
Re: [Full-Disclosure] ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd)



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=utf-8">
<META content="MSHTML 6.00.3790.0" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>That is not logical, because if you use an Ethernet 
broadband connection and connect via a dialler (L2TP or PPTP) then you have to 
firewall both, that is correct.</FONT></DIV>
<DIV><FONT face=Arial size=2>But what&nbsp;about firewalling the connection via 
VPN to your office? Although if the office is already infected it might not be 
such a bad idea .... </FONT></DIV>
<DIV><FONT face=Arial size=2></FONT>&nbsp;</DIV>
<DIV><FONT face=Arial size=2></FONT>&nbsp;</DIV>
<DIV><FONT face=Arial size=2>Lan Guy</FONT></DIV>
<BLOCKQUOTE 
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
  <DIV style="FONT: 10pt arial">&nbsp;</DIV>
  <DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
  <DIV 
  style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B> 
  <A title=richard@tccnet.co.uk href="mailto:richard@tccnet.co.uk">Richard 
  Stevens</A> </DIV>
  <DIV style="FONT: 10pt arial"><B>To:</B> <A title=somatose@cox.net 
  href="mailto:somatose@cox.net">Chris Garrett</A> ; <A 
  title=full-disclosure@lists.netsys.com 
  href="mailto:full-disclosure@lists.netsys.com">full-disclosure@lists.netsys.com</A> 
  </DIV>
  <DIV style="FONT: 10pt arial"><B>Sent:</B> Tuesday, August 12, 2003 3:34 
  PM</DIV>
  <DIV style="FONT: 10pt arial"><B>Subject:</B> RE: [Full-Disclosure] ISS 
  Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd)</DIV>
  <DIV><BR></DIV>I appreciate that many users don't know what a firewall is.. but 
  this stuff is given so much coverage and sales pitch.. it makes you 
  wonder....<BR>&nbsp;<BR>with regards to which ports to block etc... the ICF 
  firewall by default just blocks all incoming traffic that has not specifically 
  been requested, and allows all outgoing. It doesn't take a genius to click 
  "firewall this connection"&nbsp; no user thought processes 
  required!<BR>&nbsp;<BR>maybe ms should enable it by default on any interface 
  with a public IP address? <BR>&nbsp;<BR>&nbsp;<BR><BR>-----Original 
  Message----- <BR>From: Chris Garrett [mailto:somatose@cox.net] <BR>Sent: Tue 
  12/08/2003 12:43 <BR>To: <A 
  href="mailto:full-disclosure@lists.netsys.com">full-disclosure@lists.netsys.com</A> 
  <BR>Cc: <BR>Subject: Re: [Full-Disclosure] ISS Security Brief: "MS Blast" 
  MSRPC DCOM Worm Propagation (fwd)<BR><BR><BR><BR>Richard Stevens:<BR>&gt; I 
  must be missing something here... xp home &amp; pro both have a "click<BR>&gt; 
  and forget" firewall?<BR>&gt; why aren't people using it?<BR><BR>You're 
  talking about the Internet Connection Firewall (ICF)? Firstly, if 
  most<BR>people even knew what a firewall was, then the impact of this worm 
  might not<BR>have been as severe. I'm sure you realize there are a lot of 
  users out there<BR>that bought XP for its "pretty" interface. Those people 
  don't know a firewall<BR>from a hole in the wall. If you tell them it can 
  protect their precious computer<BR>from evil script kiddies, then they might 
  be more interested, but unless you put<BR>that information right in their 
  face, they're not going to bother.<BR><BR>As far as my friend is concerned, he 
  wasn't using ICF, rather, he was using<BR>Sygate. He knows what a firewall 
  does, but he has no real experience that has<BR>mandated he ever really 
  configure/use a firewall. A firewall gives a user so<BR>much power. To be able 
  to block incoming and outgoing traffic is a pretty big<BR>responsibility. 
  Which ports should a user configure? How on Earth is an<BR>inexperienced user 
  to know? Unless you have experience configuring firewalls on<BR>servers or 
  managing a personal home network built for the security-conscious<BR>people 
  that go out and do lots of research, you will have no idea. Also, unless<BR>a 
  user with a firewall keeps up to date on advisories, that person will not 
  be<BR>very aware as to the urgency of filtering certain ports. Most people 
  that run<BR>windows and have heard about the "auto updating" service think 
  that that service<BR>is going to protect them from anything major, anyway. 
  "It's an automatic<BR>updating service. Microsoft isn't going to leave me 
  hanging." Seriously, people<BR>develop a false sense of security. You can give 
  someone a firewall, but that<BR>doesn't mean they'll know what to do with 
  it.<BR><BR>I informed another friend of mine today that friend #1 [the one 
  infected with<BR>the worm] was infected with a particular worm based on a 
  recently released<BR>exploit. I told him he should secure his computer. His 
  response was "But I have<BR>an Anti-Virus program installed." More false sense 
  of security. I cleared the<BR>falsity of this claim up for him, of course, but 
  he's more into computers than<BR>your average user. He's a 
  webdesigner.<BR><BR>My point is, there are people out there who need to be 
  educated. I teach people<BR>what I can to help them secure their systems on 
  their own. I pull people out of<BR>that false sense of security and that 
  notion that if they modify any settings in<BR>Windows that it will break. If 
  they need to ask, I tell them I'm here for their<BR>inquiries, and Google can 
  take care of the rest.<BR><BR>Companies like Cox, on the other hand, go and 
  filter port 135, and even outgoing<BR>port 25! I had a long discussion with 
  one of the techies that works at Cox in<BR>regards to the port 25 filtering, 
  because one day I could no longer connect to<BR>my SMTP server outside Cox's 
  walls. The tech said he didn't think it was the<BR>greatest of ideas, but it 
  was easier to just filter 25 than it was to set up<BR>smtp-auth or 
  pop-before-smtp. The same mindset was applied to port 135. I 
  don't<BR>particularly like the fact that those ports have been filtered. It 
  seems very<BR>restrictive, even though I can find other ways to get along 
  without using those<BR>ports in the manner in which they have been filtered. I 
  don't even like hosting<BR>services that install a spam-filtering agent by 
  default. I want to receive the<BR>mail and traffic that was intended for me. 
  If I don't want it, I'll learn how to<BR>filter it myself. Companies like Cox 
  spend more money advertising than they do<BR>educating people to make the 
  Internet an overall more secure place for the<BR>average user. Cox, instead, 
  protects the ignorant people and keeps them<BR>ignorant. I think Cox should 
  have sent snail-mail to each one of its users<BR>describing its reason for 
  blocking port 25 or even 135. That would have made one<BR>HELL of a dent in 
  the ignorance. Oh well, Corporate America.<BR><BR>People can learn! Teach 
  them! Don't let them be ignorant. Ignorance is a MAJOR<BR>security 
  problem!<BR><BR>Of course we could just take the easy way out: How do you 
  secure the Internet?<BR>Kill all its users.<BR><BR>Regards,<BR>Christohper 
  Garrett III<BR>Inixoma, 
  Incorporated<BR><BR>_______________________________________________<BR>Full-Disclosure 
  - We believe in it.<BR>Charter: <A 
  href="http://lists.netsys.com/full-disclosure-charter.html">http://lists.netsys.com/full-disclosure-charter.html</A><BR></BLOCKQUOTE></BODY></HTML>