solution which was bought by Symantec. Judging by the screenshots of the latest versions, it already has the backup and wipe capabilities built in. So it would be a one box solution. I know that you can assign initial deployment tasks to any new system detected by DS, so you can just set it up to perform the backup first, then perform a data wipe, and when it's completed, the new system will be identified in the UI as such.
I've used an older version primarily for OS deployments in a large-ish (500-800 PC) network, and rarely had any difficulty. I think that the biggest downside, other than having to use Windows as your base OS, would be the costs for licensing. I think they sell it in blocks of 100 systems, and it isn't exactly cheap. It will, however, do exactly what you want in an automated fashion.
-
Re:Homebrew
Ghost was never designed to do Gov/Mil disk wiping like what you are asking.
ftp://ftp.symantec.com/public/english_us_canada/products/ghost/manuals/DoDwipe.pdf
http://service1.symantec.com/SUPPORT/ghost.nsf/docid/2002112213111525
gdisk.exe 1 /DISKWIPE /DOD /Y
gdisk.exe 2 /DISKWIPE /DOD /Y
gdisk.exe 3 /DISKWIPE /DOD /Y ...
-
U CAN kill Duqu w/ Recovery Console
You can use your installation media to clear bootsector malware of any kind!
---
1.) Boot up to RECOVERY CONSOLE (read only environs of the install media, use this)
2.) Use FixMBR to FIRST fix a bootsector
3.) OPTIONAL: IF a bogus rootkit protects that with a driver (ala hello_tt.sys, from "the indestructible rootkit" a month or so ago)? You can use the DISABLE command to stop said "bogus bootsector protector" driver (again, hello_tt.sys in the case above), which upon reboot disables the protective driver from loading and protecting its bogus bootsector!
---
The KNOWN drivers to disable, are as follows:
cmi4432.sys, jminet7.sys, nfrd965.sys, & adpu321.sys (4 drivers) & NETP191.PNF DLL is the usermode lib to destroy & that's covered below too, on its removal a couple of ways!
(The files noted are per Symantec's updated research on it here -> http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf )
(After this "optional step" (optional for rootkits that just use a bogus bootsector that is), because this thing uses drivers, perform step #1 once more, & you SHOULD be ok - this is how you kill these types of rootkits from a read-only inviolate environs, & one that works PRIOR to a rootkit being able to deceive usermode antivirus/antispyware/antimalware tools in general!)
Mind you - This is about a 5 MINUTE FIX too, very fast...
* You do those steps, in THAT exact order, with most ANY rootkit (provided their drivers do NOT protect the reg init. area for drivers (which isn't always the case in rootkits, using drivers for that))?
It's history!
(AND, yes, with tools you already OWN if you're a Windows user!)
NOW - Should the rootkit "haul in" more malware while you're in usermode operations?
Well, 2 ways to kill that too (sometimes, rootkits do that also in usermode):
---
A.) RECOVERY CONSOLE bootup, use the DEL command on the offending malware's files...
OR
B.) ProcessExplorer.exe (to first find the offending exe or dll/lib, even if loaded under another process, infesting/infecting it, to first halt the parent calling process & delete the malware dll/lib on disk being called on).
---
"Here endeth the lesson"...
APK
P.S.=> LINUX IS NOT NEEDED AT ALL TO KILL THIS THING & as long as this thing's drivers DO NOT PROTECT THE REGISTRY INIT./LOAD AREAS FOR THOSE DRIVERS (& as far as I have read about its current design, it does not)? This technique will work to make it "history"
... apk
-
Duqu DRIVERS & DLL's 2 KILL w/ RC
Duqu uses cmi4432.sys, jminet7.sys, nfrd965.sys, & adpu321.sys 4 drivers & NETP191.PNF DLL
(This is per Symantec's updated notes on it here http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf ).
I.E. -> Use RC's DISABLE command on 'em (to stop them from loading at all, period) - this will stop them from protecting a bogus bootsector @ least (which IS what most bogus rootkits do via drivers).
* Also, if you want to "spot them", you can use LISTSVC (shows the state of ALL drivers AND EVEN SERVICES), first... to be sure they are there @ all!
APK
P.S.=> Once more - this SHOULD work, as it did vs. "the indestructible rootkit"'s HELLO_TT.SYS protectant of the bogus bootsector it uses... as long as the drivers don't protect their registry init/load areas? Again - this SHOULD work & with tools you already own, quickly... "Here endeth the lesson"... apk
-
DLL name to delete... apk
NETP191.PNF DLL (this is per Symantec's updated notes on it here http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf )
Ha - the malware makers use a technique of internal containment for it INSIDE other executables!
(I've done stuff like this in screensavers - housing video they playback as an internal resource that's extracted out to disk or memory & loaded for playback - makes for "1 piece/1 moving part" installations & runs, no installer needed type apps: However, in this case, in a malware? Heh - VERY sneaky!).
* This "update" of mine's per my last post, & using ProcessExplorer.exe to destroy the libs this malware uses -> http://it.slashdot.org/comments.pl?sid=2505686&cid=37921376
APK
P.S.=> In real essence though, this lib (that I assume, hopefully correctly) loads ONLY in usermode (correct me IF I am wrong/off guys, I only skimmed the updated docs on it from Symantec) - so, that said?
ProcessExplorer.exe MIGHT NOT EVEN BE NECESSARY! You can use Recovery Console's DEL command instead to destroy the DLL while in usermode IF it is still on disk, & doesn't just "extract" for injection in usermode only...
... apk
-
Re:Mod parent funny
The original Ghost is still produced as Ghost Solution Suite. See http://www.symantec.com/business/ghost-solution-suite. Symantec also produces Norton Ghost which uses a different code base and incompatible image file formats.
-
Re:bias?
HTML 5 offers better performance, better security, and better privacy controls (at least in theory) because it depends solely on the browser.
I'm sure it feels nice to say that, but what can you back it up with?
Performance: Most HTML 5 gaming / graphics demos I've seen peg the CPU worse than comparable Flash apps. Where are the examples that outperform Flash?
Security: In recent years, Flash has actually had fewer security vulnerabilities than most major browsers (2010, 2009).
Privacy: Flash has always given users full control over local storage ("Flash cookies"), and has made changes in the past year to make that UI easier to find. Flash also integrates with "private browsing mode." So, what privacy concerns are unique to Flash exactly?
A secure browser = secure HTML 5.
Sure, but a secure Flash Player = secure Flash, too. Problem is, no software is perfect and so today we have neither secure browsers nor secure Flash. Thankfully both are moving increasingly towards a process-sandboxing model that will go a long way toward making both more secure.
-
Re:just go all the way and uninstall Mcafee