RE: [fw-wiz] Worms, Air Gaps and Responsibility

From: Ben Nagy (ben_at_iagu.net)
Date: 05/05/04

    To: <firewall-wizards@honor.icsalabs.com>
    Date: Wed, 5 May 2004 16:13:06 +0200

    For disclaimer, see bottom of tin [1]

    So what should people be doing better? Follow this advice and you will
    probably not end up a statistic.

    First - worms hit known vulnerabilities. Manage your vulnerabilities, and
    get that up to the executive level as a priority. The time between the
    patches and the worms is shrinking, so it's getting harder every time.
    (Blaster was 26 days, Sasser 17 or 18). Eliminating the root
    vulnerabilities is the ONLY sure way to not get infected by worms. The rest
    is damage control and lucky underwear.

    Prepare Better. Put worm outbreak strategies in your BCPs and DRPs.

    Implement egress filtering wherever possible to chop out the key TCP and UDP
    ports that are spreading vectors. Typically these are anything related to MS
    networking (long list, 137 138 139 445 blah blah). Also chop TFTP, FTP and
    IRC wherever you can.

    Do what Paul says, and put in some physical separation for truly critical
    networks. Not VLANs. Not firewalls. Air. For those networks, make sure
    random machines cannot be connected without you knowing about it, get rid of
    unsecured VPN endpoints and roaming wireless.

    Stay Informed. Mailing lists - (NT)bugtraq, Full Disclosure (but never run
    any code you see on that list ;), Vuln-Dev are all OK, but can be noisy.
    Check websites like K-Otik and Packetstorm to see when public releases of
    exploit code take place. The ISC website is also excellent for early warning
    if you know what you are looking for - you would do well to add the
    handler's diary to your morning read.

    Fundamentally, to perform accurate threat assessment you at least need to
    know the basic difference between different kinds of exploits. Some (like
    lsass and the IIS PCT bug) are trivial to write exploits for. Others, like
    some of the RPC race condition bugs, the ASN.1 heap corruption bugs etc are
    harder to exploit, and less reliable. Worm writers want two things - a bug
    in a core service (lots of targets) and something that is easy and reliable
    to exploit.

    I can't say this next part loud enough. To date, almost all of the worms
    have been non-destructive (Witty being a notable exception, but with a
    smaller target base). This can NOT last. How hard do you think it would be
    for a mass-market worm to just trash the partition table and flash the BIOS
    when it was sick of spreading? Now you can multiply your damage and recovery
    figures by ten or twenty (or more).

    As a closing note - if you run IIS then the SSL PCT bug is a worm waiting to
    happen, don't get distracted by Sasser, although I'm sure mutations are
    coming for that one, and don't say I didn't warn you.

    Sorry to be alarmist, and sorry for the soapbox.

    Cheers,

    ben

    [1] I work for eEye, we know lots and lots about vulnerabilities and worms
    and stuff, we found the vulnerability behind Sasser, and we make some
    products in this area. However, this is not a plug.

    > -----Original Message-----
    > From: firewall-wizards-admin@honor.icsalabs.com
    > [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf
    > Of Paul D. Robertson
    > Sent: Wednesday, May 05, 2004 2:25 PM
    > To: firewall-wizards@honor.icsalabs.com
    > Subject: [fw-wiz] Worms, Air Gaps and Responsibility
    >
    > Hospitals, banks, the U.K. Coast Guard... The damage from
    > the latest Microsoft-based worm isn't as widespread as that
    > from the last one, but it's pretty darned bad in point cases.
    >
    > Why do people continue to connect critical production
    > networks to user/administrative networks?

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
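The following is an added example, not code from the post, from Ben or from eEye. It turns the egress-filtering advice above (chop the MS networking ports 137/138/139/445 plus TFTP, FTP and IRC at the network edge) into two defender-side pieces: a generator for the corresponding iptables DROP rules, and an audit that runs the same policy over connection-log lines so you can see which internal hosts are already trying to leave on those ports. It assumes the standard IANA ports for TFTP (69/udp), FTP (21/tcp) and IRC (6667/tcp), an internal range of 10.0.0.0/8, and a simple constructed log format; the sample flow records are made up for the example.

```python
"""Egress policy for worm spreading-vector ports: rule generation and flow audit.

Added example. Ports 137/138/139/445 are the MS networking ports named in the
post; 69/udp (TFTP), 21/tcp (FTP) and 6667/tcp (IRC) are the standard ports
for the other services it says to block (assumption: standard IANA numbers).
The log format and all flow records below are constructed for this example.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Worm spreading vectors to drop at the egress point, per protocol.
WORM_VECTOR_PORTS: Dict[str, Set[int]] = {
    "tcp": {21, 137, 138, 139, 445, 6667},
    "udp": {69, 137, 138, 139, 445},
}

# Assumed trusted (internal) address range; anything outside it is "egress".
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed log line: '<ts> <src> -> <dst> <proto>/<dport>'."""
    ts, src, arrow, dst, service = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected log line: {line!r}")
    proto, dport = service.split("/")
    return Flow(ts=ts, src=src, dst=dst, proto=proto.lower(), dport=int(dport))


def leaves_network(flow: Flow) -> bool:
    """True when the destination is outside the internal range (egress traffic)."""
    return ipaddress.ip_address(flow.dst) not in INTERNAL_NET


def is_blocked_egress(flow: Flow) -> bool:
    """Policy decision: drop egress traffic to any worm-vector port."""
    if not leaves_network(flow):
        return False  # internal-to-internal traffic is out of scope for egress filtering
    return flow.dport in WORM_VECTOR_PORTS.get(flow.proto, set())


def audit_flows(lines: Iterable[str]) -> List[Flow]:
    """Return the flows in the log that the egress policy would have dropped."""
    flows = (parse_flow(l) for l in lines if l.strip())
    return [f for f in flows if is_blocked_egress(f)]


def flagged_sources(lines: Iterable[str]) -> Dict[str, int]:
    """Count dropped-policy hits per internal source; a host fanning out to many
    external 445 destinations is the classic worm scanning pattern."""
    return dict(Counter(f.src for f in audit_flows(lines)))


def iptables_egress_rules(chain: str = "FORWARD", internal_cidr: str = str(INTERNAL_NET)) -> List[str]:
    """Render one DROP rule per (proto, port): traffic from inside to outside on a vector port.
    Rules are returned as text for review; nothing is executed here."""
    rules = []
    for proto in ("tcp", "udp"):
        for port in sorted(WORM_VECTOR_PORTS[proto]):
            rules.append(
                f"iptables -A {chain} -s {internal_cidr} ! -d {internal_cidr} "
                f"-p {proto} --dport {port} -j DROP"
            )
    return rules


# Constructed sample log: one internal host (10.1.2.3) probing external 445/TFTP,
# one internal-only SMB connection, one benign HTTP flow and one outbound IRC flow.
SAMPLE_FLOWS = """\
2004-05-05T16:01:02 10.1.2.3 -> 10.1.2.9 tcp/445
2004-05-05T16:01:05 10.1.2.3 -> 203.0.113.7 tcp/445
2004-05-05T16:01:07 10.1.2.3 -> 203.0.113.8 tcp/445
2004-05-05T16:01:09 10.1.2.3 -> 198.51.100.4 udp/69
2004-05-05T16:01:11 10.1.2.3 -> 198.51.100.4 tcp/80
2004-05-05T16:01:12 10.4.4.4 -> 198.51.100.9 tcp/6667
"""

if __name__ == "__main__":
    for rule in iptables_egress_rules():
        print(rule)
    for flow in audit_flows(SAMPLE_FLOWS.splitlines()):
        print("would drop:", flow)
    print("hits per source:", flagged_sources(SAMPLE_FLOWS.splitlines()))
```

The audit deliberately ignores internal-to-internal traffic: egress filtering limits how far a worm spreads out of (or into) a segment, not whether it spreads within one, which is the point of the air-gap advice for truly critical networks. The per-source counter is the piece worth keeping on a real flow feed, since a single host hitting many external addresses on 445 is visible long before the rule set is in place.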
