Webwasher settings to prevent Aurora cyber attack
11 Years, 1 Month ago
It's January 21st and so many people are running around to identify all that has happened with Operation Aurora and the cyber attack on Google and others.
Fortunately, I've been privileged to listen to a phone conversation from the key people working on this at McAfee. It was a briefing of what has transpired and the efforts to identify and prevent follow-on waves.

Some of the items that were mentioned in this phone call made sense to me to report here. If a company was blocking and using web filtration such as a Webwasher, it could have blocked the believed JPEG archive that was the payload which the JavaScript enabled to be fired as part of the exploit.

If you are filtering your content with a Webwasher, please make sure you have the following settings turned on and the action is to block:
Common -> Media Type Filters (watch for multiple policies) -> Actions Tab -> "Non-rectifiable media types with magic bytes mismatch" = BLOCK

This prevents media with formats other than the suffix from coming through. Also, you could have multiple policies, so be careful there.

In addition, make sure you have and are using the reputation settings of Trusted Source. The database there has been updated to stop many of the Websites the unauthorized pseudo SSL traffic was being communicated back to out of the malware design. Also, make sure you've enabled the Malware option if you've received it as part of your license.

These three items would have successfully blocked the front door portion of this attack. There are other internal tools that would catch it from other areas of penetration.
In a conversation today, Chat and Skype have been identified as points of entry as well.

Thought I would share what I know, but also to help make sure you have the right settings enabled to give the most protection possible.
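
A simplified sketch of the suffix-versus-magic-bytes comparison that the Media Type Filter setting in the post refers to. This is an added example, not Webwasher code and not part of the original post; the signature table, function names, URL paths and sample bodies are constructed for illustration.

```python
import os

# Well-known leading-byte signatures for a few common types.
MAGIC = {
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
    "zip": [b"PK\x03\x04"],
    "exe": [b"MZ"],
}
SUFFIX_TO_TYPE = {
    ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif",
    ".pdf": "pdf", ".zip": "zip", ".exe": "exe", ".dll": "exe",
}

def sniff(body):
    """Return the type implied by the first bytes of the body, or None."""
    for kind, signatures in MAGIC.items():
        if any(body.startswith(sig) for sig in signatures):
            return kind
    return None

def verdict(url_path, body):
    """Compare the type claimed by the URL suffix with the sniffed type."""
    path = url_path.split("?", 1)[0]            # ignore any query string
    suffix = os.path.splitext(path)[1].lower()
    claimed = SUFFIX_TO_TYPE.get(suffix)
    if claimed is None:
        return ("allow", "suffix not covered by this sketch")
    actual = sniff(body)
    if actual == claimed:
        return ("allow", "content matches suffix")
    return ("block", "suffix claims %s, content is %s"
            % (claimed, actual or "unrecognised"))

if __name__ == "__main__":
    # Constructed sample responses: (requested path, first bytes of body).
    samples = [
        ("/images/logo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),  # real JPEG header
        ("/images/b.jpg", b"\x9a\x41\x7c\x03\xee\x55\x10\x22"),     # opaque data, .jpg name
        ("/images/c.jpg?v=2", b"MZ\x90\x00\x03\x00\x00\x00"),       # executable header, .jpg name
    ]
    for path, body in samples:
        print(path, verdict(path, body))
```

Because the comparison is applied per policy, each policy that handles web downloads needs the block action set for the check to take effect, as the post cautions.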