Slashdot Mirror


Using Firewalls to Block Spyware?

MartinMotor asks: "I'm a Network Administrator for a company with approximately 200 users, and we just installed a shiny new PIX. Being the resourceful network geek type, I immediately started adding deny statements to kill off access to places where people can download evil cursed programs like HOTBAR. Is there anywhere out there where people like me are maintaining a list of IPs for spammers, spyware progs, and pop-uppers to add to our firewalls? I can't be the first person to have this idea."

72 comments

  1. spybot search and destroy by joFFeman · · Score: 5, Informative

    comes with a HOSTS.TXT that you can extract the data from.

    http://security.kolla.de/

    --
    "Life is great; without it, you'd be dead." -Harmony Korine
    1. Re:spybot search and destroy by Zocalo · · Score: 3, Informative

      I was going to suggest the "hosts.txt" that comes with KaZaA Lite, which is also pretty extensive (and available separately). Your best bet is probably to "cat * | sort | uniq" to get the combined list, but it's going to be pretty extensive...

      --
      UNIX? They're not even circumcised! Savages!
    2. Re:spybot search and destroy by Kz · · Score: 1
      sort -u *
      --
      -Kz-
    3. Re:spybot search and destroy by Anonymous Coward · · Score: 0

      Your best bet is probably to "cat * | sort | uniq" to get the combined list, but it's going to be pretty extensive...

      Be warned, because with OpenBSD these sorts of rules get searched in linear order. That means that if you have 200 block rules then every packet must go through all 200 rules before being accepted. I imagine this would be similar for other products.

      -Chad
      superfrink.net

  2. Firewall policy by Krandor3 · · Score: 5, Informative

    A firewall should be configured to deny everything and only allow through what is needed. Only open ports that you need to open. Stuff like pop-ups that run on port 80 (which you need to open for at least your squid proxy) are a different matter. As for blocking pop-ups and stuff like that, those are best done on the proxy server. On my proxy, I block all ad related sites (doubleclick, etc) and it is real easy to do with squid. The downside is that on some sites (like cnn) you get java errors on some of their java code. Just tell the users to say "no" to the "do you want to execute more java code from this page" and it is fine. That is the configuration I use and it works fine.

    1. Re:Firewall policy by spectral · · Score: 1

      I hope you aren't advocating only allowing certain egress ports, because that right there is the cause of so much headaches for users it's not even funny. Block stupid crap like hotbar, gator, etc. etc.. but PLEASE do NOT make me have to stop my work to go bug the tech person to bug his superior, to bug their superiors to open an egress port. I have to deal with that at my school (work situations are slightly different, but still rather annoying). I have to basically tunnel everything that isn't ftp access on the standard port, telnet on the standard port, or ssh on the standard port. Web access must all go through the proxy (which is completely borked), making working on webpages a pain in the butt.

      Egress port blocking = annoying as f*ck. And there's no reason for it that I can tell (unless you're completely anal that only certain programs be allowed, etc. In that case, shouldn't you also have a specific allow list of websites able to be viewed? Even then, it's rather annoying. IM services, etc are very commonly used in work places, and it helps a great deal to be able to IM the person in the next cubicle, or on the other side of the building, than call them up. Less disruptive to thought processes too.)

    2. Re:Firewall policy by Anonymous Coward · · Score: 4, Insightful

      Huh? Either this is a troll, or you just don't get it.

      Any half-wit administrator should be filtering all outbound traffic, to just the ports NEEDED for the business to function (in many cases, that means the internal equipment must use the proxy for everything, or they can forget about connecting to the net). Everything else should run through a proxy/caching server, or an internal SMTP relay server. I've yet to come across any application that I've permitted my users to install, which was unable to work with a proxy server.

      Not only does a proxy/caching/relay server greatly speed up overall internet access, but it allows for the company to fully log where an employee goes online, and better control their use of the net. In the event of any legal issues, the company can use those logs for either defense or prosecution.

      Effective egress filtering also prevents employees (or even a virus or trojan) from using your internet connection to send spam, attack others, and anything else that the business does not need the employee to do.

      If there's something wrong with your proxy server - that's likely the admin's fault, or a POS proxy server. I don't know what you use, but the squid proxy/caching server is one that I've used extensively in many environments, and it has performed without issue for quite some time.

      Are you aware that most IM sessions are not encrypted, all chat messages are passed through servers that you do not and cannot control, and therefore are not secure by any stretch of the imagination. You open that barn door, and I guarantee you your users will quickly forget whatever you told them about the insecurity, and start sending confidential and/or proprietary information via the chat tools.

      A specific list of websites - well, we actually do. Mozilla/Netscape can go anywhere on the net, but IE is restricted to just a few business related sites. This works very well to curtail users' access to potentially hazardous sites, without impacting their ability to function.

    3. Re:Firewall policy by spectral · · Score: 1

      Ok, I was a bit harsh because I'm having problems with egress filtering in a school situation: I live there, and they prevent me from doing my school work and other things by their stupid rules. Places of employment I agree with you a bit more. My fault for saying that it's bad at all times, there are certainly times when it's ok..

      I still say egress filtering is a nuisance to people who know what they're doing, but I guess it is a necessary evil against people who think they know what they're doing, and just fark stuff up.

    4. Re:Firewall policy by Anonymous Coward · · Score: 1, Insightful

      A nuisance yes, but a necessary evil - there are far too many people out there that think they know what they're doing, and don't have the slightest idea. Then there are the paper-trained MCSE/MBA people - knows enough to sound smart, but stupider than shit.

      These rules are very likely there for a good reason. I'm sure the admins are willing to listen to a good, well thought out argument against the filtering of something (I know I would).

      My rule basically goes like this; if you can present to me a good (management backed) business case to open this port up, and I can't come up with any effective alternatives (or serious security or other system issues) - I'll open it.

    5. Re:Firewall policy by PurpleFloyd · · Score: 1
      The poster wants to block spyware downloads, not spyware calling home. I've seen brand new, top-of-the-line Windows XP systems brought to their knees by loads of poorly designed and intrusive spyware and adware; in an enterprise system, filtering out incoming spyware downloads means fewer troubleshooting headaches, as well as no complaints from users that want to know what happened to their Bonzi Buddy. While a static block file might help things, new adware is being produced continuously. A user-maintained, moderated list of known spyware distribution sites and filenames would help get filtering serverside, where it could be much more easily managed.

      Another idea I've had is re-Ghosting my Win2k clients over the network every weekend; this would obviously require some sort of daemon on a very low level (maybe have a PXE server that changes the boot image based on the day of the week, and a scheduled reboot for midnight Saturday?), but would obviously eliminate almost all problems with viruses, adware and user-installed software. Of course, users would have to be indoctrinated to save all files to the network, or disaster would result. The adware problem is one that could actually be helped by Palladium-type digital signatures; the ability for a sysadmin to specify that only certain authorized binaries could be run is something I would like to see. God knows that users are creative in finding ways to circumvent access control measures; this could be a valuable weapon against the people we're supposed to be serving.

      --

      That's it. I'm no longer part of Team Sanity.
    6. Re:Firewall policy by TheLink · · Score: 1

      Ghosting win2k clients every weekend?

      Nah. Get one of those hardware recovery cards.

      http://www.google.com/search?num=100&hl=en&lr=&ie=ISO-8859-1&safe=off&edition=&q=card+%22hardware+recovery%22

      http://www.magiccard.ca/MCnews/apex_summary.htm
      http://www.pnltools.com/printproduct.asp?productid=196

      It doesn't stop a trojan from screwing up a user's files. Or exploiting other hosts on the network while the exploited PC is up. But reboot and most things are fine, just restore user's stuff from backup - no need to re-image O/S etc.

      Trouble with this solution is MUCH software seems to regularly need updating for security and other problems, that you'd still need to create a new image, and reimage stuff too often.

      --
    7. Re:Firewall policy by Istealmymusic · · Score: 1

      If you own a business and run a proxy server, please do not deny any users. You are doing a disservice to the Internet community by doing so, we already have a big enough problem with SMTP spam.

      --
      "The lesson to be learned is not to take the comments on slashdot too literally." --Vinnie Falco, BearShare
  3. pix spam blocking by Digita1Prophet · · Score: 3, Interesting

    Try the CAUCE, Osiris Relay, ORBS, and other spam clearing house websites. I was able to pull down spam domains and ip addresses to route to a non-existent port on my firewall.

    And don't forget those weather news download sites and gotomypc.com!!!!

    If you need some starter lists drop me a note.

    --
    Success is the ability to go from failure to failure without losing your enthusiasm.........
  4. Maybe these? by Gryftir · · Score: 4, Informative

    Spy Sites
    As a side note, if you can't find a big enough list, you can always load the spyware on a test machine.

    Gryftir
    Death to all Fanatics!

    --
    http://www.santacruzbynight.com/index.shtml Santa Cruz By Night Vampire Larp
  5. 10 domains will kill 90% by mattsouthworth · · Score: 2, Informative

    I asked myself the same question a few months ago - creating a blacklist for squid - and couldn't find a good resource. I grabbed the hostfile that came with spybot and started with that - I found that about 10 domain names account for 90% of the spyware out there.

    The list itself is at the office, but maybe I'll reply to myself tomorrow.

    1. Re:10 domains will kill 90% by mattsouthworth · · Score: 2, Informative

      Wow, I can't cut or copy out of the reporting client. Anyway, a list of domains to block should include what I have below. I haven't modified this for a couple months, so I'm sure there are new offenders.

      Ideally, you don't do this on your PIX, but on your web proxy (you don't allow unauthenticated unproxied web browsing do you?) - a lot of DNS lookups could seriously impair your firewall. Also, I got better performance by noting and including all the subdomains below (like http://hotbar.com and http://www.hotbar.com) BEFORE anything with a wildcard. If it matches on an explicit domain and doesn't drop down to one of the wildcards you save processor work.

      *.clicktilluwin.com
      *.brilliantdigital.com
      *.lop.com
      unitedstates.rub.to
      xupiter.com
      www.xupiter.com
      *.firstlook.com
      *.passthison.com
      *.ezcybersearch.com
      *.bonzi.com
      *.gator.com
      *.cometsystems.com
      *.xupiter.com
      *.hotbar.com
      *.livecursors.com
      *.mycometcursor.com
      *.purityscan.com
      *.smartpops.com
      *xww.de
      *.new.net
      *.cometsystems.*

    2. Re:10 domains will kill 90% by chipperdog · · Score: 1

      Dont forget

      *.microsoft.com

    3. Re:10 domains will kill 90% by Anonymous Coward · · Score: 0

      What's the word for taking a domain and causing all lookups on it on your NS box to return null? Dammit, I forget. For example you do this when a spammer uses 5-6 known NS boxes to handle his spam. You list those NS boxes like that and all NS lookups related to that domain return nothing so SMTP transfer should fail.

  6. Firewalls + a good policy by rogueMonkey · · Score: 3, Interesting

    Our site denies software installations of any type through Windows policies for anyone but power users (ie.: programmers and not even all of them). Sure there were complaints and groaning... But they weren't for crashing computers anymore. You'd be surprised at the kind of sh*t some cute screen savers (TM) install. DLL messups, preferences mangling! So while firewalling might prevent some of the symptoms of spyware (ie.: call homes) good policies both technically enforced and "socially" enforced go a long way.

  7. Time wasters... by (H)elix1 · · Score: 5, Funny

    I don't have a complete list, but you may want to add 66.35.250.150 to your IP blocks banned. I've seen way too much time lost to that one...

    1. Re:Time wasters... by muonzoo · · Score: 4, Informative
      In case you can't figure it out; it's funny.
      Welcome to Darwin!
      bash-2.05a$ host 66.35.250.150
      150.250.35.66.IN-ADDR.ARPA is a nickname for 150.0/24.250.35.66.IN-ADDR.ARPA
      150.0/24.250.35.66.IN-ADDR.ARPA domain name pointer slashdot.org
    2. Re:Time wasters... by Anonymous Coward · · Score: 0

      WARNING!!! PARENT POST IS A goatse.cx LINK!!!

      Lameness filter encountered. Post aborted!
      Reason: Don't use so many caps.

    3. Re:Time wasters... by Anonymous Coward · · Score: 0

      * Looking up 66.35.250.150 ------ * Resolved 66.35.250.150 to slashdot.org Wrong.

    4. Re:Time wasters... by Anonymous Coward · · Score: 0
      Why do you asshats insist on tricking people into going to goatse?
      ping goatse.cx

      Pinging goatse.cx [66.35.250.150] with 32 bytes of data:
    5. Re:Time wasters... by Anonymous Coward · · Score: 0

      What are you talking about you moron?

      PING goatse.cx (198.247.175.96): 56 data bytes
      64 bytes from 198.247.175.96: icmp_seq=0 ttl=49 time=99.4 ms
      64 bytes from 198.247.175.96: icmp_seq=1 ttl=49 time=98.6 ms
      --- goatse.cx ping statistics ---
      2 packets transmitted, 2 packets received, 0% packet loss
      round-trip min/avg/max = 98.6/99.0/99.4 ms

      PING slashdot.org (66.35.250.150): 56 data bytes
      --- slashdot.org ping statistics ---
      3 packets transmitted, 0 packets received, 100% packet loss

      :~$ dig goatse.cx A

      ; <<>> DiG 9.2.1 <<>> goatse.cx A
      ;; global options: printcmd
      ;; Got answer:
      ;; ->>HEADER ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
      ;; QUESTION SECTION:
      ;goatse.cx. IN A

      ;; ANSWER SECTION:

      goatse.cx. 604657 IN A 198.247.175.96

      ;; Query time: 52 msec
      ;; SERVER: 192.168.1.3#53(192.168.1.3)
      ;; WHEN: Tue May 13 22:01:09 2003
      ;; MSG SIZE rcvd: 43

    6. Re:Time wasters... by DASHSL0T · · Score: 1

      Welcome to Darwin!
      bash-2.05a$ host 66.35.250.150
      150.250.35.66.IN-ADDR.ARPA is a nickname for 150.0/24.250.35.66.IN-ADDR.ARPA
      150.0/24.250.35.66.IN-ADDR.ARPA domain name pointer slashdot.org


      Yeesh, give these Mac kids a command line and they start goin nuts!

      --
      Freedom Is Universal
      Linux-Universe
    7. Re:Time wasters... by muonzoo · · Score: 1
      Oh, sorry, perhaps I should have done:
      OpenBSD 3.2 (GENERIC) #25: Thu Oct 3 19:51:53 MDT 2002

      -bash-2.05b$ host 66.35.250.150
      Name: slashdot.org
      Address: 66.35.250.150
      Although there is something amusing about being called a "Mac Kid".
    8. Re:Time wasters... by Anonymous Coward · · Score: 0

      YHBT HAND

    9. Re:Time wasters... by DASHSL0T · · Score: 1

      Heh, it was all in good fun. Sorry if you took it different than was intended. Mea culpa.

      --
      Freedom Is Universal
      Linux-Universe
    10. Re:Time wasters... by fallen1 · · Score: 1

      Errrrrr, well, label me whatever you'd like but how about:
      C:\>tracert slashdot.org

      Tracing route to slashdot.org [66.35.250.150]
      over a maximum of 30 hops:

      --

      Dream as if you'll live forever.
      Live as if you'll die tomorrow.
      ~Anonymous~

  8. Excuse me? by Anonymous Coward · · Score: 0, Flamebait

    You let your users install stuff? You have a lot to learn...

  9. Some spyware modifies firewalls to get through! by StandardCell · · Score: 2, Interesting

    I can't remember which spyware apps did this, but they will actually go into the ZoneAlarm config and get through that way. It's scary, but it happens. IIRC I even read about it on /. (imagine that...).

    The other way firewalls get bypassed is if the spyware uses something already given permission to tunnel out on a system, like a web browser spyware plug-in would. In that case, what chance do you have of stopping it but to remove it?

    1. Re:Some spyware modifies firewalls to get through! by emptybody · · Score: 1

      well, if you are blocking egress to IPs that would do it.

      --
      comment directly in my journal
    2. Re:Some spyware modifies firewalls to get through! by Technician · · Score: 2, Insightful

      Zone alarm on a user's machine is not a replacement for a corporate firewall. Nothing on a user's machine should be able to mess with the corporate firewall. Some of your blocked ports should be blocked at your router/firewall, not by a user's software package.

      --
      The truth shall set you free!
    3. Re:Some spyware modifies firewalls to get through! by DA-MAN · · Score: 1

      Unless of course it communicates through an allowed port like 80.

      --
      Can I get an eye poke?
      Dog House Forum
    4. Re:Some spyware modifies firewalls to get through! by emptybody · · Score: 1

      unless of course you have properly ordered your rules to block IPs before allowing ports.

      --
      comment directly in my journal
    5. Re:Some spyware modifies firewalls to get through! by Anonymous Coward · · Score: 0

      I'm not too worried about spyware messing with my PF ruleset.

    6. Re:Some spyware modifies firewalls to get through! by Analysis+Paralysis · · Score: 1
      Corporate firewalls are not a replacement for a personal one either. That corporate firewall has no way to tell what application is trying Internet access - so a connection to port 80 outside could be Internet Exploder/Netscrape or SuperStealthTrojan with both being dealt with in the same way.

      Both types of firewall are needed - and with new ways for malicious apps to piggyback onto legitimate ones like Firehole, an up-to-date personal firewall that can handle DLL injection (I believe the latest ZoneAlarm does as does version 2 of Outpost - currently in beta) should be thought of as a necessary companion to the corporate firewall. An application firewall like System Safety Monitor should also be considered - properly configured this can stop any spyware in its tracks.

      Finally, restricting Active Content (ActiveX, Javascript and Java) to only a few "trusted" sites will do a great deal to prevent users from being affected by drive-by downloads, home page hijacking and various other forms of malware. A good reference on these can be found at Eric Howes' Privacy and Security Site.

    7. Re:Some spyware modifies firewalls to get through! by DA-MAN · · Score: 1

      That wasn't part of the deal! My point was that simply blocking ports is not good enough, not that blocking ports and ip's wasn't good enough. Either way my point still stands, there is very little additional security in simply blocking ports.

      --
      Can I get an eye poke?
      Dog House Forum
  10. hosts file works well by infonography · · Score: 4, Informative

    Here is a copy of mine in Text format.

    --
    Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
  11. Shutting the barn door by Demona · · Score: 2, Informative

    after the horse has left, but for what it's worth, there's Peer Guardian, which uses a constantly updated list of IP addresses which have been declared "bad".

    --
    Fuck Slashdot
  12. Blocking the Permissioned Media "trojan" by questionlp · · Score: 2, Informative
    After having a couple of calls regarding the Permissioned Media "trojan" from users at work (which will still install even if you decline the Software Install prompt at the warning), I decided to look around the Net for ways to block it. I stumbled across Symantec's listing of the "trojan", which provided a list of IP addresses.

    So I set up outbound deny rules on the firewall for those IP addresses and DNS servers related to Permissioned Media. That stopped the problem until they started to host the download off of other IP addresses and servers... so I went back to the SARC document and added the new IP addresses to the block list. For two weeks, I checked the page twice a day to see if the list changed. Since then, the problem stopped.

    As far as HotBar is concerned, I set up the internal DNS caching server to be authoritative for the hotbar.com zone and pointed it to a non-active IP in the local subnet. That fixed much of the problem of people installing it... :)

  13. Careful... by rumpledstiltskin · · Score: 1

    Be careful, you don't want to get sued

  14. Re:FP Redundant? by Anonymous Coward · · Score: 0
    you must be dumb or french never to have seen an FP modded redundant

    Do not insult me sir! To call me dumb is fair play, but French? That is a low blow.

    Actually, I was just having a bit of fun at the expense of some karma.

  15. Re:hosts file works well --- Sort of OT by infonography · · Score: 1

    Yes I do make those boots in the directory above the file.

    --
    Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
  16. Windows XP supports application signing by fluor2 · · Score: 0, Troll

    Windows XP supports application signing. Learn more at microsoft.com/windowsxp

    1. Re:Windows XP supports application signing by Anonymous Coward · · Score: 0

      -5 troll.
      M$ Zealot.

  17. Personal Software firewall. by GreenKiwi · · Score: 1

    I personally use Tiny Personal Firewall. It doesn't have tons of features but it does the job. Every time a program tries to access the internet, I'm given the option to block or allow and can set up rules accordingly. So when adware tries to get out and report home, I block its network connection. (Ver. 2 is free)

    In addition, it is nice because I can stop Outlook Express from accessing images from HTML docs, and many programs with built in images for ads can have their ads blocked as well.

    There are other such programs, I just don't know much about them.

  18. I use a hosts file by BladeMelbourne · · Score: 1

    My hosts file is here:
    http://www.froggy.com.au/mike.skinner/16bit win.htm

    It blocks lots of ads, cookies, trackers and XXX sites. It might even block Slashdot images and ads ;-) to load much faster...

  19. Add to your ban list: by lateralus_1024 · · Score: 2, Funny


    http://www.slashdot.org

    --
    If you think /. comments are bad, check out Digg.
  20. quick and dirty way by ReaperEB-Moo · · Score: 1

    We had the same problem here, someone went and started to image our new sites, and hmm what do we find but Gator.. this thing was driving us nuts, but since we have our own internal DNS that gets used, we put an entry in the DNS that pointed all traffic destined for gator to 127.0.0.1 .. the gator traffic that was 75% of our outbound traffic dropped to 0%...

  21. The easiest way to do this.. by Zeddicus_Z · · Score: 3, Informative

    The easiest way to achieve what you want is to change your network security policy, and enforce it by way of ACLs on the INSIDE interface of your PIX. By this, I mean:

    Go from your current "Internal users can access anything they want" (default allow), to "Internal users can ONLY access what we allow" (default deny). The beauty of this is that you *don't* waste time tracking down various ports for each and every application you want to block. Nor do you have to worry about keeping up with the latest spyware-ridden P2P client crap to be released. The only thing it *won't* cover is applications using protocols you allow (such as using port 80 for data xfers in $P2PappName). You can cover this with more specific ACLs on a per-shittyFsckingMakeMyNetworkAdminLifeMiserableP2PApp basis. But I digress.

    The PIX makes this very easy - matter of fact, we do this exact same thing at work.

    First thing you need to do is take a list of all network applications (or protocols) that your users require to do their jobs. Things like FTP, WWW, SSH and the like. Next, you formulate your ACL list to be applied to the inside interface (or whatever name you gave to the interface your users sit on. It defaults to INSIDE with a security level of 100). Do this in a text file, and check it for sanity BEFORE you apply it to your PIX (otherwise you have irate users calling you 100 at a time, screaming that you broke $nameOfAppINeedToDoMyJob).

    Once you have this list and you think it's complete, add a default deny rule to the bottom. Now before you go pointing out that PIX already has default-deny, you should STILL add this because the PIX won't log packets that hit its default deny - only packets that match an explicitly defined Default Deny ACL.

    Very basic example ACL list:

    access-list PERMIT_OUT permit tcp any any eq 80
    access-list PERMIT_OUT permit tcp any any eq 21
    access-list PERMIT_OUT deny ip any any log
    access-group PERMIT_OUT in interface inside
    (the deny line denies all other traffic from any source to any destination on any port, and logs it; the access-group line applies the list to the inside interface)

    The above will allow FTP and HTTP outbound for your users (you need to use protocol fixup on the FTP), and deny ALL other traffic! Problem solved, and it only takes about 10 minutes to do.

    --
    Janie took my gun...
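
Rendering an inside-interface ACL of the shape shown in the post above from a kept list of hard-coded spyware addresses, with the host/network denies ordered ahead of the port permits (emptybody's point earlier in the thread, since the PIX stops at the first matching rule) and the explicit logged deny last. This is an added shell example, not the poster's configuration; the ACL name, the port list and the address list are assumed.

```shell
#!/bin/sh
# Render the inside-interface egress ACL from a list of hard-coded spyware
# hosts and networks ("a.b.c.d" or "a.b.c.d/nn", "#" comments) plus the TCP
# ports the business needs. First matching rule wins on the PIX, so the
# specific denies go first, the permits next, and an explicit logged deny
# last so the hits reach syslog. Constructed example for this thread; the
# address list, ACL name and port list are assumed.

# pix_egress_acl NAME "PORT ..." IPFILE : print the ordered ACL plus the
# access-group line that binds it to the inside interface.
pix_egress_acl() {
    awk -v acl="$1" -v ports="$2" '
        # mask(n): dotted-quad netmask for a /n prefix, e.g. 27 gives 255.255.255.224
        function mask(n,   i, b, s) {
            s = ""
            for (i = 0; i < 4; i++) {
                b = n - 8 * i; if (b > 8) b = 8; if (b < 0) b = 0
                s = s (i ? "." : "") (256 - 2 ^ (8 - b))
            }
            return s
        }
        # valid_ip(ip): four decimal octets, each 0..255
        function valid_ip(ip,   q, i) {
            if (split(ip, q, ".") != 4) return 0
            for (i = 1; i <= 4; i++) if (q[i] !~ /^[0-9]+$/ || q[i] + 0 > 255) return 0
            return 1
        }
        { sub(/#.*/, "") }                       # drop trailing comments
        NF == 0 { next }
        {
            n = split($1, p, "/"); ip = p[1]; len = (n == 2) ? p[2] + 0 : 32
            if (n > 2 || !valid_ip(ip) || p[2] !~ /^[0-9]*$/ || len > 32) {
                print "skipped malformed entry: " $1 > "/dev/stderr"; next
            }
            if (len == 32) printf "access-list %s deny ip any host %s log\n", acl, ip
            else printf "access-list %s deny ip any %s %s log\n", acl, ip, mask(len)
        }
        END {
            np = split(ports, pl, " ")
            for (i = 1; i <= np; i++)
                printf "access-list %s permit tcp any any eq %s\n", acl, pl[i]
            printf "access-list %s deny ip any any log\n", acl
            printf "access-group %s in interface inside\n", acl
        }
    ' "$3"
}

# write_sample_list FILE : constructed stand-in for the hand-kept IP list.
write_sample_list() {
    printf '%s\n' \
        '198.51.100.7      # hard-coded "phone home" host (constructed)' \
        '203.0.113.0/24    # adware download network (constructed)' \
        '192.0.2.0/27      # smaller net, exercises the mask maths' \
        '999.1.1.1         # malformed, must be skipped' > "$1"
}

# Stand-alone run on the constructed list; review the output before pasting it.
list=$(mktemp) && write_sample_list "$list"
pix_egress_acl PERMIT_OUT "80 21" "$list"
```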
  22. Off topic: Using sort(1) portably by Xenophon+Fenderson, · · Score: 2, Interesting

    The "-u" flag to sort(1) only works on systems that implement the XPG4 standard. If you want to write portable shell scripts, you'll need to call uniq(1). Unfortunately for us script writers, not all the world uses GNU textutils.

    HTH. HAND.

    --
    I'm proud of my Northern Tibetan Heritage
  23. Simple but effective... by Sherloqq · · Score: 1

    Don't mean to sound like an Internet Nazi, but...

    Denying all traffic while allowing only the bare minimum necessary is a good policy to implement on many levels. Here's some of the most important reasons why that are in my head right now (not necessarily in order of importance):

    - increased security: not only are outsiders unable to see what you have running inside (obscurity), they simply can't get to it. What can't be reached, cannot be easily (i.e. directly) exploited

    - simplifies management of rules: instead of blocking port A for irc, port B for ICQ/AIM, port C for Gnutella, port D for... this IP range for irc, that IP range for Gnutella... just block everything by default. No worries if new nodes, not yet on your list, pop up. Less time spent adding IPs. No worries that a third-party blocking mechanism might block false-positives

    - increase productivity (yeah, yeah, I know). But, simple fact is, when people are at work, they should be working, not downloading the latest Britney Spears singles (and yes, I am a hypocrite when I say this, because I am reading / posting to slashdot right now)

    - make sure that whatever means of blocking you use (e.g. a firewall) are configured to filter both incoming and outgoing traffic: even if a piece of spyware makes its way inside, it won't do too much harm (except maybe try to spread itself)

    - in general use the least-trust principle -- it's simply the way to go, not just about spyware, but in general

    Yes, I am biased. I'm an admin :)

    --
    Have EVDO, will travel.
    1. Re:Simple but effective... by Anonymous Coward · · Score: 1, Funny

      You're also fired.

      -- The mgmt

  24. The ones who claim to know by Archfeld · · Score: 1

    what they are doing are the worst, any true Guru generally downplays their knowledge because they know how much is out there and how fast it changes.

    I once read, the more you know, the more you know there is to know, the less you really know.

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?
  25. Weird FedEx by Animats · · Score: 1

    One of the very few mainstream websites to use totally weird ports is FedEx. Their Java applet for shipping packages not only uses unusual ports, it requires that a connection be opened from the host side. If you're behind a NAT box, this is painful. Amazingly, Linksys has special support for this.

  26. ip blocking by sdibb · · Score: 1
    Make sure you block this ip address.

    Your employees will undoubtedly spend way too much time there, and it's full of a bunch of opinionated, undereducated tech geeks anyway!

  27. Using DNS to block spyware, IM, etc by Nonesuch · · Score: 1
    Better yet, block internal hosts from communicating to the Internet on port 53, and require all internal hosts to use the local nameservers instead.

    On these nameservers, override the zones for the biggest spyware domains and also for AIM, Yahoo Chat and the like, adding wildcard A records directing the request to the IP address of an internal machine running a HTTPd, or to 127.0.0.1.

    The effect is twofold -- this will break 90% of the spyware programs, and you will have a log of all of the internal clients with spyware installed.

    I use DJBDNS for the nameserver and publicfile for the HTTPd, but the same effect can be obtained with BIND and Apache.

    There are a few programs out there that use or will fall back to hardcoded IP addresses, but these can be dealt with by adding NULL routes at the appropriate gateway routers.

    1. Re:Using DNS to block spyware, IM, etc by anticypher · · Score: 1

      If I still had some mod points, I'd mod this post WAY up. It's one of the first few posts to deal with the original topic.

      In places where my clients were worried about spyware/trojans/web tracking/popups, I installed a split DNS with firewall rules blocking outgoing port 53 from all internal networks. The internal DNS server would only be allowed to contact the external, which would then perform the real world lookups. The internal server was made authoritative for hundreds (greps my master file, 322) domains which are known for popups, tracking, and spyware. The server returns a specific IP address which is null-routed at the firewall, and the main firewall returns an ICMP no-route-to-host for every packet heading to MalWareNet. If you don't return an ICMP packet many browsers will block for 10-60 seconds waiting for a response. The PIX was made for actions like this.

      There are a few dozen individual IP addresses that need to be blocked at the PIX level after that, for the few hard coded spyware/adware apps that don't bother using DNS. Of course, blocking everything and forcing lusers to use a web proxy can also help in identifying lusers who insist on downloading questionable applets and cruft from the internet. Before switching in a proxy, make sure you have a well explained security policy in place.

      It's amazing the comments we get from clients' lusers who can surf all day long at work and never see any ads/popups, and then go home to all the unfiltered shit on the internet. It really does make a difference.

      the AC
      the AC has a large and well maintained list of malware sites, and the knowledge to create a relatively secure internet connection. He's available for contract work at reasonable rates anywhere in Europe

      --
      Hemos is like...sci-fi fans; he thinks technology is cool, but he hasn't bothered to understand the science it's based on
  28. blackhole NS IPs by Anonymous Coward · · Score: 0

    BIND defines a "blackhole" ACL listing servers that will never be used to resolve a query, and which queries will never be accepted from.

    BIND 9 documentation states that "this is not yet implemented in BIND 9"

    The alternative is to add "block out return-icmp" rules to the packet filter for those destination IP addresses -- just dropping the outbound query packets will cause the nameserver to wait for the query to time out before returning SERVFAIL.

  29. Congratulations by SecretAsianMan · · Score: 1

    With karma to burn, I would like nothing more than to congratulate you on your achievement of the Useless Use of cat Award.

    --

    Washington, DC: It's like Hollywood for ugly people.

    1. Re:Congratulations by Istealmymusic · · Score: 1
      Is cat EVER useful except in rare circumstances or with programs that naively accept one filename only? The page said "The purpose of cat is to concatenate (or "catenate") files. If it's only one file, concatenating it with nothing at all is a waste of time, and costs you a process. " Well, sort is kind enough to accept any number of filenames, so you don't need to concatenate -- sort will do it for you, in one less process.

      sort * | uniq

      --
      "The lesson to be learned is not to take the comments on slashdot too literally." --Vinnie Falco, BearShare
    2. Re:Congratulations by Zocalo · · Score: 1

      Actually, since all my boxes have GNU Textutils (even the Windows ones) I'd have used "sort -u *", but since the poster may or may not even be using *NIX, I used the longhand command above more to get the concept across. For all we know, his preferred method of achieving this might be to load the two files into a text editor, copy one document to the clipboard and paste it into the other, then use the editor's inbuilt sort function to produce the required file. There are plenty of GUI-only types who would *have* to do this, although that group probably wouldn't have chosen a Cisco IOS based product due to the CLI... ;)

      --
      UNIX? They're not even circumcised! Savages!
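The two threads above describe the same pipeline: merge a couple of hosts-style blocklists into one de-duplicated list (the "sort -u *" step), make the internal resolver authoritative for every name on it with a wildcard A record pointing at an internal sinkhole address, and then read the resolver's query log to find which internal clients are asking for those names. The script below is an added example, not code from any poster; the sample hosts files and query-log lines are constructed, the sinkhole address 10.255.255.254 is an assumption, and the query-log format assumed is BIND's "client IP#port: query: name IN A" style.

```python
"""Build a DNS sinkhole list from several hosts-style blocklists and
spot the internal clients that try to resolve the blocked names.

Added example (not code from the thread). Assumed input formats:
hosts files in the usual "127.0.0.1 bad.example" layout, and query
logs in BIND's "client 10.0.0.5#51234: query: bad.example IN A" style.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample hosts files standing in for the Spybot and KaZaA
# Lite lists mentioned in the thread. The overlap is deliberate.
HOSTS_A = """\
# Spybot-style list (constructed)
127.0.0.1 hotbar.example
127.0.0.1 tracker.example   # inline comment
0.0.0.0   ads.example
"""
HOSTS_B = """\
127.0.0.1 Tracker.Example
127.0.0.1 popups.example
127.0.0.1 localhost
"""

SINKHOLE_IP = "10.255.255.254"   # assumed: an internal, null-routed address
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield lower-cased hostnames from hosts-file text, skipping comments,
    blank lines and the loopback entries every hosts file carries."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name not in LOCAL_NAMES:
                yield name


def merge_lists(*texts):
    """The 'sort -u *' step: union of all lists, sorted, no duplicates."""
    names = set()
    for text in texts:
        names.update(parse_hosts(text))
    return sorted(names)


def bind_zone_stanzas(names, zone_file="sinkhole.zone"):
    """Render a named.conf fragment making the resolver authoritative for
    each blocked name. One zone file holding '* IN A <SINKHOLE_IP>'
    serves every zone, so all lookups land on the sinkhole host."""
    return "".join(
        f'zone "{n}" {{ type master; file "{zone_file}"; }};\n' for n in names
    )


QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN")


def infected_clients(log_text, blocked, internal_net):
    """Map each internal client to the blocked names it asked for.
    Only addresses inside internal_net count; anything else is ignored."""
    net = ipaddress.ip_network(internal_net)
    blocked = set(blocked)
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group("ip"))
        name = m.group("name").lower().rstrip(".")
        if ip in net and name in blocked:
            hits[str(ip)].add(name)
    return {ip: sorted(n) for ip, n in hits.items()}


# Constructed query-log sample in BIND's querylog style.
SAMPLE_LOG = """\
11-Mar-2003 09:01:02.123 client 10.0.1.17#3321: query: hotbar.example IN A
11-Mar-2003 09:01:03.456 client 10.0.1.17#3322: query: www.example.org IN A
11-Mar-2003 09:01:04.789 client 10.0.2.8#1029: query: TRACKER.example. IN A
11-Mar-2003 09:01:05.000 client 192.0.2.99#4444: query: ads.example IN A
"""

if __name__ == "__main__":
    blocked = merge_lists(HOSTS_A, HOSTS_B)
    print(bind_zone_stanzas(blocked))
    print(infected_clients(SAMPLE_LOG, blocked, "10.0.0.0/8"))
```

The merge lower-cases names and strips trailing dots before de-duplicating, which plain `sort -u` does not do, so "Tracker.Example" and "tracker.example" collapse to one zone. The log pass ignores the 192.0.2.99 query because it is outside the internal range: with port 53 blocked outbound, only the internal resolver should ever be in that log anyway, so an external client address there is itself worth a look.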
  30. Yes and No. by Medievalist · · Score: 1

    I deal with a lot of sites that are implementing security for the first time due to HIPAA regulation.

    If you are a stone-cold IP expert, that is, you can name at least thirty ports and their uses off the top of your head, you know exactly why DirectX v7 doesn't NAT properly, you are intimate with the ICMP packet structure, you know why FTP uses more than one channel (and how to proxy that), you are qualified to do this.

    If you aren't an expert, and you set up a firewall for an existing site using the philosophy of "everything that is not mandatory is forbidden" you might cause more trouble than you'd have from not using a firewall at all.

    If you want to become an expert, set up a NEW network with a firewall, or do it at home, or something. Don't break business processes for 10,000 users because you don't understand that certain types of ICMP must be allowed, or because you don't understand FTP port negotiation.

    If you want the security, and you are too cheap to hire an expert and too proud to take training, at least run some serious packet logging on all your outbound links for a month or more (business runs on monthly, quarterly and yearly cycles) so you know what is going on before you break it.

    And don't forget IP-addressed ingress and egress filters - i.e. don't let people send packets IN to your domain using your source addresses, and don't let people send packets OUT of your domain unless they ARE using your source addresses.

    --Charlie
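The ingress/egress rule in the post above, expressed as a small check a practitioner can run against a batch of packets before committing it to firewall syntax. This is an added example, not the poster's configuration; the site prefix 198.51.100.0/24 and the sample packets are constructed, and the extra rule rejecting RFC 1918 sources arriving from the Internet goes slightly beyond the two rules the post states.

```python
"""Ingress/egress source-address filtering as described in the post:
deny inbound packets that claim one of our own addresses, and deny
outbound packets that do not carry one of our addresses.

Added example, not from the thread. Site prefix and packets are constructed.
"""
import ipaddress

# Assumed: the site's public block. A real site lists all of its prefixes.
SITE_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]

# Ranges that should never arrive as a source from the Internet (RFC 1918,
# loopback, "this" network). This check goes beyond the post's two rules.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8",
)]


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def filter_verdict(direction, src, dst, site=SITE_PREFIXES):
    """Return ('allow', '') or ('deny', reason) for one packet.
    direction is 'in' (arriving from the Internet) or 'out' (leaving)."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    if direction == "in":
        if _in_any(s, site):
            return "deny", "ingress: external packet spoofing our own source address"
        if _in_any(s, BOGON_PREFIXES):
            return "deny", "ingress: private/bogon source address from the Internet"
        return "allow", ""
    if direction == "out":
        if not _in_any(s, site):
            return "deny", "egress: packet leaving without one of our source addresses"
        return "allow", ""
    raise ValueError(f"unknown direction {direction!r}")


def denied_packets(packets):
    """Run (direction, src, dst) tuples through the filter and return the
    ones that would be dropped, each with its reason."""
    out = []
    for pkt in packets:
        verdict, reason = filter_verdict(*pkt)
        if verdict == "deny":
            out.append((pkt, reason))
    return out


# Constructed sample traffic; 203.0.113.0/24 plays the role of "the Internet".
SAMPLE_PACKETS = [
    ("in",  "203.0.113.7",   "198.51.100.10"),  # ordinary inbound traffic
    ("in",  "198.51.100.5",  "198.51.100.10"),  # outsider spoofing our address
    ("in",  "10.1.2.3",      "198.51.100.10"),  # RFC 1918 source from outside
    ("out", "198.51.100.10", "203.0.113.7"),    # ordinary outbound traffic
    ("out", "10.1.2.3",      "203.0.113.7"),    # un-NATed private address leaking
]

if __name__ == "__main__":
    for pkt, reason in denied_packets(SAMPLE_PACKETS):
        print(pkt, "->", reason)
```

The egress rule is the one most sites forget: it stops the site from being used as a source of spoofed traffic and, as a side effect, surfaces internal hosts whose traffic is escaping without NAT.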

    1. Re:Yes and No. by Istealmymusic · · Score: 2, Insightful
      Okay, I'll bite.

      Why doesn't DirectX v7 (presumably you are referring to the DirectPlay NetCode) NAT properly? I found some answers on DXport, which claims to be able to force DX7 and 8 games to work with NATs. Seems the protocol isn't that broken with regards to NATing.

      Why must certain types of ICMP be allowed? Is "port unreachable" really necessary, or can connections to unreachable ports simply time out? Echo certainly isn't necessary. As for FTP, passive mode is preferred as it allows connections to be initiated by the client rather than the server (or maybe the other way around, I'm tired, and it's late), so I fail to see how it's relevant.

      But I'm willing to be enlightened.

      --
      "The lesson to be learned is not to take the comments on slashdot too literally." --Vinnie Falco, BearShare
    2. Re:Yes and No. by Medievalist · · Score: 1

      /.

      Okay, I'll bite.

      OUCH! Hey, cut that out.

      Why doesn't DirectX v7 (presumably you are referring to the DirectPlay NetCode) NAT properly? I found some answers on DXport, which claims to be able to force DX7 and 8 games to work with NATs. Seems the protocol isn't that broken with regards to NATing.

      Let me give you an example: If you are playing SMACX (Sid Meier's Alpha Centauri, Alien Crossfire expansion, which is a typical v7 multiplayer game) with players on both the inside (RFC1918 10.xxx addressing) and the outside (IANA Internet unique numbers) of a NATting firewall (let's say, an OpenBSD or Smoothwall box) you will have to set the NAT engine to point incoming DirectX to the game host's box inside the firewall. Now, all players will be able to contact the primary host, so map synchro and such will work OK. But, multiplayer chat will *NOT* work, because the nodes on the outside can ONLY talk to the primary host on the inside. Several game functions depend on peer-to-peer connections between client nodes without primary host intervention - these functions simply will not work, as the external nodes have all their traffic NATted to the primary host, which discards the unsolicited packets instead of forwarding them to the intended recipient.

      The basic problem is that the DirectX design uses the old IBM-mainframe "100% reliable network" paradigm, and not the Internet-style "completely unreliable network" paradigm. If a packet can't get through one way... oops, there is only one way. Or at least that's how it plays out in real life (I have considerable experience with this).

      I imagine a DX-masq module that tracked incoming and outgoing connections, along the lines of the quake and IRC masq modules, could be run to get around this problem. But I haven't written it (yet!) and I haven't found any indication that anyone else has. You'd have to packet-sniff quite a bit to get the necessary information out of the DX traffic I think.

      Why must certain types of ICMP be allowed? Is "port unreachable" really necessary, or can connections to unreachable ports simply time out? Echo certainly isn't necessary.

      ICMP is required for PMTU discovery. If you have ICMP blocked, you will experience lots of apparently random TCP failures, and much of the Internet will not be able to talk to you. MTU discovery protocols are a good and desirable thing, and it is rare that a site would have legitimate reason to break them.

      As for FTP, passive mode is preferred as it allows connections to be initiated by the client rather than the server (or maybe the other way around, I'm tired, and it's late), so I fail to see how it's relevant.

      It's only relevant (and barely) as an example of an oddball protocol; I was pointing out that problems will certainly result from an overly restrictive firewall being put in place on an existing network. For FTP, sure, you can reconfigure most clients to use more modern defaults. Do you know for a fact that all the end-users (who may be transferring vitally important files daily) know this? You shouldn't be implementing a firewall unless you know what machines on your site are using FTP, and what they use it for, and etc. etc. etc... FTP and telnet are legacy protocols, and should be eliminated when possible and accommodated when necessary. Too often a firewall is dropped in place, with the FTP control port open and the data port blocked, and the site experiences major disruption of profit-generating activities because the users suddenly can't do their jobs (and they will of course report it to the help desk as "my PC is broken" not "the firewall dropped my FTP packets").

      But I'm willing to be enlightened.

      Aha, you hold the key to great wisdom. I recommend the Platform Sutra. My apologies for the excessively wordy post.

      --Charlie
  31. Loading spyware on a test machine by Nonesuch · · Score: 1

    Gryftir writes:

    As a side note, if you can't find a big enough list, you can always load the spyware on a test machine.

    On that topic, an instance of VMWare works great for providing a test "victim workstation" on which to install spyware, document the filesystem and network behavior, and easily revert back to a clean system with a minimum of effort.

    It's even possible to execute two or more identical test systems on their own private "ethernet bridge" to watch the scanning and propagation behavior of a virus or worm.