Full Disclosure mailing list archives
RE: RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Sun, 26 Jan 2003 19:38:03 -0600
-----Original Message-----
From: Ron DuFresne [mailto:dufresne () winternet com]
Sent: Sunday, January 26, 2003 3:35 PM
To: Schmehl, Paul L
Cc: Matt Smith; Richard M. Smith; jasonc () science org; Jay D. Dyson; Bugtraq; Full-Disclosure
Subject: RE: [Full-disclosure] RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!

On Sat, 25 Jan 2003, Schmehl, Paul L wrote:
> > Until you've walked a mile in the shoes of the admins having to deal with this, keep your smug self-righteous indignation to yourselves.
>
> Admins of the boxes in question and more directly the network admins are fully responsible. But, perhaps the real issue here is this is a rationale for more distinct perimeter boundaries. That and the fact that foreknowledge of M$-SQL issues have been known since slapper at the least and thus, these ports should have long been blocked or 'protected' on the perimeters.

This simply shows your ignorance of the issues, Ron. Port 1434 was not a normal port for SQL server *until* MSDE came out. We obviously blocked 1433 long ago, as did almost every edu in the universe. But 1434 was a recent "innovation" to make SQL server capable of running multiple instances on multiple ports.

> Yet, even if you have an internal 'cloud' of systems, they have entrance and exit points to and from your .edu network. It might seem dramatic, but closing the access/entrance points from those systems that have/had been compromised would perhaps quickly resolve the issues in that .edu domain you are charged with.

Now you're being silly. I'm certain that every edu in the world was rushing to close port 1434 yesterday. But the horse was already out of the barn.

> If the .edu domain's policies do not allow such 'extreme' measures of dealing with admins not up to snuff, then the matter needs to be pushed up the chain of that domain's 'management', which of course starts with admins, in staff meetings, pushing their tier one folks and managers to push for something higher in the feeding chain.

And here, you display your ignorance of the edu environment. The idea that an admin could close a port simply because he thought it was dangerous is laughable. You have to go through committees made up of students and faculty and convince them it's necessary. Then you have to get the President's approval, and in the case of state schools, the approval of the Regents or Chancellors.

> Whining that your hands are too full to do the job you are hired and paid to do, while waiting for vendors to fix issues that they have a long record of wanting to avoid dealing with, will get nothing accomplished.

First of all, it's *not* my job. Secondly, I wasn't whining. Thirdly, you'd better hope and pray there are people like me in edu who care enough to fight for what's right security-wise, or there's no hope for the Internet. (And I can assure you that there are a *lot* of people in edu who care very much and are working hard to change things.)

As far as waiting for vendors to fix things goes, why do you think I've abandoned MS products at work and refuse to use them for any of my security related work?

Blaming the admins for what happened is akin to prosecuting a woman for being raped. Instead of going after the perpetrators who wrote and released the worm, you want to go after the admins whose networks were taken advantage of. And you *assume* they were lazy, incompetent or any of the other pejoratives that make you feel better about yourself.

Try working in a large edu sometime and see how much change you can initiate. It takes a tough person to stick it out and keep fighting. (I'm not tooting my own horn, but standing up for all edu admins everywhere.) Some universities are *still* fighting to get the NetBIOS ports closed, for god's sake. Do you think for one minute that *any* admin in his right mind would *willingly* expose those ports to the Internet? If not, then *why* on earth do you think they're still open? (Because the admins don't have the power to close them.)

It's *real* easy to criticize. Especially when you work in an atmosphere you can completely control. It's a lot tougher to find solutions to real problems in the real world and fight for change where it needs to occur.

Why not blame the networks that allow these jerks to release their worms, run their DDoS networks and do all the other crap they do? Why is it still possible to host a website on the Internet that freely makes worms, viruses and exploit code available to the world? (Yeah, I know, it's a freedom of speech issue, right? Yeah, right!)

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/~pauls/
AVIEN Founding Member
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html