Security Basics mailing list archives
RE: Purging Blaster.worm
From: "Bob Walker" <bobwalker8 () comcast net>
Date: Thu, 14 Aug 2003 14:21:41 -0500
Maybe I am a little sensitive to this, being the firewall guy and
all, but come on people.>> Hmmm... Maybe so :-) My point here was simply that I have yet to have a customer walk in the door that was infected who was running a broadband connection behind a firewall. All (or most)were simple broadband (primarily cable) connections, wide open. A further point was that we all have a lot of work to do here to educate folks, whether it's the home user or the corporate exec, about security and the necessity of applying patches as they are made available. But seriously, how many of these users are going to do that on their own? By your own admission, your infection came from within your organization from unpatched laptops, and there you are definitely correct, no firewall in the world would have prevented that. But consider this too. No matter how timely we do the patches, at some point, there is a vulnerability discovered prior to the patch being available. Hopefully, that vulnerability is discovered by a good guy and not a bad guy, and the patch developed and made available for the rest of us good guys. But (reading the lowlife that released this worm's mind here), perusing the microsoft web site for patches, and knowing the mindset of most users and the alacrity of applying said patches, that surely gives the bad guy a leg up on most folks. Can we ever expect to get ahead of the bad guys here without some kind of firewall that gives us that "little bit of time to slow it down and apply the patches"? Bob -----Original Message----- From: Jay Woody [mailto:jay_woody () tnb com] Sent: Thursday, August 14, 2003 1:07 PM To: bobwalker8 () comcast net; security-basics () securityfocus com Subject: RE: Purging Blaster.worm
This infection doesn't seem to be able to get past a properly configured firewall, with ports 4400 and 135 locked down, which could
be why it's been so widespread, eh? ;-) What does that tell us?
Guys, I hate to beat a dead horse here, but I continue to see posts like this. A "properly configured firewall" is a very small part of this answer. Some people need NetBIOS inside and they use TFTP to the outside, etc. The answer was to be freaking patched. To see 100's of smart people warn you to be patched for 3 or 4 weeks and then when it hits to go, "Man, I thought our firewall would stop it." shows that you aren't reading the bulletin to begin with. Ever since Code Red waltzed in over port 80, the answer stopped being a firewall. They are great and they can slow it down and give you a little time to patch, but they will just keep changing ports (I think I saw 593 now as one to block) and changing ports. The firewall can stop some crap, but the answer is to freaking patch the systems. In this case, no one knew to block 69 until it hit for example. 69 is legitimate for anyone that uses TFTP. ow is a firewall that has been configured to allow 69 going to stop that? Maybe I am a little sensitive to this, being the firewall guy and all, but come on people. I stopped 135, 136, 445, 4444 and a host of others and you know what, it still hit. Know what it hit, a couple of freaking laptops from home. They brought it in and my firewall did d!ck as it bounced around from floor to floor. Sure I could shut off 69 and keep it from hitting the world, but that didn't stop all the UNPATCHED workstations from getting this thing. The answer is to freaking listen to the community and patch the boxes. Don't count on a firewall or anti-virus to protect you. All this took was a little 800K patch and you would have had NO PROBLEMS at all. You had 3 or 4 weeks to get it out. And it worked with SP6 in NT, SP2 in 2K and I think SP1 in XP, so you didn't even have to roll a SP out with it. That was the answer. Patch. I'll do the best I can to block the crap from the outside, but when you let it walk in the backdoor, there ain't a lot I can do, but sit back and laugh. Oh, and explain over and over again why for 3 weeks now I warned you to patch the workstations (that is what happened here at least) and told you the firewall couldn't stop it. JayW --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Re: Purging Blaster.worm, (continued)
- Re: Purging Blaster.worm Martchukov Anton (Aug 13)
- Re: Purging Blaster.worm Ansgar Wiechers (Aug 16)
- RE: Purging Blaster.worm Bob Walker (Aug 14)
- RE: Purging Blaster.worm Blaxes (Aug 16)
- RE: Purging Blaster.worm Preston, Tony (Aug 13)
- RE: Purging Blaster.worm Rory (Aug 13)
- Re: Purging Blaster.worm Jay Woody (Aug 13)
- RE: Purging Blaster.worm Parolini, Walter A REV:EX (Aug 13)
- RE: Purging Blaster.worm Jay Woody (Aug 14)
- RE: Purging Blaster.worm Jay Woody (Aug 14)
- RE: Purging Blaster.worm Bob Walker (Aug 14)
- Re: Purging Blaster.worm Ken Jacobs (Aug 14)
- RE: Purging Blaster.worm David Gillett (Aug 16)
- RE: Purging Blaster.worm Meidinger Chris (Aug 15)
- RE: Purging Blaster.worm Vachon, Scott (Aug 15)
- RE: Purging Blaster.worm Jay Woody (Aug 16)
- RE: Purging Blaster.worm Meidinger Chris (Aug 18)
- RE: Purging Blaster.worm Alfred . Diggs (Aug 19)
- RE: Purging Blaster.worm Meidinger Chris (Aug 20)
- Re: Purging Blaster.worm Martchukov Anton (Aug 13)