March 21st, 2005, 04:06 PM
Fighting Spyware Requires Multi-Pronged Approach
Not really any new information but includes some potential topics of discussion.
edit// Sorry, the link's a little wonky. http://informationweek.securitypipeline.com and it is listed on the left under Security News. I'll try and sort the link out.
Trying to find out exactly what they have is a pain and half the time the uninstallers don't work.
"From a staffing perspective, the cleanup usually exceeds the time it takes to handle an antivirus infection."
The first line of the licensing agreement could say "I'M GOING TO PUT LOTS OF CRAP ON YOUR COMPUTER WHEN YOU CLICK YES" and at least half the people would still agree because they want the product because "everyone else uses it".
The FTC sees two issues. First, people frequently aren't notified when spyware is placed on their computers. And second, the software they do seek comes bundled with adware they don't want because end-user licensing agreements often aren't clear. "These agreements give a patina of legitimacy by having some form of disclosure," says Tom Pahl, the FTC's assistant director for advertising practices. "But consumers often don't understand the choices they're making."
Most of the time it's free stuff, what do they expect? It's the spyware that comes just by going to a site that is a real kick in the nads.
End-user license agreements are a big issue. When users download a software program, they should be given a clear choice about accepting or declining other software with it. Spyware doesn't give them that choice, or does so surreptitiously.
So please buy our new Anti-Spyware. Don't get me wrong, I like Symantec.
Security vendor Symantec Corp. recently conducted a study to see how much spyware and adware finds its way onto PCs during Web surfing. Symantec monitored what types of spyware and adware glommed on to PCs while users surfed to different types of Web sites. The company spent one hour per category visiting sports, kids, gaming, news, reseller, shopping, and travel sites. It found that 468 adware applications and 10 instances of spyware were left behind on Symantec's test machine. The system also was infected with seven so-called hijackers, tiny apps that redirect users' Web browsers to unintended sites.
4000 x 200 = 800,000 infections per month. I'm sure all during work related activities.
Anti-spyware tools aren't perfect, but they help. The Denver Health & Hospital Authority expects to save more than $170,000 annually in help-desk costs by using a policy-control appliance from Blue Coat Systems Inc. to keep spyware and adware off of 4,000 PCs. "Before, we had about 200 spyware intrusions per month on each machine," chief technology officer Jeffrey Pellot says. Now the problem has been mostly eliminated, he says.
"You got a mouth like an outboard motor..all the time putt putt putt" - Foghorn Leghorn
March 21st, 2005, 04:16 PM
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
March 23rd, 2005, 10:32 PM
We went with the more comprehensive, multi-part approach at Intranet Journal.
Definitions seem to be a must in all spyware pieces (muddled as they may be); testing; prevention, recovery... I think you need to hit them all if you're trying to educate users.
March 23rd, 2005, 10:57 PM
"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts".....Spaf
Every time I learn a new thing, I discover how ignorant I am. - ... Black Cluster
March 23rd, 2005, 11:07 PM
Multipronged is something of an understatement in this case I think.... <LOL>
These are the measures I take to try to minimize/kill the spyware issue:
1. Custom security policy administered through GP that blocks ActiveX in all cases and prompts for any scripts.
2. SurfControl blocks as much non-work related activity as I can. Where SurfControl doesn't categorize, (or mis-categorizes), a site that provides a lot of crap, I block it manually by policy.
3. All workstations run a logoff script that clears the users' Temporary Internet Files - administered through GP.
4. All public access workstations have a startup script administered through GP that runs a spyware remover whenever the computers are restarted - usually daily, certainly weekly.
5. Snort sensors run the Bleeding Snort Malware rules. If a workstation shows signs of malware it is placed in a "Malware" OU that runs a spyware remover when the computer is restarted - administered through GP.
6. The Malware DNS Blacklist I brought up in a previous thread is implemented on all my nameservers redirecting the resolution to 127.0.0.1 for known spyware sites thus effectively neutering the little "bastiges".
7. Users' internet activity is regularly audited. Those users with a high usage _and_ a high propensity for non-work-related activity are reported to their supervisor and additional restrictions are discussed with the supervisor and implemented as agreed.
8. Some Snort rules indicate "devious" activity such as downloading an executable where the requested resource was an image, and some other ones. These are looked at regularly to determine the activity that took place by referencing the log files and wget-ing the targets to see what the downloaded content actually was.
I have to "blow my own trumpet" on this.... It appears to work very well... It took some time to get all this in place but when you can spend 2+ hours cleaning a single workstation, ('cos you just hate to be beaten and re-image the damn thing..... )... It pays off....
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
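Measure 8 in the post above (an executable coming back where an image was requested) can be checked offline against fetched responses. The script below is an added example, not the poster's Snort rules or tooling; the hostnames and response bodies are constructed samples, and the PE check only verifies the "MZ" stub and the "PE\0\0" signature it points at.

```python
import re
import struct
from typing import List, Optional, Tuple

IMAGE_EXTS = {".gif", ".jpg", ".jpeg", ".png", ".bmp", ".ico"}
IMAGE_MAGIC = {b"GIF87a": "gif", b"GIF89a": "gif", b"\xff\xd8\xff": "jpeg",
               b"\x89PNG\r\n\x1a\n": "png", b"BM": "bmp", b"\x00\x00\x01\x00": "ico"}

def looks_like_pe(body: bytes) -> bool:
    """True if body has a DOS 'MZ' stub whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", body, 0x3C)
    return body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def body_kind(body: bytes) -> str:
    """Classify a response body by its magic bytes rather than by what the server claims."""
    if looks_like_pe(body):
        return "executable"
    for magic, kind in IMAGE_MAGIC.items():
        if body.startswith(magic):
            return kind
    return "unknown"

def image_requested(url: str, content_type: str) -> bool:
    """The client asked for an image: by URL extension or by the declared Content-Type."""
    path = re.split(r"[?#]", url, maxsplit=1)[0]
    ext = re.search(r"\.[A-Za-z0-9]+$", path)
    return (ext is not None and ext.group(0).lower() in IMAGE_EXTS) \
        or content_type.lower().startswith("image/")

def check_response(url: str, content_type: str, body: bytes) -> Optional[str]:
    """Return an alert string for a suspicious response, or None if nothing looks off."""
    if not image_requested(url, content_type):
        return None  # an .exe fetched as an .exe is handled by other rules, not this one
    kind = body_kind(body)
    if kind == "executable":
        return "executable served as image: " + url
    if kind == "unknown":
        return "declared image but unrecognised body: " + url
    return None

def scan(responses: List[Tuple[str, str, bytes]]) -> List[str]:
    return [a for a in (check_response(u, ct, b) for u, ct, b in responses) if a]

# Constructed samples (not real captures): a minimal fake PE whose e_lfanew field
# at 0x3C points to a 'PE\0\0' signature at offset 0x40, plus benign and odd bodies.
FAKE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 16
SAMPLE = [
    ("http://ads.example.invalid/banner.gif", "image/gif", b"GIF89a" + b"\x00" * 32),
    ("http://ads.example.invalid/pixel.jpg", "image/jpeg", FAKE_PE),
    ("http://dl.example.invalid/setup.exe", "application/octet-stream", FAKE_PE),
    ("http://cdn.example.invalid/logo.png", "image/png", b"<html>not an image</html>"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```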