Full Disclosure mailing list archives
Re: The worm author finally revealed!
From: Ron DuFresne <dufresne () winternet com>
Date: Fri, 31 Jan 2003 11:30:05 -0600 (CST)
Paul,

Seriously, I think if there was a large enough survey of the edu. domains, you'd find that an institution without any security policy in place, and no real perimeter devices in active use to protect the edu's resources in some fashion would be in the rare breed category. Granted, edus have a bad name from the past as regards security/abuse issues, but, I've noted lots of change taking place in the past few years, mostly due to abuse issues from the inside out, but, certainly also due to factors like Code Red/Nimda and the costs associated with downtime and restoring of data.

Now, are the policies in the edu's strict? Not always, most are pretty 'open', are they thoroughly enforced with vigor? Depends, on if yer a mere student/undergrad or a professor/regent, etc. And certainly it depends upon the institution in question as they all vary quite a bit. But, certainly this is a case of getting the security one is ready to pay for and enforce. If the site pays nothing and/or enforces no policy, they get that in return as regards 'security'. Course, security professionals in such an environment then become an oxymoron <smile>.

Security professionals in most settings have their battles to fight, but, in a setting as you outline, the battle has not really been begun to be fought, time to get yer troops in the fray or just surrender.

Thanks,

Ron DuFresne

On 31 Jan 2003, Paul Schmehl wrote:
On Fri, 2003-01-31 at 09:15, Mark Renouf wrote:

(Note: this is not directed personally at you, just an observation in general.)

Ditto. :-)

What I don't get, why the sudden urgency to block 1434 all of a sudden... what are your SQL boxes doing listening publicly on ANY FREAKIN PORT AT ALL? IMO not only should SQL boxes be not listening to the internet, they should be firewalled even behind the DMZ, so you'd have to compromise both the web servers and them to do anything nasty...

Firewall? DMZ? What makes you think everybody has those? How 'bout an even more esoteric question? Why do the tier 1 providers (like UUNET) allow traffic on port 1434???

This goes FAR beyond forgetting to install a simple patch, I think it shows just how many people out there have no port filtering in place and probably check off "full install" on their windows servers without a second thought.

Uh huh. And you're just now realizing this? I posted the other day that *some* edus don't even block NetBIOS ports. What makes you think they'd block 1434/UDP then?

It also shows how many companies could give two shits about patching and firewalling important boxes internally. It only takes one. In our case we were infected by Corporate Central via the VPN tunnel. *sigh*

I don't think it's a case of "give a shit" many times. I think it's a case of not realizing the importance of it. Perhaps we should blame ourselves for not having done a good enough job of selling security.

One would have thought that I LUV YOU was a wake up call. It wasn't. One would have thought that SirCam was a wake up call. It wasn't. One would have *surely* thought Code Red was a wake up call. It wasn't. Certainly Nimda should have been a wake up call. It wasn't. And now we have Slammer. Will *it* be the wake up call? Given past experience, perhaps not.

Perhaps it's time for the *security industry* to wake up and start screaming "BEST PRACTICES!!!!" in the ears of upper management until they get it?
I know we never miss an opportunity like this to "sell" our ideas to upper management, and although they move glacially, the acceptance that change *must* come is progressing.

You have to remember, at least in the edu space, "things" have been this way for a long time. Edu is where the Internet began, and "we" have enjoyed a free and open network for a long, long time. Telling folks in edu that the network can no longer be open is a shock to their systems.

We once had a server admin who was shocked when her box was tagged (used for warez) several times. She looked at me incredulously and said, "I just put this box on the network. How could anyone even know it was here?" She didn't understand that when she plugged that RJ45 cable into the receptacle that she was connecting to the *world*, not to UTD.

That should give you some idea of how much farther we have to go.

--
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/~pauls/
AVIEN Founding Member

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.