Measures against malware propagation

[Mok-Kong Shen]

I read that malware could propagate among computers over USB sticks and
like to learn the proper measures of defense. If one has a computer
disconnected from the internet and transfer only text files to it, not
using USB sticks but via TCP on a private WLAN, would that be secure or
not? Thanks in advance.

M. K. Shen

[Moe Trin]

On Tue, 04 Sep 2012, in the Usenet newsgroup comp.security.firewalls, in
article <k2491l$of$1...@news.albasani.net>, Mok-Kong Shen wrote:

>I read that malware could propagate among computers over USB sticks
>and like to learn the proper measures of defense.

]User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0)
Gecko/20120824 Thunderbird/15.0

Microsoft Windows? Let's start at the beginning: I am _sure_ you
recall having to use anti-mal-ware software of some kind to protect
you from virus/trojan/bad-stuff that were passed around on floppy
discs. Same concept. We have standing orders that if you find a
floppy/tape/CD/DVD/USB-stick in the parking lot (or equal), you hand it
to the security guards and let them deal with it, rather than you being
a "Good Samaritan" and inserting it in your computer to see "what's on
there" (and therefore be able to return it to the owner). No, that
can get your ass fired for monumental stupidity. Why? Because the
media may be infected and your computer (to help you, of course) is
set to auto-run any executable found on removable media.

Hit your favorite search engine, and look for articles about the
"Flame" and "Stuxnet" worms. One place to look is the "Risks Digest"
from the "ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED
SYSTEMS". If your news server carries the group "comp.risks", look
there, and read the last ~90 articles. "Stuxnet" was mentioned in
risks-26.12 risks-26.39 risks-26.53 risks-26.96
risks-26.19 risks-26.42 risks-26.58 risks-26.97
risks-26.24 risks-26.44 risks-26.60
risks-26.31 risks-26.45 risks-26.85
risks-26.35 risks-26.47 risks-26.91
while Flame is mentioned in
risks-26.85 risks-26.88 risks-26.97
risks-26.87 risks-26.89
See also the "Gauss" toolkit mentioned in risks-26.97.

Not very much in the way of technical details, but it should give you
more keywords to search for. Note that most of the malware problems
are a result of the users not wanting to think about what they are
doing. "It's the computer's fault." Yeah, right.

>If one has a computer disconnected from the internet and transfer only
>text files to it, not using USB sticks but via TCP on a private WLAN,
>would that be secure or not?

What is your threat model? "Who's after you?" Are you worried about
some government agency stealing the secret recipe for the "Chocolate
Coated Cod Fish" you have hidden on your computer, or some h3X0r d00d
down the street trying to impress his girl-friend, by using your
computer to attack the Swiss Naval high command? The Flame virus has
apparently managed to propagate using Bluetooth as well as other media
and networks. But is that relevant to you? Transferring raw ASCII or
ISO-8859 text files isn't the problem, so much as what _ELSE_ gets
automatically transferred at the same time (intentionally or not).

If by "private WLAN" you mean some wireless networking setup, have
you made certain that the link is encrypted with a "strong" passphrase
that is changed on a regular basis? The words "Feind hört mit!" are
often translated as "The Enemy is Listening" - but if they can hear and
understand, they can also send and corrupt or destroy.

Old guy

[Ansgar -59cobalt- Wiechers]

Moe Trin <ibup...@painkiller.example.tld.invalid> wrote:
[ a lot ]

You're wasting your time. The guy has been trolling German security
newsgroups for a while now. He won't understand a single word of what
you wrote.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

[Skywise]

Ansgar -59cobalt- Wiechers <usene...@planetcobalt.net> wrote in
news:aapvui...@mid.individual.net:

> You're wasting your time.

Not an entire waste. At least this one lurker found it informative
and learned a few things.

Brian
--
http://www.skywise711.com - Lasers, Seismology, Astronomy, Skepticism
Sed quis custodiet ipsos Custodes?

[Mok-Kong Shen]

Am 05.09.2012 21:27, schrieb Moe Trin:
[snip]

> What is your threat model? "Who's after you?" Are you worried about
> some government agency stealing the secret recipe for the "Chocolate
> Coated Cod Fish" you have hidden on your computer, or some h3X0r d00d
> down the street trying to impress his girl-friend, by using your

> computer to attack the Swiss Naval high command? [snip]

I meant something in principle. Maybe something to be protected
is not just chocolate but a recipe to make Coke and the like.

But thank you anyway for the comments.

