Full Disclosure mailing list archives
Re: Avoiding being a good admin - was DCOM RPCexploit (dcom.c)
From: Darren Bennett <DARREN.L.BENNETT () saic com>
Date: 29 Jul 2003 17:36:57 -0700
***BEGIN RANT*** The current IT attitude is really frustrating! A "good admin" is one that ENABLES services and systems to be USED by individuals. This relatively new attitude of disable/disallow/distrust is a bad way for the IT world to be moving. The statement "screw the students" is very depressing. I'm glad the Internet was developed with the opposite attitude. When systems are so poorly secured (and so DIFFICULT to keep secure) that the "solution" is to cripple other features, then another resolution is needed. Watching the Internet and the IT profession over the past few years has been increasingly depressing. When a company's program or protocol is vulnerable, shutting down that program would be a better option than disabling the port/service/etc. I.E.: Exchange is vulnerable to viruses so don't allow .exe and .bat attachments. If a system can't be patched without a reboot then something needs to be changed. At the rate we are going, we will be back to snailmail and a notepad. Let's hope that the admins and the software manufacturers both step up to the plate and learn to take some responsibility. How? Well, 95% of all the "hacks" are done to systems using KNOWN vulnerabilities that simply were not patched because of incompetent or lazy sys-admins (maybe the fact that we have "dummed down" our server interfaces isn't all good after all). Of these exploits, many (most?) were the result of poor coding and bounds checking that was then exploited in the form of buffer overflows. Yeah, we can't stop them all.. but many of these show true negligence (if we could hold software manufacturers to the same standards as auto makers, we'd have a lot more product recalls and a lot better stability and security..the Firestone incident would pale in comparison) Would it cost more? Maybe, but doubtful. The cost of DOS/Hacks/downtime coupled with "cheaper" but incompetent admins is very very high as well. -Darren On Tue, 2003-07-29 at 13:51, Ron DuFresne wrote:
On Tue, 29 Jul 2003 Valdis.Kletnieks () vt edu wrote:On Tue, 29 Jul 2003 13:14:49 EDT, Jason <security () brvenik com> said:Wrong, the cost benefit does work out for the business. We are at 3.9 million because we did not pay attention to the assets that needed protecting and implement best practices. At 3.9 million we are still under the extremely conservative $4million estimate from one single outage!You can harp on "best practices" all you want - hell, *I* certainly do it enough. However, you have to come to some realizations here. All "best practices" cost something to implement. And at some point, the cost of prevention is going to exceed the cost of cleaning up. And at this point, the boss asks "So what are the chances we'll make it through the entire rest of the fiscal year without having to blow *another* $1.3M, compared to the chances we'll get wormed before the next advisory comes out?" Remember - we're up to MS03-*030* and it's still July. At $1.3M per, you've burned some $39M already to protect against a $4M threat. Security is *tradeoffs*. Do I wish all my users were patched against MS03-026? Yes. Do I think some will get trashed by whatever worm comes by? Yes - the last worm nailed 200 boxes or so before we got specific router filters in place. However, when the cost of forcing *all* the users to upgrade exceeds the cost of cleaning up the 200 that will get whacked, it's *REAL* hard to get resources allocated - I've never net a VP-level exec that would agree to the idea that they should spend $2M to protect against a $500K threat because it's "best practices". The only ways you'll get your $2M is to either make it under $500K instead, or something raises the $500K (for instance, if "liable for a $1.5M fine under the newly passed protection-of-private-law" gets added in...) Anybody who can't understand *that* probably doesn't get the joke about a $200 chip protecting the $0.75 fuse by blowing up first....Still the best defensive porture is taken at the entrance and exit points as pertains to most all these 'services'. If the ports 135 and 1433 etc are blocked, both tcp and udp protocols, then patching becomes far less dramatic, even if a few machines inside get infected due to laptops or what have you. when the flow on the wire for a segment starts to impact the other segments on the network, then, pull that segment and rush and and fix what's needed to get things up again in short order. Then again, patch at leisure. Barring a strong network perimiter, you become dangerous not only to others on your inside, but, everyone else out here. Screw the students that are in a programming class and can't get their toys to work across the borders, and their professors, they have to understand, or be made to understand that there are reasons that the policy that is in effect is so for a reason. The higher up that tries to cut costs and make his claim as an asset that can't be afforded to be lost, rather then doing so as most profs do by reaserch and publishing, well the old 'useless' equipment just became the test network for that comp sci dept, firewalled off from the rest of the network of course, well not in texas, they all need room to spread their funk on the wires and gateways outside their domain... Thanks, Ron DuFresne ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart ***testing, only testing, and damn good at it too!*** OK, so you're a Ph.D. Just don't touch anything. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
-- ----------------------------------------------- Darren Bennett CISSP, Certified Unix Admin., MCSE, MCSA, MCP +I Sr. Systems Administrator/Manager Science Applications International Corporation Advanced Systems Development and Integration ----------------------------------------------- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Avoiding being a good admin - was DCOM RPC exploit (dcom.c) Jason (Jul 29)
- Re: Avoiding being a good admin - was DCOM RPC exploit (dcom.c) Justin (Jul 29)
- Re: Avoiding being a good admin - was DCOM RPC exploit (dcom.c) Jason (Jul 29)
- Re: Avoiding being a good admin - was DCOM RPC exploit (dcom.c) Valdis . Kletnieks (Jul 29)
- Re: Avoiding being a good admin - was DCOM RPC exploit (dcom.c) Jason (Jul 29)
- Re: Avoiding being a good admin - was DCOM RPC exploit (dcom.c) Valdis . Kletnieks (Jul 29)
- Re: Avoiding being a good admin - was DCOM RPC exploit (dcom.c) Ron DuFresne (Jul 29)
- Re: Avoiding being a good admin - was DCOM RPCexploit (dcom.c) Darren Bennett (Jul 29)
- Re: Avoiding being a good admin - was DCOM RPCexploit (dcom.c) Ron DuFresne (Jul 30)
- RE: Avoiding being a good admin - was DCOM RPC exploit (dcom.c) Bojan Zdrnja (Jul 30)
- Re: Avoiding being a good admin - was DCOM RPC exploit (dcom.c) yossarian (Jul 30)
- RE: Avoiding being a good admin - was DCOM RPC exploit (dcom.c) Ron DuFresne (Jul 30)
- RE: Avoiding being a good admin - was DCOM RPC exploit (dcom.c) Bojan Zdrnja (Jul 31)
- Re: Avoiding being a good admin - was DCOM RPC exploit (dcom.c) Valdis . Kletnieks (Jul 29)
- Re: Avoiding being a good admin - was DCOM RPC exploit (dcom.c) Nick FitzGerald (Jul 29)
- Re: Avoiding being a good admin - was DCOM RPC exploit (dcom.c) Scott M. Algatt (Jul 29)
- Re: Avoiding being a good admin - was DCOM RPC exploit (dcom.c) Larry W. Cashdollar (Jul 29)