funsec mailing list archives
Re: InfoSec Slammer :-)
From: "Dude VanWinkle" <dudevanwinkle () gmail com>
Date: Wed, 3 May 2006 00:19:58 -0400
On 5/2/06, Nick FitzGerald <nick () virus-l demon co uk> wrote:
Dude VanWinkle wrote:
> Now this is FUNNY =)
What?
The fact that someone brought an infected MS SQL server to a security trade show. If they piped in inet1 to the building, then routed it to all their wireless nodes, then yeah, that's a little funny too.
> However whilst exhibiting at the show, security risk firm McAfee was
> able to detect various networks connections that lacked any
> encryption, so maybe things weren't as rosy as we first suspected.
> Using its Network intrusion prevention product, IntruShield, McAfee
> spotted 50,000 instances of attack by the Slammer worm. Slammer was
> been pumped across some security vendors' own networks, McAfee
> reports.
The fact that a single moron with a Slammer-infected machine was present at a security trade show?
A single moron with a SQL server (MSDE will do) and yes, I find that pretty damn funny. Even more so because I know he was handing out cards that read "Internet Security Consultant" lol.
I mean, the way Slammer works, 50,000 "attacks" detected means there were very few sources involved, and as the McAfee person trying to make PR of it didn't mention the _source_ numbers, you can bet there were _VERY FEW_ sources... I mean, what would be the more "marketable" story nowadays -- "27 Slammer infected machines present" or "50,000 Slammer probes detected"? I'd say, guessing at how big Infosec is likely to be, that one Slammer-infected machine is likely to be well below the world average...
I would have liked to see source MACs, and even though it may be below the world average, these packets show that at least one company who quite possibly was a vendor, was at the same time infected with an antique worm and trying to convince people of how much they knew about security.
> Attacks by SQL Slammer shouldn't be confused with successful
> infections. Net security services firm MessageLabs, which has a
> distinguished pedigree in spotting such outbreaks, told us it hadn't
> seen any problems.
Or the fact that the reporter (John L really should know better!), despite supposedly specializing in security issues, still hasn't noticed that ML does Email and web filtering so wouldn't be very likely to spot _ANY_ Slammer attacks that may, or may not, have been present, yet he reported the ML comment straight, repeating the ML spin? Can you say "shill" John?
FUD and what we should expect of security vendors, but still funny IMO
For my money, it is the latter that is funny (the former is just sad!).
Well this was all free, so at least enjoy the fact that it didn't cost you anything,
Regards, Nick FitzGerald
-JP
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.