Date: Thu Aug 25 13:23:05 2005
From: trains at doctorunix.com (trains@...torunix.com)
Subject: MS05-039 spreading   was: AV Reaction Times of the latest MS05-039-based Worm Attacks

Quoting Andreas Marx <gega-it@....de>:

>

> Of course, we know that the problem related to MS05-039 is not 
> primary an AV problem, but something for (Personal) Firewalls, 
> IDS/IPS systems and a better patch management. :-)
>

This is sometimes hard to sit through.  It is an access control 
problem.  The rule of least access was violated by the IT staff of the 
infected organization.  There was no valid business reason for end user 
X and end user Y to have access to one another's ports 135-445.  
Organizations that used some kind of NPAR technology to cut the network 
into zones successfully limited the spread of the worm from one machine 
to a few hundred machines.

We routinely cut our networks into (up to) 4000 zones, putting 
(typically) one end user machine on each zone.  The solution is not to 
patch more often (that is necessary but not sufficient).

The solution is not to make LSA, DCOM, or whatever safe (can't be done 
and you are kidding yourself if you are waiting for that MS patch).

The solution becomes apparent only after the network team decides to 
adopt the attitude of "Windows cannot be made safe, and I cannot remove 
Windows from my network, and all my laptop users are bringing worms in 
every day, and every idiot user out there is clicking on attachments 
that look interesting, and it's not going to get any better."

It is an access control problem.  If anybody on this list has not heard 
the principle of 'first block everything, then allow only what's 
necessary' it would surprise me greatly.

And yet we see IT organizations slapping in PCs by the boatload without 
thinking, "maybe I have allowed too much access".

I throw this out for discussion and flames.

tc

-------------------------------------------------
Email solutions, MS Exchange alternatives and extrication,
security services, systems integration.
Contact:    services@...torunix.com
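The post argues for "first block everything, then allow only what's necessary" and for cutting the network into per-host zones so that one infected workstation cannot reach another on ports 135-445. The following is an added illustration, not code from the original post or from the poster's organization: a small first-match policy evaluator that models a default-deny zone policy next to a flat "allow everything" policy, and counts how many workstation pairs can still reach each other on the RPC/SMB port range under each. The address layout, the hypothetical file server and domain controller, and the rules are constructed assumptions for the example.

```python
"""Default-deny zone firewall policy evaluated against sample flows.

Added illustration, not from the original post. The zone layout,
addresses and rules below are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src: ipaddress.IPv4Network      # source zone
    dst: ipaddress.IPv4Network      # destination zone
    ports: range                    # destination TCP ports covered

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst
                and dport in self.ports)


# Constructed layout: workstations live in 10.0.2.0/24, servers in 10.0.1.0/24.
WORKSTATIONS = ipaddress.ip_network("10.0.2.0/24")
FILE_SERVER = ipaddress.ip_network("10.0.1.10/32")   # hypothetical
DOMAIN_CTRL = ipaddress.ip_network("10.0.1.5/32")    # hypothetical
ANY = ipaddress.ip_network("0.0.0.0/0")
ALL_PORTS = range(0, 65536)
RPC_SMB = range(135, 446)   # the 135-445 range the post refers to

# Segmented policy: allow only the flows with a business reason, then deny.
# Workstation-to-workstation traffic never matches an allow rule, so it
# falls through to the default deny regardless of how many hosts exist.
ZONED_POLICY = [
    Rule("allow", WORKSTATIONS, FILE_SERVER, range(445, 446)),
    Rule("allow", WORKSTATIONS, DOMAIN_CTRL, RPC_SMB),
    Rule("deny", ANY, ANY, ALL_PORTS),          # default deny
]

# Flat network for comparison: nothing is blocked between hosts.
FLAT_POLICY = [Rule("allow", ANY, ANY, ALL_PORTS)]


def evaluate(policy, src_ip: str, dst_ip: str, dport: int) -> str:
    """First-match evaluation. Returns 'allow' or 'deny'."""
    for rule in policy:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action
    return "deny"   # no rule matched: still deny


def lateral_exposure(policy, hosts, ports=RPC_SMB) -> int:
    """Count ordered host pairs (a -> b) where a can reach b on any of `ports`.

    A worm on one host can only spread to hosts counted here.
    """
    exposed = 0
    for a in hosts:
        for b in hosts:
            if a == b:
                continue
            if any(evaluate(policy, a, b, p) == "allow" for p in ports):
                exposed += 1
    return exposed


if __name__ == "__main__":
    # Constructed sample of four end-user workstations.
    ws = ["10.0.2.7", "10.0.2.8", "10.0.2.9", "10.0.2.10"]
    print("flat network, reachable pairs on 135-445:", lateral_exposure(FLAT_POLICY, ws))
    print("zoned network, reachable pairs on 135-445:", lateral_exposure(ZONED_POLICY, ws))
    print("workstation -> file server 445:", evaluate(ZONED_POLICY, ws[0], "10.0.1.10", 445))
    print("workstation -> file server 139:", evaluate(ZONED_POLICY, ws[0], "10.0.1.10", 139))
```

The point the evaluator makes is the post's own: the number of hosts a compromised workstation can reach is a property of the access policy, not of how current the patches or antivirus signatures are. With the default-deny rule last, adding a fifth or five-hundredth workstation adds zero reachable pairs; with the flat policy the exposed pairs grow as n(n-1).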

