funsec mailing list archives

Re: InfoSec Slammer :-)


From: "Dude VanWinkle" <dudevanwinkle () gmail com>
Date: Wed, 3 May 2006 00:19:58 -0400

On 5/2/06, Nick FitzGerald <nick () virus-l demon co uk> wrote:
> Dude VanWinkle wrote:
>
> > Now this is FUNNY =)
>
> What?

The fact that someone brought an infected MS SQL server to a security
trade show.

If they piped in inet1 to the building, then routed it to all their
wireless nodes, then yeah, that's a little funny too.

> > However whilst exhibiting at the show, security risk firm McAfee was
> > able to detect various networks connections that lacked any
> > encryption, so maybe things weren't as rosy as we first suspected.
> > Using its Network intrusion prevention product, IntruShield, McAfee
> > spotted 50,000 instances of attack by the Slammer worm. Slammer was
> > been pumped across some security vendors' own networks, McAfee
> > reports.
>
> The fact that a single moron with a Slammer-infected machine was
> present at a security trade show?

A single moron with a SQL server (MSDE will do) and yes, I find that
pretty damn funny. Even more so because I know he was handing out
cards that read "Internet Security Consultant" lol.

> I mean, the way Slammer works, 50,000 "attacks" detected means there
> were very few sources involved, and as the McAfee person trying to make
> PR of it didn't mention the _source_ numbers, you can bet there were
> _VERY FEW_ sources...  I mean, what would be the more "marketable"
> story nowadays -- "27 Slammer infected machines present" or "50,000
> Slammer probes detected"?  I'd say, guessing at how big Infosec is
> likely to be, that one Slammer-infected machine is likely to be well
> below the world average...

I would have liked to see source MACs, and even though it may be
below the world average, these packets show that at least one company
who quite possibly was a vendor, was at the same time infected with
an antique worm and trying to convince people of how much they knew
about security.

> > Attacks by SQL Slammer shouldn't be confused with successful
> > infections. Net security services firm MessageLabs, which has a
> > distinguished pedigree in spotting such outbreaks, told us it hadn't
> > seen any problems.
>
> Or the fact that the reporter (John L really should know better!),
> despite supposedly specializing in security issues, still hasn't
> noticed that ML does Email and web filtering so wouldn't be very likely
> to spot _ANY_ Slammer attacks that may, or may not, have been present,
> yet he reported the ML comment straight, repeating the ML spin?  Can
> you say "shill" John?

FUD and what we should expect of security vendors, but still funny IMO

> For my money, it is the latter that is funny (the former is just sad!).

Well this was all free, so at least enjoy the fact that it didn't cost
you anything,

> Regards,
>
> Nick FitzGerald


-JP
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

