RE: [Full-Disclosure] RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!

From: Schmehl, Paul L (pauls@utdallas.edu)
Date: 01/27/03

    From: "Schmehl, Paul L" <pauls@utdallas.edu>
    To: "Ron DuFresne" <dufresne@winternet.com>
    Date: Mon, 27 Jan 2003 00:30:28 -0600
    

    -----Original Message-----
    From: Ron DuFresne [mailto:dufresne@winternet.com]
    Sent: Sunday, January 26, 2003 11:01 PM
    To: Schmehl, Paul L
    Cc: Full-Disclosure; cmiller@pastiche.org; Matt Smith; Richard M. Smith; jasonc@science.org; Jay D. Dyson; Bugtraq
    Subject: RE: [Full-Disclosure] RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!
    >
    > This simply shows your ignorance of the issues, Ron. Port 1434 was
    > not a normal port for SQL server *until* MSDE came out. We obviously
    > blocked 1433 long ago, as did almost every edu in the universe. But
    > 1434 was a recent "innovation" to make SQL server capable of running
    > multiple instances on multiple ports.
    >
    >Actually, no, it's not an 'innovation' at all. I think if you review
    >the slapper alerts and the common ports M$-SQL is known to play upon,
    >you'll find that 1434 is no new issue:

    Umm, Ron, the date of that announcement is 7/24/2002. I would class that as a "recent" issue. It's only been six months since this was common knowledge. And at edus, you don't just arbitrarily block ports because something *might* happen some day.

    >Yet, your reply tends to add credence to some comments made in
    >another ongoing thread, sorry, I'm following too many to remember
    >the exact poster to quote directly, but, to paraphrase them,
    >"admins tend to do just enough on each successive worm/exploit
    >to cover their butts at that time, rather then really read the
    >information available and act in a proactive manner.

    That's certainly one way to look at it. Seems to be the most common opinion of those who have no apparent experience with large networks.

    >The solution isn't defensive worms. The solution lies in the
    >recognition (seldom expressed, lest we later regret it ourselves),
    >that the failure to patch a seven-month bug is NEGLIGENCE,

    Such a blanket condemnation of all networks is completely misguided. Until you know all the ramifications of what a network has to deal with, you are completely unqualified to determine what is and what is not negligence.

    For example, there are vendors who *require* that you not patch machines or they will no longer support them. I wouldn't expect people who don't admin networks to understand this, but I can hear the nodding heads of the poor admins who have to put up with this crap. They fight this battle every day. Whizbang Microscope Corp. only supports their electron microscope on NT 4.0 with SP4. If you put SP6a on the box - or god forbid, upgrade to 2000 or XP - they no longer support the microscope.

    Now you, and many simple-minded others, would respond - well, just don't do business with such idiots, but when those idiots are the only ones in the world who make that microscope and your Nobel Prize-winning microbiologist *needs* that microscope to do his award-winning (and money-producing) research, you will damn well allow that microscope on the network or you will be out of a job. (This example is completely made up out of thin air, but reflects reality in a lot of places.)

    >Few worms exploit vulnerabilities that are new and unknown. Most exploit
    >those that have been known for months. That it is cheaper for negligent
    >administrators to wait until the worm hits, suffer a day of disruption
    >and then fix the problem du jour is simply unacceptable. The only solution,
    >however, is to somehow make it more expensive to be negligent than it is
    >to be diligent. </quote>

    Dear Lord how I pray for the day when people can actually think rationally.

    Here's the scenario. You have networks that get compromised by worms. Why? Because they don't have the money to buy the latest whizbang security device and they don't have the personnel to patch every damn box before the worm hits.

    So how do you solve the problem? By suing them and taking away what little money they *do* have, thus making them much more secure, right?

    Why don't all the brilliant people who have all the answers start volunteering their time to help solve this problem? Go help a local non-profit corp that's struggling to solve these problems. Volunteer to help raise money for them. Offer to help your local schools tighten their security. Donate some of your time and your obviously immense talents in security to some of the poor edus around that are desperate for help. (I could use somebody this week to help me set up a snort box on FreeBSD. I'll probably be stuck half the week explaining why our network was so degraded during the worm attack.)

    Oh wait...that would require actual *work* on your part.....much easier to simply call them negligent and sue them out of existence, right? This kind of thinking disgusts me. And it reveals how truly childish and immature people can be.

    >You misread me, the port<s> in question should have already been closed.
    >And infected systems just cut off from your network until the admins or
    >users in charge of them fix the problem.

    How long do you think it took us to do that, Ron? I'll give you a hint. The blocks were in place by Saturday morning - early. You see, you like most people, think the admins are doing *nothing*. The reality is, they're working their asses off to solve the problem. And of course, all their regular work is left undone, while they chase down the latest and greatest creation of some idiot with nothing to do.

    >Then again, you misread and misinterpret my comments. If your policy
    >is that lacking on giving those responsible for maintaining a secure
    >network environment for your .edu domain, then get those folks who
    >are responsible *organised* to start pressing the matter higher up,
    >to those Regents or Chancellors or whomever that can give those
    >responsible the power to do what needs to be done to not only be
    >proactive, but to properly react to abusive situations.

    :-) My response here would be x-rated, so I'll leave it unsaid. Foolish and naïve come to mind, but I'll leave it at that.

    >It's so common to hear the "it's *not* my job" retort.
    >The fact is, you're either part of the solution, or part
    >of the problem, or dead weight.

    I'd like to hire you, Ron. Then I could fire you the first time something failed. Would that be OK with you? Because if you can guarantee that nothing will ever fail, I NEED to hire you, ASAP!

    Otherwise you're blowing smoke.

    Do you have *any* network experience at all? Where's your resume? Can I look at it?

    >I never said the "perpetrators who wrote and released the worm"
    >held no responsibility here,

    Then again, you never said they *did*, either. You simply ranted about the NEGLIGENT admins. I guess I missed your contempt for the bad guys in the midst of all that self-righteous anger against the evil admins.

    >and do not think I ever implied it. Not at all. Who is responsible
    >for installing what is used and potentially abused on those systems?
    >If it is not the job of the admin to properly maintain and secure
    >those systems under their control, then whose job is it? Whose
    >responsibility is it?

    See, I told you you knew nothing about large networks.

    Whose responsibility is it for installing SQL server (inside of MSDE) on the laptop of a developer who works in the bowels of CS and you don't know from Adam? You tell me. I can tell you this. As soon as we realize he's a problem, his machine goes off the network, and it doesn't come back on until he fixes it. But of course, by then, you and all the other smart guys have already condemned us for not having ESP.

    >When I've had issues with .edu users being abusive, or
    >infested systems in a .edu domain attacking my systems,
    >and taken the time to contact those tasked to deal with
    >abuse complaints in those domains, I've never had a problem
    >getting ports blocked, or systems locked off those nets
    >until the admins involved could fix their borked systems.

    Then I guess the admins must be doing their jobs...but wait...you said they were negligent....

    >But, you infer here that at your .edu, I'd have troubles
    >getting ahold of someone with that level of responsibility
    >and the power to deal with the matters in a timely manner?

    You send a letter to abuse with a complaint and you'll get an answer from me within an hour or two (except for when I'm sleeping - which ain't much these days), and if the problem is confirmed, the box will be off the network within about 10 minutes.

    But I'm negligent and incompetent because we had six machines out of 6000 that got infected. Right?

    >Damn folks want to be so amero-centric, often times it's nothing
    >to do with the bill of rights or anything related to the US
    >constitution at all, *sometimes* it is a jurisdictional issue
    >that -=crosses=- international boundaries.

    When did America get exclusive rights to freedom of speech?

    All I'm saying is, expend your energy where it will do some good. Either ferret out the bad guys and expose them to ridicule and contempt, or volunteer to help some of us poor stupid admins who don't have a clue. Either that, or shut up and get out of the way.

    This reminds me of my childhood. One of my brothers was quite adept at getting Mom and Dad to argue with each other, forgetting completely that it was *his* misbehavior that started the entire incident. Focus on the bad guys. They are the problem. Not admins. No matter how much contempt you might hold them in.

    Paul Schmehl (pauls@utdallas.edu)
    Adjunct Information Security Officer
    The University of Texas at Dallas
    http://www.utdallas.edu/~pauls/
    AVIEN Founding Member
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
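An added defender's example, not part of this thread or of any poster's code: the worm discussed above (Slammer) spread with single UDP datagrams to port 1434, so an internal host that suddenly sends UDP/1434 to many distinct destinations is exactly the kind of box the author says goes off the network once confirmed. The script below runs that check over a few constructed firewall-log lines; the log format, addresses and the 10.x internal prefix are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (not real data). Format assumed:
# "<date> <time> <ACTION> <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
2003-01-25 02:14:01 ALLOW udp 10.1.7.23:1090 -> 203.0.113.8:1434
2003-01-25 02:14:01 ALLOW udp 10.1.7.23:1090 -> 198.51.100.4:1434
2003-01-25 02:14:01 ALLOW udp 10.1.7.23:1090 -> 192.0.2.77:1434
2003-01-25 02:14:02 ALLOW udp 10.1.7.23:1090 -> 203.0.113.9:1434
2003-01-25 02:14:02 ALLOW tcp 10.1.3.5:40000 -> 10.1.9.2:1433
2003-01-25 02:14:03 ALLOW udp 10.1.3.5:1091 -> 10.1.9.2:1434
2003-01-25 02:14:03 DENY udp 198.51.100.4:1434 -> 10.1.7.23:1090
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_internal(ip, prefix="10."):
    # Assumed campus range; a legitimate client resolves one or two
    # instances, a worm-infected host sprays UDP/1434 at random addresses.
    return ip.startswith(prefix)


def find_scanners(log_text, threshold=3):
    """Return {src: distinct-destination count} for internal hosts that sent
    UDP/1434 to at least `threshold` distinct destinations."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["proto"] != "udp" or rec["dport"] != "1434":
            continue
        if not is_internal(rec["src"]):
            continue
        targets[rec["src"]].add(rec["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= threshold}


if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_LOG).items():
        print(f"candidate infected host {src}: UDP/1434 to {n} destinations")
```

Only 10.1.7.23 is flagged; 10.1.3.5 talks to a single SQL server and the external 198.51.100.4 is ignored.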


