Message-ID: <Pine.LNX.6.66.0301262241200.2232-100000@www.nmrc.org>
From: hellnbak at nmrc.org (hellNbak)
Subject: RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!

On Sun, 26 Jan 2003, Schmehl, Paul L wrote:

> This simply shows your ignorance of the issues, Ron.  Port 1434 was not
> a normal port for SQL server *until* MSDE came out.  We obviously
> blocked 1433 long ago, as did almost every edu in the universe.  But
> 1434 was a recent "innovation" to make SQL server capable of running
> multiple instances on multiple ports.

Ummm, Paul -- whatever happened to the first rule (maybe it's the second
or third perhaps) of building a firewall -- "deny all" and only allow
outgoing/incoming what you need.  Even if you were not aware of 1434 being
used, it should have been blocked by default by any firewall admin with a
clue.

> Now you're being silly.  I'm certain that every edu in the world was
> rushing to close port 1434 yesterday.  But the horse was already out of
> the barn.

I know a few that did not have to bother -- even with unpatched SQL boxes
for the simple reason I stated above -- no traffic was allowed from the
net to the boxes anyways.

> First of all, it's *not* my job.  Secondly, I wasn't whining.  Thirdly,
> you'd better hope and pray there are people like me in edu who care
> enough to fight for what's right security-wise, or there's no hope for
> the Internet.  (And I can assure you that there are a *lot* of people in
> edu who care very much and are working hard to change things.)

That is great to hear.  Let's hope that you are not the benchmark but only
the baseline at most.  Perhaps some of the .edu admins need to first
understand that they are an .edu and educate themselves on basic network
design concepts and security.  And no Paul, I am not referring to you
specifically either.

> As far as waiting for vendors to fix things goes, why do you think I've
> abandoned MS products at work and refuse to use them for any of my
> security related work?

Huh?  That makes zero sense in the real world - there is always a
workaround and there are always ways to mitigate risk.  Besides, there are
a good handful of non-MS product holes that have not been fixed in quite
some time.  But making the blanket statement -- I refuse to use "them" for
any of my security related work -- is plain ignorant.  Granted, for
specific security tasks there are better products out there to use other
than MS ones.

> Blaming the admins for what happened is akin to prosecuting a woman for
> being raped.  Instead of going after the perpetrators who wrote and
> released the worm, you want to go after the admins whose networks were
> taken advantage of.  And you *assume* they were lazy, incompetent or any
> of the other pejoratives that make you feel better about yourself.

No, it is more like blaming the woman for not even attempting to protect
herself.  Come on Paul, how long have we had problems with *ALL* software
and required patches??  Any admin worth his paycheck knows that systems
need patching.  I personally don't assume that they were lazy or
incompetent as I have experienced the various politics around patching
servers, change control, etc etc.... but there are few organizations that
do not have a specific IT Security role anymore -- at a minimum these
guys should be alerting admins about patching boxes -- it's not like this
was a zero day.  Thinking that we will get secure and useful out of the
box is a dream -- it won't happen; as soon as you open up services you open
up risk.  Of course we can all be 100% patched and still get owned but at
least in this specific case the worm would not have spread as easily as it
did.

> Try working in a large edu sometime and see how much change you can
> initiate.  It takes a tough person to stick it out and keep fighting.
> (I'm not tooting my own horn, but standing up for all edu admins
> everywhere.)  Some universities are *still* fighting to get the NetBIOS
> ports closed, for god's sake.  Do you think for one minute that *any*
> admin in his right mind would *willingly* expose those ports to the
> Internet?  If not, then *why* on earth do you think they're still open?
> (Because the admins don't have the power to close them.)

If this is truly the case Paul then you have my sympathy.  But I really
want to say WTF -- they are a freakin educational institution -- you would
think they know a thing or two.  Perhaps some litigation over being a
launching point for an attack will straighten things out.

> It's *real* easy to criticize.  Especially when you work in an
> atmosphere you can completely control.  It's a lot tougher to find
> solutions to real problems in the real world and fight for change where
> it needs to occur.

I don't think anyone can completely control their work situation.  We all
have to deal with BS politics and actually prove the risk before some
pointy haired boss agrees to the change.  This is a reality inside the
.edu and outside.  Perhaps the .edu admins and security guys need to do a
better job in proving the risk.  Tie the risk to actual costs in bandwidth
and loss of reputation etc... would these tactics not work in an .edu
environment?

> Why not blame the networks that allow these jerks to release their
> worms, run their DDoS networks and do all the other crap they do?  Why
> is it still possible to host a website on the Internet that freely makes
> worms, viruses and exploit code available to the world?  (Yeah, I know,
> it's a freedom of speech issue, right?  Yeah, right!)

No Paul, to me this isn't a freedom of speech thing.  It is a learning
thing -- many (including me) crave to learn and know what the .edu system
cannot teach.

A lot of common sense is required to know what is right and what is wrong
but taking the information off of the Internet won't solve the problems.
What, do we bust down doors and take everyone's computer books away and
burn them?  Do we lock up the RFCs and only let Microsoft, Sun, Cisco, HP,
etc... see them (control them)?  What about computer science courses and
all those guys with the BSc. and PhD in computer sciences?  Shit, we had
better lock them up cause they are terrorists right?

Removing the information from the Internet won't stop its flow and won't
stop the malicious from using what they learn via other channels.

The least we all can do as IT guys and IT Security guys is raise the
fucking bar a little.  Right now a 12 year old MafiaBoy wanna-be with even
less knowledge can take out portions of the net -- what does that tell you?

The worst change control procedure I have ever experienced took 30-45 days
for a "critical" patch to be lab tested, packaged and pushed out.  This
organization was still patched in time.

 --
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

"I don't intend to offend, I offend with my intent"

hellNbak@...c.org
http://www.nmrc.org/~hellnbak

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
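The "deny all, then allow only what you need" rule argued about above is the whole difference between a site that had to scramble on 1434 and one that did not. The following is an added example, not code from the post or from any product named in the thread: a small first-match packet-filter evaluator that compares the two postures against the same constructed traffic. The service list (mail, web, SSH from one management range) and the RFC 5737 documentation addresses are assumptions made up for the illustration; the only page-derived facts are ports 1433 and 1434, the latter being the UDP SQL Server Resolution Service port the worm used.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One firewall rule; a None field matches anything."""
    action: str                  # "allow" or "deny"
    proto: Optional[str] = None  # "tcp", "udp" or None for any protocol
    dport: Optional[int] = None  # destination port, None for any port
    src: Optional[str] = None    # source CIDR, None for any source

    def matches(self, proto: str, dport: int, src: str) -> bool:
        if self.proto is not None and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        if self.src is not None and ip_address(src) not in ip_network(self.src):
            return False
        return True


@dataclass
class Policy:
    """First matching rule wins; the default applies when nothing matches."""
    name: str
    rules: List[Rule]
    default: str  # "allow" or "deny"

    def decide(self, proto: str, dport: int, src: str) -> str:
        for rule in self.rules:
            if rule.matches(proto, dport, src):
                return rule.action
        return self.default


# Posture A: allow everything inbound, deny only the SQL port everyone knew about.
BLOCKLIST_ONLY = Policy(
    name="default-allow + blocklist",
    rules=[Rule("deny", "tcp", 1433)],
    default="allow",
)

# Posture B: the "deny all" rule from the post. Permit only the services this
# hypothetical site offers and drop everything else, known port or not.
DEFAULT_DENY = Policy(
    name="default-deny + allowlist",
    rules=[
        Rule("allow", "tcp", 25),                  # mail
        Rule("allow", "tcp", 80),                  # web
        Rule("allow", "tcp", 443),                 # web (TLS)
        Rule("allow", "tcp", 22, "192.0.2.0/24"),  # SSH from the management net (assumed range)
    ],
    default="deny",
)

# Constructed inbound packets: (proto, dport, src), using documentation addresses.
SAMPLE_TRAFFIC: List[Tuple[str, int, str]] = [
    ("tcp", 80, "198.51.100.7"),    # ordinary web request
    ("tcp", 1433, "198.51.100.7"),  # SQL Server default TCP port
    ("udp", 1434, "198.51.100.7"),  # SQL Server Resolution Service, the port the worm hit
    ("tcp", 22, "198.51.100.7"),    # SSH from an unknown host
    ("tcp", 22, "192.0.2.10"),      # SSH from the management net
]


def evaluate(policy: Policy) -> Dict[Tuple[str, int, str], str]:
    """Return the verdict for every packet in the constructed sample."""
    return {pkt: policy.decide(*pkt) for pkt in SAMPLE_TRAFFIC}


def unknown_port_exposed(policy: Policy) -> bool:
    """True if UDP/1434 from an arbitrary Internet host reaches the inside."""
    return policy.decide("udp", 1434, "203.0.113.9") == "allow"


if __name__ == "__main__":
    for policy in (BLOCKLIST_ONLY, DEFAULT_DENY):
        print(f"== {policy.name} ==")
        for pkt, verdict in evaluate(policy).items():
            print(f"  {pkt[0]}/{pkt[1]} from {pkt[2]}: {verdict}")
        print(f"  udp/1434 reachable from the Internet: {unknown_port_exposed(policy)}")
```

Under the blocklist posture the admin who had never heard of 1434 is exposed the day the worm appears; under default-deny the same admin is covered without knowing the port existed, which is the point the reply is making. The same first-match logic is what a real ruleset does, so the exercise transfers directly to auditing an iptables or nftables chain: look at the chain policy first, then at what the allow rules open.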
