Information Security News mailing list archives

It's Not Paranoia When It's the Truth


From: InfoSec News <isn () c4i org>
Date: Thu, 18 Sep 2003 00:38:12 -0500 (CDT)

http://www.eweek.com/article2/0,4149,1271385,00.asp

By Peter Coffee 
September 17, 2003   
 
When it comes to computer and network security, I'm moving toward the
doctrine adopted by Sangamon Taylor for nighttime bicycle safety. "I
assume I'm wearing fluorescent clothes, and there's a million-dollar
bounty going to the first driver who manages to hit me. And I ride on
that assumption," says Neal Stephenson's fictional toxic-waste
vigilante in the 1988 novel, "Zodiac."

Taylor's approach is beginning to seem like the only viable strategy
for Internet self-defense. "I assume that everyone in a car is out to
get me," Taylor ruminates. "My nighttime attitude is, anyone can run
you down and get away with it." If your safety depends on anyone
perceiving that you're in danger, and actually making any effort not
to kill you, he concludes, "you've already blown it." Bingo.

That's the network environment in which we live, where even the
aggregate bandwidth consumed by millions of Windows Update users is
beginning to look like a denial-of-service attack on the Internet as a
whole. The cure is almost as bad as the disease.

In fact, so hostile has the environment become that the anti-virus
instructions page at MIT, in Cambridge, Mass., instructs all users of
Institute facilities: "To prevent your machine from being compromised
while you are applying the patch, Network Security encourages users to
implement port filtering described at
http://web.mit.edu/net-security/prevent-reinfection.html." Based on
eWEEK Labs experience during past worm episodes, I'd call that good
advice: We've seen systems attacked multiple times during the period
required to download the latest patches following an out-of-the-box
installation.

What really drove the point home was a little item I saw at The
Inquirer, concerning the ease with which an attacker can reinstall a
vulnerable version of an ActiveX control that might have been
previously, conscientiously, removed from a machine. "If some evil
mail or website tries to introduce it to your system you'll get the
standard popup, much like the one you get on Office Update," observed
writer Rick Reroy, continuing, "Click 'Yes,' and your computer is ripe
for a reinstallation. You can save that click if you on a previous
occasion checked the box that says 'Always trust content from
Microsoft Corporation' (what were you thinking?)"

I'm thinking that the system not only comes out of the box unsafe, it
almost appears designed to ensure that it stays that way.

And if I may borrow Reroy's question, I'd like to know what Microsoft
itself is thinking when it can't even give consistent warnings on its
own Web pages concerning the latest RPC-borne worm. At one URL, the
company warns its enterprise and developer customers that "Microsoft
tested Windows Millennium Edition, Windows NT Workstation 4.0, Windows
NT Server 4.0, Windows NT Server 4.0, Terminal Server Edition, Windows
2000, Windows XP and Windows Server 2003 to assess whether they are
affected by this vulnerability. Previous versions are no longer
supported, and may or may not be affected by these vulnerabilities."

That same page, however, offers a link to an "end user version" of
this bulletin, where we learn that "Windows 98, Windows 98 Second
Edition (SE), and Windows 95 also are not affected by this issue.
However, these products are no longer supported." Am I the only one
who finds the second statement much more useful than the first, and
wonders why enterprise buyers don't get the same story right up front?

What I'm also thinking is that it's worth the effort to dismiss, many
times an hour, the warnings that I get from Norton Internet Security
about what's attempting to access my system, and how. I'm thinking
that it's worth the effort to "stealth" all of my ports to minimize
the chance that an attack even comes my way. I'm thinking like a
bicyclist on a dark night on Storrow Drive, winding along the Charles
River between Boston and Cambridge, as the bars close and the drunks
all head for home.

At least, for the most part, the drunks actually had to pass a driving
test: Too many Internet users lack even that level of preparation.

So you might as well behave as if they're all out to get you on
purpose. Accident or malice, it doesn't much matter when the bumper
hits you in the back.

ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.
