RE: ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd)

["Richard Stevens" <richard () tccnet co uk>]

I appreciate that many users dont know what a firewall is.. but this stuff is given so much coverage and sales pitch.. 
it makes you wonder....
 
with regards to which ports to block etc... the ICF firewall by default just blocks all incoming traffic that has not 
specifically been requested, and allows all outgoing. It doesnt take a genius to click "firewall this connection"  no 
user thought processes required!
 
maybe ms should enable it be default on any interface with a public IP address? 
 
 

        -----Original Message----- 
        From: Chris Garrett [mailto:somatose () cox net] 
        Sent: Tue 12/08/2003 12:43 
        To: full-disclosure () lists netsys com 
        Cc: 
        Subject: Re: [Full-disclosure] ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd)
        
        

        Richard Stevens:
        > I must be missing something here... xp home & pro both have a "click
        > and forget" firewall?
        > why aren't people using it?
        
        You're talking about the Internet Connection Firewall (ICF)? Firstly, if most
        people even knew what a firewall was, then the impact of this worm might not
        have been as severe. I'm sure you realize there are a lot of users out there
        that bought XP for its "pretty" interface. Those people don't know a firewall
        from a hole in the wall. If you tell them it can protect their precious computer
        from evil script kiddies, then they might be more interested, but unless you put
        that information right in their face, they're not going to bother.
        
        As far as my friend is concerned, he wasn't using ICF, rather, he was using
        Sygate. He knows what a firewall does, but he has no real experience that has
        mandated he ever really configure/use a firewall. A firewall gives a user so
        much power. To be able to block incoming and outgoing traffic is a pretty big
        responsibility. Which ports should a user configure? How on Earth is an
        inexperienced user to know? Unless you have experience configuring firewalls on
        servers or managing a personal home network built for the security-conscious
        people that go out and do lots of research, you will have no idea. Also, unless
        a user with a firewall keeps up to date on advisories, that person will not be
        very aware as to the urgency of filtering certain ports. Most people that run
        windows and have heard about the "auto updating" service think that that service
        is going to protect them from anything major, anyway. "It's an automatic
        updating service. Microsoft isn't going to leave me hanging." Seriously, people
        develop a false sense of security. You can give someone a firewall, but that
        doesn't mean they'll know what to do with it.
        
        I informed another friend of mine today that friend #1 [the one infected with
        the worm] was infected with a particular worm based on a recently released
        exploit. I told him he should secure his computer. His response was "But I have
        an Anti-Virus program installed." More false sense of security. I cleared the
        falsity of this claim up for him, of course, but he's more into computers than
        your average user. He's a webdesigner.
        
        My point is, there are people out there who need to be educated. I teach people
        what I can to help them secure their systems on their own. I pull people out of
        that false sense of security and that notion that if they modify any settings in
        Windows that it will break. If they need to ask, I tell them I'm here for their
        inquiries, and Google can take care of the rest.
        
        Companies like Cox, on the other hand, go and filter port 135, and even outgoing
        port 25! I had a long discussion with one of the techies that works at Cox in
        regards to the port 25 filtering, because one day I could no longer connect to
        my SMTP server outside Cox's walls. The tech said he didn't think it was the
        greatest of ideas, but it was easier to just filter 25 than it was to set up
        smtp-auth or pop-before-smtp. The same mindset was applied to port 135. I don't
        particularly like the fact that those ports have been filtered. It seems very
        restrictive, even though I can find other ways to get along without using those
        ports in the manner in which they have been filtered. I don't even like hosting
        services that install a spam-filtering agent by default. I want to receive the
        mail and traffic that was intended for me. If I don't want it, I'll learn how to
        filter it myself. Companies like Cox spend more money advertising than they do
        educating people to make the Internet an overall more secure place for the
        average user. Cox, instead, protects the ignorant people and keeps them
        ignorant. I think Cox should have send snail-mail to each one of its users
        describing its reason to blocking port 25 or even 135. That would have made one
        HELL of a dent in the ignorance. Oh well, Corporate America.
        
        People can learn! Teach them! Don't let them be ignorant. Ignorance is a MAJOR
        security problem!
        
        Of course we could just take the easy way out: How do you secure the Internet?
        Kill all its users.
        
        Regards,
        Christohper Garrett III
        Inixoma, Incorporated
        
        _______________________________________________
        Full-Disclosure - We believe in it.
        Charter: http://lists.netsys.com/full-disclosure-charter.html
        

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html