Re: DCOM RPC exploit (dcom.c)

[Paul Schmehl <pauls () utdallas edu>]

On Sat, 2003-07-26 at 23:22, Jason wrote:
> The war begins...
>
> I'm not going to debate the release of code with anyone. Simply put, 
> best practices should have mitigated this in a huge way from the 
> beginning. All of the remaining threat should have been tested and 
> patched by now.
What a polyanna world you live in.

> RPC services have been a risk forever. Knowing that the majority of 
> clients do not use DCOM, an RPC service, is all that the administrators 
> needed to know. Do you build a *nix system and leave all(any) RPC 
> services enabled?
>
> ** DCOM should have been disabled for 99% of the systems they have. **
So, since you're so smart, publish a document that explains, in language
Windows users can understand, how to disable DCOM.  Oh, and make sure
you include the code so the fix can be deployed to thousands of machines
easily, just like the worms are.

ISTM the "security community" is a lot more eager to publish exploits
than they are to publish fixes - unless you want to pay them obscene
consultant fees.  It's interesting that many seek fame by releasing and
publishing exploits, but then they want to charge for the knowledge to
fix the problem.  (And no, I don't need your help.)

If I had millions of dollars, I could put all sorts of "security
solutions" in place.  I have yet to find one that is reasonably priced
(for Windows.)  I have vendors calling me every week offering the next
great security solution for "only" $100,000 or more.

Have you noticed how the open source community doesn't do much
development for Windows?  (I'm talking about security products here.) 
It's getting better, with snort, nessus and nmap leading the way, but
where are the open source tools for patch deployment for Windows?  Where
are the open source tools for checking patch levels and verifying
compliance?  (And please don't tell me hfnetchk.)  Far too many open
source developers sneer at Windows and refuse to even develop for it,
then turn around and criticize the Windows admins for not maintaining
their boxes properly and having a lax attitude about security.  Seems
grossly hypocritical to me.

> Ohhh, now we are going to complain about having to put in all those 
> extra hours and spend all that overtime money. Umm, be happy you still 
> have a job.
Overtime money?  You must be kidding.  Our IT people work an average of
60 hours a week and get no overtime money.  They're all on salary and
"exempt" from overtime pay.  The reason I have this Gentoo box at home
is so I can monitor the network when I'm "not working".  (I'm not
complaining, mind you, I happen to love what I do.)

While the rest of the university community is enjoying their two week
Christmas holiday, the IT staff is busily patching and doing maintenance
on boxes that are too critical to take down during the academic year.

Please visit the real world some day.  It might actually change your
viewpoint.  (Then again, maybe not, since you are so far into the
fantasy world.)
 
> Sorry, no sympathy here.
>
> ** If you have assets worth protecting you hire people who are capable 
> of protecting them. **
Assuming, of course, that you have the money to do so.  Wouldn't be nice
if your imaginary scenarios could actually play out in real life.  In
real life IT is almost always understaffed and overworked - and then we
have to suffer the "experts" telling us what a lousy job we're doing and
how much better off we'd be if we'd simply hire them - at outrageously
inflated consulting fees - to fix our problems. 

> * How many of the systems vulnerable internally are protected with an 
> IDS? ( slim to none? )
IDSes don't protect anything.  They merely tell you where the shit just
hit the fan.  IPSes are still in their infancy, and very few admins are
going to trust them to stop bad stuff without also stopping important
traffic.

> * How many of the systems vulnerable from the internet are implemented 
> and administered by an MCSE or equivelant? ( nearly all? )
Funny, the only MCSE we've ever had left years ago.  AFAIK we don't have
a single person on staff with acronyms after their name.  We do have an
excellent Windows admin who used to be Banyan Vines certified.  Usually,
if a person gets acronyms, they leave for greener pastures. 

> * I am still a firm believer in the ability of the human race to learn 
> by making mistakes. ( it can be fun )
Please come to UTD next week.  You can participate in the "fun".

-- 
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html