Security Incidents mailing list archives

RE: Was RE: disinfection tool -- now a minor rant.


From: "Marc Maiffret" <marc () eeye com>
Date: Mon, 6 Aug 2001 13:24:27 -0700

I couldn't agree more. Don't get me wrong... I have said things to knock
admins in the past; however, the more I talk to administrators I find that
companies themselves make it a pain for administrators to sometimes even do
their jobs.

Two of the biggest things I hear from NT admins about security:
1. I am damned if I do and damned if I don't. A lot of times I have to wait
until late Friday night or late in the evening to install a security patch
because company management doesn't want any downtime for our eCommerce store
etc...
2. I cannot install XYZ Microsoft patch until we have tested it with our
environment to make sure it's not going to break things. Funny enough, a lot
of NT admins seem to be more afraid of patches sometimes than of vulnerabilities
themselves.

Those are generalizations and just examples, but nevertheless I was a bit
surprised as I talked with a large handful of admins about this Code Red
ordeal.... I was especially (well, not really) surprised about number 2.

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

|-----Original Message-----
|From: Mark Challender [mailto:MarkC () mtbaker wednet edu]
|Sent: Monday, August 06, 2001 12:05 PM
|To: 'Mark Ng'; incidents () securityfocus com
|Subject: Was RE: disinfection tool -- now a minor rant.
|
|
|This email struck a nerve in me.
|
|Mr. Ng speaks of "ignorant Sysadmins" and wanting to "get the idiots
|to listen."
|
|A lot of people, me included, can't understand why professional
|admins don't update their systems.
|
|What many of us forget, though, is that NT4 is being used by millions
|of small businesses who do not have professional admins and don't
|have a clue what IIS4 is and why it needs to be patched.  Yet, they
|are connected with DSL (Cisco 675 modems that are failing) or
|fractional T1s and they don't understand why the "bad guys" want to
|get into their systems.
|
|What needs to be done is for people like us to educate those business
|owners.  Contact your local paper or radio station and talk to the
|news director.  Do an interview, be an expert.  Create a "hit squad"
|of local sysadmins and offer to take phone calls from business
|owners.  Create a Code RED fix on CD (maybe include SP6 and all post
|SP6 fixes including the IIS fixes on CD with an automated QChain
|script)
|
|But, quit complaining about "stupid, ignorant sysadmins" and the
|"idiots" and do something to help the situation.
|
|Most of us were not smart sysadmins to begin with........
|
|- -----Original Message-----
|From: Mark Ng [mailto:markn () markng co uk]
|Sent: Monday, August 06, 2001 5:20 AM
|To: incidents () securityfocus com
|Subject: RE: disinfection tool
|
|
|Perhaps a very controversial viewpoint is using the backdoor installed by the
|copycat code red worm to patch these systems.  The majority of sysadmins who
|by now haven't patched (or unmapped the script mappings from) their systems
|are mostly ignorant anyway.  Perhaps a couple of honeypot systems built to
|automatically connect back, patch and reboot.
|
|The only issue that creates is the problem of transparent proxies.  Not sure
|how you'd solve that one.
|
|This may eventually be the only way of actually getting rid of code red
|completely.  If we lived in an ideal world, we'd eventually get the idiots
|to listen.  However, I find that unlikely.
|
|Mark
|
|- ----------------------------------------------------------------------
|- ------
|This list is provided by the SecurityFocus ARIS analyzer service.
|For more information on this free incident handling, management
|and tracking system please see: http://aris.securityfocus.com
|