M. K. Shen

[Moe Trin]

On Fri, 07 Sep 2012, in the Usenet newsgroup comp.security.firewalls, in
article <k2d2bi$s0g$1...@news.albasani.net>, Mok-Kong Shen wrote:

>schrieb Moe Trin:

>> What is your threat model? "Who's after you?" Are you worried
>> about some government agency stealing the secret recipe for the
>> "Chocolate Coated Cod Fish" you have hidden on your computer, or
>> some h3X0r d00d down the street trying to impress his girl-friend,
>> by using your computer to attack the Swiss Naval high command?

>I meant something in principle. Maybe something to be protected
>is not just chocolate but a recipe to make Coke and the like.

The recipe to make Coca Cola has been kept in a safe in the office
of the Coca Cola company in Atlanta, Georgia, USA for more than a
hundred-twenty years. There is no reason for the recipe to be _near_
a computer, so why would it be? If it's not available, it can't be
stolen. Why are you putting "secret" material on a computer... or on
a table, desk or similar, where it _can_ be stolen/copied/messed-up?
Lock it up in a safe where it can't be accessed by unauthorized people.

"Who's after you?" If it's a government agency, they can do things
you'd never think of, so the only way to protect the information is
to use strong encryption to encode the secret keyphrase that actually
is used to encrypt the stuff you're protecting (the government would
not be interested in the recipe for Coke anyway). Lock it up, and
don't forget the armed guards that you can trust. That kid down the
block can be defeated more easily, but encryption is still the answer.
The curious grandmother who lives across the street but doesn't know
what a computer is... she wouldn't find the file, as long as you don't
leave a print-out on your front door or broadcast it on the radio/TV.

Old guy

[Mok-Kong Shen]

Am 08.09.2012 03:45, schrieb Moe Trin:
> On Fri, 07 Sep 2012, in the Usenet newsgroup comp.security.firewalls, in
> article <k2d2bi$s0g$1...@news.albasani.net>, Mok-Kong Shen wrote:
>
>> schrieb Moe Trin:
>
>>> What is your threat model? "Who's after you?" Are you worried
>>> about some government agency stealing the secret recipe for the
>>> "Chocolate Coated Cod Fish" you have hidden on your computer, or
>>> some h3X0r d00d down the street trying to impress his girl-friend,
>>> by using your computer to attack the Swiss Naval high command?
>
>> I meant something in principle. Maybe something to be protected
>> is not just chocolate but a recipe to make Coke and the like.
>
> The recipe to make Coca Cola has been kept in a safe in the office
> of the Coca Cola company in Atlanta, Georgia, USA for more than a
> hundred-twenty years. There is no reason for the recipe to be _near_
> a computer, so why would it be? If it's not available, it can't be
> stolen. Why are you putting "secret" material on a computer... or on
> a table, desk or similar, where it _can_ be stolen/copied/messed-up?
> Lock it up in a safe where it can't be accessed by unauthorized people.

I was indicating that there could be modern documents as valuable as the
recipe of Coke, e.g. some results of researches of chemical and
pharmaceutical companies that are reasonable to be stored on computers
for efficient processing by authorized persons of the companies (and
not just in form of papers to be put in safes).

M. K. Shen

[Moe Trin]

On Sat, 08 Sep 2012, in the Usenet newsgroup comp.security.firewalls, in
article <k2f6nu$om0$1...@news.albasani.net>, Mok-Kong Shen wrote:

>> Why are you putting "secret" material on a computer... or on a
>> table, desk or similar, where it _can_ be stolen/copied/messed-up?
>> Lock it up in a safe where it can't be accessed by unauthorized
>> people.

>I was indicating that there could be modern documents as valuable as
>the recipe of Coke, e.g. some results of researches of chemical and
>pharmaceutical companies that are reasonable to be stored on computers
>for efficient processing by authorized persons of the companies (and
>not just in form of papers to be put in safes).

Ignoring official (government) classified materials (the handling rules
for which are VERY exact) in this discussion, such documents are often
restricted to "unconnected" (to the Internet) computers and/or networks
to make unauthorized access much more difficult (but not impossible).

The other technique to protect the data is encryption. The file itself
is encrypted, and access to the computer where the file is located is
controlled/restricted. You don't have to give access to everyone.

Speaking just of IPv4, about 3 weeks ago there were 3454811936 (3.45e9)
addresses on 118784 networks allocated or assigned in 235 countries by
the five Regional Internet Registries. You really don't have to permit
access from all of those addresses to your restricted data. Worried
about zombies and bots in "your" country? There's really no sane
reason to allow access from every address in "your" country either. If
you look at the way Airbus Industries and Boeing are designing new
aircraft, they HAVE to allow access to the drawings and specifications
to those companies who are providing the parts and that access is via
encrypted tunnels between specific systems. All systems at company
"A" do _not_ have access to any/all systems at company "B". Heck,
most systems at company "B" don't have access to most systems at
company "B" either. No _need_ to access means no access allowed.

