Full Disclosure mailing list archives
RE: RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!
From: hellNbak <hellnbak () nmrc org>
Date: Sun, 26 Jan 2003 23:10:50 -0600 (CST)
On Sun, 26 Jan 2003, Schmehl, Paul L wrote:
> This simply shows your ignorance of the issues, Ron. Port 1434 was not a normal port for SQL server *until* MSDE came out. We obviously blocked 1433 long ago, as did almost every edu in the universe. But 1434 was a recent "innovation" to make SQL server capable of running multiple instances on multiple ports.
Ummm, Paul -- whatever happened to the first rule (maybe it's the second or third perhaps) of building a firewall -- "deny all" and only allow outgoing/incoming what you need. Even if you were not aware of 1434 being used, it should have been blocked by default by any firewall admin with a clue.
> Now you're being silly. I'm certain that every edu in the world was rushing to close port 1434 yesterday. But the horse was already out of the barn.
I know a few that did not have to bother -- even with unpatched SQL boxes for the simple reason I stated above -- no traffic was allowed from the net to the boxes anyways.
> First of all, it's *not* my job. Secondly, I wasn't whining. Thirdly, you'd better hope and pray there are people like me in edu who care enough to fight for what's right security-wise, or there's no hope for the Internet. (And I can assure you that there are a *lot* of people in edu who care very much and are working hard to change things.)
That is great to hear. Let's hope that you are not the benchmark but only the baseline at most. Perhaps some of the .edu admins need to first understand that they are an .edu and educate themselves on basic network design concepts and security. And no Paul, I am not referring to you specifically either.
> As far as waiting for vendors to fix things goes, why do you think I've abandoned MS products at work and refuse to use them for any of my security related work?
Huh? That makes zero sense in the real world - there is always a work around, there are always ways to mitigate risk. Besides, there are a good handful of non-MS product holes that have not been fixed in quite some time. But making the blanket statement -- I refuse to use "them" for any of my security related work -- is plain ignorant. Granted, for specific security tasks there are better products out there to use other than MS ones.
> Blaming the admins for what happened is akin to prosecuting a woman for being raped. Instead of going after the perpetrators who wrote and released the worm, you want to go after the admins whose networks were taken advantage of. And you *assume* they were lazy, incompetent or any of the other pejoratives that make you feel better about yourself.
No, it is more like blaming the woman for not even attempting to protect herself. Come on Paul, how long have we had problems with *ALL* software and required patches?? Any admin worth his paycheck knows that systems need patching. I personally don't assume that they were lazy or incompetent as I have experienced the various politics around patching servers, change control, etc etc.... but there are few organizations that do not have a specific IT Security role anymore -- at a minimum these guys should be alerting admins about patching boxes -- it's not like this was a zero day. Thinking that we will get secure and useful out of the box is a dream -- it won't happen; as soon as you open up services you open up risk. Of course we can all be 100% patched and still get owned but at least in this specific case the worm would not have spread as easily as it did.
> Try working in a large edu sometime and see how much change you can initiate. It takes a tough person to stick it out and keep fighting. (I'm not tooting my own horn, but standing up for all edu admins everywhere.) Some universities are *still* fighting to get the NetBIOS ports closed, for god's sake. Do you think for one minute that *any* admin in his right mind would *willingly* expose those ports to the Internet? If not, then *why* on earth do you think they're still open? (Because the admins don't have the power to close them.)
If this is truly the case Paul then you have my sympathy. But I really want to say WTF -- they are a freakin educational institution -- you would think they know a thing or two. Perhaps some litigation over being a launching point for an attack will straighten things out.
> It's *real* easy to criticize. Especially when you work in an atmosphere you can completely control. It's a lot tougher to find solutions to real problems in the real world and fight for change where it needs to occur.
I don't think anyone can completely control their work situation. We all have to deal with BS politics and actually prove the risk before some pointy haired boss agrees to the change. This is a reality inside the .edu and outside. Perhaps the .edu admins and security guys need to do a better job in proving the risk. Tie the risk to actual costs in bandwidth and loss of reputation etc... would these tactics not work in an .edu environment?
> Why not blame the networks that allow these jerks to release their worms, run their DDoS networks and do all the other crap they do? Why is it still possible to host a website on the Internet that freely makes worms, viruses and exploit code available to the world? (Yeah, I know, it's a freedom of speech issue, right? Yeah, right!)
No Paul, to me this isn't a freedom of speech thing. It is a learning thing -- many (including me) crave to learn and know what the .edu system cannot teach. A lot of common sense is required to know what is right and what is wrong but taking the information off of the Internet won't solve the problems. What, do we bust down doors and take everyone's computer books away and burn them? Do we lock up the RFCs and only let Microsoft, Sun, Cisco, HP, etc... see them (control them)? What about computer science courses and all those guys with the Bsc. and PhD in computer sciences? Shit, we had better lock them up cause they are terrorists right? Removing the information from the Internet won't stop its flow and won't stop the malicious from using what they learn via other channels. The least we all can do as IT guys and IT Security guys is raise the fucking bar a little. Right now a 12 year old MafiaBoy wanna-be with even less knowledge can take out portions of the net -- what does that tell you? The worst change control procedure I have ever experienced took 30-45 days for a "critical" patch to be lab tested, packaged and pushed out. This organization was still patched in time.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
"I don't intend to offend, I offend with my intent"
hellNbak () nmrc org
http://www.nmrc.org/~hellnbak
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
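The "deny all, then allow only what you need" point raised earlier in this message is the one technical argument in the thread, and it can be made concrete. The following is an added example (editor's code, not from the thread or from either poster) that simulates first-match firewall rule evaluation over two postures: a blocklist that only denies the ports the admin already knows about (TCP 1433 and NetBIOS 139) with an implicit allow, and a default-deny ruleset that permits only campus-internal traffic plus HTTP/HTTPS to one web server. The addresses, rule sets and flows are constructed; the only fact taken from outside the thread is that the SQL Server resolution service the worm hit listens on UDP 1434. The point the simulation makes is the one hellNbak made: under default-deny the UDP/1434 flow from the Internet is dropped even though no rule ever mentions port 1434.

```python
"""Added example: contrast a blocklist firewall posture with a default-deny
posture using a tiny first-match rule evaluator. Everything below (networks,
hosts, rules, flows) is constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    src: str     # source IP address
    dst: str     # destination IP address
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str = "0.0.0.0/0"        # CIDR the source must fall in
    dst: str = "0.0.0.0/0"        # CIDR the destination must fall in
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, flow: Flow) -> bool:
        return (ip_address(flow.src) in ip_network(self.src)
                and ip_address(flow.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == flow.proto)
                and (self.dport is None or self.dport == flow.dport))


def evaluate(rules: List[Rule], default: str, flow: Flow) -> str:
    """First matching rule wins; if no rule matches, the default policy applies."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default


# Constructed campus address space and one public-facing web server.
CAMPUS = "10.0.0.0/8"
WEB_SERVER = "10.1.1.10/32"

# Posture A: block the ports we already know are dangerous, allow everything else.
# A service nobody knew about (UDP 1434) is never mentioned, so it sails through.
BLOCKLIST_RULES = [
    Rule("deny", proto="tcp", dport=1433),
    Rule("deny", proto="tcp", dport=139),
]

# Posture B: deny by default, allow only what is needed. The ruleset does not
# need to know about port 1434 at all for the worm's traffic to be dropped.
DEFAULT_DENY_RULES = [
    Rule("allow", src=CAMPUS),                             # internal traffic
    Rule("allow", dst=WEB_SERVER, proto="tcp", dport=80),  # public web
    Rule("allow", dst=WEB_SERVER, proto="tcp", dport=443),
]


def decide(posture: str, flow: Flow) -> str:
    if posture == "blocklist":
        return evaluate(BLOCKLIST_RULES, "allow", flow)
    return evaluate(DEFAULT_DENY_RULES, "deny", flow)


# Constructed flows: 198.51.100.0/24 is a documentation range standing in for
# "the Internet"; 10.1.1.20 is an unpatched SQL box nobody told the firewall admin about.
SAMPLE_FLOWS: Dict[str, Flow] = {
    "internet->sql-browser udp/1434": Flow("198.51.100.7", "10.1.1.20", "udp", 1434),
    "internet->sql tcp/1433":         Flow("198.51.100.7", "10.1.1.20", "tcp", 1433),
    "internet->web tcp/443":          Flow("198.51.100.7", "10.1.1.10", "tcp", 443),
    "campus->sql-browser udp/1434":   Flow("10.2.3.4", "10.1.1.20", "udp", 1434),
}


def compare_postures() -> Dict[str, Dict[str, str]]:
    """Return the verdict of each posture for every sample flow."""
    return {name: {"blocklist": decide("blocklist", flow),
                   "default_deny": decide("default_deny", flow)}
            for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, verdicts in compare_postures().items():
        print(f"{name:32s} blocklist={verdicts['blocklist']:5s} default_deny={verdicts['default_deny']}")
```

The last sample flow is the caveat a practitioner would want: default-deny at the perimeter does nothing for traffic that originates inside the campus range, so an infected internal host still reaches the unpatched box. Perimeter default-deny buys time against the initial inbound hit; patching, and segmentation between internal networks, are what stop lateral spread.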