[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1044028547.21025.664.camel@utd49554.utdallas.edu>
From: pauls at utdallas.edu (Paul Schmehl)
Subject: The worm author finally revealed!
On Fri, 2003-01-31 at 09:15, Mark Renouf wrote:
>
> (Note: this is not directed personally at you, just an observation
> in general.)
Ditto. :-)
>
> What I don't get, why the sudden urgency to block 1434 all of a
> sudden... what are your SQL boxes doing listening publicly on
> ANY FREAKIN PORT AT ALL? IMO not only should SQL boxes be not
> listenin to the internet, they should be firewalled even behind
> the DMZ, so you'd have to comprimise both the web servers and
> them to do anything nasty...
Firewall? DMZ? What makes you think everybody has those? How 'bout an
even more esoteric question? Why do the tier 1 providers (like UUNET)
allow traffic on port 1434???
>
> This goes FAR beyond forgetting to install a simple patch, I think
> it shows just how many poeple out there have no port filtering
> in place and probably check off "full install" on their windows
> servers without a second thought.
>
Uh huh. And you're just now realizing this? I posted the other day
that *some* edus don't even block NetBIOS ports. What makes you think
they'd block 1434/UDP then?
> It also shows how many companies could give two shits about
> patching and firewalling important boxes internally. It only
> takes one. In our case we were infected by Corporate Central
> via the VPN tunnel. *sigh*
>
I don't think it's a case of "give a shit" many times. I think it's a
case of not realizing the importance of it. Perhaps we should blame
ourselves for not having done a good enough job of selling security.
One would have thought that I LUV YOU was a wake up call. It wasn't.
One would have thought that SirCam was a wake up call. It wasn't. One
would have *surely* thought Code Red was a wake up call. It wasn't.
Certainly Nimda should have been a wake up call. It wasn't.
And now we have Slammer. Will *it* be the wake up call? Given past
experience, perhaps not.
Perhaps it's time for the *security industry* to wake up and start
screaming "BEST PRACTICES!!!!" in the ears of upper management until
they get it? I know we never miss an opportunity like this to "sell"
our ideas to upper management, and although they move glacially, the
acceptance that change *must* come is progressing.
You have to remember, at least in the edu space, "things" have been this
way for a long time. Edu is where the Internet began, and "we" have
enjoyed a free and open network for a long, long time. Telling folks in
edu that the network can no longer be open is a shock to their systems.
We once had a server admin who was shocked when her box was tagged (used
for warez) several times. She looked at me incredulously and said, "I
just put this box on the network. How could anyone even know it was
here?"
She didn't understand that when she plugged that RJ45 cable into the
receptacle that she was connecting to the *world*, not to UTD. That
should give you some idea of how much farther we have to go.
--
Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/~pauls/
AVIEN Founding Member
Powered by blists - more mailing lists