Security Basics mailing list archives

RE: Purging Blaster.worm


From: "Bob Walker" <bobwalker8 () comcast net>
Date: Thu, 14 Aug 2003 14:21:41 -0500

> Maybe I am a little sensitive to this, being the firewall guy and
> all, but come on people.

Hmmm... Maybe so  :-)

My point here was simply that I have yet to have a customer walk in the
door that was infected who was running a broadband connection behind a
firewall.  All (or most) were simple broadband (primarily cable)
connections, wide open.  A further point was that we all have a lot of
work to do here to educate folks, whether it's the home user or the
corporate exec, about security and the necessity of applying patches as
they are made available.  But seriously, how many of these users are
going to do that on their own?  By your own admission, your infection
came from within your organization from unpatched laptops, and there you
are definitely correct, no firewall in the world would have prevented
that.

But consider this too.  No matter how timely we do the patches, at some
point, there is a vulnerability discovered prior to the patch being
available.  Hopefully, that vulnerability is discovered by a good guy
and not a bad guy, and the patch developed and made available for the
rest of us good guys.  But (reading the lowlife that released this
worm's mind here), perusing the Microsoft web site for patches, and
knowing the mindset of most users and the alacrity of applying said
patches, that surely gives the bad guy a leg up on most folks.  Can we
ever expect to get ahead of the bad guys here without some kind of
firewall that gives us that "little bit of time to slow it down and
apply the patches"?

Bob



-----Original Message-----
From: Jay Woody [mailto:jay_woody () tnb com] 
Sent: Thursday, August 14, 2003 1:07 PM
To: bobwalker8 () comcast net; security-basics () securityfocus com
Subject: RE: Purging Blaster.worm


> This infection doesn't seem to be able to get past a properly
> configured firewall, with ports 4400 and 135 locked down, which could
> be why it's been so widespread, eh? ;-)  What does that tell us?

Guys, I hate to beat a dead horse here, but I continue to see posts like
this.  A "properly configured firewall" is a very small part of this
answer.  Some people need NetBIOS inside and they use TFTP to the
outside, etc.  The answer was to be freaking patched.  To see 100's of
smart people warn you to be patched for 3 or 4 weeks and then when it
hits to go, "Man, I thought our firewall would stop it." shows that you
aren't reading the bulletin to begin with.  Ever since Code Red waltzed
in over port 80, the answer stopped being a firewall.  They are great
and they can slow it down and give you a little time to patch, but they
will just keep changing ports (I think I saw 593 now as one to block)
and changing ports.  The firewall can stop some crap, but the answer is
to freaking patch the systems.  In this case, no one knew to block 69
until it hit for example.  69 is legitimate for anyone that uses TFTP.
How is a firewall that has been configured to allow 69 going to stop
that?

Maybe I am a little sensitive to this, being the firewall guy and all,
but come on people.  I stopped 135, 136, 445, 4444 and a host of others
and you know what, it still hit.  Know what it hit, a couple of freaking
laptops from home.  They brought it in and my firewall did d!ck as it
bounced around from floor to floor.  Sure I could shut off 69 and keep
it from hitting the world, but that didn't stop all the UNPATCHED
workstations from getting this thing.  The answer is to freaking listen
to the community and patch the boxes.  Don't count on a firewall or
anti-virus to protect you.  

All this took was a little 800K patch and you would have had NO PROBLEMS
at all.  You had 3 or 4 weeks to get it out.  And it worked with SP6 in
NT, SP2 in 2K and I think SP1 in XP, so you didn't even have to roll a
SP out with it.  That was the answer.  Patch.  I'll do the best I can to
block the crap from the outside, but when you let it walk in the
backdoor, there ain't a lot I can do, but sit back and laugh. 
Oh, and explain over and over again why for 3 weeks now I warned you to
patch the workstations (that is what happened here at least) and told
you the firewall couldn't stop it.

JayW
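Jay's point about the perimeter, as an added example that is not part of the original thread: a small Python simulation of the rule set he describes (135, 136, 445, 4444 blocked at the perimeter) run over constructed flow records. It shows that traffic between internal hosts never reaches the perimeter policy at all, and that adding 69 to the block list would stop a victim's outbound TFTP fetch and a legitimate TFTP session alike. The 10.0.0.0/8 address space, the host addresses and the flow records are assumptions.

```python
# Added example, not from the original thread. A toy perimeter firewall:
# it only ever sees flows that cross between inside and outside.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")        # assumed corporate address space
PERIMETER_BLOCK = {135, 136, 445, 4444}    # the ports Jay says he stopped


@dataclass(frozen=True)
class Flow:
    label: str
    src: str
    dst: str
    dport: int


def crosses_perimeter(flow: Flow) -> bool:
    """True only when exactly one endpoint is inside the corporate network."""
    return (ip_address(flow.src) in INTERNAL) != (ip_address(flow.dst) in INTERNAL)


def perimeter_verdict(flow: Flow, blocked=PERIMETER_BLOCK) -> str:
    """'blocked' or 'allowed' for flows that cross the perimeter;
    'not-seen' for internal-to-internal flows the firewall never inspects."""
    if not crosses_perimeter(flow):
        return "not-seen"
    return "blocked" if flow.dport in blocked else "allowed"


def verdicts(flows, blocked=PERIMETER_BLOCK) -> dict:
    """Map each flow label to the perimeter firewall's verdict."""
    return {f.label: perimeter_verdict(f, blocked) for f in flows}


# Constructed sample flows (addresses are documentation ranges / assumptions).
FLOWS = [
    Flow("inet-rpc",        "203.0.113.7", "10.1.1.5",      135),   # outside -> inside
    Flow("inet-shell",      "203.0.113.7", "10.1.1.5",      4444),  # outside -> inside
    Flow("laptop-floor1",   "10.2.2.20",   "10.1.1.5",      135),   # laptop brought in
    Flow("laptop-floor2",   "10.2.2.20",   "10.4.4.8",      135),   # bouncing floor to floor
    Flow("victim-tftp-out", "10.1.1.5",    "203.0.113.7",   69),    # infected host fetching
    Flow("legit-tftp-out",  "10.1.1.9",    "198.51.100.3",  69),    # a real TFTP user
]

if __name__ == "__main__":
    for rules, name in ((PERIMETER_BLOCK, "Jay's rules"),
                        (PERIMETER_BLOCK | {69}, "with 69 blocked too")):
        print(name)
        for label, verdict in verdicts(FLOWS, rules).items():
            print(f"  {label:16s} {verdict}")
```

Whichever rule set is used, the two laptop flows stay "not-seen": the perimeter never gets a chance to block them, which is exactly the case Jay describes.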


