Full Disclosure mailing list archives

Re: The worm author finally revealed!


From: Ron DuFresne <dufresne () winternet com>
Date: Fri, 31 Jan 2003 11:30:05 -0600 (CST)


Paul,

Seriously, I think if there was a large enough survey of the edu. domains,
you'd find that an institution without any security policy in place, and
no real perimeter devices in active use to protect the edu's resources in
some fashion would be in the rare-breed category.  Granted, edus have a bad
name from the past as regards security/abuse issues, but, I've noted lots
of change taking place in the past few years, mostly due to abuse issues
from the inside out, but, certainly also due to factors like code
red/nimda and the costs associated with downtime and restoring of data.
Now, are the policies in the edu's strict?  Not always, most are pretty
'open'.  Are they thoroughly enforced with vigor?  Depends on if yer a
mere student/undergrad or a professor/regent, etc.  And certainly it
depends upon the institution in question as they all vary quite a bit.
But, certainly this is a case of getting the security one is ready to pay
for and enforce.  If the site pays nothing and/or enforces no policy, they
get that in return as regards 'security'.  Course, security professionals
in such an environment then become an oxymoron <smile>.  Security
professionals in most settings have their battles to fight, but, in a
setting as you outline, the battle has not really begun to be fought;
time to get yer troops in the fray or just surrender.

Thanks,

Ron DuFresne


On 31 Jan 2003, Paul Schmehl wrote:

> On Fri, 2003-01-31 at 09:15, Mark Renouf wrote:
>
> > (Note: this is not directed personally at you, just an observation
> > in general.)
>
> Ditto. :-)
>
> > What I don't get, why the sudden urgency to block 1434 all of a
> > sudden... what are your SQL boxes doing listening publicly on
> > ANY FREAKIN PORT AT ALL? IMO not only should SQL boxes be not
> > listenin to the internet, they should be firewalled even behind
> > the DMZ, so you'd have to compromise both the web servers and
> > them to do anything nasty...
>
> Firewall?  DMZ?  What makes you think everybody has those?  How 'bout an
> even more esoteric question?  Why do the tier 1 providers (like UUNET)
> allow traffic on port 1434???
>
> > This goes FAR beyond forgetting to install a simple patch, I think
> > it shows just how many people out there have no port filtering
> > in place and probably check off "full install" on their windows
> > servers without a second thought.
>
> Uh huh.  And you're just now realizing this?  I posted the other day
> that *some* edus don't even block NetBIOS ports.  What makes you think
> they'd block 1434/UDP then?
>
> > It also shows how many companies could give two shits about
> > patching and firewalling important boxes internally. It only
> > takes one. In our case we were infected by Corporate Central
> > via the VPN tunnel. *sigh*
>
> I don't think it's a case of "give a shit" many times.  I think it's a
> case of not realizing the importance of it.  Perhaps we should blame
> ourselves for not having done a good enough job of selling security.
>
> One would have thought that I LUV YOU was a wake up call.  It wasn't.
> One would have thought that SirCam was a wake up call.  It wasn't.  One
> would have *surely* thought Code Red was a wake up call.  It wasn't.
> Certainly Nimda should have been a wake up call.  It wasn't.
>
> And now we have Slammer.  Will *it* be the wake up call?  Given past
> experience, perhaps not.
>
> Perhaps it's time for the *security industry* to wake up and start
> screaming "BEST PRACTICES!!!!" in the ears of upper management until
> they get it?  I know we never miss an opportunity like this to "sell"
> our ideas to upper management, and although they move glacially, the
> acceptance that change *must* come is progressing.
>
> You have to remember, at least in the edu space, "things" have been this
> way for a long time.  Edu is where the Internet began, and "we" have
> enjoyed a free and open network for a long, long time.  Telling folks in
> edu that the network can no longer be open is a shock to their systems.
>
> We once had a server admin who was shocked when her box was tagged (used
> for warez) several times.  She looked at me incredulously and said, "I
> just put this box on the network.  How could anyone even know it was
> here?"
>
> She didn't understand that when she plugged that RJ45 cable into the
> receptacle that she was connecting to the *world*, not to UTD.  That
> should give you some idea of how much farther we have to go.
>
> --
> Paul Schmehl (pauls () utdallas edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> http://www.utdallas.edu/~pauls/
> AVIEN Founding Member
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.
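As an added example, not part of the thread or written by any of its authors: a small Python audit over constructed firewall log lines that flags the two exposures the thread argues about, permitted inbound UDP/1434 (the SQL Server Resolution Service that Slammer hit) and NetBIOS/SMB reachable from the internet, and separately calls out UDP/1434 arriving over a trusted VPN peer, Mark's "infected by Corporate Central via the VPN tunnel" case. The address ranges, log format and sample lines are all constructed for illustration.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

# Constructed RFC 1918 ranges standing in for the campus and the corporate VPN peer.
CAMPUS = ipaddress.ip_network("10.10.0.0/16")
VPN_PEER = ipaddress.ip_network("172.16.0.0/12")   # "Corporate Central" in the thread
# Ports the thread names: SQL Server Resolution Service and NetBIOS/SMB.
SQL_RESOLUTION = {("udp", 1434)}
NETBIOS = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}

def parse_line(line):
    """Parse 'ALLOW udp 198.51.100.7:1434 -> 10.10.5.20:1434'; None if denied."""
    action, proto, src, _, dst = line.split()
    if action != "ALLOW":
        return None                      # a filtered flow is not an exposure
    dst_ip, dport = dst.rsplit(":", 1)
    return Flow(src.rsplit(":", 1)[0], dst_ip, proto, int(dport))

def classify(flow):
    """Label a permitted inbound flow, or None if it is not an exposure here."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if dst not in CAMPUS or src in CAMPUS:
        return None                      # outbound and intra-campus: out of scope
    key = (flow.proto, flow.dport)
    if key in SQL_RESOLUTION:
        # Over the tunnel this is the thread's "infected via the VPN" case: the
        # peer is trusted at the perimeter, but the SQL box is still exposed.
        return "sql-1434-via-vpn" if src in VPN_PEER else "sql-1434-from-internet"
    if key in NETBIOS and src not in VPN_PEER:
        return "netbios-from-internet"   # SMB over the VPN itself is normal traffic
    return None

def audit(lines):
    """Return {finding label: sorted list of exposed campus hosts}."""
    findings = {}
    for flow in filter(None, map(parse_line, lines)):
        label = classify(flow)
        if label:
            findings.setdefault(label, set()).add(flow.dst)
    return {k: sorted(v) for k, v in findings.items()}

SAMPLE_LOG = [  # constructed log lines: action proto src -> dst
    "ALLOW udp 198.51.100.7:1434 -> 10.10.5.20:1434",  # Slammer-style probe from outside
    "ALLOW udp 172.16.9.4:1434 -> 10.10.5.21:1434",    # same probe arriving over the VPN
    "ALLOW tcp 203.0.113.9:40211 -> 10.10.7.3:445",    # NetBIOS/SMB open to the internet
    "DENY udp 198.51.100.8:1434 -> 10.10.5.22:1434",   # filtered at the perimeter: fine
    "ALLOW tcp 172.16.2.2:51000 -> 10.10.7.4:445",     # SMB over VPN: expected, not flagged
]
```

Running `audit(SAMPLE_LOG)` yields one host under each of the three labels; the denied probe and the SMB-over-VPN flow produce nothing, which is the distinction between perimeter filtering and the internal firewalling the thread says was missing.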
