Security Basics mailing list archives
Re: Windows Messenger Pop-up spam
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Sat, 4 Dec 2004 05:08:21 +0100
On 2004-12-03 Kevin Davis wrote:
But let's assume we're talking not only about messenger spam but malware in general. Why would I rather block specific ports instead of disabling unneeded services? In the latter case I won't *have* anything that needs to be protected at all¹. Plus Personal Firewalls proved themselves to be much less reliable than one would like to think. Do I have to remind you of the Witty worm?
Disabling unneeded services is not an adequate protection from malware.
It is an adequate protection from malware that tries to attack services.
There are tons of malware - in fact probably the majority that set up their own "server" once it infects the target system.
If malware is already running on the system, the box is 0wned and should be rebuilt.
That's where personal firewalls help.
No.
A new, unknown process is trying to get out to the net - the firewall will catch this and alert the user.
The firewall may possibly catch this and alert the user. Or the malware may simply sneak around the firewall. Or disable it. You can't rely on PFWs to control outbound traffic.
I would agree that one should not put 100% confidence in personal firewalls. All software has bugs and many will have vulnerabilities from time to time.
Bugs are an issue with inbound traffic, but not with outbound traffic.
This fact in itself does not justify permanently discounting it. The first time you find out that your router has a bug in its firmware do you throw it in the trash?
Of course not. However, if its firmware continues being buggy, I would reconsider that decision.
The best solution is a multi layered approach (defense in depth).
Defense in depth is a good thing. *If* it gains you security.
1. Patch your systems,
Of course.
2. Get your systems behind a firewall (a personal firewall if a home user).
Firewall on a router: very well. Personal Firewall: most likely not. Yes, there are some exceptions, but their number is few.
3. Get your system behind a router.
Local networks of any kind: of course. A single home computer: maybe, but not a must.
4. Harden system by turning off unneeded services.
That would be my second step. No services -> nothing to exploit. I would consider using a Personal Firewall *only* if for some reason a service can't be disabled or bound to a specific interface.
5. Employ the use of virus and spyware scanners\blockers
Virus scanners may be useful. However, one should be aware of their limitations, since each virus scanner is just as good or bad as its virus definitions. As for spyware scanners/blockers: I usually prefer to not install spyware in the first place. Avoiding IE/OE helps. Much. [...]
Sure, you can argue that maybe the host acts as a router for some local network (ICS or something). However, I would still have to ask: why does he need to provide any services at all? A router is not supposed to provide services. Period. If one needs Internet connectivity for a local network and needs all computers as workstations, then bite the damn bullet and buy a router. They're not *that* expensive. And of course one would block *everything* except for the desired traffic on the network *perimeter*, not only deny the undesired traffic on the host itself.
The small, inexpensive SOHO routers only block inbound traffic. If a user gets some malware on their system, this helps them not.
Neither does a PFW. Once malware is running on your system, you're toast. Period. Even Microsoft finally did understand that [1].
If there's no LAN but just a single host with Internet connection, then why does the box need to provide any services at all? IMnsHO.
You can't make a blanket statement like this for all cases. In some cases this would be true, in others not. Let's take the Messenger service, for instance. Some people should *not* turn off the Messenger service. Why? Maybe they are running one of the several virus scanning products that use the Messenger service to alert the user of a virus problem.
Any AV software that uses the messenger service for notifying the (local) user should be trashed *immediately*, because of major incompetence of the vendor.
Turn that service off and it is degrading the ability of the virus scanner to do its job properly. I'm sure that there are other examples. In this particular case, I think that the virus scanners that depend on this service are poorly designed. One could argue that this dependency is, from one respect, weakening the security of the system.
I still fail to see *any* good reason why a single computer (no LAN) should *not* have all services disabled.
[1] http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx
Regards
Ansgar Wiechers
--
"Those who would give up liberty for a little temporary safety deserve neither liberty nor safety, and will lose both." --Benjamin Franklin
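Added example, not part of the original post: one way to check the "disable it or bind it to a specific interface" position discussed in this message is to list which listening sockets are reachable from the network rather than bound to loopback only. The sample text is constructed in the layout of Windows `netstat -ano` output; the function names are hypothetical.

```python
import ipaddress

# Constructed sample in the layout of Windows `netstat -ano` (not from the thread).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING       1480
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1064      203.0.113.5:80         ESTABLISHED     2044
  UDP    0.0.0.0:1026           *:*                                    1100
  UDP    127.0.0.1:1900         *:*                                    1200
  TCP    [::]:135               [::]:0                 LISTENING       912
"""

def parse_listeners(text):
    """Return (proto, address, port, pid) for each listening TCP or bound UDP socket."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # header or unrelated line
        # UDP rows have no State column; TCP rows count only when LISTENING.
        if fields[0] == "TCP" and (len(fields) < 5 or fields[3] != "LISTENING"):
            continue
        host, _, port = fields[1].rpartition(":")
        addr = ipaddress.ip_address(host.strip("[]"))  # strip IPv6 brackets
        listeners.append((fields[0], addr, int(port), int(fields[-1])))
    return listeners

def exposed(listeners):
    """Listeners reachable from the network: anything not bound to loopback."""
    return [entry for entry in listeners if not entry[1].is_loopback]

def exposed_ports(text):
    """Sorted unique (proto, port) pairs that a remote host could reach."""
    return sorted({(proto, port) for proto, _, port, _ in exposed(parse_listeners(text))})

if __name__ == "__main__":
    for proto, addr, port, pid in exposed(parse_listeners(SAMPLE)):
        print(f"{proto} {addr}:{port} (PID {pid}) is reachable from the network")
```

An empty result from `exposed_ports` means every remaining listener is loopback-only; each entry it does return maps through its PID to a service that is still network-reachable.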