Full Disclosure mailing list archives
RE: RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Sun, 26 Jan 2003 23:48:54 -0600
-----Original Message-----
From: hellNbak [mailto:hellnbak () nmrc org]
Sent: Sunday, January 26, 2003 11:11 PM
To: Schmehl, Paul L
Cc: Ron DuFresne; Full-Disclosure
Subject: RE: [Full-disclosure] RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!
On Sun, 26 Jan 2003, Schmehl, Paul L wrote:
This simply shows your ignorance of the issues, Ron. Port 1434 was not a normal port for SQL server *until* MSDE came out. We obviously blocked 1433 long ago, as did almost every edu in the universe. But 1434 was a recent "innovation" to make SQL server capable of running multiple instances on multiple ports.
Ummm, Paul -- whatever happened to the first rule (maybe it's the second or third perhaps) of building a firewall -- "deny all" and only allow outgoing/incoming what you need. Even if you were not aware of 1434 being used, it should have been blocked by default by any firewall admin with a clue.
No, with a clue *and* permission. I'd be really surprised to find a single edu that has a "deny all" stance. Worldwide. That is a complete paradigm shift for edu. Fortunately, the med schools are being forced to do that now due to HIPAA, and hopefully it will be true some day in all of edu. For now, very few edus even have firewalls, much less a "deny all" policy. It's time some folks got a grasp on reality. I have a deny all policy on every box that I control, but for the entire network? Good luck. Maybe some day, after edus have suffered enough that the upper administration and the faculty get some clues, but not today. Not in edu. I wish it were true.
Now you're being silly. I'm certain that every edu in the world was rushing to close port 1434 yesterday. But the horse was already out of the barn.
I know a few that did not have to bother -- even with unpatched SQL boxes for the simple reason I stated above -- no traffic was allowed from the net to the boxes anyways.
I'd be real interested to hear the names of any edus that 1) have a firewall and 2) have a "deny all" policy in place and *implemented*.
That is great to hear. Let's hope that you are not the benchmark but only the baseline at most. Perhaps some of the .edu admins need to first understand that they are an .edu and educate themselves on basic network design concepts and security. And no Paul, I am not referring to you specifically either.
There are others in edu who are much more knowledgeable than I. I certainly wouldn't call myself an expert. But I haven't found anyone in edu in the security or networking areas that doesn't know what needs to be done and devoutly wishes they could implement it.
As far as waiting for vendors to fix things goes, why do you think I've abandoned MS products at work and refuse to use them for any of my security related work?
Huh? That makes zero sense in the real world - there is always a workaround, there are always ways to mitigate risk. Besides, there are a good handful of non-MS product holes that have not been fixed in quite some time. But making the blanket statement -- I refuse to use "them" for any of my security related work -- is plain ignorant. Granted, for specific security tasks there are better products out there to use other than MS ones.
Given your last statement is true, then why should I use MS products for security? 1) I don't trust MS products for security related tasks. The idea of implementing a firewall based on an MS OS scares the hell out of me. 2) Their performance sucks. Compared to *nix based products, it takes twice the box to do the same job - whether it's scanning for vulnerabilities or using an IDS, setting up a firewall, you name it. And then there's the cost. ISS wants 6 figures (for software and the necessary equipment) to scan for vulnerabilities. Why should I spend the few precious dollars we have for that when I can use nmap and nessus and get better results?
Blaming the admins for what happened is akin to prosecuting a woman for being raped. Instead of going after the perpetrators who wrote and released the worm, you want to go after the admins whose networks were taken advantage of. And you *assume* they were lazy, incompetent or any of the other pejoratives that make you feel better about yourself.
No, it is more like blaming the woman for not even attempting to protect herself.
And here I thought we'd progressed into the 21st century. It is *never* the victim's fault, no matter the provocation, for a crime having been committed against them. Never. Their behavior might mitigate the criminal's punishment, but it does not excuse the crime.
Come on Paul, how long have we had problems with *ALL* software and required patches??
Since software was first written.
Any admin worth his paycheck knows that systems need patching. I personally don't assume that they were lazy or incompetent as I have experienced the various politics around patching servers, change control, etc etc.... but there are few organizations that do not have a specific IT Security role anymore
We just got ours in September, 2002.
-- at a minimum these guys should be alerting admins about patching boxes
Hell, I've been doing that for four years - long before I got this position. I sent the notice on this particular problem in July, when the patch was first announced. We still had six boxes hit. Most were on desktops in schools, in places we weren't aware of.
-- it's not like this was a zero day. Thinking that we will get secure and useful out of the box is a dream -- it won't happen; as soon as you open up services you open up risk. Of course we can all be 100% patched and still get owned, but at least in this specific case the worm would not have spread as easily as it did.
All that is true. But the admins whose networks got hit *still* didn't release the worm. I know very good admins, in very tight networks, who got taken completely by surprise by one remote user who connected to the network before they could detect them. It's real easy to kneejerk and blame them for the problem. All I can say is, walk a mile in their shoes. Until you've been responsible for 10,000 desktops of every size, shape and description, you have no idea what you're talking about. Talk is cheap.
If this is truly the case Paul then you have my sympathy.
I'm not looking for sympathy. I'm trying to point the blame for these problems at the real culprits.
But I really want to say WTF -- they are a freakin educational institution -- you would think they know a thing or two.
Knowledge is one thing. The power to implement what you know is another entirely.
Perhaps some litigation over being a launching point for an attack will straighten things out.
Sure it will! You'll fill a few lawyers' pockets and leave the admins behind with less money than they had before. Now *there's* a "solution" that has real merit. For those of you smartass know-it-alls who think you've got the tiger by the tail, here's a suggestion for you - volunteer your time to some of the local educational institutions. Pick a non-profit in your local area and help them with their network. Do some fund raising to get them the equipment they need. Or donate the equipment you throw out because it's "out of date". DO something about the problem instead of bitching about it in the lists and blaming the poor admins who have no power to fix it.
I don't think anyone can completely control their work situation. We all have to deal with BS politics and actually prove the risk before some pointy haired boss agrees to the change. This is a reality inside the .edu and outside. Perhaps the .edu admins and security guys need to do a better job in proving the risk. Tie the risk to actual costs in bandwidth and loss of reputation etc... would these tactics not work in an .edu environment?
They help. I never miss an opportunity to use an incident like this to ask for permission to implement better solutions. Sometimes I implement them first and get chewed out later. Whatever gets the job done. But the larger the institution, the more difficult it is for the poor grunts who do the work to get anything substantive done.
Why not blame the networks that allow these jerks to release their worms, run their DDoS networks and do all the other crap they do? Why
is it still possible to host a website on the Internet that freely makes worms, viruses and exploit code available to the world? (Yeah, I know, it's a freedom of speech issue, right? Yeah, right!)
No Paul, to me this isn't a freedom of speech thing. It is a learning thing -- many (including me) crave to learn and know what the .edu system cannot teach.
I have no problem with that. Just learn it in a controlled environment that *you* own. Learning it at someone else's expense is theft - pure and simple. Some people have cried for litigation to "force" networks to "clean up" and get rid of "lazy" admins. How about we ask for legislation to put hackers away for life? Would you like that?
A lot of common sense is required to know what is right and what is wrong, but taking the information off of the Internet won't solve the problems. What, do we bust down doors and take everyone's computer books away and burn them? Do we lock up the RFCs and only let Microsoft, Sun, Cisco, HP, etc... see them (control them)? What about computer science courses and all those guys with the BSc and PhD in computer sciences? Shit, we had better lock them up cause they are terrorists, right?
No, that's silly. But when someone "experiments" and takes down networks, stop blaming the networks for the problem. Blame the person responsible.
Removing the information from the Internet won't stop its flow and won't stop the malicious from using what they learn via other channels.
So we should just give up? Did it ever occur to you that my posts might also be informational and educational? That they might influence someone *not* to experiment with other people's networks?
The least we all can do as IT guys and IT Security guys is raise the fucking bar a little. Right now a 12 year old MafiaBoy wanna-be with even less knowledge can take out portions of the net -- what does that tell you?
It tells me there's a large gap between utopia and reality.
The worst change control procedure I have ever experienced took 30-45 days for a "critical" patch to be lab tested, packaged and pushed out. This organization was still patched in time.
What's change control? ;-) Look, do admins need to do better? Of course they do. Do networks need to take security more seriously? Of course they do. But stop blaming the networks every time there's a problem. Blame the culprits who release these bugs. If it wasn't considered so gosh darn cool to release something that takes down the Internet, maybe fewer people would consider doing it. As long as they can hide in the smoke of the blame game, they'll keep releasing bugs. When everybody gets focused on the real problem - people who don't give a damn how they hurt others - then *maybe* some of this will stop. Meanwhile, I have work to do, and I've pretty much said my piece, so y'all can hash it over here and talk about how stupid my ideas are. I'm done with this.
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/~pauls/
AVIEN Founding Member
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
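The disagreement above between "we blocked 1433 long ago" and "deny all and only allow what you need" is a difference in default policy, and the following added example (not part of the thread or of either poster's setup) models that difference in code. It evaluates the same inbound traffic against two constructed rulesets: a default-allow policy with an explicit block for TCP 1433, and a default-deny policy that opens only a handful of services. The thread says "port 1434" without naming a protocol; the worm in question spread over UDP 1434, which is what the constructed probe below uses. The allowed service ports (80, 443, 25) are assumed for illustration, not taken from any network the thread describes.

```python
"""Default-deny versus explicit-blocklist firewall policy, evaluated against
constructed packets.  Added example; not code from the thread."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    dst_port: int
    direction: str    # "in" = arriving from the Internet, "out" = leaving campus


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    proto: Optional[str] = None      # None matches any protocol
    dst_port: Optional[int] = None   # None matches any port
    direction: Optional[str] = None  # None matches either direction

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dst_port is None or self.dst_port == pkt.dst_port)
                and (self.direction is None or self.direction == pkt.direction))


@dataclass(frozen=True)
class Policy:
    rules: List[Rule]
    default: str   # verdict applied when no rule matches

    def verdict(self, pkt: Packet) -> str:
        # First matching rule wins, as on most packet filters.
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default


# Stance 1: default allow, blocking only the SQL port the admin knew about.
# Anything the admin did not know was listening stays reachable.
BLOCKLIST_1433 = Policy(
    rules=[Rule("deny", "tcp", 1433, "in")],
    default="allow",
)

# Stance 2: default deny; only services the site deliberately offers are opened
# (ports here are assumed for illustration).  A new listener such as the SQL
# resolution service on UDP 1434 is unreachable without anyone acting.
DEFAULT_DENY = Policy(
    rules=[
        Rule("allow", "tcp", 80, "in"),
        Rule("allow", "tcp", 443, "in"),
        Rule("allow", "tcp", 25, "in"),
        Rule("allow", direction="out"),   # campus-initiated traffic
    ],
    default="deny",
)

# Constructed traffic, not a capture.
SLAMMER_PROBE = Packet("udp", 1434, "in")   # the worm's actual vector
OLD_SQL_PROBE = Packet("tcp", 1433, "in")   # the port both stances block
WEB_REQUEST = Packet("tcp", 80, "in")       # a service the site offers


def compare(pkt: Packet) -> Dict[str, str]:
    """Verdict of each stance for one packet."""
    return {
        "blocklist_1433": BLOCKLIST_1433.verdict(pkt),
        "default_deny": DEFAULT_DENY.verdict(pkt),
    }


def exposed_only_by_blocklist(packets: List[Packet]) -> List[Packet]:
    """Packets the blocklist stance lets in that default deny would drop,
    i.e. the gap created by every listener the admin did not know about."""
    return [p for p in packets
            if BLOCKLIST_1433.verdict(p) == "allow"
            and DEFAULT_DENY.verdict(p) == "deny"]


if __name__ == "__main__":
    for pkt in (SLAMMER_PROBE, OLD_SQL_PROBE, WEB_REQUEST):
        print(pkt, compare(pkt))
    print("exposed only under blocklist:",
          exposed_only_by_blocklist([SLAMMER_PROBE, OLD_SQL_PROBE, WEB_REQUEST]))
```

The point the model makes is the one hellNbak argues: under a default-deny policy the admin does not need to know that MSDE added a listener on 1434, because the border device never forwarded it; under the blocklist stance, every listener nobody thought to block is reachable. The cost, which Paul's reply also captures, is that default deny requires an inventory of every service the site legitimately offers and the authority to drop everything else.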
Current thread:
- Re: Re: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!, (continued)
- Re: Re: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434! David Howe (Jan 28)
- RE: RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434! Schmehl, Paul L (Jan 26)
- Re: RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434! Henrik Lund Kramshøj (Jan 26)
- Re: RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434! Blue Boar (Jan 26)
- Re: RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434! Ka (Jan 26)
- Re: RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434! Henrik Lund Kramshøj (Jan 26)
- RE: RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434! Ron DuFresne (Jan 26)
- RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434! jmcguire (Jan 26)
- RE: RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434! Schmehl, Paul L (Jan 26)
- RE: RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434! hellNbak (Jan 26)
- RE: RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434! Ron DuFresne (Jan 27)
- RE: RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434! Schmehl, Paul L (Jan 26)
- RE: RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434! hellNbak (Jan 27)
- Re: RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434! Nick Jacobsen (Jan 27)
- Re: RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434! martin f krafft (Jan 27)
- RE: RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434! hellNbak (Jan 27)
- RE: RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434! Ron DuFresne (Jan 27)