Security Basics mailing list archives

Re: Windows Messenger Pop-up spam


From: "Kevin Davis" <kevin.davis () mindless com>
Date: Fri, 3 Dec 2004 06:06:24 -0500


> We were talking about messenger spam only, and therefore it's pretty
> much sufficient to disable the messenger service. No other action
> needed, especially not blocking any ports. Period.

The fact that Messenger traffic was getting through exposes the fact that there is a problem. More than the Messenger service uses that port.


> But let's assume we're talking not only about messenger spam but malware
> in general. Why would I rather block specific ports instead of disabling
> unneeded services? In the latter case I won't *have* anything that needs
> to be protected at all¹. Plus Personal Firewalls proved themselves to
> be much less reliable than one would like to think. Do I have to remind
> you of the Witty worm?

Disabling unneeded services is not an adequate protection from malware. There are tons of malware - in fact probably the majority - that set up their own "server" once they infect the target system. That's where personal firewalls help. A new, unknown process is trying to get out to the net - the firewall will catch this and alert the user. I would agree that one should not put 100% confidence in personal firewalls. All software has bugs and many will have vulnerabilities from time to time. This fact in itself does not justify permanently discounting it. The first time you find out that your router has a bug in its firmware, do you throw it in the trash?

The best solution is a multi-layered approach (defense in depth):
1. Patch your systems.
2. Get your systems behind a firewall (a personal firewall if a home user).
3. Get your system behind a router.
4. Harden the system by turning off unneeded services.
5. Employ the use of virus and spyware scanners/blockers.
6. Educate the user about security.
7. Whatever else makes sense.


> Sure, you can argue that maybe the host acts as a router for some local
> network (ICS or something). However, I would still have to ask: why does
> he need to provide any services at all? A router is not supposed to
> provide services. Period. If one needs Internet connectivity for a local
> network and needs all computers as workstations, then bite the damn
> bullet and buy a router. They're not *that* expensive. And of course one
> would block *everything* except for the desired traffic on the network
> *perimeter*, not only deny the undesired traffic on the host itself.

The small, inexpensive SOHO routers only block inbound traffic. If a user gets some malware on their system, this helps them not.

> If there's no LAN but just a single host with Internet connection, then why
> does the box need to provide any services at all? IMnsHO.

You can't make a blanket statement like this for all cases. In some cases this would be true, in others not.

Let's take the Messenger service, for instance. Some people should *not* turn off the Messenger service. Why? Maybe they are running one of the several virus scanning products that use the Messenger service to alert the user of a virus problem. Turn that service off and it degrades the ability of the virus scanner to do its job properly. I'm sure that there are other examples. In this particular case, I think that the virus scanners that depend on this service are poorly designed. One could argue that this dependency is, in one respect, weakening the security of the system.
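The two questions the thread keeps circling are "is the Messenger service actually off?" and "what else is listening on that port?". The script below is an added example, not code from the post or from any product it mentions: it reports (and optionally disables) the Messenger service, then maps every listening TCP/UDP socket to its owning process and, for svchost, to the services hosted in it, so the port-versus-service decision is made from what the box really exposes. It assumes an elevated PowerShell on Windows 8 / Server 2012 or later (Get-NetTCPConnection and Get-NetUDPEndpoint); the service name "Messenger" is the XP/2003-era name and is reported as absent on current Windows. The -Disable switch is an assumed parameter name.

```powershell
# Added example (not from the mailing-list post): audit the Messenger service
# and show which processes/services own network listeners.
param(
    # Assumed parameter: set to $true to actually disable and stop the service.
    [bool]$Disable = $false
)

$serviceName = 'Messenger'
$svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue

if ($null -eq $svc) {
    Write-Host "Service '$serviceName' is not installed on this host."
} else {
    Write-Host ("Service '{0}': Status={1} StartType={2}" -f $svc.Name, $svc.Status, $svc.StartType)
    if ($Disable) {
        # Hardening step from the thread: turn off the unneeded service.
        Set-Service -Name $serviceName -StartupType Disabled
        if ($svc.Status -eq 'Running') { Stop-Service -Name $serviceName -Force }
        Write-Host "Service '$serviceName' disabled and stopped."
    }
}

# Collect every listening socket together with the PID that owns it.
$listeners = @()
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue | ForEach-Object {
    $listeners += [pscustomobject]@{
        Proto = 'TCP'; Address = $_.LocalAddress; Port = $_.LocalPort; PID = $_.OwningProcess
    }
}
Get-NetUDPEndpoint -ErrorAction SilentlyContinue | ForEach-Object {
    $listeners += [pscustomobject]@{
        Proto = 'UDP'; Address = $_.LocalAddress; Port = $_.LocalPort; PID = $_.OwningProcess
    }
}

# Resolve PIDs to process names; for svchost, list the services sharing that process,
# which is how "more than one thing uses that port" becomes visible.
$report = $listeners | ForEach-Object {
    $proc = Get-Process -Id $_.PID -ErrorAction SilentlyContinue
    $name = if ($proc) { $proc.ProcessName } else { '<exited>' }
    $hosted = ''
    if ($name -eq 'svchost') {
        $hosted = (Get-CimInstance Win32_Service -Filter "ProcessId = $($_.PID)" |
                   Select-Object -ExpandProperty Name) -join ','
    }
    [pscustomobject]@{
        Proto = $_.Proto; Address = $_.Address; Port = $_.Port
        PID = $_.PID; Process = $name; Services = $hosted
    }
}

$report | Sort-Object Proto, Port | Format-Table -AutoSize
```

Run it once before and once after a hardening change; any port that still shows a listener after the service is disabled belongs to a different process or service, which is exactly the case where a host firewall rule rather than a service change is the right control.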

