Information Security News mailing list archives
RE: Researchers predict worm that eats the Internet in 15 minutes
From: InfoSec News <isn () c4i org>
Date: Thu, 24 Oct 2002 01:47:18 -0500 (CDT)
Forwarded from: Ryan Counts <webmaster () badsushi com>

Greetings,

I hate to say it, but getting organizations to release patches to security holes is only 10% of the cure. If I remember right, either Code Red or Nimda (or both, I can't find the emails that corroborate my thoughts) targeted security holes that Microsoft had already released patches for; not to mention a properly configured server (simple things such as setting the webroot to any other drive than C, and disabling unused virtual hosts and services) eliminated the threat.

So, why did these worms succeed? Poor security policies; poor maintenance and non-updated Operating Systems. Is this really Microsoft's fault, or the organizations that either don't hire experienced personnel or have lazy or overtaxed admins? My vote is for the latter, and it's a situation that has no clear solution.

I can almost guarantee you that if a worm outbreak such as the one described in this article occurs, it will probably use an old, well-known security hole that's been addressed by the manufacturer. And no matter whether the worm targets Windows, Unix, Linux, OSX or all of the above, the worm will owe its success to the same factors that made Nimda so successful.

In my opinion, the critical question is how to fix this problem? Do we require IT Personnel to get a license before practicing administration like Doctors and hold them accountable? Do we fine companies for not keeping their hardware and software maintained? Or do we hand out a bunch of Etch-a-Sketches?

Thanks,
Ryan

-----Original Message-----
From: owner-isn () attrition org [mailto:owner-isn () attrition org] On Behalf Of InfoSec News
Sent: Wednesday, October 23, 2002 12:55 AM
To: isn () attrition org
Subject: Re: [ISN] Researchers predict worm that eats the Internet in 15 minutes

Forwarded from: Russell Coker <russell () coker com au>

On Tue, 22 Oct 2002 10:56, InfoSec News wrote:
http://www.nwfusion.com/news/2002/1021worm.html

By Ellen Messmer
Network World Fusion
10/21/02

The three authors of the research, published two months ago, present a future where worm-based attacks use "hit lists" to target vulnerable Internet hosts and equipment, such as routers, rather than scanning aimlessly as the last mammoth worm outbreaks, Nimda and Code Red, did last year. And this new breed of worms will carry dangerous payloads to allow automated denial-of-service and file destruction through remote control.

Let's talk about "dangerous payloads". A large part of the problem here is that daemons get too much access to a typical server. There's no need for a daemon to have access to write any file on the system (root access on a typical Unix machine).

Posix capabilities combined with non-root operation are a good step in the right direction but still aren't as comprehensive as you would like. Also Posix capabilities don't work well when a program has a need to change UIDs or write files owned by other users on occasion.

Any decent Mandatory Access Control scheme should allow the daemons to be restricted enough that they have minimal opportunities to do damage. Even a compromised sshd should not result in the server being killed!

However if "dangerous payload" means a DOS attack on whitehouse.gov then that's something that is probably impossible to prevent.

[...]

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY of the mail.
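
Added example, not part of the original thread or written by its authors: a small audit that reads the text of a Linux /proc/<pid>/status file and reports whether a daemon still holds the "write any file" power discussed above, including the case where a non-root daemon keeps capabilities that make it root-equivalent. The daemon names, UIDs and masks in SAMPLES are constructed, and the ROOT_EQUIVALENT set is this example's own assumption about which capabilities to flag.

```python
import re

# Linux capability bit numbers (linux/capability.h), lowest bit first.
CAP_NAMES = ("CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID "
             "SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN "
             "NET_RAW IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE "
             "SYS_PACCT SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME "
             "SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP "
             "MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM BLOCK_SUSPEND AUDIT_READ "
             "PERFMON BPF CHECKPOINT_RESTORE").split()

# Assumption of this example: capabilities that let a process write arbitrary
# files or become any user, so holding one is close to running as root.
ROOT_EQUIVALENT = {"DAC_OVERRIDE", "FOWNER", "SETUID", "SETGID", "SYS_ADMIN",
                   "SYS_MODULE", "SYS_RAWIO", "SYS_PTRACE", "SETFCAP"}

def decode_caps(mask):
    """Turn a CapEff bitmask into capability names, in bit order."""
    names = [n for bit, n in enumerate(CAP_NAMES) if (mask >> bit) & 1]
    return names + (["UNKNOWN_HIGH_BITS"] if mask >> len(CAP_NAMES) else [])

def audit_status(text):
    """Classify one process from the text of its /proc/<pid>/status file."""
    name = re.search(r"^Name:\s+(\S+)", text, re.M).group(1)
    euid = int(re.search(r"^Uid:\s+\d+\s+(\d+)", text, re.M).group(1))
    caps_hex = re.search(r"^CapEff:\s+([0-9a-fA-F]+)", text, re.M).group(1)
    caps = decode_caps(int(caps_hex, 16))
    risky = sorted(set(caps) & ROOT_EQUIVALENT)
    if euid == 0:
        verdict = "full-root" if risky else "root-uid-reduced-caps"
    elif risky:
        verdict = "non-root-but-root-equivalent"
    else:
        verdict = "least-privilege" if caps else "unprivileged"
    return {"name": name, "euid": euid, "caps": caps, "risky": risky, "verdict": verdict}

# Constructed sample inputs (not captured from a real host).
SAMPLES = {
    "root daemon": "Name:\tsshd\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n",
    "port-80 daemon": "Name:\thttpd\nUid:\t48\t48\t48\t48\nCapEff:\t0000000000000400\n",
    "uid-switching daemon": "Name:\tmaild\nUid:\t25\t25\t25\t25\nCapEff:\t0000000000000482\n",
}

if __name__ == "__main__":
    for label, status in SAMPLES.items():
        r = audit_status(status)
        print(f"{label}: {r['verdict']} caps={r['caps']} risky={r['risky']}")
```

The third sample shows the limitation raised in the post: a daemon that must change UIDs or write other users' files ends up keeping SETUID or DAC_OVERRIDE, which is where a Mandatory Access Control policy has to take over.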