Re: Windows Messenger Pop-up spam
From: Kevin Davis (kevin.davis_at_mindless.com)
To: <email@example.com> Date: Fri, 3 Dec 2004 06:06:24 -0500
> We were talking about messenger spam only, and therefore it's pretty
> much sufficient to disable the messenger service. No other action
> needed, especially not blocking any ports. Period.
The fact that Messenger traffic was getting through exposes the fact that
there is a problem. More than the Messenger service uses that port.
> But let's assume we're talking not only about messenger spam but malware
> in general. Why would I rather block specific ports instead of disabling
> unneeded services? In the latter case I won't *have* anything that needs
> to be protected at all¹. Plus Personal Firewalls proved themselves to
> be much less reliable than one would like to think. Do I have to remind
> you of the Witty worm?
Disabling unneeded services is not an adequate protection from malware.
There are tons of malware - in fact probably the majority that set up their
own "server" once it infects the target system. That's where personal
firewalls help. A new, unknown process is trying to get out to the net -
the firewall will catch this and alert the user. I would agree that one
should not put 100% confidence in personal firewalls. All software has bugs
and many will have vulnerabilities from time to time. This fact in itself
does not justify permanently discounting it. The first time you find out
that your router has a bug in its firmware do you throw it in the trash?
The best solution is a multi-layered approach (defense in depth).
1. Patch your systems.
2. Get your systems behind a firewall (a personal firewall if a home user).
3. Get your system behind a router.
4. Harden the system by turning off unneeded services.
5. Employ the use of virus and spyware scanners\blockers.
6. Educate the user about security.
7. Whatever else
> Sure, you can argue that maybe the host acts as a router for some local
> network (ICS or something). However, I would still have to ask: why does
> he need to provide any services at all? A router is not supposed to
> provide services. Period. If one needs Internet connectivity for a local
> network and needs all computers as workstations, then bite the damn
> bullet and buy a router. They're not *that* expensive. And of course one
> would block *everything* except for the desired traffic on the network
> *perimeter*, not only deny the undesired traffic on the host itself.
The small, inexpensive SOHO routers only block inbound traffic. If a user
gets some malware on their system, this helps them not.
> there's no LAN but just a single host with Internet connection, then why
> does the box need to provide any services at all? IMnsHO.
You can't make a blanket statement like this for all cases. In some cases
this would be true, in others not.
Let's take the Messenger service, for instance. Some people should *not*
turn off the Messenger service. Why? Maybe they are running one of the
several virus scanning products that use the Messenger service to alert the
user of a virus problem. Turn that service off and it is degrading the
ability of the virus scanner to do its job properly. I'm sure that there
are other examples. In this particular case, I think that the virus
scanners that depend on this service are poorly designed. One could argue
that this dependency in one respect is weakening the security of the