RE: [Full-Disclosure] ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd)
- To: <full-disclosure@lists.netsys.com>
- Subject: RE: [Full-Disclosure] ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd)
- From: "Richard Stevens" <richard@tccnet.co.uk>
- Date: Wed, 13 Aug 2003 10:46:34 +0100
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8">
<META content="MSHTML 6.00.2800.1106" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><SPAN class=359433009-13082003><FONT face=Arial color=#0000ff
size=2>Seems perfectly logical to me. </FONT></SPAN></DIV>
<DIV><SPAN class=359433009-13082003><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=359433009-13082003><FONT face=Arial color=#0000ff size=2>There
are lots of different ways to get infected.. over VPN, internal LANs,
email etc.; the perimeter firewall not being everything has been
gone over 100 times here...</FONT></SPAN></DIV>
<DIV><SPAN class=359433009-13082003><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=359433009-13082003><FONT face=Arial color=#0000ff size=2>but
for x million joe users sitting at home on their XP boxes, ticking
"firewall this connection" would have drastically reduced the spread of
this worm.</FONT></SPAN></DIV>
<DIV><SPAN class=359433009-13082003><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=359433009-13082003><FONT face=Arial color=#0000ff size=2>Having
it turned on by default (as MS seem to do with lesser needed features, such as
for example DCOM) seems like quite a good idea to me...</FONT></SPAN></DIV>
<DIV><SPAN class=359433009-13082003><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=359433009-13082003><FONT face=Arial color=#0000ff size=2>Of
course it wouldn't have stopped it entirely.. but I think it would have had a
huge impact.</FONT></SPAN></DIV>
<DIV><SPAN class=359433009-13082003><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=359433009-13082003><FONT face=Arial color=#0000ff
size=2>regards</FONT></SPAN></DIV>
<DIV><SPAN class=359433009-13082003><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=359433009-13082003><FONT face=Arial color=#0000ff
size=2>Richard</FONT></SPAN></DIV>
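<DIV><FONT face=Arial size=2>As an added illustration (not part of this thread), the following Python model applies the ICF default policy described in the quoted messages, allow all outbound, allow inbound only when it answers a connection the host opened, drop the rest, per interface over a constructed packet trace. The addresses, the interface names and the <CODE>IcfModel</CODE> class are assumptions made for the example.</FONT></DIV>

```python
# Added example, not from the mailing-list thread: a minimal model of the
# Windows XP ICF default policy applied per interface.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    iface: str       # interface the packet crosses (assumed names below)
    direction: str   # "in" or "out" relative to the protected host
    src: str
    sport: int
    dst: str
    dport: int

class IcfModel:
    """Allow all outbound, allow inbound only if it answers a connection
    this host opened, drop any other unsolicited inbound packet."""
    def __init__(self, firewalled_ifaces):
        self.firewalled = set(firewalled_ifaces)
        self.flows = set()  # (iface, local_ip, lport, remote_ip, rport)

    def decide(self, p):
        if p.iface not in self.firewalled:
            return "allow"  # ICF not ticked on this interface: everything passes
        if p.direction == "out":
            self.flows.add((p.iface, p.src, p.sport, p.dst, p.dport))
            return "allow"
        if (p.iface, p.dst, p.dport, p.src, p.sport) in self.flows:
            return "allow"  # reply to a connection we initiated
        return "drop"       # unsolicited inbound, e.g. a probe on TCP 135

def run(trace, firewalled_ifaces):
    """Return the verdict for each packet in order."""
    fw = IcfModel(firewalled_ifaces)
    return [fw.decide(p) for p in trace]

# Constructed trace (documentation-range addresses): host 10.0.0.5 has a
# public interface "eth0" and an office VPN interface "vpn0". It browses a
# web server, then an unknown host probes TCP 135 on the public side, and an
# already-infected office peer probes TCP 135 over the VPN.
TRACE = [
    Packet("eth0", "out", "10.0.0.5", 3001, "198.51.100.20", 80),
    Packet("eth0", "in", "198.51.100.20", 80, "10.0.0.5", 3001),
    Packet("eth0", "in", "203.0.113.9", 4444, "10.0.0.5", 135),
    Packet("vpn0", "in", "192.168.50.7", 1066, "10.0.0.5", 135),
]

if __name__ == "__main__":
    print(run(TRACE, {"eth0"}))          # ['allow', 'allow', 'drop', 'allow']
    print(run(TRACE, {"eth0", "vpn0"}))  # ['allow', 'allow', 'drop', 'drop']
```

<DIV><FONT face=Arial size=2>Ticking the firewall on the public interface alone drops the Internet-side probe but lets the one arriving over the VPN through, which is the gap the VPN discussion in the quoted messages is about.</FONT></DIV>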
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader dir=ltr align=left><FONT face=Tahoma
size=2>-----Original Message-----<BR><B>From:</B> Lan Guy
[mailto:rlanguy@hotmail.com]<BR><B>Sent:</B> 12 August 2003
16:21<BR><B>To:</B> Richard Stevens; Chris Garrett;
full-disclosure@lists.netsys.com<BR><B>Subject:</B> Re: [Full-Disclosure] ISS
Security Brief: "MS Blast" MSRPC DCOM Worm Propagation
(fwd)<BR><BR></FONT></DIV>
<DIV><FONT face=Arial size=2>That is not logical, because if you use an
Ethernet broadband connection and connect via a dialler (L2TP or PPTP) then
you have to firewall both, that is correct.</FONT></DIV>
<DIV><FONT face=Arial size=2>But what about firewalling the connection
via VPN to your office? Although if the office is already infected it might
not be such a bad idea .... </FONT><FONT face=Arial size=2></FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Lan Guy</FONT></DIV>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial"> </DIV>
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=richard@tccnet.co.uk href="mailto:richard@tccnet.co.uk">Richard
Stevens</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=somatose@cox.net
href="mailto:somatose@cox.net">Chris Garrett</A> ; <A
title=full-disclosure@lists.netsys.com
href="mailto:full-disclosure@lists.netsys.com">full-disclosure@lists.netsys.com</A>
</DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Tuesday, August 12, 2003 3:34
PM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> RE: [Full-Disclosure] ISS
Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd)</DIV>
<DIV><BR></DIV>I appreciate that many users don't know what a firewall is..
but this stuff is given so much coverage and sales pitch.. it makes you
wonder....<BR> <BR>With regards to which ports to block etc... the ICF
firewall by default just blocks all incoming traffic that has not
specifically been requested, and allows all outgoing. It doesn't take a
genius to click "firewall this connection"; no user thought processes
required!<BR> <BR>Maybe MS should enable it by default on any interface
with a public IP address? <BR> <BR> <BR><BR>-----Original
Message----- <BR>From: Chris Garrett [mailto:somatose@cox.net] <BR>Sent: Tue
12/08/2003 12:43 <BR>To: <A
href="mailto:full-disclosure@lists.netsys.com">full-disclosure@lists.netsys.com</A>
<BR>Cc: <BR>Subject: Re: [Full-Disclosure] ISS Security Brief: "MS Blast"
MSRPC DCOM Worm Propagation (fwd)<BR><BR><BR><BR>Richard Stevens:<BR>> I
must be missing something here... xp home & pro both have a
"click<BR>> and forget" firewall?<BR>> why aren't people using
it?<BR><BR>You're talking about the Internet Connection Firewall (ICF)?
Firstly, if most<BR>people even knew what a firewall was, then the impact of
this worm might not<BR>have been as severe. I'm sure you realize there are a
lot of users out there<BR>that bought XP for its "pretty" interface. Those
people don't know a firewall<BR>from a hole in the wall. If you tell them it
can protect their precious computer<BR>from evil script kiddies, then they
might be more interested, but unless you put<BR>that information right in
their face, they're not going to bother.<BR><BR>As far as my friend is
concerned, he wasn't using ICF, rather, he was using<BR>Sygate. He knows
what a firewall does, but he has no real experience that has<BR>mandated he
ever really configure/use a firewall. A firewall gives a user so<BR>much
power. To be able to block incoming and outgoing traffic is a pretty
big<BR>responsibility. Which ports should a user configure? How on Earth is
an<BR>inexperienced user to know? Unless you have experience configuring
firewalls on<BR>servers or managing a personal home network built for the
security-conscious<BR>people that go out and do lots of research, you will
have no idea. Also, unless<BR>a user with a firewall keeps up to date on
advisories, that person will not be<BR>very aware as to the urgency of
filtering certain ports. Most people that run<BR>Windows and have heard
about the "auto updating" service think that that service<BR>is going to
protect them from anything major, anyway. "It's an automatic<BR>updating
service. Microsoft isn't going to leave me hanging." Seriously,
people<BR>develop a false sense of security. You can give someone a
firewall, but that<BR>doesn't mean they'll know what to do with it.<BR><BR>I
informed another friend of mine today that friend #1 [the one infected
with<BR>the worm] was infected with a particular worm based on a recently
released<BR>exploit. I told him he should secure his computer. His response
was "But I have<BR>an Anti-Virus program installed." More false sense of
security. I cleared the<BR>falsity of this claim up for him, of course, but
he's more into computers than<BR>your average user. He's a
webdesigner.<BR><BR>My point is, there are people out there who need to be
educated. I teach people<BR>what I can to help them secure their systems on
their own. I pull people out of<BR>that false sense of security and that
notion that if they modify any settings in<BR>Windows that it will break. If
they need to ask, I tell them I'm here for their<BR>inquiries, and Google
can take care of the rest.<BR><BR>Companies like Cox, on the other hand, go
and filter port 135, and even outgoing<BR>port 25! I had a long discussion
with one of the techies that works at Cox in<BR>regards to the port 25
filtering, because one day I could no longer connect to<BR>my SMTP server
outside Cox's walls. The tech said he didn't think it was the<BR>greatest of
ideas, but it was easier to just filter 25 than it was to set
up<BR>smtp-auth or pop-before-smtp. The same mindset was applied to port
135. I don't<BR>particularly like the fact that those ports have been
filtered. It seems very<BR>restrictive, even though I can find other ways to
get along without using those<BR>ports in the manner in which they have been
filtered. I don't even like hosting<BR>services that install a
spam-filtering agent by default. I want to receive the<BR>mail and traffic
that was intended for me. If I don't want it, I'll learn how to<BR>filter it
myself. Companies like Cox spend more money advertising than they
do<BR>educating people to make the Internet an overall more secure place for
the<BR>average user. Cox, instead, protects the ignorant people and keeps
them<BR>ignorant. I think Cox should have sent snail-mail to each one of its
users<BR>describing its reason for blocking port 25 or even 135. That would
have made one<BR>HELL of a dent in the ignorance. Oh well, Corporate
America.<BR><BR>People can learn! Teach them! Don't let them be ignorant.
Ignorance is a MAJOR<BR>security problem!<BR><BR>Of course we could just
take the easy way out: How do you secure the Internet?<BR>Kill all its
users.<BR><BR>Regards,<BR>Christopher Garrett III<BR>Inixoma,
Incorporated<BR><BR>_______________________________________________<BR>Full-Disclosure
- We believe in it.<BR>Charter: <A
href="http://lists.netsys.com/full-disclosure-charter.html">http://lists.netsys.com/full-disclosure-charter.html</A><BR></BLOCKQUOTE></BLOCKQUOTE></BODY></HTML>