Ethical Hacker Community Forums
October 06, 2008, 07:20:52 PM
Resources / News from the Outside World / Re: Air Force Colonel Wants to Build a Military Botnet
on: May 13, 2008, 09:27:43 AM
I read this story earlier and so far I'm hoping that this is PR-type fluff.
In my opinion this could cause some real damage to 'non-combatants' if this were ever utilised. Even if the 'target' is a legitimate enemy (I'll leave the definition to the politicians as we usually disagree), the traffic required to cause the DDoS still needs to head over public/commercial links at some point to reach the destination. Even if service is unaffected by the overheads (unlikely due to reports of ISPs over-subscribing lines etc.), are the US military going to compensate service providers for the extra cost of carrying this traffic? (The US's enemies are often a large distance from their physical borders, so this could be a lot of affected networks.)
I need to think about it more, just hope the military are going to think about it some more too.
Resources / News from the Outside World / Re: Hactivism - Good or bad?
on: May 13, 2008, 09:15:18 AM
Geekyone,
I agree with your point, but at some point people have to be responsible for the security of their machine. I'm growing tired of the 'not me guv, must be one of them 1337 haxz0r type people' excuses. If you have anything on your machine then you should know how it got there. Until this is a basic requirement prosecuting this kind of thing is going to continue being a joke.
/rant
|
|
|
|
|
203
|
Ethical Hacking Discussions and Related Certifications / Other / Re: Free Firewall Aces PC Magazine Tests
on: May 13, 2008, 07:11:17 AM
Make sure in >Settings>Default Actions> that you configure it to prompt you or to alert you when something is detected.
Checked that section afterwards as I hadn't changed the defaults. Suspected and potentially unwanted detects were set to 'prompt me' and known malicious threats were set to 'quarantine and alert me'. Either the alert wasn't generated or I missed it; something to bear in mind either way.

From further testing, I've installed this app on an XP machine I've got lying around (hasn't been rebuilt in years) and ThreatFire gave it a clean bill of health. Either I know how to keep a machine in good health or it missed something. (I hate it when AV-type programs find nothing; no machine can be that clean.)

I've also noticed a few stability/performance issues with my machines whilst ThreatFire has been running, but this could just be the usual Windows flakiness. If anyone else has had similar issues, can you let me know?

Finally, after more playing I've seen that ThreatFire has a real-time report on the number of global events it has scanned and threats found globally. I haven't had time to investigate this myself yet; does anyone know how this information is reported back and/or what information is included?
Ethical Hacking Discussions and Related Certifications / Other / Re: Free Firewall Aces PC Magazine Tests
on: May 12, 2008, 07:03:28 AM
Don, thanks for the link. I've just taken a look and run a scan of my system and it looks promising. As Blackazarro said, it could be a good addition to AV.

After install I performed a full scan of my system; whilst this did take a while (~3hrs for ~80GB), it found several potential threats on my system. Whilst everything it found I knew about (components from Metasploit and archived binaries from previous incident handling), if I was unaware of the files on my systems I would definitely want to know about them. At the same time the files were ignored by recent AV scans on my machine (using Sophos and AVG Free).

The aspect that could really be of interest is the behaviour-based detection. I tested this by using netcat to set up a port listener; ThreatFire both closed the port and quarantined the nc.exe binary. My only complaint is that I did not receive an alert stating that the quarantine had taken place, leaving me to search for a few minutes to figure out why an executable I had just used had vanished.

Overall I'll keep it around and will install it in my malware analysis environment to see how well it performs with behaviour from the 'wild'. Thanks for the heads up.
Ethical Hacking Discussions and Related Certifications / Malware / how to find 'interesting' malware samples?
on: May 11, 2008, 09:55:18 AM
Peoples, I've recently put a Nepenthes server into production. There were several reasons for this, from trying to get a better view of what's out there, to training resources and just 'for fun' (yes, I'm a bit strange). Unfortunately, the server is being too successful and is providing more samples than I can analyse in the timeframe available. Can anyone provide tips so that I can quickly identify and focus on the 'interesting' samples rather than spend time and resources investigating 'garden variety' malware? Any advice appreciated, thanks in advance. RR
Resources / News from the Outside World / Re: 8 Dirty Secrets of The Security Industry
on: May 10, 2008, 10:43:32 AM
I understand that I work for a business, and that the business of business is business...but if you lose your customer base because you didn't do all you could to protect their info, you'll have no business being in business.
Wow.... that's a lot of business. Couldn't agree more though; it seems that current business culture makes it difficult and rare to get full management buy-in for improving security beyond the minimum. Unfortunately the current climate allows the man (& woman) at the top to earn as much (and sometimes more) for a golden boot as a golden handshake.
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Tracking MAC Address over internet
on: May 10, 2008, 10:38:54 AM
idscore, I think that on a diverse and distributed system like the Internet what you are proposing could be nearly impossible without physical authentication. As has been said, MAC/IP address isn't going to be the way forward, even just due to people having access to multiple machines/public access/etc., before we even get into the realm of spoofing. Likewise multiple, unique individuals may try to access your system from the same IP or MAC address, a shared/public terminal for example.

As Shawal has suggested, debit/credit card information should be unique, but a person can have more than one card legitimately (if I only had one my finances would look nicer). Even going to the extreme of requiring physical authentication (such as RSA keyfobs, swipe cards, etc.), whilst each device is unique, again an individual could have access to more than one device, for example registering/receiving one from multiple addresses.

However, whilst it may/will be impossible to get a 100% perfect system, it is important to remember that you only need to remove enough flaws to make the system usable. Holes can and will be found in any non-simple system, online or otherwise; what is required is reducing the level of holes to an acceptable level depending on your context and requirements.

Hope this helps, good luck