Old guy

[Mok-Kong Shen]

Am 09.09.2012 05:52, schrieb Moe Trin:
> On Sat, 08 Sep 2012, in the Usenet newsgroup comp.security.firewalls, in
> article <k2f6nu$om0$1...@news.albasani.net>, Mok-Kong Shen wrote:
>
>>> Why are you putting "secret" material on a computer... or on a
>>> table, desk or similar, where it _can_ be stolen/copied/messed-up?
>>> Lock it up in a safe where it can't be accessed by unauthorized
>>> people.
>
>> I was indicating that there could be modern documents as valuable as
>> the recipe of Coke, e.g. some results of researches of chemical and
>> pharmaceutical companies that are reasonable to be stored on computers
>> for efficient processing by authorized persons of the companies (and
>> not just in form of papers to be put in safes).
>
> Ignoring official (government) classified materials (the handling rules
> for which are VERY exact) in this discussion, such documents are often
> restricted to "unconnected" (to the Internet) computers and/or networks
> to make unauthorized access much more difficult (but not impossible).

I didn't say anything about official classified materials, but was
in the above concerning about much more mundane but nonetheless highly
valuable commercial documents that are to be well guarded because
of the (popularly well known) spionage financed by competing firms.
(We refrain from considering here rumored cases where certain
governments were said to have helped in such spionage.)

> The other technique to protect the data is encryption. The file itself
> is encrypted, and access to the computer where the file is located is
> controlled/restricted. You don't have to give access to everyone.

But then one has the inconvenience of decryption every time one reads
the documents or maybe worse when modifications are to be done. Further
there are concerns of the quality of the encryption algorithm used
and key management problems to be taken care of.

M. K. Shen

[Moe Trin]

On Sun, 09 Sep 2012, in the Usenet newsgroup comp.security.firewalls, in
article <k2hn4r$ep9$1...@news.albasani.net>, Mok-Kong Shen wrote:

>schrieb Moe Trin:

>> Ignoring official (government) classified materials (the handling
>> rules for which are VERY exact) in this discussion, such documents
>> are often restricted to "unconnected" (to the Internet) computers
>> and/or networks to make unauthorized access much more difficult
>> (but not impossible).

>I didn't say anything about official classified materials, but was
>in the above concerning about much more mundane but nonetheless highly
>valuable commercial documents that are to be well guarded because
>of the (popularly well known) spionage financed by competing firms.

Many commercial companies are _aware_ that the officially classified
materials have special rules, and try to emulate them. The "due
dilligence" requirements of public companies give incentive to at
least attempt to take reasonable care of commercial documents. While
I have network administration responsibilities, I don't have unlimited
access to the financial, advertising and sales department networks
because those areas are deemed "sensitive". Yet I am an employee.

>> The other technique to protect the data is encryption. The file
>> itself is encrypted, and access to the computer where the file is
>> located is controlled/restricted. You don't have to give access
>> to everyone.

>But then one has the inconvenience of decryption every time one
>reads the documents or maybe worse when modifications are to be done.

Oh, it's terrible - I have to carry a _key_ to enter my house or use
my car. Is the information sensitive? Then you have to protect it.

>Further there are concerns of the quality of the encryption algorithm
>used and key management problems to be taken care of.

That's part of the price of doing business, just as having to have a
key to open locks meant to keep others out.

Old guy

[Mok-Kong Shen]

Sorry, I don't understand what you mean above in the present context.
The fact that you are an employee and not a CEO surely has no
relevance to the general discussion of how a certain security measure
should best be in a certain situation, or has it? You yourself raised
the encryption issue and certainly therefore know also that encryption
keys used in firms etc. must be managed. If so, what's the point of
the key for your house or car?

M. K. Shen

[Moe Trin]

On Mon, 10 Sep 2012, in the Usenet newsgroup comp.security.firewalls, in
article <k2k9jt$evu$1...@news.albasani.net>, Mok-Kong Shen wrote:

>schrieb Moe Trin:

>> The "due dilligence" requirements of public companies give incentive
>> to at least attempt to take reasonable care of commercial documents.
>> While I have network administration responsibilities, I don't have
>> unlimited access to the financial, advertising and sales department
>> networks because those areas are deemed "sensitive". Yet I am an
>> employee.

>> I have to carry a _key_ to enter my house or use my car. Is the

>> [company] information sensitive? Then you have to protect it.

>>> Further there are concerns of the quality of the encryption
>>> algorithm used and key management problems to be taken care of.

>> That's part of the price of doing business, just as having to have
>> a key to open locks meant to keep others out.

>Sorry, I don't understand what you mean above in the present context.
>The fact that you are an employee and not a CEO surely has no
>relevance to the general discussion of how a certain security measure
>should best be in a certain situation, or has it?

The CEO (Chief _Executive_ Officer) is a business person - they have
less knowledge of technical matters, never mind IT. On the other hand,
the people in IT are supposed to maintain the networks. But neither
CEO or IT are given any more access than is needed to perform their
job. Others who lack that need are given no access. The CEO may make
overall decisions about security ("protect stuff") and may make crude
statements of how ("lock doors", "encrypt stuff"), but the actual
implementations are the responsibility of those lower in organization
chart with more specialized skills/knowledge.

>You yourself raised the encryption issue and certainly therefore know
>also that encryption keys used in firms etc. must be managed.

That's the job of the IT people. The executives know nothing about it,
and lack the skills to evaluate the strength of an encryption algorithm
(heck, many of them can't decode EBG13, never mind something stronger).
Encryption is not the _total_ answer - it is part of the answer only.
Access is also important - if "the bad guys" don't have access, (both
physical and electronic), they have more difficulty. This is why the
sensitive data is kept encrypted and why it's not kept on accessible
systems where some idiot can install mal-ware through stupid actions
like surfing his favorite pr0n or gaming site.

>If so, what's the point of the key for your house or car?

Do you leave your house unlocked? If not, do you give a key to the
house to anyone who asks? This is no different than the management of
the encryption keys, the configuration of the computers and networks
or the physical/electronic access to the facility where sensitive
information is used and/or stored.

Old guy

[Mok-Kong Shen]

If a certain building complex as a whole is guarded, the doors
there could well be left open so that the workers could easily
move around, no?

M. K. Shen

[Skywise]

Ansgar was right. My obtuseness detector is going crazy.

[Moe Trin]

On Tue, 11 Sep 2012, in the Usenet newsgroup comp.security.firewalls, in
article <k2muic$fqm$1...@news.albasani.net>, Mok-Kong Shen wrote:

>schrieb Moe Trin:

>> Do you leave your house unlocked? If not, do you give a key to the
>> house to anyone who asks? This is no different than the management
>> of the encryption keys, the configuration of the computers and
>> networks or the physical/electronic access to the facility where
>> sensitive information is used and/or stored.

>If a certain building complex as a whole is guarded, the doors
>there could well be left open so that the workers could easily
>move around, no?

It depends, but often "no". The previous facility I worked at had
guards at the property entrance, more guards at the building entrances
and the offices are locked and even the desks and file cabinets have
locks. There are guards patrolling the property. That's a bit more
security than the industry normal, because it is a research facility.
The facility I work in now lacks the guards at the property entrance
but is otherwise similar. I was in to visit my stock broker recently:
a guard at the building entrance and individual locked offices.

You can freely move from office/lab/work-area to the rest-rooms,
cafeteria, break-rooms, hall-ways, etc., but access to the work areas
is restricted/controlled. The computers in the office/lab/work-areas
are all password protected with screen-locks. The servers and network
hardware are in locked rooms with limited access. The computers that
can be accessed by the public (from the world) are not even in this
facility. (And no, this isn't government or military related.)

Why so many hoops? Access to "everything" is NEVER needed to do your
job. You have access to what you need, and no more. That way, you
can't learn the secrets of new products being worked on in the other
departments. If you don't know, you can't leak the information. The
concept has been in use for centuries. Without access, you also can
not bring in mal-ware. That concept has only been around for decades.

Want to check your (personal) email, surf the web, or have other
non-business access to the Internet? No problem - the employee
association has a number of computers in the break-rooms and cafeteria
that are not connected to the company network - use those (that's
where I'm posting from now) or use your own computer at home.

Old guy

[Mok-Kong Shen]

The analogy with the building was not in the sense of one-to-one but
is simply used to stress that encryption is not sensible in general,
if the access to the one computer containing the sensible documents
is sufficiently restricted/protected. Unlike looking to a tiny recipe
(e.g. that of Coke), people doing research nowadays, say, in organinc
chemistry, have to look into much stuffs at a time and even have to
do team work concurrently. That's why my point. Even to the issue of
buildings: I don't think that any defense ministry of any country
the world is such that doors of each its rooms is locked all the time.
For that simply paralyses any useful work from being done at all.

M. K. Shen

[Shadow]

On Tue, 04 Sep 2012 09:02:15 +0200, Mok-Kong Shen
<mok-ko...@t-online.de> wrote:

>
>I read that malware could propagate among computers over USB sticks and
>like to learn the proper measures of defense.

Disable autorun for all drives. Yahoo it.
[]'s
--
Don't be evil - Google 2004
We have a new policy - Google 2012